Struggling with bridge/VLAN configuration

RouterOS Beginner Basics
1

Hello all,

I am currently using an RB5009 and have ether5-8 configured with separate subnets for network segments in my home. All is working great. What I want to do, is keep the current port setup while also setting my sfp port to function as a “trunk” for all the subnets and go directly into my switch. This way, a device directly connected to the router will only get assigned an ip for the subnet to which the port is configured, and the sfp will be able to pass all traffic to the switch which is configured with access ports. I know I need a bridge to accomplish what I am trying to do but keep screwing it up. Can someone help illuminate me? I’m sure it’s crazy simple but the switch and VLAN part of MikroTik still boggles my brain. Please fell free to point out any other stupid things you see in my config.

Current config is as follows:

# dec/26/2021 14:45:29 by RouterOS 7.1.1
# software id = 7ZLE-935S
#
# model = RB5009UG+S+
# serial number = 
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether5 ] name=ether5_LAN
set [ find default-name=ether6 ] name=ether6_KIDS
set [ find default-name=ether7 ] name=ether7_CAMERA
set [ find default-name=ether8 ] name=ether8_DMZ
/interface wireguard
add listen-port=30752 mtu=1420 name=Mullvad
add listen-port=51820 mtu=1420 name="Remote Access Wireguard"
add listen-port=51822 mtu=1420 name=Utah
/interface list
add name=WAN
add name=LAN
add name=VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN_POOL ranges=10.20.2.100-10.20.2.254
add name=KIDS_POOL ranges=10.20.20.100-10.20.20.254
add name=CAMERAS_POOL ranges=10.20.40.100-10.20.40.254
add name=DMZ_POOL ranges=10.20.80.100-10.20.80.254
/ip dhcp-server
add address-pool=LAN_POOL interface=ether5_LAN lease-time=8h name=LAN
add address-pool=KIDS_POOL interface=ether6_KIDS lease-time=8h name=KIDS
add address-pool=CAMERAS_POOL interface=ether7_CAMERA lease-time=8h name=\
    Cameras
add address-pool=DMZ_POOL interface=ether8_DMZ lease-time=8h name=DMZ
/queue type
add kind=fq-codel name=fqcodel
/queue simple
add max-limit=40M/30M name=Mullvad_fqcodel queue=fqcodel/fqcodel target=\
    Mullvad total-queue=fqcodel
add max-limit=30M/15M name=Utah_fqcodel queue=fqcodel/fqcodel target=Utah \
    total-queue=fqcodel
add max-limit=60M/35M name=WAN_fqcodel queue=fqcodel/fqcodel target=\
    ether1_WAN total-queue=fqcodel
/routing table
add disabled=no fib name=Utah
add disabled=no fib name=Mullvad
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether5_LAN list=VLANS
add interface=ether1_WAN list=WAN
add interface=ether6_KIDS list=VLANS
add interface=ether7_CAMERA list=VLANS
add interface="Remote Access Wireguard" list=VLANS
add interface=Mullvad list=WAN
add interface=Utah list=VLANS
add interface=ether8_DMZ list=VLANS
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=136.36.56.240 endpoint-port=\
    51822 interface=Utah persistent-keepalive=30s public-key=\
    "UOKuHFY1WhC6b2beXIQGmivsFuXtqY9g8KNd6eC5qTc="
add allowed-address=0.0.0.0/0 endpoint-address=86.106.143.145 endpoint-port=\
    51820 interface=Mullvad persistent-keepalive=30s public-key=\
    "JQo2XN042FQbMrpvRMpEoA+CpqhRESeSWjkNB+k41Ds="
add allowed-address=10.103.103.2/32 interface="Remote Access Wireguard" \
    public-key="S0v2v7bRuzOnzcuC35IOTqEoq7TFXZAeLuXMcqgneC0="
/ip address
add address=10.20.2.1/24 interface=ether5_LAN network=10.20.2.0
add address=10.20.20.1/24 interface=ether6_KIDS network=10.20.20.0
add address=10.20.40.1/24 interface=ether7_CAMERA network=10.20.40.0
add address=10.20.80.1/24 interface=ether8_DMZ network=10.20.80.0
add address=10.102.102.2 interface=Utah network=10.102.102.1
add address=10.64.111.167 interface=Mullvad network=10.64.111.167
add address=10.103.103.1/24 interface="Remote Access Wireguard" network=\
    10.103.103.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m update-time=no
/ip dhcp-client
add interface=ether1_WAN use-peer-dns=no
/ip dhcp-server lease
add address=10.20.2.54 mac-address=94:9F:3E:A0:10:D0 server=LAN
add address=10.20.20.30 mac-address=10:09:F9:17:CB:1C server=KIDS
add address=10.20.20.31 mac-address=74:E2:0C:75:AF:EB server=KIDS
add address=10.20.20.5 mac-address=74:40:BB:AA:46:51 server=KIDS
add address=10.20.20.21 mac-address=B8:63:4D:9D:54:D7 server=KIDS
add address=10.20.20.10 mac-address=8A:15:12:11:7C:89 server=KIDS
add address=10.20.20.11 mac-address=E6:9D:EF:E8:9C:FA server=KIDS
add address=10.20.20.20 mac-address=22:9F:07:C6:AA:B5 server=KIDS
add address=10.20.20.18 mac-address=68:5A:CF:00:22:4C server=KIDS
add address=10.20.20.23 mac-address=9C:DA:3E:AD:E1:84 server=KIDS
add address=10.20.20.15 mac-address=B8:63:4D:B7:FE:0F server=KIDS
add address=10.20.2.13 mac-address=F0:9F:C2:C3:16:DE server=LAN
add address=10.20.2.12 mac-address=80:2A:A8:DE:F4:4A server=LAN
add address=10.20.2.21 mac-address=80:2A:A8:96:41:CB server=LAN
add address=10.20.2.23 mac-address=74:AC:B9:B0:4C:4A server=LAN
add address=10.20.2.9 mac-address=F0:B3:EC:2A:09:C9 server=LAN
add address=10.20.2.10 mac-address=74:83:C2:79:9F:3D server=LAN
add address=10.20.2.55 mac-address=94:9F:3E:FE:BF:A8 server=LAN
add address=10.20.2.8 mac-address=1C:12:B0:66:D9:F3 server=LAN
add address=10.20.2.20 mac-address=80:2A:A8:53:77:89 server=LAN
add address=10.20.2.22 mac-address=74:AC:B9:B0:4B:EE server=LAN
add address=10.20.2.57 mac-address=94:9F:3E:FE:CF:D8 server=LAN
add address=10.20.2.51 mac-address=94:9F:3E:FE:CB:B0 server=LAN
add address=10.20.2.50 mac-address=94:9F:3E:FE:D1:EC server=LAN
add address=10.20.2.56 mac-address=94:9F:3E:FE:D3:B2 server=LAN
add address=10.20.2.52 mac-address=94:9F:3E:FE:C0:B2 server=LAN
add address=10.20.2.15 mac-address=CC:32:E5:73:FF:EE server=LAN
add address=10.20.2.11 mac-address=80:2A:A8:1D:A1:3F server=LAN
add address=10.20.2.3 mac-address=60:6D:3C:17:00:FD server=LAN
add address=10.20.2.5 mac-address=00:11:32:21:53:FD server=LAN
add address=10.20.2.6 mac-address=00:88:2A:E8:33:B7 server=LAN
add address=10.20.2.4 mac-address=44:09:B8:51:F4:E0 server=LAN
add address=10.20.2.53 mac-address=78:28:CA:53:1D:91 server=LAN
add address=10.20.20.22 mac-address=9C:DA:3E:AE:5D:9E server=KIDS
add address=10.20.80.5 client-id=1:bc:83:85:7e:a7:85 mac-address=\
    BC:83:85:7E:A7:85 server=DMZ
add address=10.20.2.70 client-id=1:46:60:f1:80:43:be mac-address=\
    46:60:F1:80:43:BE server=LAN
add address=10.20.2.71 client-id=1:b8:31:b5:92:69:d2 mac-address=\
    B8:31:B5:92:69:D2 server=LAN
add address=10.20.2.72 client-id=1:54:8c:a0:df:b6:4b mac-address=\
    54:8C:A0:DF:B6:4B server=LAN
add address=10.20.40.30 client-id=1:fc:ec:da:1f:5f:c8 mac-address=\
    FC:EC:DA:1F:5F:C8 server=Cameras
add address=10.20.2.73 client-id=1:a0:78:17:a4:6f:55 mac-address=\
    A0:78:17:A4:6F:55 server=LAN
/ip dhcp-server network
add address=10.20.2.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
    gateway=10.20.2.1
add address=10.20.20.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
    gateway=10.20.20.1
add address=10.20.40.0/24 dns-server=10.20.40.1 domain=mikrotik.overseas \
    gateway=10.20.40.1
add address=10.20.80.0/24 dns-server=10.20.80.1 domain=mikrotik.overseas \
    gateway=10.20.80.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.2.0/24 comment="Local Subnets" list="Local Subnets"
add address=10.10.1.0/24 comment="Utah Subnets" list="Utah Subnets"
add address=10.10.10.0/24 list="Utah Subnets"
add address=10.10.30.0/24 list="Utah Subnets"
add address=10.10.50.0/24 list="Utah Subnets"
add address=10.20.20.0/24 list="Local Subnets"
add address=10.20.80.0/24 list="Local Subnets"
add address=10.20.20.10 comment="Kids Devices" list=KidsDevices
add address=10.20.20.11 list=KidsDevices
add address=10.20.20.22 list=KidsDevices
add address=10.20.20.23 list=KidsDevices
add address=10.20.20.20 list=KidsDevices
add address=10.20.20.21 list=KidsDevices
add address=10.20.20.22 comment="Kids Laptops" list="Kids Laptops"
add address=10.20.20.23 list="Kids Laptops"
add address=10.20.2.50 comment=Sonos list=Sonos
add address=10.20.2.3 comment=Streaming list=Streaming
add address=192.168.88.0/24 list="Local Subnets"
add address=10.20.20.0/24 comment="Kids Network" list="Kids Network"
add address=10.20.2.0/24 comment="Local Trusted Subnet" list=\
    "Local Trusted Network"
add address=10.20.2.4 list=Streaming
add address=10.20.2.8 list=Streaming
add address=10.20.2.9 list=Streaming
add address=10.20.2.51 list=Sonos
add address=10.20.2.52 list=Sonos
add address=10.20.2.53 list=Sonos
add address=10.20.2.54 list=Sonos
add address=10.20.2.55 list=Sonos
add address=10.20.2.56 list=Sonos
add address=10.20.2.57 list=Sonos
add address=10.102.102.0/24 comment="Utah Wireguard" list="Utah Wireguard"
add address=10.20.20.30 list=Streaming
add address=10.20.20.31 list=Streaming
add address=10.20.2.7 list=Streaming
add address=10.103.103.0/24 list="Local Subnets"
add address=10.20.2.70 comment="Management devices" list="Management Devices"
add address=10.20.2.71 list="Management Devices"
add address=10.20.2.72 list="Management Devices"
add address=10.20.2.73 list="Management Devices"
add address=10.20.80.0/24 comment="DMZ network" list=DMZ
add address=10.103.103.0/24 list="Management Devices"
add address=10.20.40.0/24 comment=Cameras list=Cameras
add address=10.20.40.0/24 list="Local Subnets"
/ip firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="management devices to router" \
    connection-state="" src-address-list="Management Devices"
add action=accept chain=input comment="allow ssh" dst-port=55512 protocol=tcp
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="remote access wireguard" dst-port=\
    51820 in-interface=ether1_WAN protocol=udp
add action=accept chain=input comment="utah wireguard" dst-port=51822 \
    in-interface=ether1_WAN protocol=udp
add action=accept chain=input comment="DNS " dst-port=53 in-interface-list=\
    VLANS protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=VLANS protocol=\
    udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=\
    VLANS protocol=udp
add action=drop chain=input comment="drop everything else" log-prefix=\
    "drop all"
add action=accept chain=forward comment="allow established and related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="remote wireguard" in-interface=\
    "Remote Access Wireguard"
add action=accept chain=forward comment="LAN firewall" dst-address-list=!DMZ \
    in-interface=ether5_LAN
add action=accept chain=forward comment="kids firewall" dst-address=10.20.2.6 \
    dst-port=53 in-interface=ether6_KIDS protocol=tcp
add action=accept chain=forward dst-address=10.20.2.6 dst-port=53 \
    in-interface=ether6_KIDS protocol=udp
add action=accept chain=forward in-interface=ether6_KIDS out-interface=Utah \
    src-address-list=Streaming
# inactive time
add action=accept chain=forward in-interface=ether6_KIDS out-interface=\
    ether1_WAN time=5h-20h30m,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="cameras firewall" dst-address=\
    10.20.2.10 in-interface=ether7_CAMERA
add action=accept chain=forward comment="DMZ firewall" in-interface=\
    ether8_DMZ out-interface=ether1_WAN
add action=drop chain=forward comment="drop everything else" log-prefix=\
    "drop all"
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list="Local Subnets" \
    new-routing-mark=main passthrough=no src-address=10.103.103.0/24
add action=mark-routing chain=prerouting dst-address-list="Utah Subnets" \
    new-routing-mark=Utah passthrough=no src-address-list=\
    "Local Trusted Network"
add action=mark-routing chain=prerouting new-routing-mark=Utah passthrough=no \
    src-address-list=Streaming
add action=mark-routing chain=prerouting new-routing-mark=main passthrough=no \
    src-address-list="Local Subnets"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Mullvad pref-src="" \
    routing-table=Mullvad scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.1.0/24 gateway=Utah pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=Utah pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.30.0/24 gateway=Utah pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.10.50.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Utah routing-table=\
    Utah scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=55512
set api disabled=yes
set winbox address=10.20.0.0/16,10.103.103.0/24
set api-ssl disabled=yes
/ip smb shares
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Kuwait
/system identity
set name=RB5009overseas
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
add address=0.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=VLANS
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
2

The Quick and dirty explanation ist ,

You will need to create a bridge and assign all LAN-Interfaces to it.
Create and Assign VLAN`s to bridge insteed of ether-Ports

You can use Bridge VLAN-Filtering to limit the VLAN`s to specific Port and/or create Trunk-Ports

3

Do you need more help?

Do you know how to configure the bridge & VLAN-Filtering..
or do you need a step-by-Step guide?

4

Step 0: Management Port
It`s quite common to lock yourself out, while configuring
a Bridge with VLAN-Filtering.

So I recommend connection via a PORT, that isnt being assigned to the bridge and isnt Block by Firewall and Co.



Step 1: Create Bridge

/interface bridge
add name=bridge1

Step 2: Create and Assign VLAN

/interface vlan
add comment=LAN interface=bridge1 name=bridge1_vlan100 vlan-id=100
add comment=KIDS interface=bridge1 name=bridge1_vlan200 vlan-id=200
add comment=CAMERA interface=bridge1 name=bridge1_vlan300 vlan-id=300
add comment=DMZ interface=bridge1 name=bridge1_vlan400 vlan-id=400

Step 3: Reassign IP-Address

/ip/address/set [find interface=ether5_LAN] interface=bridge1_vlan100
/ip/address/set [find interface=ether6_KIDS] interface=bridge1_vlan200
/ip/address/set [find interface=ether7_CAMERA] interface=bridge1_vlan300
/ip/address/set [find interface=ether8_DMZ] interface=bridge1_vlan400

Step 4: Reassign DHCP-Servers

/ip/dhcp-server/set [find where interface=ether5_LAN] interface=bridge1_vlan100
/ip/dhcp-server/set [find where interface=ether6_KIDS] interface=bridge1_vlan200
/ip/dhcp-server/set [find where interface=ether7_CAMERA] interface=bridge1_vlan300
/ip/dhcp-server/set [find where interface=ether8_DMZ] interface=bridge1_vlan400

Step 5: Reassign VLANS list-Member

/interface/list/member/add interface=bridge1_vlan100 list=VLANS
/interface/list/member/add interface=bridge1_vlan200 list=VLANS
/interface/list/member/add interface=bridge1_vlan300 list=VLANS
/interface/list/member/add interface=bridge1_vlan400 list=VLANS
/interface/list/member/remove [find where interface=ether5_LAN]
/interface/list/member/remove [find where interface=ether6_KIDS]
/interface/list/member/remove [find where interface=ether7_CAMERA]
/interface/list/member/remove [find where interface=ether8_DMZ]

Step 6: Configure VLAN-Filtering Rules

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether5_LAN vlan-ids=100
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether6_KIDS vlan-ids=200
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether7_CAMERA vlan-ids=300
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether8_DMZ vlan-ids=400

Step 7: Assign Bridge-Port interfaces

/interface bridge port
add bridge=bridge1 interface=ether5_LAN pvid=100
add bridge=bridge1 interface=ether6_KIDS pvid=200
add bridge=bridge1 interface=ether7_CAMERA pvid=300
add bridge=bridge1 interface=ether8_DMZ pvid=400
add bridge=bridge1 interface=sfp-sfpplus1

Step 8: Activate VLAN-Filtering

/interface/bridge/set [find where name=bridge1] vlan-filtering=yes
5

Connie you outdid yourself. I was happy to play around some more and send you updates as I continued to break things. :winking_face_with_tongue: Sorry for the disappearance on my part. Life happened. Give me a bit to digest what you’ve provided and try to implement and I’ll get back to you with my success or failure(s). One thing I’ll ask right off is if there are any special tweaks required due to the fact that my LAN uses VLAN1. I saw your example of putting LAN on VLAN100 but alas my UniFi switches and all expect to find VLAN1. Does that change any of your provided config?

6

Connie you outdid yourself.

No Problem,
I had some spare time!
i’m glad to help =)


LAN uses VLAN1

Its usually “Best Practice” not to mix Untagged and Tagged Networks…
Network without tags aka VLAN 1 , will make it more difficult to learn/understand VLANs.

But it is possible…

Reading material :
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
http://forum.mikrotik.com/t/avoiding-vlan1-on-bridge/127683/1

7

Yeah, I hear you on the tagged/untagged network issue. That’s what I get for starting this adventure using UniFi. Does a lot for you but does a number of things wrong for the sake of simplicity. Major hindsight issues going on for me but had no idea when I started that there were such diverging views on some of these issues.

8

This is how you need to modify your original config for Network “LAN” to be unttagged.
The trick is to assign everything to the “bridge1” interface and not a a “bridge1_vlan1”

Step 1: Create Bridge

/interface bridge
add name=bridge1

Step 2: Create and Assign VLAN

/interface vlan
add comment=KIDS interface=bridge1 name=bridge1_vlan200 vlan-id=200
add comment=CAMERA interface=bridge1 name=bridge1_vlan300 vlan-id=300
add comment=DMZ interface=bridge1 name=bridge1_vlan400 vlan-id=400

Step 3: Reassign IP-Address

/ip/address/set [find interface=ether5_LAN] interface=bridge1
/ip/address/set [find interface=ether6_KIDS] interface=bridge1_vlan200
/ip/address/set [find interface=ether7_CAMERA] interface=bridge1_vlan300
/ip/address/set [find interface=ether8_DMZ] interface=bridge1_vlan400

Step 4: Reassign DHCP-Servers

/ip/dhcp-server/set [find where interface=ether5_LAN] interface=bridge1
/ip/dhcp-server/set [find where interface=ether6_KIDS] interface=bridge1_vlan200
/ip/dhcp-server/set [find where interface=ether7_CAMERA] interface=bridge1_vlan300
/ip/dhcp-server/set [find where interface=ether8_DMZ] interface=bridge1_vlan400

Step 5: Reassign VLANS list-Member

/interface/list/member/add interface=bridge1 list=VLANS
/interface/list/member/add interface=bridge1_vlan200 list=VLANS
/interface/list/member/add interface=bridge1_vlan300 list=VLANS
/interface/list/member/add interface=bridge1_vlan400 list=VLANS
/interface/list/member/remove [find where interface=ether5_LAN]
/interface/list/member/remove [find where interface=ether6_KIDS]
/interface/list/member/remove [find where interface=ether7_CAMERA]
/interface/list/member/remove [find where interface=ether8_DMZ]

Step 6: Configure VLAN-Filtering Rules

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether6_KIDS vlan-ids=200
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether7_CAMERA vlan-ids=300
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether8_DMZ vlan-ids=400

Step 7: Assign Bridge-Port interfaces

/interface bridge port
add bridge=bridge1 interface=ether5_LAN
add bridge=bridge1 interface=ether6_KIDS pvid=200
add bridge=bridge1 interface=ether7_CAMERA pvid=300
add bridge=bridge1 interface=ether8_DMZ pvid=400
add bridge=bridge1 interface=sfp-sfpplus1

Step 8: Activate VLAN-Filtering

/interface/bridge/set [find where name=bridge1] vlan-filtering=yes
9

Conny thanks again for all your verbose assistance. I really appreciate it and can confirm that everything is running at this time albeit I want to get the LAN on a VLAN as well and have an underlying MGMT VLAN for the infrastructure. The UniFi stuff is so needy though that I’m not sure if I have the resolve to deal with it. Trying to think of a good, painless way, to do things but I find myself wincing at one point or another. I’ll think about it a bit more but, in the meantime, thank you yet again for the assistance.

10

you are welcome and Happy Holidays!

11

Well I thought I had this working but I appear not to be able to get DHCP on any of the subnets except for LAN_VLAN. I can’t figure out what is wrong. Anyone able to help point out my error? I do note that on the Brige → Ports, it shows that ether5_LAN is the root port and the others are alternate ones. ??? That doesn’t make sense to me as ether6-8 are untagged for separate subnets. Config below minus a few of the unnecessary parts so as to keep things focused.

# dec/29/2021 21:58:02 by RouterOS 7.1.1
# software id = 7ZLE-935S
#
# model = RB5009UG+S+
# serial number = 
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_BadLan
set [ find default-name=ether5 ] name=ether5_LAN
set [ find default-name=ether6 ] name=ether6_KIDS
set [ find default-name=ether7 ] name=ether7_CAMERAS
set [ find default-name=ether8 ] name=ether8_DMZ
/interface wireguard
add listen-port=30752 mtu=1420 name=Mullvad
add listen-port=51820 mtu=1420 name="Remote Access Wireguard"
add listen-port=51822 mtu=1420 name=Utah
/interface vlan
add interface=bridge1 name=CAMERAS_VLAN vlan-id=40
add interface=bridge1 name=DMZ_VLAN vlan-id=80
add interface=bridge1 name=KIDS_VLAN vlan-id=20
add interface=bridge1 name=LAN_VLAN vlan-id=2
/interface list
add name=WAN
add name=LAN
add name=VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN_POOL ranges=10.20.2.100-10.20.2.254
add name=KIDS_POOL ranges=10.20.20.100-10.20.20.254
add name=DMZ_POOL ranges=10.20.80.100-10.20.80.254
add name=CAMERAS_POOL ranges=10.20.40.100-10.20.40.254
add name=dhcp_pool6 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=LAN_POOL interface=LAN_VLAN lease-time=8h name=LAN
add address-pool=KIDS_POOL interface=KIDS_VLAN lease-time=8h name=KIDS
add address-pool=DMZ_POOL interface=DMZ_VLAN lease-time=8h name=DMZ
add address-pool=CAMERAS_POOL interface=CAMERAS_VLAN lease-time=8h name=\
    CAMERAS
add address-pool=dhcp_pool6 interface=ether2_BadLan name=dhcp1
/queue type
add kind=fq-codel name=fqcodel
/queue simple
add max-limit=40M/30M name=Mullvad_fqcodel queue=fqcodel/fqcodel target=\
    Mullvad total-queue=fqcodel
add max-limit=30M/15M name=Utah_fqcodel queue=fqcodel/fqcodel target=Utah \
    total-queue=fqcodel
add max-limit=60M/35M name=WAN_fqcodel queue=fqcodel/fqcodel target=\
    ether1_WAN total-queue=fqcodel
/routing table
add disabled=no fib name=Utah
add disabled=no fib name=Mullvad
/interface bridge port
add bridge=bridge1 interface=ether5_LAN pvid=2
add bridge=bridge1 interface=ether6_KIDS pvid=20
add bridge=bridge1 interface=ether7_CAMERAS pvid=40
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=ether8_DMZ pvid=80
/ip neighbor discovery-settings
set discover-interface-list=!WAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 untagged=ether5_LAN vlan-ids=2
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 untagged=ether6_KIDS vlan-ids=\
    20
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 untagged=ether7_CAMERAS \
    vlan-ids=40
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1 untagged=ether8_DMZ vlan-ids=\
    80
/interface list member
add interface=ether1_WAN list=WAN
add interface="Remote Access Wireguard" list=VLANS
add interface=Mullvad list=WAN
add interface=Utah list=VLANS
add interface=CAMERAS_VLAN list=VLANS
add interface=DMZ_VLAN list=VLANS
add interface=KIDS_VLAN list=VLANS
add interface=LAN_VLAN list=VLANS
/ip address
add address=10.20.2.1/24 interface=LAN_VLAN network=10.20.2.0
add address=10.20.20.1/24 interface=KIDS_VLAN network=10.20.20.0
add address=10.20.80.1/24 interface=DMZ_VLAN network=10.20.80.0
add address=10.102.102.2 interface=Utah network=10.102.102.1
add address=10.64.111.167 interface=Mullvad network=10.64.111.167
add address=10.103.103.1/24 interface="Remote Access Wireguard" network=\
    10.103.103.0
add address=10.20.40.1/24 interface=CAMERAS_VLAN network=10.20.40.0
add address=192.168.20.1/24 interface=ether2_BadLan network=192.168.20.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m update-time=no
/ip dhcp-client
add interface=ether1_WAN use-peer-dns=no
/ip dhcp-server network
add address=10.20.2.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
    gateway=10.20.2.1
add address=10.20.20.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
    gateway=10.20.20.1
add address=10.20.40.0/24 dns-server=10.20.40.1 domain=mikrotik.overseas \
    gateway=10.20.40.1
add address=10.20.80.0/24 dns-server=10.20.80.1 domain=mikrotik.overseas \
    gateway=10.20.80.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="management devices to router" \
    connection-state="" src-address-list="Management Devices"
add action=accept chain=input comment="allow ssh" dst-port=55512 protocol=tcp
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="remote access wireguard" dst-port=\
    51820 in-interface=ether1_WAN protocol=udp
add action=accept chain=input comment="utah wireguard" dst-port=51822 \
    in-interface=ether1_WAN protocol=udp
add action=accept chain=input comment="DNS " dst-port=53 in-interface-list=\
    VLANS protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=VLANS protocol=\
    udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=\
    VLANS protocol=udp
add action=drop chain=input comment="drop everything else" log-prefix=\
    "drop all"
add action=accept chain=forward comment="allow established and related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    log=yes log-prefix=forward_invalid
add action=accept chain=forward comment="remote wireguard" in-interface=\
    "Remote Access Wireguard"
add action=accept chain=forward comment="LAN firewall" dst-address-list=!DMZ \
    in-interface=LAN_VLAN log-prefix=LAN
add action=accept chain=forward comment="kids firewall" dst-address=10.20.2.6 \
    dst-port=53 in-interface=KIDS_VLAN protocol=tcp
add action=accept chain=forward dst-address=10.20.2.6 dst-port=53 \
    in-interface=KIDS_VLAN protocol=udp
add action=accept chain=forward in-interface=KIDS_VLAN out-interface=Utah \
    src-address-list=Streaming
add action=accept chain=forward in-interface=KIDS_VLAN out-interface=\
    ether1_WAN
add action=accept chain=forward comment="Cameras firewall" dst-address=\
    10.20.2.10 in-interface=CAMERAS_VLAN log-prefix=cameras_NVR
add action=accept chain=forward comment="DMZ firewall" in-interface=DMZ_VLAN \
    out-interface=ether1_WAN
add action=drop chain=forward comment="drop everything else" log-prefix=\
    "drop all"
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list="Local Subnets" \
    new-routing-mark=main passthrough=no src-address=10.103.103.0/24
add action=mark-routing chain=prerouting dst-address-list="Local Subnets" \
    new-routing-mark=main passthrough=no src-address-list="Local Subnets"
add action=mark-routing chain=prerouting dst-address-list="Utah Subnets" \
    new-routing-mark=Utah passthrough=no src-address-list=\
    "Local Trusted Network"
add action=mark-routing chain=prerouting new-routing-mark=Utah passthrough=no \
    src-address-list=Streaming
add action=mark-routing chain=prerouting new-routing-mark=Mullvad \
    passthrough=no src-address-list="Local Trusted Network"
add action=mark-routing chain=prerouting new-routing-mark=main passthrough=no \
    src-address-list="Local Subnets"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Mullvad pref-src="" \
    routing-table=Mullvad scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.1.0/24 gateway=Utah pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=Utah pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.30.0/24 gateway=Utah pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.10.50.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Utah routing-table=\
    Utah scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=55512
set api disabled=yes
set winbox address=10.20.0.0/16,10.103.103.0/24
set api-ssl disabled=yes
/ip smb shares
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Kuwait
/system identity
set name=RB5009overseas
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
add address=0.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=VLANS
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
12

Conny should have noted that you should first read this reference to get going. Its best to learn as you go and not just copy stuff verbatim.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Its quite easy,
one bridge
identify all VLANS as subnets on the bridge (the bridge does NO dhcp etc. keep it apples to apples and simple)
(entails IP address, ip pool, dhcp server, dhcp server network for each vlan)
Then setup the interface bridge ports as you see fit.
Trunk ports identify the interface and set ingress filtering on, as well as only tagged frames
Access ports identify the PVID, set ingress filtering on, as a well as only priority and untagged frames.
Then setup the interface vlan settings…
etc.
etc…

The issues is often one of changing subnets and getting kicked off the router while trying to make changes and startiing from scratch gets tiring.
Thus one should make liberal use of SAFE MODE !!!
Also you may want to make take one port OFF the bridge and use if for configing the rest of the router and bridge screwups wont bother you.
https://forum.mikrotik.com/viewtopic.php?t=181718

Will take a look if I get time at the config you have so far…

13

If you had read the reference, you would not have made your first mistake.
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
should be default ADMIT ALL.

By removing parts of the config I have had to guess at stuff which is fricken annoying when trying to analyze!!!

Why is ether2 not on the bridge ???

Forward chain firewall chain rules look like they need work… nothing major.

Not sure why your wireguard mULLVAD has a listen PORT lol, as your router is acting like a client not a server for that tunnel.

presumably to allow you as admin access to what specifically from a remote location ???
add action=accept chain=forward comment=“remote wireguard” in-interface=
“Remote Access Wireguard”


here you want to enable all users of the LAN VLAN access to what specfically as if basically you want from LAN vlan to acccess all other vlans except DMZ VLAN, then suggest make a new interface list call it PARTIAL, the members are camera, kids vlans.
add action=accept chain=forward comment=“LAN firewall” dst-address-list=!DMZ
in-interface=LAN_VLAN log-prefix=LAN
TO
in-interface=LAN_VLAN out-interface-list=PARTIAL



What are you trying to accomplish with these DNS rules, forward chain is not the place to do whatever it is you are trying to do ???
add action=accept chain=forward comment=“kids firewall” dst-address=10.20.2.6
dst-port=53 in-interface=KIDS_VLAN protocol=tcp
add action=accept chain=forward dst-address=10.20.2.6 dst-port=53
in-interface=KIDS_VLAN protocol=udp

This is confusing because UTAH and REMOTE are WIREGUARD Server entities, dont you mean you want them to go out MULLVAD to an external providers internet IP ??
add action=accept chain=forward in-interface=KIDS_VLAN out-interface=Utah
src-address-list=Streaming


It appears You only want TWO VLANS to reach the internet for ALL your subnets ( which include vlans and ether2).
add action=accept chain=forward in-interface=KIDS_VLAN out-interface=
ether1_WAN
add action=accept chain=forward comment=“DMZ firewall” in-interface=DMZ_VLAN
out-interface=ether1_WAN

On this rule, its clear you want all the cameras to be able to reach one IP address on the Main LAN. Why is that, what traffic originates on the cameras?
Wouldnt it be the other way around, you originating traffic to the cameras ???
add action=accept chain=forward comment=“Cameras firewall” dst-address=
10.20.2.10 in-interface=CAMERAS_VLAN log-prefix=cameras_NVR

14

anav - always good to hear from you. I hadn’t meant to upset you with my reduced config but, now that I know how to piss you off… :smiley:

Thanks for the admonition about the change from ADMIT ALL to admit only VLAN tagged. I’ll make that change. I’ve read the source that you referenced a number of times but there are so many details that I can’t promise that I was able to digest it all.

For your questions:

\

  1. not sure why your wireguard mULLVAD has a listen PORT lol, as your router is acting like a client not a server for that tunnel.

MULLVAD vpn does not have a listen port. The UDP listening ports that you see are for my site-to-site Wireguard connection to UTAH, and my remote access Wireguard server connection. The TCP on you see is for my fallback SSH should the VPN get messed up.

  1. presumably to allow you as admin access to what specifically from a remote location ???
    add action=accept chain=forward comment=“remote wireguard” in-interface=
    “Remote Access Wireguard”

This allows me to get to anything I want internally. The router, the LAN, NAS, the cameras, printer, etc. That’s what I want the remote access for. I do not intend to route remote user traffic out to the internet via that connection.

  1. here you want to enable all users of the LAN VLAN access to what specfically as if basically you want from LAN vlan to acccess all other vlans except DMZ VLAN, then suggest make a new interface list call it PARTIAL, the members are camera, kids vlans.
    add action=accept chain=forward comment=“LAN firewall” dst-address-list=!DMZ
    in-interface=LAN_VLAN log-prefix=LAN
    TO
    in-interface=LAN_VLAN out-interface-list=PARTIAL

You are correct. LAN devices get access to everything with exception of DMZ. I personally don’t see a reason to set up another alias to do what my one firewall rule does. It makes sense to me and you were able to make sense of it too.

  1. What are you trying to accomplish with these DNS rules, forward chain is not the place to do whatever it is you are trying to do ???
    add action=accept chain=forward comment=“kids firewall” dst-address=10.20.2.6
    dst-port=53 in-interface=KIDS_VLAN protocol=tcp
    add action=accept chain=forward dst-address=10.20.2.6 dst-port=53
    in-interface=KIDS_VLAN protocol=udp

These rules allow devices on the KIDS network to send DNS requests through a PiHole that resides on my LAN net. Kids devices are assigned PiHole IP as their DNS, however, since Kids network is barred from accessing the LAN, otherwise the rule was needed so that those requests would be passed.

  1. This is confusing because UTAH and REMOTE are WIREGUARD Server entities, dont you mean you want them to go out MULLVAD to an external providers internet IP ??
    add action=accept chain=forward in-interface=KIDS_VLAN out-interface=Utah
    src-address-list=Streaming

I have a few devices that are used for streaming video from Netflix, Amazon etc. Mullvad won’t work for this because it has been blocked by the providers. However, the connection to the location in UTAH exits via a residential IP and so I have no issues. So the rule says, allow any device on the Streaming alias, coming from Kids network, to exit via the Utah route. Otherwise, Kids network devices are not authorized to have access to the remote UTAH end.

  1. It appears You only want TWO VLANS to reach the internet for ALL your subnets ( which include vlans and ether2).
    add action=accept chain=forward in-interface=KIDS_VLAN out-interface=
    ether1_WAN
    add action=accept chain=forward comment=“DMZ firewall” in-interface=DMZ_VLAN
    out-interface=ether1_WAN

You are mostly correct but you forgot the LAN allow all not destined to DMZ. So in total, the only subs that should be accessing the internet are LAN, Kids, and DMZ.

  1. On this rule, its clear you want all the cameras to be able to reach one IP address on the Main LAN. Why is that, what traffic originates on the cameras?
    Wouldnt it be the other way around, you originating traffic to the cameras ???
    add action=accept chain=forward comment=“Cameras firewall” dst-address=
    10.20.2.10 in-interface=CAMERAS_VLAN log-prefix=cameras_NVR
    ether2 was not part of the bridge as the plan was to use it to access the router so that I wouldn’t lose access to it while setting up the bridge. Don’t spend time worrying about that one as it isn’t permanent.

The NVR for the cameras, which is also the controller for my Unifi gear, resides on LAN. So this allows the cameras to send the video stream to the NVR for recording/viewing. I am going to tighten up that one so specify the exact TCP/UDP ports required.

15

Kewl…

  1. So the case is ?? (talking for initial connection purposes mostly but also intent while using to a lesser degree)
    a. mullvad is wireguard to an external provider (router instance is acting as client)
    b. UTAH is wireguard to an external residence in utah (router instance is acting as client)
    c. Remote is wireguard for admin to access router from away (router instance s acting as a Server).

  2. Understood, I forget that by allowing access in the forward chain without restrictions allows access to all entities at the LAN level. (for some reason I thought that one had to specify the vlans one needed to cross but I am wrong). Makes sense for admin access!!

  3. Address lists are better suited when IPs or a mix of IPs and subnets are involved. If its just subnets interface list is superior. However both work and are right.

  4. Not an RPI expert but I thought DNS settings and directing were best done on subnet settings and dns settings etc and NOT forward chain rules.
    I would hope someone with better knowledge could chime in. At the end of the day if its working for you, then stick with it.

  5. Might be answered in question 1

  • either UTAH is client setup for you and the router is acting in a client capacity OR
  • UTAH is the client entity connecting to your SErver Router (for whatever needs) but you use it in a reverse manner to send kids streaming through the tunnel regardless (which just goes to show client and server are just for connecting purpose and keeping the tunnel up, after that traffic can be directed as per requirements).

  1. I dont like your method of delineating WAN access by inference and by allowing LAN all but DMZ , thereby allowing WAn.
    I prefer much cleaner and clear rules so that its easy to read. It may be cute but I dont like it. Personal preference :wink:

  2. Okay understood so the cameras ON their OWN are able to originate traffic to the NVR. Smart cameras…

16

Cameras are told where their mother NVR is when I set them up via their GUI. From there they send a request out to TCP port 7442 for momma NVR to give them a kiss. She does and then the cameras know to send her more kisses. No I won’t have them send you unsolicited TCP kisses.

Edit: realized I didn’t address the UTAH deal. So with WireGuard you can have client - server set up or a server - server (site to site) setup. This enables either end to initiate contact to keep the tunnel up. So I went with that setup and either end can initiate the connection.

17

No worries, there is no such thing as an initial server to server setup LOL.
You create a tunnel with one acting as a server and one acting as a client to enable the connection (one has a listening port that is triggered).

If you are saying that both have listening ports that are triggered then what you are doing is creating TWO tunnels, which is clearly not the case.
After that is established then you can use the tunnel anyway you want. Which is what I was missing in my thinking.

My point is that I was confused only because I forgot that important point when I looked at your config and clearly saw that the UTAH connection (initial) had your router as the Server.
I was only asking to confirm the initial connection method (which was client which was server), understanding that once established you can send traffic from either end.
Semantics… :slight_smile: