Two VLANs on the Same Bridge: interference problem between the two VLANs

Hello to all MikroTik lovers here!
I’d like your advice on this scenario. Based on my limited experience, I created two VLANs on my bridge — VLAN180 and VLAN10 (you can see the configuration below).

The goal is to keep these two VLANs separated, but I also want some devices in the VLAN10 range to be able to access the VLAN180 range.

However, I noticed that I can ping devices in VLAN180 from VLAN10, and vice versa. This means there’s probably an error in my VLAN configuration.

I tried to block both VLANs using firewall rules, but when I activate those rules:

add action=drop chain=forward comment="Block employees from guests" disabled=\
    yes dst-address=192.168.10.0/24 src-address=192.168.180.0/24

The internet disconnected from both networks.

Any advice from you would be greatly appreciated.

Here is my current L009UiGS-RM router configuration.


# model = L009UiGS
# serial number = 
/interface bridge
add admin-mac=F4:1E:57:71:F7:53 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes

/interface wireguard
add listen-port=xxxx mtu=1420 name=wireguard1
add listen-port=xxxx mtu=1420 name=wireguard2

/interface vlan
add interface=bridge name=vlan-10-guests vlan-id=10
add interface=bridge name=vlan180-employees vlan-id=180

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp_pool1 ranges=192.168.10.40-192.168.10.254
add name=dhcp_pool2 ranges=
    192.168.180.70-192.168.180.100,192.168.180.151-192.168.180.229

/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlan-10-guests lease-time=1h name=dhcp1
add address-pool=dhcp_pool2 interface=vlan180-employees lease-time=1h name=
    dhcp2

/port
set 0 name=serial0

/queue simple
add disabled=yes max-limit=40G/40G name=network1-night target=\
    192.168.180.0/24
add disabled=yes max-limit=130G/130G name=network2-night target=\
    192.168.10.0/24
add disabled=yes max-limit=170M/170M name=default target=192.168.180.0/24
add disabled=yes limit-at=30M/30M max-limit=30M/30M name=POS parent=default \
    priority=1/1 target=192.168.180.216/32
add disabled=yes max-limit=130G/130G name=network1-day queue=default/default \
    target=192.168.180.0/24
add disabled=yes max-limit=40G/40G name=network2-day queue=default/default \
    target=192.168.10.0/24
add disabled=yes limit-at=140M/140M max-limit=170M/170M name=LAN parent=\
    default queue=pcq-upload-default/pcq-download-default target=\
    192.168.180.0/24

/system logging action
set 0 memory-lines=3000
set 1 disk-lines-per-file=3000

/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes

/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=180
add bridge=bridge comment=defconf interface=ether3 pvid=180
add bridge=bridge comment=defconf interface=ether4 pvid=180
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=ether6 pvid=10
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=sfp1

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether5,ether6 vlan-ids=10
add bridge=bridge tagged=dynamic untagged=ether2,ether3,ether4 vlan-ids=180

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan180-employees list=LAN
add interface=vlan-10-guests list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard2 list=LAN

/interface wireguard peers
add allowed-address=10.10.10.2/32 interface=wireguard1 name=B \
    public-key=
add allowed-address=10.10.11.2/32 interface=wireguard2 name="BA" \
    public-key=

/ip address
add address=192.168.180.1/24 interface=vlan180-employees network=\
    192.168.180.0
add address=192.168.10.1/24 interface=vlan-10-guests network=192.168.10.0
add address=10.10.10.1/24 interface=wireguard1 network=10.10.10.0
add address=192.168.100.50/24 interface=ether1 network=192.168.100.0
add address=10.10.11.1/24 interface=wireguard2 network=10.10.11.0

/ip dhcp-server lease
add address=192.168.180.216 client-id=1:60:be:b4:2:fd:28 mac-address=\
    60:BE:B4:02:FD:28 server=dhcp2
add address=192.168.10.48 client-id=1:ac:f4:2c:a7:db:e6 mac-address=\
    AC:F4:2C:A7:DB:E6 server=dhcp1
add address=192.168.10.86 client-id=1:e2:26:cc:98:7c:51 mac-address=\
    E2:26:CC:98:7C:51 server=dhcp1

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.180.0/24 dns-server=8.8.8.8 gateway=192.168.180.1

/ip dns
set allow-remote-requests=yes servers=192.168.100.1,8.8.8.8

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=xxx \
    protocol=udp
add action=accept chain=input comment="allow WireGuard" dst-port=xxx \
    protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="Block employees from guests" disabled=\
    yes dst-address=192.168.10.0/24 src-address=192.168.180.0/24
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward disabled=yes dst-address=192.168.180.0/24 \
    src-address=192.168.10.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-table=\
    main suppress-hw-offload=no

/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes




/ipv6 firewall filter

add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN

/system clock
set time-zone-name=

/system routerboard settings
set enter-setup-on=delete-key

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Looking at your MikroTik configuration, I can see the main issues causing your VLAN separation problems:

### Primary Issues

1. Missing VLAN tagging on the bridge interface. Your bridge VLAN configuration shows:

  • VLAN 10: tagged=bridge ✓ (correct)

  • VLAN 180: tagged=dynamic ✗ (should be tagged=bridge)

### Step 1: Fix the Bridge VLAN Configuration
```
/interface bridge vlan
set [find vlan-ids=180] tagged=bridge
```

### Step 2: Create Separate Interface Lists
```
/interface list
add name=EMPLOYEES
add name=GUESTS

/interface list member
remove [find interface=vlan180-employees list=LAN]
remove [find interface=vlan-10-guests list=LAN]
add interface=vlan180-employees list=EMPLOYEES
add interface=vlan-10-guests list=GUESTS
```

### Step 3: Add Proper Firewall Rules (in correct order)
```
/ip firewall filter
# Place these BEFORE the fasttrack rule
add action=drop chain=forward src-address=192.168.10.0/24 dst-address=192.168.180.0/24 \
    comment="Block guests from employees" place-before=[find comment="defconf: fasttrack"]

# To allow specific devices from VLAN10 to access VLAN180, add BEFORE the drop rule:
add action=accept chain=forward src-address=192.168.10.48 dst-address=192.168.180.0/24 \
    comment="Allow specific guest device to employees network" \
    place-before=[find comment="Block guests from employees"]
```

1 Like

Thank you, but I prefer to hear from other people out there.
Is there another way to apply this?

Why do you need other feedback when you already received a solution?

You can also read and digest this tutorial, more or less the same advice will be found there.
Separate VLAN and LAN interface lists and apply firewall rules accordingly.

I read this whole article and I appreciate all your answers, but I am now dealing with a specific scenario:
as you can see from my config, I can't apply valid isolation rules between those VLANs,
and anything I did caused a disconnect.
I read another article that said we shouldn't create multiple bridges on the router, so based on this I didn't make another bridge for the other network; I created a VLAN within the same bridge.
My question is: is this OK?
Can I proceed with this config and just add your edit to it?

Needing multi-bridge is usually an indication something is wrong with your config.
It has some uses but it's quite rare.
Also, multiple bridges are a sure way to (sort of) kill HW offloading if your device would be able to do so.
Only 1 bridge can be offloaded and you're not always sure which one it will be.

Multiple VLANs on the same bridge is the most used approach.
But your firewall rules need to be correct then.

If you are afraid to lock yourself out, remove 1 ether port from bridge and use it to connect with your PC using Winbox/MAC.

1 Like

If needed:

Let me give you a free lesson on how MikroTik thinks, so we can understand what happened in your situation.

Let’s say you want to specify a list of devices that can access another VLAN while blocking the others.

Src. Address: 192.168.10.0/24
Src. Address List: !guest-allowed-to-employees
Dst. Address: 192.168.180.0/24
Action: drop


This means: "Drop traffic that matches **ALL** of these conditions **simultaneously**:"
1. Source is from 192.168.10.0/24 **AND**
2. Source is NOT in guest-allowed-to-employees list **AND**
3. Destination is 192.168.180.0/24

---

## Let's Test Your Scenario:

### Scenario 1: Employee → Employee
- **Source**: 192.168.180.50
- **Destination**: 192.168.180.100

**Rule evaluation:**
1. ❌ Src. Address: 192.168.10.0/24? **NO** (source is 192.168.180.50, not in 10.0/24)
2. ✓ Src. Address List: !guest-allowed-to-employees? **YES** (not in the list)
3. ✓ Dst. Address: 192.168.180.0/24? **YES**

**Result:** Rule does **NOT** match because condition #1 failed!
**Traffic is allowed!** ✅

---

### Scenario 2: Approved Guest → Employee
- **Source**: 192.168.10.20 (in the approved list)
- **Destination**: 192.168.180.216

**Rule evaluation:**
1. ✓ Src. Address: 192.168.10.0/24? **YES**
2. ❌ Src. Address List: !guest-allowed-to-employees? **NO** (IS in the list)
3. ✓ Dst. Address: 192.168.180.0/24? **YES**

**Result:** Rule does **NOT** match because condition #2 failed!
**Traffic is allowed!** ✅

---

### Scenario 3: Non-Approved Guest → Employee
- **Source**: 192.168.10.48 (NOT in approved list)
- **Destination**: 192.168.180.216

**Rule evaluation:**
1. ✓ Src. Address: 192.168.10.0/24? **YES**
2. ✓ Src. Address List: !guest-allowed-to-employees? **YES** (not in the list)
3. ✓ Dst. Address: 192.168.180.0/24? **YES**

**Result:** **ALL** conditions match!
**Traffic is DROPPED!** ✅

---

## Key Point:

By adding `Src. Address: 192.168.10.0/24`, you're saying:

**"Only evaluate this rule for traffic coming from 192.168.10.0/24"**

So traffic from 192.168.180.50 (employees) **never even matches the first condition**, and the rule is skipped entirely!

---

## Visual Logic:

IF (source is from 10.0/24) AND (source NOT in approved list) AND (destination is 180.0/24)
THEN drop

Employee traffic (192.168.180.50 → 192.168.180.100):
IF (FALSE) AND (TRUE) AND (TRUE)

This is FALSE, so the entire rule is FALSE → traffic allowed


---

## Conclusion:
With this rule:
✅ Employees can access other employees (doesn't match the src address condition)
✅ Approved guests can access employees (doesn't match the src address list condition)
✅ Non-approved guests are blocked (matches all conditions)
**Your understanding of the logic was incorrect.**

From this lesson you can now create the rule that you want, without disconnecting other clients and not knowing why.
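As an added example (not code from the thread or from RouterOS), here is a small Python simulator of the two points made above: the lesson's rule, where every matcher is ANDed and the address-list matcher is negated, and Step 3 of the first reply, where the per-device accept must sit above the subnet-wide drop because the first match wins. The allow-list contents are constructed; connection-state and fasttrack matchers are deliberately not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed address list for the lesson's "!guest-allowed-to-employees"
# matcher: guest hosts that are allowed to reach the employee VLAN.
ADDRESS_LISTS = {"guest-allowed-to-employees": {"192.168.10.20"}}

def rule_matches(rule, src, dst):
    """Every matcher in a rule must hold (logical AND). A value starting
    with '!' is negated, as in RouterOS. Only address matchers are modelled."""
    for key, value in rule.items():
        if key == "action":
            continue
        negate = value.startswith("!")
        value = value.lstrip("!")
        if key == "src-address":
            hit = ip_address(src) in ip_network(value)
        elif key == "dst-address":
            hit = ip_address(dst) in ip_network(value)
        elif key == "src-address-list":
            hit = src in ADDRESS_LISTS.get(value, set())
        else:
            raise ValueError(f"unsupported matcher: {key}")
        if hit == negate:  # this condition failed, so the whole rule is skipped
            return False
    return True

def verdict(chain, src, dst):
    """First matching rule decides; nothing matched means the default: accept."""
    for rule in chain:
        if rule_matches(rule, src, dst):
            return rule["action"]
    return "accept"

# The lesson's single drop rule: guest source AND not on the allow list
# AND employee destination.
LESSON_CHAIN = [
    {"src-address": "192.168.10.0/24",
     "src-address-list": "!guest-allowed-to-employees",
     "dst-address": "192.168.180.0/24", "action": "drop"},
]

# Step 3 of the first reply: the per-device accept is placed before the
# subnet-wide drop; reversing the order would drop that device as well.
STEP3_CHAIN = [
    {"src-address": "192.168.10.48", "dst-address": "192.168.180.0/24",
     "action": "accept"},
    {"src-address": "192.168.10.0/24", "dst-address": "192.168.180.0/24",
     "action": "drop"},
]
```

Reversing `STEP3_CHAIN` shows the ordering failure: the 192.168.10.48 host is then caught by the subnet-wide drop.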