commerce9659

Looking to add a guest vlan and iot vlan to my network setup which also requires vlan40 tagging for internet access

Sun Jun 08, 2025 9:53 pm

I have a Mikrotik hap ac3 router running routeros 7.19.1

I want to add an IoT VLAN that would not be able to access my main trusted devices network, except for perhaps a Raspberry Pi or Docker instance running on my NAS. I also want a separate guest VLAN which would only have internet access and no access to devices on my main network. How would I go about configuring this?

Here is my config file:
add admin-mac=[sanitized] auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Canada .hide-ssid=no .manager="(unknown)" .mode=ap .ssid=[sanitized] disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] configuration.country=Canada .mode=ap .ssid=[sanitized] disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
add configuration.hide-ssid=yes .mode=ap .ssid=[sanitized]-work mac-address=[sanitized] master-interface=wifi2 name=wifi3 \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface vlan
add interface=wifi3 name=guest_vlan10 vlan-id=10
add interface=ether1 name=vlan40 vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.2.16
add name=dhcp_pool2 ranges=10.0.1.2-10.0.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=guest_vlan10 name=guestdhcp
/ip smb users
set [ find default=yes ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan40 max-mru=1500 max-mtu=1500 name=pppoe-out1 profile=default-encryption user=\
    [sanitized]
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wifi2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment="configured for [sanitized] which requires vlan 40 tag for internet" interface=vlan40 list=WAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=[sanitized] name=ovpn-server1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.1/24 interface=guest_vlan10 network=10.10.10.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.232 client-id=[sanitized] mac-address=[sanitized] server=defconf
add address=192.168.88.207 client-id=[sanitized] mac-address=[sanitized] server=defconf
add address=192.168.88.233 comment="sony bravia" mac-address=[sanitized] server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip smb shares
set [ find default=yes ] directory=/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/Toronto
/system leds
set 0 interface=*1 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 leds=poe-led type=poe-out
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
erlinden

Re: Looking to add a guest vlan and iot vlan to my network setup which also requires vlan40 tagging for internet access

Sun Jun 08, 2025 11:18 pm

In the beginning there was...the Bible of VLAN:
viewtopic.php?t=143620
 
anav

Re: Looking to add a guest vlan and iot vlan to my network setup which also requires vlan40 tagging for internet access

Mon Jun 09, 2025 1:29 am

One bridge, no DHCP by bridge; if you have a house subnet, simply use a VLAN for that as well. Do not use vlan-id=1.

Now, for best luck and trouble-free results, it's best to take one port off the bridge and do all the configuration from there (the last step being turning bridge VLAN filtering on).
How to:

Notes:
1. FIRST STEP: add Offbridge settings, and do all VLAN configuration from this safe spot (using port 9). Recommend this for all devices.....
2. Added Management Interface List entity.
3. Removed duplicate IP Pool.
4. Assume 3 VLANs: one is a management VLAN (all devices get an IP address on this VLAN) / Trusted VLAN (like home users) / Guest or IoT VLAN.
5. Since the RB4011 has two groupings of ports, put the first five ports together on the same bridge, moved WAN port to 6.
6. Normally for PPPoE one does NOT use ip dhcp client OR an ip address for WAN.
7. Changed PPPoE peer DNS server to NO. Reason: it appears you want users to go via 1.1.1.1 and not the ISP..

STEP1:
To work on VLANs, as it can get sticky when applying VLANs or trying to change from default to your setup, it's best to do so from a safe spot. Saves much grief!
So use an off-bridge port for the configuration and also as an emergency access port on the device at any time..... or revert it back to a normal bridge port for any specific purpose using VLANs.

Associated config entries (remove ETHER5 from the bridge in /interface bridge port settings):
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0 comment="Offbridge and Emerg access"
/interface list member
add interface=OffBridge5 list=MGMT ( if you have a separate base or management vlan )
add interface=OffBridge5 list=LAN


Note: to access the router, simply plug your device into port 5, configure your PC/laptop with IPv4 settings of 192.168.77.2, and with your username and password you should have access.
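The procedure discussed in this thread carried through end to end, as an added example that is neither the original poster's export nor anav's or erlinden's config. It takes the hAP ac3 export from the first post as its starting point and assumes: ether1 stays the WAN port (vlan40 and pppoe-out1 are left untouched), ether5 becomes the off-bridge emergency port from anav's STEP1, ether2/ether3/wifi1/wifi2 are the trusted ports, ether4 is the IoT port, and wifi3 (the virtual AP the export already hangs guest_vlan10 off) is the guest SSID. The VLAN IDs 20 (trusted, which keeps 192.168.88.0/24 so the existing static leases and router.lan entry survive), 10 (guest, keeps 10.10.10.0/24) and 30 (IoT, 192.168.30.0/24) are assumptions, as is the Raspberry Pi / NAS Docker host address 192.168.88.50 and the interface list name VLAN. Guest and IoT are deliberately kept out of the LAN list, so the existing defconf input rule drops everything they send to the router apart from the DNS rules placed in front of it; the forward chain allows every VLAN out to the WAN, trusted into IoT, IoT only to the listed Pi/NAS address, and drops all other inter-VLAN traffic.

```routeros
# Added example (not the poster's export, not anav's or erlinden's config): the procedure from this thread
# carried through end to end on the hAP ac3 from the original post. Assumptions: ether1 stays the WAN port
# (vlan40 + pppoe-out1 untouched), ether5 becomes the off-bridge port, ether2/ether3/wifi1/wifi2 are trusted,
# ether4 is the IoT port, wifi3 is the guest SSID; VLAN IDs 20 (trusted, keeps 192.168.88.0/24), 10 (guest,
# keeps 10.10.10.0/24) and 30 (IoT, 192.168.30.0/24) are assumed, as is the Pi/NAS address 192.168.88.50.

# --- STEP 1 (anav): off-bridge emergency port; run everything below from a PC on ether5 ---
/interface bridge port
remove [ find interface=ether5 ]
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0 comment="Offbridge and Emerg access"
/interface list member
add interface=OffBridge5 list=LAN

# --- STEP 2: every bridge port gets a PVID; access ports refuse tagged frames so a guest or IoT
# device cannot hop VLANs by sending its own 802.1Q tags ---
/interface bridge port
set [ find interface=ether2 ] pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [ find interface=ether3 ] pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [ find interface=wifi1 ] pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [ find interface=wifi2 ] pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [ find interface=ether4 ] pvid=30 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wifi3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,wifi1,wifi2 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=30
add bridge=bridge tagged=bridge untagged=wifi3 vlan-ids=10

# --- STEP 3: L3 interfaces, addresses and DHCP per VLAN; nothing is left on the bare bridge ---
/interface vlan
add interface=bridge name=trusted_vlan20 vlan-id=20
add interface=bridge name=iot_vlan30 vlan-id=30
set [ find name=guest_vlan10 ] interface=bridge
/ip address
set [ find address=192.168.88.1/24 ] interface=trusted_vlan20
add address=192.168.30.1/24 interface=iot_vlan30 network=192.168.30.0
/ip pool
set [ find name=dhcp_pool2 ] ranges=10.10.10.10-10.10.10.254
add name=pool_iot ranges=192.168.30.10-192.168.30.254
/ip dhcp-server
set [ find name=defconf ] interface=trusted_vlan20
add address-pool=pool_iot interface=iot_vlan30 name=iotdhcp
/ip dhcp-server network
set [ find address=192.168.88.0/24 ] dns-server=192.168.88.1
set [ find address=10.10.10.0/24 ] dns-server=10.10.10.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
/interface list
add name=VLAN
/interface list member
remove [ find interface=bridge ]
add interface=trusted_vlan20 list=LAN
add interface=trusted_vlan20 list=VLAN
add interface=guest_vlan10 list=VLAN
add interface=iot_vlan30 list=VLAN

# --- STEP 4: firewall. Guest and IoT are deliberately NOT in the LAN list, so the defconf input rule
# drops everything they send to the router except the DNS rules placed in front of it ---
/ip firewall address-list
add list=IOT_REACHABLE address=192.168.88.50 comment="Raspberry Pi / NAS docker host (assumed address)"
/ip firewall filter
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53 comment="vlans: DNS to router" place-before=[ find comment="defconf: drop all not coming from LAN" ]
add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53 comment="vlans: DNS to router" place-before=[ find comment="defconf: drop all not coming from LAN" ]
# forward rules are appended after the defconf chain, whose last rule is "drop all from WAN not DSTNATed"
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN comment="all vlans: internet"
add chain=forward action=accept in-interface=trusted_vlan20 out-interface=iot_vlan30 comment="trusted may reach IoT devices"
add chain=forward action=accept in-interface=iot_vlan30 out-interface=trusted_vlan20 dst-address-list=IOT_REACHABLE comment="IoT may reach only the Pi / docker host"
add chain=forward action=drop comment="drop everything else (guest<->anything, IoT->trusted)"

# --- LAST STEP (anav): only now turn bridge VLAN filtering on ---
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
```

Run STEP 1 from any port, then move the laptop to ether5 with 192.168.77.2/30 before continuing, because the trusted ports and SSIDs lose connectivity once their PVIDs and the VLAN table change, and they only come back when vlan-filtering is switched on at the very end. The pool line for dhcp_pool2 is there because the posted export hands guest clients 10.0.1.x addresses while guest_vlan10 is numbered 10.10.10.1/24, so those clients would receive a gateway outside their own subnet. The ingress-filtering and frame-types settings on the access ports are what make the isolation hold at layer 2: without them a device on the guest or IoT port could present frames tagged with the trusted VLAN ID and the bridge would forward them. The defconf established,related accept and fasttrack rules at the top of the forward chain carry the return traffic for every connection the new accept rules permit, so the final drop only ever sees new inter-VLAN attempts.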