Unable to access VLAN devices from main network

I’m fairly new to MikroTik/setting up my own router/switch (CRS310-8G+2S+IN).
I have an IoT VLAN (172.16.10.x) but have had issues getting devices on the main network (172.16.0.x) to access them. When I disable all drop firewall rules, I still can’t access VLAN10 devices, so I’m not sure where the issue is. What I’m hoping to accomplish:

  • Any device on the main network can access IoT VLAN devices
  • IoT VLAN devices can communicate with Home Assistant on the main network (if this is not possible, please let me know; I need Home Assistant to access devices on both the main and VLAN networks)

Config

# 2025-06-16 07:01:22 by RouterOS 7.13.5
# software id = **ELIDED**
#
# model = CRS310-8G+2S+
# serial number = **ELIDED**
/interface bridge
add name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_Internet
set [ find default-name=ether4 ] name=ether4_Desktop
set [ find default-name=ether7 ] name=ether7_TPLink
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1_server
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=VLAN10-IoT vlan-id=10
add interface=bridge name=VLAN20 vlan-id=20
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 0 l3-hw-offloading=no
/interface list
add include=all name=LAN
add include=all name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=172.16.0.20-172.16.0.254
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.200.1-172.16.200.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN10-IoT name=dhcp2
add address-pool=dhcp_pool2 interface=VLAN20 lease-time=8h name=dhcp3
/port
set 0 name=serial0
/user group
add name=hassio policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!winbox,!password\
    ,!web,!sniff,!sensitive,!romon,!rest-api"
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" name=zt1 port=9993
/zerotier interface
add instance=zt1 name=zerotier1 network=23…**ELIDED**
/interface bridge port
add bridge=bridge hw=no interface=ether4_Desktop internal-path-cost=10 path-cost=10
add bridge=bridge hw=no interface=ether8 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge hw=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge hw=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge hw=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment="TPLink Trunk Port" hw=no interface=ether7_TPLink internal-path-cost=10 \
    path-cost=10
add bridge=bridge interface=sfp-sfpplus1_server
add bridge=bridge hw=no interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,sfp-sfpplus1_server,ether7_TPLink vlan-ids=10
add bridge=bridge tagged=ether3,bridge vlan-ids=20
/interface list member
add interface=bridge list=LAN
add interface=ether1_Internet list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=172.16.20.2/32 disabled=yes interface=wireguard1 public-key="**ELIDED**"
add allowed-address=172.16.20.3/32 disabled=yes interface=wireguard1 public-key="**ELIDED**"
/ip address
add address=172.16.0.1/24 interface=bridge network=172.16.0.0
add address=172.16.10.1/24 interface=VLAN10-IoT network=172.16.10.0
add address=172.16.200.0/24 interface=VLAN20 network=172.16.200.0
add address=172.16.20.1/24 comment="Wireguard IP range" interface=wireguard1 network=172.16.20.0
/ip dhcp-client
add interface=ether1_Internet use-peer-dns=no
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge name=dhcp1 parent-queue=*FFFFFFFF
/ip dhcp-server network
add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.200.0/24 gateway=172.16.200.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=172.16.0.30 comment="homeassistant redirect" name=homeassistant.local
/ip firewall address-list
add address=172.16.0.0/24 list=LOCAL_IPs
add address=172.16.10.0/24 list=IoT_IPs
add address=172.16.10.245 list=Google_Home_IPs
add address=172.16.10.251 list=Google_Home_IPs
add address=172.16.200.0/24 list=IoT_IPs
add address=172.16.0.248 list=PS5
add list=crowdsec
add address=172.16.0.38 list=homeassistant
add address=172.16.10.187 list=homeassistant
/ip firewall filter
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="Allow local traffic to VLAN" dst-address-list=IoT_IPs \
    src-address-list=LOCAL_IPs
add action=accept chain=forward comment="test plex forward" connection-nat-state=dstnat
add action=accept chain=forward dst-address=172.16.0.1 dst-port=53 protocol=udp src-address-list=\
    IoT_IPs
add action=accept chain=input comment="HOAS TPLink port" dst-port=9999 in-interface=ether1_Internet \
    protocol=tcp
add action=accept chain=forward comment="Allow VLAN trafic to HOAS" dst-address-list=homeassistant \
    src-address-list=IoT_IPs
add action=accept chain=forward comment="Allow Home Assistant to access main LAN" dst-address-list=\
    LOCAL_IPs src-address=172.16.10.187
add action=drop chain=forward comment="Drop IoT outbound traffic" connection-nat-state="" \
    connection-state=new dst-address-list=LOCAL_IPs src-address-list=IoT_IPs
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1_Internet
add action=drop chain=forward connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_Internet
add action=masquerade chain=srcnat out-interface=VLAN10-IoT
add action=masquerade chain=srcnat comment="Allow local access on Wireguard" disabled=yes \
    out-interface=bridge src-address=172.16.20.0/24
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface-list=WAN protocol=tcp \
    to-addresses=172.16.0.22
add action=dst-nat chain=dstnat comment=tplink dst-port=29810-29816 in-interface-list=WAN protocol=tcp \
    to-addresses=172.16.0.22
add action=accept chain=dstnat comment="PS5 Remote Play" dst-address-list=PS5 dst-port=\
    9295-9308,8572,987 in-interface=ether1_Internet protocol=udp
add action=accept chain=dstnat comment="PS5 Remote Play" dst-address-list=PS5 dst-port=9295-9308,8572 \
    in-interface=ether1_Internet protocol=tcp
add action=accept chain=dstnat comment="Sunshine Ports" dst-address-list=sunshine_servers dst-port=\
    47989,47984,48010 in-interface=ether1_Internet protocol=tcp
add action=accept chain=dstnat comment="Sunshine Ports" dst-address-list=sunshine_servers dst-port=\
    48010,47998,47999,47800 in-interface=ether1_Internet protocol=udp
add action=accept chain=dstnat comment=Zerotier dst-port=9993,39758,27284,36875,21291 in-interface=\
    ether1_Internet protocol=udp
add action=accept chain=srcnat comment=Zerotier dst-port=9993,39758,27284,36875,21291 out-interface=\
    ether1_Internet protocol=udp
add action=accept chain=dstnat comment="Tailscale Wireguard" dst-address-list=sunshine_servers \
    dst-port=41641 in-interface=ether1_Internet protocol=udp
add action=accept chain=srcnat comment="Tailscale HTTPS" dst-port=443 out-interface=ether1_Internet \
    protocol=udp src-address-list=sunshine_servers
add action=accept chain=srcnat comment="Tailscale HTTPS" dst-port=443 out-interface=ether1_Internet \
    protocol=tcp src-address-list=sunshine_servers
/ip upnp
set enabled=yes
/system clock
set time-zone-name=**ELIDED**
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
/tool sniffer
set streaming-enabled=yes streaming-server=172.16.0.56

The CRS310 is a very capable switch but not a router by any stretch; this will lead to very high CPU usage. I know this is not the answer you are looking for :frowning:

When using VLANs you go VLANs all the way. Your 172.16.0.1 network should be on another VLAN interface, not on the bridge. Also, I don’t see a DHCP server for that network, only for VLANs 10 and 20.

Please read this link for help on VLAN setups: Using RouterOS to VLAN your network - #2 by pcunite

Also, I recommend you use an off-bridge port to conduct the transition to VLANs; it’s a good spot to do any configuration safely down the line as well.

I think it’s this one, dhcp1. Thanks for clarifying on VLANs.
If I do create a VLAN for 172.16.0.x and I want to maintain the IP leases for all associated devices, can I simply change the interface for dhcp1 to the new VLAN and keep those leases?

Don’t know about your setup…

Normally VLANs should not be able to talk to each other, or traffic between them should go over a route… and be firewalled to only allow the expected traffic.

I don’t know about your HA setup… if it is running in Proxmox you could add a second virtual NIC with the VLAN ID of the main network… to have it present in both networks…

If it is installed on bare metal… a USB NIC might help…

I had no idea, I’ve been using it this way for years now assuming it could handle both. Thanks for the heads up. I’ll look into alternate solutions for routing.

So, to use that network on a VLAN you simply change the interface in the DHCP server, and in IP → Addresses change the interface from bridge to the VLAN.

Regarding communication between VLANs: by default and by nature all L2 is blocked between different VLANs, but the default firewall in RouterOS allows communication on L3.

Also, your device is primarily a switch so don’t expect great routing performance.
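The migration the last two replies describe (move the 172.16.0.0/24 network off the bridge onto its own VLAN interface, then route between VLANs and firewall the expected traffic only) as a worked RouterOS script. This is an added example, not part of the thread and not the poster's export. Assumptions not in the thread: VLAN ID 30 and the interface name VLAN30-Main for the former main network; every port except ether8 (which is already pvid=10) is treated as carrying the main network untagged, as it does today with the default PVID of 1. All other names are taken from the posted config.

```routeros
# Added example, not from the thread. Assumed: VLAN ID 30 / name VLAN30-Main.
# Apply from an off-bridge port or the serial console, not from a LAN port you
# are about to retag, and take an /export before starting.

# 1. L3 interface for the main network, same pattern as VLAN10-IoT and VLAN20.
/interface vlan
add interface=bridge name=VLAN30-Main vlan-id=30

# 2. Ports that carry the main network untagged today (PVID 1 by default) become
#    untagged members of VLAN 30. ether8 keeps pvid=10 as the IoT access port.
/interface bridge port
set [ find interface=ether3 ] pvid=30
set [ find interface=ether4_Desktop ] pvid=30
set [ find interface=ether5 ] pvid=30
set [ find interface=ether6 ] pvid=30
set [ find interface=ether7_TPLink ] pvid=30
set [ find interface=sfp-sfpplus1_server ] pvid=30
set [ find interface=sfp-sfpplus2 ] pvid=30

/interface bridge vlan
add bridge=bridge vlan-ids=30 tagged=bridge \
    untagged=ether3,ether4_Desktop,ether5,ether6,ether7_TPLink,sfp-sfpplus1_server,sfp-sfpplus2

# 3. Move the gateway address and the existing DHCP server (dhcp1) to the VLAN
#    interface. Leases are listed per server, so dhcp1 keeps its lease table.
/ip address
set [ find address="172.16.0.1/24" ] interface=VLAN30-Main
/ip dhcp-server
set dhcp1 interface=VLAN30-Main

# 4. Inter-VLAN policy by interface rather than by address list. Rules are
#    evaluated top to bottom, so after adding these move them above the existing
#    "Drop IoT outbound traffic" rule.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="Keep replies to allowed connections"
add chain=forward action=accept in-interface=VLAN30-Main out-interface=VLAN10-IoT \
    comment="Main -> IoT: allowed"
add chain=forward action=accept in-interface=VLAN10-IoT dst-address-list=homeassistant \
    comment="IoT -> Home Assistant only"
add chain=forward action=drop in-interface=VLAN10-IoT out-interface=VLAN30-Main \
    comment="Drop all other IoT -> Main"

# 5. Checks: VLAN membership as the bridge sees it, the connected routes the VLAN
#    addresses created, which filter rule traffic is actually hitting, and that
#    dhcp1's leases survived the interface change.
/interface bridge vlan print
/ip route print
/ip firewall filter print stats
/ip dhcp-server lease print where server=dhcp1
```

The filter print with stats is the quickest way to answer the original question of where traffic is being stopped: if the Main -> IoT accept counter stays at zero while you test, the packets never reached the forward chain (an L2/VLAN membership problem), and if the drop counters climb, it is ordering.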