Is an RB493 safe to use as a managed switch? (VLAN hopping)

Hi, this is my config:




[admin@MikroTik] > interface export
# jan/03/1970 06:25:15 by RouterOS 3.26
# NOTE(review): a 1970 date suggests the system clock is not set; if so, log timestamps from this
# device cannot be correlated with other sources during an investigation. Confirm and set the time.
# software id = 50U8-EUWQ
#
# Four software bridges, all running RSTP (protocol-mode=rstp). Per the "/interface bridge port"
# section of this export, bridge1 holds the uplinks ether1/ether9 and bridge2..bridge4 each pair
# one VLAN interface with one physical port.
# NOTE(review): bridge1 is also the parent of the VLAN interfaces, so untagged frames on the uplinks
# are bridged between ether1 and ether9 alongside the tagged VLANs - confirm that is intended.
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=\
    1526 max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=rstp transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=\
    1522 max-message-age=20s mtu=1500 name=bridge2 priority=0x8000 protocol-mode=rstp transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=\
    1522 max-message-age=20s mtu=1500 name=bridge3 priority=0x8000 protocol-mode=rstp transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=\
    1522 max-message-age=20s mtu=1500 name=bridge4 priority=0x8000 protocol-mode=rstp transmit-hold-count=6
# Physical ports. master-port=none on ether2..ether9 means no port is slaved to another through the
# switch chip, so the port grouping is defined only by the software bridges in this export.
# NOTE(review): ether5..ether8 are enabled (disabled=no) but are not members of any bridge listed
# under "/interface bridge port". If they are unused, disabling them removes four live ports from
# the attack surface; whether they carry IP addresses is not visible in an "interface export".
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:34:73:F2 \
    mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1522 \
    mac-address=00:0C:42:34:73:F3 master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1522 \
    mac-address=00:0C:42:34:73:F4 master-port=none mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1522 \
    mac-address=00:0C:42:34:73:F5 master-port=none mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1522 \
    mac-address=00:0C:42:34:73:F6 master-port=none mtu=1500 name=ether5 speed=100Mbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1522 \
    mac-address=00:0C:42:34:73:F7 master-port=none mtu=1500 name=ether6 speed=100Mbps
set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1522 \
    mac-address=00:0C:42:34:73:F8 master-port=none mtu=1500 name=ether7 speed=100Mbps
set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1522 \
    mac-address=00:0C:42:34:73:F9 master-port=none mtu=1500 name=ether8 speed=100Mbps
set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1522 \
    mac-address=00:0C:42:34:73:FA master-port=none mtu=1500 name=ether9 speed=100Mbps
# VLAN sub-interfaces for IDs 501-503, all stacked on bridge1 (the bridge holding ether1/ether9).
# use-service-tag=no selects the ordinary 802.1Q tag rather than an 802.1ad service tag.
# NOTE(review): only these three IDs are terminated here. Nothing in this export limits which other
# VLAN IDs (or untagged frames) bridge1 forwards between ether1 and ether9, so the VLAN set allowed
# on the uplinks has to be enforced on the neighbouring switches - verify their trunk configuration.
/interface vlan
add arp=enabled comment="" disabled=no interface=bridge1 l2mtu=1522 mtu=1500 name=vlan501 use-service-tag=no vlan-id=501
add arp=enabled comment="" disabled=no interface=bridge1 l2mtu=1522 mtu=1500 name=vlan502 use-service-tag=no vlan-id=502
add arp=enabled comment="" disabled=no interface=bridge1 l2mtu=1522 mtu=1500 name=vlan503 use-service-tag=no vlan-id=503
# Default wireless security profile: mode=none with empty keys, i.e. no encryption or authentication.
# NOTE(review): no wireless interface is present in this export, so this is presumably unused; it
# would matter if a radio card were added later and left on the default profile.
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" group-key-update=5m interim-update=0s mode=\
    none name=default radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=\
    disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none \
    static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik \
    tls-certificate=none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key=""
# Port-to-bridge membership; this section is what defines the VLAN separation.
#   bridge1: ether1 + ether9   -> tagged uplinks (bridge1 is the parent of vlan501..vlan503)
#   bridge2: vlan501 + ether2  -> untagged access port for VLAN 501
#   bridge3: vlan502 + ether3  -> untagged access port for VLAN 502
#   bridge4: vlan503 + ether4  -> untagged access port for VLAN 503
# NOTE(review), VLAN hopping: a software bridge forwards the Ethernet frames it receives, and no
# "/interface bridge filter" rules appear in this export. A frame that arrives on ether2/3/4 already
# carrying an 802.1Q tag is therefore presumably not dropped but passed to the VLAN interface and
# sent up the uplink with a second tag. Whether the inner tag is ever honoured depends on the
# native/untagged-VLAN handling of the devices attached to ether1/ether9, which is not shown here.
# Hardening to consider: a bridge filter rule that drops frames with mac-protocol=vlan arriving on
# the access ports, and keeping the uplink neighbours' native VLAN unused and distinct from 501-503.
# NOTE(review), spanning tree: with edge=auto the access ports are not forced to edge status, so
# BPDUs sent by an attached host are presumably processed by RSTP - confirm this is acceptable for
# ports facing DMZ hosts.
/interface bridge port
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether1 path-cost=10 \
    point-to-point=auto priority=0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether9 path-cost=10 \
    point-to-point=auto priority=0x80
add bridge=bridge2 comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=vlan501 path-cost=10 \
    point-to-point=auto priority=0x80
add bridge=bridge3 comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=vlan502 path-cost=10 \
    point-to-point=auto priority=0x80
add bridge=bridge3 comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether3 path-cost=10 \
    point-to-point=auto priority=0x80
add bridge=bridge2 comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether2 path-cost=10 \
    point-to-point=auto priority=0x80
add bridge=bridge4 comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=vlan503 path-cost=10 \
    point-to-point=auto priority=0x80
add bridge=bridge4 comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=ether4 path-cost=10 \
    point-to-point=auto priority=0x80
# use-ip-firewall=no: bridged frames are not handed to /ip firewall, so IP filter rules do not see
# traffic that is switched inside a bridge.
# NOTE(review): per the RouterOS documentation, use-ip-firewall-for-vlan only takes effect when
# use-ip-firewall=yes, so the "yes" here is presumably inert - confirm on 3.26. Isolation of the DMZ
# VLAN then rests on the layer-2 layout plus whatever routes and filters sit between the VLANs' IP
# networks, which an "interface export" does not include.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=yes
# Port mirroring is off (mirror-port=none, source-port=none). Worth re-checking in audits: an
# unexpected mirror port would copy traffic to another port.
/interface ethernet mirror
set mirror-port=none source-port=none
# Tunnel servers: L2TP, OpenVPN and PPTP are all disabled (enabled=no), so the values below are
# dormant settings and expose no service as exported.
# NOTE(review): if one of these is ever enabled, review the settings first - the lists include PAP
# and MS-CHAPv1, MD5 and Blowfish-128, and the OpenVPN server has certificate=none together with
# require-client-certificate=no.
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=\
    disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 \
    mac-address=FE:F1:8C:C9:38:06 max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 \
    max-mtu=1460 mrru=disabled
# Wireless tool settings (align / sniffer / snooper). No wireless interface appears in this export,
# so these presumably have nothing to act on.
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=\
    300 frames-per-second=25 receive-all=no ssid-all=no
# Sniffer streaming is off (streaming-enabled=no, streaming-server=0.0.0.0) and no capture file is
# named (file-name="").
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no \
    streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
[admin@MikroTik] >

I don’t know if this is vulnerable to VLAN hopping. Does anybody know whether it is? I’m not sure this config is secure with a DMZ on a VLAN.