ali22291112
just joined
Topic Author
Posts: 3
Joined: Wed Jul 24, 2019 3:10 pm

RB4011, Ubiquiti devices, VLANs and IPSEC

Wed Jul 24, 2019 3:17 pm

First: I am new to MikroTik and RouterOS.

Second: I just got my RB4011. I already have a Ubiquiti Switch and 3 Ubiquiti NanoHDs.

Third: the RB4011 is great. Reduced the number of network devices, all in one :)

Scenario: I have set up 3 VLANs (secure, guest, IoT) in the Ubiquiti ecosystem. My main network is not a VLAN, for the ease of plugging in and configuring devices.

The RB4011 is my router to the internet and should also handle the DHCP for the different VLANs. Several other network devices, like the switch and server, are connected to the RB4011 without any VLAN setting.

The RB4011 does not do any VLAN tagging, that is done via the NanoHDs and the Ubiquiti switch.
I have outgoing IPSEC connections to my private VPS and an incoming IPSEC connection from my mobile (roadwarrior).

Problem: so far each network works separately, but I cannot make, e.g., the guest VLAN accessible from the secure VLAN, etc.
It is also not possible to reach any devices in the 192.168.88.0 network from the IPSEC roadwarrior connection (192.168.200.0/24).

Any configuration problems?


The configuration of the RB4011 is as follows (some elements that are not relevant have been removed):
[admin@MikroTik] > export

# jul/24/2019 11:06:27 by RouterOS 6.45.2
# software id = 5FMV-E258
#
# model = RB4011iGS+

/interface bridge
add admin-mac=74:4D:28:B3:B0:F7 arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1UP
set [ find default-name=ether2 ] name=ether2CBL

/interface vlan
add interface=bridge name=vlan100.secure vlan-id=100
add interface=bridge name=vlan200.iot vlan-id=200
add interface=bridge name=vlan300.guest vlan-id=300

/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/ip pool
add name=dhcp.home ranges=192.168.88.101-192.168.88.200
add name=dhcp.secure100 ranges=192.168.89.101-192.168.89.200
add name=dhcp.iot200 ranges=192.168.90.101-192.168.90.200
add name=dhcp.guest300 ranges=192.168.91.101-192.168.91.200
add name=vpn-pool ranges=192.168.200.100-192.168.200.200

/ip dhcp-server
add address-pool=dhcp.home disabled=no interface=bridge name=defconf
add address-pool=dhcp.secure100 disabled=no interface=vlan100.secure lease-time=1h name=secure
add address-pool=dhcp.iot200 disabled=no interface=vlan200.iot lease-time=1h name=iot
add address-pool=dhcp.guest300 disabled=no interface=vlan300.guest lease-time=1h name=guest

/interface bridge port
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10LITE
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=ether1UP
add bridge=bridge interface=vlan300.guest
add bridge=bridge interface=vlan200.iot
add bridge=bridge interface=vlan100.secure

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip settings
set rp-filter=loose

/interface bridge vlan
add bridge=bridge vlan-ids=300
add bridge=bridge vlan-ids=200
add bridge=bridge vlan-ids=100

/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN wan-interface-list=WAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether2CBL list=WAN

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.90.1/24 interface=vlan200.iot network=192.168.90.0
add address=192.168.91.1/24 interface=vlan300.guest network=192.168.91.0
add address=192.168.89.1/24 interface=vlan100.secure network=192.168.89.0

/ip cloud
set ddns-enabled=yes

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1 domain=intranet gateway=192.168.88.1
add address=192.168.89.0/24 comment="Secure network" dns-server=192.168.89.1 domain=intranet gateway=192.168.89.1 netmask=24
add address=192.168.90.0/24 comment="IoT network" dns-server=1.1.1.1,9.9.9.9 domain=intranet gateway=192.168.90.1 netmask=24
add address=192.168.91.0/24 comment="Guest network" dns-server=1.1.1.1,9.9.9.9 domain=intranet gateway=192.168.91.1 netmask=24

/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IPsec IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow IPsec l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IPsec ssh,webadmin,winbox from VPN" dst-port=22,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp src-address=192.168.200.0/24
add action=accept chain=input comment="allow IPsec access to home network" dst-address=192.168.88.0/24 src-address=192.168.200.0/24
add action=accept chain=forward comment="Allow Home net to Guest" disabled=yes dst-address=192.168.91.0/24 src-address=192.168.88.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="Fastforward with IPSEC disabled" connection-mark="" connection-state=established,related disabled=yes routing-mark=routedsl
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat comment="IPsec masq. vpn traffic" src-address=192.168.200.0/24
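An added example, not from this thread: a small Python linter that parses a RouterOS export in the format posted above and flags the points a reviewer would check first on this config (bridge VLAN filtering left at its default of off, VLAN interfaces built on the bridge added back as ports of that same bridge, bridge VLAN entries with no tagged or untagged ports, a disabled accept rule, and a subnet destination matched in chain=input, which only sees traffic addressed to the router itself). The finding codes are my own naming; EXPORT is a constructed excerpt of the posted export.

```python
import re

# Constructed input: excerpt of the RB4011 export posted above, trimmed to the sections the checks read.
EXPORT = """\
/interface bridge
add admin-mac=74:4D:28:B3:B0:F7 arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan100.secure vlan-id=100
add interface=bridge name=vlan300.guest vlan-id=300
/interface bridge port
add bridge=bridge interface=vlan300.guest
add bridge=bridge interface=vlan100.secure
/interface bridge vlan
add bridge=bridge vlan-ids=300
add bridge=bridge vlan-ids=100
/ip firewall filter
add action=accept chain=input comment="allow IPsec access to home network" dst-address=192.168.88.0/24 src-address=192.168.200.0/24
add action=accept chain=forward comment="Allow Home net to Guest" disabled=yes dst-address=192.168.91.0/24 src-address=192.168.88.0/24
"""
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value; value may be a quoted string

def parse_export(text):
    """Group add/set lines under their menu path ('/interface bridge port', ...) as key=value dicts."""
    menus, path = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("/"):
            path = line
        elif not line.startswith("#"):  # skip the export header comments
            menus.setdefault(path, []).append({k: v.strip('"') for k, v in KV.findall(line)})
    return menus

def lint(menus):
    """Return (code, detail) findings; each check rests on how RouterOS bridge VLANs and chains work."""
    out = []
    for b in menus.get("/interface bridge", []):
        if b.get("vlan-filtering", "no") != "yes":  # default is no, so the bridge vlan table is ignored
            out.append(("no-vlan-filtering", b["name"]))
    child_of = {v["name"]: v["interface"] for v in menus.get("/interface vlan", [])}
    for p in menus.get("/interface bridge port", []):
        if child_of.get(p["interface"]) == p["bridge"]:  # VLAN built on the bridge, re-added as its own port
            out.append(("vlan-child-as-port", p["interface"]))
    for v in menus.get("/interface bridge vlan", []):
        if not (v.get("tagged") or v.get("untagged")):  # VLAN carried on no port, not even the bridge itself
            out.append(("vlan-no-members", v["vlan-ids"]))
    for r in menus.get("/ip firewall filter", []):
        if r.get("disabled") == "yes" and r.get("action") == "accept":
            out.append(("disabled-accept", r.get("comment", "")))
        if r.get("chain") == "input" and "/" in r.get("dst-address", ""):  # transit to a subnet is chain=forward
            out.append(("input-subnet-dst", r.get("comment", "")))
    return out
```

Running `lint(parse_export(EXPORT))` on the excerpt yields seven findings; feeding it the full export instead works the same way, since unknown menus are simply ignored.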
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: RB4011, Ubiquiti devices, VLANs and IPSEC

Wed Jul 24, 2019 4:22 pm

All VLAN setup on RB4011 is ... well, wrong. I suggest you read through this tutorial. Come back if things don't work after reading and understanding the tutorial.

As to the roadwarrior access ... it's hard to tell as you didn't post the complete setup (at least the /ip firewall mangle section is missing from the posted configuration, God knows what else).
 
ali22291112
just joined
Topic Author
Posts: 3
Joined: Wed Jul 24, 2019 3:10 pm

Re: RB4011, Ubiquiti devices, VLANs and IPSEC

Wed Jul 24, 2019 4:26 pm

OK, will do. Thanks for pointing me in the (hopefully) right direction; I will then post the full configuration.
Step by step...
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011, Ubiquiti devices, VLANs and IPSEC

Wed Jul 24, 2019 5:19 pm

I have a similar home setup in that I have two wifi devices and managed switches, and have:
-main network, wired and wireless
-special computer, wired (wanted it separated from all else)
-streaming devices
-smart devices
-external access to home services (septic and solar panel)
Devices: RB450Gx4, two capACs, four managed switches, VoIP modem, cable modem, fiberop modem

All are on separate VLANs as per the ref MKX gave you, and even the main network is on a VLAN.
It's clean, dirt simple and works. The key for me was to remove the bridge from any responsibilities other than hosting the VLANs.
As for access, as ADMIN, FW rules provide access to all LANs/devices necessary, and all others have access within their own VLAN and the internet.
 
ali22291112
just joined
Topic Author
Posts: 3
Joined: Wed Jul 24, 2019 3:10 pm

Re: RB4011, Ubiquiti devices, VLANs and IPSEC

Wed Jul 24, 2019 5:52 pm

..... All are on separate VLANs as per the ref MKX gave you, and even the main network is on a VLAN.
It's clean, dirt simple and works. The key for me was to remove the bridge from any responsibilities other than hosting the VLANs.
As for access, as ADMIN, FW rules provide access to all LANs/devices necessary, and all others have access within their own VLAN and the internet.
Could you direct me to the section in the reference from MKX? I am not sure how to identify the right "scenario".
Or could you even post your VLAN/Bridge configuration?
