@anav, thanks for the detailed answer
1) The frame-types setting on the bridge is there to block traffic on the default VLAN (ID 1), if I understood everything correctly. It is part of the MikroTik VLAN tutorial and I have been using it on my current RB5009 setup.
2) I learnt this one the hard way when I was setting up the RB5009 initially (I had to wipe it and reconfigure it...)
3) Ingress filtering is checked by default and does not appear in the configuration file
4) My point was to set up inter-VLAN routing first, before adding the NAT and the rest. I found what my issue was on the Windows side, and inter-VLAN routing now works fine (all VLANs can access all VLANs; I will lock that down later on). I changed all VLANs and IPs to make sure there is no overlap with any of my currently used setup. I will change the configuration before putting everything live.
5) I have untagged ports on CRS317 as well (future 10G devices), I need to tag those ports and have some IP addresses set if I want to be able to route between VLANs.
To give a bit more context and background about my setup: I'm running a little homelab at home, mainly built around NUCs right now, but I will retire those to get devices that can support a 10G NIC. My current Ceph cluster is on 2.5GbE and consumer drives; it works but it is far from optimal.
"An image is worth a thousand words"
Here is what I'm trying to achieve right now:
I managed to get L3HW offloading working on both switches. I just need to remember to disable and re-enable L3HW for changes to take effect (I think the rules are "copied" over to the switch chip when you do that).
I'm now connected to the Internet via the RB5009 (sfp-sfpplus13 on CRS317). I have set the MTUs and I will now try to test with iperf3 to see how much I get performance wise.
# 2024-03-25 13:21:39 by RouterOS 7.14.1
# software id = IZBV-VVB6
#
# model = CRS317-1G-16S+
# serial number =
# CRS317: layer-2 interfaces, VLAN interfaces, LACP trunk and L3 hardware offload.
#
# Bridge with VLAN filtering enabled. frame-types=admit-only-vlan-tagged on the
# bridge itself applies to the bridge's own CPU-facing port, so only tagged
# frames reach the VLAN interfaces created on top of it.
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
# Jumbo MTU (10218) on the SFP+ ports.
# NOTE(review): sfp-sfpplus9 and sfp-sfpplus13 are not listed here. The export
# presumably omits default values, so those two ports look to be at the default
# MTU. sfp-sfpplus9 is an access port in VLAN 130 and sfp-sfpplus13 is the
# routed uplink; confirm the MTU is consistent along each path.
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus2 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus3 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus4 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus5 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus6 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus7 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus8 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus10 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus11 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus12 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus14 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus15 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus16 ] l2mtu=10218 mtu=10218
# One routed (layer-3) interface per VLAN; addresses are assigned under /ip address.
/interface vlan
add interface=bridge name=vlan110 vlan-id=110
add interface=bridge name=vlan120 vlan-id=120
add interface=bridge name=vlan130 vlan-id=130
add interface=bridge name=vlan199 vlan-id=199
# LACP (802.3ad) bond of sfp-sfpplus15 and sfp-sfpplus16; it is added to the
# bridge as the tagged-only trunk under /interface bridge port.
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bond_15-16 slaves=sfp-sfpplus15,sfp-sfpplus16 transmit-hash-policy=layer-2-and-3
# L3 hardware offloading on the switch chip.
# NOTE(review): traffic routed in hardware is, as far as the L3HW documentation
# describes, not evaluated by the CPU /ip firewall filter rules. Any planned
# inter-VLAN restrictions need switch ACL rules, or offloading disabled on the
# ports whose traffic must be filtered. Confirm for this model before relying
# on the filter table for segmentation.
/interface ethernet switch
set 0 l3-hw-offloading=yes
# Offloading is turned off for switch port index 12.
# NOTE(review): index 12 presumably maps to the uplink sfp-sfpplus13; confirm
# with a print of /interface ethernet switch port.
/interface ethernet switch port
set 12 l3-hw-offloading=no
# CRS317: default service entries, bridge port roles and the bridge VLAN table.
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# The default SMB user is disabled.
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
# Access ports: only untagged/priority-tagged frames are admitted and they are
# classified into the port's pvid (110, 120 or 130). Tagged frames arriving on
# an access port are rejected, which keeps a host from injecting frames into
# another VLAN by adding its own tag.
# NOTE(review): ingress-filtering is not shown; the export presumably omits it
# because it is at its default. Confirm it is enabled with "print detail".
# sfp-sfpplus13 and sfp-sfpplus14 are not bridge members in this export.
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus3 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus4 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus5 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus6 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus7 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus8 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus9 pvid=130
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus10 pvid=130
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus11 pvid=130
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus12 pvid=130
# Trunk toward the other switch: tagged frames only, no untagged/native VLAN.
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_15-16
# UDP connection-tracking timeout set to 10 seconds.
/ip firewall connection tracking
set udp-timeout=10s
# VLAN membership. Each VLAN is tagged on the bridge (CPU port, needed for the
# VLAN interfaces) and on the trunk bond.
# NOTE(review): only some access ports are listed as untagged (sfp-sfpplus4 for
# 110; sfp-sfpplus9 and sfp-sfpplus12 for 130). Ports with a matching pvid are
# normally added as untagged members dynamically, so these partial lists look
# like leftovers; verify the effective table with a print on this menu.
/interface bridge vlan
add bridge=bridge tagged=bridge,bond_15-16 untagged=sfp-sfpplus4 vlan-ids=110
add bridge=bridge tagged=bridge,bond_15-16 vlan-ids=120
add bridge=bridge tagged=bridge,bond_15-16 untagged=sfp-sfpplus9,sfp-sfpplus12 vlan-ids=130
add bridge=bridge tagged=bridge,bond_15-16 vlan-ids=199
# CRS317: layer-3 addressing, firewall, NAT and routing.
#
# This device holds the .2 address in every VLAN subnet and 192.168.30.254/24
# on the routed uplink port sfp-sfpplus13.
/ip address
add address=192.168.110.2/24 interface=vlan110 network=192.168.110.0
add address=192.168.120.2/24 interface=vlan120 network=192.168.120.0
add address=192.168.130.2/24 interface=vlan130 network=192.168.130.0
add address=192.168.199.2/24 interface=vlan199 network=192.168.199.0
add address=192.168.30.254/24 interface=sfp-sfpplus13 network=192.168.30.0
/ip dns
set servers=192.168.10.101
# Forward chain: fasttrack (with hardware offload) and accept for
# established/related connections.
# NOTE(review): there is no drop rule and no input-chain rule in this export.
# RouterOS chains accept by default, so every new forwarded connection and all
# traffic addressed to the switch itself (management services on every VLAN
# address and on the uplink address) is currently allowed. Before going live,
# restrict the input chain to the management VLAN (199 appears to be intended
# for that) and add explicit forward policy between VLANs.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
# Source NAT for everything leaving through the uplink: packets get this
# device's address on that link (192.168.30.254) as their source.
# NOTE(review): if the upstream router at 192.168.30.1 also NATs, traffic is
# translated twice, and the upstream firewall and logs see one source address
# for all VLANs. An alternative to evaluate: remove this rule and add static
# routes for the VLAN subnets on the upstream router via 192.168.30.254.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus13
# Default route toward the upstream router on the uplink subnet.
/ip route
add gateway=192.168.30.1
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
# 2024-03-25 13:58:10 by RouterOS 7.14.1
# software id = H7ZT-96GQ
#
# model = CRS328-24P-4S+
# serial number =
# CRS328: layer-2 interfaces, management VLAN interface and LACP trunk.
#
# Bridge with VLAN filtering enabled. The bridge's own CPU-facing port admits
# only tagged frames.
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
# Jumbo MTU (10218) on the four SFP+ ports only.
# NOTE(review): no ether port appears here, so the copper access ports are
# presumably at the default MTU; confirm that matches the hosts behind them.
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus2 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus3 ] l2mtu=10218 mtu=10218
set [ find default-name=sfp-sfpplus4 ] l2mtu=10218 mtu=10218
# The only VLAN interface on this switch is VLAN 199, so this device has an IP
# presence in that VLAN alone.
/interface vlan
add interface=bridge name=vlan199 vlan-id=199
# LACP (802.3ad) bond of sfp-sfpplus3 and sfp-sfpplus4, used as the trunk.
/interface bonding
add lacp-rate=1sec mode=802.3ad name=bond_3-4 slaves=sfp-sfpplus3,sfp-sfpplus4 transmit-hash-policy=layer-2-and-3
# L3 hardware offloading is enabled on the switch chip.
# NOTE(review): with a single IP interface (vlan199) in this export there
# appears to be nothing for this switch to route between; confirm whether
# offloading is needed here.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
# CRS328: bridge port roles, neighbor discovery and the bridge VLAN table.
#
# Access ports: untagged/priority-tagged frames only, classified by pvid
# (ether1-7 -> 110, ether9-15 -> 120, ether17-23 -> 130). Tagged frames from a
# host on these ports are rejected.
# NOTE(review): ether8, ether16, ether24, sfp-sfpplus1 and sfp-sfpplus2 are not
# bridge members in this export; if they are unused, consider disabling them.
# ingress-filtering is not shown, presumably because it is at its default;
# confirm with "print detail".
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=110
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether11 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether12 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether14 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether15 pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether17 pvid=130
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether18 pvid=130
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether19 pvid=130
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether20 pvid=130
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether21 pvid=130
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether22 pvid=130
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether23 pvid=130
# Trunk toward the other switch: tagged frames only; spanning-tree path cost
# is set explicitly to 10.
add bridge=bridge frame-types=admit-only-vlan-tagged interface=bond_3-4 internal-path-cost=10 path-cost=10
# Neighbor discovery runs on every interface that is not in the "dynamic" list,
# which includes the access ports above.
# NOTE(review): discovery announcements disclose device identity and software
# details to attached hosts; consider limiting this to an interface list that
# contains only the management interface before going live.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLAN membership. VLANs 110/120/130 are tagged on the trunk only; the bridge
# (CPU port) is not a member, so the switch CPU has no presence in the user
# VLANs. Only VLAN 199 includes the bridge, which is what makes vlan199 usable.
/interface bridge vlan
add bridge=bridge tagged=bond_3-4 vlan-ids=110
add bridge=bridge tagged=bond_3-4 vlan-ids=120
add bridge=bridge tagged=bond_3-4 vlan-ids=130
add bridge=bridge tagged=bridge,bond_3-4 vlan-ids=199
# CRS328: management addressing and routing.
#
# Single address, in VLAN 199.
# NOTE(review): this export contains no /ip firewall filter section, and
# /ip service and /tool mac-server are not shown (presumably at defaults).
# Any host that can route to 192.168.199.3 can therefore reach whatever
# management services are enabled; review them and restrict by source address
# before going live.
/ip address
add address=192.168.199.3/24 interface=vlan199 network=192.168.199.0
/ip dns
set servers=192.168.10.101
# Default route via 192.168.199.2 on the management VLAN.
/ip route
add gateway=192.168.199.2
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
Your point is something that I did not realise: double nat. Do you have any ideas how I could prevent that? I could remove the NAT from RB5009 and treat it as firewall/bridge, no?
Thanks,
D.