# Home Office Network Setup Guide

### **Below is a MikroTik configuration tailored to your requirements.**

##### **This configuration includes:**

- **4 VLANs**: Home (VLAN 10), Office (VLAN 20), Guest (VLAN 30), and IoT (VLAN 40).
- **Subnetting**: Each VLAN uses a `10.10.<VLAN ID>.0/24` subnet, so the third octet of the subnet matches the VLAN ID.
- **Firewall Rules**: Home and Office VLANs can access the IoT VLAN; IoT and Guest VLANs are isolated from other VLANs.
- **Security Enhancements**: Hardened router security with essential services only and restricted management access.

### **1. Bridge and VLAN Setup**

#### **Create a Bridge Interface with VLAN Filtering**

```
/interface bridge
add name=bridge1 vlan-filtering=yes
```

#### **Add Physical Ports to the Bridge**

Assuming `ether2` to `ether5` are your LAN ports:

```
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=30
add bridge=bridge1 interface=ether5 pvid=40
```

#### **Define VLANs on the Bridge**

```
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=30
add bridge=bridge1 tagged=bridge1 untagged=ether5 vlan-ids=40
```

#### **Create VLAN Interfaces**

```
/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20
add interface=bridge1 name=VLAN30 vlan-id=30
add interface=bridge1 name=VLAN40 vlan-id=40
```

---

### **2. IP Addressing**

Assign IP addresses to each VLAN interface, matching the subnet with the VLAN ID:

```
/ip address
add address=10.10.10.1/24 interface=VLAN10 network=10.10.10.0
add address=10.10.20.1/24 interface=VLAN20 network=10.10.20.0
add address=10.10.30.1/24 interface=VLAN30 network=10.10.30.0
add address=10.10.40.1/24 interface=VLAN40 network=10.10.40.0
```

---

### **3. DHCP Server Configuration**

#### **Create IP Pools for Each VLAN**

```
/ip pool
add name=dhcp_pool_vlan10 ranges=10.10.10.10-10.10.10.254
add name=dhcp_pool_vlan20 ranges=10.10.20.10-10.10.20.254
add name=dhcp_pool_vlan30 ranges=10.10.30.10-10.10.30.254
add name=dhcp_pool_vlan40 ranges=10.10.40.10-10.10.40.254
```

#### **Set Up DHCP Servers**

```
/ip dhcp-server
add address-pool=dhcp_pool_vlan10 interface=VLAN10 lease-time=12h name=dhcp_vlan10
add address-pool=dhcp_pool_vlan20 interface=VLAN20 lease-time=12h name=dhcp_vlan20
add address-pool=dhcp_pool_vlan30 interface=VLAN30 lease-time=12h name=dhcp_vlan30
add address-pool=dhcp_pool_vlan40 interface=VLAN40 lease-time=12h name=dhcp_vlan40
```

#### **Define DHCP Networks**

```
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1
add address=10.10.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.30.1
add address=10.10.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.40.1
```

---

### **4. Firewall Configuration**

#### **Basic Firewall Rules**

- Accept established and related connections.
- Drop invalid packets.

```
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
```

#### **Inter-VLAN Communication Rules**

- **Allow** Home and Office VLANs to access the IoT VLAN.

```
add chain=forward src-address=10.10.10.0/24 dst-address=10.10.40.0/24 action=accept
add chain=forward src-address=10.10.20.0/24 dst-address=10.10.40.0/24 action=accept
```

- **Allow** Home and Office VLANs to access the internet.

```
add chain=forward src-address=10.10.10.0/24 action=accept out-interface-list=WAN
add chain=forward src-address=10.10.20.0/24 action=accept out-interface-list=WAN
```

#### **Restrict IoT and Guest VLANs**

- **Drop** traffic from IoT VLAN to other VLANs.

```
add chain=forward src-address=10.10.40.0/24 dst-address=10.10.10.0/24 action=drop
add chain=forward src-address=10.10.40.0/24 dst-address=10.10.20.0/24 action=drop
add chain=forward src-address=10.10.40.0/24 dst-address=10.10.30.0/24 action=drop
```

- **Drop** traffic from Guest VLAN to other VLANs.

```
add chain=forward src-address=10.10.30.0/24 dst-address=10.10.10.0/24 action=drop
add chain=forward src-address=10.10.30.0/24 dst-address=10.10.20.0/24 action=drop
add chain=forward src-address=10.10.30.0/24 dst-address=10.10.40.0/24 action=drop
```

- **Allow** IoT and Guest VLANs to access the internet.

```
add chain=forward src-address=10.10.40.0/24 action=accept out-interface-list=WAN
add chain=forward src-address=10.10.30.0/24 action=accept out-interface-list=WAN
```

#### **Drop All Other Traffic**

```
add chain=forward action=drop
```

---
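To confirm that the forward chain above enforces the intended policy, here is an added Python model (not part of the guide and not RouterOS code) that replays the guide's forward rules in the order they are added, with first-match semantics for the first packet of a new connection; the host addresses and the internet destination are constructed samples.

```python
import ipaddress

# Forward-chain rules from the guide, in the order they are added:
# (src subnet, dst subnet, out-interface-list, action); None = any.
# The stateful established/related and invalid rules are omitted: this
# model evaluates only the first packet of a new connection.
FORWARD_RULES = [
    ("10.10.10.0/24", "10.10.40.0/24", None, "accept"),  # Home -> IoT
    ("10.10.20.0/24", "10.10.40.0/24", None, "accept"),  # Office -> IoT
    ("10.10.10.0/24", None, "WAN", "accept"),            # Home -> internet
    ("10.10.20.0/24", None, "WAN", "accept"),            # Office -> internet
    ("10.10.40.0/24", "10.10.10.0/24", None, "drop"),    # IoT -> Home
    ("10.10.40.0/24", "10.10.20.0/24", None, "drop"),    # IoT -> Office
    ("10.10.40.0/24", "10.10.30.0/24", None, "drop"),    # IoT -> Guest
    ("10.10.30.0/24", "10.10.10.0/24", None, "drop"),    # Guest -> Home
    ("10.10.30.0/24", "10.10.20.0/24", None, "drop"),    # Guest -> Office
    ("10.10.30.0/24", "10.10.40.0/24", None, "drop"),    # Guest -> IoT
    ("10.10.40.0/24", None, "WAN", "accept"),            # IoT -> internet
    ("10.10.30.0/24", None, "WAN", "accept"),            # Guest -> internet
    (None, None, None, "drop"),                          # drop all other
]
VLAN_SUBNET = {"home": "10.10.10.0/24", "office": "10.10.20.0/24",
               "guest": "10.10.30.0/24", "iot": "10.10.40.0/24"}
INTERNET = "203.0.113.10"  # constructed sample (TEST-NET-3), not from the guide

def first_match(src_ip, dst_ip, out_list):
    """Return the action of the first forward rule matching a new connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r_src, r_dst, r_out, action in FORWARD_RULES:
        if r_src and src not in ipaddress.ip_network(r_src):
            continue
        if r_dst and dst not in ipaddress.ip_network(r_dst):
            continue
        if r_out and r_out != out_list:
            continue
        return action
    return "accept"  # RouterOS default: a packet matching no rule is passed

def host(net):
    """Pick a sample host inside a subnet (the .11 address, inside the DHCP range)."""
    return str(ipaddress.ip_network(net)[11])

def policy_matrix():
    """Map each (source VLAN, destination) pair to the action the chain yields."""
    matrix = {}
    for s, s_net in VLAN_SUBNET.items():
        for d, d_net in VLAN_SUBNET.items():
            if d != s:  # inter-VLAN traffic leaves via a VLAN interface, not WAN
                matrix[(s, d)] = first_match(host(s_net), host(d_net), None)
        matrix[(s, "internet")] = first_match(host(s_net), INTERNET, "WAN")
    return matrix
```

The matrix also shows that the guide never adds a Home to Office (or Office to Home) accept, so new connections between those two VLANs fall through to the final drop; add explicit accept rules for those subnets if the two VLANs need to reach each other.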

### **5. NAT Configuration**

Ensure that all VLANs can access the internet:

```
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
```

---

### **6. Security Hardening**

#### **Restrict Router Access**

- Allow management access only from Home and Office VLANs.

```
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address=10.10.10.0/24 action=accept
add chain=input src-address=10.10.20.0/24 action=accept
add chain=input action=drop
```

#### **Disable Unnecessary Services**

```
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox address=10.10.10.0/24,10.10.20.0/24
```

> **Note:** Only Winbox is enabled for management, and access is restricted to Home and Office VLANs.

#### **Set Strong Passwords**

Ensure the router's admin password is strong:

```
/user set 0 name=admin password=YourStrongPassword
```

Replace `YourStrongPassword` with a strong, unique password.

#### **Additional Security Measures**

- **System Updates**: Regularly update your router's firmware to the latest stable version.
- **Backup Configuration**: Keep backups of your configuration in a secure location.
- **Logging**: Enable system logging for monitoring.

---

### **7. Final Notes**

- **Adjust Interface Names**: Replace `ether2`, `ether3`, etc., with your actual interface names if they differ.
- **WAN Interface**: Ensure your WAN interface is added to the `WAN` interface list; the list must exist before the firewall and NAT rules that reference `out-interface-list=WAN` are added.

```
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN
```

This assumes `ether1` is your WAN interface.

- **DNS Servers**: You can replace `8.8.8.8,8.8.4.4` with your preferred DNS servers.
- **Safe Mode**: When applying configurations, use Safe Mode in Winbox or the CLI to prevent lockouts; this matters most when enabling `vlan-filtering=yes` on the bridge and when adding the `input` chain drop rule, since a mistake in either can cut off your own management session.

---

**By implementing this configuration, you'll have a secure and segmented network that meets your home office needs.**