I have following network up and running without any problems.
However, I would like to add a second LAN with it's own IP address and DHCP server. I scrambled through the forum and couldn't find
the exact information I would understand to implement on my router.

Someone please inform me about what is required to implement a second LAN to separate office PC's traffic from the WiFi Unifi Lan.

Here's the existing setup - ROS V6.7
------------------------------------------

ISP-Internet
|
RB 951G
|
Ether Port 1: WAN 199.9.60.xxx
|
Ether Port 2: LAN - UniFi WiFi - 192.168.0.x
|
Ether Port 3, 4, 5 are switched of Master Port 3.





#
/interface bridge
add l2mtu=1598 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=\
"LAN - All ports are switched off Ether2"
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/interface wireless
set [ find default-name=wlan1 ] ht-rxchains=0 ht-txchains=0 l2mtu=2290 ssid=\
MikroTik
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment="LAN - All ports are switched off Ether2"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.0.1/24 comment="LAN IP Subnet" interface=ether2 network=\
192.168.0.0
add address=199.9.60.xxx/24 interface=ether1 network=199.9.60.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,4.2.2.2 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.0.0/24 list=OurLocalLAN
/ip firewall filter
add chain=input comment="Allow access to the router from the LAN using address \
list - PROTECTING ROUTER" src-address-list=OurLocalLAN
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add chain=forward comment="Allow Connections from LAN" connection-state=new \
in-interface=bridge1
add chain=forward comment="Allow Established Connection from LAN" \
connection-state=established
add chain=forward comment="Allow Related Connection" connection-state=related
add action=drop chain=forward comment=\
"Drop all other traffic through the router"
add chain=input comment="Allow established connection to the router" \
connection-state=established
add chain=input comment="Allow related connection to the router" \
connection-state=related
add action=drop chain=input comment=\
"Drop All Other Traffic to Router - PROTECTING ROUTER"
/ip firewall nat
add action=masquerade chain=srcnat comment="PAT outside" dst-address=\
0.0.0.0/0 out-interface=ether1 src-address=192.168.0.0/24
/ip route
add comment="default route" distance=1 gateway=199.9.60.1
/ip service
set api disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB951ui
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=63.44.154.34 secondary-ntp=\
63.240.161.99

Choose a free ethernet port.
Give the ethernet port a IP-address:
http://www.wirelessinfo.be/index.php/mikrotik/pages/ip

Configure DHCP server on it
http://www.wirelessinfo.be/index.php/mi ... pages/dhcp

Nat the port with the wan
http://www.wirelessinfo.be/index.php/mikrotik/pages/nat

I have following network up and running without any problems.
However, I would like to add a second LAN with it's own IP address and DHCP server. I scrambled through the forum and couldn't find
the exact information I would understand to implement on my router.

Someone please inform me about what is required to implement a second LAN to separate office PC's traffic from the WiFi Unifi Lan.

Here's the existing setup - ROS V6.7
------------------------------------------

ISP-Internet
|
RB 951G
|
Ether Port 1: WAN 199.9.60.xxx
|
Ether Port 2: LAN - UniFi WiFi - 192.168.0.x
|
Ether Port 3, 4, 5 are switched of Master Port 3.





#
/interface bridge
add l2mtu=1598 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=\
"LAN - All ports are switched off Ether2"
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/interface wireless
set [ find default-name=wlan1 ] ht-rxchains=0 ht-txchains=0 l2mtu=2290 ssid=\
MikroTik
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment="LAN - All ports are switched off Ether2"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.0.1/24 comment="LAN IP Subnet" interface=ether2 network=\
192.168.0.0
add address=199.9.60.xxx/24 interface=ether1 network=199.9.60.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,4.2.2.2 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.0.0/24 list=OurLocalLAN
/ip firewall filter
add chain=input comment="Allow access to the router from the LAN using address \
list - PROTECTING ROUTER" src-address-list=OurLocalLAN
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid
add chain=forward comment="Allow Connections from LAN" connection-state=new \
in-interface=bridge1
add chain=forward comment="Allow Established Connection from LAN" \
connection-state=established
add chain=forward comment="Allow Related Connection" connection-state=related
add action=drop chain=forward comment=\
"Drop all other traffic through the router"
add chain=input comment="Allow established connection to the router" \
connection-state=established
add chain=input comment="Allow related connection to the router" \
connection-state=related
add action=drop chain=input comment=\
"Drop All Other Traffic to Router - PROTECTING ROUTER"
/ip firewall nat
add action=masquerade chain=srcnat comment="PAT outside" dst-address=\
0.0.0.0/0 out-interface=ether1 src-address=192.168.0.0/24
/ip route
add comment="default route" distance=1 gateway=199.9.60.1
/ip service
set api disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB951ui
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=63.44.154.34 secondary-ntp=\
63.240.161.99

Are you trying to have multiple wireless networks?...

What you need to do then is add a VLAN to pass to the Unifis... then just treat the VLAN as a new network.

reply to @ plisken

I followed your instructions (pictures only, I can't read the language) from the links and got the best I could do. Please see the config below and let me know what I did wrong.
I couldn't get IP when I had port 5 independent and assigned DHCP to the port.

/interface bridge
add l2mtu=1598 name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ht-rxchains=0 ht-txchains=0 l2mtu=2290
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=\
"LAN - All ports are switched off Ether2"
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment="LAN - All ports are switched off Ether2"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool2 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp2 relay=\
192.168.1.0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.0.1/24 comment="LAN IP Subnet" interface=ether2 network=\
192.168.0.0
add address=199.9.60.xxx/24 interface=ether1 network=199.9.60.0
add address=192.168.1.0/24 interface=ether5 network=192.168.1.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,4.2.2.2 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.0,4.2.2.2 gateway=192.168.1.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.0.0/24 list=OurLocalLAN
/ip firewall filter
add chain=input comment="Allow access to the router from the LAN using addres \
list - PROTECTING ROUTER" src-address-list=OurLocalLAN
add action=drop chain=forward comment="Drop invlaid cnnections" \
connection-state=invalid
add chain=forward comment="Allow Connections from LAN" connection-state=new \
in-interface=bridge1
add chain=forward comment="Allow Established Connection from LAN" \
connection-state=established
add chain=forward comment="Allow Related Connection" connection-state=related
add action=drop chain=forward comment=\
"Drop all other traffice throught the router"
add chain=input comment="Allow established connection to the router" \
connection-state=established
add chain=input comment="Allow related connection to the router" \
connection-state=related
add action=drop chain=input comment=\
"Drop All Other Traffice to Router - PROTECTING ROUTER"
/ip firewall nat
add action=masquerade chain=srcnat comment="PAT outside" dst-address=\
0.0.0.0/0 out-interface=ether1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="PAT outside" dst-address=\
0.0.0.0/0 out-interface=ether5 src-address=192.168.1.0/24
/ip route
add comment="default route" distance=1 gateway=199.9.60.1
/ip service
set api disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB951g
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=63.44.154.34 secondary-ntp=\
63.240.161.99



reply to @ efaden

No, I am not trying to have multiple wifi. I am not even using the Wireless interface on RB951. The UniFi AP I have are being
used for guest wifi only.

I see that ether 3,4,5 is bridged.
Remove an interface from the bridge, for example ether5 and add than an IP address to this interface. en configure the DHCP server.
This is the reason that it fails
Ether5 becomes your new network
The screenshots that I made to my website will help you without the text to configure the routerboard.

Goodluck

Hello!
I did as you mentioned using the screen shot. However, I am not sure if it's done correctly.
I have doubt about the NAT rules on Port 5 and I also, created second bridge.

Please let me know...

Sandip



/interface bridge
add l2mtu=1598 name=bridge1
add name=bridge2
/interface wireless
set [ find default-name=wlan1 ] ht-rxchains=0 ht-txchains=0 l2mtu=2290
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=\
"LAN - ports 3,4 are switched off Ether2"
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment="LAN - ports 3,4 are switched off Ether2"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool2 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool3 ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=bridge2 name=dhcp2
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge2 interface=ether5
/ip address
add address=192.168.0.1/24 comment="LAN IP Subnet" interface=ether2 network=\
192.168.0.0
add address=199.9.xx.xxx/24 interface=ether1 network=199.9.60.0
add address=192.168.1.1/24 interface=ether5 network=192.168.1.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,4.2.2.2 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1,4.2.2.2 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.0.0/24 list=OurLocalLAN
/ip firewall filter
add chain=input comment="Allow access to the router from the LAN using addres \
list - PROTECTING ROUTER" src-address-list=OurLocalLAN
add action=drop chain=forward comment="Drop invlaid cnnections" \
connection-state=invalid
add chain=forward comment="Allow Connections from LAN" connection-state=new \
in-interface=bridge1
add chain=forward comment="Allow Established Connection from LAN" \
connection-state=established
add chain=forward comment="Allow Related Connection" connection-state=related
add action=drop chain=forward comment=\
"Drop all other traffic through the router"
add chain=input comment="Allow established connection to the router" \
connection-state=established
add chain=input comment="Allow related connection to the router" \
connection-state=related
add action=drop chain=input comment=\
"Drop All Other Traffic to Router - PROTECTING ROUTER"
/ip firewall nat
add action=masquerade chain=srcnat comment="PAT outside" dst-address=\
0.0.0.0/0 out-interface=ether1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment=PORT-5_NETWORK dst-address=\
0.0.0.0/0 out-interface=ether1 src-address=192.168.1.0/24
/ip route
add comment="default route" distance=1 gateway=199.9.60.1
/ip service
set api disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB951ui
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=63.44.154.34 secondary-ntp=\
63.240.161.99

If you connect with port 5 can you use internet?

I am able to get the 1.xxx ip however, the internet is not working.
I ping yahoo.com from the router's terminal and it responses.

I am not sure if my NAT rule is correct for Port 5.

Sandip

Take a screenshot from your nat settings pleace
I look than of it is OK

Please see the attached file.

Nat settings see printscreens that i made.

Src Address= 192.168.1.0/24
Out interface is your WAN interface by action select masquerade

Try this

I verified what you mentioned. Still not luck.

Later this weekend I am may remove all configuration and start from scratch.

I will need some time.

I will update you on this.
Sandip

Problem Resovled.

Under the Firewall Rules (NAT)
- I created a new rule for NAT to allow LAN traffic from Bridge 2, which is on private LAN on Port 5.

Hope I did this properly...

Thank You! to "plisken" as well for helping me along the way.

Great
You re welcome

You also should configure the secondary ip to bridge2 instead of ether5.

@ Rudios

I will look into on configuring your recommendation.

Any idea on where this should be done?