Struggling to create a VLAN that can access the internet

Hi, bit of a newbie question here but I've wasted two days trying to do this already so figured it might be time to ask for some help...

The laptop that I am testing all of this on is directly connected to the third ethernet port (ether3) on the hEX S and I manage it over SSH in the terminal on this device too. My ultimate goal is to create a VLAN that can manage the hEX S over SSH and access the internet as per usual from ether3 and prevent devices not connected to ether3 from tampering with the hEX S.

Essentially,
Ethernet port 3 - Able to manage the hEX S and access the internet
Ethernet port(s) 2,4,5 - Unable to access the hEX but can still access the internet

So far I have failed at the first step - getting internet. I've started from default settings and here is everything that I've added so far:

[admin@hEX] /interface/bridge> print
Flags: Y - MANAGED; D - DYNAMIC; X - DISABLED, R - RUNNING 
 0   R ;;; defconf
       name="bridge" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto 
       mac-address=D0:EA:11:5D:83:BF protocol-mode=rstp fast-forward=yes igmp-snooping=no 
       auto-mac=no admin-mac=D0:EA:11:5D:83:BF ageing-time=5m priority=0x8000 
       max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no 
       dhcp-snooping=no dhcpv6-snooping=no ra-guard=no port-cost-mode=long 
       max-learned-entries=auto mlag-peer-port=none mlag-priority=128 mlag-heartbeat=5s 
[admin@hEX] /interface/bridge/port> print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, HORIZON, TRUSTED, TRUSTED-RA, TRUSTED-DHCPV6, FAST-LEAVE, 
         BPDU-GUARD, EDGE, POINT-TO-POINT, PVID
#    INTERFACE  BRIDGE  HW   HORIZON  TRUSTED  TRUSTED-RA  TR  FA  BP  EDGE  POIN  PVID
;;; defconf
0 IH ether2     bridge  yes  none     no       no          no  no  no  auto  auto     1
;;; defconf
1  H ether3     bridge  yes  none     no       no          no  no  no  auto  auto    10
;;; defconf
2  H ether4     bridge  yes  none     no       no          no  no  no  auto  auto     1
;;; defconf
3  H ether5     bridge  yes  none     no       no          no  no  no  auto  auto     1
;;; defconf
4 I  sfp1       bridge  yes  none     no       no          no  no  no  auto  auto     1
[admin@hEX] /interface/bridge/vlan> print detail
Flags: Y - MANAGED; X - DISABLED, D - DYNAMIC 
 0    bridge=bridge vlan-ids=10 tagged=bridge untagged=ether3 mvrp-forbidden="" current-tagged=""
      current-untagged="" 
[admin@hEX] /ip/address> print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE, VRF
#   ADDRESS          NETWORK       INTERFACE   VRF 
;;; defconf
0   192.168.88.1/24  192.168.88.0  bridge      main
1 D 192.168.1.80/24  192.168.1.0   ether1      main
2   10.10.10.1/24    10.10.10.0    management  main
[admin@hEX] /ip/dhcp-server/network> print
Columns: ADDRESS, GATEWAY, DNS-SERVER
# ADDRESS          GATEWAY       DNS-SERVER  
0 10.10.10.0/24    10.10.10.1    10.10.10.1  
;;; defconf
1 192.168.88.0/24  192.168.88.1  192.168.88.1
[admin@hEX] /ip/firewall/filter> print
Flags: X - DISABLED, I - INVALID; D - DYNAMIC 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept src-address=127.0.0.1 dst-address=127.0.0.1 in-interface=lo 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

10    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

11    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN 

12    chain=forward action=accept in-interface=management out-interface-list=WAN 


[admin@hEX] /ip/firewall/nat> print
Flags: X - DISABLED, I - INVALID; D - DYNAMIC 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 1    chain=srcnat action=masquerade out-interface=management 

To test my configurations, I will always turn on safe mode, then enable vlan-filtering in /interface/bridge. When I execute this command, my laptop remains connected to the ethernet network and, as expected, I am kicked out of SSH; however, I cannot access the internet. Any attempt to look anything up fails.

I really can't figure out where I'm going wrong. If someone could point out what needs fixing, I would really appreciate it. At the moment, I'd just like to focus on getting internet working.

Do you need the vlan? If you are going to isolate port 3 just for management I think the vlan is redundant. You could just remove it from the bridge.

Also, since both subnets would be accessing the internet through the same wan port the one masquerade rule should work fine.

I would start with the management subnet and a DHCP server for it on port 3, and test for internet from port 3 to make sure that's working. Then I'd go in and set up the services to only allow connection from the management subnet. After that I'd add in whatever rule I wanted in terms of the management subnet talking to the main network subnet and vice versa. Presumably you could just drop the traffic between the two subnets, but you might want something different there, IDK.

Oh, and after you get all that working you might also want to specify port 3 for the winbox server so no one could connect by MAC on the other ports using winbox.

HTH

To be honest, your solution sounds a lot nicer than what I'm doing right now. I'll definitely look into this once I clear this mess up so thanks for suggesting it.

Apart from the masquerade rule, did anything else stand out to you that needs correcting? Maybe this is just sunk cost fallacy at this point, but I already feel like a complete n00b not knowing how to set up a VLAN after two whole days... I cannot walk away from this empty handed 🥲.

As suggested, both having your management access physically restricted to certain ports (if I understand correctly what you're trying to do) and setting up VLANs are worthwhile things, but they are sort of orthogonal.

What I see lots of people initially flailing about with is that in networking there is a sort of construction and hierarchy of building blocks, and going against this leads to frustration. This also means that a lot of things that start with "I simply want..." are not really easy or even possible, and it's much more useful to rephrase these asks in the established paradigms. (I put this plainly, but it's not my intention to be hurtful.)

The point here is that IP firewalling (which is about restricting who can talk to whom, essentially what you want) happens at the IP (layer 3) level of the networking stack. Specifying things by "which port can do what" is therefore not really useful for this: the more aligned way of thinking is: which network should have access to which others.

Therefore you will want to have your ether3 port not be a part of your default (192.168.88.0/24 as factory default) network, but create another, let's say "admin" network.

The easiest way to do this is without using vlans (it's perfectly okay with vlans as well - it's just easier to do it first without involving them.) You simply:

  • remove ether3 from the bridge
  • add an address on that port directly, thereby creating the new network, /ip address add interface=ether3 address=192.168.90.1/24
  • if you're running on the default configuration, you'll have to add ether3 to the LAN interface list

Now, if you configure an address on your PC manually, such as 192.168.90.10/24, you'll have access to both the admin interface and the Internet.

If you don't want to have to add the address manually, you can go on to configure a DHCP server for this new network on ether3.

This obviously does nothing to restrict admin access from the non-ether3-connected devices, but now you can modify your firewall rules to your liking to restrict access any way you wish.
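The two replies above describe one procedure between them: take ether3 off the bridge and give it its own "admin" network, then lock the management services and MAC-based Winbox/telnet access to that network, and finally decide what the two subnets may say to each other. The script below is an added example written for this thread; it is not either poster's configuration and not part of the original thread. It assumes a default-config hEX S on RouterOS v7, 192.168.90.0/24 as the admin network, a DHCP pool named admin-pool, a DHCP server named admin-dhcp, and an interface list named ADMIN; all of those names and addresses are the example's own choices.

```routeros
# Added example for the thread above (not the original poster's or repliers' config).
# Assumed: default hEX S config, RouterOS v7, admin network 192.168.90.0/24 on ether3,
# pool "admin-pool", DHCP server "admin-dhcp", interface list "ADMIN".
# Enter safe mode (Ctrl-X) first and test from the ether3-connected laptop before leaving it.

# 1. Take ether3 out of the bridge so it becomes a standalone layer-3 port.
/interface bridge port remove [find interface=ether3]

# 2. Put an address on ether3 directly; this creates the admin network.
/ip address add interface=ether3 address=192.168.90.1/24 comment="admin network"

# 3. The default input chain only accepts traffic from the LAN list (rule "drop all not
#    coming from LAN"), so ether3 must be a LAN member or the router will not answer it.
/interface list member add list=LAN interface=ether3

# 4. Optional: DHCP for the admin network so the laptop needs no static address.
/ip pool add name=admin-pool ranges=192.168.90.10-192.168.90.50
/ip dhcp-server add name=admin-dhcp interface=ether3 address-pool=admin-pool disabled=no
/ip dhcp-server network add address=192.168.90.0/24 gateway=192.168.90.1 dns-server=192.168.90.1

# The default masquerade rule (out-interface-list=WAN) already covers the new subnet,
# so no second srcnat rule is needed for it.

# 5. Limit the management services to the admin subnet. Verify from ether3 that SSH
#    still works before leaving safe mode; a typo here locks you out of every port.
/ip service set ssh address=192.168.90.0/24
/ip service set winbox address=192.168.90.0/24
/ip service set www address=192.168.90.0/24
# Plaintext services that are not in use should simply be off.
/ip service disable telnet,ftp

# 6. MAC-based Winbox/telnet bypasses the IP address restriction above, so pin it
#    to the admin port as well (the first reply's point about Winbox by MAC).
/interface list add name=ADMIN
/interface list member add list=ADMIN interface=ether3
/tool mac-server set allowed-interface-list=ADMIN
/tool mac-server mac-winbox set allowed-interface-list=ADMIN

# 7. Keep the two LANs apart: ether2/4/5 keep their Internet access but cannot open
#    connections into the admin network. The default forward chain has no final
#    catch-all accept, so an appended drop catches the new connections.
/ip firewall filter add chain=forward action=drop src-address=192.168.88.0/24 \
    dst-address=192.168.90.0/24 comment="no main LAN -> admin LAN"
```

Steps 1 to 3 are the whole "getting internet" part; everything after them is the hardening the first reply talks about. Since ether3 is no longer on the bridge, devices on ether2/4/5 never share a layer-2 segment with the admin port, which is why the IP-level rules in steps 5 and 7 are enough to keep them away from the router's management plane.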