One bridge, three vlans.
a. home wifi and home wired - vlan 10
b. guest wifi - vlan 20
c. management - vlan 99
Each vlan is identified to the bridge.
Each vlan gets an IP pool, a dhcp-server and a dhcp-server network.
Assign ether ports in /interface bridge port as part of the bridge, identified as either trunk, access or hybrid ports.
Assign vlans accordingly in /interface bridge vlan.
Since Unifi APs by default seem to want the management vlan untagged and the rest of the vlans tagged, it will require a hybrid port.
RB5009
ether1 - wan
ether2 - UNK
ether3 - hybrid port to unifi (untagged vlan 99, tagged 10,20 - assuming you want the unifi to provide two wlans)
ether3 - UNK
If any ether ports are going to a managed switch they will be trunk ports, carrying at least vlan99 and likely vlan10.
The rest of the ether ports, if used for LAN, will be access ports untagged for vlan10.
All smart devices attached to the router (APs, managed switches) get their IP address from the management vlan.
Just hand out the password for the guest SSID to guests.........
Via firewall rules one allows guests to only go to the internet (forward chain).
+++++++++++++++
ex.
/interface bridge port
add bridge=bridge interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# hybrid port: untagged vlan 99 (pvid), tagged 10 and 20, so it must admit all frame types
add bridge=bridge interface=ether3 pvid=99 ingress-filtering=yes frame-types=admit-all
add bridge=bridge interface=ether4 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether6 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 untagged=ether2,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether3 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether3,ether6 vlan-ids=99
.....
The idea here is that ether2, 4-6 are access ports, which can have one untagged vlan. Ether3 is a hybrid port, allowing one untagged vlan and as many tagged vlans as necessary.
I added an access port on ether6 in case you wanted a separate port on the router to log in as admin directly on the management port.
It's not really required, as you can always allow yourself, on the trusted LAN, to access the management LAN.
Instead I recommend taking an unused port like ether7 and simply assigning an IP address to it, that's all, and ensuring it is NOT identified as being part of the bridge,
like 192.168.5.1/24 and nothing else. You will be able to access the router in an emergency, or simply configure the router at all times, by plugging your laptop into this port and setting your ipv4 nic card to an IP of 192.168.5.5 for example.
viewtopic.php?t=181718
As for firewall rules, something like:
/ip firewall filter
# Input Chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# adminPC is a placeholder; or use src-address-list= covering all admin devices (desktop, laptop, ipad, smartphone, off-bridge IP)
add action=accept chain=input in-interface-list=Manage src-address=adminPC
add action=accept chain=input dst-port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input dst-port=53 protocol=udp in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
............
Where:
/interface list
add name=WAN
add name=LAN
add name=Manage
/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan99 list=LAN
add interface=vlan10 list=Manage
add interface=vlan99 list=Manage
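Added example, not part of the post above: the pieces the post describes in words but does not show as commands, namely the vlan interfaces on the bridge, their addresses, pools, DHCP servers and networks, the off-bridge ether7 emergency port, and the final step of turning on vlan-filtering. The subnets 192.168.10/20/99.0/24, the pool ranges and the dhcp server names are assumptions chosen for the example.

```routeros
# Added example (not from the post). Subnets, pool ranges and names are assumptions.
/interface bridge
add name=bridge vlan-filtering=no comment="turn vlan-filtering on only after port and vlan tables exist"

# one L3 vlan interface per vlan, all hanging off the bridge (the bridge itself is tagged in every vlan)
/interface vlan
add interface=bridge name=vlan10 vlan-id=10 comment="home wifi + wired"
add interface=bridge name=vlan20 vlan-id=20 comment="guest wifi"
add interface=bridge name=vlan99 vlan-id=99 comment="management"

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.99.1/24 interface=vlan99
# ether7 is deliberately NOT listed in /interface bridge port: a plain routed port for emergency admin access
add address=192.168.5.1/24 interface=ether7

/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.200
add name=pool20 ranges=192.168.20.100-192.168.20.200
add name=pool99 ranges=192.168.99.100-192.168.99.150

/ip dhcp-server
add address-pool=pool10 interface=vlan10 name=dhcp10
add address-pool=pool20 interface=vlan20 name=dhcp20
add address-pool=pool99 interface=vlan99 name=dhcp99

# each network hands out its own vlan gateway as DNS, which the input-chain dst-port=53 rules permit
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1

# the off-bridge port counts as an admin source for the input-chain accept rule (in-interface-list=Manage)
/interface list member
add interface=ether7 list=Manage

# last step, ideally inside safe mode (Ctrl-X in the terminal), once /interface bridge port and
# /interface bridge vlan are populated, so a mistake in the vlan table does not lock you out
/interface bridge
set bridge vlan-filtering=yes
```

Order matters: with vlan-filtering=yes and an empty or wrong vlan table, the bridge drops the management traffic you are administering over, which is exactly why the off-bridge ether7 address is worth having before the switch is flipped.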