Setup VLANs and Trunk fails

tranqila · November 9, 2025, 9:21pm

Hi and thank you for your help.
I am trying to setup my hap ax3 as router and wifi access point.
It should be connected to a managed switch, where my ethernet devices are connected to.
The ports on the mikrotik should just be used for WAN and the Trunk to the managed switch for now.

I started with the default configuration, which I then slightly modified so that I can have WAN on port 5 instead of the default port1, because I want to use the 2,5G connection between the managed switch and mikrotik.

In the Network I want to have for now 3 VLANS:
guest 10.10.0.0/16 on vlan-id 10
trusted 10.20.0.0/16 on id 20
mgmt 10.100.0.0/16 on id 100

I tried to setup things up as much as I could, and am at the point where I want to get ready to remove the default network & dhcp, so that I connect only via mgmt network from my PC to the managed switch on the vlan-id 100 access port. The managed switch is tagging 10-.20- and 100 vlans on the connection port to the Mikrotik.
I tried to set the port 1 on the mikrotik as trunk(as far as I understood), but it always disconnects me(thank you for Safe mode)
I have port 3 used as a direct connection to mikrotik now aswell.

One thing of note, between the managed switch and the mikrotik there is a POE injection device to power the mikrotik, but I hope this will forward traffic as expected.
Unfortunately only the 2,5G port is POE-in.

The problem is now, that I apparently did not configure the VLANs/Trunk correctly, because I can't connect to the Mikrotik from my pc via the Mgmt network.

I will paste my config in here, cutting out some details about the wifi:

# 2025-11-09 20:22:34 by RouterOS 7.20.4
# software id = IK1E-8R5L
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ------
/interface bridge
add admin-mac=D4:01:C3:44:94:80 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] comment="WAN Port"
/interface vlan
add comment="Guest Vlan" interface=bridge name=vlan10-guests vlan-id=10
add comment="Trusted VLAN" interface=bridge name=vlan20-trusted vlan-id=20
add comment="management vlan" interface=bridge name=vlan100-mgmt vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool10 ranges=10.10.0.10-10.10.255.255
add name=pool20 ranges=10.20.0.2-10.20.255.255
add name=pool100 ranges=10.100.0.1-10.100.255.255
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool10 comment="Guest dhcp server" interface=vlan10-guests \
    lease-time=1d name=dhcp10
add address-pool=pool20 comment="Trusted network dhcp server" interface=\
    vlan20-trusted lease-time=1d name=dhcp20
add address-pool=pool100 comment="Mgmt Network DHCP Server" interface=\
    vlan100-mgmt lease-time=1d name=dhcp100
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment="Trunk port to sodola switch" frame-types=\
    admit-only-vlan-tagged interface=ether1 pvid=100
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.0.1/16 comment="Guest Address" interface=vlan10-guests \
    network=10.10.0.0
add address=10.20.0.1/16 comment="Trusted Address" interface=vlan20-trusted \
    network=10.20.0.0
add address=10.100.0.1/16 comment="Mgmt Address" interface=vlan100-mgmt \
    network=10.100.0.0
/ip dhcp-client
add comment="enable dhcp client for WAN" interface=ether5
/ip dhcp-server network
add address=10.10.0.0/16 comment="Guest Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.10.0.1
add address=10.20.0.0/16 comment="Trusted Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.20.0.1
add address=10.100.0.0/16 comment="Mgmt Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.100.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Can you please help my trying to understand what I am doing wrong?

rextended · November 9, 2025, 10:23pm

Why a hole here?
Where is MGMT interface list?

tranqila · November 9, 2025, 10:43pm

I added the mgmt vlan to the LAN interface list and played with ether2 to make it untagged for vlan-id 100 and at least I can get mgmt subnet IP and can connect to the router with it.

connection from my pc via the sodola managed router still does not work.
Sodala port to my pc does 100 untag and the trunk to the mirkrotik on the switch is tagged 100.

# ---------
# software id = IK1E-8R5L
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = -----
/interface bridge
add admin-mac=D4:01:C3:44:94:80 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] comment="WAN Port"
/interface vlan
add comment="Guest Vlan" interface=bridge name=vlan10-guests vlan-id=10
add comment="Trusted VLAN" interface=bridge name=vlan20-trusted vlan-id=20
add comment="management vlan" interface=bridge name=vlan100-mgmt vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="contains mgmt net" name=MGMT

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool10 ranges=10.10.0.10-10.10.255.255
add name=pool20 ranges=10.20.0.2-10.20.255.255
add name=pool100 ranges=10.100.0.2-10.100.255.255
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool10 comment="Guest dhcp server" interface=vlan10-guests \
    lease-time=1d name=dhcp10
add address-pool=pool20 comment="Trusted network dhcp server" interface=\
    vlan20-trusted lease-time=1d name=dhcp20
add address-pool=pool100 comment="Mgmt Network DHCP Server" interface=\
    vlan100-mgmt lease-time=1d name=dhcp100
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment="Trunk port to sodola switch" frame-types=\
    admit-only-vlan-tagged interface=ether1
add bridge=bridge comment="port for mgmt vlan direct access" interface=ether2 \
    pvid=100
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set discover-interface-list=LAN
/ipv6 settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment="vlan bridge port for mgmt" tagged=ether1,bridge \
    untagged=ether2 vlan-ids=100
add bridge=bridge comment="vlan bridge port for guest" tagged=ether1,bridge \
    vlan-ids=10
add bridge=bridge comment="vlan bridge port for trusted" tagged=ether1,bridge \
    vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
add interface=vlan100-mgmt list=LAN
add interface=vlan100-mgmt list=MGMT
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.0.1/16 comment="Guest Address" interface=vlan10-guests \
    network=10.10.0.0
add address=10.20.0.1/16 comment="Trusted Address" interface=vlan20-trusted \
    network=10.20.0.0
add address=10.100.0.1/16 comment="Mgmt Address" interface=vlan100-mgmt \
    network=10.100.0.0
/ip dhcp-client
add comment="enable dhcp client for WAN" interface=ether5
/ip dhcp-server network
add address=10.10.0.0/16 comment="Guest Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.10.0.1
add address=10.20.0.0/16 comment="Trusted Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.20.0.1
add address=10.100.0.0/16 comment="Mgmt Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.100.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN

What also looks strange to me-
I can see in the dhcp leases, that my pc is getting an address through the trunk port, so going via the switch as I want- but apparently the assignment is not successful, because the lease constantly gets reset to the full 1d expiry time. As if the dhcp ack does not make it back to the mikrotik

anav · November 9, 2025, 11:24pm

Your export is not complete......................

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys, dhcp lease lists )

What I see so far:
You want ether5 to be WAN port, ether1 is to switch, ether2 mgnmt port, ether3 and ether4 not used.
Better than using ether2, take a port off bridge and access the router from there, we will use ether4
Then plug in laptop to ether4 and change ipv4 settings to 192.168.77.2 and with user name and password you should be in , see below for config adjustments.

For some reason you have the bridge still doing dhcp and in needs to be doing nothing of the sort, when you have converted to vlan filtering. Clue is number of pools etc. = number of vlans!

Also, not clear which wifi is for trusted and which is for guests?????
Remove static IP DNS setting.
modify firewall rules so more secure for access to config and clearer.

# model = C53UiG+5HPaxD2HPaxD
# serial number = **** removed ****
/interface bridge
add admin-mac=D4:01:C3:44:94:80 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] comment="WAN Port"
set [ find default-name=ether4 ] comment=OffBridge4
/interface vlan
add comment="Guest Vlan" interface=bridge name=vlan10-guests vlan-id=10
add comment="Trusted VLAN" interface=bridge name=vlan20-trusted vlan-id=20
add comment="management vlan" interface=bridge name=vlan100-mgmt vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="contains mgmt net" name=MGMT
/ip pool
add name=pool10 ranges=10.10.0.10-10.10.255.255
add name=pool20 ranges=10.20.0.2-10.20.255.255
add name=pool100 ranges=10.100.0.2-10.100.255.255
/ip dhcp-server
add address-pool=pool10 comment="Guest dhcp server" interface=vlan10-guests \
    lease-time=1d name=dhcp10
add address-pool=pool20 comment="Trusted network dhcp server" interface=\
    vlan20-trusted lease-time=1d name=dhcp20
add address-pool=pool100 comment="Mgmt Network DHCP Server" interface=\
    vlan100-mgmt lease-time=1d name=dhcp100
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment="Trunk port to sodola switch" frame-types=\
    admit-only-vlan-tagged interface=ether1
add bridge=bridge comment="port for mgmt vlan direct access" interface=ether2 \
    frame-types=admit-only-priority-and-untagged pvid=100
add bridge=bridge frame-types=admit-only-priority-and-untagged interface=wifi1 \
  pvid=20  comment="wifi for trusted home users"
add bridge=bridge frame-types=admit-only-priority-and-untagged interface=wifi2 \
  pvid=10  comment="wifi for guests"
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment="guests" tagged=bridge,ether1  untagged=wifi2 \
    vlan-ids=10
add bridge=bridge comment="trusted"  tagged=bridge,ether1  untagged=wifi1 \
    vlan-ids=20
add bridge=bridge comment="management" tagged=bridge,ether1  \
    untagged=ether2  vlan-ids=100
/interface list member
add comment=defconf interface=ether5 list=WAN
add interface=vlan10-guests list=LAN
add interface=vlan20-trusted list=LAN
add interface=vlan100-mgmt list=LAN
add interface=OffBridge4 list=LAN
add interface=vlan100-mgmt list=MGMT
add interface=OffBridge4 list=MGMT
/ip address
add address=192.168.77.1/30 interface=OffBridge4 network=192.168.77.0
add address=10.10.0.1/16 comment="Guest Address" interface=vlan10-guests \
    network=10.10.0.0
add address=10.20.0.1/16 comment="Trusted Address" interface=vlan20-trusted \
    network=10.20.0.0
add address=10.100.0.1/16 comment="Mgmt Address" interface=vlan100-mgmt \
    network=10.100.0.0
/ip dhcp-client
add comment="enable dhcp client for WAN" interface=ether5
/ip dhcp-server network
add address=10.10.0.0/16 comment="Guest Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.10.0.1
add address=10.20.0.0/16 comment="Trusted Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.20.0.1
add address=10.100.0.0/16 comment="Mgmt Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.100.0.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=MGMT
add action=accept chain=input comment="users to services" in-interface-list=LAN \
    dst-port=53 protocol=udp 
add action=accept chain=input comment="users to services" in-interface-list=LAN \
    dst-port=53 protocol=tcp 
add action=drop chain=input comment="drop all else"
+++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet" in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="admin to all vlans"  in-interface-list=MGMT \
    out-interface-list=LAN
add action=accept chain=forward comment="port forwarding} connection-nat-state=dstnat \
    disabled=yes  { enable if required or remove }
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

tranqila · November 10, 2025, 1:06am

Thank you, I tried to make the changes.

I can now connect through mgmt vlan from my PC without direct connection to mikrotik.
So i get IP when connecting to untag port on switch and I can connect to mgmt vlan ip of mikrotik and access.
Thank you.
Somehow, I broke the Wifi a little-
trusted network 10.20 should go to Wifi1 & Wifi2, while guest network 10.10 should go to this slaved copy of the interface.
For some reason the slaved copy & 10.10 works with my wifi devices, but the 10.20 doesn't.
I will try to find what is wrong.

Can you have one more look, so that I didn't make a mistake adding the firewall rules?

# 2025-11-10 01:57:53 by RouterOS 7.20.4
# software id = IK1E-8R5L
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = **********
/interface bridge
add admin-mac=D4:01:C3:44:94:80 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] comment="WAN Port"
/interface vlan
add comment="Guest Vlan" interface=bridge name=vlan10-guests vlan-id=10
add comment="Trusted VLAN" interface=bridge name=vlan20-trusted vlan-id=20
add comment="management vlan" interface=bridge name=vlan100-mgmt vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="contains mgmt net" name=MGMT
add name=GUEST
/interface wifi channel
add band=2ghz-ax disabled=no name=ch-24 width=20/40mhz
add band=5ghz-ax disabled=no frequency=2300-7300 name=ch-5
add band=5ghz-ax disabled=no frequency=2300-7300 name=ch-5-guest
add band=2ghz-ax disabled=no name=ch-24-guest width=20/40mhz
/interface wifi datapath
add bridge=bridge disabled=no name=vlan-20-path vlan-id=20
add bridge=bridge disabled=no name=vlan-10-path vlan-id=10
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes name=\
    trusted-auth wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,gcmp,gcmp-256 ft=yes name=guest-auth wps=disable
/interface wifi configuration
add channel=ch-5 channel.frequency=2300-7300 .width=20/40/80mhz country=\
    Germany datapath=vlan-20-path disabled=no manager=local mode=ap name=\
    trusted-conf-5 security=trusted-auth ssid="bla 5G"
add channel=ch-5-guest channel.band=5ghz-ax .width=20/40/80mhz country=\
    Germany datapath=vlan-10-path disabled=no manager=local mode=ap \
    multicast-enhance=enabled name=guest-conf-5 security=guest-auth ssid=\
    "bli 5G" tx-power=23
add channel=ch-24-guest country=Germany datapath=vlan-10-path disabled=no \
    mode=ap multicast-enhance=enabled name=guest-conf-24 security=guest-auth \
    ssid="bli" tx-power=20
add channel=ch-24 country=Germany datapath=vlan-20-path disabled=no mode=ap \
    name=trusted-conf-24 security=trusted-auth ssid="bla"
/interface wifi
set [ find default-name=wifi1 ] channel=ch-5 channel.band=5ghz-ax \
    configuration=trusted-conf-5 configuration.country=Germany .mode=ap \
    datapath=vlan-20-path datapath.bridge=bridge .vlan-id=20 disabled=no \
    security=trusted-auth security.authentication-types=wpa2-psk,wpa3-psk \
    .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel=ch-24 channel.band=2ghz-ax \
    configuration=trusted-conf-24 configuration.mode=ap .ssid="very Hotspot!" \
    datapath=vlan-20-path datapath.bridge=bridge .vlan-id=20 disabled=no \
    security=trusted-auth security.authentication-types=wpa2-psk,wpa3-psk \
    .ft=yes .ft-over-ds=yes
add channel=ch-5-guest channel.frequency=2300-7300 configuration=guest-conf-5 \
    configuration.mode=ap datapath=vlan-10-path disabled=no mac-address=\
    D6:01:C3:44:94:84 master-interface=wifi1 name=wifi-guest1 security=\
    guest-auth
add configuration=guest-conf-24 configuration.mode=ap datapath=vlan-10-path \
    disabled=no mac-address=D6:01:C3:44:94:85 master-interface=wifi2 name=\
    wifi-guest2 security=guest-auth
/ip pool
add name=pool10 ranges=10.10.0.10-10.10.255.255
add name=pool20 ranges=10.20.0.2-10.20.255.255
add name=pool100 ranges=10.100.0.2-10.100.255.255
/ip dhcp-server
add address-pool=pool10 comment="Guest dhcp server" interface=vlan10-guests \
    lease-time=1d name=dhcp10
add address-pool=pool20 comment="Trusted network dhcp server" interface=\
    vlan20-trusted lease-time=1d name=dhcp20
add address-pool=pool100 comment="Mgmt Network DHCP Server" interface=\
    vlan100-mgmt lease-time=1d name=dhcp100
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment="Trunk port to sodola switch" frame-types=\
    admit-only-vlan-tagged interface=ether1
add bridge=bridge comment="port for mgmt vlan direct access" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wifi1 pvid=20 ## ?????
add bridge=bridge comment=defconf interface=wifi2 pvid=20 ## ????? is it correct with pvid=20 here? Guest wifi works, but direct wifi to vlan20 subnet does not work at the moment
/ip neighbor discovery-settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set discover-interface-list=MGMT
/ipv6 settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment="vlan bridge port for mgmt" tagged=ether1,bridge \
    untagged=ether2 vlan-ids=100
add bridge=bridge comment="vlan bridge port for guest" tagged=ether1,bridge \
    vlan-ids=10
add bridge=bridge comment="vlan bridge port for trusted" tagged=ether1,bridge \
    vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
add interface=vlan100-mgmt list=LAN
add interface=vlan100-mgmt list=MGMT
add interface=wifi1 list=LAN
add interface=wifi2 list=LAN
add interface=wifi-guest1 list=GUEST
add interface=vlan10-guests list=GUEST
add interface=wifi-guest2 list=GUEST
add interface=vlan20-trusted list=LAN
add interface=vlan10-guests list=LAN
/ip address
add address=10.10.0.1/16 comment="Guest Address" interface=vlan10-guests \
    network=10.10.0.0
add address=10.20.0.1/16 comment="Trusted Address" interface=vlan20-trusted \
    network=10.20.0.0
add address=10.100.0.1/16 comment="Mgmt Address" interface=vlan100-mgmt \
    network=10.100.0.0
/ip dhcp-client
add comment="enable dhcp client for WAN" interface=ether5
/ip dhcp-server network
add address=10.10.0.0/16 comment="Guest Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.10.0.1
add address=10.20.0.0/16 comment="Trusted Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.20.0.1
add address=10.100.0.0/16 comment="Mgmt Network" dns-server=1.1.1.1,1.0.0.1 \
    domain=chriy.de gateway=10.100.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=MGMT
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=internet in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="admin to all vlans" \
    in-interface-list=MGMT out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes in-interface-list=MGMT \
    out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT