VLANs getting internet but not reaching DHCP server

Here is my problem. We are moving over to a MikroTik as our main router device. When I plug in the tagged cable on eth3 and my internet on eth1, it eventually gives me internet throughout my network; however, it is on the wrong network.

Please ignore the eth2 ramblings here, as we are in the process of moving to more organized (and correct) IP ranges and new VLANs. What I am going for right now is that if I plug a tagged cable into eth3 and my internet into eth1, I get my properly segregated network.

Here are my current settings:

# 2023-07-27 13:31:07 by RouterOS 7.10.2
# software id = PX4R-TYGY
# model = CCR2116-12G-4S+
# serial number = HDJ08S6BPMG

/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface vlan
add interface=ether2 name=Admin vlan-id=200
add interface=ether2 name=Camera vlan-id=204
add interface=ether2 name=Dante vlan-id=208
add interface=ether2 name=Finance vlan-id=2012
add interface=ether2 name=Guest vlan-id=2016
add interface=ether2 name=IOT vlan-id=2024
add interface=ether3 name="Old 108" vlan-id=108
add interface=ether3 name=Oldadmin vlan-id=1
add interface=ether2 name=Printer vlan-id=2028
add interface=ether2 name=Production vlan-id=2032
add interface=ether2 name=Staff vlan-id=2036
add interface=ether2 name=Student vlan-id=2040
add interface=ether2 name=Voip vlan-id=2048
add interface=ether3 name="old 120" vlan-id=120
add interface=ether3 name="old 128" vlan-id=128
add interface=ether3 name="old 140" vlan-id=140
add interface=ether3 name="old 160" vlan-id=160
add interface=ether3 name="old 190" vlan-id=190
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface="old 128" pvid=128
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=Oldadmin
add bridge=bridge1 interface="old 140" pvid=140
/interface bridge vlan
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=108
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=120
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=128
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=140
add bridge=bridge1 tagged=ether3,bridge1 vlan-ids=160
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=ether1 list=WAN
add interface=ether3 list=LAN
/ip address
add address=192.168.0.250/24 interface=ether3 network=192.168.0.0
add address=72.2.11.146/28 interface=ether1 network=72.2.11.144
add address=10.20.0.99/22 interface=ether2 network=10.20.0.0
add address=172.10.8.1/24 interface="Old 108" network=172.10.8.0
add address=172.10.28.1/24 interface="old 128" network=172.10.28.0
/ip dhcp-client
add disabled=yes interface=ether13
/ip dhcp-relay
add dhcp-server=192.168.0.4 disabled=no interface="old 140" name=relay1
add dhcp-server=192.168.0.7 disabled=no interface=ether2 name=relay2
add dhcp-server=192.168.0.4 disabled=no interface="old 128" name=relay3
add dhcp-server=192.168.0.4 disabled=no interface=Oldadmin name=relay4
/ip dns
set allow-remote-requests=yes servers=149.112.121.30
/ip firewall filter
add action=passthrough chain=forward dst-address=192.168.0.4 in-interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=72.2.11.145 routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=America/Winnipeg
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

Provide a network diagram of what you want to have occur… the more details on the diagram the better.

Obvious errors are various /interface vlan and /ip address items being attached to interfaces which are members of a bridge, also ether1 which appears to be the WAN connection being a member of the bridge.
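To make the two errors above concrete, here is an added example of the ether3 side laid out the way RouterOS bridge VLAN filtering expects (this is not the poster's config or the thread's attachment). It assumes the old VLAN IDs, the 172.10.x.x subnets and the DHCP server 192.168.0.4 from the posted export, that the DHCP server sits on the bridge's untagged 192.168.0.0/24 network, and that ether1 is the WAN and is left out of the bridge.

```routeros
# Added example, not the thread's own config. Assumptions: ether3 is the tagged
# trunk, 192.168.0.4 (the DHCP server) lives on the untagged 192.168.0.0/24
# network behind ether3, and ether1 is the WAN and is NOT a bridge member.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether3
# ether1 is deliberately absent: a WAN port inside the LAN bridge puts the
# provider link on the same layer-2 segment as the untagged LAN.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=108
add bridge=bridge1 tagged=bridge1,ether3 vlan-ids=128
# Layer-3 VLAN interfaces hang off the bridge itself, never off the member
# port; a VLAN interface on ether3 is bypassed once vlan-filtering is on.
/interface vlan
add interface=bridge1 name=vlan108 vlan-id=108
add interface=bridge1 name=vlan128 vlan-id=128
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=vlan108 list=LAN
add interface=vlan128 list=LAN
/ip address
add address=72.2.11.146/28 interface=ether1 network=72.2.11.144
add address=192.168.0.250/24 interface=bridge1 network=192.168.0.0
add address=172.10.8.1/24 interface=vlan108 network=172.10.8.0
add address=172.10.28.1/24 interface=vlan128 network=172.10.28.0
/ip route
add dst-address=0.0.0.0/0 gateway=72.2.11.145
# Relay on the VLAN interfaces; local-address becomes the giaddr the DHCP
# server uses to pick the scope, so it must be the VLAN's own gateway IP.
/ip dhcp-relay
add dhcp-server=192.168.0.4 disabled=no interface=vlan108 local-address=172.10.8.1 name=relay108
add dhcp-server=192.168.0.4 disabled=no interface=vlan128 local-address=172.10.28.1 name=relay128
# Masquerade towards the WAN list, not the bridge.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Enable filtering last, once the VLAN interfaces and addresses exist, so the
# management path over the untagged network is not cut mid-configuration.
/interface bridge
set bridge1 vlan-filtering=yes
```

The DHCP server at 192.168.0.4 still needs a scope for each relayed subnet (172.10.8.0/24 and 172.10.28.0/24) and a route back to them via 192.168.0.250, otherwise relayed DISCOVERs arrive but get no matching offer.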

Here is my basic network diagram
Blank diagram.png
Sorry, the gentleman who introduced me to the MikroTik world always had me put my WAN in the bridge to allow internet to the different ports. Was I misinformed?

So I have completely reloaded back to factory, then went through the basic VLAN configuration, only changing it to my information (see updated config). I am still not getting the VLAN traffic to relay to my DHCP server.

Any help is appreciated; I am underwater here.
newsetup.rsc (3.26 KB)

-Get rid of vlan1 for any data purposes; change it to vlan11, for example.
-Firewall rules are very sparse; are you presuming an upstream router is taking care of the firewall?
-Additionally, lack of logic: admin is already part of vlan, so the input chain rule for the admin interface is useless (note: not supporting current FW structure).
-Why the duplicate source NAT rules?
-Missing neighbour discovery, which should be set to the BASE interface.
-All downstream devices should get their IP address on the Admin subnet.

-Get rid of vlan1 for any data purposes; change it to vlan11, for example.

Ok, I'll make that change.

-Firewall rules are very sparse; are you presuming an upstream router is taking care of the firewall?

The first goal will be getting addresses and the internet connection working. Then I was going to take care of the firewall.

-Additionally, lack of logic: admin is already part of vlan, so the input chain rule for the admin interface is useless (note: not supporting current FW structure).

Taken care of.

-Why the duplicate source NAT rules?

I only see the one in Winbox, with it being a srcnat masquerade on the WAN interface list.

-Missing neighbour discovery, which should be set to the BASE interface.

Done
-All downstream devices should get their IP address on the Admin subnet.

Roger that. My error; I meant to say duplicate IP routes, not srcnat.

/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input in-interface-list=base src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=53 in-interface-list=vlan protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=vlan protocol=tcp
add action=drop chain=input comment="drop all else"
{forward chain}
(default rules to keep)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=vlan out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { disable if not required }
add action=drop chain=forward comment="drop all else"

Note: although BASE contains the admin subnet, I never assume that all users on the admin network need access to configure the router, hence the src-address-list.
Moreover, if at some point you include a VPN such as WireGuard, you will want to add the potential for you to configure the router remotely, and thus the obvious thing to do is add the WireGuard interface to BASE. However, if you have multiple road warriors, then the others would not need access to the router, and again, hence a source address list.

In any case, this probably suffices for now…
add action=accept chain=input in-interface-list=base

Appreciate it. Going to do another test cutover when we are on a downtime tomorrow morning.