If I unplug the ISP cable from ether1 and plug a PC in there, the PC gets a LAN IP assigned, but I want that port to only accept the DHCP client request for the ISP.
DHCP is running on the bridge, and ether1 belongs to the bridge; I believe that is why the PC gets an IP assigned once it is plugged into that port.
I was trying to move the LAN to its own VLAN, but that did not really help.
I needed to reset my router, so I hope the config is fine and is the same as it was.
Update: the current config is working as expected; the internal LAN cannot be reached through ether1.
Current config:
/interface bridge
# One bridge with VLAN filtering enabled; every L3 interface below hangs off a VLAN of this bridge.
add admin-mac=***** auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
# Portless bridge used only to hold the VPN-pool gateway address (10.0.70.1/24, see /ip address).
add name=bridge-loopback
/interface vlan
# VLAN 10 = LAN side (DHCP server and 192.168.100.254/24 live here); VLAN 11 = ISP uplink (the DHCP client lives here).
add interface=bridge name=landata-vl10 vlan-id=10
add comment=wandata interface=bridge name=wandata-vl11 vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip ipsec policy group
add name="group 2.2.2.2"
/ip ipsec profile
# NOTE(review): modp1024 and aes-128 are still offered; confirm a connecting client actually needs them before keeping the weakest entries.
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name="profile 2.2.2.2"
/ip ipsec peer
# IKEv2 responder (passive=yes) bound to the public address 2.2.2.2; it never initiates.
add exchange-mode=ike2 local-address=2.2.2.2 name="peer 2.2.2.2" \
passive=yes profile="profile 2.2.2.2"
/ip ipsec proposal
# NOTE(review): sha1 remains in auth-algorithms and pfs-group=none disables PFS; keep only if a client requires it.
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
lifetime=8h name="proposal 2.2.2.2" pfs-group=none
/ip pool
add name=dhcp ranges=192.168.100.100-192.168.100.120
add name="vpn pool" ranges=10.0.70.2-10.0.70.25
/ip dhcp-server
# Bound to the LAN VLAN interface rather than the bare bridge, so only ports untagged into VLAN 10 can obtain a lease.
add address-pool=dhcp interface=landata-vl10 name="LAN DHCP"
/ip ipsec mode-config
# split-include=0.0.0.0/0 hands road-warrior clients a full-tunnel default route.
add address-pool="vpn pool" address-prefix-length=32 name=\
"modeconf 2.2.2.2" split-include=0.0.0.0/0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
# LAN ports and both radios are access ports in VLAN 10; ether1 is an access port in VLAN 11 (ISP).
add bridge=bridge comment=defconf interface=ether2 pvid=10
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=wlan1 pvid=10
add bridge=bridge comment=defconf interface=wlan2 pvid=10
add bridge=bridge interface=ether1 pvid=11
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# VLAN 11 (ISP) is untagged only on ether1 and reaches the router CPU tagged via the bridge itself.
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=11
# VLAN 6 is passed tagged between ether1 and ether5 only and has no /interface vlan on the router.
# NOTE(review): presumably an ISP service (IPTV or similar) handed through to ether5 — confirm it is still needed, since it bridges an ISP VLAN straight onto a LAN port.
add bridge=bridge tagged=ether1,ether5 vlan-ids=6
#untag vlan10 only for these specific interfaces
# ether1 is deliberately not a member here, so VLAN 10 (LAN) never leaves the ISP port.
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,wlan1,wlan2 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wandata-vl11 list=WAN
add interface=landata-vl10 list=LAN
/interface ovpn-server server
# NOTE(review): md5 is still an accepted auth; no enabled=yes appears in this export, so the server is presumably off — drop md5 before ever enabling it.
set auth=sha1,md5
/ip address
add address=192.168.100.254/24 interface=landata-vl10 network=192.168.100.0
add address=10.0.70.1/24 interface=bridge-loopback network=10.0.70.0
/ip dhcp-client
# The ISP lease is requested on the VLAN 11 interface, not on ether1 directly.
add interface=wandata-vl11 use-peer-dns=no
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.254,1.1.1.2 gateway=\
192.168.100.254
/ip dns
# The router resolves for the LAN; the input-chain rules in /ip firewall filter drop port 53 arriving from WAN-list interfaces.
set allow-remote-requests=yes servers=1.1.1.2
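/ip firewall filter
# Refuse recursive DNS from the Internet: allow-remote-requests=yes is meant for the LAN only.
add action=drop chain=input connection-state=established,related,new \
dst-port=53 in-interface-list=WAN log=yes protocol=udp
add action=drop chain=input connection-state=established,related,new \
dst-port=53 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# IKEv2 responder rules. They must come BEFORE the "drop all not coming from LAN"
# rule; the original export had that drop once above them (shadowing them, so WAN
# peers could never reach IKE or ESP) and once below them.
add action=accept chain=input comment=\
"Allow UDP 500,4500IPSec for 2.2.2.2" dst-address=2.2.2.2 \
dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp for 2.2.2.2" \
dst-address=2.2.2.2 protocol=ipsec-esp
add action=accept chain=input comment=\
"IKE2: Allow ALL incoming traffic from 10.0.70.0/24 to this RouterOS" \
ipsec-policy=in,ipsec src-address=10.0.70.0/24
# Single catch-all for the input chain (the export listed it twice).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# The two IKE2 forward accepts below are already covered by "accept in ipsec policy"
# above and so never match; kept only as a statement of intent.
add action=accept chain=forward comment=\
"IKE2: Allow ALL forward traffic from 10.0.70.0/24 to HOME network" \
dst-address=192.168.100.0/24 ipsec-policy=in,ipsec src-address=10.0.70.0/24
add action=accept chain=forward comment=\
"IKE2: Allow ALL forward traffic from 10.0.70.0/24 to ANY network" \
dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.0.70.0/24
# Anything new from a WAN-list interface (ether1 or VLAN 11) that was not DST-NATed is dropped.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN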
/ip firewall mangle
# Clamp TCP MSS to 1360 in both directions for traffic that will be IPsec-encapsulated,
# so encrypted packets stay under the WAN MTU. tcp-mss=!0-1360 limits the rewrite to
# SYNs that advertise a larger MSS.
add action=change-mss chain=forward comment=\
"IKE2: Clamp TCP MSS from 10.0.70.0/24 to ANY" ipsec-policy=in,ipsec \
new-mss=1360 passthrough=yes protocol=tcp src-address=10.0.70.0/24 \
tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
"IKE2: Clamp TCP MSS from ANY to 10.0.70.0/24" dst-address=10.0.70.0/24 \
ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp \
tcp-flags=syn tcp-mss=!0-1360
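/ip firewall nat
# VPN-pool clients leaving via the ISP VLAN are NATed to the fixed public address. This rule
# must precede the generic masquerade: in the export it came after it, and since masquerade
# on a WAN-list interface is terminating and matches the same packets, it was never reached.
# NOTE(review): assumes 2.2.2.2 is the address wandata-vl11 actually holds — the same
# assumption the IPsec peer's local-address already makes.
add action=src-nat chain=srcnat comment=\
"SRC-NAT IKE2:10.0.70.0/24 --> ether1 traffic" ipsec-policy=out,none \
out-interface=wandata-vl11 src-address=10.0.70.0/24 to-addresses=\
2.2.2.2
# Everything else leaving a WAN-list interface is masqueraded; ipsec-policy=out,none keeps
# packets that are about to be IPsec-encrypted un-NATed. The export held a second identical
# masquerade (with log=yes) after this one; it could never match and has been removed.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN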
/ip ipsec policy
# Template policy (any source -> VPN pool); per-client policies are generated from it for peers in "group 2.2.2.2".
add dst-address=10.0.70.0/24 group="group 2.2.2.2" proposal=\
"proposal 2.2.2.2" src-address=0.0.0.0/0 template=yes
/ip service
# Plaintext and API management services are off. www, ssh and winbox are not shown here, so they
# keep whatever state they had — NOTE(review): consider an address= restriction on those if enabled.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 dhcp-client
# Disabled (IPv6 is off in /ipv6 settings). NOTE(review): it still references ether1 rather than
# wandata-vl11; if IPv6 is ever re-enabled, move it to the VLAN 11 interface like the IPv4 client.
add disabled=yes interface=ether1 pool-name=wan-ipv6 request=prefix \
use-peer-dns=no
/routing igmp-proxy
set quick-leave=yes
/tool mac-server
# MAC-telnet and MAC-Winbox answer only on LAN-list interfaces, so nothing on ether1/VLAN 11 can reach them.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN