VLANs - different address on different ports

Hello!
I'm new here, so please be tender :slight_smile:

I have an MT hEX router with an (almost) default configuration. I want to do the following:

  1. a different VLAN on every ether port (2-5) (vlan_2 on ether2 and so on)
  2. the DHCP server should offer different addresses on each ether port/VLAN, for example 192.168.2.X on ether2 (vlan_2) and 192.168.3.X on ether3 (vlan_3)
  3. block Internet access for all devices connected to ether3 (vlan_3); I don't want my CCTV cameras to send anything outside the LAN :slight_smile:

That's all :slight_smile: I'm stuck, so help with such a configuration would be really appreciated.
[attachment: mikrotik_vlan.png]
Thanks in advance!

http://forum.mikrotik.com/t/dhcp-over-multiple-vlans/149285/1
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

The problem is that you are stating requirements based on configuration, which is the wrong approach: it complicates matters and confuses you.
Ports have nothing to do with DHCP, unless you are attaching a subnet directly to a port.
If using just VLANs, then ports are transparent.

Read the article, and if you want help, state a clear set of requirements based on what you want users/devices to be able to do or not do, WITHOUT any mention of config.
Doesn't matter if it's 5, 10 or 20 lines long; the clearer the requirement, the better an optimized solution can be had.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thank you for quick support!

I've read "Using RouterOS to VLAN your network", but something went wrong and I lost my MT access, so I had to reset it. Now it works fine; beginner problems :slight_smile:

My idea is this:
[attachment: MT_LAN.jpg]
MT is connected to a server which offers it 192.168.0.50 via DHCP. I'd like to attach different LAN segments to MT.

  • port eth2 for one PC; I'd like to offer this client an IP from subnet 192.168.20.XX via DHCP from MT
  • port eth3 will be attached to an unmanaged switch where the IP cams are connected; I'd like to offer them IPs from subnet 192.168.30.XX via DHCP from MT
  • port eth4 for one NAS; I'd like to offer this client an IP from subnet 192.168.40.XX via DHCP from MT
  • port eth5 will be attached to an unmanaged switch where PC clients (192.168.50.10..100 via DHCP from MT), WiFi clients (192.168.50.101..200) and IoT/sensors (192.168.50.201..250) will be connected

PCs will be NATed

My idea is to use VLANs to separate subnets on MT and DHCP for subnet addressing. Can it be done better/faster/less complicated?

Next, I'm planning to prepare different policies for each subnet/range (for example block Internet access for IP cams, allow only PC clients access to the NAS, block IoT clients' access to IP cams and so on).

If you'll have exactly what's in your diagram, i.e. one LAN per port, each port a different LAN, then you don't need VLANs at all. Simply remove all ports from the bridge (then remove the bridge), set an appropriate IP address on each physical port and you're done. Add DHCP servers to the interfaces you need (or configure DHCP relay if you want one central DHCP server that isn't on the router itself). The rest (firewall etc.) is usually not bound to interfaces but rather to IP subnets. Ditto for routing.

@mikrotikshell What you are doing with your hEX is almost exactly what I am doing with mine except that I do have one port that is a VLAN trunk for a few additional LANs. The router is exclusively functioning as a router and all the switch functions are being handled in separate switches. Therefore there is no bridge set up in the router. My firewall requirements are a bit different than yours, but the basic functionality is similar. Each LAN or VLAN has a separate DHCP server and IP pool.

BTW (and I'm surprised that anav has not already requested this), if you are going to show us all or a part of your configuration, you are far better off exporting the router configuration and posting the resulting file instead of posting screen captures. To do that (and I'm assuming you are using WebFig or Winbox), open a terminal window and type /export hide-sensitive file=any-filename-you-wish. Then open the Files section and download the file to your computer. It will be a text file with whatever name you saved it under, with an extension of .rsc. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.

Thanks for response.
Just for educational purposes: is this possible without removing the bridge, using VLANs? For example, when I'll want different VLANs on a single ethernet port?

You sure can keep the bridge and use VLANs for port separation. If you haven't already, have a look at this tutorial. What is special in your case is that only a single physical port will be an untagged member of the corresponding VLAN, while the bridge interface will be a tagged member of all VLANs.

Thank you very much. I've tried to do so; I think only the bridge interface as a tagged member of the VLANs is left (don't know how to do that…)

/interface bridge
add admin-mac=XXXXXX auto-mac=no comment=defconf name=bridge \
    protocol-mode=none
/interface vlan
add interface=ether2 name=vlan-ether2-PC vlan-id=20
add interface=ether3 name=vlan-ether3-CAMS vlan-id=30
add interface=ether4 name=vlan-ether4-NAS vlan-id=40
add interface=ether5 name=vlan-ether5-LAN vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.40.2-192.168.40.254
add name=dhcp_pool4 ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=vlan-ether2-PC name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan-ether3-CAMS name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=vlan-ether4-NAS name=dhcp3
add address-pool=dhcp_pool4 disabled=no interface=vlan-ether5-LAN name=dhcp4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.20.1/24 interface=vlan-ether2-PC network=192.168.20.0
add address=192.168.30.1/24 interface=vlan-ether3-CAMS network=192.168.30.0
add address=192.168.40.1/24 interface=vlan-ether4-NAS network=192.168.40.0
add address=192.168.50.1/24 interface=vlan-ether5-LAN network=192.168.50.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

The config you posted has nothing to do with bridge vlan-filtering which is nicely explained by tutorial I mentioned in my previous post.

Trying to understand bridges and VLANs… Does this make more sense?

/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

# access ports: one untagged VLAN per port, set via pvid
/interface bridge port
add bridge=BR1 interface=ether2 pvid=20
add bridge=BR1 interface=ether3 pvid=30
add bridge=BR1 interface=ether4 pvid=40
add bridge=BR1 interface=ether5 pvid=50

# ether1 is the tagged trunk towards the upstream side
/interface bridge port
add bridge=BR1 interface=ether1

# VLAN table: access VLANs are carried tagged on ether1; VLAN 99 is the
# management VLAN, tagged on ether1 and on the bridge itself
/interface bridge vlan
add bridge=BR1 tagged=ether1 vlan-ids=20
add bridge=BR1 tagged=ether1 vlan-ids=30
add bridge=BR1 tagged=ether1 vlan-ids=40
add bridge=BR1 tagged=ether1 vlan-ids=50
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99

/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.3/24 interface=BASE_VLAN
/ip route add distance=1 gateway=192.168.0.1

# access ports admit only untagged frames, the trunk only tagged ones
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]

/interface bridge port set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]

/interface bridge set BR1 vlan-filtering=yes

Again, if the diagram is your stated method of showing us your requirements, why are you farting around with VLANs?
mkx said quite clearly you don't need any. Suggesting you set up your router without VLANs according to the diagram you want.
When you have that done post your FULL config, not just what you think you need to show!! (not the sensitive stuff).

THEN and only then should you contemplate the addition of additional requirements or functionality.
One step at a time, walk before you run, keep it simple.

Adding VLANs will be dirt simple after the fact, but you're stuck halfway in between, spinning in circles.

You're almost there.
Just make sure that the other end-point of the ether1 link is using tagged VLANs; the configuration for the ether1 port should match the configuration of the other end.

Since the device will be doing routing between different IP subnets (in your original config the device has IP addresses in all VLANs), you'll have to add the bridge interface as a tagged member of all needed VLANs, so all VLANs should have an /interface bridge vlan configuration command similar to the one configuring VLAN 99. Then you'll need appropriate /interface vlan interfaces for the rest of the VLANs (in the same manner as you have BASE_VLAN).
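The setup mkx describes, written out as an added example (my config, not the thread's and not taken from the tutorial linked above): each of ether2-ether5 is an untagged access port in its own VLAN, the bridge itself is the tagged member that delivers every VLAN to the router's L3 interfaces, and vlan-filtering is switched on last. Assumptions: RouterOS 6.48 syntax, bridge name BR1 and VLAN IDs 20/30/40/50 from the attempt above, ether1 left outside the bridge as the WAN port (the attempt above instead makes it a tagged trunk; either works as long as it matches the far end), and the interface, pool and DHCP server names, which are mine.

```routeros
# Added example, not the thread's config. Assumes RouterOS 6.48, bridge BR1,
# VLAN IDs 20/30/40/50, ether1 = WAN and not a bridge port. Names are invented.
# Apply from a terminal in Safe Mode (Ctrl-X) so a lockout is rolled back.

/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=no

# Access ports: each port is untagged in exactly one VLAN (pvid).
# ingress-filtering plus frame-types stops a host on the port from injecting
# its own 802.1Q tags to hop into another VLAN.
/interface bridge port
add bridge=BR1 interface=ether2 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether3 pvid=30 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether4 pvid=40 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=BR1 interface=ether5 pvid=50 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: BR1 (the bridge itself) is the tagged member of every VLAN,
# which is what lets the router's /interface vlan interfaces see the traffic.
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2 vlan-ids=20
add bridge=BR1 tagged=BR1 untagged=ether3 vlan-ids=30
add bridge=BR1 tagged=BR1 untagged=ether4 vlan-ids=40
add bridge=BR1 tagged=BR1 untagged=ether5 vlan-ids=50

# L3 interfaces sit on the bridge, not on the physical ports.
/interface vlan
add interface=BR1 name=VLAN20_PC vlan-id=20
add interface=BR1 name=VLAN30_CAMS vlan-id=30
add interface=BR1 name=VLAN40_NAS vlan-id=40
add interface=BR1 name=VLAN50_LAN vlan-id=50

/ip address
add address=192.168.20.1/24 interface=VLAN20_PC
add address=192.168.30.1/24 interface=VLAN30_CAMS
add address=192.168.40.1/24 interface=VLAN40_NAS
add address=192.168.50.1/24 interface=VLAN50_LAN

/ip pool
add name=pool_PC ranges=192.168.20.20-192.168.20.200
add name=pool_CAMS ranges=192.168.30.10-192.168.30.200
add name=pool_NAS ranges=192.168.40.10-192.168.40.200
add name=pool_LAN ranges=192.168.50.10-192.168.50.200

# One DHCP server per VLAN interface; the gateway is the VLAN address.
/ip dhcp-server
add name=dhcp_PC interface=VLAN20_PC address-pool=pool_PC disabled=no
add name=dhcp_CAMS interface=VLAN30_CAMS address-pool=pool_CAMS disabled=no
add name=dhcp_NAS interface=VLAN40_NAS address-pool=pool_NAS disabled=no
add name=dhcp_LAN interface=VLAN50_LAN address-pool=pool_LAN disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1

# The default firewall matches on the LAN/WAN lists, so the VLAN interfaces
# (not BR1 and not the ethernet ports) are what go into LAN.
/interface list member
add interface=ether1 list=WAN
add interface=VLAN20_PC list=LAN
add interface=VLAN30_CAMS list=LAN
add interface=VLAN40_NAS list=LAN
add interface=VLAN50_LAN list=LAN

# Last step: enable filtering. Leave Safe Mode only once you can still reach
# the router from a VLAN port.
/interface bridge set BR1 vlan-filtering=yes
```

Before the final line, `/interface bridge vlan print` should show each VLAN with BR1 tagged and a single port untagged; after it, `/interface bridge host print` lists the learned MACs together with the VLAN they were seen in, which is the quickest check that a camera on ether3 is in VLAN 30 and nowhere else. Doing this in Safe Mode matters because a wrong VLAN table takes the management path with it, which is the lockout mentioned earlier in the thread.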

Maybe it is stupid, but there are two reasons:

  1. Most important: I'd like to know how VLANs work. I've built a few small networks/servers, but I never had the need for VLANs. Now I have MT and am building the network from scratch, and have the ability to understand how it works.
  2. I want to prepare my network for future changes. Of course I can build one LAN on one physical port, but maybe there will be a need to build two LANs on a single port. Then it will be easier to add a new VLAN than to rearrange the whole configuration.

So, yes, I know that it isn't as simple as it could be (yep, KISS), but the educational purpose is important for me.

Hope there isn't anything wrong with my line of thought :slight_smile:

None at all, but in terms of learning,
a. it's really cool to see that you set up your network without VLANs and without the use of a bridge.
b. then add a bridge and a few VLANs (a mix of both worlds).
c. and then screw subnets and ports, join the Borg and ONLY do VLANs.

In this way you still learn about VLANs but get a wider appreciation of the router's wide scope of possibilities.
In any case, if you want to change the requirements, then post a different diagram (or modify the one you have) of what you would like to achieve (make it accurate, or config to the diagram).

OK :slight_smile: First step: no VLANs, no bridge.
My setup without VLANs now looks like this:

# aug/30/2021 20:37:55 by RouterOS 6.48.4
# software id = ICTI-3408
#
# model = RB750Gr3
# serial number = XXXXXXXXXXXX
/interface list
add comment=defconf name=WAN
add name=LAN-ether2
add name=LAN-ether3
add name=LAN-ether4
add name=LAN-ether5
add comment=defconf include=LAN-ether2,LAN-ether3,LAN-ether4,LAN-ether5 name=\
    LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_ether2_192.168.20.0 ranges=192.168.20.20-192.168.20.200
add name=dhcp_ether3_192.168.30.0 ranges=192.168.30.10-192.168.30.200
add name=dhcp_ether4_192.168.40.0 ranges=192.168.40.10-192.168.40.200
add name=dhcp_ether5_192.168.50.0 ranges=192.168.50.10-192.168.50.200
/ip dhcp-server
add address-pool=dhcp_ether2_192.168.20.0 disabled=no interface=ether2 name=\
    DHCP-ether2
add address-pool=dhcp_ether3_192.168.30.0 disabled=no interface=ether3 name=\
    DHCP-ether3
add address-pool=dhcp_ether4_192.168.40.0 disabled=no interface=ether4 name=\
    DHCP-ether4
add address-pool=dhcp_ether5_192.168.50.0 disabled=no interface=ether5 name=\
    DHCP-ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN-ether2
add interface=ether3 list=LAN-ether3
add interface=ether4 list=LAN-ether4
add interface=ether5 list=LAN-ether5
/ip address
add address=192.168.30.1/24 interface=ether3 network=192.168.30.0
add address=192.168.40.1/24 interface=ether4 network=192.168.40.0
add address=192.168.50.1/24 interface=ether5 network=192.168.50.0
add address=192.168.20.1/24 interface=ether2 network=192.168.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="MY FW STARTS HERE" in-interface-list=\
    LAN-ether2
add action=accept chain=forward in-interface-list=LAN-ether2
add action=accept chain=input in-interface-list=LAN-ether3
add action=accept chain=forward in-interface-list=LAN-ether3
add action=accept chain=input in-interface-list=LAN-ether4
add action=accept chain=forward in-interface-list=LAN-ether4
add action=accept chain=input in-interface-list=LAN-ether5
add action=accept chain=forward in-interface-list=LAN-ether5
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

So far it works fine: different ETH ports got different IP ranges, all of them got internet access and access to MT (access limits will be done in the future).
Is my configuration OK?

Yikes what did you do LOL…

This is what your interface list should look like
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

This is what your interface list members should look like (just modify the interface name to what you are using.)
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether1 list=WAN

I think what's screwed up is that at the start your ETHERNET INTERFACE is not set up.

You should only have four of everything (pools, DHCP servers etc.) if you have four subnets??
Understand you are probably keeping the default original while configuring, so okay!

Firewall rules are partially okay; where you kept the defaults mostly okay, the rest needs review.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
{note - should be here in the order of rules}

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Everything below is suspect!!! and dependent upon requirements.
Suggesting you get rid of them and state the requirements of what you're trying to do, without talking about the config but simply in terms of users/devices.

add action=accept chain=input comment="MY FW STARTS HERE" in-interface-list=LAN-ether2
add action=accept chain=forward in-interface-list=LAN-ether2
add action=accept chain=input in-interface-list=LAN-ether3
add action=accept chain=forward in-interface-list=LAN-ether3
add action=accept chain=input in-interface-list=LAN-ether4
add action=accept chain=forward in-interface-list=LAN-ether4
add action=accept chain=input in-interface-list=LAN-ether5
add action=accept chain=forward in-interface-list=LAN-ether5


TO CONTROL internet access simply add an Interface list ENTRY
like so.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=internet_access name=With_INT

/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether1 list=WAN

add interface=ether2 list=With_INT
add interface=ether4 list=With_INT
add interface=ether5 list=With_INT

In firewall rules.

Add last rule
add chain=forward action=drop comment="drop all else"
Right before this last rule add
add chain=forward action=accept in-interface-list=With_INT out-interface-list=WAN

Now only LANs 2, 4 and 5 will have access to the internet.
As an added bonus all connectivity between the subnets should be blocked as well.
LAN2 should not be able to reach any other LAN, for example.
If you wish to ensure routing between them is possible
then you would add BEFORE THE LAST DROP ALL RULE… (for all of these)

add chain=forward action=accept in-interface=ether2 out-interface=ether3 I think you get the idea.

If you only wanted one IP address in LAN2 to access LAN3
add chain=forward action=accept src-address=<LAN2 IP address> out-interface=ether3

If you wanted a few IP addresses to access LAN 3 then create a firewall address list containing those IPs and call it TOLAN3
add chain=forward action=accept src-address-list=TOLAN3 out-interface=ether3

Great Scott! You're great :slight_smile: Thanks for help!
The LAN rules idea is now this:
[attachment: MT_LAN.jpg]
and my configuration is as follows (is it OK now?):

# aug/31/2021 19:32:47 by RouterOS 6.48.4
# software id = ICTI-3408
#
# model = RB750Gr3
# serial number = XXXXX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="NO internet access" name=ALLOW_INTERNET
/ip pool
add name=dhcp_ether2_PC ranges=192.168.20.20-192.168.20.200
add name=dhcp_ether3_CAMS ranges=192.168.30.10-192.168.30.200
add name=dhcp_ether4_NAS ranges=192.168.40.10-192.168.40.200
add name=dhcp_ether5_WiFi ranges=192.168.50.10-192.168.50.200
/ip dhcp-server
add address-pool=dhcp_ether2_PC disabled=no interface=ether2 lease-time=2w \
    name=DHCP-PC
add address-pool=dhcp_ether3_CAMS disabled=no interface=ether3 lease-time=2w \
    name=DHCP-CAMS
add address-pool=dhcp_ether5_WiFi disabled=no interface=ether5 lease-time=2w \
    name=DHCP-WiFi
add address-pool=dhcp_ether4_NAS disabled=no interface=ether4 lease-time=2w \
    name=DHCP-NAS
/system logging action
add disk-file-name=disk1/log name=usb target=disk
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add comment=WAN interface=ether1 list=WAN
add comment="LAN - PC" interface=ether2 list=LAN
add comment="LAN - CAMS" interface=ether3 list=LAN
add comment="LAN - NAS" interface=ether4 list=LAN
add comment="LAN - WiFi" interface=ether5 list=LAN
add interface=ether2 list=ALLOW_INTERNET
add interface=ether5 list=ALLOW_INTERNET
/ip address
add address=192.168.30.1/24 interface=ether3 network=192.168.30.0
add address=192.168.40.1/24 interface=ether4 network=192.168.40.0
add address=192.168.50.1/24 interface=ether5 network=192.168.50.0
add address=192.168.20.1/24 interface=ether2 network=192.168.20.0
add address=192.168.10.1 interface=ether1 network=192.168.10.1
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server config
set store-leases-disk=1d
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.10.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.10.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.10.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.10.1 gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=NOT_LAN
add action=accept chain=input comment="MY FW: accept INPUT from LAN" \
    in-interface-list=LAN
add action=accept chain=forward comment=\
    "MY FW: accept only ALLOWED FORWARD from LAN" in-interface-list=\
    ALLOW_INTERNET
add action=accept chain=forward comment="MY FW: allow PCs access to all LAN" \
    in-interface=ether2 out-interface-list=LAN
add action=drop chain=forward comment=\
    "MY FW: drop IoT clients INTERNET access" src-address=\
    192.168.50.201-192.168.50.250
add action=accept chain=forward comment=\
    "MY FW: allow WiFis access to all LAN" in-interface=ether5 \
    out-interface-list=LAN
add action=accept chain=forward comment="MY FW: allow NAS access to CAMs" \
    in-interface=ether4 out-interface=ether3
add action=drop chain=forward comment="MY FW: drop ALL else" log=yes \
    log-prefix=DROP_ELSE
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add local-address=192.168.50.50 name=xxxxxx profile=default-encryption \
    remote-address=192.168.50.100 service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system logging
set 0 action=usb
set 1 action=usb
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
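The interface-list approach anav describes above (a list for the ports that may reach the internet, an accept from that list to WAN, a drop-everything-else rule last), applied to the ports in the config just posted, as an added example rather than the thread's own config. The forward chain is first-match: in the posted config the accept for in-interface-list=ALLOW_INTERNET (which contains ether5) sits above the drop for 192.168.50.201-192.168.50.250, so an internet-bound packet from an IoT address is accepted before the drop is ever evaluated; this example puts the narrow drops first. Assumptions: the no-VLAN layout (ether2 PC, ether3 CAMS, ether4 NAS, ether5 PC+WiFi+IoT on one switch), the LAN/WAN/ALLOW_INTERNET lists as posted, the IoT range from the original plan, RouterOS 6.48, and the rule comments and the IOT address-list name, which are mine.

```routeros
# Added example, not the thread's config. Assumes the no-VLAN layout above
# (ether2=PC, ether3=CAMS, ether4=NAS, ether5=PC+WiFi+IoT), interface lists
# LAN/WAN/ALLOW_INTERNET as posted, IoT range .201-.250 from the original plan,
# RouterOS 6.48. Comments and the list name IOT are invented.

# While IoT shares ether5 with PCs and WiFi, source addresses are the only
# handle on it; there is no separate interface to match.
/ip firewall address-list
add list=IOT address=192.168.50.201-192.168.50.250 comment="IoT/sensors on ether5"

/ip firewall filter
# The defconf forward rules (fasttrack, accept established/related/untracked,
# drop invalid, drop WAN not DSTNATed) keep their place at the top of the chain.

# 1. Narrow denies first. Placed after a broad accept for ether5 they would
#    never match, because evaluation stops at the first matching rule.
add chain=forward action=drop comment="IoT: no internet" \
    src-address-list=IOT out-interface-list=WAN
add chain=forward action=drop comment="IoT: no access to cameras" \
    src-address-list=IOT out-interface=ether3

# 2. Internet only for ports in ALLOW_INTERNET (ether2, ether5). The camera and
#    NAS ports are not in the list, so their WAN-bound traffic reaches the final drop.
add chain=forward action=accept comment="internet for ALLOW_INTERNET" \
    in-interface-list=ALLOW_INTERNET out-interface-list=WAN

# 3. LAN-to-LAN permissions, one direction each. Replies are already accepted
#    by the established/related rule, so no reverse rule is needed.
add chain=forward action=accept comment="PCs reach all LANs" \
    in-interface=ether2 out-interface-list=LAN
add chain=forward action=accept comment="ether5 clients reach all LANs" \
    in-interface=ether5 out-interface-list=LAN
add chain=forward action=accept comment="NAS reaches cameras" \
    in-interface=ether4 out-interface=ether3

# 4. Default deny. Keep log=yes while tuning, then switch it off.
add chain=forward action=drop comment="drop all else" log=yes log-prefix=DROP_ELSE
```

Check it with `/ip firewall filter print stats` after generating traffic from each segment: an outbound attempt from an IoT address should increment the "IoT: no internet" counter, not DROP_ELSE. Two caveats follow from the posted config rather than from this example. The ether5 pool hands out 192.168.50.10-192.168.50.200, so devices meant to live in .201-.250 need static leases (/ip dhcp-server lease) or a second pool, or they never land in the IOT list. And a source-address match on a shared unmanaged segment is policy, not isolation: any host on ether5 can pick an address outside the range, which is the managed-switch point made in the next reply.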

LUV the diagram!!!
Just looking at it quickly, I ascertained you need another port or a managed switch!

You cannot separate users on the subnet attached to ether5. They are all on the same LAN.
You should separate users and IoT devices into two different ports and subnets!!
It is also not clear if the PC clients are separate from the WiFi clients in terms of security (don't think so), but do you have a guest WiFi separate from the home WiFi?

You also have to spend money, as you have now run out of ports and need a managed switch.
This also means you will need at least two VLANs.

You crack me up with this interface name; are you coming or going… :wink:
add comment="NO internet access" name=ALLOW_INTERNET

Firewall rules are overly complex, but no point in addressing them till we get an overall design that will work.

"add comment="NO internet access" name=ALLOW_INTERNET" - forgot to change the comment :slight_smile:

Yes, I know: WiFi, PC and IoT users are connected to an unmanaged switch and have access to each other on the 192.168.50.XX subnet. I have no managed switch and no spare port.
Can separation of IoT and (WiFi + PC) be done using VLANs?