VLAN Trunk - DHCP issue

Hi all, I might have an issue with the DHCP server continuously releasing and re-assigning an IP.

-Lease 30m
-Reassignment happens at the same exact time, client gets the same ip

I might know what’s causing this..

Basically I have a trunk port (vlan 99) on ether4 that injects vlan on ubiquiti for the wifi.
If I do an IP scan on my mikrotik’s bridge, I can see also the IPs that come from the unifi switches(80), not only the IPs native on my Tik(99). I don’t think this is normal.

This is my vlan setup, what could be wrong?

# 2024-11-23 12:51:25 by RouterOS 7.16.1
# software id = PT2A-YBM3
#
# model = RB760iGS
# serial number =
/interface bridge
# Single bridge, VLAN filtering on, DHCP snooping on.
# NOTE(review): no bridge port in this export carries trusted=yes; if snooping behaves
# as its name suggests, DHCP server replies arriving on any bridge port (e.g. from the
# "other DHCP servers" mentioned later in the thread, via ether4) are dropped -- confirm.
add admin-mac=48:8F:5A:A6:CB:1D auto-mac=no comment=defconf dhcp-snooping=yes \
    name=brLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=e1-WAN
/interface wireguard
# WireGuard listener; peer definition and addressing appear further down the export.
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# vlan99 is the only LAN-side VLAN interface; vlan835 carries the PPPoE session on the
# physical WAN port.
add interface=brLAN name=vlan99 vlan-id=99
add interface=e1-WAN name=vlan835 vlan-id=835
/interface pppoe-client
# The Internet uplink: traffic from the ISP arrives on pppoe-WIC, not directly on e1-WAN.
add add-default-route=yes disabled=no interface=vlan835 name=pppoe-WIC user=\
    ac17205371781
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp (192.168.88.x) is not referenced by any DHCP server in this export.
# dhcp_pool2 backs dhcp1 (management, disabled); dhcp_pool3 backs dhcp2 on vlan99.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=VPNPOOL ranges=172.30.30.30-172.30.30.40
add name=dhcp_pool2 ranges=192.168.9.2-192.168.9.254
add name=dhcp_pool3 ranges=192.168.99.2-192.168.99.240
/ip dhcp-server
# Only dhcp2 (vlan99) is active, with a 4h lease -- not the 30m lease described in the
# opening post, so that lease presumably comes from a different server.
add address-pool=dhcp_pool2 disabled=yes interface=brLAN name=dhcp1
add address-pool=dhcp_pool3 interface=vlan99 lease-time=4h name=dhcp2
/ppp profile
set *FFFFFFFE local-address=VPNPOOL remote-address=VPNPOOL
/interface sstp-client
# Outbound SSTP tunnel to the office. verify-server-address-from-certificate=no: the
# server certificate is not matched against the connect-to name, so the far end is not
# authenticated by certificate name.
add authentication=mschap1,mschap2 connect-to=mk.estcom.online disabled=no \
    name=ppp-triestinaanalytics profile=default-encryption user=\
    ppp-triestinaanalytics verify-server-address-from-certificate=no
/snmp community
# Custom community name; no addresses= restriction is visible in this export, so who can
# query SNMP is governed by the input firewall chain alone.
set [ find default=yes ] name=estcom
/interface bridge port
# ether2, sfp1 and ether4 carry no pvid, so they use the bridge default (1 unless changed):
# untagged frames on them land in the same VLAN as brLAN's own untagged traffic
# (192.168.9.0/24, see /ip address). ether4 is the trunk toward the UniFi switch but has no
# frame-types restriction here, so untagged frames from the UniFi side are admitted into
# that VLAN as well -- a plausible reason UniFi-side hosts show up in an IP scan on the
# bridge. Verify via the bridge host table per port.
add bridge=brLAN comment=defconf interface=ether2
add bridge=brLAN comment=defconf interface=ether3 pvid=99
add bridge=brLAN comment=defconf interface=ether5 pvid=99
add bridge=brLAN comment=defconf interface=sfp1
add bridge=brLAN interface=ether4
/interface bridge settings
# Bridged (L2) traffic, VLAN-tagged included, is also run through the IP firewall.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# Only VLAN 99 is declared: tagged on the CPU port (brLAN) and ether4, untagged on
# ether3/ether5. No entry covers the PVID VLAN of ether2/sfp1/ether4.
add bridge=brLAN tagged=brLAN,ether4 untagged=ether5,ether3 vlan-ids=99
/interface l2tp-server server
# L2TP/IPsec server, MS-CHAP only.
set authentication=mschap1,mschap2 enabled=yes use-ipsec=yes
/interface list member
# brLAN is the only LAN member; vlan99 is not in the LAN list in this export, so
# input-chain rules using in-interface-list=!LAN treat traffic arriving on vlan99 as
# non-LAN (the later revisions in this thread add vlan99 to the list).
add comment=defconf interface=brLAN list=LAN
add comment=defconf interface=e1-WAN list=WAN
add interface=pppoe-WIC list=WAN
add interface=vlan835 list=WAN
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# (warning above is from the export itself) -- the server is nevertheless enabled, and
# the input chain has tcp/1723 + gre accept rules for it.
set enabled=yes
/interface wireguard peers
# allowed-address=0.0.0.0/0 with only an endpoint-port and no endpoint address; no
# /ip address is assigned to wireguard1 anywhere in this export, so the tunnel is not
# usable as configured.
add allowed-address=0.0.0.0/0 endpoint-port=13231 interface=wireguard1 name=\
    peer1 public-key="78Ehw7OQ9T9KL7BqyEiJT3XEgByKcsbzpdfS5S78mSY="
/ip address
# 192.168.9.0/24 lives on the untagged bridge (management), 192.168.99.0/24 on vlan99.
add address=192.168.9.1/24 comment=defconf interface=brLAN network=\
    192.168.9.0
add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0
/ip dhcp-server lease
# Static reservations on dhcp2. dhcp_pool3 ends at .240, so these .245-.252 addresses sit
# outside the dynamic range.
add address=192.168.99.252 client-id=1:b8:a4:4f:3d:eb:21 mac-address=\
    B8:A4:4F:3D:EB:21 server=dhcp2
add address=192.168.99.251 client-id=1:b8:a4:4f:3d:eb:1d mac-address=\
    B8:A4:4F:3D:EB:1D server=dhcp2
add address=192.168.99.246 client-id=1:5c:e9:1e:7e:b7:b5 mac-address=\
    5C:E9:1E:7E:B7:B5 server=dhcp2
add address=192.168.99.247 client-id=1:32:f2:9d:7:84:88 mac-address=\
    32:F2:9D:07:84:88 server=dhcp2
add address=192.168.99.245 mac-address=80:69:1A:57:2B:78 server=dhcp2
/ip dhcp-server network
# Both networks hand clients public resolvers directly; they do not use the router's
# DNS cache configured below.
add address=192.168.9.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.9.1
add address=192.168.99.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.99.1
/ip dns
# Remote requests are allowed; only the input chain's final "drop all not coming from
# LAN" rule keeps this resolver from answering queries from non-LAN interfaces.
set allow-remote-requests=yes cache-size=20480KiB max-concurrent-queries=300 \
    max-concurrent-tcp-sessions=60 servers=\
    1.1.1.1,208.67.222.222,208.67.220.220,8.8.8.8,8.8.4.4
/ip dns static
# Default-config leftover: router.lan resolves to 192.168.88.1, an address this router
# no longer holds.
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
# ESTCOM: office sources allowed to reach Winbox on the WAN port.
# ESTCOM-REMOTE: private ranges accepted unconditionally in the input chain below.
add address=5.8.101.240/28 list=ESTCOM
add address=10.99.99.0/24 list=ESTCOM-REMOTE
add address=10.64.1.0/24 list=ESTCOM-REMOTE
add address=access.estcom.online list=ESTCOM
/ip firewall filter
# WireGuard handshake/data port, accepted from any interface (peers authenticate by key).
add action=accept chain=input dst-port=13231 protocol=udp
# Winbox from the ESTCOM list, matched on the physical WAN port only. Internet traffic
# actually arrives on pppoe-WIC (over vlan835 on e1-WAN), so in-interface=e1-WAN matches
# untagged traffic on the physical port, not PPPoE-delivered traffic and not the SSTP
# tunnel -- presumably this rule rarely matches anything; confirm with rule counters.
add action=accept chain=input comment=VPN dst-port=8291 in-interface=e1-WAN \
    protocol=tcp src-address-list=ESTCOM
# VPN service ports, same in-interface caveat as above. 1723 (PPTP) is TCP-only and
# 500/4500/1701 (IKE, L2TP) are UDP-only, so half of each list never matches.
add action=accept chain=input dst-port=4500,500,1723,1701 in-interface=e1-WAN \
    protocol=tcp
add action=accept chain=input dst-port=4500,500,1723,1701 in-interface=e1-WAN \
    protocol=udp
add action=accept chain=input in-interface=e1-WAN protocol=ipsec-esp
add action=accept chain=input in-interface=e1-WAN protocol=ipsec-ah
add action=accept chain=input in-interface=e1-WAN protocol=gre
# Accepts every service on the router from ESTCOM-REMOTE on any interface, ahead of the
# invalid-state drop. Presumably these are the far side of the SSTP/office tunnels, which
# would make this the rule that really admits remote management -- verify.
add action=accept chain=input src-address-list=ESTCOM-REMOTE
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Catch-all for the input chain: anything not from a LAN-list interface is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttracked connections skip the remaining filter rules once established.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Duplicate of the earlier ESTCOM-REMOTE rule, placed after the input chain's catch-all
# drop: only LAN-sourced traffic reaches it, so it is redundant.
add action=accept chain=input src-address-list=ESTCOM-REMOTE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
# Connection-tracking helpers. "set pptp disabled=yes" turns off the PPTP helper for
# traffic passing through the router; it does not affect the PPTP server enabled above.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip sip-timeout=3m
set pptp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
# Plain-text and scripting services off; services not listed here (winbox, www-ssl) keep
# their defaults, which this export does not show.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 firewall address-list
# Default-config bogon list used by the IPv6 forward chain.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified default IPv6 rule set (every rule carries the defconf comment).
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
# SNMP agent on, using the "estcom" community defined earlier.
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=TriestinaAnalytics
/system logging
# DHCP topic logging is active here -- useful for the lease problem from the opening post.
add topics=dhcp
/system note
set show-at-login=no
/system scheduler
# Runs the AutoBackup script every 4 weeks 2 days with the full policy set; the script
# body itself is not part of this export.
add interval=4w2d name=AutoBackup on-event=AutoBackup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2021-05-03 start-time=02:00:00

/tool mac-server
# MAC telnet and MAC Winbox answer on LAN-list interfaces only.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I am going to assume you are using the other ports as untagged ports for … VLAN 1?
Something in your screenshot seems to indicate that.

Rule (somewhere between 1 and 3) for Mikrotik admin:
Avoid vlan 1.

If you use vlan on Mikrotik, use it all the way.

Set proper tagged/untagged ports, with the correct VLAN ID for each untagged port.
Set bridge to admit only vlan tagged.

And don’t use vlan 1. Again.

Actually, I just want the vlan 99 to be injected to Unifi switch from ether4 and port 3,5 to be untagged vlan 99. Nothing else, so what could be the issue with vlan 1?

What is the purpose of having this VLAN? From your config (quick scan) you seem to have a single VLAN on the LAN side. Can you give an explanation of your network? Or better, a network diagram?

It’s there by default; I know it’s useless. Do you know a better config for injecting that LAN into the UniFi? Would that fix this issue? Is it true that I shouldn’t see other devices (coming from the UniFi) when I run an IP scan on the bridge?

This is a simplified diagram, but keep in mind that there's already a few DHCP servers on that Unifi Switch.

Also, do I have to change the PVID of the bridge to that VLAN 99?

  1. Remove serial number from post.
  2. DO NOT USE bridge firewall rules, this is an advanced setting for specific cases, use normal firewall rules for most needs.
  3. Clean up pools
  4. Fixed up /interface bridge port and bridge vlan
  5. Wireguard settings are incorrect. It would appear that the MT is acting as a “SERVER peer” for handshake based on the Allowed Addresses setting.
    (no endpoint or endpoint port and no keep alive).
    However, then the allowed IPs are wrong: not 0.0.0.0/0, but the actual WireGuard IP of each connected client peer, one peer per line, is required.

Final thought. Since you have no wireguard address, the whole WG entry seems like a waste of time???

  1. Remove default rule static IP DNS
    /ip dns static
    add address=192.168.88.1 comment=defconf name=router.lan type=A

  2. Rules are in wrong order and also ANY RULE THAT SMACKS OF ALLOWING unencrypted access to the router ( not coming in vlan is REMOVED ). USE VPN to access the router, and then use winbox when behind the router to access config. If that what you are doing okay…

ex. maybe this is a dangerous rule → add action=accept chain=input comment=VPN dst-port=8291
protocol=tcp src-address-list=ESTCOM

  1. You don't need to state in-interface for WAN on input rules; in any case, the interface used was wrong.

SUMMARY Don't use PPTP VPN; it's obsolete and unsafe.
SUMMARY To access the router remotely, use WireGuard and drop the rest of the VPN attempts.

/interface vlan
# Adds a second LAN-side VLAN (homeVLAN, id 10) next to vlan99; vlan835 stays the
# PPPoE carrier on the WAN port.
add interface=brLAN name=vlan99 vlan-id=99
add interface=brLAN name=homeVLAN vlan-id=10
add interface=e1-WAN name=vlan835 vlan-id=835

/ip pool
# Unused default-dhcp pool dropped; the remaining three are each referenced below.
add name=VPNPOOL ranges=172.30.30.30-172.30.30.40
add name=dhcp_pool2 ranges=192.168.9.2-192.168.9.254
add name=dhcp_pool3 ranges=192.168.99.2-192.168.99.240

/ip dhcp-server
# dhcp1 moved from the bare bridge to homeVLAN and enabled. The **=NO** markup is forum
# emphasis; the value to type is disabled=no.
add address-pool=dhcp_pool2 disabled**=NO** interface=homeVLAN name=dhcp1
add address-pool=dhcp_pool3 interface=vlan99 lease-time=4h name=dhcp2

/interface bridge port
# Every port gets ingress-filtering and an explicit frame-types: access ports take
# untagged frames only and stamp them with their pvid (10 or 99); ether4 is the trunk and
# takes tagged frames only, so no untagged frame from the UniFi side can enter the
# bridge and its pvid is irrelevant.
add bridge=brLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=10
add bridge=brLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3 pvid=99
add bridge=brLAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4
add bridge=brLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=99
add bridge=brLAN ingress-filtering=yes frame-types=admit-priority-and-untagged interface=sfp1 pvid=10

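/interface bridge settings
# Bridge firewall off: L2 traffic is no longer pushed through the IP firewall.
# Note: unless needed somehow for PPTP, which you should not use anyway.
set use-ip-firewall=NO use-ip-firewall-for-vlan=NO
/interface bridge vlan
# One entry per VLAN: 10 untagged on ether2/sfp1, 99 untagged on ether3/ether5 and
# tagged on the ether4 trunk; both tagged on the CPU port (brLAN).
add bridge=brLAN tagged=brLAN untagged=ether2,sfp1 vlan-ids=10
add bridge=brLAN tagged=brLAN,ether4 untagged=ether5,ether3 vlan-ids=99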

/interface list member
# Both VLAN interfaces join the LAN list, so input rules keyed on in-interface-list=LAN
# now match traffic arriving on vlan99/homeVLAN.
add interface=pppoe-WIC list=WAN
add interface=vlan99 list=LAN
add interface=homeVLAN list=LAN

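/interface wireguard peers
# Quoted from the original export for reference (straight quotes and a continuation
# backslash restored so the line can be pasted). allowed-address=0.0.0.0/0 with only an
# endpoint-port is the part flagged as wrong in the comments above.
add allowed-address=0.0.0.0/0 endpoint-port=13231 interface=wireguard1 name=\
    peer1 public-key="78Ehw7OQ9T9KL7BqyEiJT3XEgByKcsbzpdfS5S78mSY="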

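/ip address
# Quoted from the original export (continuation backslash restored). Note there is no
# address on wireguard1 and none on homeVLAN either.
add address=192.168.9.1/24 comment=defconf interface=brLAN network=\
    192.168.9.0
add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0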

WHERE IS WIREGUARD ADDRESS**???**

/ip firewall address-list
# Unchanged from the original export: ESTCOM = office sources, ESTCOM-REMOTE = private
# ranges admitted in the input chain.
add address=5.8.101.240/28 list=ESTCOM
add address=10.99.99.0/24 list=ESTCOM-REMOTE
add address=10.64.1.0/24 list=ESTCOM-REMOTE
add address=access.estcom.online list=ESTCOM

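/ip firewall filter
# default rules to keep
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# admin rules -- no in-interface on these, so the listed ports are admitted from any
# interface; the final drop still stops everything else from non-LAN sources.
# (The comment on the WireGuard rule is closed here; in the original post the opening
# quote was never closed, which would swallow the rest of the line.)
add action=accept chain=input comment="wireguard handshake" dst-port=13231 protocol=udp
# tcp/1723 and gre below still admit PPTP, which the summary above says to drop.
add action=accept chain=input dst-port=4500,500,1723 protocol=tcp
add action=accept chain=input dst-port=4500,500,1701 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN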

++++++++++++++++++++++++
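# forward chain (straight quotes and continuation backslashes restored from the post)
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Input rule listed after the input chain's catch-all drop: only LAN-sourced traffic
# can reach it, so as placed it admits nothing the drop did not already let through.
add action=accept chain=input src-address-list=ESTCOM-REMOTE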

/tool mac-server
# MAC telnet disabled entirely; MAC Winbox kept on LAN-list interfaces.
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Really thank you for taking the time to help me. Please ignore the Wireguard incomplete config as I wanted to apply it but then I left it half-way.

I cleaned it up as you said and understood a little more. However, I think that the edit “add bridge=brLAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether4” fixed the fact that I could see the other IPs coming from Ubiquiti and now I cannot which is perfect. If I run an IP scan, I can only see vlan 99 assigned IPs. What’s the PVID for that port? Still 1?

As for the 8291 rule, it can be used ONLY from our office’s addresses through the SSTP tunnel.

Why did you have to add a homevlan? I only need a VLAN 99 for Ubiquiti and a management lan (192.168.9.0/24) for local management.

I’ll give you the modified code and please let me know if there’s anything else to fix. Again, thank you so much for the time you’re spending with me on this.

Here it is:

/interface bridge
# Unchanged from the first export: VLAN filtering and DHCP snooping on, no trusted port
# declared anywhere in this export -- NOTE(review): confirm snooping is not dropping
# server replies arriving on ether4.
add admin-mac=48:8F:5A:A6:CB:1D auto-mac=no comment=defconf dhcp-snooping=yes \
    name=brLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=e1-WAN
/interface vlan
# The WireGuard interface is gone; vlan99 remains the only LAN-side VLAN interface.
add interface=brLAN name=vlan99 vlan-id=99
add interface=e1-WAN name=vlan835 vlan-id=835
/interface pppoe-client
# Internet uplink; ISP traffic arrives on pppoe-WIC, not directly on e1-WAN.
add add-default-route=yes disabled=no interface=vlan835 name=pppoe-WIC user=\
    ac17205371781
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Pools renamed; vlan99pool now extends to .254 (the earlier pool stopped at .240).
add name=VPNPOOL ranges=172.30.30.30-172.30.30.40
add name=9pool ranges=192.168.9.2-192.168.9.254
add name=vlan99pool ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
# dhcp1 on the bare bridge stays disabled; dhcp2 on vlan99 is the only active server.
# The static leases from the first export are no longer present.
add address-pool=9pool disabled=yes interface=brLAN name=dhcp1
add address-pool=vlan99pool interface=vlan99 lease-time=4h name=dhcp2
/ppp profile
set *FFFFFFFE local-address=VPNPOOL remote-address=VPNPOOL
/interface sstp-client
# Office tunnel, still without certificate-name verification of the server.
add authentication=mschap1,mschap2 connect-to=mk.estcom.online disabled=no \
    name=ppp-triestinaanalytics profile=default-encryption user=\
    ppp-triestinaanalytics verify-server-address-from-certificate=no
/snmp community
set [ find default=yes ] name=estcom
/interface bridge port
# ether2 and sfp1 still carry no pvid (bridge default) and no frame-types restriction.
add bridge=brLAN comment=defconf interface=ether2
add bridge=brLAN comment=defconf interface=ether3 pvid=99
add bridge=brLAN comment=defconf interface=ether5 pvid=99
add bridge=brLAN comment=defconf interface=sfp1
# Trunk toward the UniFi switch: only tagged frames are admitted, so untagged frames from
# the UniFi side can no longer enter the bridge's PVID VLAN -- consistent with the
# UniFi-side hosts having vanished from the IP scan. The port's pvid only applies to
# frames it would accept untagged, i.e. none. ingress-filtering is not set explicitly
# here, so whether tagged frames for VLANs absent from the bridge vlan table are
# filtered depends on this RouterOS version's default -- TODO confirm.
add bridge=brLAN frame-types=admit-only-vlan-tagged interface=ether4
/interface bridge settings
# use-ip-firewall is left at its default (not exported) while use-ip-firewall-for-vlan is
# yes; the VLAN variant is documented as depending on use-ip-firewall=yes, so this line
# presumably has no effect on its own -- verify.
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# VLAN 99 only: tagged on the CPU port (brLAN) and ether4, untagged on ether3/ether5.
add bridge=brLAN tagged=brLAN,ether4 untagged=ether5,ether3 vlan-ids=99
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes use-ipsec=yes
/interface list member
# vlan99 is now a LAN member, so input rules using in-interface-list=LAN/!LAN treat
# traffic arriving on vlan99 as LAN.
add comment=defconf interface=brLAN list=LAN
add comment=defconf interface=e1-WAN list=WAN
add interface=pppoe-WIC list=WAN
add interface=vlan835 list=WAN
add interface=vlan99 list=LAN
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# (warning above is the export's own) -- still enabled in this revision.
set enabled=yes
/ip address
# Management network on the untagged bridge, vlan99 network on the VLAN interface.
add address=192.168.9.1/24 comment=defconf interface=brLAN network=\
    192.168.9.0
add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0
/ip dhcp-server network
# Clients get public resolvers directly and bypass the router's DNS cache.
add address=192.168.9.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.9.1
add address=192.168.99.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.99.1
/ip dns
# Remote requests still allowed; reachability of this resolver from non-LAN interfaces
# rests on the input chain's final drop rule.
set allow-remote-requests=yes cache-size=20480KiB max-concurrent-queries=300 \
    max-concurrent-tcp-sessions=60 servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# ESTCOM: office sources for the Winbox rule. ESTCOM-REMOTE: private ranges accepted
# unconditionally in the input chain.
add address=5.8.101.240/28 list=ESTCOM
add address=10.99.99.0/24 list=ESTCOM-REMOTE
add address=10.64.1.0/24 list=ESTCOM-REMOTE
add address=access.estcom.online list=ESTCOM
/ip firewall filter
# Filter rules are unchanged from the first export.
# udp/13231 is still open although no WireGuard interface exists in this revision.
add action=accept chain=input dst-port=13231 protocol=udp
# Winbox from ESTCOM on the physical WAN port. The thread says this access comes through
# the SSTP tunnel, but in-interface=e1-WAN matches neither the SSTP tunnel nor
# PPPoE-delivered Internet traffic (which arrives on pppoe-WIC); presumably the
# ESTCOM-REMOTE rule below is what actually admits the office -- check rule counters.
add action=accept chain=input comment=VPN dst-port=8291 in-interface=e1-WAN \
    protocol=tcp src-address-list=ESTCOM
# Same in-interface caveat; 1723 is TCP-only, 500/4500/1701 are UDP-only.
add action=accept chain=input dst-port=4500,500,1723,1701 in-interface=e1-WAN \
    protocol=tcp
add action=accept chain=input dst-port=4500,500,1723,1701 in-interface=e1-WAN \
    protocol=udp
add action=accept chain=input in-interface=e1-WAN protocol=ipsec-esp
add action=accept chain=input in-interface=e1-WAN protocol=ipsec-ah
add action=accept chain=input in-interface=e1-WAN protocol=gre
# Accepts every router service from ESTCOM-REMOTE on any interface, ahead of the
# invalid-state drop.
add action=accept chain=input src-address-list=ESTCOM-REMOTE
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Catch-all for the input chain.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttracked connections skip the remaining filter rules once established.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Duplicate of the earlier ESTCOM-REMOTE rule, after the input catch-all drop: redundant.
add action=accept chain=input src-address-list=ESTCOM-REMOTE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
# Connection-tracking helpers; "set pptp disabled=yes" affects PPTP passing through the
# router, not the PPTP server enabled above.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip sip-timeout=3m
set pptp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
# Plain-text and scripting services off; services not listed keep defaults not shown here.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 firewall address-list
# Default-config bogon list for the IPv6 forward chain.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified default IPv6 rule set.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=TriestinaAnalytics
/system logging
# DHCP topic logging is present but disabled, so lease assign/release events are not
# logged while the lease problem from the opening post is being chased.
add disabled=yes topics=dhcp
/system note
set show-at-login=no
/system scheduler
# Runs the AutoBackup script every 4 weeks 2 days with the full policy set.
add interval=4w2d name=AutoBackup on-event=AutoBackup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2021-05-03 start-time=02:00:00
/system script
# AutoBackup: exports the config (.rsc) and saves a .backup, then uploads both over plain
# FTP (mode=ftp) to remote.estcom.online. The FTP username and password are embedded in
# the script source, which means they are in this export, in every .rsc the script
# produces, and now in this public post -- treat that credential as exposed and rotate
# it. Password and backup content also travel unencrypted on the wire. The export and its
# "Config export finished." log line are executed twice, and every MKRSC-/MKBK- file is
# deleted 30s after the upload starts regardless of whether the upload succeeded.
add dont-require-permissions=no name=AutoBackup owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_AUTOMATED BACKUP TO EXTERNAL FTP - FRANZ\r\
    \n\r\
    \n# ftp configuration\r\
    \n:local ftphost \"remote.estcom.online\"\r\
    \n:local ftpuser \"mikrotik\"\r\
    \n:local ftppassword \"3s7-C0m.=\"\r\
    \n:local ftppath \"/Dati/Mikrotik/TriestinaAnalytics/\"\r\
    \n\r\
    \n# months array\r\
    \n:local months (\"jan\",\"feb\",\"mar\",\"apr\",\"may\",\"jun\",\"jul\",\
    \"aug\",\"sep\",\"oct\",\"nov\",\"dec\");\r\
    \n\r\
    \n# get time\r\
    \n:local ts [/system clock get time]\r\
    \n:set ts ([:pick \$ts 0 2].[:pick \$ts 3 5].[:pick \$ts 6 8])\r\
    \n\r\
    \n# get Date\r\
    \n:local ds [/system clock get date]\r\
    \n# convert name of month to number\r\
    \n:local month [ :pick \$ds 0 3 ];\r\
    \n:local mm ([ :find \$months \$month -1 ] + 1);\r\
    \n:if (\$mm < 10) do={ :set mm (\"0\" . \$mm); }\r\
    \n# set \$ds to format YYYY-MM-DD\r\
    \n:set ds ([:pick \$ds 7 11] . \$mm . [:pick \$ds 4 6])\r\
    \n\r\
    \n\r\
    \n\r\
    \n\r\
    \n\r\
    \n#.rsc FILE -------------------------------\r\
    \n# file name for config export - file name will be MKRSC-servername-date-\
    time.rsc\r\
    \n:local fname2 (\"/MKRSC-\".[/system identity get name].\"-\".\$ds.\"-\".\
    \$ts.\".rsc\")\r\
    \n\r\
    \n/export compact file=\$fname2\r\
    \n:log info message=\"Config export finished.\"\r\
    \n#.rsc FILE -------------------------------\r\
    \n\r\
    \n\r\
    \n#.backup FILE -------------------------------\r\
    \n:local nomecliente (\"/MKBK-\".[/system identity get name].\"-\".\$ds.\"\
    -\".\$ts.\".backup\")\r\
    \n\r\
    \n/system backup save name=\"\$nomecliente\"\r\
    \n\r\
    \n/tool fetch address=\"remote.estcom.online\" src-path=\"\$nomecliente\" \
    \\\r\
    \nuser=\"mikrotik\" mode=ftp password=\"\$ftppassword\" \\\r\
    \ndst-path=\"\$ftppath/\$nomecliente\" upload=yes\r\
    \n#.backup FILE -------------------------------\r\
    \n\r\
    \n\r\
    \n#EXPORT CONFIG FILE FOR .RSC\r\
    \n/export compact file=\$fname2\r\
    \n:log info message=\"Config export finished.\"\r\
    \n\r\
    \n\r\
    \n#UPLOAD CONFIG FILE FOR .RSC\r\
    \n:log info message=\"Uploading config export.\"\r\
    \n/tool fetch address=\"\$ftphost\" src-path=\$fname2 user=\"\$ftpuser\" m\
    ode=ftp password=\"\$ftppassword\" dst-path=\"\$ftppath/\$fname2\" upload=\
    yes\r\
    \n\r\
    \n\r\
    \n\r\
    \n# delay time to finish the upload - increase it if your backup file is b\
    ig\r\
    \n:delay 30s;\r\
    \n# find file name start with MKRSC- then remove\r\
    \n:foreach i in=[/file find] do={ :if ([:typeof [:find [/file get \$i name\
    ] \"MKRSC-\"]]!=\"nil\") do={/file remove \$i}; }\r\
    \n:log info message=\"Configuration backup finished.\";\r\
    \n# find file name start with MKBK- then remove\r\
    \n:foreach i in=[/file find] do={ :if ([:typeof [:find [/file get \$i name\
    ] \"MKBK-\"]]!=\"nil\") do={/file remove \$i}; }\r\
    \n:log info message=\"Configuration backup finished.\";"
/tool mac-server
# Both MAC telnet and MAC Winbox are disabled on every interface; management is
# IP-based only from here on.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none

I believe that was already mentioned in the very first answer you got :confused:

So this is the updated situation. Ether4 is the trunk port (only vlan 99 going out). Ether4’s PVID should remain 1?

Once you define a port properly as trunk, pvid setting doesn’t matter anymore.

So does it look fine to you now?
Thanks

Even on the Bridge’s PVID? It was 1 and was working fine, but not sure if it’s correct. Should this remain 1 or 99 as I just edited it to? I mainly need the VLAN 99 to be injected to a Unifi switch, that’s all.