Setting two ISP connections on 2 vlans, same ISP cable

I’ll try to understand … and eliminate what I can (there is no need for a VLAN, nor for a second bridge as there is only ether3 connected)

ether1-rds : ethernet connection to your ISP
ppoe-rds-home: your first account interface
ppoe-rds-work: your second account interface

ether3 : ethernet to your business environment
bridge-1 : with ether4,ether5,wlan1, wlan2 ports for your home environment.

OK not all details (it’s late here, over midnight)

1. Interface lists

• ether1,ppoe-rds-home, ppoe-rds-work should be member of the WAN interface list
• bridge1 and ether3 should be member of the LAN interface list
  This is because WAN and LAN words are used in the firewall and other lines in the config. (If you insist on using a second bridge, bridge2 should be in the LAN interface list. Ports follow the bridge value not their own value) Actually bridge2 or ether3 (if no 2nd bridge) is missing in the interface lists membership. There are also some empty lines.

2. IP firewall NAT

• the out interfaces are ppoe-rds-home and ppoe-rds-work.
  Not the bridge as out interface, and the interface list WAN might work for the NAT of both interfaces, but you can specify the output interfaces separately in 2 rules.

3. Policy routing

• routing rules must route the LAN home range to the pppoe-rds-home interface, and the LAN work range to the pppoe-rds-work interface.
  There are no static routes in your config yet. See http://forum.mikrotik.com/t/routing-based-on-source-ip-or-source-interface/111479/1 where setting routing marks with mangle rules is not needed.

4 Separate home and work.

• using VLANs here does not make much sense to me, as the work and home traffic goes to different ethernet interfaces.
• the router and firewall will connect (route and NAT) the ‘home LAN to the home pppoe interface’, and the ‘work LAN to the work pppoe interface’
• however the router will route what it can , and if not blocked by the firewall the ‘work’ and ‘home’ LAN will have a working route to each other.
• So the forwarding between LAN subnets (or interfaces) must be stopped in the firewall.
  (Even with a VLAN , the router would route to and from the defined VLAN if not denied to do so).
• Rule with the IP address ranges or the interfaces. Something like : “chain=forward action=drop in-interface=ether3 out-interface=bridge-1-home” , and the reverse rule also, both high enough in the forward rules to be selected before the accept rule, that could allow the route between both LAN’s.