VLAN and Smart home stuff block from internet only for BTH VPN

Hello,

I’m new to MikroTik and have had some success setting up a double WAN configuration with a lot of help, but I’m still learning. I would like to set up a secure smart home network and need assistance with this.

  • My goal is to block my cameras and other smart home devices from being accessed from the internet. I plan to access them through a BTH VPN, which works well with my NAS (which already has firewall rules set up in the Synology system to prevent internet access). I haven’t touched the MikroTik setup for this yet.
  • I would like to start learning how to configure VLANs. My plan is to separate my trusted devices (e.g., laptops) from my other, less trusted devices. Specifically, I would like to create two VLANs: one for trusted devices and one for untrusted ones.

Thanks!

First, a sanitized config may help to know where you’re starting.

While you can add a VLAN in a few steps to separate out devices, you may want to consider what exactly you mean by “trusted” and “untrusted” & if “untrusted” devices need to use some kind of broadcast/discovery… For example, do you mean you may want “trusted devices” to be able to access “untrusted ones” & also “untrusted ones” being blocked from the internet? Keep in mind some devices have control apps, and often apps use discovery to find controller devices – so depending on how you separate things into VLANs, that discovery may not work. There are solutions to enable discovery (like the newer mdns-repeater and/or using bridge nat) — perhaps not an issue for some devices like a NAS or NVR which often have many configuration options, but “smart home” sensors/devices do often use some method to “find them” on the network.

Also, an alternative approach to VLANs is just using /interface/bridge/filter to block devices based on MAC address, especially if sensors/devices are pretty static or all from the same manufacturer (since you can have “wildcard” MAC filtering based on the vendor part of the MAC).

Main point being what “smart home stuff” may be relevant to how you want to split up your LAN side…

On BTH… there is just a boolean “allow-lan=yes/no” option. So you need to use allow-lan=yes, but then add custom firewall filter rules to block specific IP/subnet/VLAN as needed.
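As an added illustration of the /interface/bridge/filter alternative mentioned above (example configuration written for this thread, not taken from the poster or from MikroTik's documentation): all devices sharing one vendor prefix (the first three bytes of the MAC) are kept from talking to any bridge port except the one the controller sits on, and each such device is kept off the WAN. The prefix AA:BB:CC, the device MAC AA:BB:CC:11:22:33 and the hub port ether5 are placeholders to replace with your own values.

```routeros
# Added example: vendor-prefix isolation without VLANs.
# AA:BB:CC is a placeholder OUI, ether5 the assumed port of the hub
# (Home Assistant, NVR, ...). Adjust both to your own setup.

/interface bridge filter
# Layer 2 (bridged traffic): frames from the vendor prefix may only be
# forwarded out of ether5. The mask FF:FF:FF:00:00:00 limits the
# comparison to the vendor part of the MAC.
add chain=forward src-mac-address=AA:BB:CC:00:00:00/FF:FF:FF:00:00:00 \
    out-interface=!ether5 action=drop comment="IoT vendor: only towards hub port"
# ... and only ether5 may forward frames to those devices.
add chain=forward dst-mac-address=AA:BB:CC:00:00:00/FF:FF:FF:00:00:00 \
    in-interface=!ether5 action=drop comment="IoT vendor: only from hub port"

# Layer 3 (routed traffic): bridge filters never see packets the router
# forwards to the WAN, so the internet block lives in the IP firewall.
# src-mac-address here takes a full MAC, so it is one rule per device;
# the MAC below is a constructed placeholder.
/ip firewall filter
add chain=forward src-mac-address=AA:BB:CC:11:22:33 out-interface-list=WAN \
    action=drop comment="IoT device: no internet"
```

Traffic from a device to the router itself (DHCP, DNS) goes through the bridge input chain, not forward, so it is unaffected by the two bridge rules. The approach has a limit worth knowing: two clients on the same wireless interface are forwarded by the AP, not by the bridge, so bridge filters do not separate them from each other; that is the case where a VLAN per SSID is the cleaner tool.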

hey

# 2024-12-12 18:20:47 by RouterOS 7.16.2
# software id = xxxxx
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxx
/interface bridge
add admin-mac=xxxxx auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=HomeSSid_5Ghz \
    disabled=no security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=\
    yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20mhz configuration.mode=ap .ssid=HomeSSid disabled=no \
    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes
add configuration.mode=ap .ssid=SSidGuest mac-address=xxxxxxx \
    master-interface=wifi1 name=wifi3
add configuration.mode=ap .ssid=SSidGuest disabled=no mac-address=\
    xxxxxxxxx master-interface=wifi2 name=wifi4 \
    security.authentication-types=wpa2-psk
/interface wireguard
add comment=back-to-home-vpn listen-port=23119 mtu=1420 name=back-to-home-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
set enabled=no
/interface bridge filter
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward in-interface=wifi3
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=none
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set default-profile=*1 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.0.100/24 interface=ether2 network=10.0.0.0
add address=192.168.0.11/24 interface=ether1 network=192.168.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=1m
/ip cloud back-to-home-users
add allow-lan=yes comment="iPhone 14 Pro" name=C52 private-key=\
    "qDNl6hzLgfKZpX/Ar3l4kJDP3uhGCy/4EhGsYrtsDmI=" public-key=\
    "XKKiBv80bf5eoHPM1cpjNKaYPriF9nV1CcU0Kl5Jfw0="
add allow-lan=yes name="My MAC" private-key=\
    "+FQK0ziKe0+OGB/5A4LNodtcETnpxzLF3/5e4PR8EXk=" public-key=\
    "Dsbfx1vJI5sSoOTie3NVaxkEbjZr0WZ37KMiAJUWelI="
add allow-lan=yes name=Eszti private-key=\
    "uL/bTVF065QJ/OSc0LldEPWQ9nXTMM5fACZoqGpe420=" public-key=\
    "rL5QoHO0pnAeKDXVO8EF5IVCycM2hiMNceQlQYV01Sw="
/ip dhcp-client
add comment=defconf default-route-distance=2 disabled=yes interface=ether1
add disabled=yes interface=ether2
/ip dhcp-server lease
add address=192.168.88.120 client-id=1:90:9:d0:67:e7:91 mac-address=\
    90:09:D0:67:E7:91 server=defconf
add address=192.168.88.119 client-id=1:34:99:71:e6:4b:e4 mac-address=\
    34:99:71:E6:4B:E4 server=defconf
add address=192.168.88.140 client-id=1:d8:44:89:4d:3a:c9 mac-address=\
    D8:44:89:4D:3A:C9 server=defconf
add address=192.168.88.141 client-id=1:48:22:54:2:a3:54 mac-address=\
    48:22:54:02:A3:54 server=defconf
add address=192.168.88.142 client-id=1:40:ed:0:c8:9d:bd mac-address=\
    40:ED:00:C8:9D:BD server=defconf
add address=192.168.88.121 client-id=1:c0:95:6d:96:31:94 mac-address=\
    C0:95:6D:96:31:94 server=defconf
add address=192.168.88.118 client-id=1:b4:ae:c1:45:f1:4a mac-address=\
    B4:AE:C1:45:F1:4A server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip kid-control device
add mac-address=90:09:D0:67:E7:91 name=Home_NAS user=*1
add mac-address=48:22:54:02:A3:54 name=IPC user=*1
/ip route
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.0.1%ether1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add blackhole disabled=no distance=2 dst-address=8.8.4.4/32 gateway="" \
    routing-table=main scope=30 suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=self-signed-certificate disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=xxxxx
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script=\
    "/ip route enable [find dst-address=0.0.0.0/0 and gateway=10.0.0.1]" \
    host=8.8.4.4 http-codes="" interval=10s test-script="" timeout=5s type=\
    simple up-script=\
    "/ip route disable [find dst-address=0.0.0.0/0 and gateway=10.0.0.1]"

So my main goal is:
I want to set up two separate VLANs with different internet access restrictions:

First VLAN: For regular devices such as phones, laptops, TVs, iPads, and a NAS (which also downloads from torrents). This VLAN should have full internet access.
Second VLAN: For smart home devices like cameras, alarm systems, and shade controls. I want these devices to remain isolated from the internet, but still be accessible for local control via a VPN from the first VLAN.
Essentially, the first VLAN requires internet access, while the second VLAN should have no internet access, but both VLANs should be able to communicate locally under specific conditions (like through a VPN).

I use BTH VPN for this purpose.

Thanks in advance!

I would separate out devices as well. For example cameras separate from media. Just in case something funky happens, untrusted company x.y.z does not have access to your cameras.
VLANs are free, cheap and easy, so make as many as you need.
To be clear, you need to block access from these devices to the internet so they don't communicate with the cloud instances of said companies.
Nothing hard here, except for a first timer.

The first step I would do is pick an unused port or temporarily dedicate a port for what I call off-bridge access. This is a safe place to play with bridge VLAN filtering without getting kicked out of the router…

/interface ethernet
# X is the ether port number you dedicate to off-bridge access
set [ find default-name=etherX ] name=OffBridgeX
/ip address
add address=192.168.55.1/29 interface=OffBridgeX network=192.168.55.0
/interface list member
add interface=OffBridgeX list=LAN

Now plug your laptop into etherX, change its IPv4 settings to 192.168.55.2, and you should be in!!!
Do the rest of your config from here.

Here is a great guide for vlans → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/303

Once you have a solid VLAN network config, then we tackle BTH after.

I’ve gone through the stuff, but I don’t have the knowledge to set this up myself. However, I’ve planned how I’d like to organize my devices:

  • VLAN1: For my Home Assistant Green, which is connected to ether5. This will act as the main hub.
  • VLAN2: For IoT devices - wifi2
  • The setup I want is for only the Home Assistant Green hub to access VLAN2, so it can control the IoT devices.
  • VLAN2 should only communicate with VLAN1 (the Home Assistant Green hub) and nothing else connected to the router.
  • Additionally, VLAN2 and VLAN1 must not have internet access.

And VLAN1 (Home Assistant Green hub) must be accessible from the local network only, e.g. via BTH VPN or phones connected to the same WiFi.

I’m unsure how to proceed with setting this up. I’ve tried looking for someone who can help configure it for me. I’m even willing to pay for assistance, as I don’t have the time or energy to manage it myself.

As long as you're not in a rush, I may be able to assist, via Discord, or Skype and AnyDesk etc…
Just contact anav_ds on Discord.

Hey,

I’d really appreciate that! Once I’m back from my fly around, I’ll work on finding a time that suits us both. Which time zone would be most convenient for you?

Make those - say - VLAN10 and VLAN20.
And here ends all my knowledge on VLANs: DO NOT USE VLAN1.

As far as I understand it, from my point of view it would be easier to build a 4-VLAN setup in that case:

VLAN1 → Management
VLAN10 → LAN
VLAN21 → SmartHome Server
VLAN22 → Smarthome WiFi (not needed to be separated, but possible)

WAN needs to be configured on ether1.

Then follow up to set the VLANs according to that description:
https://administrator.de/tutorial/mikrotik-vlan-konfiguration-ab-routeros-version-6-41-367186.html

Best method as well: use CAPsMAN with WifiWave2 to deploy, in case other CAPs might be used in future…

For WiFi, or better WLAN, use a master config for 2.4 MHz and 5 MHz, then deploy over the MGMT wireless (which is hidden) the other needed WiFis, as many as the bridge can carry…

  • For each WiFi frequency a configuration has to be done
  • For each band (2.4 GHz AX / 2.4 GHz N / 5 GHz AX) one config
  • For each VLAN which shall be brought to wireless a security setting should be set differently and linked
  • For each VLAN a datapath has to be configured and linked

Of course provisioning has to be created per antenna type (note: 2.4 and 5 GHz antennas are different in ROS)

  • Band used
  • Action: create dynamic enabled
    Master → hidden MGMT WLAN
    Slave: as many slave WLANs as needed, not hidden

Then set an access list for which device is allowed to connect to which WLAN :)

Access control towards the internet can then be done with firewall rules by setting something like
/ip firewall filter add action=accept chain=forward src-address=192.168.21.0/24 dst-address=192.168.10.0/24
/ip firewall filter add action=drop chain=forward src-address=192.168.21.0/24 dst-address=0.0.0.0/0
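The two rules above are the last step of the VLAN10 / VLAN21 / VLAN22 layout; the added example below (written for this thread, not the poster's or MikroTik's own configuration) carries the whole layout through on the exported config: bridge VLAN filtering, per-VLAN addressing and DHCP, the BTH clients treated like the trusted LAN (the allow-lan=yes plus custom filter rules point from the first reply), and the forward-chain policy that keeps the smart home VLANs off the internet. Assumptions, all placeholders to adjust: ether1 stays WAN, ether3/ether4/wifi1 are trusted LAN (VLAN10), ether5 carries the Home Assistant box in VLAN21 with a statically set address 192.168.21.10, wifi2 is the smart home SSID (VLAN22), the subnets 192.168.10/21/22.0/24 are chosen here, and "back-to-home-vpn" is the BTH WireGuard interface from the export above.

```routeros
# Added example, not from the thread. Apply it from the off-bridge port
# described earlier so a mistake in the VLAN table cannot lock you out.

# 1. The router's own leg into each VLAN
/interface vlan
add interface=bridge name=vlan10-lan vlan-id=10
add interface=bridge name=vlan21-smarthome vlan-id=21
add interface=bridge name=vlan22-iot-wifi vlan-id=22

# 2. Access ports: untagged frames entering a port land in its pvid VLAN
/interface bridge port
set [ find interface=ether3 ] pvid=10
set [ find interface=ether4 ] pvid=10
set [ find interface=wifi1 ] pvid=10
set [ find interface=ether5 ] pvid=21
set [ find interface=wifi2 ] pvid=22

# 3. VLAN table; "bridge" is tagged so the /interface vlan legs are reachable
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3,ether4,wifi1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=21
add bridge=bridge tagged=bridge untagged=wifi2 vlan-ids=22

# 4. Interface lists drive the firewall: LAN = trusted (incl. BTH clients),
#    SMARTHOME = the two isolated VLANs
/interface list
add name=SMARTHOME
/interface list member
add interface=vlan10-lan list=LAN
add interface=back-to-home-vpn list=LAN
add interface=vlan21-smarthome list=SMARTHOME
add interface=vlan22-iot-wifi list=SMARTHOME

# 5. Addressing and DHCP per VLAN (subnets chosen for this example);
#    the HA box is assumed to be statically set to 192.168.21.10, below pool21
/ip address
add address=192.168.10.1/24 interface=vlan10-lan
add address=192.168.21.1/24 interface=vlan21-smarthome
add address=192.168.22.1/24 interface=vlan22-iot-wifi
/ip pool
add name=pool10 ranges=192.168.10.10-192.168.10.254
add name=pool21 ranges=192.168.21.20-192.168.21.254
add name=pool22 ranges=192.168.22.10-192.168.22.254
/ip dhcp-server
add address-pool=pool10 interface=vlan10-lan name=dhcp10
add address-pool=pool21 interface=vlan21-smarthome name=dhcp21
add address-pool=pool22 interface=vlan22-iot-wifi name=dhcp22
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.21.0/24 gateway=192.168.21.1 dns-server=192.168.21.1
add address=192.168.22.0/24 gateway=192.168.22.1 dns-server=192.168.22.1

# 6. Router services for the isolated VLANs: the defconf input chain drops
#    everything not from LAN, so only DHCP and DNS are opened for them.
#    Drop port 53 from the list if the devices should not resolve names at all.
/ip firewall filter
add chain=input in-interface-list=SMARTHOME protocol=udp dst-port=67,53 \
    action=accept comment="smarthome: DHCP and DNS from the router only" \
    place-before=[ find comment="defconf: drop all not coming from LAN" ]

# 7. Forward policy. Established/related flows are already accepted by the
#    defconf rules earlier in the chain, so these only judge new connections.
add chain=forward in-interface-list=LAN out-interface-list=SMARTHOME \
    action=accept comment="LAN and BTH clients may open to smart home VLANs"
add chain=forward in-interface=vlan21-smarthome out-interface=vlan10-lan \
    action=accept comment="HA server may reach the LAN (e.g. the NAS)"
add chain=forward in-interface=vlan22-iot-wifi dst-address=192.168.21.10 \
    action=accept comment="IoT WiFi may reach the HA box only"
add chain=forward in-interface-list=SMARTHOME out-interface-list=WAN \
    action=drop comment="smart home VLANs: no internet"
add chain=forward in-interface-list=SMARTHOME action=drop \
    comment="smart home VLANs: nothing else"

# 8. Switch filtering on last, after checking the table with
#    /interface bridge vlan print
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
```

Two things to check after applying it. First, once every port has a pvid, the old 192.168.88.0/24 network on the untagged bridge is reachable only through the off-bridge port, so either keep using that port for management or move management to VLAN10. Second, the "nothing else" rule also drops the multicast discovery the first reply warned about: a device in VLAN22 that looks for Home Assistant via mDNS will not be found unless the mDNS repeater is enabled between vlan21-smarthome and vlan22-iot-wifi, while devices you address by fixed IP from the HA box need no such help.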