Separated VLANs

Hi,
I would like to create two separate VLANs to separate the traffic on two subnets.

Currently ether1 is the WAN port and ether2-ether5 and wlan1-wlan2 are in the same LAN subnet.
I would like to create one LAN subnet with ether2-ether4 and wlan1-wlan2 and one second subnet with ether5.
The IP address of the first subnet (192.168.1.0/24) does not change and the new LAN subnet gets a new IP address and range (10.10.1.1/24). There must be a DHCP server on the second subnet.

It is important that the two subnets do not see each other and that there is no traffic between them.
Would VLAN be the solution? How should the current configuration be transformed?

Could someone help me?

Thank you for your help

Have a very good look at this great topic:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

And... yes, VLAN is a very decent way.

Dear erlinden,

thank you for your advice, I read it.
My problem is that the working configuration should be modified and I am looking for help with this. I hope someone will be able to tell me what needs to be changed step by step.
If you could help me with this, I would be very happy.

Thanks for your help

Make a bridge LAN1 from the ether2-ether4 interfaces, and assign/move the current IP, DHCP server, etc. to it.
Make a second bridge LAN2, assign the remaining interfaces to it, create a new DHCP server, assign an IP, etc.
To block traffic between LAN1 and LAN2 you just need to create drop rules in the forward chain like this:

/ip firewall filter
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=192.168.10.0/24

or you may use in-interface and out-interface in the rules instead of addresses.

You do need two subnets, each on a different logical interface (each in a separate broadcast domain). But you also need firewall rules to block traffic between the two subnets, otherwise the router will simply route between them.

So VLAN would be one solution. It is the most general solution, but VLANs are another layer of abstraction, and with that comes more complexity.

As stated, you could just remove the ether5 port from the bridge and assign it its own IP address in another subnet. That may be easier for a novice to understand and would be identical in behavior for most things (for example if you had a single non-VLAN-aware device connected to ether5, whether that was a single host or a dumb Ethernet switch with many hosts attached).

The advantage of using VLANs is the extra layer of abstraction, as it decouples the routed interface from a specific hardware port. Instead, you associate the physical ports with the VLAN(s) you want that port to be able to pass traffic for. This becomes important if you want to connect a VLAN-aware device that needs access to multiple VLANs, for example a Wi-Fi access point with multiple SSIDs, or another VLAN-aware switch on the far end of a single long trunk cable. Another reason would be if you wanted two ports in each VLAN instead of 1 and 3.
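An added example (not from the thread or from either poster) of the simpler, non-VLAN approach described in the two replies above: ether5 leaves the LAN bridge and becomes a routed port with its own subnet and DHCP server, and two drop rules keyed on interface lists (rather than on addresses, so they survive renumbering) stop routing between the subnets. It assumes the RouterOS default configuration, where the bridge is named "bridge", the LAN and WAN interface lists already exist, and the forward chain already contains rules (so place-before=0 has something to land in front of); the pool range and list names are my choice.

```routeros
# Added example, not from the thread. Assumes the RouterOS default config
# ("bridge", lists LAN/WAN, defconf firewall) and the OP's subnets:
# LAN1 = bridge (192.168.1.0/24, unchanged), LAN2 = ether5 (10.10.1.0/24).

# 1. Take ether5 off the bridge so it is its own broadcast domain.
/interface bridge port
remove [find interface=ether5]

# 2. Interface lists used by the firewall. ether5 also joins LAN so the
#    defconf "drop all not coming from LAN" input rule still lets its
#    clients reach DNS on the router.
/interface list
add name=LAN1
add name=LAN2
/interface list member
add interface=bridge list=LAN1
add interface=ether5 list=LAN2
add interface=ether5 list=LAN

# 3. Address, pool and DHCP server for the new subnet.
/ip address
add address=10.10.1.1/24 interface=ether5
/ip pool
add name=LAN2_POOL ranges=10.10.1.100-10.10.1.200
/ip dhcp-server
add address-pool=LAN2_POOL disabled=no interface=ether5 name=LAN2_DHCP
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=10.10.1.1 gateway=10.10.1.1

# 4. Block routing between the subnets. Placed at the top of the forward
#    chain so neither fasttrack nor the established/related accept can
#    let a flow through first. Interface lists, not addresses, so the rules
#    keep working if either subnet is renumbered later.
/ip firewall filter
add action=drop chain=forward comment="LAN1 -> LAN2 blocked" \
    in-interface-list=LAN1 out-interface-list=LAN2 place-before=0
add action=drop chain=forward comment="LAN2 -> LAN1 blocked" \
    in-interface-list=LAN2 out-interface-list=LAN1 place-before=1
```

Check it from a host on ether5 with a ping to 192.168.1.1 (should succeed, it is the router's own address on the other side, reached via the input chain) and to a host in 192.168.1.0/24 (should fail); /ip firewall filter print stats will show the drop counters climbing. Note that the router itself remains reachable from both subnets; if LAN2 should only get DNS and nothing else from the router, the input chain needs the same treatment as anav shows later in the thread.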

Spoon-feeding is not generally the level of help you will get on a forum. You are expected to put some effort in yourself.

As far as I know, the link already provided is the closest thing to a "recipe book" for common use cases. You will have to read it and try to understand it, and after you have read it and gotten stuck, come back with the specific questions that you need help with.

And when asking questions, we expect you to provide us with actionable information. You didn't even specify what type of router you have, what version of firmware you are using, whether there is other equipment involved (like downstream switches or access points), or what your requirements are. A sanitized configuration export is the absolute minimum needed (leave the model type and RouterOS version, but remove the serial number; I also like to remove the software ID, which I think is unique to the router's license):

jul/30/2022 20:55:59 by RouterOS 7.4 <- leave this, it is important because it shows version and timestamp (in case you post your config multiple times, this can be used to find the correct one),

software id = remove (I am not sure this needs removed, but I do)

model = RB760iGS <- leave this, as it shows us what hardware you are using.

serial number = remove (this is used if you save your config in the cloud)

See Getting Answers and How to Report Bugs Effectively
@anav's NEW USER POSTING FOR ASSISTANCE

Thank you very much for the helpful answers and help.

My problem is that I have to make changes on a working device and I don’t want to make a mistake because then we can’t work. I have to be careful. That’s why I’m asking for help…

@BartoszP Thanks for your suggestion, it helps a lot.
@Buckeye Thank you for the detailed information and sorry that I did not write more precise details the first time. I thought that the helpful forum members would ask for the information they considered necessary.
It’s really no problem to remove the ether5 from the bridge and set it up.
The problem is booking ether2, ether3 and ether4 in a separate VPN due to the existing configuration, because it has to be set in many places and if I screw it up, nothing works. I want to avoid that.

The type of router is hap ac2, I work with it. What I have done so far.
To be safe, I made a backup of the config.
This morning I borrowed the same router from a friend for testing.
I updated this test router to the latest firmware because mine was already updated.
I uploaded the configuration of my own router to the test router.
I removed ether5 from the bridge, it got a new IP address from another IP address range and I also created a DHCP server for this range.

The next step will be to configure VLANs and firewall rules.

What do you recommend that I pay attention to so that there are no problems?

Thank you for your help.

https://forum.mikrotik.com/viewtopic.php?t=181718

Unfortunately, I was unsuccessful. After creating the VLANs, DHCP did not work and I could not connect to the router using Winbox or ssh.

I used this forum comment created by @pcunite:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
I used the Router-Switch-AP (all in one) RouterSwitchAP.rsc file.

Since I was not successful, I decided to upload the RouterSwitchAP.rsc file created by @pcunite to the hap ac2 test router and test it.
Unfortunately, the situation has not changed: there is no DHCP and neither a Winbox nor an SSH connection to the router is possible.

Therefore, I performed the setting without applying the last line (/interface bridge set BR1 vlan-filtering=yes) and apparently everything is correct in the config according to the contents of the rsc file.
Of course, I set false data for the WAN port and also set DHCP for BASE_VLAN. DHCP still doesn’t work on the individual VLANs and if I set vlan-filtering=yes to bridge, I can’t connect to the router.

I have attached the test config that I modified.

Thanks for your help.
RouterSwitchAP_mod.rsc (7.57 KB)

Please provide the normal config file, not whatever you have provided. /export

Excuse me @anav and thank you for your help. I hope this is the format you meant.
testconfig.cfg.rsc (4.18 KB)

(1) The IP address for your WAN is incorrect (a host address, not the network address, belongs in address=).
from:
add address=192.168.100.0/24 interface=ether1 network=192.168.100.0
TO:
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0

(2) This makes no sense, can you figure out why :)
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN

Answer: The Second one is redundant as it is covered by the first rule. What it should indicate to you is the question why did I give everyone on VLAN access to the router?

TO:
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN dst-port=53 protocol=udp

add action=drop chain=input

If there are many hosts on the base VLAN, consider adding src-address-list to the rule with dst-port=<winbox port> protocol=tcp, with only the admin device IPs on the address list.

(3) Since your WAN IP seems static/fixed, the better form for the source NAT rule is
from
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN

TO:
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.100.1

(4) Missing firewall rules FIXED:

/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN  dst-port=53  protocol=tcp
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN  dst-port=53  protocol=udp
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet Access only" \
    in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.100.1

(5) The MAC server alone is not a secure access method and should be set to none.
/tool mac-server
set allowed-interface-list=none

Finally, a personal beef is leaving out /interface bridge vlan.

I use it as a cross-check against /interface bridge port to ensure intentions are correctly applied.
It is often easy to spot errors in intentions when both can be matched up!!
It makes the config easier to read overall.

/interface bridge vlan
# untagged= lists mirror the pvid= of each port in /interface bridge port
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether4,wlan2 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=wlan3 vlan-ids=99

@anav Thank you very much for your comments and suggestions. I will try how it works because I want to understand it on a working configuration. After that, I can modify the live router with vlans...

The WAN port setting is fixed because I connected it behind my own router... In the end, it will be PPPoE.

Do the following lines appear twice in the firewall rules?

/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & Untracked"
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

I noticed that not everything from @pcunite's RouterSwitchAP.rsc file was loaded during the import. I have now compared the import and export and see this. The following seem to have been omitted during the import, at least I can't find them in the export:

# ingress behavior

/interface bridge port

# Blue VLAN
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=wlan1 pvid=10

# Green VLAN
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=wlan2 pvid=20

# BASE_VLAN
add bridge=BR1 interface=wlan3 pvid=99

# Only allow ingress packets without tags on Access Ports

/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan3]

Is this really so, and what could be the reason for it?

Thanks and Regards

No idea, I don't implement his config verbatim; I do it in Winbox, working my way through the config.

What I get from pcunite is: one bridge; create VLANs with the bridge as the interface;
provide a subnet setup for each VLAN;
assign /interface bridge port and /interface bridge vlan;
set up firewall rules;
set up routing;
activate VLAN filtering.

Did you follow the instructions at the top (of the RouterSwitchAP_mod.rsc file you loaded)?

Notes: Start with a reset (/system reset-configuration)

@Buckeye Yes, of course.

@anav
Do the following lines appear twice in the firewall rules?

/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & Untracked"
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

Thank you for your help.

Hi Steve, my bad, copy-and-paste error: they do not. The second set is supposed to be the forward chain (one should keep chains together so it makes sense and is easy to read). Fixed above.

Then perhaps try this method Cloning MikroTik Routers, Quick and Easy by Steve Discher referenced in this thread: importing and exporting config files But do read post #20 by @Sob

Hmm. First, sorry for my noobness, but I think I will share my noob experience.

I usually use pcunite's template too, and have sometimes found errors when exporting it to a new router (as when I set up my hAP ac3 and RB4011iGS+5HacQ2HnD-IN before), even though I followed the whole procedure there, like starting with a reset (/system reset-configuration).

What I do is follow the template and change all the properties, like addresses etc., according to my network needs. Then I paste it through the Winbox terminal one section at a time...

PLUS, for this section:

# L3 switching, so the bridge must be a tagged member

/interface bridge vlan
set bridge=BR1 tagged=BR1 [find vlan-ids=10]
set bridge=BR1 tagged=BR1 [find vlan-ids=20]
set bridge=BR1 tagged=BR1 [find vlan-ids=99]

I found I had to fill in the information there (the untagged ports) just as the real network needs it, so that it ends up like @anav's comment above.

CMIIW. Sorry for my noobness.

Concur, his article can be confusing in that regard.
Does this make sense to you...
My advice is not to configure by copying pcunite's format; it's stilted and confusing. Instead, simply use Winbox and work through the configuration steps logically.

FIRST though, take one ether port and configure it so that it is accessible off the bridge, to avoid getting locked out!! SEE PARA A. above!!!
Add the bridge (or modify the default bridge as required).
Add the VLANs with the bridge as the parent interface.
Create the subnet structure for each VLAN (and likely modify the default subnet to be one of the VLANs).
Construct /interface bridge port entries (ether ports and WLANs as applicable).
Construct /interface bridge vlan entries (tagged and untagged **** should match up with /interface bridge port as a cross-check).
Make changes to the LAN interface list (remove the bridge and add all VLANs, typically).
Add a Management/Base interface list and its members (the Base VLAN and the off-bridge ether port, for example).
Adjust the firewall rules as necessary (Base list to input, LAN list to input for DNS only, etc.).
Go to the CLI, run export and see if any errors crop up.
Turn on bridge VLAN filtering.
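The procedure above, carried through as one complete added example for the OP's layout (this is my own configuration, not anav's, pcunite's or the OP's, and it also folds in anav's earlier firewall corrections: Base list gets management, the rest of the LAN gets DNS only, forward chain is internet-only so the two subnets never route to each other). Assumptions: hAP ac2 on RouterOS 7 starting from /system reset-configuration no-defaults=yes; ether1 is WAN; the office LAN stays on 192.168.1.0/24 as VLAN 10 on ether2-ether4, wlan1 and wlan2 and doubles as the management (BASE) network; ether5 becomes the isolated 10.10.1.0/24 as VLAN 20; the admin workstation 192.168.1.10, the pool ranges and all names are my choice. Paste it section by section in a Safe Mode terminal (Ctrl-X) so a mistake is rolled back when the session drops, and run the final vlan-filtering line only after /export shows no errors.

```routeros
# Added example, not from the thread. Assumes a reset hAP ac2 (RouterOS 7),
# ether1 = WAN, VLAN 10 = office LAN + management, VLAN 20 = isolated ether5.

/interface bridge
add name=BR1 vlan-filtering=no

# VLAN interfaces hang off the bridge, never off a physical port.
/interface vlan
add interface=BR1 name=LAN1_VLAN vlan-id=10
add interface=BR1 name=LAN2_VLAN vlan-id=20

# Lists drive the firewall: BASE = management, LAN = every client subnet,
# VLAN = client subnets that may only reach DNS on the router.
/interface list
add name=WAN
add name=LAN
add name=BASE
add name=VLAN
/interface list member
add interface=ether1 list=WAN
add interface=LAN1_VLAN list=LAN
add interface=LAN2_VLAN list=LAN
add interface=LAN1_VLAN list=BASE
add interface=LAN2_VLAN list=VLAN

/ip address
add address=192.168.1.1/24 interface=LAN1_VLAN
add address=10.10.1.1/24 interface=LAN2_VLAN
/ip pool
add name=LAN1_POOL ranges=192.168.1.100-192.168.1.200
add name=LAN2_POOL ranges=10.10.1.100-10.10.1.200
/ip dhcp-server
add address-pool=LAN1_POOL disabled=no interface=LAN1_VLAN name=LAN1_DHCP
add address-pool=LAN2_POOL disabled=no interface=LAN2_VLAN name=LAN2_DHCP
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=10.10.1.0/24 dns-server=10.10.1.1 gateway=10.10.1.1
/ip dns
set allow-remote-requests=yes

# Access ports: pvid= sets the VLAN for untagged frames; ingress filtering
# rejects tagged frames a client might inject to hop into another VLAN.
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether4 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=wlan1 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=wlan2 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether5 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# Cross-check: each pvid above appears in exactly one untagged= list here.
# BR1 is tagged in every VLAN so the /interface vlan interfaces (L3) see it.
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether5 vlan-ids=20

/ip firewall address-list
add address=192.168.1.10 comment="assumed admin workstation" list=ADMINS

/ip firewall filter
add action=accept chain=input comment="Allow Estab, Related & Untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Winbox/SSH only from admin hosts on BASE" in-interface-list=BASE protocol=tcp dst-port=22,8291 src-address-list=ADMINS
add action=accept chain=input comment="DNS for every LAN" in-interface-list=LAN protocol=udp dst-port=53
add action=accept chain=input comment="DNS for every LAN" in-interface-list=LAN protocol=tcp dst-port=53
add action=drop chain=input comment="Drop everything else to the router"
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab, Related & Untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Internet only; LAN1<->LAN2 never matches" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop everything else"

# Masquerade suits the PPPoE WAN the OP plans; with a fixed WAN address use
# action=src-nat to-addresses=<WAN IP> as anav suggested.
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN

# Layer-2 management paths bypass the IP firewall: close them.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none

# LAST step, from Safe Mode, after /export shows no errors.
/interface bridge
set BR1 vlan-filtering=yes
```

Two checks before leaving Safe Mode: a client on ether5 must get a 10.10.1.x lease and resolve names via 10.10.1.1 but fail to ping anything in 192.168.1.0/24 (the forward drop counter in /ip firewall filter print stats climbs), and Winbox must still connect from 192.168.1.10 but be refused from any other address. The OP's original symptom (DHCP dead and no Winbox once vlan-filtering=yes) is exactly what happens when a port's pvid has no matching untagged= entry in /interface bridge vlan, or BR1 itself is missing from tagged=, which is why the two tables are written to mirror each other here.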