Unable to Ping 5009 VLAN to 5009 Non-VLAN

I've been playing around (i.e., trying to learn) and I'm stuck.

Two RB5009 units: Unit 1 is named 212-RB5009, unit 2 is 212-RB5009-New

212-RB5009's WAN is ether1, connected to FIOS.

212-RB5009-New (ether6) is connected to 212-RB5009 (ether5).

212-RB5009 is non-VLAN and is also connected to a CRS326 using SFP on both sides.

212-RB5009-New is set up with VLANs (for eventual implementation).

I can't get the two RB5009s to talk to each other. I've tried adding specific routes to each other's IP addresses using the local ether port as the gateway.

Here is a diagram. For bigger-picture clarification: the RB5009 and the CRS326 are production (in use, operational, necessary -- and I am loath to make any changes to them), whereas RB5009-New and hAPax3 are the test lab.

Exports in next messages (size constraint).
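The link in question (untagged ether5 on the flat-bridge 212-RB5009 into ether6, commented as a vlan32 access port, on 212-RB5009-New) is easier to reason about from the exports than by adding routes. The Python helper below is an added example, not code from the post: it rejoins the backslash-wrapped lines of a RouterOS `/export`, tokenises each command, and traces where an untagged frame received on a given port lands at layer 3 on each side of a cable. The two sample exports are constructed; the VLAN-side pvid and the 192.168.32.0/24 subnet are assumptions, since the RB5009-New bridge port table is not in the post.

```python
"""Where does an untagged frame entering a RouterOS port land at layer 3? (added audit helper)"""
import ipaddress
import shlex

def join_continuations(text):
    """Rejoin commands that '/export' wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):           # continued on the next, indented line
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines + ([buf] if buf else [])

def parse_export(text):
    """One dict per add/set command: menu section, cmd, bare args, key=value pairs."""
    section, records = "", []
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # menu path, e.g. '/interface bridge port'
            section = line
            continue
        try:
            tokens = shlex.split(line)    # handles quoted comments and script bodies
        except ValueError:                # unbalanced quote in an exotic script body
            tokens = line.split()
        rec = {"section": section, "cmd": tokens[0], "args": []}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep:
                rec[key] = val
            else:
                rec["args"].append(tok)   # e.g. '[', 'find', ']', '!egress-rate'
        records.append(rec)
    return records

def _rows(records, section, **match):
    return [r for r in records if r["section"] == section
            and all(r.get(k) == v for k, v in match.items())]

def untagged_landing(records, port):
    """Trace untagged frames received on `port` to the L3 interface (and subnets) that own them.
    Simplification: the bridge's own IP sits in the bridge PVID; a VLAN interface owns its vlan-id."""
    def result(bridge, vlan_id, l3):
        addrs = [r["address"] for r in _rows(records, "/ip address", interface=l3)] if l3 else []
        return {"bridge": bridge, "vlan_id": vlan_id, "l3_interface": l3, "addresses": addrs}

    ports = _rows(records, "/interface bridge port", interface=port)
    if not ports:                         # off-bridge port: the port itself is L3
        return result(None, None, port)
    bp = ports[0]
    bridge = bp["bridge"]
    bcfg = next(iter(_rows(records, "/interface bridge", name=bridge)), {})
    if bcfg.get("vlan-filtering", "no") != "yes":
        return result(bridge, None, bridge)      # flat bridge: one subnet for every port
    if bp.get("frame-types") == "admit-only-vlan-tagged":
        return result(bridge, None, None)        # untagged frames dropped at ingress
    pvid = bp.get("pvid", "1")                   # RouterOS default PVID is 1
    if bcfg.get("pvid", "1") == pvid:
        return result(bridge, pvid, bridge)
    for v in _rows(records, "/interface vlan", interface=bridge):
        if v.get("vlan-id") == pvid:
            return result(bridge, pvid, v["name"])
    return result(bridge, pvid, None)            # VLAN assigned, but nothing routes it

def compare_link(export_a, port_a, export_b, port_b):
    """Both ends of one cable: do their untagged frames land in overlapping subnets?"""
    a = untagged_landing(parse_export(export_a), port_a)
    b = untagged_landing(parse_export(export_b), port_b)
    nets = lambda side: [ipaddress.ip_interface(x).network for x in side["addresses"]]
    same = any(na.overlaps(nb) for na in nets(a) for nb in nets(b))
    return {"a": a, "b": b, "same_subnet": same}

# Constructed sample exports shaped like the two routers; the VLAN-side values
# (pvid=32 on ether6, 192.168.32.0/24) are illustrative, not taken from the post.
FLAT_EXPORT = """\
/interface bridge
add auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \\
    internal-path-cost=10 path-cost=10
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\\
    192.168.2.0
"""
VLAN_EXPORT = """\
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge pvid=1 vlan-filtering=yes
/interface vlan
add comment="MGMT VLAN32" interface=bridge name=vlan-mgmt vlan-id=32
/interface bridge port
add bridge=bridge comment="access port vlan32" interface=ether6 pvid=32
/ip address
add address=192.168.32.1/24 interface=vlan-mgmt network=192.168.32.0
"""
```

Feed the two real exports to `compare_link` with `ether5` and `ether6`: the `l3_interface` and `addresses` on each side show whether the cable joins one subnet, and a VLAN-side `l3_interface` of `None` means the port's PVID has no routed interface at all.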

RB5009:

# 2025-10-24 07:15:00 by RouterOS 7.19.3
# software id = 2KBD-7ZZB
#
# model = RB5009UPr+S+
# serial number = HDA0
/interface bridge
add admin-mac=18:FD:74:CF:7F:5D auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=WAN poe-out=off
set [ find default-name=ether2 ] comment=hAPax3-Downstairs poe-out=off
set [ find default-name=ether3 ] comment="JRS PC port 3" poe-out=off
set [ find default-name=ether4 ] comment=hAPax3-Upstairs poe-out=off
set [ find default-name=ether5 ] comment=<empty> poe-out=off
set [ find default-name=ether6 ] comment="MOCA adapter" poe-out=off
set [ find default-name=ether7 ] comment=OffBridge poe-out=off
set [ find default-name=ether8 ] comment=BI-Server poe-out=off
set [ find default-name=sfp-sfpplus1 ] comment=CSS326
/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard private-key=\
    "WIPddddd+2L0A="
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
add name=DHCPdisabled
add name=TRUSTED
add name=IoT-Cameras
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/iot mqtt brokers
add address=192.168.0.103 client-id=192.168.2.2 name=HA password=XXXXX \
    username=mqtt
add address=192.168.0.162 auto-connect=yes name="Home Assistant" password=\
    XXXXX username=mqtt
/ip pool
add name=192.168.2.100-200 ranges=192.168.2.100-192.168.2.200
add comment=offbridge-dhcp-server name=offbridge-dhcp-server ranges=\
    192.168.55.101-192.168.55.200
/ip dhcp-server
add address-pool=192.168.2.100-200 interface=bridge lease-script="\
    \n/system\
    \n:local cdate [clock get date] \
    \n:local yyyy  [:pick \$cdate 0  4]\
    \n:local MM    [:pick \$cdate 5  7]\
    \n:local dd    [:pick \$cdate 8 10]\
    \n\
    \n:local thistime [/system clock get time]\
    \n:local thishour [:pick \$thistime 0 2]\
    \n:local thisminute [:pick \$thistime 3 5]\
    \n:local thissecond [:pick \$thistime 6 8]\
    \n:local identitydatetime \"\$[identity get name]_\$yyyy-\$MM-\$dd_\$thish\
    our:\$thisminute:\$thissecond\"\
    \n:local datetime \"\$yyyy-\$MM-\$dd_\$thishour:\$thisminute:\$thissecond\
    \"\
    \n:local systemname \"\$[identity get name]\"\
    \n\
    \n#:if (\$leaseBound=1) do={\
    \n\
    \n#  :log info \"testing after condition BOUND\" }\
    \n\
    \n#:if  ([/ip dhcp-server lease find where dynamic mac-address=\$leaseActM\
    AC]!=\"\") do={\
    \n\
    \n#  :log info \"testing after condition DYNAMIC\"}\
    \n\
    \n\
    \n:if  ((\$leaseBound=1)  && ([/ip dhcp-server lease find where dynamic ma\
    c-address=\$leaseActMAC]!=\"\") && ([/ip dhcp-server lease find where comm\
    ent mac-address=\$leaseActMAC]=\"\")) do={\
    \n\
    \n#    :log info \"testing after conditions BOUND and DYNAMIC and EMPTY CO\
    MMENT\" \
    \n\
    \n:local recipient \"jXXXXX@domain.com\"\
    \n\
    \n #   :tool e-mail send to=\$recipient subject=\"\$systemname DHCP Lease \
    Assigned to \$leaseActMAC\" body=\"MAC address \$leaseActMAC received IP a\
    ddress \$leaseActIP with a hostname of \$[/ip/dhcp-server/lease/get value-\
    name=host-name [find where mac-address=\$leaseActMAC]] from DHCP Server \$\
    leaseServerName on \$datetime from \$systemname with comment \$[/ip/dhcp-s\
    erver/lease/get value-name=comment [find where mac-address=\$leaseActMAC]]\
    \"\
    \n\
    \n\
    \n#    :log info \"Sent DHCP alert for MAC \$leaseActMAC\"\
    \n\
    \n}\
    \n\
    \n\
    \n\
    \n\
    \n" lease-time=3d name=defconf
add address-pool=offbridge-dhcp-server comment=offbridge-dhcp-server \
    interface=ether7 name=offbridge-dhcp-server
/ip smb users
set [ find default=yes ] disabled=yes
/system logging action
set 3 remote=192.168.2.22
add name=logserver remote=192.168.0.112 remote-port=51400 target=remote
add email-to=jXXXXX@domain.com name=email target=email
add disk-file-name=UPSLOG name=diskups target=disk
/container config
set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
/interface bridge filter
add action=drop chain=forward disabled=yes dst-port=67-68 in-interface-list=\
    DHCPdisabled ip-protocol=udp log-prefix=Bridge-Filter-Forward \
    mac-protocol=ip out-interface-list=DHCPdisabled src-port=67-68
add action=drop chain=input disabled=yes dst-port=67-68 in-interface-list=\
    DHCPdisabled ip-protocol=udp log-prefix=Bridge-Filter-Input mac-protocol=\
    ip src-port=67-68
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge interface=sfp-sfpplus1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add disabled=yes interface=bridge list=MANAGE
add disabled=yes interface=ether1 list=MANAGE
add interface=212-Wireguard list=LAN
add disabled=yes interface=212-Wireguard list=MANAGE
add interface=212-Wireguard list=DHCPdisabled
add disabled=yes interface=*13 list=DHCPdisabled
add disabled=yes interface=*14 list=DHCPdisabled
add disabled=yes interface=*12 list=DHCPdisabled
add disabled=yes interface=*17 list=DHCPdisabled
add disabled=yes interface=*18 list=DHCPdisabled
add disabled=yes interface=*15 list=DHCPdisabled
add disabled=yes interface=*16 list=DHCPdisabled
add comment=OffBridge interface=ether7 list=LAN
add disabled=yes interface=ether7 list=MANAGE
add interface=bridge list=TRUSTED
add interface=ether7 list=TRUSTED
add interface=212-Wireguard list=TRUSTED
/interface ovpn-server server
add mac-address=FE:B2:B3:FE:59:72 name=ovpn-server1
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" interface=\
    212-Wireguard name=jrs-laptop public-key=\
    "b9iyIPddddddjRpJX8="
add allowed-address=\
    10.10.100.2/32,192.168.88.0/24,10.10.100.40/32,192.168.40.0/24 comment=\
    371 endpoint-address=XXXXX.dyndns.org endpoint-port=52820 interface=\
    212-Wireguard name=371 persistent-keepalive=40s public-key=\
    "zoZtiesddddddU5lohI="
add allowed-address=10.10.100.9/32 comment="JRS iPhone" interface=\
    212-Wireguard name=jrs-iphone public-key=\
    "PypzufCddddddpy61F8="
add allowed-address=10.10.100.12/32,192.168.20.0/24 comment=629 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51821 interface=\
    212-Wireguard name=629 persistent-keepalive=40s public-key=\
    "q28DddddddoG4CfXo="
add allowed-address=10.10.100.60/32,192.168.1.0/24 comment=255 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51835 interface=\
    212-Wireguard name=255 persistent-keepalive=40s public-key=\
    "6E3ddddddPMwbRc="
add allowed-address=10.10.100.30/32,192.168.30.1/24 comment=76 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51830 interface=\
    212-Wireguard name=76 persistent-keepalive=40s public-key=\
    "EJu69dddddcNgUic="
add allowed-address=10.10.90.0/24 comment="BI PC WG APP" endpoint-port=51820 \
    interface=212-Wireguard name=peer8 public-key=\
    "R5SjZudddddSC0jt9TV4="
add allowed-address=10.10.100.1/32,192.168.2.2/24 comment=\
    "212 (local, just for reference);   192.168.2.2" disabled=yes \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51820 interface=\
    212-Wireguard name=peer9 public-key=\
    "xx2ddddddOqXrW4Ds="
add allowed-address=10.10.100.100/32 comment="JRS Laptop 201" disabled=yes \
    interface=212-Wireguard name=peer10 public-key=\
    "QJCXZdddddddeqsSFk="
add allowed-address=10.10.100.101/32 endpoint-port=51840 interface=\
    212-Wireguard name=peer11 public-key=\
    "N/t6/8dddddGQQZsW8="
add allowed-address=10.10.100.70/32,192.168.70.0/24 comment=125 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51870 interface=\
    212-Wireguard name=125 persistent-keepalive=40s public-key=\
    "Otp5dddddayGqT8="
add allowed-address=10.10.100.99/32,192.168.2.0/24 comment="JRS Laptop 2023" \
    interface=212-Wireguard name=peer13 private-key=\
    "ED8Ig6ddddddyBZH//vOc9p2Q=" public-key=\
    "w9XFdddddMndCHiU="
add allowed-address=10.10.100.53/32,192.168.0.0/24 client-listen-port=51840 \
    comment="WG Proxmox Win11" endpoint-address=XXXXX.dyndns.org \
    endpoint-port=51844 interface=*12 name=peer15 public-key=\
    "Wut4dddddGRDk="
add allowed-address=10.10.100.15/32 comment=355-AX3 disabled=yes \
    endpoint-address=10.0.0.1 endpoint-port=51860 interface=212-Wireguard \
    name=355-ax3 persistent-keepalive=40s public-key=\
    "C6fhddddd3LZ04="
add allowed-address=10.10.100.10/32 comment="T Laptop" interface=\
    212-Wireguard name=t-laptop public-key=\
    "MbtddddddmL+itsBc="
add allowed-address=10.10.100.80/32,192.168.80.1/24,10.72.0.0/16 comment=729 \
    endpoint-address=xxxx.dyndns.org endpoint-port=51880 interface=\
    212-Wireguard name=729 persistent-keepalive=40s public-key=\
    "dddddd0CQ="
add allowed-address=10.10.100.81/32 comment=hex-lab endpoint-address=\
    192.168.2.192 endpoint-port=51881 interface=212-Wireguard name=peer19 \
    persistent-keepalive=40s public-key=\
    "U/TxIdbddddddj4/y0="
add allowed-address=10.10.100.50/32,192.168.0.0/24,192.168.5.0/24 comment=355 \
    endpoint-address=XXXXX.dyndns.org endpoint-port=51833 interface=\
    212-Wireguard name=355 persistent-keepalive=40s public-key=\
    "Q8CPdddddLZq3g="
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
add address=192.168.55.1/24 interface=ether7 network=192.168.55.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server alert
add alert-timeout=12h disabled=no interface=bridge on-alert="/system script ad\
    d name=rogue-dhcp source=\94:log warning message=\\\94Rogue DHCP server de\
    tected!\\\94\94"
add alert-timeout=30m interface=bridge on-alert=rogue-dhcp
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.2 gateway=\
    192.168.2.2 netmask=24
add address=192.168.55.0/24 dns-server=1.1.1.1 gateway=192.168.55.1 netmask=\
    24
/ip dns
set allow-remote-requests=yes cache-max-ttl=3d cache-size=10000KiB servers=\
    9.9.9.9,1.1.1.1,8.8.4.4
/ip dns static
add address=192.168.2.8 name=212-rb5009.212.local type=A
add address=192.168.2.2 name=RB5009.212.local ttl=9w6d10h40m type=A
add address=10.10.100.1 name=212.10.10.100.1.local ttl=9w6d10h40m type=A
add address=192.168.2.100 comment="automatic-from-comment (magic comment)" \
    name=TV15.212.local ttl=1h type=A
add address=192.168.2.121 comment="automatic-from-comment (magic comment)" \
    name="Ipad SRN.212.local" ttl=9w6d10h40m type=A
add address=192.168.2.138 comment="automatic-from-comment (magic comment)" \
    name=MFCL3770CDW.212.local ttl=9w6d10h40m type=A
add address=192.168.2.141 comment="automatic-from-comment (magic comment)" \
    name="JRS iPhone.212.local" ttl=9w6d10h40m type=A
add address=192.168.2.109 comment="automatic-from-comment (magic comment)" \
    name="Vizio on 15.212.local" ttl=9w6d10h40m type=A
add address=192.168.2.122 comment="automatic-from-comment (magic comment)" \
    name=Homepod.212.local ttl=9w6d10h40m type=A
add address=192.168.2.199 comment="automatic-from-comment (magic comment)" \
    name=Playstation.212.local ttl=9w6d10h40m type=A
add address=192.168.2.142 comment="automatic-from-comment (magic comment)" \
    name=SRNAppleWatch.212.local ttl=9w6d10h40m type=A
add address=192.168.2.22 name=JRS-PC.212.local type=A
add address=192.168.2.102 comment="automatic-from-dhcp (magic comment)" name=\
    Master-Bedroom.212.local ttl=1h40m type=A
add address=192.168.2.103 comment="automatic-from-dhcp (magic comment)" name=\
    Family-Room.212.local ttl=1h40m type=A
add address=192.168.2.138 comment="automatic-from-dhcp (magic comment)" name=\
    MFC-L3770.212.local ttl=1h40m type=A
add address=192.168.2.147 comment="automatic-from-dhcp (magic comment)" name=\
    212LR.212.local ttl=1h40m type=A
add address=192.168.2.191 comment="automatic-from-dhcp (magic comment)" name=\
    SRNOffice.212.local ttl=1h40m type=A
add address=192.168.2.128 comment="automatic-from-dhcp (magic comment)" name=\
    212MBR.212.local ttl=1h40m type=A
add address=192.168.2.200 comment="automatic-from-dhcp (magic comment)" name=\
    HarmonyHub.212.local ttl=1h40m type=A
add address=192.168.2.124 comment="automatic-from-dhcp (magic comment)" name=\
    BRW2C6FC95FBCEB.212.local ttl=1h40m type=A
add address=192.168.2.173 comment="automatic-from-dhcp (magic comment)" name=\
    NC-LT-SN20.212.local ttl=1h40m type=A
add address=192.168.2.137 comment="automatic-from-dhcp (magic comment)" name=\
    tasmota-E37677-5751.212.local ttl=1h40m type=A
add address=192.168.2.117 comment="automatic-from-dhcp (magic comment)" name=\
    BRNB4220095598A.212.local ttl=1h40m type=A
add address=192.168.2.127 comment="automatic-from-dhcp (magic comment)" name=\
    Debian.212.local ttl=1h40m type=A
add address=192.168.2.110 comment="automatic-from-dhcp (magic comment)" name=\
    JRS-Laptop-2023.212.local ttl=1h40m type=A
add address=192.168.2.108 comment="automatic-from-dhcp (magic comment)" name=\
    0005CD193C07.212.local ttl=1h40m type=A
add address=69.202.199.148 name=XXXXX.dyndns.org type=A
add address=192.168.2.2 comment=router.212.internal name=router.212.internal \
    type=A
add address=10.10.100.80 comment=729router.internal name=729router.internal \
    type=A
add address=192.168.2.22 comment=jrspc name=jrspc.212.internal type=A
/ip firewall address-list
add address=XXXXX.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=Authorized
add address=10.10.100.0/24 list=Authorized
add address=XXXXX.dyndns.org list=XXXXX
add address=hda08a4mazh.sn.mynetname.net list=PublicIP
/ip firewall filter
add action=log chain=input comment="Port 53 Log" connection-state=new \
    disabled=yes dst-port=53 log=yes log-prefix=TCP-53 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Loopback allow" dst-address=127.0.0.1
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
add action=drop chain=input comment="DROP DHCP on DHCPdisabled" disabled=yes \
    dst-port=67-68 in-interface-list=DHCPdisabled log=yes protocol=udp \
    src-port=67-68
add action=accept chain=input comment="Allow GRE for EoIP" disabled=yes log=\
    yes protocol=gre
add action=accept chain=input comment="Allow Authorized" src-address-list=\
    Authorized
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else" log-prefix=drop-all-else
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf:  drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment="Allow all traffic out WG iface" \
    out-interface=212-Wireguard
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow LAN to WAN" disabled=yes \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" src-address=192.168.2.0/24
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" src-address=192.168.2.0/24
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=dst-nat chain=dstnat comment=XXXXX.dyndns.org:81 \
    dst-address-list=XXXXX dst-port=81 log-prefix=\
    "NAT FW destination XXXXX port 81" protocol=tcp to-addresses=\
    192.168.0.101 to-ports=81
add action=dst-nat chain=dstnat comment=XXXXX.dyndns.org:8123 \
    dst-address-list=XXXXX dst-port=8123 protocol=tcp to-addresses=\
    192.168.0.162 to-ports=8123
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
    protocol=tcp to-addresses=192.168.2.176
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" disabled=yes dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    disabled=yes out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=5911 log=yes protocol=tcp to-addresses=192.168.2.139
add action=dst-nat chain=dstnat disabled=yes dst-port=51833 protocol=udp \
    to-addresses=192.168.2.50
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" disabled=yes dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    disabled=yes out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=dst-nat chain=dstnat disabled=yes dst-address-list=dynamic-WANIP \
    dst-port=5911 log=yes protocol=tcp to-addresses=192.168.2.139
add action=dst-nat chain=dstnat disabled=yes dst-port=51833 protocol=udp \
    to-addresses=192.168.2.50
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d \
    wed=0s-1d
/ip route
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=355-Cameras disabled=no distance=1 dst-address=192.168.5.0/24 \
    gateway=212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=629 disabled=no distance=1 dst-address=192.168.20.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=192.168.2.8 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=76 disabled=no distance=1 dst-address=192.168.30.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=371 disabled=no distance=1 dst-address=192.168.40.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=125 disabled=no distance=1 dst-address=192.168.70.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.5 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment="TEMP -- REMOVE THIS WHEN 729 AX3 is moved" disabled=yes \
    distance=1 dst-address=172.16.0.0/16 gateway=192.168.2.192 routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=212-Wireguard \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.4.0/24 gateway=10.10.100.80 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=729 disabled=no distance=1 dst-address=192.168.80.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=10.21.0.0/16 gateway=ether5 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl disabled=no
set api disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set always-allow-password-login=yes forwarding-enabled=both
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name=212-RB5009
/system logging
set 0 topics=info,!wireguard,!dhcp
add topics=account
add topics=watchdog
add action=logserver prefix="XXXXXH MikroTik" topics=hotspot
add action=logserver prefix="XXXXXH MikroTik" topics=\
    !debug,!packet,!snmp
add action=remote disabled=yes prefix=192.168.2.2 topics=info
add action=remote disabled=yes topics=ups
add topics=ups
add disabled=yes topics=dns
add topics=firewall
add action=diskups regex="^\\[UPS\\]:" topics=script
add action=disk topics=watchdog
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=216.239.35.4
add address=104.16.132.229
/system ups
add name=ups1 port=usbhid1
/system watchdog
set auto-send-supout=yes ping-start-after-boot=10m ping-timeout=10m \
    send-email-to=jXXXXX@domain.com watch-address=1.1.1.1
/tool bandwidth-server
set authenticate=no
/tool e-mail
set from=jXXXXX@domain.com password="<dddd>" port=587 \
    server=smtp.gmail.com tls=starttls user=<dddd>@gmail.com
/tool graphing interface
add interface=bridge
add
/tool graphing queue
add
/tool graphing resource
add
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes
/tool sniffer
set file-limit=10000KiB filter-ip-address=10.21.0.0/16 filter-ip-protocol=\
    icmp memory-limit=10000KiB streaming-server=192.168.2.22
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1
add disabled=yes interface=ether3 name=tmon2 traffic=received trigger=always

RB5009-New:

# 2025-10-24 07:14:59 by RouterOS 7.18.2
# model = RB5009UG+S+
/interface bridge
add admin-mac=F4:1E:57:C3:6E:8A ageing-time=5m arp=enabled arp-timeout=auto \
    auto-mac=no comment=defconf dhcp-snooping=no disabled=no ether-type=\
    0x8100 fast-forward=yes forward-delay=15s frame-types=\
    admit-only-vlan-tagged igmp-snooping=no ingress-filtering=yes \
    max-learned-entries=auto max-message-age=20s mtu=auto mvrp=no name=bridge \
    port-cost-mode=short priority=0x8000 protocol-mode=rstp pvid=1 \
    transmit-hold-count=6 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full,2.5G-baseT" arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=\
    unlimited/unlimited comment=WAN disabled=no l2mtu=1514 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s \
    mac-address=F4:1E:57:C3:6E:89 mtu=1500 name=ether1 orig-mac-address=\
    F4:1E:57:C3:6E:89 rx-flow-control=off tx-flow-control=off
set [ find default-name=ether2 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="Switch JRS Office; vlan32 access" disabled=no l2mtu=1514 \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=F4:1E:57:C3:6E:8A mtu=1500 \
    name=ether2 orig-mac-address=F4:1E:57:C3:6E:8A rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether3 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="Blue Iris Server vlan62 access port" disabled=no l2mtu=1514 \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=F4:1E:57:C3:6E:8B mtu=1500 \
    name=ether3 orig-mac-address=F4:1E:57:C3:6E:8B rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether4 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="hAPax3-downstairs trunk vlans 2, 12, 32, 42" disabled=no l2mtu=\
    1514 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=F4:1E:57:C3:6E:8C mtu=1500 \
    name=ether4 orig-mac-address=F4:1E:57:C3:6E:8C rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether5 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="hAPax3-upstairs trunk vlans 2, 12, 32, 42" disabled=no l2mtu=\
    1514 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=F4:1E:57:C3:6E:8D mtu=1500 \
    name=ether5 orig-mac-address=F4:1E:57:C3:6E:8D rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether6 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="Joseph PC access port vlan32" disabled=no l2mtu=1514 \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=F4:1E:57:C3:6E:8E mtu=1500 \
    name=ether6 orig-mac-address=F4:1E:57:C3:6E:8E rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether7 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="MGMT access port vlan32" disabled=no l2mtu=1514 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s \
    mac-address=F4:1E:57:C3:6E:8F mtu=1500 name=ether7 orig-mac-address=\
    F4:1E:57:C3:6E:8F rx-flow-control=off tx-flow-control=off
set [ find default-name=ether8 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment=OffBridge disabled=no l2mtu=1514 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    F4:1E:57:C3:6E:90 mtu=1500 name=ether8 orig-mac-address=F4:1E:57:C3:6E:90 \
    rx-flow-control=off tx-flow-control=off
set [ find default-name=sfp-sfpplus1 ] advertise="10M-baseT-half,10M-baseT-ful\
    l,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full,1G-baseX,2.5\
    G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR" arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=\
    unlimited/unlimited comment=CSS326 disabled=no l2mtu=1514 loop-protect=\
    default loop-protect-disable-time=5m loop-protect-send-interval=5s \
    mac-address=F4:1E:57:C3:6E:91 mtu=1500 name=sfp-sfpplus1 \
    orig-mac-address=F4:1E:57:C3:6E:91 rx-flow-control=off sfp-ignore-rx-los=\
    no sfp-rate-select=high sfp-shutdown-temperature=95C tx-flow-control=off
/queue interface
set bridge queue=no-queue
set wireguard1 queue=no-queue
/interface vlan
add arp=enabled arp-timeout=auto comment="TV VLAN42" disabled=no interface=\
    bridge loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 mvrp=no name=vlan-TV \
    use-service-tag=no vlan-id=42
add arp=enabled arp-timeout=auto comment="Cameras VLAN22" disabled=no \
    interface=bridge loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 mvrp=no name=vlan-camera \
    use-service-tag=no vlan-id=22
add arp=enabled arp-timeout=auto comment="Guest WiFi VLAN2" disabled=no \
    interface=bridge loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 mvrp=no name=vlan-guest \
    use-service-tag=no vlan-id=2
add arp=enabled arp-timeout=auto comment="IoT  VLAN12" disabled=no interface=\
    bridge loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 mvrp=no name=vlan-iot \
    use-service-tag=no vlan-id=12
add arp=enabled arp-timeout=auto comment="MGMT VLAN32" disabled=no interface=\
    bridge loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 mvrp=no name=vlan-mgmt \
    use-service-tag=no vlan-id=32
add arp=enabled arp-timeout=auto comment="MOCA VLAN52" disabled=no interface=\
    bridge loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 mvrp=no name=vlan-moca \
    use-service-tag=no vlan-id=52
add arp=enabled arp-timeout=auto comment="Printers vlan82" disabled=no \
    interface=bridge loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 mvrp=no name=vlan-printers \
    use-service-tag=no vlan-id=82
add arp=enabled arp-timeout=auto comment="Servers VLAN62" disabled=no \
    interface=bridge loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 mvrp=no name=vlan-server \
    use-service-tag=no vlan-id=62
add arp=enabled arp-timeout=auto comment="VONAGE VLAN72" disabled=no \
    interface=bridge loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mtu=1500 mvrp=no name=vlan-vonage \
    use-service-tag=no vlan-id=72


/interface ethernet switch
set 0 cpu-flow-control=yes mirror-egress-target=none name=switch1
/interface ethernet switch port
set 0 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no \
    mirror-ingress-target=none
set 1 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no \
    mirror-ingress-target=none
set 2 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no \
    mirror-ingress-target=none
set 3 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no \
    mirror-ingress-target=none
set 4 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no \
    mirror-ingress-target=none
set 5 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no \
    mirror-ingress-target=none
set 6 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no \
    mirror-ingress-target=none
set 7 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no \
    mirror-ingress-target=none
set 8 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no \
    mirror-ingress-target=none
set 9 !egress-rate !ingress-rate mirror-egress=no mirror-ingress=no \
    mirror-ingress-target=none
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
set 3 !forwarding-override
set 4 !forwarding-override
set 5 !forwarding-override
set 6 !forwarding-override
set 7 !forwarding-override
set 8 !forwarding-override
set 9 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
add comment=defconf exclude="" include="" name=WAN
add comment=defconf exclude="" include="" name=LAN
add exclude="" include="" name=TRUSTED
add exclude="" include="" name=Iot-Cameras
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=\
    none default-route-distance=2 ip-type=auto name=default use-network-apn=\
    yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=no



/ip pool
add comment=offbridge-dhcp-server name=offbridge-dhcp-server ranges=\
    192.168.55.2-192.168.55.200
add name=guest-pool ranges=10.21.2.100-10.21.2.252
add name=iot-pool ranges=10.21.12.100-10.21.12.252
add name=cameras-pool ranges=10.21.22.100-10.21.22.252
add name=mgmt-pool ranges=10.21.32.100-10.21.32.252
add name=TV-pool ranges=10.21.42.100-10.21.42.252
add name=MOCA-pool ranges=10.21.52.100-10.21.52.252
add name=servers-pool ranges=10.21.62.100-10.21.62.252
add name=vonage-pool ranges=10.21.72.100-10.21.72.252
/ip dhcp-server
add address-lists="" address-pool=guest-pool disabled=no interface=vlan-guest \
    lease-script="" lease-time=30m name=dhcp-guest use-radius=no
add address-lists="" address-pool=iot-pool disabled=no interface=vlan-iot \
    lease-script="" lease-time=30m name=dhcp-iot use-radius=no
add address-lists="" address-pool=mgmt-pool disabled=yes interface=vlan-mgmt \
    lease-script="" lease-time=30m name=dhcp-mgmt use-radius=no
# Interface not running
add address-lists="" address-pool=offbridge-dhcp-server comment=\
    offbridge-dhcp-server disabled=no interface=ether8 lease-script="" \
    lease-time=30m name=offbridge-dhcp-server use-radius=no
add address-lists="" address-pool=MOCA-pool disabled=no interface=vlan-moca \
    lease-script="" lease-time=30m name=dhcp-moca use-radius=no
add address-lists="" address-pool=servers-pool disabled=no interface=\
    vlan-server lease-script="" lease-time=30m name=dhcp-servers use-radius=\
    no
add address-lists="" address-pool=TV-pool disabled=no interface=vlan-TV \
    lease-script="" lease-time=30m name=dhcp-TV use-radius=no
add address-lists="" address-pool=vonage-pool disabled=no interface=\
    vlan-vonage lease-script="" lease-time=30m name=dhcp-vonage use-radius=no

/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
    pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
    pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10


/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    "hAPax3-upstairs trunk vlan1" disabled=no edge=auto fast-leave=no \
    frame-types=admit-only-vlan-tagged horizon=none hw=yes ingress-filtering=\
    yes interface=ether5 !internal-path-cost learn=auto multicast-router=\
    temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 \
    pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    "JRS PC; assign vlan32; access port" disabled=no edge=auto fast-leave=no \
    frame-types=admit-only-untagged-and-priority-tagged horizon=none hw=yes \
    ingress-filtering=yes interface=ether6 !internal-path-cost learn=auto \
    multicast-router=temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 \
    pvid=32 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    "MGMT; assign vlan32; access port " disabled=no edge=auto fast-leave=no \
    frame-types=admit-only-untagged-and-priority-tagged horizon=none hw=yes \
    ingress-filtering=yes interface=ether7 !internal-path-cost learn=auto \
    multicast-router=temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 \
    pvid=32 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    "CSS326; trunk vlan1" disabled=no edge=auto fast-leave=no frame-types=\
    admit-only-vlan-tagged horizon=none hw=yes ingress-filtering=yes \
    interface=sfp-sfpplus1 !internal-path-cost learn=auto multicast-router=\
    temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 \
    pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    "JRS office switch; vlan32; access port" disabled=no edge=auto \
    fast-leave=no frame-types=admit-only-untagged-and-priority-tagged \
    horizon=none hw=yes ingress-filtering=yes interface=ether2 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=32 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    "Blue Iris; assign vlan62 tag; access port" disabled=no edge=auto \
    fast-leave=no frame-types=admit-only-untagged-and-priority-tagged \
    horizon=none hw=yes ingress-filtering=yes interface=ether3 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=62 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    "hAPax3-downstairs; trunk vlan1" disabled=no edge=auto fast-leave=no \
    frame-types=admit-only-vlan-tagged horizon=none hw=yes ingress-filtering=\
    yes interface=ether4 internal-path-cost=10 learn=auto multicast-router=\
    temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal path-cost=10 point-to-point=auto priority=\
    0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=\
    no unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=\
    1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=all discover-interval=30s lldp-mac-phy-config=no \
    lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled lldp-vlan-info=\
    no mode=tx-and-rx protocol=cdp,lldp,mndp


/interface bridge vlan
add bridge=bridge comment=\
    "ports bridge,4,5,sfp to carry vlan2 (Guest) tagged frames out of 5009" \
    disabled=no mvrp-forbidden="" tagged=bridge,ether4,ether5,sfp-sfpplus1 \
    untagged="" vlan-ids=2
add bridge=bridge comment=\
    "port bridge,4,5,sfp to carry vlan12 (IoT) tagged frames out of 5009" \
    disabled=no mvrp-forbidden="" tagged=bridge,ether4,ether5,sfp-sfpplus1 \
    untagged="" vlan-ids=12
add bridge=bridge comment="ports bridge,4,5,sfp to carry vlan32 (MGMT) out of \
    5009 AND assign vlan32 to frames arriving on ports 6,7; access 32 for ethe\
    r2, 6, 7" disabled=no mvrp-forbidden="" tagged=\
    bridge,sfp-sfpplus1,ether4,ether5 untagged=ether2,ether6,ether7 vlan-ids=\
    32
add bridge=bridge comment=\
    "ports bridge,4,5,sfp to carry vlan42 (TV) frames out of 5009" disabled=\
    no mvrp-forbidden="" tagged=bridge,ether4,ether5,sfp-sfpplus1 untagged="" \
    vlan-ids=42
add bridge=bridge comment=\
    "ports bridge,sfp to carry vlan52(MOCA)  out of 5009" disabled=no \
    mvrp-forbidden="" tagged=bridge,sfp-sfpplus1 untagged="" vlan-ids=52
add bridge=bridge comment="ports bridge,sfp to carry vlan62 (server) frames ou\
    t of 5009 AND assign vlan62 to frames arriving at ether3" disabled=no \
    mvrp-forbidden="" tagged=bridge,sfp-sfpplus1 untagged=ether3 vlan-ids=62
add bridge=bridge comment=\
    "ports bridge,sfp to carry vlan72 (vonage) frames out of 5009" disabled=\
    no mvrp-forbidden="" tagged=bridge,sfp-sfpplus1 untagged="" vlan-ids=72
add bridge=bridge comment=\
    "ports bridge,sfp to carry vlan 82 (printer) frames out of 5009" \
    disabled=no mvrp-forbidden="" tagged=bridge,sfp-sfpplus1 untagged="" \
    vlan-ids=82


/interface list member
add comment=defconf disabled=no interface=ether1 list=WAN
add disabled=no interface=wireguard1 list=TRUSTED
add disabled=no interface=ether8 list=TRUSTED
add disabled=no interface=wireguard1 list=LAN
add comment="LAN OffBridge" disabled=no interface=ether5 list=LAN
add comment="TRUSTED OffBridge" disabled=no interface=ether5 list=TRUSTED
add comment="LAN VLAN2" disabled=no interface=vlan-guest list=LAN
add comment="LAN VLAN12" disabled=no interface=vlan-iot list=LAN
add comment="LAN VLAN32" disabled=no interface=vlan-mgmt list=LAN
add comment="TRUSTED VLAN32" disabled=no interface=vlan-mgmt list=TRUSTED
add disabled=no interface=vlan-iot list=Iot-Cameras
add comment="TEMP " disabled=no interface=ether1 list=TRUSTED
add comment="LAN VLAN62" disabled=no interface=vlan-server list=LAN
add comment="LAN VLAN52" disabled=no interface=vlan-moca list=LAN
add comment="LAN VLAN42" disabled=no interface=vlan-TV list=LAN
add disabled=no interface=ether8 list=LAN


/ip address
add address=192.168.55.1/24 disabled=no interface=ether8 network=192.168.55.0
add address=10.10.100.212/24 disabled=no interface=wireguard1 network=\
    10.10.100.0
add address=10.21.2.1/24 disabled=no interface=vlan-guest network=10.21.2.0
add address=10.21.12.1/24 disabled=no interface=vlan-iot network=10.21.12.0
add address=10.21.32.1/24 disabled=no interface=vlan-mgmt network=10.21.32.0
add address=10.21.42.1/24 disabled=no interface=vlan-TV network=10.21.42.0
add address=10.21.52.1/24 disabled=no interface=vlan-moca network=10.21.52.0
add address=10.21.62.1/24 disabled=no interface=vlan-server network=\
    10.21.62.0
add address=10.21.72.1/24 disabled=no interface=vlan-vonage network=\
    10.21.72.0
add address=10.21.82.1/24 disabled=no interface=vlan-printers network=\
    10.21.82.0

/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 \
    default-route-tables=default dhcp-options=hostname,clientid disabled=no \
    interface=ether1 use-peer-dns=yes use-peer-ntp=yes

/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=\
    5m
/ip dhcp-server network
add address=10.21.2.0/24 caps-manager="" dhcp-option="" dns-server=10.21.2.1 \
    gateway=10.21.2.1 !next-server ntp-server="" wins-server=""
add address=10.21.12.0/24 caps-manager="" dhcp-option="" dns-server=\
    10.21.12.1 gateway=10.21.12.1 !next-server ntp-server="" wins-server=""
add address=10.21.22.0/24 caps-manager="" dhcp-option="" dns-server=\
    10.21.22.1 gateway=10.21.22.1 !next-server ntp-server="" wins-server=""
add address=10.21.32.0/24 caps-manager="" dhcp-option="" dns-server=1.1.1.1 \
    gateway=10.21.32.1 !next-server ntp-server="" wins-server=""
add address=10.21.42.0/24 caps-manager="" dhcp-option="" dns-server=\
    10.21.42.1 gateway=10.21.42.1 !next-server ntp-server="" wins-server=""
add address=10.21.52.0/24 caps-manager="" dhcp-option="" dns-server=\
    10.21.52.1 gateway=10.21.52.1 !next-server ntp-server="" wins-server=""
add address=10.21.62.0/24 caps-manager="" dhcp-option="" dns-server=\
    10.21.62.1 gateway=10.21.62.1 !next-server ntp-server="" wins-server=""
add address=10.21.72.0/24 caps-manager="" dhcp-option="" dns-server=\
    10.21.72.1 gateway=10.21.72.1 !next-server ntp-server="" wins-server=""
add address=192.168.55.0/24 caps-manager="" dhcp-option="" dns-server=1.1.1.1 \
    gateway=192.168.55.1 netmask=24 !next-server ntp-server="" wins-server=""
/ip dns
set address-list-extra-time=0s allow-remote-requests=yes cache-max-ttl=1w \
    cache-size=10000KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 \
    max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
    mdns-repeat-ifaces="" query-server-timeout=2s query-total-timeout=10s \
    servers=1.1.1.1,9.9.9.9 use-doh-server="" verify-doh-cert=no vrf=main
/ip dns static
add address=10.21.32.1 disabled=no name=212-rb5009-new.212.internal ttl=1d \
    type=A
add address=10.21.32.1 disabled=no name=RB5009-new.212.internal ttl=\
    9w6d10h40m type=A
add address=10.21.32.1 disabled=no name=212.10.10.100.212.internal ttl=\
    9w6d10h40m type=A
add address=10.21.32.22 disabled=no name=vlan-JRSPC.212.internal ttl=1d type=\
    A
add address=192.168.2.2 comment=router.212.internal disabled=no name=\
    router.212.internal ttl=1d type=A
add address=10.21.32.1 comment=router.212.internal disabled=no name=\
    vlan-router.212.internal ttl=1d type=A
add address=10.10.100.80 comment=729router.internal disabled=no name=\
    729router.internal ttl=1d type=A
add address=192.168.2.22 disabled=no name=jrspc.212.internal ttl=1d type=A
/ip firewall address-list
add address=XXXXX.dyndns.org disabled=no dynamic=no list=dynamic-WANIP
add address=192.168.0.103 comment="Home Assistant" disabled=no dynamic=no \
    list=ALLOWED-REMOTE-SERVERS
add address=192.168.55.0/24 disabled=no dynamic=no list=admin
add address=10.0.0.0/8 disabled=no dynamic=no list=admin
add address=192.168.2.168 comment="Blue Iris 2" disabled=no dynamic=no list=\
    ALLOWED-REMOTE-SERVERS
add address=192.168.0.101 comment="Blue Iris" disabled=no dynamic=no list=\
    ALLOWED-REMOTE-SERVERS
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow INPUT users to services" \
    dst-port=53 in-interface-list=LAN log-prefix=users-to-services protocol=\
    udp
add action=accept chain=input comment="Allow INPUT users to services" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow INPUT from TRUSTED" \
    in-interface-list=TRUSTED
add action=accept chain=input comment="Allow INPUT WG Handshake" dst-port=\
    51880 log-prefix=Allow-WG-Handshake protocol=udp
add action=accept chain=input comment="NTP to Devices" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
    in-interface=vlan-mgmt !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=udp !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address src-port=123 !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=drop chain=input comment="Drop all INPUT" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port !in-bridge-port-list \
    !in-interface !in-interface-list !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix=DROP-ALL !nth \
    !out-bridge-port !out-bridge-port-list !out-interface !out-interface-list \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !tls-host !ttl
add action=fasttrack-connection chain=forward comment=\
    "defconf: fasttrack established related" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow FORWARD LAN to WAN" \
    in-interface-list=LAN log-prefix=Allow-LAN-WAN out-interface-list=WAN
add action=accept chain=forward comment="Allow FORWARD TRUSTED" \
    in-interface-list=TRUSTED log-prefix=Allow-TRUSTED out-interface-list=LAN
add action=accept chain=forward comment=\
    "Allow FORWARD Admin & remote wg admin to wireguard" in-interface-list=\
    TRUSTED out-interface=wireguard1 src-address-list=admin
add action=accept chain=forward comment=\
    "Allow FORWARD IOT-CAMERAS iface to ALLOWED-REMOTE-SERVER" \
    dst-address-list=ALLOWED-REMOTE-SERVERS in-interface-list=Iot-Cameras \
    out-interface=wireguard1
add action=accept chain=forward comment="Allow WG relay" in-interface=\
    wireguard1 out-interface=wireguard1
add action=drop chain=forward comment="Drop all FORWARD" log-prefix=DROP-ALL
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN !to-addresses !to-ports
add action=masquerade chain=srcnat out-interface=wireguard1 !to-addresses \
    !to-ports

/ip route
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355-Cameras disabled=no distance=1 dst-address=192.168.5.0/24 \
    gateway=wireguard1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=629 disabled=no distance=1 dst-address=192.168.20.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=76 disabled=no distance=1 dst-address=192.168.30.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=371 disabled=no distance=1 dst-address=192.168.40.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=125 disabled=no distance=1 dst-address=192.168.70.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.4.0/24 gateway=10.10.100.80 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/system identity
set name=212-RB5009-New

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool mac-server ping
set enabled=yes

/tool romon
set enabled=yes id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all


Set your /interface bridge bridge's pvid to 32.

I think that made it work!

Do I understand correctly that by setting the RB5009’s bridge’s pvid to 32 the bridge allows all the traffic in from the RB5009-New?

(That setting is done on RB5009-New I think?) Yes, now RB5009-New’s bridge port has access to your manage VLAN 32, so it can communicate with RB5009.

I was testing the ping connectivity from the wrong device.

I changed the pvid on RB5009-New to 32 and tried it with “admit all” as well as “admit only VLAN” and still cannot ping from the RB5009-New to RB5009.

Could you show us the result of /interface/bridge/vlan/print on both RB5009s?

VLANs exist only on RB5009-New:

[admin@212-RB5009-New] > /interface/bridge/vlan/print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
;;; ports bridge,4,5,sfp to carry vlan2 (Guest) tagged frames out of 5009
0   bridge         2  bridge                          
                      sfp-sfpplus1                    
                      ether4                          
;;; port bridge,4,5,sfp to carry vlan12 (IoT) tagged frames out of 5009
1   bridge        12  bridge                          
                      sfp-sfpplus1                    
                      ether4                          
;;; ports bridge,4,5,sfp to carry vlan32 (MGMT) out of 5009 AND assign vlan32 to frames arriving on ports 6,7; access 32 for ether2, 6, 7
2   bridge        32  bridge          ether6          
                      sfp-sfpplus1                    
                      ether4                          
;;; ports bridge,4,5,sfp to carry vlan42 (TV) frames out of 5009
3   bridge        42  bridge                          
                      sfp-sfpplus1                    
                      ether4                          
;;; ports bridge,sfp to carry vlan52(MOCA)  out of 5009
4   bridge        52  bridge                          
                      sfp-sfpplus1                    
;;; ports bridge,sfp to carry vlan62 (server) frames out of 5009 AND assign vlan62 to frames arriving at ether3
5   bridge        62  bridge                          
                      sfp-sfpplus1                    
;;; ports bridge,sfp to carry vlan72 (vonage) frames out of 5009
6   bridge        72  bridge                          
                      sfp-sfpplus1                    
7   bridge        82  bridge                          
                      sfp-sfpplus1                    
;;; added by vlan on bridge
8 D bridge        22  bridge  

With this result, you haven’t set bridge’s pvid to 32 yet, since it’s not automatically added to untagged ports of vlan 32.

Remove bridge from the tagged port list of vlan 32.

Why is this static route disabled?

I really don’t want to just keep trying things because then I will end up with a completely non-functioning config.

Is there something specific in either or both of the configs that prevents traffic flow?

When I ping from RB5009-New 192.168.2.2 (the IP address of RB5009), packet sniffer does not show the packets and the ping message is: “no route to host”

I tried adding a direct route to 192.168.2.0/24 as well as 192.168.2.2/32 via ether4 as well as via Bridge and the message changes to: “22 (Invalid argument)”

I even tried disabling vlan filtering in the bridge and that did not help.

I figured it out:

The multiple cables connecting RB5009-New (VLAN-aware router) resulted in multiple paths and the devices got “confused.”

After removing the source of confusion (disabling the SFP2 interface), I was able to add 192.168.2.33/24 to ether6 and it works.

Since ether6 is a member of the bridge, you should not be applying an IP address to it. It should be applied to the bridge itself. Adding the IP address to a bridge port is like putting a license plate on a passenger in the car, instead of on the car.

You may want to consider adding a dhcp-client to the bridge on RB5009-New, and setting a reserved ip address for the bridge's mac address to the dhcp server on RB5009 (aka RB5009-1) for 192.168.1.0/24. Then RB5009-New (aka RB5009vlan-1) will automatically get a default gateway via the RB5009-1 bridge.

Also, in the future when you are posting configs, leave off the "verbose"; using export verbose makes finding the significant information much harder. The config for the RB5009 (RB5009-1) was fine, it was the RB5009-New (RB5009vlan-1) that was hard to read.
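The three points the thread settles on (the bridge must not be both tagged and untagged in its own pvid VLAN, the bridge interface has to be a member of a VLAN before the router can talk in it, and addresses go on the bridge rather than on a bridge port) can be checked against an export before anything is changed on production gear. The script below is an added example, not code from this thread or from MikroTik: it joins the backslash-wrapped lines of a RouterOS export, reads the bridge, bridge port, bridge vlan, vlan-interface and ip address sections, and reports those three conditions. The sample export is constructed for the demonstration and is not either poster's configuration; the membership rules it applies (a pvid makes the interface an untagged member, a vlan interface on the bridge shows up as the dynamic "added by vlan on bridge" entry) follow what the print output above shows.

```python
"""Lint a RouterOS export for the bridge-VLAN mistakes discussed in the thread.
Added example, not code from the thread or from MikroTik."""
import re
from collections import defaultdict

# Constructed sample (not the poster's config): bridge pvid is 32 but the
# bridge is still tagged in VLAN 32, VLAN 62 has no bridge membership, and
# an address sits on bridge port ether6 instead of on the bridge.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge pvid=32 vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=32
/interface bridge port
add bridge=bridge comment="CSS326; trunk" frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1 pvid=1
add bridge=bridge comment="MGMT; access port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=32
add bridge=bridge comment="Servers; access port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=62
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 untagged=ether6 vlan-ids=32
add bridge=bridge tagged=sfp-sfpplus1 untagged=ether3 vlan-ids=62
/ip address
add address=10.21.32.1/24 interface=vlan-mgmt network=10.21.32.0
add address=192.168.2.33/24 interface=ether6 network=192.168.2.0
"""

KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S*))')  # key=value or key="v v"

def parse_export(text):
    """Return {section: [entry dict, ...]} for the add/set lines of an export."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):  # export wraps long lines with a trailing backslash
            buf += piece[:-1]
            continue
        lines.append(buf + piece)
        buf = ""
    sections, section = defaultdict(list), None
    for line in lines:
        if line.startswith("/"):
            section = line
        elif section and line.split(" ", 1)[0] in ("add", "set"):
            sections[section].append({k: q or u for k, q, u in KV_RE.findall(line)})
    return dict(sections)

def expand_ids(spec):
    """'2,10-12' -> {2, 10, 11, 12}: vlan-ids accepts lists and ranges."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def lint_bridge_vlans(text):
    """Return a list of (check, interface, message) findings."""
    cfg = parse_export(text)
    bridges = {b["name"]: b for b in cfg.get("/interface bridge", []) if "name" in b}
    ports = cfg.get("/interface bridge port", [])
    vlan_ifaces = cfg.get("/interface vlan", [])
    tagged = defaultdict(set)  # vlan id -> statically tagged interfaces
    for row in cfg.get("/interface bridge vlan", []):
        for vid in expand_ids(row.get("vlan-ids", "")):
            tagged[vid] |= set(filter(None, row.get("tagged", "").split(",")))

    def cpu_in_vlan(bridge, vid):
        # static tagged entry, the bridge's own pvid, or a vlan interface on the bridge
        return (bridge in tagged[vid]
                or int(bridges.get(bridge, {}).get("pvid", 1)) == vid
                or any(v.get("interface") == bridge and int(v.get("vlan-id", 0)) == vid
                       for v in vlan_ifaces))

    findings = []
    members = [(p["interface"], p["bridge"], int(p.get("pvid", 1)),
                p.get("frame-types", "admit-all")) for p in ports]
    members += [(n, n, int(b.get("pvid", 1)), "admit-all") for n, b in bridges.items()]
    for iface, bridge, pvid, frame_types in members:
        if iface in tagged[pvid]:
            findings.append(("pvid-tagged-conflict", iface,
                             f"pvid {pvid} but also tagged in VLAN {pvid}; remove it from the tagged list"))
        # a pure trunk drops untagged frames, so its pvid does not matter
        if iface != bridge and frame_types != "admit-only-vlan-tagged" and not cpu_in_vlan(bridge, pvid):
            findings.append(("no-cpu-membership", iface,
                             f"VLAN {pvid} has no {bridge} membership, so the router cannot reach its hosts"))
    bridge_of = {p["interface"]: p["bridge"] for p in ports}
    for addr in cfg.get("/ip address", []):
        if addr.get("interface") in bridge_of:
            findings.append(("ip-on-bridge-port", addr["interface"],
                             f"{addr['address']} belongs on {bridge_of[addr['interface']]}, not on a bridge port"))
    return findings

if __name__ == "__main__":
    for check, iface, msg in lint_bridge_vlans(SAMPLE_EXPORT):
        print(f"[{check}] {iface}: {msg}")
```

Run against the sample it reports three findings: the bridge is tagged in its own pvid VLAN 32, ether3's VLAN 62 has no bridge membership (no static tagged entry, no matching bridge pvid, no vlan interface), and 192.168.2.33/24 is on ether6 rather than on the bridge. Removing bridge from the tagged list of VLAN 32, adding a vlan interface for 62 on the bridge and moving the address to the bridge brings the findings to zero. The parser ignores the `!flag` negations and `#` comments that `export verbose` emits, so a full export can be fed in unchanged.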