Two ports bridged and the rest in a second bridge. No internet second bridge

Hi,
I didn’t know what to search for, so I didn’t find any other posts that fit my problem. If there are any similar posts, please show me.
I have an L009UiGS-2HaxD and port 1 is connected to the company network. Now I need port 2 and the wifi to be in the company network, and ports 3-8 need to be a separate network with their own DHCP server. DNS should ideally be copied from the DNS server in the company network.
I created a second bridge and added port 1, 2 and wifi to it, and they are working flawlessly. But now I have no access from the rest of the ports to the internet/company network.
What do I need to change?

# 2024-12-03 12:20:04 by RouterOS 7.13.5
# software id = XXXXXXXX
#
# model = L009UiGS-2HaxD
# serial number = XXXXXXX
/disk
set usb1 type=hardware
add parent=usb1 partition-number=1 partition-offset="1 048 576" \
    partition-size="4 194 304 000" type=partition
/interface bridge
add admin-mac=XX+XX+XX+XX+XX+XX auto-mac=no comment=defconf name=bridgeLAN \
    port-cost-mode=short
add name=bridgeWAN port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Germany .mode=ap .ssid=NetGear2 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.111.10
/ip dhcp-server
add address-pool=dhcp interface=bridgeLAN lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridgeWAN comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLAN comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLAN comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLAN comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLAN comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLAN comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLAN comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLAN comment=defconf interface=sfp1 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeWAN comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeWAN interface=ether1 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridgeLAN list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.111.1/24 comment=defconf interface=bridgeLAN network=\
    192.168.111.0
/ip dhcp-client
add comment=defconf interface=bridgeWAN
/ip dhcp-server network
add address=192.168.111.0/24 comment=defconf dns-server=192.168.111.1 \
    gateway=192.168.111.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.111.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=ptbtime2.ptb.de
add address=ptbtime1.ptb.de
add address=de.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/system script
add dont-require-permissions=no name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    ""
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Your ip pool is out of reach when you set netmask=24 (192.168.111.0/24).

Use this IP Calculator if you want to set that range (192.168.88.100-192.168.111.10) https://jodies.de/ipcalc
But I don’t think you need it, unless there are more than 255 devices connected to the router.

bridgeWAN port member: ether1, ether2, wifi1
bridgeLAN port member: ether3, ether4, ether5, ether6, ether7, ether8, sfp1

/interface list member
add comment=defconf interface=bridgeLAN list=LAN
add comment=defconf interface=ether1 list=WAN

It seems you only have 1 internet connection through ether1, BUT you set the DHCP client via your bridge.

/ip dhcp-client
add comment=defconf interface=bridgeWAN

My suggestions are:

  1. If you only have 1 internet connection, remove bridgeWAN
  2. Change dhcp client for WAN to ether1
  3. Move ether2 and wifi1 into bridgeLAN
  4. Set ip pool for bridgeLAN to 192.168.111.20-192.168.111.245

Based on your input, you want the L009 to act as a router on the company network.
The first thing is to ask your IT department if this is permitted, as normally personal devices on a company network are not permitted.
If you are in the IT department then I suppose it's a request for some separate LAN entity, and I'm wondering why you don't simply add another subnet onto a switch to feed the extra subnet need?

Hi,

Just one question: why create more than one bridge?

This needs to be fixed:

interface list member
add comment=defconf interface=bridgeLAN list=LAN
add comment=defconf interface=ether1 list=WAN

ether1 is no longer a stand-alone interface; it should be replaced by bridgeWAN (or you could leave it as-is and add an entry for bridgeWAN as WAN).

Post the output of:
/ip address print
and of
/ip route print
so that we can see also the Dynamic data.
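The two findings in the replies above (a pool range that is not inside the 192.168.111.0/24 DHCP network, and an interface list member pointing at ether1 although ether1 is now a port of bridgeWAN) can both be caught mechanically. The checker below is an added example, not code from the thread or from MikroTik; it parses a constructed excerpt in RouterOS export syntax and reports both defects, the second of which matters because the firewall and masquerade rules are keyed on the WAN list.

```python
import ipaddress
import re

# Constructed excerpt in RouterOS export syntax (not the poster's full export) carrying the
# two defects the thread identifies: a pool outside the /24 and a list member that is a bridge port.
EXPORT = """\
/interface bridge port
add bridge=bridgeLAN interface=ether3
add bridge=bridgeWAN interface=ether1
add bridge=bridgeWAN interface=ether2
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.111.10
/ip dhcp-server network
add address=192.168.111.0/24 gateway=192.168.111.1
/interface list member
add interface=bridgeLAN list=LAN
add interface=ether1 list=WAN
"""

def parse_export(text):
    """Group 'add ...' lines under their '/menu path' as lists of key=value dicts."""
    menus, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            menus[current].append(dict(re.findall(r"(\S+?)=(\S+)", line[4:])))
    return menus

def check_pools(menus):
    """Flag pool ranges not fully inside any DHCP-server network (the netmask=24 point)."""
    nets = [ipaddress.ip_network(n["address"]) for n in menus.get("/ip dhcp-server network", [])]
    problems = []
    for pool in menus.get("/ip pool", []):
        for rng in pool["ranges"].split(","):
            lo, hi = (ipaddress.ip_address(a) for a in rng.split("-"))
            if not any(lo in net and hi in net for net in nets):
                problems.append(f"pool {pool['name']}: range {rng} is outside every DHCP network")
    return problems

def check_list_members(menus):
    """Flag list members that are bridge ports: once ether1 is in bridgeWAN, rules keyed on
    the WAN list (masquerade, 'drop all from WAN not DSTNATed') no longer match its traffic."""
    ports = {p["interface"]: p["bridge"] for p in menus.get("/interface bridge port", [])}
    return [f"list {m['list']}: {m['interface']} is a port of {ports[m['interface']]}; use the bridge"
            for m in menus.get("/interface list member", []) if m["interface"] in ports]

for msg in check_pools(parse_export(EXPORT)) + check_list_members(parse_export(EXPORT)):
    print(msg)
```

Running it against the output of `/export` from a real router works the same way, since the parser only relies on the `/menu` and `add key=value` structure of that format.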

Thanks for all the help.

Your ip pool is out of reach when you set netmask=24 (192.168.111.0/24).

Yep, that was accidental. Should have been

192.168.111.10-192.168.111.100



The first thing is to ask your IT department if this is permitted as normally personal devices on a company network are not permitted.

These are no personal devices. I’m working in automation control and this router is used to simulate machine networks. I want those separated from the rest of the company network, as they are in a separate subnet. But because this is the main network connection when I’m at my desk, I still want to access the company network and the internet through the router. The eth2 is a connection for the computer of my colleague next to me, because we ran out of network ports in our office and he doesn’t need access to my separate subnet.

The fix was the last message from jaclaz.
I just had to change from this:

interface list member
add comment=defconf interface=bridgeLAN list=LAN
add comment=defconf interface=ether1 list=WAN

to this:

interface list member
add comment=defconf interface=bridgeLAN list=LAN
add comment=defconf interface=bridgeWAN list=WAN

Now everything works as I want it to.
Thank you very much everyone!

Addresses:

Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS           NETWORK        INTERFACE
;;; defconf
0   192.168.111.1/24  192.168.111.0  bridgeLAN
1 D 192.168.0.149/24  192.168.0.0    bridgeWAN

Routes:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS       GATEWAY      DISTANCE
DAd 0.0.0.0/0         192.168.0.1         1
DAc 192.168.0.0/24    bridgeWAN           0
DAc 192.168.111.0/24  bridgeLAN           0

Looks just fine to me.