5009Owner
newbie
Topic Author
Posts: 35
Joined: Sun Jan 09, 2022 9:09 am

Access Point connected to the router port.

Thu Sep 15, 2022 2:26 pm

Hello again.

I would like to have comments about my config.

My idea is:

Eth1 is WAN
Eth2-7 are LAN
Eth8 is MGMT (for management, configuration).

As You can see, there is a VLAN for each interface Eth2-Eth7.

All VLANs have their own dhcp-server, address pool, IP-addresses and so on.

Eth6, there is a Zyxel Access Point connected with 2 SSIDs. (VLAN-capable).
Both SSIDs have their own VLAN (60 and 65).

In firewall, there is a rule to allow Zyxel-configuration. (Zyxel and config-PC have fixed addresses).

I'm a bit worried about the Bridge section. Is my idea correct for getting VLAN 60 and 65 to the Zyxel?
And is there something missing, or is it possible to do this more simply?
At this point I don't want to get headache about bogons and so on and how to deal with them.
I want to get this part of the config "perfect" first.

In one of my earlier posts, I said I would get a fiber connection later. The operator sent a message that there is a "delay". Nice.
So I have not been testing this config in real world.
Anyway, firewall rule for Zyxel-configuration seems to be working, I can get connection to the AP from Eth8.

Waiting for Your intelligent comments....


# sep/15/2022 13:16:33 by RouterOS 7.5
# software id = XXXXX
#
# model = RB5009UG+S+
# serial number = XXXXX

/interface bridge
add ingress-filtering=no name=BR1 protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=BR1 name=M_LAPTOP_VLAN vlan-id=30
add interface=BR1 name=OMALAPTOP_VLAN vlan-id=40
add interface=BR1 name=OMA_PC_VLAN vlan-id=20
add interface=BR1 name=PI_VLAN vlan-id=50
add interface=BR1 name=TV_VLAN vlan-id=70
add interface=ether6 name=WLAN_BOX_SSID1_VLAN vlan-id=60
add interface=ether6 name=WLAN_BOX_SSID2_VLAN vlan-id=65

/interface list
add name=WAN
add name=LAN
add name=MGMT

/ip pool
add name=OMA_PC_POOL ranges=10.0.20.2-10.0.20.254
add name=M_LAPTOP_POOL ranges=10.0.30.2-10.0.30.254
add name=OMALAPTOP_POOL ranges=10.0.40.2-10.0.40.254
add name=PI_POOL ranges=10.0.50.2-10.0.50.254
add name=WLAN_BOX_SSID1_POOL ranges=10.0.60.2-10.0.60.254
add name=TV_POOL ranges=10.0.70.2-10.0.70.254
add name=WLAN_BOX_SSID2_POOL ranges=10.0.65.2-10.0.65.254

/ip dhcp-server
add address-pool=OMA_PC_POOL interface=OMA_PC_VLAN name=OMA_PC_DHCP
add address-pool=M_LAPTOP_POOL interface=M_LAPTOP_VLAN name=M_LAPTOP_DHCP
add address-pool=OMALAPTOP_POOL interface=OMALAPTOP_VLAN name=OMALAPTOP_DHCP
add address-pool=PI_POOL interface=PI_VLAN name=PI_DHCP
add address-pool=WLAN_BOX_SSID1_POOL interface=WLAN_BOX_SSID1_VLAN name=WLAN_BOX_SSID1_DHCP
add address-pool=TV_POOL interface=TV_VLAN name=TV_DHCP
add address-pool=WLAN_BOX_SSID2_POOL interface=WLAN_BOX_SSID2_VLAN name=WLAN_BOX_SSID2_DHCP

/interface bridge port
add bridge=BR1 comment="Only allow ingress packets without tags on Access Ports" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=70
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=WLAN_BOX_SSID1_VLAN pvid=60
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=WLAN_BOX_SSID2_VLAN pvid=65

/ip neighbor discovery-settings
set discover-interface-list=none

/ipv6 settings
set disable-ipv6=yes

/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=30
add bridge=BR1 tagged=BR1 vlan-ids=40
add bridge=BR1 tagged=BR1 vlan-ids=50
add bridge=BR1 tagged=BR1 vlan-ids=60
add bridge=BR1 tagged=BR1 vlan-ids=70
add bridge=BR1 tagged=BR1 vlan-ids=65

/interface list member
add interface=ether1 list=WAN
add interface=OMA_PC_VLAN list=LAN
add interface=M_LAPTOP_VLAN list=LAN
add interface=OMALAPTOP_VLAN list=LAN
add interface=PI_VLAN list=LAN
add interface=ether8 list=MGMT
add interface=WLAN_BOX_SSID1_VLAN list=LAN
add interface=TV_VLAN list=LAN
add interface=WLAN_BOX_SSID2_VLAN list=LAN

/ip address
add address=10.0.20.1/24 interface=OMA_PC_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=M_LAPTOP_VLAN network=10.0.30.0
add address=10.0.40.1/24 interface=OMALAPTOP_VLAN network=10.0.40.0
add address=10.0.50.1/24 interface=PI_VLAN network=10.0.50.0
add address=10.0.60.1/24 interface=WLAN_BOX_SSID1_VLAN network=10.0.60.0
add address=10.0.70.1/24 interface=TV_VLAN network=10.0.70.0
add address=10.0.80.1/24 interface=ether8 network=10.0.80.0
add address=10.0.65.1/24 interface=WLAN_BOX_SSID2_VLAN network=10.0.65.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
add address=10.0.40.0/24 dns-server=10.0.40.1 gateway=10.0.40.1
add address=10.0.50.0/24 dns-server=10.0.50.1 gateway=10.0.50.1
add address=10.0.60.0/24 dns-server=10.0.60.1 gateway=10.0.60.1
add address=10.0.65.0/24 dns-server=10.0.65.1 gateway=10.0.65.1
add address=10.0.70.0/24 dns-server=10.0.70.1 gateway=10.0.70.1

/ip dns
set servers=1.1.1.2,1.0.0.2

/ip firewall filter
add action=accept chain=input comment="\"Accept established, related, untracked\"" connection-state=established,related,untracked
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="\"Accept ICMP\"" protocol=icmp
add action=accept chain=input comment="\"Allow MGMT-list Full Access\"" in-interface-list=MGMT src-address=10.0.80.5
add action=accept chain=input comment="\"Allow LAN DNS queries\"" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="\"Allow LAN DNS queries\"" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="\"Drop all else\""

add action=accept chain=forward comment="\"Accept established, related, untracked\"" connection-state=established,related,untracked
add action=drop chain=forward comment="\"Drop invalid\"" connection-state=invalid
add action=drop chain=forward comment="\"drop access to clients behind NAT from WAN\"" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="\" Allow all VLANs to access the Internet only, NOT each other\"" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="\"Zyxel Access Point configuration\"" connection-state=established,related,new dst-address=10.0.60.254 in-interface=ether8 out-interface=WLAN_BOX_SSID1_VLAN src-address=10.0.80.5
add action=drop chain=forward comment="\"Drop all else\""

/ip firewall nat
add action=masquerade chain=srcnat comment="\"NAT\"" out-interface-list=WAN
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Point connected to the router port.

Thu Sep 15, 2022 2:47 pm

Nope, your config is confused with respect to the Zyxel.

Suggest you stick to the plan and be clear, simple and consistent.
a. ALL vlans on the bridge. (forget that Zyxel vlans to ether6 crap)
b. single interface bridge port setting to the Zyxel (trunk carries both SSID vlans)
c. adjust bridge vlan settings accordingly
d. where is the management vlan? It should also go to the Zyxel (it's where the Zyxel's IP address resides, in the management subnet, usually entered manually and set static in MT dhcp leases)

e. this should be set to the management interface list (MGMT):
/ip neighbor discovery-settings
set discover-interface-list=none

The management access on ether8 is a great idea to config initially and for emergency access if the bridge for whatever reason goes funky on you.
However, typically the admin is also on the home LAN.

In other words, I would do this a bit differently, and since you don't use a home LAN, or so it seems, then I would still create a base or management vlan, vlan 11,
and plug your computer into it, let's say on etherport9, and LEAVE ether8 alone as a separate off-bridge access available at all times.

Then it would be clear............. and you would send three vlans to the Zyxel, as it needs to be on the management vlan for IP purposes and for you to access it for configuration purposes.

f. firewall rules are almost there,
add action=accept chain=forward comment="\"Accept established, related, untracked\"" connection-state=established,related,untracked
add action=drop chain=forward comment="\"Drop invalid\"" connection-state=invalid
add action=drop chain=forward comment="\"drop access to clients behind NAT from WAN\"" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="\" Allow all VLANs to access the Internet only, NOT each other\"" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="\"Zyxel Access Point configuration\"" connection-state=established,related,new dst-address=10.0.60.254 in-interface=ether8 out-interface=WLAN_BOX_SSID1_VLAN src-address=10.0.80.5
add action=drop chain=forward comment="\"Drop all else\""


First, you have a drop rule, so you don't need to drop in the dst-nat rule; it should be simpler and cleaner, like so.
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat

This rule, YIKES, what are you trying to accomplish?? The drop rule at the end ensures no vlans can talk to each other!!
add action=accept chain=forward comment="\"Zyxel Access Point configuration\"" connection-state=established,related,new dst-address=10.0.60.254 in-interface=ether8 out-interface=WLAN_BOX_SSID1_VLAN src-address=10.0.80.5

Okay, so you want admin access to the vlan for some purpose? If it's for configuration, as I suspect, then I've already described how to do that.......... and no forward rule would be required.
Last edited by anav on Thu Sep 15, 2022 3:58 pm, edited 1 time in total.
 
5009Owner
newbie
Topic Author
Posts: 35
Joined: Sun Jan 09, 2022 9:09 am

Re: Access Point connected to the router port.

Thu Sep 15, 2022 3:15 pm

Why should I have a management VLAN, when I can do all the management (configuration) from Eth8? And as I said, I can connect to the Zyxel with my firewall rule (add action=accept chain=forward comment="\"Zyxel Access Point configuration\"" connection-state=established,related,new dst-address=10.0.60.254 in-interface=ether8 out-interface=WLAN_BOX_SSID1_VLAN src-address=10.0.80.5). This rule works, but I don't know if it is beautiful or the most simple.
Normally Eth8 is empty; my PC is normally connected to OMA_PC_VLAN.
I have no problem putting my CAT cable into the other port. Eth8 is dedicated to configuration, and only Eth8. Once my config is ready, I will not play inside my RB5009 all the time. I have a life.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Point connected to the router port.

Thu Sep 15, 2022 4:00 pm

Do it whatever way you want......
I am just saying the norm is that all smart devices get their IP from the management subnet or trusted subnet which in this case would include the zyxel and any managed switches you may add later.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Point connected to the router port.

Thu Sep 15, 2022 4:21 pm

Changes in blue...

/interface bridge
add ingress-filtering=no name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=M_LAPTOP_VLAN vlan-id=30
add interface=BR1 name=OMALAPTOP_VLAN vlan-id=40
add interface=BR1 name=OMA_PC_VLAN vlan-id=20
add interface=BR1 name=PI_VLAN vlan-id=50
add interface=BR1 name=TV_VLAN vlan-id=70
add interface=BR1 name=WLAN_BOX_SSID1_VLAN vlan-id=60
add interface=BR1 name=WLAN_BOX_SSID2_VLAN vlan-id=65
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=30
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=40
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=50
add bridge=BR1 comment="trunk port" frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether6
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=70
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether6 untagged=ether2 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=30
add bridge=BR1 tagged=BR1 vlan-ids=40
add bridge=BR1 tagged=BR1 vlan-ids=50
add bridge=BR1 tagged=BR1 vlan-ids=70
add bridge=BR1 tagged=BR1,ether6 vlan-ids=60,65
/interface list member
add interface=ether1 list=WAN
add interface=OMA_PC_VLAN list=LAN
add interface=M_LAPTOP_VLAN list=LAN
add interface=OMALAPTOP_VLAN list=LAN
add interface=PI_VLAN list=LAN
add interface=WLAN_BOX_SSID1_VLAN list=LAN
add interface=TV_VLAN list=LAN
add interface=WLAN_BOX_SSID2_VLAN list=LAN
add interface=ether8 list=MGMT
add interface=OMA_PC_VLAN list=MGMT
/ip firewall filter
add action=accept chain=input comment="\"Accept established, related, untracked\"" connection-state=established,related,untracked
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="\"Accept ICMP\"" protocol=icmp
add action=accept chain=input comment="\"Allow MGMT-list Full Access\"" in-interface-list=MGMT src-address-list=authorized
add action=accept chain=input comment="\"Allow LAN DNS queries\"" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="\"Allow LAN DNS queries\"" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="\"Drop all else\""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="\"Accept established, related, untracked\"" connection-state=established,related,untracked
add action=drop chain=forward comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="\"Drop all else\""
/ip firewall address-list
add address=10.0.80.5 list=authorized comment="access from ether8"
add address=10.0.20.5 list=authorized comment="access from admin pc, or whatever IP you have statically set"
/tool mac-server mac-winbox
set allowed-interface-list=MGMT


Thus, you will have full access to config everything from either the normal LAN you use or ether8. The difference is that ether8 is independent from the bridge, in case the config is screwed up on the bridge side.
Also, you are bringing three vlans to the Zyxel: the two SSID vlans for traffic, and the management vlan only to the Zyxel itself, so it's accessible only to the admin to access and configure.
 
5009Owner
newbie
Topic Author
Posts: 35
Joined: Sun Jan 09, 2022 9:09 am

Re: Access Point connected to the router port.

Thu Sep 15, 2022 6:28 pm

Thank You anav, Your blue comments make sense. I will modify my config like You suggested and then I will lock it down for a moment.
(If there are no more good and brilliant ideas to change it.)
I chose this VLAN per SSID for the Zyxel because it might be much more secure than the "intra-BSS traffic blocking" that is possible in the Zyxel. Or who knows.
Intra-BSS blocking works inside the same SSID and it should block wireless clients from seeing each other.
Anyway, making things like above is a little more work to do, but when it's done it's done.
And I can still use intra-BSS blocking inside my SSIDs.
Even if I create a separate VLAN for every single wireless thing in my house.
Perhaps not...
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Point connected to the router port.

Thu Sep 15, 2022 7:30 pm

I used to sell Zyxel Networking Equipment as a hobby business and thus know your pain LOL.
 
5009Owner
newbie
Topic Author
Posts: 35
Joined: Sun Jan 09, 2022 9:09 am

Re: Access Point connected to the router port.

Sat Sep 24, 2022 8:46 am

Wondering about all the options...

What if I trust that Zyxel's "intra-BSS traffic blocking" is doing its job and is really isolating wireless clients inside the same SSID?
In that case there is only one SSID.
Intra-BSS blocking is working only inside the Zyxel access point.
But that SSID is getting addresses from the router from the same port. Same address pool. From the same CAT cable connected from the Zyxel to the router port.
What should I do to make sure that wireless clients cannot listen to each other through the router?
Or is it impossible to stop at all because they have the same IP range?
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Point connected to the router port.

Sat Sep 24, 2022 3:28 pm

What exact device model are you using?
Typically if one uses a wifi router as an AP, some functionalities are lost.
If it's a business class AP, it should have all the functionality.

My understanding was that it was designed so wifi users could not see each other over wifi when on the same SSID.
So I don't see why that should not work.
Since you have them on a vlan, they will not be able to see any other subnets.
If you have the firewall rules set correctly, the router will not be able to route between vlans (L3).
 
5009Owner
newbie
Topic Author
Posts: 35
Joined: Sun Jan 09, 2022 9:09 am

Re: Access Point connected to the router port.

Sun Sep 25, 2022 9:04 am

Scenario:
Zyxel NWA55AXE is connected to the RB5009 on, for example, eth6. Eth6 has its own VLAN, subnet, pool and all necessary things. So it is isolated from the other RB5009 traffic, from the other VLANs, with firewall rules.
The Zyxel has only one SSID; wireless clients are isolated with "intra-BSS traffic blocking".
The question was: is this a safe method, because wireless clients are in the same VLAN, same subnet inside the RB5009? Can they see each other through the RB5009?
Because all wireless clients have access to the internet through the wired connection to RB5009 eth6. I guess "intra-BSS blocking" is not working inside the RB5009? How to make firewall rules to isolate clients inside the same VLAN, same subnet? Or have I missed something?
Of course there is a way to have a VLAN per SSID, but I would like to make things clear with the situation above, using only one SSID.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Point connected to the router port.

Sun Sep 25, 2022 3:57 pm

1 - all vlans are separated from each other at L2 (mac addresses) due to being in vlans.

2 - correct usage of forward chain firewall rules blocks the router from routing between vlans, so safe at L3.
(easily done by putting this rule at the end of the forward chain)
add chain=forward action=drop comment="drop all else"

3 - Intra-BSS blocking is ONLY to stop wifi clients on the same SSID from reaching each other over wifi.
Any vlan given access only to the internet connection of the router will not be able to see any other vlans, and vice versa.
So if a WLAN is assigned a vlan, anyone using the associated SSID will not see any other vlans.

4 - On the Zyxel, each WLAN interface you create can be on a separate SSID.

5 - You don't need to assign a vlan to an etherport; you start to make the config more complex than necessary.

6 - DO you have either a separate management subnet or VLAN, or is one planned, and if not, do you have a trusted subnet,
one that you are on all the time and from where you will want to configure the Zyxel and the router?

7 - ONE BRIDGE, assign all vlans to the BRIDGE; each vlan gets an IP pool, ip address, dhcp server, dhcp-server network
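The forward-chain point in item 2 can be checked offline. This is an added example, not RouterOS code or anav's: it evaluates anav's suggested forward chain top to bottom over constructed packets (interface lists LAN/WAN are taken from the thread's /interface list member entries) and shows that a new connection between two VLANs falls through to "Drop all else", while LAN-to-WAN and dst-nat traffic is accepted.

```python
from typing import Dict, List

# Interface lists exactly as in the thread's /interface list member entries.
LAN = {"OMA_PC_VLAN", "M_LAPTOP_VLAN", "OMALAPTOP_VLAN", "PI_VLAN",
       "WLAN_BOX_SSID1_VLAN", "WLAN_BOX_SSID2_VLAN", "TV_VLAN"}
WAN = {"ether1"}
LISTS = {"LAN": LAN, "WAN": WAN}

# anav's forward chain, in order; "comment" doubles as the rule's name.
FORWARD: List[Dict] = [
    {"action": "fasttrack-connection", "comment": "defconf: fasttrack",
     "connection-state": {"established", "related"}},
    {"action": "accept", "comment": "Accept established, related, untracked",
     "connection-state": {"established", "related", "untracked"}},
    {"action": "drop", "comment": "Drop invalid", "connection-state": {"invalid"}},
    {"action": "accept", "comment": "Allow internet traffic",
     "in-interface-list": "LAN", "out-interface-list": "WAN"},
    {"action": "accept", "comment": "Allow port forwarding", "connection-nat-state": "dstnat"},
    {"action": "drop", "comment": "Drop all else"},
]


def packet(in_if: str, out_if: str, state: str = "new", nat_state: str = "") -> Dict:
    """Constructed sample packet, carrying only the fields the chain matches on."""
    return {"in-interface": in_if, "out-interface": out_if,
            "connection-state": state, "connection-nat-state": nat_state}


def matches(rule: Dict, pkt: Dict) -> bool:
    """Every matcher present in the rule must hold; absent matchers match anything."""
    if "connection-state" in rule and pkt["connection-state"] not in rule["connection-state"]:
        return False
    if "connection-nat-state" in rule and pkt["connection-nat-state"] != rule["connection-nat-state"]:
        return False
    for key, pkt_key in (("in-interface-list", "in-interface"), ("out-interface-list", "out-interface")):
        if key in rule and pkt[pkt_key] not in LISTS[rule[key]]:
            return False
    return True


def forward_verdict(pkt: Dict) -> str:
    """Walk the chain top to bottom and return the comment of the rule that decided the packet."""
    for rule in FORWARD:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "fasttrack-connection":
            continue  # marks the connection for fasttrack; processing continues with the next rule
        return rule["comment"]
    return "end of chain (RouterOS default: accept)"


if __name__ == "__main__":
    for p in (packet("OMA_PC_VLAN", "ether1"),
              packet("OMA_PC_VLAN", "WLAN_BOX_SSID1_VLAN"),
              packet("ether8", "WLAN_BOX_SSID1_VLAN"),
              packet("ether1", "PI_VLAN", nat_state="dstnat"),
              packet("ether1", "PI_VLAN")):
        print(p["in-interface"], "->", p["out-interface"], ":", forward_verdict(p))
```

The ether8 case shows why the original post needed an explicit forward rule to reach the AP: ether8 is in MGMT, not LAN, so without that rule its traffic ends at "Drop all else". With anav's layout the AP's management address sits in VLAN 20, the same subnet as the admin PC, so that traffic is bridged and never enters the forward chain.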
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Point connected to the router port.

Sun Sep 25, 2022 4:03 pm

I provided the solution that will work already.
As noted, you have a trunk port to the Zyxel router.
You should enter the Zyxel, get its wired ethernet mac address, and then go to the MT router and decide which IP you are going to give the Zyxel, and then make that static.
Then attach your pc directly to the Zyxel, or via the ZON utility, and assign it the IP address manually.

Go to the MANAGEMENT page on the web utility and modify the Management vlan to 20 and select TAGGED.
Now only folks on vlan20 will be able to access the config of the Zyxel Access Point. The Access Point will expect vlan20 tagged frames to config the router,
as well as tagged frames from vlans 60 and 65, which will go out over wifi.
 
5009Owner
newbie
Topic Author
Posts: 35
Joined: Sun Jan 09, 2022 9:09 am

Re: Access Point connected to the router port.

Sun Sep 25, 2022 6:27 pm

Thank you anav, very valuable info again.
But can you answer the question: if there is only one SSID in the Zyxel (intra-BSS blocking activated) and that SSID is getting its connection from RB5009 eth6, there is an own VLAN and subnet for eth6.
So all wireless clients are inside the same subnet. Can they see each other through the RB5009 when they are in the same subnet?
Of course they are isolated from the other VLANs by the firewall, but what about inside the same VLAN in the RB5009?
 
mkx
Forum Guru
Posts: 11587
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access Point connected to the router port.

Sun Sep 25, 2022 6:48 pm

So all wireless clients are inside the same subnet. Can they see each other through the RB5009 when they are in the same subnet?

Basic operating principle of ethernet switches and bridges: never ever forward a frame through the ingress port.
Meaning: if a frame sent by a client of the Zyxel is targeting another Zyxel client, then even if the RB (or any switch or bridge) knows that the target is behind that port (an appropriate ARP entry exists), it will never ever pass the frame back to the Zyxel.

So if the Zyxel takes care of client isolation, MT will not breach that.
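The two bridge-level points in this thread, anav's access/trunk layout for BR1 and mkx's rule that a frame is never sent back out of its ingress port, can be exercised together. This is an added example, not RouterOS or MikroTik code: it models the /interface bridge port and /interface bridge vlan tables from anav's suggested config (with "BR1" standing in for the bridge's own CPU-facing port, which is what tagged=BR1 reaches) and reports, for one constructed frame, where it may leave and whether it leaves tagged.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ADMIT_ALL = "admit-all"
UNTAGGED_ONLY = "admit-only-untagged-and-priority-tagged"   # access port
TAGGED_ONLY = "admit-only-vlan-tagged"                       # trunk port


@dataclass
class Port:
    name: str
    pvid: int = 1
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = True


@dataclass
class Bridge:
    ports: Dict[str, Port] = field(default_factory=dict)
    tagged: Dict[int, Set[str]] = field(default_factory=dict)     # /interface bridge vlan tagged=
    untagged: Dict[int, Set[str]] = field(default_factory=dict)   # /interface bridge vlan untagged=

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def add_vlan(self, vids, tagged=(), untagged=()) -> None:
        for vid in vids:
            self.tagged.setdefault(vid, set()).update(tagged)
            self.untagged.setdefault(vid, set()).update(untagged)

    def members(self, vid: int) -> Tuple[Set[str], Set[str]]:
        """Static members plus the dynamic untagged membership RouterOS adds for a port's pvid."""
        tagged = set(self.tagged.get(vid, ()))
        untagged = set(self.untagged.get(vid, ())) | {p.name for p in self.ports.values() if p.pvid == vid}
        return tagged, untagged

    def forward(self, in_port: str, vid: Optional[int]) -> Optional[List[Tuple[str, bool]]]:
        """Egress list [(port, leaves_tagged)] for one frame, or None if it is dropped at ingress.
        vid=None means the frame arrived untagged."""
        port = self.ports[in_port]
        if vid is None:
            if port.frame_types == TAGGED_ONLY:
                return None                 # trunk rejects untagged frames
            vid = port.pvid                 # access port classifies it into its pvid
        elif port.frame_types == UNTAGGED_ONLY:
            return None                     # access port rejects tagged frames
        tagged, untagged = self.members(vid)
        if port.ingress_filtering and in_port not in tagged | untagged:
            return None                     # ingress filtering: port is not a member of this VLAN
        # mkx's rule: a bridge never sends a frame back out of the port it arrived on.
        out = [(p, True) for p in tagged if p != in_port]
        out += [(p, False) for p in untagged if p != in_port]
        return sorted(out)


def build_br1() -> Bridge:
    """BR1 as anav laid it out; 'BR1' is the bridge's own port, reached when tagged=BR1."""
    br = Bridge()
    br.add_port(Port("BR1"))
    for eth, pvid in (("ether2", 20), ("ether3", 30), ("ether4", 40), ("ether5", 50), ("ether7", 70)):
        br.add_port(Port(eth, pvid=pvid, frame_types=UNTAGGED_ONLY))
    br.add_port(Port("ether6", frame_types=TAGGED_ONLY))          # trunk to the Zyxel AP
    br.add_vlan([20], tagged={"BR1", "ether6"}, untagged={"ether2"})
    br.add_vlan([30, 40, 50, 70], tagged={"BR1"})
    br.add_vlan([60, 65], tagged={"BR1", "ether6"})
    return br


if __name__ == "__main__":
    br = build_br1()
    for in_port, vid in (("ether2", None), ("ether6", 60), ("ether6", 30), ("ether2", 20), ("ether6", None)):
        print(in_port, "untagged" if vid is None else f"vid {vid}", "->", br.forward(in_port, vid))
```

A VLAN 60 frame from the AP reaches only the router (BR1), never ether6 again, which is mkx's point; a VLAN 30 tag on the trunk is dropped by ingress filtering because ether6 is not a member of 30, and a tagged frame on an access port or an untagged frame on the trunk is rejected by frame-types before any VLAN lookup.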
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Point connected to the router port.

Sun Sep 25, 2022 7:26 pm

The way my simple mind works is that the client requesting access to another client happens when on WIFI and behind the ZYXEL control panel.
Thus, when the client makes that request on wifi, by accident or on purpose, to reach another client behind the same SSID, it is blocked by the Zyxel, END OF STORY.

The traffic from the users that is on the actual wired part of the network and into the MT router is ONLY there to go out to the internet (destination addresses on the internet).
The Zyxel didn't block IP addresses heading for the internet, only blocked mac addresses asking to reach other mac addresses, all within the SSID on the wifi side.

So there is no way a wifi user is going to see any other wifi user past the Zyxel. There is simply no mechanism to do so.
 
5009Owner
newbie
Topic Author
Posts: 35
Joined: Sun Jan 09, 2022 9:09 am

Re: Access Point connected to the router port.

Mon Sep 26, 2022 7:45 am

Thank You both anav and mkx, finally I got an answer!
This makes everything more simple. So even if I have only one SSID in my Zyxel access point, I can achieve privacy between wireless clients. And the RB5009 config will be more simple.
And if I am correct, every SSID needs its own channel. So it is a good idea to keep a minimum number of SSIDs, to avoid overlapping; there are a few neighbours around with their wifi networks.
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Point connected to the router port.

Mon Sep 26, 2022 2:21 pm

I would approach it differently. I would create as many SSIDs as I need, within reason.
For example, a single wifi device could have, let's say, 4 WLANs, two 5ghz and two 2ghz (think home 5ghz, guest 5ghz, home 2ghz, IoT 2ghz).
That would be four SSIDs potentially, if you wanted to split home into two different SSIDs.

In your case I think you have 2 radios, and only one profile and one SSID can be used per radio. The Zyxel cannot have more than two SSIDs at any one time.
Thus the max number of SSIDs you can have is 2, and both can be set to block traffic, as the setting for this is in the SSID settings.

So you should easily be able to have two different vlans, one for each SSID (and radio), without any concerns.
