garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

prevent asymmetric routing when accessing the management IP address

Wed Dec 08, 2021 10:38 pm

I have a trunk port set up on the MT that's doing DHCP across multiple interfaces.
I have multiple VLANs and their corresponding interface IP addresses. The issue is that when accessing the management IP address from a different subnet, it doesn't work, presumably because of asymmetric routing. But I can access it by the IP address of the same subnet that the device is on. So we have two issues:

1. How can I restrict management to only one IP address of the MT? Currently the MT has multiple management IPs, which could be accessed from different subnets.
2. How can I properly use that IP address without asymmetric routing getting in the way?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: prevent asymmetric routing when accessing the management IP address

Wed Dec 08, 2021 11:13 pm

Not sure what you are asking?

a. All smart devices attached to the MT router should have an IP address on the management subnet.
b. All trunk ports to smart devices should carry the management subnet (VLAN), regardless of whether or not there is a data port that will use the management VLAN.

Are you saying you want to access the router from a non-trusted VLAN?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Wed Dec 08, 2021 11:15 pm

1. Firewall filter.
2. I don't think that's it, try to share some more info, config, ...
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 4:17 am

To clarify: there is no bridge. Eth2 has all the VLANs plus the native VLAN as interfaces. Eth2 is connected to the switch port that is a trunk with all those same VLANs.

The issue is that there are as many management IP addresses as there are IPs per VLAN. How can I restrict the management IP to only one address?

Also, AFAIK, the issue is "automatic inter-VLAN routing". When I try to access the management IP that's on VLAN1 from a different subnet, the packet goes from my laptop into the firewall, then into the MT's VLAN1 IP. But then, instead of going back to the firewall (the MT's default gateway), it gets routed to the interface that shares the subnet with my laptop.

This essentially creates an asymmetric routing scenario, although I don't understand why it breaks web and SSH access but works for ping.
In Wireshark on my laptop, I can see that the return ICMP frame is coming from the MT and not from the laptop's default gateway.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 4:40 am

Few things:

- "Automatic inter-VLAN routing" is not an issue; that's expected behaviour. A router's purpose is to route, so it routes anything it knows how to, between all available interfaces. If you don't want something routed, you have to block it.

- Same with connections to different local addresses. If you have several, but only one should be responding, you need to block the others using the firewall (in chain=input).

- I still don't see any asymmetric routing. Let's say that the router has 192.168.1.1/24 on one interface and 192.168.2.1/24 on another, be it VLAN, ethernet or anything. If client 192.168.1.100 connected to the first interface sends a packet to 192.168.2.1, it doesn't actually go to the other interface. The router knows it's for its own address, so it processes it and sends the response back to 192.168.1.100, i.e. to the first interface, so it reaches the client and everything works. That's unless you're doing something unusual, e.g. overriding normal routing using routing rules can break it.

- When you say that the "return ICMP frame is coming from the MT and not the default gateway of the laptop", it sounds like you have a somewhat more complex network than I thought (which was this router as gateway for all connected subnets). In that case, a lot of important info is missing.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 5:59 am

The default gateway for the Wi-Fi is the firewall. It has DGs for multiple subnets. My point is that I don’t intend to use the MT as a router, but as a DHCP server. I only have the multiple VLANs trunked on one port because I don’t want to use DHCP helpers.

I understand that I could block inter-VLAN routing with a firewall rule. I wonder if I could completely turn it off. If I do that, would it automatically use the MT's default gateway?
On the MT, I have a static route for 0.0.0.0/0 via the firewall's IP for VLAN 1. My guess is that the MT designates the DG that way, right?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 12:17 pm

That's not nearly enough info. Everything matters: how it is connected physically, how it is configured in software, addresses, subnets, routes, ... You know all that, but someone else can hardly get it from your description so far.

You can disable all routing with "/ip settings set ip-forward=no", but it's probably not what you want.

Another thing: a router can only route what other devices send to it. So if you want it only as some kind of stand-aside DHCP server, then just don't give it to anything as a gateway; nothing will be sending traffic destined for other subnets to this router, and there will be no routing. And sure, maybe I'm missing the point somewhere, but again, I still know almost nothing about your network.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 12:47 pm

I'll try to post the config when I get to work. To answer your question, I want routing, in the sense that it needs a default gateway to be reachable from other subnets. But I don't want routing between its connected interfaces (inter-VLAN routing).
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 1:11 pm

Then the firewall is your friend: allow only what should work (each VLAN -> upstream GW), unconditionally block the rest, live happily ever after.
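A worked ruleset for the two points made in this thread (block the extra local addresses in chain=input, and forward nothing), as an added example that is not part of any post here. The addresses and interface names come from the config the topic author posts later in the thread (10.5.1.90/24 on untagged ether2, default gateway 10.5.1.1, every `/ip service` enabled with address="", SNMP community `public` open to ::/0). The interface list `MGMT` and the address list `admins` are names chosen for this example; the admin subnets you put in `admins` are an assumption you have to fill in yourself.

```routeros
# Added example (RouterOS v7 syntax): management reachable on ONE address,
# 10.5.1.90 on untagged ether2, and no forwarding at all.
# Apply from the serial console or in Safe Mode (Ctrl-X in the terminal):
# the final drop rules cut off any session that arrived another way.

/interface list
add name=MGMT comment="untagged ether2 (VLAN1): the only management path"
/interface list member
add list=MGMT interface=ether2

/ip firewall address-list
add list=admins address=10.5.1.0/24 comment="management subnet"
# add list=admins address=<your admin workstation subnet>   (assumption: fill in)

# Services: the export has every one enabled and bound to all addresses.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
# www stays on only because the thread relies on it; prefer www-ssl with a certificate.
/ip ssh set strong-crypto=yes
/snmp community set [ find name=public ] addresses=10.5.1.0/24

# MAC-telnet, MAC-winbox and neighbour discovery are not IP traffic and
# bypass the filter below, so pin them to the management interface too.
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT

/ip firewall filter
# input = packets addressed to the router itself
add chain=input connection-state=established,related action=accept \
    comment="replies within sessions already accepted below"
add chain=input connection-state=invalid action=drop
add chain=input protocol=udp dst-port=67 action=accept \
    comment="DHCP requests from every VLAN: the box's actual job"
add chain=input in-interface-list=MGMT dst-address=10.5.1.90 \
    src-address-list=admins action=accept \
    comment="management: one address, one interface, listed admin sources"
add chain=input in-interface-list=MGMT dst-address=10.5.1.90 protocol=icmp action=accept \
    comment="ping to the management address only"
add chain=input action=drop \
    comment="every other router address, including each per-VLAN IP"
# forward = packets passing through the router; nothing should, it is not a gateway
add chain=forward action=drop comment="no inter-VLAN routing through the MT"
```

Test it before leaving the console: from a host on VLAN210, `ping 10.1.3.9` (the MT's own address on that VLAN) must now fail while `ping 10.5.1.90` works, and `/ip firewall filter print stats` should show the final input drop counter climbing when you try winbox against any per-VLAN address. If the MT ever has to forward something, insert an accept with the exact `in-interface`/`out-interface` pair above the forward drop rather than loosening the drop.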
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 1:42 pm

OK, thanks. I found a firewall rule:
/ip firewall filter
add chain=forward in-interface=all-vlan out-interface=all-vlan action=drop
My worry is that when trying to reach it from another subnet, the packet on its return trip will always choose the directly connected route instead, and then that packet will be dropped, instead of being sent back to the MT's default gateway.
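The return-path worry above is the part the firewall filter cannot fix on its own: a reply the router generates is output-chain traffic, so neither a forward rule nor `ip-forward=no` changes which interface it leaves on; the routing table does, and the connected route to the client's VLAN wins over the default route. Two other caveats from the posted configuration: the rule above matches only when both interfaces are VLAN interfaces, so the untagged 10.5.1.90/24 on ether2 is not covered, and `rp-filter=no` in `/ip settings` must stay that way (strict mode would discard a packet from a VLAN210 source arriving on ether2, which is exactly the management request). The policy-routing fragment below is an added example, not from any post in the thread; the table name `via-fw` and the connection mark `mgmt-in` are names chosen here, and the addresses are taken from the topic author's export.

```routeros
# Added example (RouterOS v7 syntax): answer management sessions that
# arrived through the firewall (10.5.1.1) back through the firewall,
# instead of out of whichever VLAN interface shares the client's subnet.

# 1. A separate routing table whose only route is "everything via the firewall".
/routing table add name=via-fw fib
/ip route add dst-address=0.0.0.0/0 gateway=10.5.1.1 routing-table=via-fw \
    comment="return path for management sessions that came in via the firewall"

/ip firewall mangle
# 2. Tag new sessions that reach 10.5.1.90 on ether2 from OUTSIDE 10.5.1.0/24.
#    Those can only have come through the firewall. Hosts on 10.5.1.0/24 itself
#    are excluded so their replies keep going straight back on ether2.
add chain=input in-interface=ether2 dst-address=10.5.1.90 src-address=!10.5.1.0/24 \
    connection-state=new action=mark-connection new-connection-mark=mgmt-in \
    passthrough=yes comment="management session arrived via the firewall"
# 3. Route the router's own replies in those sessions with the via-fw table.
#    A routing mark is consulted before the main table, so the default route
#    in via-fw beats the connected route to the client's VLAN.
add chain=output connection-mark=mgmt-in action=mark-routing \
    new-routing-mark=via-fw passthrough=no \
    comment="send replies back the way the request came"
```

Verify with the same Wireshark capture the topic author used: after this is in place, the ICMP echo reply (and the SSH SYN-ACK) to a laptop on another VLAN must arrive from the firewall's MAC address, not the MT's. `/ip firewall mangle print stats` shows the input rule counting one hit per new session and the output rule counting every reply packet; if the output counter stays at zero, the request reached the router on a different interface or address than the mangle rule matches, which is itself the symptom you were trying to get rid of.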
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 2:50 pm

You can still explain your network, and we can try to find a solution for any special needs.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 3:29 pm

The whole point of DHCP on an MT is routing...
Otherwise simply set up the MT as a switch.

I have never seen an MT device used for firewall and DHCP but not routing. Makes no sense to me, but my experience is limited.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 5:04 pm

I turned off IP forward, but it's still doing inter-VLAN routing.

Here are my settings:

/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
full-duplex=yes l2mtu=1598 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:67 mtu=1500 name=ether1 orig-mac-address=2C:C8:1B:A1:E4:67 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
full-duplex=yes l2mtu=1598 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:68 mtu=1500 name=ether2 orig-mac-address=2C:C8:1B:A1:E4:68 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
full-duplex=yes l2mtu=1598 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:69 mtu=1500 name=ether3 orig-mac-address=2C:C8:1B:A1:E4:69 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
full-duplex=yes l2mtu=1598 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:6A mtu=1500 name=ether4 orig-mac-address=2C:C8:1B:A1:E4:6A \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
full-duplex=yes l2mtu=1598 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:6B mtu=1500 name=ether5 orig-mac-address=2C:C8:1B:A1:E4:6B \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
full-duplex=yes l2mtu=1598 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:6D mtu=1500 name=ether6 orig-mac-address=2C:C8:1B:A1:E4:6D \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
full-duplex=yes l2mtu=1598 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:6E mtu=1500 name=ether7 orig-mac-address=2C:C8:1B:A1:E4:6E \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
full-duplex=yes l2mtu=1598 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:6F mtu=1500 name=ether8 orig-mac-address=2C:C8:1B:A1:E4:6F \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
full-duplex=yes l2mtu=1598 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:70 mtu=1500 name=ether9 orig-mac-address=2C:C8:1B:A1:E4:70 \
rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
full-duplex=yes l2mtu=1598 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:71 mtu=1500 name=ether10 orig-mac-address=2C:C8:1B:A1:E4:71 \
poe-out=auto-on poe-priority=10 power-cycle-interval=none !power-cycle-ping-address power-cycle-ping-enabled=no !power-cycle-ping-timeout rx-flow-control=off speed=1Gbps tx-flow-control=off
set [ find default-name=sfp1 ] advertise="" arp=enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1600 loop-protect=default \
loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=2C:C8:1B:A1:E4:6C mtu=1500 name=sfp1 orig-mac-address=2C:C8:1B:A1:E4:6C rx-flow-control=off sfp-rate-select=high \
sfp-shutdown-temperature=95C speed=1Gbps tx-flow-control=off
/interface vlan
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN12 use-service-tag=no vlan-id=12
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN100-phones use-service-tag=no vlan-id=100
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN200 use-service-tag=no vlan-id=200
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN205 use-service-tag=no vlan-id=205
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN206 use-service-tag=no vlan-id=206
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN210 use-service-tag=no vlan-id=210
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN220 use-service-tag=no vlan-id=220
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN250 use-service-tag=no vlan-id=250
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN260 use-service-tag=no vlan-id=260
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN270 use-service-tag=no vlan-id=270
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN280 use-service-tag=no vlan-id=280
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN290 use-service-tag=no vlan-id=290
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN300 use-service-tag=no vlan-id=300
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN310 use-service-tag=no vlan-id=310
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN320 use-service-tag=no vlan-id=320
add arp=enabled arp-timeout=auto disabled=no interface=ether2 loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mtu=1500 name=VLAN330-WiFiguest use-service-tag=no vlan-id=\
330
/queue interface
set VLAN12 queue=no-queue
set VLAN100-phones queue=no-queue
set VLAN200 queue=no-queue
set VLAN205 queue=no-queue
set VLAN206 queue=no-queue
set VLAN210 queue=no-queue
set VLAN220 queue=no-queue
set VLAN250 queue=no-queue
set VLAN260 queue=no-queue
set VLAN270 queue=no-queue
set VLAN280 queue=no-queue
set VLAN290 queue=no-queue
set VLAN300 queue=no-queue
set VLAN310 queue=no-queue
set VLAN320 queue=no-queue
set VLAN330-WiFiguest queue=no-queue
/interface ethernet switch
set 0 cpu-flow-control=yes l3-hw-offloading=no mirror-source=none mirror-target=none name=switch1
set 1 cpu-flow-control=yes l3-hw-offloading=no mirror-source=none mirror-target=none name=switch2
/interface ethernet switch port
set 0 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 1 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 2 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 3 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 4 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 5 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 6 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 7 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 8 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 9 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 10 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
set 11 default-vlan-id=auto vlan-header=leave-as-is vlan-mode=disabled
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none default-route-distance=2 ip-type=ipv4 name=default use-network-apn=yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" disable-pmkid=no eap-methods=passthrough group-ciphers=aes-ccm group-key-update=5m interim-update=0s management-protection=disabled mode=none \
mschapv2-username="" name=default radius-called-format=mac:ssid radius-eap-accounting=no radius-mac-accounting=no radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=\
XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=none static-sta-private-algo=none static-transmit-key=key-0 supplicant-identity=\
MikroTik tls-certificate=none tls-mode=no-certificates unicast-ciphers=aes-ccm
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip dhcp-server option
add code=42 name=time value="'10.5.7.11'"
add code=156 name=bootstring value="'ftpservers=10.5.7.11,configservers=10.5.7.11'"
/ip dhcp-server option sets
add name=phones options=time,bootstring
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default \
rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=default !parent-queue !queue-type shared-users=1 \
status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=dhcp_pool1 ranges=10.1.8.10-10.1.8.200
add name=dhcp_pool2 ranges=10.5.1.101-10.5.1.199
add name=dhcp_pool3 ranges=10.5.2.10-10.5.2.90
add name=dhcp_pool4 ranges=10.1.0.11-10.1.0.240
add name=dhcp_pool5 ranges=10.1.1.10-10.1.1.120
add name=dhcp_pool6 ranges=10.1.2.10-10.1.3.9
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=yes disabled=no interface=VLAN330-WiFiguest lease-script="" lease-time=10m name=dhcp-vlan330-WiFiguest use-radius=no
add address-pool=dhcp_pool2 authoritative=yes disabled=yes interface=ether2 lease-script="" lease-time=10m name=dhcp-VLAN1 use-radius=no
add address-pool=dhcp_pool3 authoritative=yes disabled=no interface=VLAN100-phones lease-script="" lease-time=10m name=dhcp-VLAN100-phones use-radius=no
add address-pool=dhcp_pool4 authoritative=yes disabled=yes interface=VLAN200 lease-script="" lease-time=10m name=dhcp-VLAN200-server use-radius=no
add address-pool=dhcp_pool5 authoritative=yes disabled=yes interface=VLAN205 lease-script="" lease-time=10m name=dhcp-VLAN205-facilitymgmt use-radius=no
add address-pool=dhcp_pool6 authoritative=yes disabled=no interface=VLAN210 lease-script="" lease-time=10m name=dhcp-VLAN210-clients use-radius=no
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=serial0 parity=none stop-bits=1
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before \
!interface-list !local-address name=default on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default \
use-encryption=default use-ipv6=yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server !idle-timeout !incoming-filter !insert-queue-before \
!interface-list !local-address name=default-encryption on-down="" on-up="" only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=\
default use-encryption=yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set ether6 queue=only-hardware-queue
set ether7 queue=only-hardware-queue
set ether8 queue=only-hardware-queue
set ether9 queue=only-hardware-queue
set ether10 queue=only-hardware-queue
set sfp1 queue=only-hardware-queue
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=bsd-syslog target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,rest-api,!ftp,!write,!policy,!dude skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,rest-api,!ftp,!policy,!dude skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,rest-api,!dude skin=default
/caps-man aaa
set called-format=mac:ssid interim-update=disabled mac-caching=disabled mac-format=XX:XX:XX:XX:XX:XX mac-mode=as-username
/caps-man manager
set ca-certificate=none certificate=none enabled=no package-path="" require-peer-certificate=no upgrade-policy=none
/caps-man manager interface
set [ find default=yes ] disabled=no forbid=no interface=all
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic lldp-med-net-policy-vlan=disabled protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=no max-neighbor-entries=8192 route-cache=yes rp-filter=no \
secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=yes forward=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address default-profile=default-encryption enabled=no \
keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled \
one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5 cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 mac-address=FE:81:9A:DB:17:1F max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp \
require-client-certificate=no tls-version=any
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any \
verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 frames-per-second=25 receive-all=no ssid-all=no
/interface wireless cap
set bridge=none caps-man-addresses="" caps-man-certificate-common-names="" caps-man-names="" certificate=none discovery-interfaces="" enabled=no interfaces="" lock-to-caps-man=no static-virtual=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip address
add address=10.5.1.90/24 disabled=no interface=ether2 network=10.5.1.0
add address=10.1.8.9/24 disabled=no interface=VLAN330-WiFiguest network=10.1.8.0
add address=10.1.1.9/25 disabled=no interface=VLAN205 network=10.1.1.0
add address=10.5.2.9/24 disabled=no interface=VLAN100-phones network=10.5.2.0
add address=10.1.0.9/24 disabled=no interface=VLAN200 network=10.1.0.0
add address=10.1.3.9/23 disabled=no interface=VLAN210 network=10.1.2.0
add address=10.1.13.9/24 disabled=no interface=VLAN280 network=10.1.13.0
add address=10.1.6.9/24 disabled=no interface=VLAN310 network=10.1.6.0
/ip cloud
set ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dhcp-server network
add address=10.1.0.0/24 caps-manager="" dhcp-option="" dns-server=10.1.0.10,10.0.96.86 gateway=10.1.0.254 !next-server ntp-server="" wins-server=""
add address=10.1.1.0/25 caps-manager="" dhcp-option="" dns-server=10.1.0.10,10.0.96.86 gateway=10.1.1.126 !next-server ntp-server="" wins-server=""
add address=10.1.2.0/23 caps-manager="" dhcp-option="" dns-server=10.1.0.10,10.0.96.86 gateway=10.1.3.254 !next-server ntp-server="" wins-server=""
add address=10.1.8.0/24 caps-manager="" dhcp-option="" dns-server=208.67.220.220,208.67.222.222 gateway=10.1.8.254 !next-server ntp-server="" wins-server=""
add address=10.5.1.0/24 caps-manager="" dhcp-option="" dns-server=1.1.1.1,1.0.0.1 gateway=10.5.1.1 !next-server ntp-server="" wins-server=""
add address=10.5.2.0/24 caps-manager="" dhcp-option="" dhcp-option-set=phones dns-server=10.1.0.10,10.0.96.86 gateway=10.5.2.1 !next-server ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 query-server-timeout=2s query-total-timeout=10s \
servers=1.1.1.1,1.0.0.1 use-doh-server="" verify-doh-cert=no
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no max-cache-object-size=2048KiB max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.5.1.1 pref-src="" routing-table=main suppress-hw-offload=no
/ip service
set telnet address="" disabled=no port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any vrf=main
set api address="" disabled=no port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any vrf=main
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=256k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes igmp-type=yes in-interface=yes ip-header-length=yes \
ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes \
protocol=yes src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no dns="" hop-limit=unspecified interface=all managed-address-configuration=no mtu=unspecified other-configuration=no \
ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/lcd
set backlight-timeout=30m color-scheme=dark default-screen=main-menu enabled=yes flip-screen=no read-only-mode=no time-interval=min touch-screen=enabled
/lcd pin
set hide-pin-number=no pin-number=1234
/lcd interface
set ether1 disabled=no max-speed=auto timeout=10s
set ether2 disabled=no max-speed=auto timeout=10s
set ether3 disabled=no max-speed=auto timeout=10s
set ether4 disabled=no max-speed=auto timeout=10s
set ether5 disabled=no max-speed=auto timeout=10s
set sfp1 disabled=no max-speed=auto timeout=10s
set ether6 disabled=no max-speed=auto timeout=10s
set ether7 disabled=no max-speed=auto timeout=10s
set ether8 disabled=no max-speed=auto timeout=10s
set ether9 disabled=no max-speed=auto timeout=10s
set ether10 disabled=no max-speed=auto timeout=10s
/lcd interface pages
set 0 interfaces=ether1,ether2,ether3,ether4,ether5,sfp1,ether6,ether7,ether8,ether9,ether10
/lcd screen
set 0 disabled=no timeout=10s
set 1 disabled=no timeout=10s
set 2 disabled=no timeout=10s
set 3 disabled=no timeout=10s
set 4 disabled=no timeout=10s
set 5 disabled=no timeout=10s
/ppp aaa
set accounting=yes interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/snmp
set contact="" enabled=no engine-id="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" trap-version=1
/system clock
set time-zone-autodetect=yes time-zone-name=America/Chicago
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
/system identity
set name=MikroTik
/system leds
set 0 disabled=no interface=sfp1 leds=user-led type=interface-activity
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=unicast servers=""
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set sfp1 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
set ether8 disabled=yes
set ether9 disabled=yes
set ether10 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard settings
set auto-upgrade=no baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet boot-protocol=bootp enable-jumper-reset=yes enter-setup-on=any-key force-backup-booter=no protected-routerboot=\
disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set address=0.0.0.0 from=<> port=25 tls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" auto-erase=no channel=0 port=none receive-enabled=no
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-interface="" filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" filter-mac-address="" filter-mac-protocol="" \
filter-operator-between-entries=or filter-port="" filter-size="" filter-stream=no memory-limit=100KiB memory-scroll=yes only-headers=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 6:44 pm

That's weird, turning off IP forwarding kills it very reliably here.

As for what exactly happens, just router's config is not enough. Try to give some detailed example, source address a.a.a.a trying to access destination address b.b.b.b, network config of both devices and other relevant config of all involved devices, what is connected to what, what you think should happen, and what actually happens (as far as you can tell), etc.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 6:55 pm

I put the firewall rule in and also "/ip settings set ip-forward=no". In Wireshark, the frames still have the MAC address of the MT. Which means it's sending back the ping reply through the MT, instead of the default gateway of the laptop.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 8:07 pm

As for what exactly happens, just router's config is not enough. Try to give some detailed example, source address a.a.a.a trying to access destination address b.b.b.b, network config of both devices and other relevant config of all involved devices, what is connected to what, what you think should happen, and what actually happens (as far as you can tell), etc.
my laptop is 10.1.6.95, DG 10.1.6.254
MT's VLAN1 interface is 10.5.1.90/24
VLAN310 interface is 10.1.6.9/24
When I ping the MT (10.5.1.90), it works. But in Wireshark, you can see that the echo reply's frame has the MT MAC as the source, not the laptop's DG.
So the request ping has LAPTOP MAC to FIREWALL (DG) MAC
but the reply ping has MT MAC (belonging to the same wifi VLAN as my laptop) to LAPTOP MAC.

So, even though ping works, web login or SSH to 10.5.1.90 doesn't. I can see some traffic in Wireshark, but the web login doesn't work. I have to disable VLAN 310 to enter the MT from 10.5.1.90. As it stands, I have to use whichever MT interface IP the device is on. So if I'm connecting from Wi-Fi, I have to use 10.1.6.9. If from Ethernet, 10.1.3.9.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 8:40 pm

Ok, this makes sense, and you were right about asymmetric routing. Packet from laptop to 10.5.1.90 goes to DG (not RB), from there it goes to RB, and RB responds directly to laptop, because it has a directly connected route for laptop's subnet. There's no problem with ping, because those are individual packets. But if there's a stateful firewall on DG, TCP can't work, because DG sees packets only in one direction, and that doesn't make a valid connection.

One way, if you don't need any filtering between vlans, would be to tell DG to not worry about this, and allow these half-connections. But it's not great, because it's likely that you do need some filtering.

Other way would be to tell RB to ignore other connected subnets. That's certainly doable, you should need a few extra routing tables, each containing only one vlan subnet and default route, and then use routing rules to tell the router that when source address is from a given vlan, it should look up destination in the routing table assigned for that vlan, so it would be able to find only addresses from the same subnet, and everything else would go to DG. I'd give you a sample config, but I'm afraid that my thinking capabilities are exhausted for today, from doing other stuff. But you should be able to do it yourself. It's also possible that the thing you're looking for is VRF, unfortunately my knowledge about it is severely lacking.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Thu Dec 09, 2021 11:37 pm

Ok, thanks. I still don't understand why inter-vlan routing is enabled even when ip-forward: no.
I did a packet capture on the RB. See if this is any use. It looks like the RB is sending back the reply from eth2, but to the MAC of the laptop, not the DG. And there's a VLAN 210 in one of the columns. Does that mean it's sending it out on VLAN 1 or VLAN 210? Also I tried turning on ip-forward and pinging from inside the RB, picking an interface that isn't on the same subnet as the destination IP, to test if the inter-vlan routing works. So ping 10.1.13.19 interface=VLAN210. It failed. So when pinging from outside to RB, the RB routes between VLANs. When pinging from RB to outside, it doesn't. I'm puzzled. Here's the routing table also. Thanks for the help, BTW.

Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; + - ecmp
0 As dst-address=0.0.0.0/0 routing-table=main pref-src="" gateway=10.5.1.1 immediate-gw=10.5.1.1%ether2 check-gateway=ping distance=1 scope=30 target-scope=10 suppress-hw-offload=no

DAc dst-address=10.1.0.0/24 routing-table=main gateway=VLAN200 immediate-gw=VLAN200 distance=0 scope=10 suppress-hw-offload=no local-address=10.1.0.9%VLAN200

DAc dst-address=10.1.1.0/25 routing-table=main gateway=VLAN205 immediate-gw=VLAN205 distance=0 scope=10 suppress-hw-offload=no local-address=10.1.1.9%VLAN205

DAc dst-address=10.1.2.0/23 routing-table=main gateway=VLAN210 immediate-gw=VLAN210 distance=0 scope=10 suppress-hw-offload=no local-address=10.1.3.9%VLAN210

DAc dst-address=10.1.8.0/24 routing-table=main gateway=VLAN330-WiFiguest immediate-gw=VLAN330-WiFiguest distance=0 scope=10 suppress-hw-offload=no local-address=10.1.8.9%VLAN330-WiFiguest

DAc dst-address=10.1.13.0/24 routing-table=main gateway=VLAN280 immediate-gw=VLAN280 distance=0 scope=10 suppress-hw-offload=no local-address=10.1.13.9%VLAN280

DAc dst-address=10.5.1.0/24 routing-table=main gateway=ether2 immediate-gw=ether2 distance=0 scope=10 suppress-hw-offload=no local-address=10.5.1.90%ether2

DAc dst-address=10.5.2.0/24 routing-table=main gateway=VLAN100-phones immediate-gw=VLAN100-phones distance=0 scope=10 suppress-hw-offload=no local-address=10.5.2.9%VLAN100-phones

packet capture

VLAN210 0.903 5 -> 2C:C8:1B:A1:E4:68 8C:8C:AA:8C:43:03 10.5.1.90 10.1.3.5 ip:icmp 74 1
ether2 0.903 6 -> 2C:C8:1B:A1:E4:68 8C:8C:AA:8C:43:03 210 10.5.1.90 10.1.3.5 ip:icmp 78 1
ether2 1.866 7 <- 40:F0:78:E1:CB:85 2C:C8:1B:A1:E4:68 10.1.0.13 10.5.1.90 ip:icmp 74 0
VLAN200 1.866 8 -> 2C:C8:1B:A1:E4:68 14:02:EC:05:32:31 10.5.1.90 10.1.0.13 ip:icmp 74 0
ether2 1.866 9 -> 2C:C8:1B:A1:E4:68 14:02:EC:05:32:31 200 10.5.1.90 10.1.0.13 ip:icmp 78 0
ether2 1.927 10 <- 40:F0:78:E1:CB:85 2C:C8:1B:A1:E4:68 10.1.3.5 10.5.1.90 ip:icmp 74 1
VLAN210 1.927 11 -> 2C:C8:1B:A1:E4:68 8C:8C:AA:8C:43:03 10.5.1.90 10.1.3.5 ip:icmp 74 1
ether2 1.927 12 -> 2C:C8:1B:A1:E4:68 8C:8C:AA:8C:43:03 210 10.5.1.90 10.1.3.5 ip:icmp 78 1
ether2 2.872 13 <- 40:F0:78:E1:CB:85 2C:C8:1B:A1:E4:68 10.1.0.13 10.5.1.90 ip:icmp 74 0
VLAN200 2.872 14 -> 2C:C8:1B:A1:E4:68 14:02:EC:05:32:31 10.5.1.90 10.1.0.13 ip:icmp 74 0
ether2 2.872 15 -> 2C:C8:1B:A1:E4:68 14:02:EC:05:32:31 200 10.5.1.90 10.1.0.13 ip:icmp 78 0
ether2 2.946 16 <- 40:F0:78:E1:CB:85 2C:C8:1B:A1:E4:68 10.1.3.5 10.5.1.90 ip:icmp 74 1
VLAN210 2.946 17 -> 2C:C8:1B:A1:E4:68 8C:8C:AA:8C:43:03 10.5.1.90 10.1.3.5 ip:icmp 74 1
ether2 2.946 18 -> 2C:C8:1B:A1:E4:68 8C:8C:AA:8C:43:03 210 10.5.1.90 10.1.3.5 ip:icmp 78 1
ether2 3.877 19 <- 40:F0:78:E1:CB:85 2C:C8:1B:A1:E4:68 10.1.0.13 10.5.1.90 ip:icmp 74 0
VLAN200 3.878 20 -> 2C:C8:1B:A1:E4:68 14:02:EC:05:32:31 10.5.1.90 10.1.0.13 ip:icmp 74 0
ether2 3.878 21 -> 2C:C8:1B:A1:E4:68 14:02:EC:05:32:31 200 10.5.1.90 10.1.0.13 ip:icmp 78 0
ether2 3.962 22 <- 40:F0:78:E1:CB:85 2C:C8:1B:A1:E4:68 10.1.3.5 10.5.1.90 ip:icmp 74 1
VLAN210 3.962 23 -> 2C:C8:1B:A1:E4:68 8C:8C:AA:8C:43:03 10.5.1.90 10.1.3.5 ip:icmp 74 1
ether2 3.962 24 -> 2C:C8:1B:A1:E4:68 8C:8C:AA:8C:43:03 210 10.5.1.90 10.1.3.5 ip:icmp 78 1

Edit: Now it's even crazier. ip-forward is no and the firewall rule is set. And it's still sending the reply ICMP from VLAN 210.

0 chain=forward action=drop in-interface=all-vlan out-interface=all-vlan log=no log-prefix=""
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Fri Dec 10, 2021 6:41 pm

One important detail: if you're communicating with the router itself, it's not inter-vlan routing. In fact, it's not any routing. It doesn't matter that you're in one vlan, and the router's address you use is in another. In this case, the router doesn't route anything, it just behaves as a multi-homed host. It receives the request via one interface, but responds via another, because that's where the route points to.

It also explains why disabled forwarding doesn't change anything, and why you can't succeed with anything in chain=forward, because this traffic will never go there. As you can see in this nice diagram:

https://wiki.mikrotik.com/wiki/Manual:P ... ng_Diagram
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Fri Dec 10, 2021 9:20 pm

To make it do what you want, this should do the trick:
/ip route
add dst-address=0.0.0.0/0 gateway=10.5.1.1 routing-mark=gw
/ip route rule
add src-address=10.1.6.9/32 dst-address=10.1.6.0/24 action=lookup table=main
add src-address=10.1.6.9/32 action=lookup table=gw
Add the same rules for the router's other addresses and subnets.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Sat Dec 11, 2021 2:08 am

So create a route for every subnet I need to access from?
Do I give a new name for every new mark?
/ip route
add dst-address=0.0.0.0/0 gateway=10.5.1.1 routing-mark=gw
/ip route
add dst-address=0.0.0.0/0 gateway=10.5.1.1 routing-mark=gw2

And so on…?
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Sat Dec 11, 2021 10:57 am

Add this set of two rules for each of the router's addresses whose packets to other subnets you want sent via GW, instead of directly via other interfaces.

Just understand what they do and it should be clear. Both apply when the source is the router's address in a given subnet. First rule says that if destination is the same subnet, it should be looked up in main routing table, which contains connected routes, so it will find local interface with that subnet. Second is for any other destination, which will be looked up in the new routing table, which contains only one route via GW, so everything will go there.

Route can be common for all, it's the same gateway, there's no need to duplicate it.

I wonder if there's any other way. I tried to play with VRF, which I want to learn, but did not have any success with that.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: prevent asymmetric routing when accessing the management IP address

Sat Dec 11, 2021 3:31 pm

I tried to play with VRF, which I want to learn, but did not have any success with that.
OMFS(ob) you are not a GOD? :-( I may have to burn my Sob Shrine. :-)
MTUNA Revelations Chapter 10...... new addition, List of Strike Down Thee Pagan MT Gods
(better known as the list of "I am not worthy" to know them, the list is dwindling, I still see a pretty pony though).
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Sat Dec 11, 2021 3:49 pm

@anav: I don't know if you have the same saying, but "among the blind, one-eyed is king", in other words, you don't have to be all-knowing god to impress some people. ;)
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Sat Dec 11, 2021 6:43 pm

So if I understand you correctly

add src-address=10.1.6.9/32 action=lookup table=gw

Is to remedy the asymmetric part.

The packet goes from my laptop (10.1.6.x) to 10.5.1.90. My firewall receives it and sends it to the Eth2 interface of the RB. But to send it back, instead of the RB sending it straight from its 10.1.6.9 interface to my laptop, the above rule makes it send to the firewall (10.5.1.1).

Did I get that right? So I need a rule for every subnet I would be planning to connect from?

Then why do I need the first rule? If I’m connecting from the Wi-Fi subnet of the laptop to the RB’s Wi-Fi interface IP (10.1.6.9) the packet would go straight and back, without any routing.

Also another question. Do I remove the default gateway static route in the main table that I already had?
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Sat Dec 11, 2021 7:54 pm

First rule (src-address=10.1.6.9/32 dst-address=10.1.6.0/24 action=lookup table=main), as you can see, is for same subnet as the given address belongs to. It's for when some 10.1.6.X device wants to communicate with router's 10.1.6.9, you want to send packets to it directly. Without this rule and only with the second one, even this would be sent to GW, creating yet another asymmetric routing.

You need this set of two rules for each subnet that should behave this way.

Current default route should not be required anymore, but I'm not completely sure if something might need it anyway. But I'm a big fan of the trial & error approach, so just try it and see if it breaks anything or not. Or keep it, it shouldn't make any problems.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Sun Dec 12, 2021 12:13 am

Sorry, but I tried and none of the commands worked on RouterOS 7.1.
I created a new table "gw" and added it to the FIB. Then created the route. Are the two equivalent?
add dst-address=0.0.0.0/0 gateway=10.5.1.1 routing-table=gw
add dst-address=0.0.0.0/0 gateway=10.5.1.1 routing-mark=gw 
/ip route rule isn't there at all, so I couldn't add the rules in the CLI. I added them in the web GUI, but connecting to 10.5.1.90 from 10.1.6.x still doesn't work.

Thanks in advance
Last edited by garegin on Sun Dec 12, 2021 12:27 am, edited 1 time in total.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Sun Dec 12, 2021 12:23 am

You're a bit ahead with 7.1, but it should be mostly the same. Routes renamed the parameter for the routing table, as you found. And routing rules moved to /routing/rule.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Sun Dec 12, 2021 12:46 am

Entering the web admin of 10.5.1.90 still doesn't work. I can only enter 10.1.6.9 from wifi or 10.1.3.9 from ethernet.
/interface vlan
add interface=ether2 name=VLAN12 vlan-id=12
add interface=ether2 name=VLAN100-phones vlan-id=100
add interface=ether2 name=VLAN200 vlan-id=200
add interface=ether2 name=VLAN205 vlan-id=205
add interface=ether2 name=VLAN206 vlan-id=206
add interface=ether2 name=VLAN210 vlan-id=210
add interface=ether2 name=VLAN220 vlan-id=220
add interface=ether2 name=VLAN250 vlan-id=250
add interface=ether2 name=VLAN260 vlan-id=260
add interface=ether2 name=VLAN270 vlan-id=270
add interface=ether2 name=VLAN280 vlan-id=280
add interface=ether2 name=VLAN290 vlan-id=290
add interface=ether2 name=VLAN300 vlan-id=300
add interface=ether2 name=VLAN310 vlan-id=310
add interface=ether2 name=VLAN320 vlan-id=320
add interface=ether2 name=VLAN330-WiFiguest vlan-id=330
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=42 name=time value="'10.5.7.11'"
add code=156 name=bootstring value="'ftpservers=10.5.7.11,configservers=10.5.7.11'"
/ip dhcp-server option sets
add name=phones options=time,bootstring
/ip pool
add name=dhcp_pool1 ranges=10.1.8.10-10.1.8.200
add name=dhcp_pool2 ranges=10.5.1.101-10.5.1.199
add name=dhcp_pool3 ranges=10.5.2.10-10.5.2.90
add name=dhcp_pool4 ranges=10.1.0.11-10.1.0.240
add name=dhcp_pool5 ranges=10.1.1.10-10.1.1.120
add name=dhcp_pool6 ranges=10.1.2.10-10.1.3.9
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN330-WiFiguest name=dhcp-vlan330-WiFiguest
add address-pool=dhcp_pool2 disabled=yes interface=ether2 name=dhcp-VLAN1
add address-pool=dhcp_pool3 interface=VLAN100-phones name=dhcp-VLAN100-phones
add address-pool=dhcp_pool4 disabled=yes interface=VLAN200 name=dhcp-VLAN200-server
add address-pool=dhcp_pool5 disabled=yes interface=VLAN205 name=dhcp-VLAN205-facilitymgmt
add address-pool=dhcp_pool6 disabled=yes interface=VLAN210 name=dhcp-VLAN210-clients
/port
set 0 name=serial0
/routing table
add disabled=no fib name=gw
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set ip-forward=no max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/ip address
add address=10.5.1.90/24 interface=ether2 network=10.5.1.0
add address=10.1.8.9/24 interface=VLAN330-WiFiguest network=10.1.8.0
add address=10.1.1.9/25 interface=VLAN205 network=10.1.1.0
add address=10.5.2.9/24 interface=VLAN100-phones network=10.5.2.0
add address=10.1.0.9/24 interface=VLAN200 network=10.1.0.0
add address=10.1.3.9/23 interface=VLAN210 network=10.1.2.0
add address=10.1.13.9/24 interface=VLAN280 network=10.1.13.0
add address=10.1.6.9/24 interface=VLAN310 network=10.1.6.0
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=10.1.0.10,10.0.96.86 gateway=10.1.0.254
add address=10.1.1.0/25 dns-server=10.1.0.10,10.0.96.86 gateway=10.1.1.126
add address=10.1.2.0/23 dns-server=10.1.0.10,10.0.96.86 gateway=10.1.3.254
add address=10.1.8.0/24 dns-server=208.67.220.220,208.67.222.222 gateway=10.1.8.254
add address=10.5.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.5.1.1
add address=10.5.2.0/24 dhcp-option-set=phones dns-server=10.1.0.10,10.0.96.86 gateway=10.5.2.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=drop chain=forward in-interface=all-vlan out-interface=all-vlan
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.5.1.1 pref-src="" routing-table=main \
    suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=10.5.1.1 routing-table=gw
/routing rule
add action=lookup dst-address=10.1.6.0/24 src-address=10.1.6.9/32 table=main
add action=lookup src-address=10.1.6.9/32 table=gw
/system clock
set time-zone-name=America/Chicago
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Sun Dec 12, 2021 1:02 am

You added rules for 10.1.6.9, they don't affect 10.5.1.90. And ok, it's partly my fault, because I chose that subnet as example, but forgot that you're testing from 10.1.6.95.

Try these:
/routing rule
add action=lookup src-address=10.5.1.90/32 dst-address=10.5.1.0/24 table=main
add action=lookup src-address=10.5.1.90/32 table=gw
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Sun Dec 12, 2021 2:59 am

Thanks. Also, do you know why the route that’s in the gw table doesn’t show up in IP/routes in the GUI. I have to do a “print” from the CLI.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Sun Dec 12, 2021 3:24 am

It should be there, and all routes show up on the one 7.1 I have for testing. But given that 7.1 is quite new, and there are several non-polished things, it's possible that this could be another. You can try to remove the route, add it again using GUI, and see if it makes a difference.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Tue Dec 14, 2021 5:19 am

Ok. I tried today and it didn’t work. Should I add the routing table to the FIB or not?
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Tue Dec 14, 2021 3:56 pm

Probably yes (all examples I've seen had it, and I'm still looking for an explanation why I may not want it). In any case, you can always try both, that's not too many. And why it doesn't work, I don't know, it worked here. Admittedly, not with v7, so I'll try to test it later.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Tue Dec 14, 2021 6:51 pm

I don't see any problem with v7 either, so you'll need to look closely at what happens. For example with some helpful logging rules:
/ip firewall mangle
add action=log chain=prerouting dst-address=10.5.1.90 dst-port=8291 protocol=tcp
add action=log chain=output protocol=tcp src-address=10.5.1.90 src-port=8291
add action=log chain=postrouting protocol=tcp src-address=10.5.1.90 src-port=8291
Without routing rules, you should see incoming request on one interface and outgoing response on another (where client is connected):

prerouting: in:ether2 out:(unknown 0), proto TCP (SYN), 10.1.6.95:58727->10.5.1.90:8291, len 52
output: in:(unknown 0) out:VLAN310, proto TCP (SYN,ACK), 10.5.1.90:8291->10.1.6.95:58727, len 52
postrouting: in:(unknown 0) out:VLAN310, proto TCP (SYN,ACK), 10.5.1.90:8291->10.1.6.95:58727, len 52

Enable routing rules for target address (here 10.5.1.90) and outgoing interface should be the one with GW:

prerouting: in:ether2 out:(unknown 0), proto TCP (SYN), 10.1.6.95:58727->10.5.1.90:8291, len 52
output: in:(unknown 0) out:ether2, proto TCP (SYN,ACK), 10.5.1.90:8291->10.1.6.95:58727, len 52
postrouting: in:(unknown 0) out:ether2, proto TCP (SYN,ACK), 10.5.1.90:8291->10.1.6.95:58727, len 52
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Tue Dec 14, 2021 8:01 pm

Ok, figured it out. It was doing asymmetric routing again. I had to give the route the same gateway as the interface that the ICMP request is coming from.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Tue Dec 14, 2021 8:09 pm

Yeah, you're right, it's my simplified testing setup. I fixed router responding to client directly, but because of common gateway, responses sent to upstream router used wrong interface.
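Working through Sob's two-rule scheme (rules per router address, same subnet via main, everything else via a gw table) together with the correction just above (the gw route must use the gateway on the interface the request arrived on), here is a small Python model. It is an added example, not RouterOS code and not anything the posters ran: it reproduces RouterOS-style rule matching on the reply's source address followed by longest-prefix lookup in the chosen table, and reports which interface and gateway a reply leaves on. Router addresses, connected prefixes and per-subnet gateways are taken from the config export and DHCP network entries in this thread; the table names `gw-<interface>` and the helper names are my own.

```python
from ipaddress import ip_address, ip_network

# Router addresses from the thread's config export: address -> (interface,
# connected prefix, default gateway handed out by DHCP on that subnet).
# Constructed subset of the router's VLANs; enough to reproduce the behaviour.
ROUTER = {
    "10.5.1.90": ("ether2",  "10.5.1.0/24", "10.5.1.1"),
    "10.1.6.9":  ("VLAN310", "10.1.6.0/24", "10.1.6.254"),
    "10.1.3.9":  ("VLAN210", "10.1.2.0/23", "10.1.3.254"),
}

def connected_routes():
    """DAc routes: one per interface, no gateway (directly attached)."""
    return {prefix: (iface, None) for iface, prefix, _ in ROUTER.values()}

def lookup(table, dst):
    """Longest-prefix match inside one routing table.
    Returns (out_interface, gateway or None), or None when nothing matches."""
    best = None
    for prefix, (iface, gw) in table.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, gw)
    return None if best is None else (best[1], best[2])

def reply_egress(src, dst, tables, rules):
    """Routing decision for a packet the router itself sends (output chain):
    the first routing rule matching src (and dst, if the rule has one)
    selects the table; otherwise 'main' is used."""
    table = "main"
    for rule_src, rule_dst, rule_table in rules:
        if ip_address(src) not in ip_network(rule_src):
            continue
        if rule_dst is not None and ip_address(dst) not in ip_network(rule_dst):
            continue
        table = rule_table
        break
    return lookup(tables[table], dst)

def main_only():
    """Original setup: connected routes plus one default route via 10.5.1.1."""
    tables = {"main": {**connected_routes(), "0.0.0.0/0": ("ether2", "10.5.1.1")}}
    return tables, []

def common_gw():
    """Sob's first suggestion: a single 'gw' table via 10.5.1.1, plus the
    two rules per router address (same subnet -> main, anything else -> gw)."""
    tables, _ = main_only()
    tables["gw"] = {"0.0.0.0/0": ("ether2", "10.5.1.1")}
    rules = []
    for addr, (_, prefix, _) in ROUTER.items():
        rules.append((addr + "/32", prefix, "main"))
        rules.append((addr + "/32", None, "gw"))
    return tables, rules

def per_subnet_gw():
    """What garegin landed on: each address's table defaults to the gateway
    on its own interface (table names 'gw-<iface>' are an assumption)."""
    tables, _ = main_only()
    rules = []
    for addr, (iface, prefix, gw) in ROUTER.items():
        tables["gw-" + iface] = {"0.0.0.0/0": (iface, gw)}
        rules.append((addr + "/32", prefix, "main"))
        rules.append((addr + "/32", None, "gw-" + iface))
    return tables, rules

if __name__ == "__main__":
    cases = (("10.5.1.90", "10.1.6.95"),   # laptop on Wi-Fi reaching ether2 address
             ("10.1.6.9", "10.1.3.5"),     # wired client reaching the Wi-Fi VLAN address
             ("10.1.6.9", "10.1.6.95"))    # same-subnet client, must stay direct
    for name, setup in (("main only", main_only), ("common gw", common_gw),
                        ("per-subnet gw", per_subnet_gw)):
        tables, rules = setup()
        for src, dst in cases:
            print(f"{name:14} reply {src} -> {dst}: {reply_egress(src, dst, tables, rules)}")
```

Running it shows the three states of the thread in one table: with main only, the reply from 10.5.1.90 to 10.1.6.95 leaves VLAN310 directly (the asymmetry the DG's stateful firewall rejects); with the common gw table it leaves ether2 via 10.5.1.1, but a reply from 10.1.6.9 to a wired client also leaves ether2, which is the wrong interface for that subnet's gateway; with one table per subnet that reply leaves VLAN310 via 10.1.6.254, while the first rule still keeps same-subnet replies direct.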
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Wed Dec 15, 2021 12:24 am

For the last part: how can I restrict the management interface to only 10.5.1.90? I don't want the interface to be available for every subnet, even though it's password protected. So that the wifi users can't see the web login on 10.1.6.9, and so on...
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Wed Dec 15, 2021 12:50 am

You can limit service availability in /ip/service, but the port will still show as open, even if it won't allow access. Or use firewall filter.
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Fri Dec 17, 2021 4:32 pm

Can you please help me out with the firewall filter rule. I want to block winbox, ssh and web access on those other interfaces, but not other traffic, because my DHCP clients are on it. I’m assuming I have to make an interface list that includes all those interfaces other than 10.5.1.90

Thanks
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: prevent asymmetric routing when accessing the management IP address

Fri Dec 17, 2021 8:00 pm

I prefer to allow selected things and block everything else. This way it's easier to not leave something allowed by mistake. For example:
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
# things to allow:
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=10.5.1.90 dst-port=22,80,443,8291 in-interface=ether2 protocol=tcp
# block the rest:
add action=log chain=input comment=BLOCK
add action=reject chain=input disabled=yes reject-with=icmp-admin-prohibited
Start like this, with the last rule disabled. Test all things that should work (mainly access to admin interface from where it should be allowed) and check that they don't get logged with BLOCK prefix. If you find out that you forgot to allow something, add it. Once everything is ok, it's safe to enable last rule, which will block everything else.

If you have ip-forward=no, then chain=forward rules are not needed.

And the DHCP server uses raw sockets, so it doesn't care about the firewall.
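To see what Sob's allow-list does before the final reject is enabled, here is a Python dry-run I added (a constructed example, not RouterOS code and not from the thread). It walks the rules above in order with RouterOS filter semantics (log records the packet and continues; accept, drop and reject terminate; a packet that matches no terminating rule falls off the chain and is accepted by the default input policy) over a few constructed packets. The packet field names and the rule encoding are mine.

```python
# Input-chain rules in the order of the post: (match criteria, action, disabled).
# A set-valued criterion means "any of these values".
RULES = [
    ({"connection_state": {"established", "related", "untracked"}}, "accept", False),
    ({"connection_state": {"invalid"}}, "drop", False),
    ({"protocol": "icmp"}, "accept", False),
    ({"dst_address": "10.5.1.90", "dst_port": {22, 80, 443, 8291},
      "in_interface": "ether2", "protocol": "tcp"}, "accept", False),
    ({}, "log", False),     # comment=BLOCK: logs and keeps going
    ({}, "reject", True),   # disabled until the BLOCK log shows nothing legitimate
]

# Constructed packets as the input chain would see them (fields not used by
# the rules are omitted). Addresses match the thread's topology.
ADMIN_WINBOX = {"in_interface": "ether2", "protocol": "tcp", "src_address": "10.1.6.95",
                "dst_address": "10.5.1.90", "dst_port": 8291, "connection_state": "new"}
WIFI_WINBOX = {"in_interface": "VLAN310", "protocol": "tcp", "src_address": "10.1.6.95",
               "dst_address": "10.1.6.9", "dst_port": 8291, "connection_state": "new"}
PING = {"in_interface": "VLAN310", "protocol": "icmp", "src_address": "10.1.6.95",
        "dst_address": "10.1.6.9", "connection_state": "new"}
REPLY_DATA = {"in_interface": "ether2", "protocol": "tcp", "src_address": "10.1.6.95",
              "dst_address": "10.5.1.90", "dst_port": 8291, "connection_state": "established"}

def matches(criteria, pkt):
    """Every criterion must hold; an empty criteria dict matches everything."""
    for key, want in criteria.items():
        have = pkt.get(key)
        if isinstance(want, set):
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def evaluate(pkt, enable_final=False):
    """Walk the chain. Returns (verdict, logged). 'passthrough' means no
    terminating rule matched, which RouterOS accepts by default."""
    logged = False
    for criteria, action, disabled in RULES:
        if disabled and not enable_final:
            continue
        if not matches(criteria, pkt):
            continue
        if action == "log":
            logged = True
            continue
        return action, logged
    return "passthrough", logged

if __name__ == "__main__":
    for name, pkt in (("admin winbox via ether2", ADMIN_WINBOX),
                      ("winbox to 10.1.6.9 from Wi-Fi", WIFI_WINBOX),
                      ("ping", PING), ("established reply", REPLY_DATA)):
        print(f"{name:32} test phase: {evaluate(pkt)}   final: {evaluate(pkt, True)}")
```

The interesting pair is the two Winbox packets from the same laptop: the one that reached 10.5.1.90 through the DG arrives on ether2 and is accepted, while the one aimed straight at 10.1.6.9 on VLAN310 only gets logged with BLOCK during the test phase and is rejected once the last rule is enabled. That is exactly the split the thread wants, and it is the firewall rather than a `/ip service` address restriction that makes the port stop answering. If the admin subnet is known, adding `src-address=` to the accept rule narrows it further.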
 
garegin
just joined
Topic Author
Posts: 21
Joined: Wed Oct 13, 2021 5:28 pm

Re: prevent asymmetric routing when accessing the management IP address

Tue Dec 21, 2021 12:23 am

I think we nailed it. Awesome sauce.
