Hello guys,

I’m trying to achieve easy things (in my opinion of course)
What I need is a router with few VLANs and router’s local ports acting as a Access Ports.
Eth1=WAN, Eth2=Access Port for VLAN88, Eth3=Access Port for VLAN99, Eth4=Access Port for VLAN100, Eth5=TRUNK carrying out all VLANs tagged.
I wish to have VLANs isolated from each other, I need ether3 to be a hybrid port (access for VLAN99, trunk for Vlan100) and few more, but today even basic functionality is not working.
PC connected to any of access ports is not getting IP, when I set manually IPPC cannot ping gateway.

I spent a lot of time reading and I got lost. Nothing is working, and I have no idea why …

My config was adopted to my needs from Using RouterOS to VLAN your network - Useful user articles - MikroTik community forum router.rsc file
Could you guide me what’s wrong with my config?
I’m using RouterBOARD 750G r3 6.49.19 with MediaTek MT7621 build in switch.

###############################################################################

Topic: Using RouterOS to VLAN your network

Example: Switch with a separate router (RoaS)

Web: Using RouterOS to VLAN your network - Useful user articles - MikroTik community forum

RouterOS: 6.43.12

Date: Mar 28, 2019

Notes: Start with a reset (/system reset-configuration)

Thanks: mkx, sindy

###############################################################################

#######################################

Naming

#######################################

name the device being configured

/system identity set name="Router"

#######################################

VLAN Overview

#######################################

1 = CCTV

88 = PPoE

99 = MGMT

100 = WiFi

#######################################

Bridge

#######################################

create one bridge, set VLAN mode off while we configure

/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################

-- Trunk Ports --

#######################################

ingress behavior

/interface bridge port

Purple Trunk. Leave pvid set to default of 1

add bridge=BR1 interface=ether5
add bridge=BR1 interface=ether2 pvid=88
add bridge=BR1 interface=ether3 pvid=99
add bridge=BR1 interface=ether4 pvid=100

egress behavior

/interface bridge vlan

Purple Trunk. These need IP Services (L3), so add Bridge as member

add bridge=BR1 tagged=BR1,ether5 vlan-ids=1
add bridge=BR1 tagged=BR1,ether5 untagged=ether2 vlan-ids=88
add bridge=BR1 tagged=BR1,ether5 untagged=ether3 vlan-ids=99
add bridge=BR1 tagged=BR1,ether5 untagged=ether4 vlan-ids=100

#######################################

IP Addressing & Routing

#######################################

LAN facing router's IP address on the MGMT_VLAN

/interface vlan add interface=BR1 name=MGMT_VLAN vlan-id=99
/ip address add address=192.168.99.1/24 interface=MGMT_VLAN

DNS server, set to cache for LAN

/ip dns set allow-remote-requests=yes servers="8.8.8.8"

WAN facing port with IP Address provided by ISP

/ip address add interface=ether1 address=192.168.188.222/24 network=192.168.188.0

router's gateway provided by ISP

/ip route add distance=1 gateway=192.168.188.1

#######################################

IP Services

#######################################

CCTV VLAN interface creation, IP assignment, and DHCP service

/interface vlan add interface=BR1 name=CCTV_VLAN vlan-id=1
/ip address add interface=CCTV_VLAN address=192.168.0.1/24
/ip pool add name=CCTV_POOL ranges=192.168.0.100-192.168.0.254
/ip dhcp-server add address-pool=CCTV_POOL interface=CCTV_VLAN name=CCTV_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1

WiFi VLAN interface creation, IP assignment, and DHCP service

/interface vlan add interface=BR1 name=WiFi_VLAN vlan-id=100
/ip address add interface=WiFI_VLAN address=192.168.100.1/24
/ip pool add name=WiFI_POOL ranges=192.168.100.100-192.168.100.254
/ip dhcp-server add address-pool=WiFi_POOL interface=WiFi_VLAN name=WiFi_DHCP disabled=no
/ip dhcp-server network add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1

PPoE VLAN interface creation, IP assignment, and DHCP service

/interface vlan add interface=BR1 name=PPoE_VLAN vlan-id=88
/ip address add interface=PPoE_VLAN address=192.168.88.1/24
/ip pool add name=PPoE_POOL ranges=192.168.88.100-192.168.88.254
/ip dhcp-server add address-pool=PPoE_POOL interface=PPoE_VLAN name=PPoE_DHCP disabled=yes
/ip dhcp-server network add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1

Optional: Create a DHCP instance for MGMT_VLAN. Convenience feature for an admin.

/ip pool add name=MGMT_POOL ranges=192.168.99.10-192.168.99.254
/ip dhcp-server add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP disabled=no
/ip dhcp-server network add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1

#######################################

Firewalling & NAT

A good firewall for WAN. Up to you

about how you want LAN to behave.

#######################################

Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=VLAN
add interface=CCTV_VLAN list=VLAN
add interface=PPoE_VLAN list=VLAN
add interface=MGMT_VLAN list=BASE

VLAN aware firewall. Order is important.

/ip firewall filter

##################

INPUT CHAIN

##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.

add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

Allow MGMT_VLAN full access to the device for Winbox, etc.

add chain=input action=accept in-interface=MGMT_VLAN comment="Allow MGMT_VLAN Full Access"

add chain=input action=drop comment="Drop"

##################

FORWARD CHAIN

##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

Allow all VLANs to access the Internet only, NOT each other

add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

##################

NAT

##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

#######################################

VLAN Security

#######################################

Only allow packets with tags over the Trunk Ports

/interface bridge port
#set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
#set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
#set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]

#######################################

MAC Server settings

#######################################

Ensure only visibility and availability from MGMT_VLAN, the MGMT network

/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE

#######################################

Turn on VLAN mode

#######################################
/interface bridge set BR1 vlan-filtering=yes

Some output from my router:

[admin@Router] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload

INTERFACE                                                                                      BRIDGE                                                                                     HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON

0 I   ether5                                                                                         BR1                                                                                        yes    1     0x80         10                 10       none
1 I   ether2                                                                                         BR1                                                                                        yes   88     0x80         10                 10       none
2     ether3                                                                                         BR1                                                                                        yes   99     0x80         10                 10       none
3 I   ether4                                                                                         BR1                                                                                        yes  100     0x80         10                 10       none
[admin@Router] > /interface bridge vlan print
Flags: X - disabled, D - dynamic

BRIDGE                                                                   VLAN-IDS  CURRENT-TAGGED                                                                   CURRENT-UNTAGGED

0   BR1                                                                      1         BR1
1   BR1                                                                      88        BR1
2   BR1                                                                      99        BR1                                                                              ether3
3   BR1                                                                      100       BR1
[admin@Router] > /interface bridge  print
Flags: X - disabled, R - running
0 R name="BR1" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto mac-address=CC:2D:E0:B4:9A:01 protocol-mode=none fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m vlan-filtering=yes ether-type=0x8100 pvid=1
frame-types=admit-all ingress-filtering=no dhcp-snooping=no
[admin@Router] >

I know that I failed on so basic things ... but how to fix this config, Hope someone will be able to guide me :)

Regards

Slawek

Post your full configuration, what you posted - while nice - is more difficult to parse for experts than the plain configuration, instructions here:
Forum rules - #5 by gigabyte091

Rules #1 and #2, just in case:
The twelve Rules of Mikrotik Club

The one bit of advice I will give you as someone doing vlans for the first time is this:

Don't implement all your vlans at once. Do them one at a time.

EDIT: I did the below before rereading your post and it seems, ether3 is going to a ubiquiti switch or access point ( clue hybrid bass ackwards setup). If thats the case, then ignore the below for ether3 but I do recommend an off bridge port nonetheless.

First step, Iwould do is change your management port to an OFFBRIDGE port.
The reason being is that when fiddling with bridge settings and vlans its too easy to lock yourself out of the router (aka any port on the bridge). Having a safe port, that you can access the config even if the bridge is not acting nice, is the way to go.

Thusly,

/interface ethernet
set [ find default-name=ether3 ] name=OffBridge3
/ip address
add address=192.168.55.1/30 interface=ether3  network=192.168.55.0
/interface list members
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=VLAN
add interface=CCTV_VLAN list=VLAN
add interface=PPoE_VLAN list=VLAN
add interface=OffBridge2 list=VLAN  
add interface=MGMT_VLAN list=BASE
add interface=OffBridge2 list=BASE
/tool mac-server set allowed-interface-list=NONE   { this mac-server only access is not secure }

Be sure to remove ether3 from the bridge!!
You can keep the management vlan if.
a.  you have other smart devices ( smart APs, or smart switches etc that can handle vlans and thus will get their IP address from the management subnet).
b.  you have another management port or wlan elsewhere on the network equipment.
+++++++++++++++++++++++++++++++++++++++++

To access the router, plug in your PC to ether3,  and change the IPV4 settings on the pc to  192.168.55.2
Once you can access the router successfully on ether3, recommend upgrading to 7.21
+++++++++++++++++++++++

Regarding the rest of the setup, dont use vlan1, that is used in the background by the bridge and normally should not be used for 'regular' data or management vlans. Use 11 instead.

/interface bridge port
add bridge=BR1  ingress-filtering=yes frame-types=admit-priority-and-untagged \
  interface=ether2 pvid=88
add bridge=BR1 frame-types=admit-all interface=ether3 pvid=99
add bridge=BR1 ingress-filtering=yes frame-types=admit-priority-and-untagged \
  interface=ether4 pvid=100 
add bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged \
  interface=ether5

and it seems completely missing............ the following:

/interface bridge vlans
add bridge=BR1 tagged=BR1,ether5  untagged=ether2  vlan-ids=88
add bridge=BR1 tagged=BR1,ether5  untagged=ether3  vlan-ids=99
add bridge=BR1 tagged=BR1,ether5,ether3  untagged=ether4  vlan-ids=100

As for your input chain rules, why have a separate input chain rule for BASE, when you already allow full access to all using VLAN interface.
In other words change the VLAN interface rule.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"
TO:

add chain=input action=accept in-interface-list=VLAN comment="users to services" \
  dst-port=53 protocol=udp
add chain=input action=accept in-interface-list=VLAN comment="users to services" \
  dst-port=53 protocol=tcp

and a last rule

add chain=input action=drop comment="drop all else"

Hello guys

Thank you for all your comments.

#1 VLAN=1 I know that, but there is existing setting (other devices wich are using vlan1), but here we can assume that this is VLAN=10 I will change it

#2 MGMT, I’m expectig to have more devices in this VLAN, so maybe I should have another bridge, just for this VLAN?

#3 I’m so sorry that I created a mess here, here you have exported configuration.

Hurrra, Magic has happened (most problably problems was caused by VLAN1, thank you @jaclaz)
Eth2 - no IP assigned, no winbox over MAC
Eth3 - OK, PC is recieving correct IP
Eth4 - OK, PC is recieving correct IP
Eth5 - need to test with external switch

• test the hybrid port. Will do it soon.
  Here you can find my /export

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=CCTV_VLAN vlan-id=10
add interface=BR1 name=MGMT_VLAN vlan-id=99
add interface=BR1 name=PPoE_VLAN vlan-id=88
add interface=BR1 name=WiFi_VLAN vlan-id=100
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=CCTV_POOL ranges=192.168.0.100-192.168.0.254
add name=WiFi_POOL ranges=192.168.100.100-192.168.100.254
add name=PPoE_POOL ranges=192.168.88.100-192.168.88.254
add name=MGMT_POOL ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=CCTV_POOL disabled=no interface=CCTV_VLAN name=CCTV_DHCP
add address-pool=WiFi_POOL disabled=no interface=WiFi_VLAN name=WiFi_DHCP
add address-pool=PPoE_POOL interface=PPoE_VLAN name=PPoE_DHCP
add address-pool=MGMT_POOL disabled=no interface=MGMT_VLAN name=MGMT_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
interface=ether5
add bridge=BR1 interface=ether2 pvid=88
add bridge=BR1 interface=ether3 pvid=99
add bridge=BR1 interface=ether4 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether5 vlan-ids=10
add bridge=BR1 tagged=BR1,ether5 untagged=ether2 vlan-ids=88
add bridge=BR1 tagged=BR1,ether5 untagged=ether3 vlan-ids=99
add bridge=BR1 tagged=BR1,ether5 untagged=ether4 vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=VLAN
add interface=CCTV_VLAN list=VLAN
add interface=PPoE_VLAN list=VLAN
add interface=MGMT_VLAN list=BASE
/ip address
add address=192.168.99.1/24 interface=MGMT_VLAN network=192.168.99.0
add address=192.168.188.222/24 interface=ether1 network=192.168.188.0
add address=192.168.0.1/24 interface=CCTV_VLAN network=192.168.0.0
add address=192.168.100.1/24 interface=WiFi_VLAN network=192.168.100.0
add address=192.168.88.1/24 interface=PPoE_VLAN network=192.168.88.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8 gateway=192.168.0.1
add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related"
connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT_VLAN Full Access"
in-interface=MGMT_VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related"
connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only"
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade"
out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.188.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Router
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

Usually the offbridge port - at least when testing/setting up VLAN is just a port (NO VLAN) that is not used and to which you can connect if you get kicked out of the normally used ones, it is not part of any bridge, just a self-standing port.

See:

Also be aware that the device has L2 hardware offload with Bridge VLAN Filtering but only with RouterOS 7. It's software only under RouterOS 6.

Hello

Small update, I just connected PC through a switch. All seems to be working OK.
Tommorow I will try to fix firewall rules.

Thank you all for so quick help.

Regards

Slawek