VLAN Trunking from RouterOS to SwOS

Hey folks, I have a HAP AC3 router with 2 access points, and everything is finally configured and working with CAPsMAN controlling the on-board AP as well as the 2 x CAPs.

It is a bit of a complex setup that I originally put together with multiple SSIDs each of which terminates onto a bridge. I have SSIDs for

Management
Guest
Kids
IOT
Trusted wifi

And each of those has a bridge associated with it. I also have another bridge for wired management (but I may end up merging it with the wifi management).

Works great but now I want to introduce my new CSS326 24 port switch. At first I just want a single trunk port going to the router with VLAN trunking, but eventually want to upgrade it to a dual port LAG trunk.

Anyway I can’t find any examples for this type of setup.

Things I need to do :

  • update each bridge to have a VLAN and VLAN ID
  • designate a port on the router for a trunk port
  • currently the port to my switch is on my management bridge
  • configure VLAN trunk on switch

I’ve made a few attempts at things which usually lead to losing contact with the switch and sometimes factory resetting it.

Are there any good examples out there for this? Or any other help?

Why so complex?
You only need 1 bridge on the hAP AC3.
Read this: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

From your explanation it's unclear to me where your problem is.
On the hAP or the CSS?

I’ll let people who deal with bridges in RouterOS help you on that end, but on the SwitchOS part, that is insanely easy. I assume that other than the trunk port (or ports after you set up the LAG) all the other ports will be untagged ports on an assortment of the VLANs. For those ports, on the VLAN and VLANs tabs, assign the desired VLAN. On the VLAN tab, VLAN Mode = Disabled, VLAN Receive = Only Untagged, and Default VLAN ID is the desired VLAN. For the trunk port or ports, VLAN Mode = Strict, VLAN Receive = Only tagged, and Default VLAN ID is a bogus number. Port 1 in this example is a VLAN trunk. Here is one of mine from a while ago:

On the VLANs tab, add each VLAN and check the box for which port or ports will be on that VLAN. Again, here is one of mine:

The LAG is really easy, but I don’t have a screen capture of that already on my website - and I’m not home to be able to add one…

To start with, leave access to the switch (on the System tab) completely unrestricted until you have everything else working, you understand what the restrictions do, AND you have a saved backup taken just before you start restricting it (so if you lock yourself out and need to reset, you don’t lose any effort).

Concur with both: only one bridge is required, and use VLANs to separate groups of users; using bridges is an unnecessary complication.
Yes, you would trunk all VLANs to the switch (which is very happy to work with VLANs, not bridges).

OK that’s interesting about only 1 bridge. Last night while trying some things to make this work I locked myself out of my RouterOS - and I went through every possibility and I’m locked out to the point where I have to factory reset. I do have a recent backup but I was already thinking that the best path forward will be to build it all back up from scratch but this time build in the VLANs from the beginning instead of adding them on at the end. And it sounds like the best way to do that will be with just a single bridge.

The multiple bridges worked really well as a way to segregate everything really easily using firewall rules, but it seems like that method almost implies not using VLANs.

I also recommend taking one port OFF the bridge and using it as an emergency access on the router in case the bridge or config burps and some prefer to config the router all the time from the port.

Off bridge - https://forum.mikrotik.com/viewtopic.php?t=182373

Vlan advice Para C. - https://forum.mikrotik.com/viewtopic.php?t=182373

OK so I went back to the drawing board and redesigned it all with 1 bridge on my RouterOS side and all the VLANs connected to the bridge. I got it working but there is something strange which you can see from a screen shot of my firewall rules here :

https://photos.app.goo.gl/GWEuGCK2LcNh3w5G9

I was having an issue where, when I would ping, for the first few seconds it would not ping (which was expected as per my FW rules), but then suddenly the ping would start working! It was very strange, and I did not get this sort of behavior when I had the same network designed with bridges instead of VLANs.

And also some traffic that was supposed to work would not work, and I got a hunch that it was travelling in one direction but was not making its way back. As part of that hunch I added a rule at the top which duplicated the default rule for established and related connections, but instead of being on the input chain it was on forward. You see rule 3 at the top.

Then in each section for each of my VLANs I duplicated all existing rules one at a time, and each time changed the chain from input to forward. This looks like it has fixed my issue, but it also looks like it is wrong. You can see that both the input and forward rules get traffic.

I’m relatively new at Linux-style firewall rules with input, forward, mangle and so on, so I don’t fully understand where the traffic is going that makes this work.

Can someone help me understand the traffic flow here and/or tell me a better way to do my rules. I am nervous going into production like this because it just doesn’t seem like it should be right even though my testing does seem correct.

I also have my VLAN trunk going to the switch, and have a laptop wired into the switch. When I change the switch port VLAN and reload my network stack I get the IP according to the correct VLAN, and the behavior according to that. So really looks like it is working but still it does not seem right.

For RouterOS please don’t post screen captures. Export and post the config file. For SwitchOS, you don’t have a choice as the GUI is all you get.

To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.

OK thanks I’ll do that - I only use the GUI so that’s what I posted. But I’ll export now and share.

# dec/27/2022 19:00:25 by RouterOS 7.6
# software id = BXS9-F76C
#
# model = RBD53iG-5HacD2HnD
# serial number = HD10846D5W3
/interface bridge
add admin-mac=18:FD:74:85:DD:FC auto-mac=no comment=defconf name=br-mgmt
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN
set [ find default-name=ether2 ] name=eth2-CAP-01
set [ find default-name=ether3 ] name=eth3-CAP-02
set [ find default-name=ether4 ] name=eth4-SW
set [ find default-name=ether5 ] name=eth5-mgmt poe-out=off
/interface wireless
# managed by CAPsMAN
# channel: 5520/20-eCee/ac/DP(21dBm), SSID: MT-5, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=canada distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name=wlan-5 ssid=MT-5 \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2442/20-eC/gn(27dBm), SSID: MT-24, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
    wlan-24 ssid=MikroTik-85DE00 wireless-protocol=802.11
/interface vlan
add interface=br-mgmt name=vl-guest vlan-id=66
add interface=br-mgmt name=vl-iot vlan-id=55
add interface=br-mgmt name=vl-kids vlan-id=77
add interface=br-mgmt name=vl-mgmt vlan-id=1
add interface=br-mgmt name=vl-tr-wifi vlan-id=99
add interface=br-mgmt name=vl-tr-wired vlan-id=88
/caps-man datapath
add bridge=br-mgmt name=dpath-mgmt vlan-id=1 vlan-mode=use-tag
add bridge=br-mgmt name=dpath-trusted vlan-id=99 vlan-mode=use-tag
add bridge=br-mgmt name=dpath-guest vlan-id=66 vlan-mode=use-tag
add bridge=br-mgmt name=dpath-kids vlan-id=77 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-mgmt
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-trusted
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-kids
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-guest
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-IOT
/caps-man configuration
add channel.band=2ghz-b/g/n country=canada datapath.bridge=br-mgmt \
    .client-to-client-forwarding=no .local-forwarding=no distance=indoors \
    installation=any mode=ap name=capcfg-mgmt-24 security=capsec-mgmt ssid=\
    MT-24
add channel.band=5ghz-a/n/ac country=canada datapath.bridge=br-mgmt distance=\
    indoors installation=any mode=ap name=capcfg-mgmt-5 security=capsec-mgmt \
    ssid=MT-5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-kids distance=\
    indoors installation=any mode=ap name=capcfg-kids-24 security=capsec-kids \
    ssid=Dity-24
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-kids distance=\
    indoors installation=any mode=ap name=capcfg-kids-5 security=capsec-kids \
    ssid=Dity-5
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-guest distance=\
    indoors installation=any mode=ap name=capcfg-guest-5 security=\
    capsec-guest ssid=IDontTrustYou5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-guest distance=\
    indoors installation=any mode=ap name=capcfg-guest-24 security=\
    capsec-guest ssid=IDontTrustYou24
add channel.band=2ghz-b/g/n country=canada datapath=dpath-trusted distance=\
    indoors installation=any mode=ap name=capcfg-trusted-24 security=\
    capsec-trusted ssid=Doviryayu24
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-trusted distance=\
    indoors installation=any mode=ap name=capcfg-trusted-5 security=\
    capsec-trusted ssid=Doviryayut5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man datapath
add bridge=br-mgmt interface-list=all name=dpath-iot vlan-id=55 vlan-mode=\
    use-tag
/caps-man configuration
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-iot distance=\
    indoors installation=any mode=ap name=capcfg-iot-5 security=capsec-IOT \
    ssid=IOT-5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-iot distance=\
    indoors installation=any mode=ap name=capcfg-iot-24 security=capsec-IOT \
    ssid=IOT-24
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.199.22-10.0.199.222
add name=pool-dhcp-iot ranges=10.0.55.22-10.0.55.222
add name=pool-dhcp-guest ranges=10.0.66.22-10.0.66.222
add name=pool-dhcp-kids ranges=10.0.77.22-10.0.77.222
add name=pool-dhcp-tr-wifi ranges=10.0.99.22-10.0.99.222
add name=pool-dhcp-tr-wired ranges=10.0.88.22-10.0.88.222
/ip dhcp-server
add address-pool=dhcp interface=br-mgmt name=defconf
add address-pool=pool-dhcp-iot interface=vl-iot name=dhcp-iot
add address-pool=pool-dhcp-guest interface=vl-guest name=dhcp-guest
add address-pool=pool-dhcp-kids interface=vl-kids name=dhcp-kids
add address-pool=pool-dhcp-tr-wifi interface=vl-tr-wifi name=dhcp-wifi
add address-pool=pool-dhcp-tr-wired interface=vl-tr-wired name=dhcp-tr-wired
/caps-man manager
set ca-certificate=CAPsMAN-CA-18FD7485DDFB certificate=CAPsMAN-18FD7485DDFB \
    enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:85:DE:00 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:85:DE:01 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:99:87:16 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:99:87:17 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:5F:AE:A6 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:5F:AE:A7 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
/interface bridge port
add bridge=br-mgmt comment=defconf interface=eth2-CAP-01
add bridge=br-mgmt comment=defconf interface=eth3-CAP-02
add bridge=br-mgmt comment=defconf interface=eth4-SW
add bridge=br-mgmt comment=defconf interface=eth5-mgmt
add bridge=br-mgmt comment=defconf interface=wlan-24
add bridge=br-mgmt comment=defconf interface=wlan-5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=br-mgmt vlan-ids=55,1
/interface list member
add comment=defconf interface=br-mgmt list=LAN
add comment=defconf interface=eth1-WAN list=WAN
/interface wireless cap
# 
set bridge=br-mgmt caps-man-addresses=127.0.0.1 certificate=\
    CAPsMAN-18FD7485DDFB discovery-interfaces=br-mgmt enabled=yes interfaces=\
    wlan-24,wlan-5
/ip address
add address=10.0.199.1/24 comment=defconf interface=br-mgmt network=\
    10.0.199.0
add address=10.0.55.1/24 interface=vl-iot network=10.0.55.0
add address=10.0.88.1/24 interface=vl-tr-wired network=10.0.88.0
add address=10.0.99.1/24 interface=vl-tr-wifi network=10.0.99.0
add address=10.0.77.1/24 interface=vl-kids network=10.0.77.0
add address=10.0.66.1/24 interface=vl-guest network=10.0.66.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=eth1-WAN
/ip dhcp-server network
add address=10.0.55.0/24 dns-server=10.0.55.1 gateway=10.0.55.1
add address=10.0.66.0/24 dns-server=10.0.66.1 gateway=10.0.66.1
add address=10.0.77.0/24 dns-server=10.0.77.1 gateway=10.0.77.1
add address=10.0.88.0/24 dns-server=10.0.88.1 gateway=10.0.88.1
add address=10.0.99.0/24 dns-server=10.0.99.1 gateway=10.0.99.1
add address=10.0.199.0/24 comment=defconf dns-server=10.0.199.1 gateway=\
    10.0.199.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.199.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.55.0/24 list=SN-WF-IOT
add address=10.0.66.0/24 list=SN-WF-GUEST
add address=10.0.77.0/24 list=SN-WF-KIDS
add address=10.0.88.0/24 list=SN-TR-WIRED
add address=10.0.99.0/24 list=SN-TR-WIFI
add address=10.0.0.0/8 list=RFC1918-10
add address=172.16.0.0/12 list=RFC1918-172-16
add address=192.168.0.0/16 list=RFC1918-192-168
add address=10.0.199.0/24 list=SN-MGMT
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all coming in from WAN" \
    in-interface-list=WAN
add action=accept chain=input comment=\
    "IOT has no access to other internal subnets" dst-address=10.0.55.1 \
    dst-port=67,53,123 in-interface=vl-iot protocol=udp src-address-list=\
    SN-WF-IOT
add action=accept chain=forward dst-address=10.0.55.1 dst-port=67,53,123 \
    in-interface=vl-iot protocol=udp src-address-list=SN-WF-IOT
add action=drop chain=input dst-address-list=RFC1918-10 in-interface=vl-iot \
    src-address-list=SN-WF-IOT
add action=drop chain=forward dst-address-list=RFC1918-10 src-address-list=\
    SN-WF-IOT
add action=drop chain=input dst-address-list=RFC1918-172-16 in-interface=\
    vl-iot src-address-list=SN-WF-IOT
add action=drop chain=forward dst-address-list=RFC1918-172-16 \
    src-address-list=SN-WF-IOT
add action=drop chain=input dst-address-list=RFC1918-192-168 in-interface=\
    vl-iot src-address-list=SN-WF-IOT
add action=drop chain=forward dst-address-list=RFC1918-192-168 \
    src-address-list=SN-WF-IOT
add action=accept chain=input comment=\
    "allow trusted wifi to all internal subnets" connection-nat-state="" \
    dst-address-list=RFC1918-10 in-interface=vl-tr-wifi src-address-list=\
    SN-TR-WIFI
add action=accept chain=forward connection-nat-state="" dst-address-list=\
    RFC1918-10 src-address-list=SN-TR-WIFI
add action=accept chain=input dst-address-list=RFC1918-172-16 in-interface=\
    vl-tr-wifi src-address-list=SN-TR-WIFI
add action=accept chain=forward dst-address-list=RFC1918-172-16 \
    src-address-list=SN-TR-WIFI
add action=accept chain=input dst-address-list=RFC1918-192-168 in-interface=\
    vl-tr-wifi src-address-list=SN-TR-WIFI
add action=accept chain=forward dst-address-list=RFC1918-192-168 \
    src-address-list=SN-TR-WIFI
add action=accept chain=input comment="allow kids to IOT and Guest networks" \
    dst-address=10.0.77.1 dst-port=67,53,123 in-interface=vl-kids protocol=\
    udp src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address=10.0.77.1 dst-port=67,53,123 \
    protocol=udp src-address-list=SN-WF-KIDS
add action=accept chain=input dst-address-list=SN-WF-IOT in-interface=vl-kids \
    src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address-list=SN-WF-IOT src-address-list=\
    SN-WF-KIDS
add action=accept chain=input dst-address-list=SN-WF-GUEST in-interface=\
    vl-kids src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address-list=SN-WF-GUEST \
    src-address-list=SN-WF-KIDS
add action=drop chain=input dst-address-list=RFC1918-10 in-interface=vl-kids \
    src-address-list=SN-WF-KIDS
add action=drop chain=forward dst-address-list=RFC1918-10 src-address-list=\
    SN-WF-KIDS
add action=drop chain=input dst-address-list=RFC1918-172-16 in-interface=\
    vl-kids src-address-list=SN-WF-KIDS
add action=drop chain=forward dst-address-list=RFC1918-172-16 \
    src-address-list=SN-WF-KIDS
add action=drop chain=input dst-address-list=RFC1918-192-168 in-interface=\
    vl-kids src-address-list=SN-WF-KIDS
add action=drop chain=forward dst-address-list=RFC1918-192-168 \
    src-address-list=SN-WF-KIDS
add action=accept chain=input comment=\
    "allow trusted wired to all internal subnets" dst-address-list=RFC1918-10 \
    in-interface=vl-tr-wired src-address-list=SN-TR-WIRED
add action=accept chain=forward dst-address-list=RFC1918-10 src-address-list=\
    SN-TR-WIRED
add action=accept chain=input dst-address-list=RFC1918-172-16 in-interface=\
    vl-tr-wired src-address-list=SN-TR-WIRED
add action=accept chain=forward dst-address-list=RFC1918-172-16 \
    src-address-list=SN-TR-WIRED
add action=accept chain=input dst-address-list=RFC1918-192-168 in-interface=\
    vl-tr-wired src-address-list=SN-TR-WIRED
add action=accept chain=forward dst-address-list=RFC1918-192-168 \
    src-address-list=SN-TR-WIRED
add action=accept chain=input comment=\
    "Block GUESTs from all internal subnets" dst-address=10.0.66.1 dst-port=\
    67,53,123 in-interface=vl-guest protocol=udp src-address-list=SN-WF-GUEST
add action=accept chain=forward dst-address=10.0.66.1 dst-port=67,53,123 \
    protocol=udp src-address-list=SN-WF-GUEST
add action=drop chain=input dst-address-list=RFC1918-10 in-interface=vl-guest \
    src-address-list=SN-WF-GUEST
add action=drop chain=forward dst-address-list=RFC1918-10 src-address-list=\
    SN-WF-GUEST
add action=drop chain=input dst-address-list=RFC1918-172-16 in-interface=\
    vl-guest src-address-list=SN-WF-GUEST
add action=drop chain=forward dst-address-list=RFC1918-172-16 \
    src-address-list=SN-WF-GUEST
add action=drop chain=input dst-address-list=RFC1918-192-168 in-interface=\
    vl-guest src-address-list=SN-WF-GUEST
add action=drop chain=forward dst-address-list=RFC1918-192-168 \
    src-address-list=SN-WF-GUEST
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.99.0/24,10.0.199.0/24,10.0.88.0/24
set www-ssl address=10.0.99.0/24,10.0.199.0/24,10.0.88.0/24
set winbox address=10.0.99.0/24,10.0.199.0/24,10.0.88.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MT-Router-01
/system ntp server
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

One side question - I don’t use LAN for anything and I did not change the default settings for it.

I see this “set allowed-interface-list=LAN” but I google and cannot find any reference to the “allowed-interface-list” setting to know what this does.

OK reviewing some of the VLAN example configs posted in the important reference threads here I see I did not have VLAN filtering enabled on my bridge - that’s got to be an issue of some sort or another.

And I also see some basic stuff that gives me some hints as to the data flows for input and forward chains. Namely this snippet, which I also have a question about, but maybe I’ll ask it in that thread rather than here.

##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"

add chain=forward action=drop comment="Drop"

Somewhere in the manual wiki there is a (rather complex) diagram that explains input, forward, mangle and so forth, and the order in which they are applied. But I can’t seem to find it now. It seems I should go re-read this.
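The chain question above comes down to one rule of thumb: the input chain only ever sees packets whose destination address is one of the router's own addresses (DNS, DHCP, NTP, Winbox, a ping of the gateway), while the forward chain sees every packet the router routes from one interface to another (VLAN to WAN, VLAN to VLAN). A drop placed in input therefore never stops a host in one VLAN from reaching a host in another VLAN; that is why the input-only rules in the export above let inter-VLAN traffic through, and why, once the rules were duplicated into forward, both copies showed counters (the input copy matching traffic to the router, the forward copy matching host-to-host traffic). The following is an added example, not the thread's snippet or the poster's export, of a filter set that puts each decision in the chain that actually sees the traffic. It assumes an interface list named VLAN (not present in the export) containing the vl-* interfaces from the thread; everything else uses the thread's names. First match wins, and once the first packet of a connection is accepted the established,related rule accepts the rest, so each policy only needs to describe the connection's first packet.

```routeros
# Added example (not the poster's config). Assumes an interface list "VLAN"
# holding the vl-* interfaces from the export; "WAN" is the export's own list.
/interface list
add name=VLAN
/interface list member
add interface=vl-mgmt list=VLAN
add interface=vl-iot list=VLAN
add interface=vl-guest list=VLAN
add interface=vl-kids list=VLAN
add interface=vl-tr-wired list=VLAN
add interface=vl-tr-wifi list=VLAN

/ip firewall filter
# ---- INPUT: packets addressed TO the router itself.
#      A drop here never affects a host in VLAN A talking to a host in VLAN B.
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to connections the router already accepted"
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53,67,123 \
    comment="DNS, DHCP and NTP from every VLAN"
add chain=input action=accept in-interface-list=VLAN protocol=icmp \
    comment="let every VLAN ping its gateway"
add chain=input action=accept in-interface=vl-mgmt \
    comment="management VLAN only: Winbox, WebFig, SSH"
add chain=input action=drop comment="everything else to the router, WAN included"

# ---- FORWARD: packets the router routes between interfaces.
#      Inter-VLAN policy belongs here, not in input.
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="fasttrack flows once the first packet was accepted"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN \
    comment="every VLAN reaches the internet"
add chain=forward action=accept in-interface=vl-tr-wired out-interface-list=VLAN \
    comment="trusted wired may open connections into any VLAN"
add chain=forward action=accept in-interface=vl-tr-wifi out-interface-list=VLAN \
    comment="trusted wifi may open connections into any VLAN"
add chain=forward action=accept in-interface=vl-kids out-interface=vl-iot \
    comment="kids to IOT"
add chain=forward action=accept in-interface=vl-kids out-interface=vl-guest \
    comment="kids to guest"
add chain=forward action=drop \
    comment="everything else: guest and IOT stay isolated, unsolicited WAN is dropped"
```

The final forward drop also blocks new connections from the WAN towards any VLAN, which is what the export's "drop all from WAN not DSTNATed" rule did; if port forwards are added later, an accept for connection-nat-state=dstnat has to sit above it. Because the per-VLAN policy is expressed with in-interface and out-interface rather than address lists, a host that spoofs a source address from another subnet gains nothing, and the rule set does not need a separate copy of every rule per chain.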

I don’t seem to be getting a lot of interest in helping me out. I’ve been going through numerous examples in the wiki and the YouTube channels that are recommended from the various sticky links, like The Network Berg and so on. Those are all great, really simple examples of 1 simple thing, but the problem is I don’t have 1 simple thing. Here is basically my setup:

5 Port HAP AC3
2 x CAP AC3
1 x SwOS 24 Port Switch

Eth1 - WAN - working
Eth2 - bridge br-main → CAP-01
Eth3 - bridge br-main → CAP-02
Eth4 - bridge br-main → Switch (SwOS)
Eth5 - bridge br-mgmt no VLANs → SSID MT-24 and MT-5 tied to this bridge along with the port so that I can mess with the other bridge to get the settings right, without losing connection. This part is working great but I’m not getting anywhere with the config of br-main and its ports

Question: should Eth2 and Eth3 be VLAN trunks with vlan-filtering turned on on the bridge?

From all the examples I am reading it tells me I need to turn on VLAN filtering on the bridge because this is the “new way” and is the only correct way to do VLANs that are compatible with the industry standard protocols. But then I end up with a strange message “port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry” which I track down to this thread : http://forum.mikrotik.com/t/puzzling-bridge-vlan-warning/140606/1 which I think is telling me that my issue is that I have eth2 and eth3 (the CAPs) terminating on the bridge but not tagged trunk ports.

When I turn them on as tagged trunk ports and turn on VLAN filtering on br-main, that whole bridge locks up.

I’ll post my config in a moment in another message.
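To answer the trunk question concretely, here is an added example (not the poster's export) of a single VLAN-aware bridge in which eth2-CAP-01 and eth3-CAP-02 carry every VLAN tagged plus the management VLAN untagged, and eth4-SW is a pure tagged trunk to the switch. The interface names and VLAN IDs are the thread's (11 for management, 55 IOT, 66 guest, 77 kids, 88 trusted wired, 99 trusted wifi); eth5-mgmt is deliberately left off this bridge so it keeps working as the emergency access port while br-main is being changed, and the CAPsMAN datapath side is left as in the export. The "port with pvid added to untagged group" warning goes away once the PVID VLAN of each port has an explicit /interface bridge vlan entry naming that port as an untagged member, and the bridge locks up when vlan-filtering is enabled before the bridge itself is listed as a tagged member of the VLANs that the router's vl-* interfaces sit on.

```routeros
# Added example (not the poster's config). Run it from a terminal in Safe Mode
# (Ctrl+X) so that losing the session rolls every change back automatically.

/interface bridge
add name=br-main vlan-filtering=no comment="filtering is switched on as the last step"

/interface bridge port
# CAP uplinks: VLAN 11 (management) untagged via pvid, so the CAPs reach CAPsMAN
# without any VLAN configuration of their own; every other VLAN arrives tagged.
add bridge=br-main interface=eth2-CAP-01 pvid=11 ingress-filtering=yes \
    frame-types=admit-all
add bridge=br-main interface=eth3-CAP-02 pvid=11 ingress-filtering=yes \
    frame-types=admit-all
# Switch uplink: pure trunk, untagged frames from the switch are discarded.
add bridge=br-main interface=eth4-SW ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

/interface bridge vlan
# eth2/eth3 listed explicitly as untagged members of their PVID VLAN: this is
# what silences the "added to untagged group" warning. br-main itself is a
# tagged member of every VLAN so the router's own /interface vlan interfaces
# (the L3 side) can send and receive on them.
add bridge=br-main vlan-ids=11 tagged=br-main,eth4-SW \
    untagged=eth2-CAP-01,eth3-CAP-02
add bridge=br-main vlan-ids=55,66,77,88,99 \
    tagged=br-main,eth2-CAP-01,eth3-CAP-02,eth4-SW

/interface vlan
add interface=br-main name=vl-mgmt vlan-id=11
add interface=br-main name=vl-iot vlan-id=55
add interface=br-main name=vl-guest vlan-id=66
add interface=br-main name=vl-kids vlan-id=77
add interface=br-main name=vl-tr-wired vlan-id=88
add interface=br-main name=vl-tr-wifi vlan-id=99

/ip address
# management address for this example; the other vl-* addresses are as in the export
add address=10.0.11.1/24 interface=vl-mgmt

# Last step, only once the bridge vlan table above is complete:
/interface bridge set br-main vlan-filtering=yes
```

On the SwOS side the matching port 1 trunk setting is the one described earlier in the thread (VLAN Mode = Strict, VLAN Receive = Only tagged), with VLANs 11, 55, 66, 77, 88 and 99 each listing port 1 as a member on the VLANs tab. Checking /interface bridge vlan after enabling filtering shows which entries are static and which were added dynamically (a D flag); any dynamic entry points at a port whose PVID still lacks an explicit untagged membership.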

Here is my config

# dec/30/2022 20:50:07 by RouterOS 7.6
# software id = BXS9-F76C
#
# model = RBD53iG-5HacD2HnD
# serial number = HD10846D5W3
/caps-man datapath
add name=dpath-mgmt
/interface bridge
add admin-mac=18:FD:74:85:DD:FC auto-mac=no comment=defconf \
    ingress-filtering=no name=br-main vlan-filtering=yes
add name=br-mgmt
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN
set [ find default-name=ether2 ] name=eth2-CAP-01
set [ find default-name=ether3 ] name=eth3-CAP-02
set [ find default-name=ether4 ] name=eth4-SW
set [ find default-name=ether5 ] name=eth5-mgmt poe-out=off
/interface wireless
# managed by CAPsMAN
# channel: 5520/20-eCee/ac/DP(21dBm), SSID: MT-5, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=canada distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name=wlan-5 ssid=MT-5 \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2442/20-eC/gn(27dBm), SSID: MT-24, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
    wlan-24 ssid=MikroTik-85DE00 wireless-protocol=802.11
/interface vlan
add interface=br-main name=vl-guest vlan-id=66
add interface=br-main name=vl-iot vlan-id=55
add interface=br-main name=vl-kids vlan-id=77
add interface=br-main name=vl-mgmt vlan-id=11
add interface=br-main name=vl-mgmt-old vlan-id=199
add interface=br-main name=vl-tr-wifi vlan-id=99
add interface=br-main name=vl-tr-wired vlan-id=88
/caps-man datapath
add bridge=br-main name=dpath-trusted vlan-id=99 vlan-mode=use-tag
add bridge=br-main name=dpath-guest vlan-id=66 vlan-mode=use-tag
add bridge=br-main name=dpath-kids vlan-id=77 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-mgmt
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-trusted
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-kids
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-guest
add authentication-types=wpa2-psk encryption=aes-ccm name=capsec-IOT
/caps-man configuration
add channel.band=2ghz-b/g/n country=canada datapath.bridge=br-mgmt \
    .client-to-client-forwarding=no .local-forwarding=no distance=indoors \
    installation=any mode=ap name=capcfg-mgmt-24 security=capsec-mgmt ssid=\
    MT-24
add channel.band=5ghz-a/n/ac country=canada datapath.bridge=br-mgmt distance=\
    indoors installation=any mode=ap name=capcfg-mgmt-5 security=capsec-mgmt \
    ssid=MT-5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-kids distance=\
    indoors installation=any mode=ap name=capcfg-kids-24 security=capsec-kids \
    ssid=Dity-24
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-kids distance=\
    indoors installation=any mode=ap name=capcfg-kids-5 security=capsec-kids \
    ssid=Dity-5
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-guest distance=\
    indoors installation=any mode=ap name=capcfg-guest-5 security=\
    capsec-guest ssid=IDontTrustYou5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-guest distance=\
    indoors installation=any mode=ap name=capcfg-guest-24 security=\
    capsec-guest ssid=IDontTrustYou24
add channel.band=2ghz-b/g/n country=canada datapath=dpath-trusted distance=\
    indoors installation=any mode=ap name=capcfg-trusted-24 security=\
    capsec-trusted ssid=Doviryayu24
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-trusted distance=\
    indoors installation=any mode=ap name=capcfg-trusted-5 security=\
    capsec-trusted ssid=Doviryayut5
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man datapath
add bridge=br-main interface-list=all name=dpath-iot vlan-id=55 vlan-mode=\
    use-tag
/caps-man configuration
add channel.band=5ghz-a/n/ac country=canada datapath=dpath-iot distance=\
    indoors installation=any mode=ap name=capcfg-iot-5 security=capsec-IOT \
    ssid=IOT-5
add channel.band=2ghz-b/g/n country=canada datapath=dpath-iot distance=\
    indoors installation=any mode=ap name=capcfg-iot-24 security=capsec-IOT \
    ssid=IOT-24
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=pool-dhcp-default ranges=10.0.199.22-10.0.199.222
add name=pool-dhcp-iot ranges=10.0.55.22-10.0.55.222
add name=pool-dhcp-guest ranges=10.0.66.22-10.0.66.222
add name=pool-dhcp-kids ranges=10.0.77.22-10.0.77.222
add name=pool-dhcp-tr-wifi ranges=10.0.99.22-10.0.99.222
add name=pool-dhcp-tr-wired ranges=10.0.88.22-10.0.88.222
add name=pool-dhcp-mgmt ranges=10.0.11.22-10.0.11.222
/ip dhcp-server
add address-pool=pool-dhcp-default interface=br-main name=defconf
add address-pool=pool-dhcp-iot interface=vl-iot name=dhcp-iot
add address-pool=pool-dhcp-guest interface=vl-guest name=dhcp-guest
add address-pool=pool-dhcp-kids interface=vl-kids name=dhcp-kids
add address-pool=pool-dhcp-tr-wifi interface=vl-tr-wifi name=dhcp-wifi
add address-pool=pool-dhcp-tr-wired interface=vl-tr-wired name=dhcp-tr-wired
add address-pool=pool-dhcp-mgmt interface=br-mgmt name=dhcp-mgmt
/caps-man manager
set ca-certificate=CAPsMAN-CA-18FD7485DDFB certificate=CAPsMAN-18FD7485DDFB \
    enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:85:DE:00 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:85:DE:01 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:99:87:16 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:99:87:17 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-24 \
    radio-mac=18:FD:74:5F:AE:A6 slave-configurations=\
    capcfg-guest-24,capcfg-iot-24,capcfg-kids-24,capcfg-trusted-24
add action=create-dynamic-enabled master-configuration=capcfg-mgmt-5 \
    radio-mac=18:FD:74:5F:AE:A7 slave-configurations=\
    capcfg-guest-5,capcfg-iot-5,capcfg-kids-5,capcfg-trusted-5
/interface bridge port
add bridge=br-main comment=defconf ingress-filtering=no interface=eth2-CAP-01
add bridge=br-main comment=defconf interface=eth3-CAP-02
add bridge=br-main comment=defconf frame-types=admit-only-vlan-tagged \
    interface=eth4-SW
add bridge=br-mgmt comment=defconf interface=eth5-mgmt
add bridge=br-main comment=defconf interface=wlan-24
add bridge=br-main comment=defconf interface=wlan-5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=br-main tagged=eth4-SW vlan-ids=55,1,11,66,77,88,99,199
add bridge=br-mgmt vlan-ids=11,199
/interface list member
add comment=defconf interface=br-main list=LAN
add comment=defconf interface=eth1-WAN list=WAN
/interface wireless cap
# 
set bridge=br-main caps-man-addresses=127.0.0.1 certificate=\
    CAPsMAN-18FD7485DDFB discovery-interfaces=br-main enabled=yes interfaces=\
    wlan-24,wlan-5
/ip address
add address=10.0.199.1/24 interface=br-main network=10.0.199.0
add address=10.0.55.1/24 interface=vl-iot network=10.0.55.0
add address=10.0.88.1/24 interface=vl-tr-wired network=10.0.88.0
add address=10.0.99.1/24 interface=vl-tr-wifi network=10.0.99.0
add address=10.0.77.1/24 interface=vl-kids network=10.0.77.0
add address=10.0.66.1/24 interface=vl-guest network=10.0.66.0
add address=10.0.11.1/24 interface=br-mgmt network=10.0.11.0
/ip dhcp-client
add comment=defconf interface=eth1-WAN
/ip dhcp-server network
add address=10.0.11.0/24 dns-server=10.0.11.1 gateway=10.0.11.1
add address=10.0.55.0/24 dns-server=10.0.55.1 gateway=10.0.55.1
add address=10.0.66.0/24 dns-server=10.0.66.1 gateway=10.0.66.1
add address=10.0.77.0/24 dns-server=10.0.77.1 gateway=10.0.77.1
add address=10.0.88.0/24 dns-server=10.0.88.1 gateway=10.0.88.1
add address=10.0.99.0/24 dns-server=10.0.99.1 gateway=10.0.99.1
add address=10.0.199.0/24 comment=defconf dns-server=10.0.199.1 gateway=\
    10.0.199.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.199.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.55.0/24 list=SN-WF-IOT
add address=10.0.66.0/24 list=SN-WF-GUEST
add address=10.0.77.0/24 list=SN-WF-KIDS
add address=10.0.88.0/24 list=SN-TR-WIRED
add address=10.0.99.0/24 list=SN-TR-WIFI
add address=10.0.0.0/8 list=RFC1918-10
add address=172.16.0.0/12 list=RFC1918-172-16
add address=192.168.0.0/16 list=RFC1918-192-168
add address=10.0.199.0/24 list=SN-OLD-MGMT
add address=10.0.0.0/8 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.0.0/16 list=RFC1918
add address=10.0.11.0/24 list=SN-MGMT
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all coming in from WAN" \
    in-interface-list=WAN
add action=accept chain=input comment=\
    "IOT has no access to other internal subnets" dst-address=10.0.55.1 \
    dst-port=67,53,123 protocol=udp src-address-list=SN-WF-IOT
add action=drop chain=input dst-address-list=RFC1918 in-interface=vl-iot \
    src-address-list=SN-WF-IOT
add action=drop chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-WF-IOT
add action=accept chain=input comment=\
    "allow trusted wifi to all internal subnets" dst-address-list=RFC1918 \
    in-interface=vl-tr-wifi src-address-list=SN-TR-WIFI
add action=accept chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-TR-WIFI
add action=accept chain=input comment=\
    "allow kids to IOT and Guest networks but nothing else" dst-address=\
    10.0.77.1 dst-port=67,53,123 protocol=udp src-address-list=SN-WF-KIDS
add action=accept chain=input dst-address-list=SN-WF-IOT in-interface=vl-kids \
    src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address-list=SN-WF-IOT src-address-list=\
    SN-WF-KIDS
add action=accept chain=input dst-address-list=SN-WF-GUEST in-interface=\
    vl-kids src-address-list=SN-WF-KIDS
add action=accept chain=forward dst-address-list=SN-WF-GUEST \
    src-address-list=SN-WF-KIDS
add action=drop chain=input dst-address-list=RFC1918 in-interface=vl-kids \
    src-address-list=SN-WF-KIDS
add action=drop chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-WF-KIDS
add action=accept chain=input comment="allow MGMT to all internal subnets" \
    dst-address-list=RFC1918 in-interface=br-mgmt src-address-list=SN-MGMT
add action=accept chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-MGMT
add action=accept chain=input comment=\
    "allow trusted wired to all internal subnets" dst-address-list=RFC1918 \
    in-interface=vl-tr-wired src-address-list=SN-TR-WIRED
add action=accept chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-TR-WIRED
add action=accept chain=input comment=\
    "Block GUESTs from all internal subnets" dst-address=10.0.66.1 dst-port=\
    67,53,123 protocol=udp src-address-list=SN-WF-GUEST
add action=drop chain=input dst-address-list=RFC1918 in-interface=vl-guest \
    src-address-list=SN-WF-GUEST
add action=drop chain=forward dst-address-list=RFC1918 src-address-list=\
    SN-WF-GUEST
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24
set ssh address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24
set www-ssl address=10.0.11.0/24,10.0.88.0/24,10.0.99.0/24,10.0.199.0/24 \
    disabled=no
set winbox address=10.0.99.0/24,10.0.88.0/24,10.0.199.0/24,10.0.11.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/system identity
set name=MT-Router-01
/system ntp server
set enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
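As an added example (not part of the original post, and not taken from MikroTik's own documentation), here is what the bridge VLAN section of the export above could look like under the single-bridge, VLAN-filtering approach: one entry per VLAN, br-main itself listed as a tagged member so the vl-* interfaces and the DHCP servers bound to them keep working once filtering is on, the trunk to the CSS326 admitting only tagged frames, and the CAP uplinks left as untagged ports on the bridge's own PVID. Interface names and VLAN IDs come from the export; the choice of PVID 1 for the CAP ports, keeping VLAN 1 off the trunk, and the order of operations are assumptions. IP addresses and the separate br-mgmt bridge are left as they are in the export.

```routeros
/interface bridge
# keep filtering off while the table is being built; turn it on as the last step
set br-main vlan-filtering=no

/interface bridge port
# trunk to the CSS326: tagged frames only, and drop any VID not in the table below
set [ find interface=eth4-SW ] frame-types=admit-only-vlan-tagged ingress-filtering=yes
# CAP uplinks: untagged access ports on the bridge's own PVID (1 is assumed here)
set [ find interface=eth2-CAP-01 ] pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=eth3-CAP-02 ] pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# one entry per VLAN carried on the trunk; br-main is tagged so the router's vl-* interfaces see the traffic
add bridge=br-main tagged=br-main,eth4-SW vlan-ids=11
add bridge=br-main tagged=br-main,eth4-SW vlan-ids=55
add bridge=br-main tagged=br-main,eth4-SW vlan-ids=66
add bridge=br-main tagged=br-main,eth4-SW vlan-ids=77
add bridge=br-main tagged=br-main,eth4-SW vlan-ids=88
add bridge=br-main tagged=br-main,eth4-SW vlan-ids=99
add bridge=br-main tagged=br-main,eth4-SW vlan-ids=199
# VLAN 1 stays local to the untagged CAP ports; it is deliberately not tagged on eth4-SW,
# which avoids the "port with pvid added to untagged group" warning the export printed
add bridge=br-main untagged=eth2-CAP-01,eth3-CAP-02 vlan-ids=1

/interface bridge
# enable last, from a session on a port that is still reachable afterwards (eth5-mgmt / br-mgmt here)
set br-main vlan-filtering=yes
```

Two checks after the last line: `/interface bridge vlan print` should show no dynamic (D) entry putting eth4-SW untagged into VLAN 1, and `/interface bridge host print` should list the switch-side MAC addresses with the expected VID for each VLAN. Because the trunk rejects untagged frames, any VLAN missing from this table simply does not cross the link, which is the behaviour you want on a port that carries the management VLAN.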

This is probably what you are remembering: Firewall Filter

or perhaps you were remembering the even more complicated: Packet Flow in RouterOS

I still see two bridges, as mentioned earlier please stick to one bridge.
When it comes to VLAN, please use this topic only:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

It has got lots of examples and will guide you to a working environment.
My experience is that there is a lot of crap, especially on YouTube, when it comes to Mikrotik.

Thanks Buckeye those are both the ones I was looking for!

Regarding my management bridge - I think it is irrelevant. I am not trying to integrate it in any way with br-main; it is just a static configuration that gives me access while I mess around with br-main to get it working, so I won’t lose connection to the device. When I get br-main working it is very likely that br-mgmt will disappear.

The thing I am confused with concerning that VLAN thread is that it was created before the “new method” was created - and everything I read since the introduction of the “new method” says it is the only method that should be used. So doesn’t that VLAN thread need revision? Anyway I will do my best to work through that to see what I can come up with.

Also erlinden you tell me only one bridge and point me to the VLAN thread - and the first configuration there creates 4 bridges on the router

/queue interface
set bridge-guest queue=no-queue
set bridge-local queue=no-queue
set bridge-untrusted queue=no-queue
set bridge-vlan5 queue=no-queue
set loopback queue=no-queue
/interface vlan
