VLAN from router to managed switch

Hello. I have a hEX S router where all ports are bridged together INTO A SINGLE BRIDGE, with a DHCP server running on 192.168.4.0/24 for my internal network.

Eth2 of the router is now connected to a MikroTik Cloud Router Switch running SwOS. Eth2 of the router is connected to eth1 of the managed switch.
I would like to create a VLAN (let's call it IOT20, VLAN ID 20) for ports 5 and 7 of the switch, in order to connect IoT devices.
Steps I have taken on the router: under Interfaces, I created a new interface on the VLAN tab, named IOT20, and selected Eth2 as its interface.
Under IP > Addresses, I added a new address 10.10.10.1/24, network 10.10.10.0, and selected IOT20 (NOT Eth2) as the interface.
I added a new DHCP server network under DHCP Server > Networks for 10.10.10.0/24 (a 192.168.4.0/24 network is already present).
On the switch side, in the VLANs tab I added a new VLAN with ID 20 and included ports 5 and 7 only.
In the VLAN tab of the switch I checked ports 5 and 7, set their VLAN mode to strict (also tried optional) and set their default VLAN ID to 20.

This setup does not work: the devices on ports 5 and 7 do not get an IP in the desired 10.10.10.0/24 range.
I tried adding a DHCP server on the router side for the 10.10.10.0/24 network, but still no results.

I am unsure whether my setup is faulty on the router side, the managed switch side, or both :slight_smile:
Any helpful suggestions are more than welcome. Thank you.

My config

\

model = RB760iGS

serial number = 87F209A41194

/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
use-peer-dns=yes user=
/interface vlan
add interface=ether2 name=IOT20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=50m name=
defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge network=
192.168.4.0
add address=10.10.10.1/24 interface=IOT20 network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.4.154 client-id=1:e8:39:35:2c:9e:3d mac-address=
E8:39:35:2C:9E:3D server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=195.170.0.1 gateway=10.10.10.1 netmask=
24
add address=192.168.4.0/24 comment=defconf dns-server=195.170.0.1 gateway=
192.168.4.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ppp secret
add disabled=yes name=vpn
add name=
/system clock
set time-zone-name=
/system identity
set name="MikroTik hex s"
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It appears to be a confused setup, and some simplification will probably help.

A. Create a VLAN for IoT — it needs full DHCP settings of its own (the VLAN interface sits on the bridge).
B. Create a VLAN for normal traffic — keep the current DHCP settings for this one (the VLAN interface sits on the bridge).
C. Remove the bridge itself from DHCP service.

Then having all interfaces on the bridge makes sense.

Every interface whose end device is not smart (a PC, for example) becomes an access port, with the PVID set to that device's VLAN.
Every interface whose end device is smart (a switch, for example) becomes a trunk port.

Assign bridge ports and bridge VLANs as applicable.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 is your best reference.


Needs adjusting:

/interface vlan
add interface=ether2 name=IOT20 vlan-id=20
add a second VLAN interface (for the normal LAN), e.g. name=houselan vlan-id=101


/ip dhcp-server
add a DHCP server (and pool) for IoT

/interface bridge port
add bridge=bridge comment=defconf interface=ether2 [If trunk - ingress filtering = yes]
add bridge=bridge comment=defconf interface=ether3 [If access frames allowed priority and untagged]
add bridge=bridge comment=defconf interface=ether5 [If access frames allowed priority and untagged]
add bridge=bridge comment=defconf interface=sfp1 ???
where is the bridge port for ether7???
add bridge=bridge interface=ether4 [If access frames allowed priority and untagged]

/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge network=
192.168.4.0


Suggested improvements!
The default input chain lets ALL LAN users reach every service on the router. Only the admin needs that; the other LAN users may need only specific services — DNS and NTP come to mind.
On the forward side, the default rule combines the NAT-state check with blocking WAN traffic. I prefer to separate them, so no NAT-state rule has to be included. Using a "drop all else" rule at the end also means you only have to maintain explicit allow rules, where one KNOWS what traffic is to be permitted.

/ip firewall filter
{input chain}
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
{forward chain}
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

Becomes:
/ip firewall filter
{input chain}
add action=accept chain=input comment=“allow admin access” \ ***
in-interface=vlan101 src-address-list=admin access
add action=accept (ONE FOR TCP, ONE FOR UDP, in-interface-list=LAN dst-port 53)
add action=drop comment="Drop all else" CAUTION! Add this rule only once the admin-access rule above is in place, otherwise you lock yourself out of the router!!!

*** Firewall address list
add address=IP of admin desktop list=adminaccess
add address=IP of admin laptop list=adminaccess
add address=IP of admin ipad etc… list=adminaccess

in-interface-list=!LAN
{forward chain}
add action=accept chain=forward comment=“allow port forwarding”
connection-nat-state=dstnat connection-state=new in-interface-list=WAN [becomes optional]

add action=drop comment="drop all else" (stops all WAN-to-LAN traffic, all routing between VLANs, and anything else you were not aware of)

Dear Anav, thank you very much for your kind help. I will proceed as instructed. My best wishes!

No worries. Assign the switch an IP address on vlan101 (assuming that is your home VLAN, etc.).
If you want to manage devices from a separate management VLAN, say 99,
then you would create a third VLAN and ensure all managed devices have an IP on that VLAN, etc.

Post back here with your new config when ready.

This is my new configuration. I should have mentioned that I am connecting it to a CSS610-8G-2S+IN switch, which, as I just noticed, seems to have a ton of problems with VLANs.
In my case, the eth2 port of the router is connected to port eth1 of the switch.
I have tried setting up port 5 of the switch as belonging to VLAN 20 (VLAN mode strict, VLAN ID 20), but any device connected to it will not receive any IP in the VLAN 20 range 10.10.10.0/24.
Notwithstanding buggy firmware that may not let the switch handle VLANs properly, am I OK on the router side of things?

Thank you in advance for your valuable help.





add admin-mac=B8:69:F4:02:E4:FC auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
use-peer-dns=yes user=
/interface vlan
add interface=bridge name=HOUSELAN vlan-id=101
add interface=bridge name=IOT20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=50m name=
defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge network=
192.168.4.0
add address=10.10.10.0/24 interface=bridge network=10.10.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.4.154 client-id=1:e8:39:35:2c:9e:3d mac-address=
E8:39:35:2C:9E:3D server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 comment=defconf dns-server=195.170.0.1 gateway=
10.10.10.1 netmask=24
add address=192.168.4.0/24 comment=defconf dns-server=195.170.0.1 gateway=
192.168.4.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan

/system identity
set name=“MikroTik hex s”
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I cannot help with the switch, but certainly with the router side…

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=50m name=\ I believe this should be HOUSELAN
where is dhcp-server for IOT20?

/interface bridge port
(for ports ether3, ether4, ether5 and sfp1: if they go to dumb devices such as PCs, you can use frame-types "admit only untagged and priority tagged".)

/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge network=\ I believe this should be HOUSELAN
192.168.4.0
Missing IOT address ???
add address=10.10.10.0/24 interface=bridge network=10.10.10.0 WHERE DID THIS SUBNET COME FROM???

/ip dhcp-server network
add address=10.10.10.0/24 comment=defconf dns-server=195.170.0.1 gateway=\ (WHERE DID THIS SUBNET COME FROM???)
10.10.10.1 netmask=24
add address=192.168.4.0/24 comment=defconf dns-server=195.170.0.1 gateway=
192.168.4.1 netmask=24
Missing IOT dhcp-server network

Without your firewall rules posted, I cannot comment on them.

I reset the router and have done the new configuration manually, hopefully according to your instructions.
Should I delete all the 192.168.88.1 references now? My PC gets an IP from that address space for now when it is connected to the router; when it is connected to a vlan101/houselan port on the switch, it still will not get an IP at all.
I can't thank you enough for your patience and help.

\

model = RB760iGS

serial number = 87F209A41194

/interface bridge
add admin-mac=B8:69:F4:02:E4:FC auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=
disabled name=pppoe-out1 password= use-peer-dns=yes user=\

/interface vlan
add interface=bridge name=houselan vlan-id=101
add interface=bridge name=iot vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool2 ranges=192.168.80.2-192.168.80.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=houselan lease-time=50m
name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=iot lease-time=50m name=
dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=192.168.4.1/24 interface=houselan network=192.168.4.0
add address=192.168.80.1/24 interface=iot network=192.168.80.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1
add address=192.168.80.0/24 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

'Tis getting better, but if you had read the link provided you would see that you have no bridge VLAN settings???
Just to let you know what you have:
3 subnets.
One is a subnet with DHCP served from the bridge itself and going out on all ports (the 192.168.88.1 network).
Two are VLANs, and they go out on ether2, I believe.

Yes, if you don't need the 88.1 network for any reason you can delete all references to it, but you will need to transition to your HOME VLAN first.
This entails better identifying the bridge ports as trunk ports or access ports (mostly access),
removing the bridge from providing DHCP,
and ensuring the bridge VLAN settings correspond.

SO from
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1

TO
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 ingress-filtering=yes [trunk port going to switch carrying vlan101 and 20]
add bridge=bridge comment=defconf interface=ether3 frame type priority and untagged only pvid=101 [ingress port to dumb device etc..]
add bridge=bridge comment=defconf interface=ether4 frame type priority and untagged only pvid=101
add bridge=bridge comment=defconf interface=ether5 frame type priority and untagged only pvid=101
add bridge=bridge comment=defconf interface=sfp1 frame type priority and untagged only pvid=1011

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether3,ether4,ether5,sfp1 pvids=101
add bridge=bridge tagged=bridge,ether2 pvids=20

Looking at the firewall rules, one wants to ensure that you control what traffic is allowed in the FORWARD CHAIN.
The best way to do this is to put a last rule that says DROP ANYTHING ELSE.
 
Before this rule, add explicit rules for the allowed traffic.
Examples are allowing LAN-to-WAN traffic, or allowing users on the IoT network to reach a shared printer on the home network, etc.
Allowing port forwarding…

So this
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

BECOMES
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“allow port forwarding”
connection-nat-state=dstnat connection-state=new in-interface-list=WAN (optional and only required if you do port forward, if not, then simply leave this disabled)
add action=drop chain=forward comment=“Drop All Else”

This is the latest config per your instructions. I can reach the router through all three DHCP ranges (4.1, 88.1, 80.1), although my Mac only gets an IP in the 88 range. I never did a bridge VLAN before, lol.
 
If I expunge the 192.168.88.0 references, will everything keep working? And most importantly, is this config correct for passing VLAN-tagged packets through the router's eth2 port to the managed switch?
 
Also, may I buy you a beer as a thank you?

/interface bridge
add admin-mac=B8:69:F4:02:E4:FC auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=
disabled name=pppoe-out1 password= use-peer-dns=yes user=\

/interface vlan
add interface=bridge name=houselan vlan-id=101
add interface=bridge name=iot vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool2 ranges=192.168.80.2-192.168.80.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=houselan lease-time=50m
name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=iot lease-time=50m name=
dhcp2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether2
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged interface=ether3 pvid=101
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=
ether4 pvid=101
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged interface=ether5 pvid=101
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged interface=sfp1 pvid=101
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether3,ether4,ether5,sfp1
vlan-ids=101
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=
192.168.88.0
add address=192.168.4.1/24 interface=houselan network=192.168.4.0
add address=192.168.80.1/24 interface=iot network=192.168.80.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.4.0/24 dns-server=8.8.8.8 gateway=192.168.4.1
add address=192.168.80.0/24 dns-server=8.8.8.8 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Yes, although I am not used to assigning an ether port to a bridge and also running a LAN subnet directly on that port… I feel uncomfortable doing it, but it seems you have it working??
Although I don't know how, unless you don't have the switch connected on ether2 yet and it's just your Mac???
 
You should be able to get rid of the 192.168.88 setup.
You can simply disable those entries for now rather than delete them; that way they are always available to re-enable if you keep them.

Let me know if it works out!

Just raise a toast to Canada, the next time you are having a good beer!!

Hello, I will indeed raise a toast to Canada and all its good people. Thank you.
You mentioned: "Yes, although I am not used to assigning an etherport to a bridge and also running a LAN subnet on that port… I feel uncomfortable doing it but it seems you have it working??"
 
What is the correct way to do this?
Right now any machine on the router or on the switch can reach all three DHCP-pool IPs of the router (4.1, 88.1, 80.1), but only gets a DHCP IP in the 88.1 range. I cannot ping devices with static IPs in the 4.0 and 80.0 ranges (the VLANs).
If I enable a VLAN port on the switch (say VLAN ID 20, strict, which should furnish me with an 80.0 IP), it will not furnish any IP at all, i.e. the VLAN is still not working.
Granted, it may be the switch that is the culprit, but I do wonder if the router configuration still needs some tuning.
 
PS: disabling the 192.168.88.1 DHCP setup just locked me out, did not furnish any other IPs, and I had to reset the router. This "pure" networking setup is hard :slight_smile:

As stated, I cannot help you once the packets reach the switch.
I will have another look at the config to see what is going on.
 
You are missing a very important setting on the bridge interface. Make sure you have a management VLAN configured; alternatively, remove ether5 from the bridge so you can still access the router if you lock yourself out.

vlan-filtering=yes

https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

CZFAN nailed that.
 
(1) You are missing turning on VLAN filtering on the bridge!
/interface bridge
add admin-mac=B8:69:F4:02:E4:FC auto-mac=no comment=defconf name=bridge ???

(2) You need to get rid of this conflicting DHCP server!! Remember, we removed the bridge from any DHCP duties.
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=defconf
You have it covered with the other two DHCP servers!!!

(3) Now everything else looks fine!
If you want to use ether5 as a safety net, then do the following.
Change the interface of this address from ether2 to ether5:
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether**5** network=
192.168.88.0
and don't forget to do this:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
**add interface=ether5 list=LAN** (so that this subnet is covered by the LAN-based firewall rules).

In effect you have created a LAN subnet that exists on ether5, separate from the bridge structure.
So you should always be able to recover there if there is an issue with your bridge config.
The problem is that this port (ether5) is also expected to talk to a dumb device and tag frames coming from it with VLAN 101, as per the bridge setup.
SO, just set your PC up manually with a static IP in the 88.1 network.


Once this is up and running, we can deal with better filter rules for blocking unwanted traffic and allowing permitted traffic more precisely.

First of all, thank you both for your help.
When I enable VLAN filtering on the bridge, I get locked out — I suppose that is normal behaviour?
The menu is as follows:


Do I need to change anything in EtherType (0x8100, 0x88a8, 0x9100), PVID, Frame Types (admit all / admit only VLAN tagged / admit only untagged and priority tagged), and/or check the Ingress Filtering option?



“You need to get rid of this conflicting rule!! Remember we removed the bridge from any dhcp duties.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf”

When I disable this I lose everything; I can no longer connect. Does it have to do with the defconf comment? Should I mark the houselan VLAN DHCP server as defconf instead?
 
My config is as follows:

/interface bridge
add admin-mac=B8:69:F4:02:E4:FC auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=
disabled name=pppoe-out1 password= use-peer-dns=yes user=\

/interface vlan
add interface=bridge name=houselan vlan-id=101
add interface=bridge name=iot vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool2 ranges=192.168.80.2-192.168.80.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=houselan lease-time=50m
name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=iot lease-time=50m name=
dhcp2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether2
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged interface=ether3 pvid=101
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=
ether4 pvid=101
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged interface=ether5 pvid=101
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged interface=sfp1 pvid=101
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether3,ether4,ether5,sfp1
vlan-ids=101
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether5 network=
192.168.88.0
add address=192.168.4.1/24 interface=houselan network=192.168.4.0
add address=192.168.80.1/24 interface=iot network=192.168.80.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.4.0/24 dns-server=8.8.8.8 gateway=192.168.4.1
add address=192.168.80.0/24 dns-server=8.8.8.8 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

Your setting for the bridge VLAN is the same as mine, so it looks good!!
Once you make the changes below, add the vlan-filtering=yes setting.
Yeah, the router is finicky as shit; it will kick you out, but the changed setting should stick — you may need to do it a few times.
 
The main issue I see is…
If you are going to use ether5 separately from the bridge (as safety access), then you need to remove ether5 from the bridge settings!!

/interface bridge port
add bridge=bridge comment=defconf frame-types=
admit-only-untagged-and-priority-tagged interface=ether5 pvid=101
[remove this bridge port entry]

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=ether3,ether4,ether5,sfp1 [remove ether5 from the untagged list in this entry]

Nope, the defaults are fine (PVID defaults to 1); no need to change anything there.