[Assistance] - VLAN configuration on CRS1xx

Good day,
I am sure I am missing the last piece of config in order to get VLANs on my CRS106 working. I am asking for assistance and guidance on what I might have missed in the configuration, or recommendations on how to resolve the problem I am facing.

The Setup
I bought 2 CRS106 switches and 2 hosts, one on each switch; both switches have been reset to factory default.
Single VLAN ID of 99 - this is a lab and the idea is to have this as a management VLAN with an interface on VLAN99.
The switches are connected together using sfp1 and the hosts are using either sfp3 or sfp4 - the other port config that may appear in the code below would be due to me doing some testing.
The config below is for 1 of the switches; the config is the exact same for the other switch bar the IP addressing.

What did I configure
I added the ports to a bridge and did not configure anything further on it, as specified in the CRS1xx/2xx VLAN guide.
I then moved to set up the VLANs in the switch chip menu and not the bridge:

  • I configured the switch VLAN table and added switch1-cpu per the inter-VLAN routing guide, and added the sfp3 and sfp4 interfaces.
  • I configured the ingress translation with customer-id=0 and new-customer-id=99.
  • I configured the egress translation as well, as the opposite of the ingress translation: customer-id=99 and new-customer-id=0.
  • I configured the VLAN99 interface referencing the bridge named br99.
  • I then applied the drop-if-vlan-invalid command to the ports.

What's not working
I cannot ping the VLAN IP address of the switch from any of the hosts. I can, however, ping the hosts from each other (host 1 can ping host 2) if I connect them to the same switch.
From a host, I cannot ping the other host when they are on separate switches, so host 1 plugged into switch 1 cannot ping host 2 on switch 2 and vice versa.
When I torch the bridge VLAN interface, I can see VLAN ID 99 traffic sourced from the router destined for the IP address of the host (if I ping from the terminal), but I do not see return traffic.
I also do not see any traffic hitting the bridge from the host when I ping the VLAN IP from the host.

What is Working
I can ping the neighbouring switches, so the switch 1 terminal can ping switch 2 on the VLAN IP and vice versa. I can also see this in torch: ICMP traffic between the 2 switches tagged as VLAN 99.

What I think is wrong
I have a feeling I have not configured the port translation correctly, or I have left a step out of the configuration. The problem seems to be on the host/access port side; the trunk between the 2 switches works perfectly fine apart from the hosts.

What research I have done and used before posting to the forum
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches
http://forum.mikrotik.com/t/crs1xx-access-management-on-hybrid-vlan-port/170489/1
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_VLANs_with_Trunks
https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835#CRS1xx/2xxseriesswitches-VLANTable

Config Code

```text
# 1970-01-03 06:38:00 by RouterOS 7.15.2
/interface bridge
add name=br99 protocol-mode=none
/interface vlan
add interface=br99 name=vlan99 vlan-id=99
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=combo1,sfp1,sfp3,sfp4
/port
set 0 name=serial0
/interface bridge port
add bridge=br99 interface=sfp1
add bridge=br99 interface=sfp3
add bridge=br99 interface=sfp4
add bridge=br99 interface=combo1
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,sfp1 vlan-id=99
/interface ethernet switch egress-vlan-translation
add customer-vid=99 new-customer-vid=0 ports=sfp3,sfp4
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=99 ports=sfp3,sfp4
/interface ethernet switch vlan
add ports=switch1-cpu,combo1,sfp1,sfp3,sfp4 vlan-id=99
/ip address
add address=10.0.0.11/24 interface=br99 network=10.0.0.0
add address=192.168.2.254/24 interface=vlan99 network=192.168.2.0
/system note
set show-at-login=no
```

I think that there is no need for egress-vlan-translation and that is causing the problem:

> When an entry is created under `/interface ethernet switch ingress-vlan-translation`, then the switch chip will add a VLAN tag on ingress frames on the specified port. To remove the VLAN tag on the same port for egress frames, an `/interface ethernet switch egress-vlan-tag` entry should be created for the same VLAN ID where only tagged ports are specified. If a specific VLAN is forwarded only between access ports, the `/interface ethernet switch egress-vlan-tag` entry should still be created without any tagged ports. Another option is to create extra entries under `/interface ethernet switch egress-vlan-translation` menu to set untagged (VLAN0) traffic.
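The rule in the quoted documentation (every VLAN added by ingress-vlan-translation needs a matching egress-vlan-tag entry, and every port it touches must be in the switch VLAN table) can be checked mechanically over an export. The following is an added example and not code from this thread or from MikroTik: the sample export is constructed after the config posted above, with a deliberately incomplete second VLAN (200 on combo1), and the export parser is a simplification that assumes one `key=value` pair per token.

```python
import re
from collections import defaultdict

# Constructed sample export, modelled on the config posted in the thread (not the poster's file).
# VLAN 99 follows the quoted docs rule; VLAN 200 on combo1 is deliberately incomplete.
SAMPLE_EXPORT = """\
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=combo1,sfp1,sfp3,sfp4
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,sfp1 vlan-id=99
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=99 ports=sfp3,sfp4
add customer-vid=0 new-customer-vid=200 ports=combo1
/interface ethernet switch vlan
add ports=switch1-cpu,combo1,sfp1,sfp3,sfp4 vlan-id=99
"""

def parse_export(text):
    """Group each 'add'/'set' line under its '/menu path' heading as a dict of key=value pairs."""
    menus, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
        else:
            menus[current].append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return menus

def ports(value):
    return set(value.split(",")) if value else set()

def check_switch_vlans(text):
    """Return findings for VLANs whose switch-chip entries are inconsistent with each other."""
    m, base = parse_export(text), "/interface ethernet switch"
    members = {e["vlan-id"]: ports(e.get("ports", "")) for e in m[base + " vlan"]}
    egress_tag = {e["vlan-id"]: ports(e.get("tagged-ports", "")) for e in m[base + " egress-vlan-tag"]}
    findings = []
    for e in m[base + " ingress-vlan-translation"]:
        vid = e["new-customer-vid"]
        if vid not in egress_tag:  # docs: create the entry even if it has no tagged ports
            findings.append(f"vlan {vid}: no egress-vlan-tag entry (needed even with no tagged ports)")
        missing = (ports(e.get("ports", "")) | egress_tag.get(vid, set())) - members.get(vid, set())
        if missing:
            findings.append(f"vlan {vid}: ports {sorted(missing)} missing from the switch vlan table")
    all_members = set().union(*members.values()) if members else set()
    for e in m[base]:  # a drop-if-invalid port that is in no VLAN entry will drop every frame
        for p in ports(e.get("drop-if-invalid-or-src-port-not-member-of-vlan-on-ports", "")):
            if p not in all_members:
                findings.append(f"port {p}: drop-if-invalid set but port is in no switch vlan entry")
    return findings

if __name__ == "__main__":
    print("\n".join(check_switch_vlans(SAMPLE_EXPORT)) or "no findings")
```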

Thank you kindly for your reply - I appreciate your time.

I added that config after the initial configuration. I did initially follow the referenced guides and did not include that egress-vlan-translation; it was added as my understanding of the quote was egress frames back to the host from the switch. I added it in as an attempt to try getting it working.
I am happy to omit the egress-vlan-translation portion if it's not needed; however, the results are still the same.

What kind of “hosts” are connected to sfp3 and sfp4, could it be that they simply do not respond to pings? Can you sniff on the hosts themselves to see what is coming through their SFP ports when you ping from the switch?

They are computers with firewalls disabled. I can ping and connect to them without the VLAN configuration, and have also swapped one out for my laptop. I will do so and get back with findings; it will be a few hours.

Perhaps the problem is in the firewall. That's why it's not good to work with snippets of config. Would you export your whole config and post it here?

/export file=anynanmeyoulike (minus sensitive information like serial numbers, public IPs, etc.)

I thought that as well, so what I did was factory reset the unit to the default config and did not apply any other config other than trying to get the VLANs to work.
Sure, I will attach the config; however, the snippet is the actual code that I posted. I've got nothing else on there, but I will attach it for you.

I do have some feedback:
Turns out, if I add a VLAN on the computer, it works: I can ping the switch's VLAN interface. So VLANs do work, however they have to be tagged from the computer, so there's definitely something I am doing wrong with the access port section. Potential software bug, considering I followed the guides? But I highly doubt that.

So, sniffing the ports, I can see IP addresses and replies when using the above, where I add the VLAN tag on my BSD PC.
I do not, however, see anything when sniffing using the proposed access port setup, but I do see ARP requests that pass through on the Packets tab of Packet Sniffer, so there is some communication happening but the ARP stays incomplete.

Some more troubleshooting I did: I ran a tcpdump on one of my computers that should be on the 99 VLAN, and I seem to be picking up traffic from the actual bridge interface itself rather than the VLAN. So I just placed an IP on the bridge (10.0.0.0/24 on br99) and used the same config used for ingress VLAN translation; it's almost as if this is being ignored. I'm not entering VLAN99, I'm staying on the actual bridge itself, as I am picking up traffic from the other untagged interfaces rather than the one it's supposed to be in. I just pinged the broadcast IP and saw that on my PC (SFP3).

Here is the tcpdump portion; in theory I should not see this, I should see untagged traffic for the 192.168.2 network rather than the 10.0.0.0 network.

```text
00:35:12.553046 IP 10.0.0.11 > 10.0.0.255: ICMP echo request, id 839, seq 0, length 36
```
configdump.rsc (1014 Bytes)

https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching

With MikroTik you generally have 2 choices for VLAN switching.
Do it all on the device's switch chip (wire speed)
OR
Do it in the CPU (the processor), usually much slower.

Doing it in the switch chip is always choice 1 where you can.
CRS 1 + 2 series in RouterOS suck (as there is some extra time and effort required to get it to work at switch chip level, but it is fine grained!)
CRS 3 + 5 series switches are a lot nicer to apply switch config to within RouterOS, and make more sense.

Do carefully read the link at the top.

If you learn from videos, I recommend Mikrotik VLANs - CRS1xx & CRS2xx - Mikrotik Tutorial by Wilmer Almazan / The Network Trip

In the example he is configuring, there are two switches connected by a trunk link, and access ports, and an external router for routing between VLANs.

This video is three years old and is using ROS v6.46, and using the switch method. I don’t know if this has changed with v7 or not. I also don’t have any CRS switches, the only MikroTik switch I have is a RB260 aka CSS106-5G-1S, and it uses SwitchOS.

https://foisfabio.it/index.php/2024/01/19/mikrotik-vlan/

I don’t know if the default items in /export have changed in v7, but certainly in RouterOS v6 /interface ethernet switch ingress-vlan-translation entries have explicit customer-vid=0.

Also, are the bridge ports actually hardware-offloaded? They should have an H flag showing in `/interface bridge port print`.