Bridge VLAN Filtering Blocks Traffic

benico13 · Thu Sep 01, 2022 12:31 am

Good evening,

I'm setting up my RB5009UG+S+ on ROS 7.5, and I cannot, for the life of me, get traffic flowing when I enable VLAN-filtering on the bridge interface. I'm making ethernet ports 6 and 7 trunk ports for the 4 VLANs, and the system works just fine when I don't enable VLAN-filtering, but fails once I enable it.

What am I doing wrong here? Please see attached and scold me as needed.

# aug/31/2022 17:17:38 by RouterOS 7.5
# software id = NZ0U-HY3B
#
# model = RB5009UG+S+
# serial number = XYZ
/interface bridge
add admin-mac=XX:YY:ZZ:11:22:33 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Internet uplink"
set [ find default-name=ether2 ] comment="regular port, no VLAN"
set [ find default-name=ether3 ] comment=\
    "NOT Ready - IoT Interface, VLAN 200 untagged"
set [ find default-name=ether4 ] comment="regular port, no VLAN"
set [ find default-name=ether5 ] comment=\
    "NOT Ready, HOME Interface, VLAN 300 untagged"
set [ find default-name=ether6 ] comment=\
    "NOT Ready, Wireless Access Point Port Interface, VLAN trunk, #1"
set [ find default-name=ether7 ] comment=\
    "NOT Ready, Wireless Access Point Port Interface, VLAN trunk, #2"
set [ find default-name=ether8 ] comment="regular port, no VLAN"
set [ find default-name=sfp-sfpplus1 ] comment=unused disabled=yes
/interface wireguard
add listen-port=4444 mtu=1420 name=wireguard1
/interface vlan
add comment="Guest VLAN 100" interface=bridge name=VL100Guest vlan-id=100
add comment="IoT VLAN 200" interface=bridge name=VL200IoT vlan-id=200
add comment="Home VLAN 300" interface=bridge name=VL300Home vlan-id=300
add comment="MGMT VLAN 500" interface=bridge name=VL500MGMT vlan-id=500
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.20.202.40-172.20.202.254
add name=POOL100Guest ranges=172.20.210.10-172.20.210.240
add name=POOL200IoT ranges=172.20.220.10-172.20.220.99
add name=POOL300Home ranges=172.20.230.10-172.20.230.200
add name=POOL500MGMT ranges=172.20.250.10-172.20.250.99
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=POOL100Guest interface=VL100Guest name=DHCP100Guest
add address-pool=POOL200IoT interface=VL200IoT name=DHCP200IoT
add address-pool=POOL300Home interface=VL300Home name=DHCP300Home
add address-pool=POOL500MGMT interface=VL500MGMT name=DHCP500MGMT
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether6
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridge tagged=ether6,ether7 vlan-ids=100
add bridge=bridge tagged=ether6,ether7 vlan-ids=200
add bridge=bridge tagged=ether6,ether7 vlan-ids=300
add bridge=bridge tagged=ether6,ether7 vlan-ids=500
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=listBridge
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=172.20.203.2/32 interface=wireguard1 \
    public-key="KEY1"
add allowed-address=172.20.203.3/32  interface=\
    wireguard1 public-key="KEY2"
/ip address
add address=172.20.202.1/24 comment=defconf interface=bridge network=\
    172.20.202.0
add address=172.20.203.1/24 interface=wireguard1 network=172.20.203.0
add address=172.20.210.1/24 interface=VL100Guest network=172.20.210.0
add address=172.20.220.1/24 interface=VL200IoT network=172.20.220.0
add address=172.20.230.1/24 interface=VL300Home network=172.20.230.0
add address=172.20.250.1/24 interface=VL500MGMT network=172.20.250.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.20.202.0/24 comment=defconf dns-server=172.20.202.1 gateway=\
    172.20.202.1 netmask=24
add address=172.20.210.0/24 comment="Guest DHCP Server Network" dns-server=\
    1.1.1.1 gateway=172.20.210.1
add address=172.20.220.0/24 comment="IoT DHCP Server Network" dns-server=\
    172.20.220.1 gateway=172.20.220.1
add address=172.20.230.0/24 comment="Home DHCP Server Network" dns-server=\
    172.20.230.1 gateway=172.20.230.1
add address=172.20.250.0/24 comment="MGMT DHCP Server Network" dns-server=\
    1.1.1.1 gateway=172.20.250.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=172.20.202.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.20.202.2-172.20.202.254 list=allowed_to_router_1
add address=0.0.0.0/8 comment=RFC6890 list=not_on_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_on_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_on_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_on_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_on_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_on_internet
add address=224.0.0.0/4 comment=Multicast list=not_on_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_on_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_on_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_on_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_on_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_on_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_on_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_on_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_on_internet
add address=172.20.210.2-172.20.210.254 list=allowed_to_router_100
add address=172.20.220.2-172.20.220.254 list=allowed_to_router_200
add address=172.20.230.2-172.20.230.254 list=allowed_to_router_300
add address=172.20.250.2-172.20.250.254 list=allowed_to_router_500
/ip firewall filter
add action=accept chain=input comment="Allow WireGuard" dst-port=4444 \
    log-prefix="Allow WireGuard" protocol=udp
add action=accept chain=input comment="Allow WireGuard Traffic" log-prefix=\
    "Allow Wireguard Traffic" src-address=172.20.203.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=#4
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=#7
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=#12invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=#13!NAT
add action=accept chain=input src-address-list=allowed_to_router_1
add action=accept chain=input log=yes log-prefix=#15Guest src-address-list=\
    allowed_to_router_100
add action=accept chain=input src-address-list=allowed_to_router_200
add action=accept chain=input src-address-list=allowed_to_router_300
add action=accept chain=input src-address-list=allowed_to_router_500
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_on_internet in-interface=bridge log=yes log-prefix=\
    #19!public_from_LAN out-interface=!bridge
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=#21!public src-address-list=not_on_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=#22LAN_!LAN src-address=!172.20.202.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types" log=yes log-prefix=\
    #30
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.20.202.0/24,172.20.203.0/24 port=2200
set api disabled=yes
set winbox address=172.20.202.0/24,172.20.203.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=ROS
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nist.gov
/system scheduler
add interval=15m name=DuckDNS-Update-Scheduler on-event=DuckDNS-Updater \
    policy=read,test start-date=aug/13/2022 start-time=00:00:00
/system script
add dont-require-permissions=no name=DuckDNS-Updater owner=admin policy=\
    read,test source="
    \n:log warning message=\"START: DuckDNS.org DDNS Update\"\r\
    \n\r\
    \n:log warning message=\"END: DuckDNS.org DDNS Update finished\"\r\
    \n"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

aglabs · Thu Sep 01, 2022 1:59 am

/interface bridge vlan
add bridge=bridge tagged=ether6,ether7 vlan-ids=100
add bridge=bridge tagged=ether6,ether7 vlan-ids=200
add bridge=bridge tagged=ether6,ether7 vlan-ids=300
add bridge=bridge tagged=ether6,ether7 vlan-ids=500

Add the bridge interface to tag section: i.e. add bridge=bridge tagged=ether6,ether7,bridge vlan-ids=300

anav · Thu Sep 01, 2022 4:18 am

Yes it can be rather annoying, and sometimes the router reboots itself when you add vlan-filtering=yes.
Its why, besides always using safemode, I often recommend using one etherport (spare) off bridge to do the configuring and as an ermerg access if the bridge goes wonky on me.
viewtopic.php?t=181718

Now onto the config............
(1) I am not a fan of mixing apples and oranges, often leads to confusion.
Also in general I like the bridge not to be involved in dhcp or much else.
Hence, that regular so called LAN of yours, just make it a vlan lets say vlan11

Relatively Easy to switch over.
add interface=bridge name=unknown-vlan vlan-id=11 { unknown because if its not home, iot, guest or management wt... do you use it for..... by giving a name then the network becomes clearer. }
add address-pool=dhcp interface=unknown-vlan name=defconf
add address=172.20.202.1/24 comment=defconf interface=unknown-vlan network=172.20.202.0

(2) Your interface list members is not quite right anyway so it will need to be fixed.
.........................

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=VL100Guest list=LAN
add interface=VL200IoT list=LAN
add interface=VL300Home list=LAN
add interface=unknown-vlan list=LAN
add interface=wireguard1 list=LAN
add interface=VL500MGMT list=LAN
add interface=VL500MGMT list=Management

..............................
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Management

(3) Neighbours discovery is primarily best used for discovering all smart devices (switches, APs othe routers) that should all have their IP address from the MGMT vlan. Hence......
/ip neighbor discovery-settings
set discover-interface-list=Management

(4) Same for winbox and the plain mac server is not encrypted and should be set to none.
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=Management

(5) In terms of bridge ports.......

/interface bridge port
add bridge=bridge comment=defconf interface=ether2  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether3  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether4  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether5  pvid=11   ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether6  ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge comment=defconf interface=ether7  ingress-filtering=yes frame-types=admit-only-vlan-tagged 
add bridge=bridge comment=defconf interface=ether8  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=sfp-sfpplus1  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged

6. In terms of bridge vlans
.........................

/interface bridge vlan
add bridge=bridge tagged=bridge,ether6,ether7 vlan-ids=100,200,300,500
add bridge=bridge tagged=bridge  untagged=ether2,ether3,ether4,ether5,ether8,sfp-sfpplus1  vlan-ids=11

......................

(7) I am curious. I see you have a rule to allow your wireguard remote road warriors to access the router, presumably so you can config the router remotely. (from 172.20.203.0)
However you also have a rule that says drop all traffic not coming from the LAN interface.
Seeing as you defined the wireguard interface as being part of the LAN interface.................. I was wondering if you really needed the wireguard allow rule just for the wg interface users.
In other words, disable that rule and see if you still get access to config the router remotely via wireguard.
I suspect you dont.................

However I like and would keep the single rule for the wireguard users because the first thing I would do is remove all lan user access to the router.
Add chain=input action=accept in-interface-list=Management { only those on this network should be configing the router }
Add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp {only provide lan users with needed router services, maybe NTP as well?)
Add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp {only provide lan users with needed router services, maybe NTP as well?)
Add chain=input action=drop comment="drop all else" { all other wan to router and lan to router traffic is dropped cold }

(8) Dont like the bloatware in the forward chain, but too tired to go over it.

(9) Your confused or the Management VLAN is completely bogus according to this line.
set winbox address=172.20.202.0/24,172.20.203.0/24

It would appear the management vlan is your bridge subnet, that I changed to vlan11, AND NOT vlan500 >>>>not knowing what it was for......
So please confess some truth here

anav · Thu Sep 01, 2022 4:22 am

If you hadnt figured out your error, it was failing to tag the bridge in the /interface bridge vlan settings.................

benico13 · Thu Sep 01, 2022 6:11 am

Code: Select all
/interface bridge vlan
add bridge=bridge tagged=ether6,ether7 vlan-ids=100
add bridge=bridge tagged=ether6,ether7 vlan-ids=200
add bridge=bridge tagged=ether6,ether7 vlan-ids=300
add bridge=bridge tagged=ether6,ether7 vlan-ids=500
Add the bridge interface to tag section: i.e. add bridge=bridge tagged=ether6,ether7,bridge vlan-ids=300

Thank you for this. I went ahead and tried this from the command line, only to recieve a failure message, saying that it already existed... Using WinBox, I saw that it was actually listed, removed each entry, then added it via command line. After adding each line, I turned on the Brdige VLAN filtering and was unable to have my device connect and get a DHCP address on the VLAN 100 (guest). Once I turned off the vlan filtering on the bridge, the device was able to pull a DHCP address from the system and connect to the Internet.

Attached is my updated code if you have a suggestion to make.

benico13 · Thu Sep 01, 2022 6:36 am

Yes it can be rather annoying, and sometimes the router reboots itself when you add vlan-filtering=yes.
Its why, besides always using safemode, I often recommend using one etherport (spare) off bridge to do the configuring and as an ermerg access if the bridge goes wonky on me.
viewtopic.php?t=181718

Now onto the config............
(1) I am not a fan of mixing apples and oranges, often leads to confusion.
Also in general I like the bridge not to be involved in dhcp or much else.
Hence, that regular so called LAN of yours, just make it a vlan lets say vlan11

Relatively Easy to switch over.
add interface=bridge name=unknown-vlan vlan-id=11 { unknown because if its not home, iot, guest or management wt... do you use it for..... by giving a name then the network becomes clearer. }
add address-pool=dhcp interface=unknown-vlan name=defconf
add address=172.20.202.1/24 comment=defconf interface=unknown-vlan network=172.20.202.0

(2) Your interface list members is not quite right anyway so it will need to be fixed.
.........................
Code: Select all
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=VL100Guest list=LAN
add interface=VL200IoT list=LAN
add interface=VL300Home list=LAN
add interface=unknown-vlan list=LAN
add interface=wireguard1 list=LAN
add interface=VL500MGMT list=LAN
add interface=VL500MGMT list=Management
..............................
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Management

(3) Neighbours discovery is primarily best used for discovering all smart devices (switches, APs othe routers) that should all have their IP address from the MGMT vlan. Hence......
/ip neighbor discovery-settings
set discover-interface-list=Management

(4) Same for winbox and the plain mac server is not encrypted and should be set to none.
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=Management

(5) In terms of bridge ports.......
Code: Select all
/interface bridge port
add bridge=bridge comment=defconf interface=ether2  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether3  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether4  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether5  pvid=11   ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=ether6  ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge comment=defconf interface=ether7  ingress-filtering=yes frame-types=admit-only-vlan-tagged 
add bridge=bridge comment=defconf interface=ether8  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
add bridge=bridge comment=defconf interface=sfp-sfpplus1  pvid=11  ingress-filtering=yes frame-types=admit-priority-and-untagged
6. In terms of bridge vlans
.........................
Code: Select all
/interface bridge vlan
add bridge=bridge tagged=bridge,ether6,ether7 vlan-ids=100,200,300,500
add bridge=bridge tagged=bridge  untagged=ether2,ether3,ether4,ether5,ether8,sfp-sfpplus1  vlan-ids=11
......................

(7) I am curious. I see you have a rule to allow your wireguard remote road warriors to access the router, presumably so you can config the router remotely. (from 172.20.203.0)
However you also have a rule that says drop all traffic not coming from the LAN interface.
Seeing as you defined the wireguard interface as being part of the LAN interface.................. I was wondering if you really needed the wireguard allow rule just for the wg interface users.
In other words, disable that rule and see if you still get access to config the router remotely via wireguard.
I suspect you dont.................

However I like and would keep the single rule for the wireguard users because the first thing I would do is remove all lan user access to the router.
Add chain=input action=accept in-interface-list=Management { only those on this network should be configing the router }
Add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=tcp {only provide lan users with needed router services, maybe NTP as well?)
Add chain=input action=accept in-interface-list=LAN dst-port=53 protocol=udp {only provide lan users with needed router services, maybe NTP as well?)
Add chain=input action=drop comment="drop all else" { all other wan to router and lan to router traffic is dropped cold }

(8) Dont like the bloatware in the forward chain, but too tired to go over it.

(9) Your confused or the Management VLAN is completely bogus according to this line.
set winbox address=172.20.202.0/24,172.20.203.0/24

It would appear the management vlan is your bridge subnet, that I changed to vlan11, AND NOT vlan500 >>>>not knowing what it was for......
So please confess some truth here

Wow, thanks for the fast reply. There's a lot of stuff in here and I'll need some time to digest and implement. Will respond back when I've tried some of this. Thank you.

And yes, my management VLAN should have been for managing the router, but, it's not completely implemented yet... RouterOS is taking me more time to get used to than I had hoped for.

Take care.

mkx · Thu Sep 01, 2022 8:27 am

Replying to original post: what exactly breaks when you enable vlan-filtering? Is it device not passing frames between the two trunk ports (ether6 and ether7) or is it that device itself can't participate in VLANs 100 and 200? If the later, you have to add bridge interface to the list of tagged ports members of respective VLANs:

/interface bridge vlan
add bridge=bridge tagged=bridge,ether6,ether7 vlan-ids=100
add bridge=bridge tagged=bridge,ether6,ether7 vlan-ids=200
add bridge=bridge tagged=ether6,ether7 vlan-ids=300
add bridge=bridge tagged=ether6,ether7 vlan-ids=500

Without it, bridge interface will never receive or send any frames on those VLANs because bridge (the switch-like entity) will rightfully block them.

benico13 · Thu Sep 01, 2022 4:48 pm

Replying to original post: what exactly breaks when you enable vlan-filtering? Is it device not passing frames between the two trunk ports (ether6 and ether7) or is it that device itself can't participate in VLANs 100 and 200? If the later, you have to add bridge interface to the list of tagged ports members of respective VLANs:

/interface bridge vlan
add bridge=bridge tagged=bridge,ether6,ether7 vlan-ids=100
add bridge=bridge tagged=bridge,ether6,ether7 vlan-ids=200
add bridge=bridge tagged=ether6,ether7 vlan-ids=300
add bridge=bridge tagged=ether6,ether7 vlan-ids=500

Without it, bridge interface will never receive or send any frames on those VLANs because bridge (the switch-like entity) will rightfully block them.

@mkx, that did it! my devices are now getting their IP addresses and are able to connect without issue. Thank you so much, this really stumped me!

Bridge VLAN Filtering Blocks Traffic [SOLVED]

Bridge VLAN Filtering Blocks Traffic

Re: Bridge VLAN Filtering Blocks Traffic

Re: Bridge VLAN Filtering Blocks Traffic

Re: Bridge VLAN Filtering Blocks Traffic

Re: Bridge VLAN Filtering Blocks Traffic

Re: Bridge VLAN Filtering Blocks Traffic

Re: Bridge VLAN Filtering Blocks Traffic [SOLVED]

Re: Bridge VLAN Filtering Blocks Traffic

Who is online