VLAN Internet problem - No traffic is found from VLAN to BR1 nor WAN

In short, I cannot access the Internet after applying a slightly modified version of the setup from http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

High level network diagram:
ISP modem+router → router → switch → host
router → other servers

Devices:
Router: CRS326-24G-2S+, V7.6
Switch: CSS610-8G-2S+, V2.17

# sep/01/2023 19:47:21 by RouterOS 7.6
# software id = KI2X-PHFS
#
# model = CRS326-24G-2S+
# serial number = XXX
#
# Review notes (added): ether1, the port towards the ISP modem+router, is a
# bridge port of BR1, and the WAN lease is obtained by a dhcp-client bound to
# BR1 (see /ip dhcp-client below). Routed traffic towards the ISP therefore
# leaves through BR1, not through ether1, so nothing that matches
# out-interface-list=WAN (the forward accept "VLAN Internet Access only" and the
# srcnat masquerade) ever matches, and the final forward "Drop" discards it.
# This is consistent with the posted logs: "VLAN -> BR1 HTTPS log" fires while
# the VLAN -> WAN rules stay silent. Remedy: take ether1 out of the bridge
# ports and move the dhcp-client to interface=ether1, so the WAN list names the
# interface that actually carries the routed traffic.
/interface bridge
# NOTE(review): vlan-filtering=yes is not set in this export; the per-port
# frame-types/pvid settings below only take effect once VLAN filtering is
# enabled on the bridge (the later exports add it).
add admin-mac=aa::bb::cc::dd::ee::ff auto-mac=no comment=defconf name=BR1
/interface vlan
add interface=BR1 name=CAMERA_VLAN vlan-id=30
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=IOT_VLAN vlan-id=40
add interface=BR1 name=MGMT_VLAN vlan-id=99
add interface=BR1 name=TRUST_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# Every pool spans 172.x.0.2-172.x.255.254 (the whole /16), while the matching
# /ip address and /ip dhcp-server network entries below are /22. A lease handed
# out above 172.x.3.254 falls outside the /22 and has no on-link gateway.
# Secondary issue; it does not explain the missing Internet access.
add name=TRUST_POOL ranges=172.20.0.2-172.20.255.254
add name=GUEST_POOL ranges=172.21.0.2-172.21.255.254
add name=CAMERA_POOL ranges=172.22.0.2-172.22.255.254
add name=IOT_POOL ranges=172.23.0.2-172.23.255.254
add name=MGMT_POOL ranges=172.30.0.2-172.30.255.254
/ip dhcp-server
add address-pool=TRUST_POOL interface=TRUST_VLAN name=TRUST_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=CAMERA_POOL interface=CAMERA_VLAN name=CAMERA_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP
add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP
/port
set 0 name=serial0
/interface bridge port
# ether1 is the ISP-facing port, yet it is bridged here untagged (default pvid)
# alongside ether8, ether13-24 and sfp-sfpplus2. Those ports therefore share the
# ISP modem's L2 segment and bypass this router's firewall entirely - a host on
# one of them gets its lease from the ISP router, as observed in the thread.
add bridge=BR1 comment=defconf interface=ether1
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether2
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether3
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether4
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether5
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether6
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether7
add bridge=BR1 comment=defconf interface=ether8
# ether9-12: untagged access ports placed in VLAN 10 via pvid (only effective
# with vlan-filtering=yes).
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=10
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 pvid=10
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether11 pvid=10
add bridge=BR1 comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether12 pvid=10
add bridge=BR1 comment=defconf interface=ether13
add bridge=BR1 comment=defconf interface=ether14
add bridge=BR1 comment=defconf interface=ether15
add bridge=BR1 comment=defconf interface=ether16
add bridge=BR1 comment=defconf interface=ether17
add bridge=BR1 comment=defconf interface=ether18
add bridge=BR1 comment=defconf interface=ether19
add bridge=BR1 comment=defconf interface=ether20
add bridge=BR1 comment=defconf interface=ether21
add bridge=BR1 comment=defconf interface=ether22
add bridge=BR1 comment=defconf interface=ether23
add bridge=BR1 comment=defconf interface=ether24
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    sfp-sfpplus1
add bridge=BR1 comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
# Trunk membership: BR1 itself is tagged so the CPU-side VLAN interfaces above
# receive each VLAN; ether2-7 and sfp-sfpplus1 are the trunk ports.
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=10
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=30
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=40
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=99
/interface list member
# WAN holds only ether1. Because the WAN address sits on BR1 (ether1 is a
# bridge port), the routing egress interface is BR1 and this list never matches
# routed traffic.
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=VLAN
add interface=TRUST_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=CAMERA_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=MGMT_VLAN list=MGMT
/ip address
add address=172.30.0.1/22 interface=MGMT_VLAN network=172.30.0.0
add address=172.20.0.1/22 interface=TRUST_VLAN network=172.20.0.0
add address=172.21.0.1/22 interface=GUEST_VLAN network=172.21.0.0
add address=172.22.0.1/22 interface=CAMERA_VLAN network=172.22.0.0
add address=172.23.0.1/22 interface=IOT_VLAN network=172.23.0.0
/ip dhcp-client
# The ISP lease (and the default route) land on BR1, not on ether1.
add comment="to connect isp modem+router" interface=BR1
/ip dhcp-server network
add address=172.20.0.0/22 dns-server=172.20.0.1 gateway=172.20.0.1
add address=172.21.0.0/22 dns-server=172.21.0.1 gateway=172.21.0.1
add address=172.22.0.0/22 dns-server=172.22.0.1 gateway=172.22.0.1
add address=172.23.0.0/22 dns-server=172.23.0.1 gateway=172.23.0.1
add address=172.30.0.0/22 dns-server=172.30.0.1 gateway=172.30.0.1
/ip dns
# The router resolves for the VLANs; queries arriving from the ISP side hit the
# input chain's final Drop, since no input rule accepts BR1 or ether1.
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related Input" \
    connection-state=established,related
# Least privilege: this accepts every service the router runs from GUEST,
# CAMERA and IOT just as from TRUST, and it makes the MGMT_VLAN rule below
# redundant. Prefer accepting only DNS (tcp/udp 53) and DHCP (udp 67) from the
# VLAN list, and keep full access for MGMT_VLAN alone.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT_VLAN Full Access" \
    in-interface=MGMT_VLAN
add action=drop chain=input comment=Drop
# The three log rules below key on ether1 (WAN list) or BR1 as in-interface.
# Reply traffic from the ISP would arrive on BR1, but it only exists once the
# outbound traffic is accepted, which never happens here - so they stay silent.
add action=log chain=forward comment="Log traffic from WAN back to VLAN" \
    in-interface-list=WAN out-interface-list=VLAN
add action=log chain=forward comment="Log traffic from BR1 to WAN" \
    in-interface=BR1 out-interface-list=WAN
add action=log chain=forward comment="Log traffic from BR1 to VLAN" \
    in-interface=BR1 out-interface-list=VLAN
add action=accept chain=forward comment="Allow Estab & Related Forward" \
    connection-state=established,related
# Also never matches while the egress interface is BR1 rather than ether1.
add action=drop chain=forward comment="Drop Camera from Internet" \
    in-interface=CAMERA_VLAN out-interface-list=WAN
add action=log chain=forward comment="VLAN -> WAN HTTPS log" \
    connection-state=new dst-port=443 in-interface-list=VLAN \
    out-interface-list=WAN protocol=tcp
# This is the rule that fires: out-interface is BR1 for Internet-bound traffic.
add action=log chain=forward comment="VLAN -> BR1 HTTPS log" \
    connection-state=new disabled=yes dst-port=443 in-interface-list=VLAN \
    out-interface=BR1 protocol=tcp
# Never matches while the WAN address is on BR1 (out-interface is BR1, not
# ether1); Internet-bound traffic falls through to the Drop below.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
# Same mismatch: masquerade would not apply to traffic leaving via BR1, so even
# an accepted packet would reach the ISP router with a private VLAN source.
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=router
/system routerboard settings
set boot-os=router-os

Since my switch only comes with SwOS Lite, I cannot export its config, but I changed only one thing from the default: I set one port's default VLAN ID to 10 (TRUST_LAN) and another port's default VLAN ID to 99 (MGMT_LAN).

When my host is connected through the switch port which is tagged as VLAN 10 and the switch connects to the router through a trunk port:
My host gets an IP and gateway from the TRUST_LAN DHCP server (PVID 10). From my host I can also see the other servers in the same VLAN, but I cannot access the Internet, not even by IP.

When my host is connected through the port which is untagged (VLAN ID 1) and the switch connects to the router through a regular port:
My host gets an IP and gateway on the ISP modem+router's subnet from its DHCP. I cannot see the other servers because they are in a different VLAN. I can access the Internet.

When I dig deeper by adding log rules to the firewall, I get a few observations:

  1. There is lots of traffic in “VLAN → BR1 HTTPS log”
  2. There is no traffic:
    i) from WAN back to VLAN
    ii) from BR1 to WAN
    iii) BR1 to VLAN

If I understand correctly, when a packet is sent from my host to my switch, the packet is tagged as VLAN 10 because I set the port's default VLAN to 10. The packet is then forwarded from my switch to my router through the trunk port. The router should route the VLAN 10 packet from VLAN → BR1 → WAN to my ISP modem+router. If I add the log-action firewall rule, I assume I should be able to see the traffic. Logging the returning traffic is more complicated, since MikroTik's firewall is stateful and should allow traffic back to the source — so does that mean the firewall rules won't apply to the returning traffic?

And why can’t I access the Internet? I thought the firewall rule

# This rule is only reached by traffic whose routing egress interface is in the
# WAN list. In the export above the WAN list holds ether1, but ether1 is a
# bridge port and the ISP lease sits on BR1, so the egress interface is BR1 and
# the rule never matches; such packets hit the final forward Drop instead.
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment=“VLAN Internet Access only”

allows all VLANs to access the Internet only, NOT each other.

Am I missing anything? I've tried various ways to loosen different constraints, but nothing works. I am really lost at this point. Any suggestions are welcome. Thanks for your time and patience.

The /ip dhcp-server network entries lack an explicit setting of the netmask property, which should be 22 in your case. I suspect the default is 24. Combined with the behaviour of the ROS DHCP server, which allocates addresses from the pool top-down, this means that DHCP clients receive leases which don't allow them to reach their default gateway.

Note that the address property in this section doesn't define anything sent out in leases; it's a matcher the DHCP server uses to select the proper settings to send with the selected address (after the DHCP server selects an address, it looks in the dhcp-server network properties for a matching settings package … the selected IP address has to match the address property).

Thanks for your quick reply and suggestions. I am surprised the DHCP setting is the root cause. You are right, my VLAN's IP pool doesn't match the DHCP server's address block. Here is the original config section for this VLAN:

# TRUST_VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=TRUST_VLAN vlan-id=10
/ip address add interface=TRUST_VLAN address=172.20.0.1/22
# The pool spans 172.20.0.2-172.20.255.254 (effectively the whole /16), but the
# interface address and the dhcp-server network below are /22
# (172.20.0.0-172.20.3.255): a lease above 172.20.3.254 falls outside that
# network entry and cannot reach the gateway 172.20.0.1 on-link.
/ip pool add name=TRUST_POOL ranges=172.20.0.2-172.20.255.254
/ip dhcp-server add address-pool=TRUST_POOL interface=TRUST_VLAN name=TRUST_DHCP disabled=no
/ip dhcp-server network add address=172.20.0.0/22 dns-server=172.20.0.1 gateway=172.20.0.1

The IP pool is a /16 (172.20.0.1 - 172.20.255.254) and the DHCP's allocated address block is a /22 (172.20.0.1 - 172.20.3.254). The reason for this setting is that I am trying to share this VLAN's IP pool with Cilium + MetalLB for my k3s cluster. MetalLB will reserve and assign IPs from 172.20.0.0/17 for virtual load balancers, while the physical hosts will use IPs from 172.20.128.0/17 via DHCP. (Yes, I should change the setting to

# gateway=172.20.0.1 lies outside 172.20.128.0/17, and the TRUST_VLAN address
# 172.20.0.1/22 does not cover that range either, so clients leased from
# 172.20.128.0/17 would have no on-link gateway unless the router's address on
# TRUST_VLAN is widened to include them.
/ip dhcp-server network add address=172.20.128.0/17 dns-server=172.20.0.1 gateway=172.20.0.1

according to my plan.) Computers in VLAN 10 can connect to 172.20.0.0/17 freely because they are in the same VLAN IP pool, and computers from other VLANs can access 172.20.0.0/17 via individual firewall rules. For example,

# As written this rule would most likely be refused or be ineffective:
# IOT_VLAN is an interface, not an interface list (the lists defined above are
# WAN, VLAN and MGMT), so the matcher should be in-interface=IOT_VLAN; and
# to-addresses is a NAT action property, whereas the filter table matches the
# destination with dst-address=172.20.128.Y.
/ip firewall filter add chain=forward action=accept connection-state=new in-interface-list=IOT_VLAN out-interface=TRUST_VLAN dst-port=X protocol=tcp to-addresses=172.20.128.Y comment=“Allow IOT_VLAN to access a specific Loadbalancer on TRUST_VLAN”

. My previous post http://forum.mikrotik.com/t/cannot-connect-to-the-internet-after-setting-up-vlan/168542/1 has more context if anyone is interested.


So I will try to align the VLAN's IP pool with the DHCP pool to verify whether the pool mismatch is the root cause (even though it goes against my objective). Let's break the problem down first.

This shared-pool setup works fine with OPNsense, and I would like to switch to MikroTik + k3s (Cilium + MetalLB) if possible. What if I don't use a DHCP server in TRUST_VLAN — will it work? It is no big deal if there is no DHCP server for TRUST_VLAN; I can assign static IPs. I will also try this route if DHCP is the root cause.

If anyone can show me how to share a network pool between physical servers (via DHCP/static IP) and virtual load balancers (via BGP), I would really appreciate it.

Sharing a pool of addresses is … well, interesting.

One has to think in layers, bottom up. In networking, Layer 1 is the physical connections (UTP, fiber, …), which in reality doesn't matter much as long as the individual segments work. Layer 2 is the Ethernet broadcast domain, which glues together multiple L1 segments using hubs (these days only rarely), bridges and switches. Layer 3 is IP with its subnets.
In Ethernet, one L1 segment can only support a single L2 broadcast domain; this limitation is alleviated by using VLANs. When using VLANs, these can be seen as individual L2 broadcast domains, but with gotchas.
A single L2 domain can easily carry multiple L3 subnets, but with a gotcha … which seems to be biting you: DHCP servers, being L3 (or even higher layer) entities, are hooked into L2 … the initial communication between DHCP client and server uses L2 mechanisms, meaning that there's a problem when there's more than one DHCP server present in a single L2 broadcast domain … especially so if one expects different servers to serve specific clients (which the DHCP protocol doesn't really envision). The other thing to keep in mind: L3 devices expect that communication with other devices inside the same L3 subnet (IP subnet) can be direct (from the L3 point of view); the rest are then accessible via one or more gateways (routing table). There are some tricks to get around this (e.g. proxy ARP), but let's try to stick to basics. And in principle gateways have to be in the same IP subnet (except in some particular layouts, but let's stick to basics), which seems to be another gotcha in your topology.

I'm not sure how all of this directly applies to your case; from what you wrote, your network topology is not clear to me. Looking at your other thread, I'm thinking that your network segmentation strategy is not clear and perhaps not very well thought out. Since you're essentially building your network from scratch, try to stick to basics and clean L2/L3 segmentation, without tricks … because tricks then often rely on their availability on some vendor's equipment. Don't be afraid of routing between subnets; your CRS326 supports IP routing in hardware (L3HW) at wire speed. It comes with some gotchas (if its limitations are not met, the device reverts to slooow CPU-bound routing), but it might work for you.

Thanks.

I have run a few tests to verify whether the DHCP settings are the root cause of the Internet problem. In short, it seems DHCP is NOT the root cause, based on the following results. I've tested with /16 and /24 netmasks as suggested, and also with DHCP disabled in the VLAN. Unfortunately, all three settings yield the same result.

Here are the configs in case anyone wants to double-check:
/24:

# sep/02/2023 15:19:03 by RouterOS 7.6
# software id = KI2X-PHFS
#
# model = CRS326-24G-2S+
# serial number = XXX
#
# Review notes (added): the /24 variant changes only the TRUST_VLAN addressing.
# The cause of the missing Internet access is untouched: ether1 (towards the
# ISP) is still a bridge port of BR1 and the WAN lease is still taken on BR1,
# so Internet-bound traffic leaves through BR1 and never matches
# out-interface-list=WAN (forward accept and srcnat masquerade); it ends in the
# final forward "Drop". Remedy: remove ether1 from the bridge ports and bind the
# dhcp-client to interface=ether1.
/interface bridge
add admin-mac=aa:bb:cc:dd:ee:ff auto-mac=no comment=defconf name=BR1 \
    vlan-filtering=yes
/interface vlan
add interface=BR1 name=CAMERA_VLAN vlan-id=30
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=IOT_VLAN vlan-id=40
add interface=BR1 name=MGMT_VLAN vlan-id=99
add interface=BR1 name=TRUST_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# TRUST_POOL now fits the /24 below; the other pools still span a /16, which
# matches their /16 addresses in this export.
add name=TRUST_POOL ranges=172.20.0.2-172.20.0.254
add name=GUEST_POOL ranges=172.21.0.2-172.21.255.254
add name=CAMERA_POOL ranges=172.22.0.2-172.22.255.254
add name=IOT_POOL ranges=172.23.0.2-172.23.255.254
add name=MGMT_POOL ranges=172.30.0.2-172.30.255.254
/ip dhcp-server
add address-pool=TRUST_POOL interface=TRUST_VLAN name=TRUST_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=CAMERA_POOL interface=CAMERA_VLAN name=CAMERA_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP
add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP
/port
set 0 name=serial0
/interface bridge port
# ether1 faces the ISP but is bridged untagged (default pvid) together with
# ether8-24 and sfp-sfpplus2, which are therefore on the ISP modem's L2
# segment, outside this router's firewall.
add bridge=BR1 comment=defconf interface=ether1
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether2
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether3
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether4
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether5
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether6
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether7
add bridge=BR1 comment=defconf interface=ether8
add bridge=BR1 comment=defconf interface=ether9
add bridge=BR1 comment=defconf interface=ether10
add bridge=BR1 comment=defconf interface=ether11
add bridge=BR1 comment=defconf interface=ether12
add bridge=BR1 comment=defconf interface=ether13
add bridge=BR1 comment=defconf interface=ether14
add bridge=BR1 comment=defconf interface=ether15
add bridge=BR1 comment=defconf interface=ether16
add bridge=BR1 comment=defconf interface=ether17
add bridge=BR1 comment=defconf interface=ether18
add bridge=BR1 comment=defconf interface=ether19
add bridge=BR1 comment=defconf interface=ether20
add bridge=BR1 comment=defconf interface=ether21
add bridge=BR1 comment=defconf interface=ether22
add bridge=BR1 comment=defconf interface=ether23
add bridge=BR1 comment=defconf interface=ether24
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    sfp-sfpplus1
add bridge=BR1 comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=10
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=30
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=40
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=99
/interface list member
# WAN = ether1 only, but the routed egress interface is BR1 (it holds the ISP
# lease), so WAN never matches routed traffic.
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=VLAN
add interface=TRUST_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=CAMERA_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=MGMT_VLAN list=MGMT
/ip address
add address=172.30.0.1/16 interface=MGMT_VLAN network=172.30.0.0
add address=172.20.0.1/24 interface=TRUST_VLAN network=172.20.0.0
add address=172.21.0.1/16 interface=GUEST_VLAN network=172.21.0.0
add address=172.22.0.1/16 interface=CAMERA_VLAN network=172.22.0.0
add address=172.23.0.1/16 interface=IOT_VLAN network=172.23.0.0
/ip dhcp-client
# ISP lease and default route land on BR1 because ether1 is a bridge port.
add comment="to connect isp modem+router" interface=BR1
/ip dhcp-server network
add address=172.20.0.0/24 dns-server=172.20.0.1 gateway=172.20.0.1
add address=172.21.0.0/16 dns-server=172.21.0.1 gateway=172.21.0.1
add address=172.22.0.0/16 dns-server=172.22.0.1 gateway=172.22.0.1
add address=172.23.0.0/16 dns-server=172.23.0.1 gateway=172.23.0.1
add address=172.30.0.0/16 dns-server=172.30.0.1 gateway=172.30.0.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related Input" \
    connection-state=established,related
# Least privilege: grants every router service to GUEST/CAMERA/IOT as well;
# consider limiting non-MGMT VLANs to DNS (tcp/udp 53) and DHCP (udp 67).
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT_VLAN Full Access" \
    in-interface=MGMT_VLAN
add action=drop chain=input comment=Drop
add action=log chain=forward comment="Log traffic from WAN back to VLAN" \
    in-interface-list=WAN out-interface-list=VLAN
add action=log chain=forward comment="Log traffic from BR1 to WAN" \
    in-interface=BR1 out-interface-list=WAN
add action=log chain=forward comment="Log traffic from BR1 to VLAN" \
    in-interface=BR1 out-interface-list=VLAN
add action=accept chain=forward comment="Allow Estab & Related Forward" \
    connection-state=established,related
add action=drop chain=forward comment="Drop Camera from Internet" \
    in-interface=CAMERA_VLAN out-interface-list=WAN
add action=log chain=forward comment="VLAN -> WAN HTTPS log" \
    connection-state=new dst-port=443 in-interface-list=VLAN \
    out-interface-list=WAN protocol=tcp
# The only rule that sees the Internet-bound traffic (out-interface=BR1).
add action=log chain=forward comment="VLAN -> BR1 HTTPS log" \
    connection-state=new disabled=yes dst-port=443 in-interface-list=VLAN \
    out-interface=BR1 protocol=tcp
# Never matches (egress is BR1, not ether1); traffic falls to the Drop below.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
# Same mismatch: masquerade does not apply to traffic leaving via BR1.
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=router
/system routerboard settings
set boot-os=router-os

/16:

# sep/02/2023 15:38:10 by RouterOS 7.6
# software id = KI2X-PHFS
#
# model = CRS326-24G-2S+
# serial number = XXX
#
# Review notes (added): in the /16 variant the pools, interface addresses and
# dhcp-server network entries are consistent, so DHCP is ruled out. The
# Internet problem persists because ether1 (towards the ISP) is a bridge port
# of BR1 and the WAN lease is taken on BR1: Internet-bound traffic leaves via
# BR1, never matches out-interface-list=WAN (forward accept and srcnat
# masquerade) and is discarded by the final forward "Drop". Remedy: remove
# ether1 from the bridge ports and bind the dhcp-client to interface=ether1.
/interface bridge
add admin-mac=aa:bb:cc:dd:ee:ff auto-mac=no comment=defconf name=BR1 \
    vlan-filtering=yes
/interface vlan
add interface=BR1 name=CAMERA_VLAN vlan-id=30
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=IOT_VLAN vlan-id=40
add interface=BR1 name=MGMT_VLAN vlan-id=99
add interface=BR1 name=TRUST_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=TRUST_POOL ranges=172.20.0.2-172.20.255.254
add name=GUEST_POOL ranges=172.21.0.2-172.21.255.254
add name=CAMERA_POOL ranges=172.22.0.2-172.22.255.254
add name=IOT_POOL ranges=172.23.0.2-172.23.255.254
add name=MGMT_POOL ranges=172.30.0.2-172.30.255.254
/ip dhcp-server
add address-pool=TRUST_POOL interface=TRUST_VLAN name=TRUST_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=CAMERA_POOL interface=CAMERA_VLAN name=CAMERA_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP
add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP
/port
set 0 name=serial0
/interface bridge port
# ether1 faces the ISP but is bridged untagged (default pvid) together with
# ether8-24 and sfp-sfpplus2; those ports sit on the ISP modem's L2 segment,
# outside this router's firewall.
add bridge=BR1 comment=defconf interface=ether1
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether2
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether3
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether4
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether5
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether6
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether7
add bridge=BR1 comment=defconf interface=ether8
add bridge=BR1 comment=defconf interface=ether9
add bridge=BR1 comment=defconf interface=ether10
add bridge=BR1 comment=defconf interface=ether11
add bridge=BR1 comment=defconf interface=ether12
add bridge=BR1 comment=defconf interface=ether13
add bridge=BR1 comment=defconf interface=ether14
add bridge=BR1 comment=defconf interface=ether15
add bridge=BR1 comment=defconf interface=ether16
add bridge=BR1 comment=defconf interface=ether17
add bridge=BR1 comment=defconf interface=ether18
add bridge=BR1 comment=defconf interface=ether19
add bridge=BR1 comment=defconf interface=ether20
add bridge=BR1 comment=defconf interface=ether21
add bridge=BR1 comment=defconf interface=ether22
add bridge=BR1 comment=defconf interface=ether23
add bridge=BR1 comment=defconf interface=ether24
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    sfp-sfpplus1
add bridge=BR1 comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=10
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=30
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=40
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=99
/interface list member
# WAN = ether1 only, while the routed egress interface is BR1 (it holds the
# ISP lease), so WAN never matches routed traffic.
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=VLAN
add interface=TRUST_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=CAMERA_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=MGMT_VLAN list=MGMT
/ip address
add address=172.30.0.1/16 interface=MGMT_VLAN network=172.30.0.0
add address=172.20.0.1/16 interface=TRUST_VLAN network=172.20.0.0
add address=172.21.0.1/16 interface=GUEST_VLAN network=172.21.0.0
add address=172.22.0.1/16 interface=CAMERA_VLAN network=172.22.0.0
add address=172.23.0.1/16 interface=IOT_VLAN network=172.23.0.0
/ip dhcp-client
# ISP lease and default route land on BR1 because ether1 is a bridge port.
add comment="to connect isp modem+router" interface=BR1
/ip dhcp-server network
add address=172.20.0.0/16 dns-server=172.20.0.1 gateway=172.20.0.1
add address=172.21.0.0/16 dns-server=172.21.0.1 gateway=172.21.0.1
add address=172.22.0.0/16 dns-server=172.22.0.1 gateway=172.22.0.1
add address=172.23.0.0/16 dns-server=172.23.0.1 gateway=172.23.0.1
add address=172.30.0.0/16 dns-server=172.30.0.1 gateway=172.30.0.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related Input" \
    connection-state=established,related
# Least privilege: grants every router service to GUEST/CAMERA/IOT as well;
# consider limiting non-MGMT VLANs to DNS (tcp/udp 53) and DHCP (udp 67).
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT_VLAN Full Access" \
    in-interface=MGMT_VLAN
add action=drop chain=input comment=Drop
add action=log chain=forward comment="Log traffic from WAN back to VLAN" \
    in-interface-list=WAN out-interface-list=VLAN
add action=log chain=forward comment="Log traffic from BR1 to WAN" \
    in-interface=BR1 out-interface-list=WAN
add action=log chain=forward comment="Log traffic from BR1 to VLAN" \
    in-interface=BR1 out-interface-list=VLAN
add action=accept chain=forward comment="Allow Estab & Related Forward" \
    connection-state=established,related
add action=drop chain=forward comment="Drop Camera from Internet" \
    in-interface=CAMERA_VLAN out-interface-list=WAN
add action=log chain=forward comment="VLAN -> WAN HTTPS log" \
    connection-state=new dst-port=443 in-interface-list=VLAN \
    out-interface-list=WAN protocol=tcp
# The only rule that sees the Internet-bound traffic (out-interface=BR1).
add action=log chain=forward comment="VLAN -> BR1 HTTPS log" \
    connection-state=new disabled=yes dst-port=443 in-interface-list=VLAN \
    out-interface=BR1 protocol=tcp
# Never matches (egress is BR1, not ether1); traffic falls to the Drop below.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
# Same mismatch: masquerade does not apply to traffic leaving via BR1.
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=router
/system routerboard settings
set boot-os=router-os

No DHCP/static:

# sep/02/2023 15:56:32 by RouterOS 7.6
# software id = KI2X-PHFS
#
# model = CRS326-24G-2S+
# serial number = XXX
#
# Review notes (added): this variant removes the TRUST_VLAN DHCP server and its
# network entry (hosts are addressed statically), which again leaves the real
# cause untouched: ether1 (towards the ISP) is a bridge port of BR1 and the WAN
# lease is taken on BR1, so Internet-bound traffic leaves via BR1, never
# matches out-interface-list=WAN (forward accept and srcnat masquerade) and is
# discarded by the final forward "Drop". Remedy: remove ether1 from the bridge
# ports and bind the dhcp-client to interface=ether1.
/interface bridge
add admin-mac=aa:bb:cc:dd:ee:ff auto-mac=no comment=defconf name=BR1 \
    vlan-filtering=yes
/interface vlan
add interface=BR1 name=CAMERA_VLAN vlan-id=30
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=IOT_VLAN vlan-id=40
add interface=BR1 name=MGMT_VLAN vlan-id=99
add interface=BR1 name=TRUST_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
# TRUST_POOL is kept but no longer referenced by any dhcp-server entry.
add name=TRUST_POOL ranges=172.20.0.2-172.20.255.254
add name=GUEST_POOL ranges=172.21.0.2-172.21.255.254
add name=CAMERA_POOL ranges=172.22.0.2-172.22.255.254
add name=IOT_POOL ranges=172.23.0.2-172.23.255.254
add name=MGMT_POOL ranges=172.30.0.2-172.30.255.254
/ip dhcp-server
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=CAMERA_POOL interface=CAMERA_VLAN name=CAMERA_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP
add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP
/port
set 0 name=serial0
/interface bridge port
# ether1 faces the ISP but is bridged untagged (default pvid) together with
# ether8-24 and sfp-sfpplus2; those ports sit on the ISP modem's L2 segment,
# outside this router's firewall.
add bridge=BR1 comment=defconf interface=ether1
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether2
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether3
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether4
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether5
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether6
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    ether7
add bridge=BR1 comment=defconf interface=ether8
add bridge=BR1 comment=defconf interface=ether9
add bridge=BR1 comment=defconf interface=ether10
add bridge=BR1 comment=defconf interface=ether11
add bridge=BR1 comment=defconf interface=ether12
add bridge=BR1 comment=defconf interface=ether13
add bridge=BR1 comment=defconf interface=ether14
add bridge=BR1 comment=defconf interface=ether15
add bridge=BR1 comment=defconf interface=ether16
add bridge=BR1 comment=defconf interface=ether17
add bridge=BR1 comment=defconf interface=ether18
add bridge=BR1 comment=defconf interface=ether19
add bridge=BR1 comment=defconf interface=ether20
add bridge=BR1 comment=defconf interface=ether21
add bridge=BR1 comment=defconf interface=ether22
add bridge=BR1 comment=defconf interface=ether23
add bridge=BR1 comment=defconf interface=ether24
add bridge=BR1 comment=defconf frame-types=admit-only-vlan-tagged interface=\
    sfp-sfpplus1
add bridge=BR1 comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=10
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=20
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=30
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=40
add bridge=BR1 tagged=\
    BR1,ether2,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=99
/interface list member
# WAN = ether1 only, while the routed egress interface is BR1 (it holds the
# ISP lease), so WAN never matches routed traffic.
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=VLAN
add interface=TRUST_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=CAMERA_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=MGMT_VLAN list=MGMT
/ip address
add address=172.30.0.1/16 interface=MGMT_VLAN network=172.30.0.0
add address=172.20.0.1/16 interface=TRUST_VLAN network=172.20.0.0
add address=172.21.0.1/16 interface=GUEST_VLAN network=172.21.0.0
add address=172.22.0.1/16 interface=CAMERA_VLAN network=172.22.0.0
add address=172.23.0.1/16 interface=IOT_VLAN network=172.23.0.0
/ip dhcp-client
# ISP lease and default route land on BR1 because ether1 is a bridge port.
add comment="to connect isp modem+router" interface=BR1
/ip dhcp-server network
add address=172.21.0.0/16 dns-server=172.21.0.1 gateway=172.21.0.1
add address=172.22.0.0/16 dns-server=172.22.0.1 gateway=172.22.0.1
add address=172.23.0.0/16 dns-server=172.23.0.1 gateway=172.23.0.1
add address=172.30.0.0/16 dns-server=172.30.0.1 gateway=172.30.0.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related Input" \
    connection-state=established,related
# Least privilege: grants every router service to GUEST/CAMERA/IOT as well;
# consider limiting non-MGMT VLANs to DNS (tcp/udp 53) and DHCP (udp 67).
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow MGMT_VLAN Full Access" \
    in-interface=MGMT_VLAN
add action=drop chain=input comment=Drop
add action=log chain=forward comment="Log traffic from WAN back to VLAN" \
    in-interface-list=WAN out-interface-list=VLAN
add action=log chain=forward comment="Log traffic from BR1 to WAN" \
    in-interface=BR1 out-interface-list=WAN
add action=log chain=forward comment="Log traffic from BR1 to VLAN" \
    in-interface=BR1 out-interface-list=VLAN
add action=accept chain=forward comment="Allow Estab & Related Forward" \
    connection-state=established,related
add action=drop chain=forward comment="Drop Camera from Internet" \
    in-interface=CAMERA_VLAN out-interface-list=WAN
add action=log chain=forward comment="VLAN -> WAN HTTPS log" \
    connection-state=new dst-port=443 in-interface-list=VLAN \
    out-interface-list=WAN protocol=tcp
# The only rule that sees the Internet-bound traffic (out-interface=BR1).
add action=log chain=forward comment="VLAN -> BR1 HTTPS log" \
    connection-state=new disabled=yes dst-port=443 in-interface-list=VLAN \
    out-interface=BR1 protocol=tcp
# Never matches (egress is BR1, not ether1); traffic falls to the Drop below.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
# Same mismatch: masquerade does not apply to traffic leaving via BR1.
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=router
/system routerboard settings
set boot-os=router-os

All three settings yield the same result:

  1. There is lots of traffic in “VLAN → BR1 HTTPS log”
  2. There is no traffic:
    i) from WAN back to VLAN
    ii) from BR1 to WAN
    iii) BR1 to VLAN
  3. I can ping 8.8.8.8 from my router
  4. I CANNOT ping 8.8.8.8 from my host: 100% packet loss

In addition, I found something new while desperately troubleshooting this problem. From my host I can ping my router's WAN IP (192.168.1.X), which is in my ISP modem+router's subnet, but I cannot ping the gateway IP (192.168.1.Y) of my ISP modem+router from my host (100% packet loss). Of course, I can ping the gateway IP (192.168.1.Y) of my ISP modem+router from my router.

So it seems something drops the packets from VLAN to WAN, or they are not being routed from VLAN to WAN. I don't see any packets in my log from VLAN to WAN.

Any ideas please?

PS:

  1. I 100% agree I should try a basic setup first before moving to a more complicated setup.
  2. I won't say MetalLB (https://github.com/metallb/metallb) is battle-tested, but the MetalLB setup is working well for lots of people. At least it works fine with OPNsense without VLANs. (I want to try out MikroTik's VLANs first if possible.)