Access Management IP in dedicated vlan

Hi there,

I have a crs328-24p-4s+rm and every now and then I switch from swos to routeros to get used to routeros a little bit more. This time it is because swos doesn’t boot anymore - but that’s a different story.

My setup is:
Firewall → Port1 on CRS (Trunk)

I managed to set up all needed vlans on that switch by resetting routeros with “no default config” and “do not backup” and starting from scratch. I connect to CRS via Winbox on a Windows client on Port 24.

/
# create bridge
# vlan-filtering stays off while ports and VLANs are being defined; it is
# switched on as the last step of this script, once the VLAN table is complete.
interface bridge
add name=bridge1 vlan-filtering=no

# set up Trunk Ports
# No pvid is given, so these ports keep the default PVID (1).
# NOTE(review): neither frame-types nor ingress-filtering is set on the trunks,
# so untagged frames arriving on them are presumably still classified into the
# default PVID. frame-types=admit-only-vlan-tagged together with
# ingress-filtering=yes would limit a trunk to tagged frames of VLANs it is a
# member of.
/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes
add bridge=bridge1 interface=ether6 hw=yes
add bridge=bridge1 interface=ether22 hw=yes

# set up Access Ports
# pvid= is the VLAN that untagged frames entering the port are placed in.
# NOTE(review): frame-types is not restricted here either;
# frame-types=admit-only-untagged-and-priority-tagged would make an access port
# drop frames that arrive already tagged.
# ether24 (the port the author's Winbox client is plugged into) is not added to
# the bridge in this listing.
add bridge=bridge1 interface=ether8 hw=yes pvid=100
add bridge=bridge1 interface=ether9 hw=yes pvid=100
add bridge=bridge1 interface=ether16 hw=yes pvid=10
add bridge=bridge1 interface=ether17 hw=yes pvid=2
add bridge=bridge1 interface=ether18 hw=yes pvid=2
add bridge=bridge1 interface=ether19 hw=yes pvid=10
add bridge=bridge1 interface=ether20 hw=yes pvid=2
add bridge=bridge1 interface=ether21 hw=yes pvid=20
add bridge=bridge1 interface=ether23 hw=yes pvid=100
add bridge=bridge1 interface=sfp-sfpplus2 hw=yes pvid=20
add bridge=bridge1 interface=sfp-sfpplus3 hw=yes pvid=100
add bridge=bridge1 interface=sfp-sfpplus4 hw=yes pvid=100

# Assign Ports to Vlans
# tagged= ports carry the VLAN with an 802.1Q tag, untagged= ports carry it
# without one. bridge1 itself is not listed as a member of any VLAN here, so
# the switch's own CPU port takes part in none of them.
# VLAN 1 is tagged on ether1 only, while the trunk ports also keep PVID 1.
# ether22 is a tagged member of VLANs 2, 10 and 100 but not of VLAN 20.
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=1
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=ether17,ether18,ether20 vlan-ids=2
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=ether16,ether19 vlan-ids=10
add bridge=bridge1 tagged=ether1,ether6 untagged=ether21,sfp-sfpplus2 vlan-ids=20
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=ether8,ether9,ether23,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=100

# Activate Vlan Filtering
# From this point the VLAN table above is enforced on bridge1.
/interface bridge
set bridge1 vlan-filtering=yes

Now I’d like to assign an IP address to CRS which belongs to Vlan2

# VLAN interface for tag 2 on top of bridge1; the switch's own IP stack uses it
# to talk inside VLAN 2. Its traffic passes through the bridge's own (CPU)
# port, so bridge1 has to be a tagged member of VLAN 2 in /interface bridge vlan
# for this interface to see any frames once vlan-filtering is on.
/interface vlan
add interface=bridge1 vlan-id=2 name=MGMT
# Management address of the switch inside the VLAN 2 subnet.
# NOTE(review): no route is configured in this listing, so replies to clients
# in other subnets (reached via the firewall) have no gateway - confirm against
# /ip route.
/ip address
add address=192.168.2.55/24 interface=MGMT

The way I’d like to access the Management IP of CRS is the following:
from client on Vlan100 via port sfp-sfpplus4 → Trunk Port1 on CRS to Firewall → Firewall back to CRS

Vlan routing for all vlans is done by the firewall and this is set up correctly since I can reach vlan2 clients on ether17, ether18 & ether20 this way.

What am I missing regarding the set up of the ip address?

thx & Best

EDIT:
here’s my config:

# jan/02/1970 00:04:57 by RouterOS 6.44.6
# software id = PCUM-HC59
#
# model = CRS328-24P-4S+
# serial number = C7810C418392
# NOTE(review): the 1970 timestamp suggests the system clock is not set, which
# would make log timestamps on this switch unreliable - confirm the NTP client
# configuration.
# NOTE(review): software id and serial number identify the physical unit;
# consider redacting them when an export is shared.
# Users and passwords are not part of an export; confirm the admin account has
# a password now that the switch gets an IP address reachable from routed VLANs.
# No /ip service or firewall section appears below, so access to the management
# services is presumably unrestricted at the switch - verify.
/interface bridge
add name=bridge1 vlan-filtering=yes
# VLAN 2 interface on the bridge, used for the management address further down.
/interface vlan
add interface=bridge1 name=MGMT vlan-id=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# First three ports are the trunks (default PVID, no frame-types or
# ingress-filtering shown); the rest are access ports placed into a VLAN by pvid.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether8 pvid=100
add bridge=bridge1 interface=ether9 pvid=100
add bridge=bridge1 interface=ether16 pvid=10
add bridge=bridge1 interface=ether17 pvid=2
add bridge=bridge1 interface=ether18 pvid=2
add bridge=bridge1 interface=ether19 pvid=10
add bridge=bridge1 interface=ether20 pvid=2
add bridge=bridge1 interface=ether21 pvid=20
add bridge=bridge1 interface=ether23 pvid=100
add bridge=bridge1 interface=sfp-sfpplus2 pvid=20
add bridge=bridge1 interface=sfp-sfpplus3 pvid=100
add bridge=bridge1 interface=sfp-sfpplus4 pvid=100
# VLAN membership table. bridge1 is not a member of VLAN 2 in these rows, so
# the MGMT interface above receives no VLAN 2 frames while vlan-filtering=yes.
# VLAN 1 is tagged on ether1 only; ether22 is not a member of VLAN 20.
/interface bridge vlan
add bridge=bridge1 tagged=ether1 vlan-ids=1
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=\
    ether17,ether18,ether20 vlan-ids=2
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=ether16,ether19 \
    vlan-ids=10
add bridge=bridge1 tagged=ether1,ether6 untagged=ether21,sfp-sfpplus2 \
    vlan-ids=20
add bridge=bridge1 tagged=ether1,ether6,ether22 untagged=\
    ether8,ether9,ether23,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=100
# Management address in the VLAN 2 subnet; no /ip route section is present in
# this export, so no default gateway is configured.
/ip address
add address=192.168.2.55/24 interface=MGMT network=192.168.2.0
/system routerboard settings
set boot-os=router-os

You need to add bridge1 to the tagged list for VLAN 2.
You don’t need to set all those untagged ports either - they are implicitly (dynamically) defined as untagged by virtue of setting the PVID.
(ether22 is missing from your trunk ports tagged list for VLAN 20 - I don’t know whether this is what you intended. VLAN 1 is not used anywhere and is not a good idea anyway.)
So:

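# Intended to replace the existing rows for the same VLAN ids.
# bridge1 is listed as tagged for VLAN 2 so that the MGMT VLAN interface
# (vlan-id=2 on bridge1) can send and receive VLAN 2 frames. Access ports are
# not listed: they become untagged members dynamically from their pvid.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether6,ether22 vlan-ids=2
add bridge=bridge1 tagged=ether1,ether6,ether22 vlan-ids=10,100
# VLAN 20 gets its own row so that it stays off ether22, as in the original
# VLAN table; a trunk should only carry the VLANs it actually needs.
add bridge=bridge1 tagged=ether1,ether6 vlan-ids=20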

thanks a lot.
vlan1 was a mistake and has been removed and ether22 is not supposed to be part of vlan20. So that’s intended.

your advice to add bridge1 tagged on bridge1 helped me to keep going. That way CRS was available via any vlan2 access port.
After that I just needed to add the gateway for vlan2 to reach the firewall.

Best