Basic MikroTik Setup (Cloud Router + Switch)

RouterOS Beginner Basics
1

Hello all,
I’m facing an issue with my MikroTik setup and could really use some guidance. I know I’ve posted here a few times already, but I promise this will be my last one on this topic.

Here’s the situation:
I have a MikroTik Cloud Router connected to a MikroTik Switch. The goal is for the Cloud Router to function as the default gateway for the switch, as well as the DHCP server for the network.

  1. The Cloud Router’s IP address is 10.61.x.27 with a /21 subnet and a gateway of 10.61.x.1.
  2. I have several servers connected to the switch, but they are unreachable, and I can’t seem to figure out why.
  3. I’ve tried various ARP settings, routing adjustments, and other troubleshooting steps, but nothing seems to work. The servers are set to use 10.61.x.27 (the Cloud Router) as their default gateway, but they remain unreachable.

I honestly don’t know what to try anymore. I have read a lot of documentation on how to create VLANs, activate them, and other MikroTik-specific setups. I’ve also watched numerous videos on YouTube to better understand MikroTik configurations. Most of this has been very understandable, but it seems that the devices I’m using may require some additional configuration or a different approach that I haven’t figured out yet.

I understand this is a very basic setup, and it should be straightforward. However, since I’m coming from a different vendor, the MikroTik world feels a bit unfamiliar.

I would greatly appreciate it if someone could take a few minutes to look at my configuration and setup to help me resolve this issue.

Below, I’ve provided the configuration of both the MikroTik Cloud Router and the MikroTik Switch, along with an overview of how they are connected. I apologize again for any inconvenience, and thanks in advance for any help.

Also, I really appreciate the help of @anav, @Larsa, @jaclaz, and other great fellas. Your support means a lot!

Mikrotik Cloud Router:

[code]# 2025-03-12 11:49:02 by RouterOS 7.18.1
# software id = 
#
# model = CCR2116-12G-4S+
# serial number = 
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether13 ] name=ISP
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no loop-protect=off \
    mtu=1400 speed=10M-baseT-full
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface vlan
add interface=sfp-sfpplus1 name=MGMT_VLAN vlan-id=1
add interface=sfp-sfpplus1 name=vlan10 vlan-id=10
add interface=sfp-sfpplus1 mvrp=yes name=vlan20 vlan-id=20
add interface=sfp-sfpplus1 name=vlan30 vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=172.16.0.20-172.16.0.254
add name=dhcp ranges=172.16.0.3-172.16.0.254
add name=dhcp_pool3 ranges=192.168.10.20-192.168.10.254

/ip dhcp-server
add address-pool=dhcp interface=sfp-sfpplus1 name=dhcp1
# No IP address on interface
# No IP address on interface
add address-pool=dhcp_pool3 interface=vlan20 name=dhcp_vlan20
# No IP address on interface
add address-pool=dhcp_pool4 interface=vlan30 name=dhcp_vlan30
/port
set 0 name=serial0
/ip neighbor discovery-settings
set discover-interface-list=all lldp-mac-phy-config=yes lldp-max-frame-size=\
    yes lldp-vlan-info=yes
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1 vlan-ids=10
add bridge=bridge1 tagged=ether5,ether6,ether7 vlan-ids=20
add bridge=bridge1 tagged=ether8,ether9,ether10 vlan-ids=30
/interface list member
add interface=ISP list=WAN
add interface=*1C list=LAN
add interface=*1D list=LAN
add interface=bridge1 list=LAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/ip address
add address=10.61.x.27/21 interface=ISP network=10.61.x.0
add address=10.61.x.26/21 interface=sfp-sfpplus1 network=10.61.x.0
/ip arp
add address=10.61.x.32 interface=sfp-sfpplus1 mac-address=xxxxxxxxxxxxxxxxx
add address=10.61.x.29 interface=sfp-sfpplus1 mac-address=xxxxxxxxxxxxxxxxx
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.2
/ip firewall filter
add action=accept chain=forward src-address=10.61.x.0/21
add action=accept chain=forward dst-address=10.61.x.0/21 src-address=\
    10.61.x.0/21
add action=accept chain=forward dst-address=10.61.x.0/21 src-address=\
    10.61.x.0/21
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no dst-address=10.61.x.29/32 gateway=10.61.x.32 routing-table=\
    main suppress-hw-offload=no
/ip smb shares
set [ find default=yes ] directory=flash/pub
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing interface
add

[/code]
[/code]

Mikrotik Switch:

[code]# 2025-03-12 12:51:15 by RouterOS 7.18
# software id = 
#
# model = CRS354-48G-4S+2Q+
# serial number = 
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=\
    10M-baseT-full
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=ether25
add bridge=bridge1 interface=ether26
add bridge=bridge1 interface=ether27
add bridge=bridge1 interface=ether28
add bridge=bridge1 interface=ether29
add bridge=bridge1 interface=ether30
add bridge=bridge1 interface=ether31
add bridge=bridge1 interface=ether32
add bridge=bridge1 interface=ether33
add bridge=bridge1 interface=ether34
add bridge=bridge1 interface=ether35
add bridge=bridge1 interface=ether36
add bridge=bridge1 interface=ether37
add bridge=bridge1 interface=ether38
add bridge=bridge1 interface=ether39
add bridge=bridge1 interface=ether40
add bridge=bridge1 interface=ether41
add bridge=bridge1 interface=ether42
add bridge=bridge1 interface=ether43
add bridge=bridge1 interface=ether44
add bridge=bridge1 interface=ether45
add bridge=bridge1 interface=ether46
add bridge=bridge1 interface=ether47
add bridge=bridge1 interface=ether48
add bridge=bridge1 interface=ether49
add bridge=bridge1 interface=qsfpplus1-1
add bridge=bridge1 interface=qsfpplus1-2
add bridge=bridge1 interface=qsfpplus1-3
add bridge=bridge1 interface=qsfpplus1-4
add bridge=bridge1 interface=qsfpplus2-1
add bridge=bridge1 interface=qsfpplus2-2
add bridge=bridge1 interface=qsfpplus2-3
add bridge=bridge1 interface=qsfpplus2-4
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus1
/ip neighbor discovery-settings
set lldp-mac-phy-config=yes lldp-max-frame-size=yes lldp-vlan-info=yes
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=ether25 list=LAN
add interface=ether26 list=LAN
add interface=ether27 list=LAN
add interface=ether28 list=LAN
add interface=ether29 list=LAN
add interface=ether30 list=LAN
add interface=ether31 list=LAN
add interface=ether32 list=LAN
add interface=ether33 list=LAN
add interface=ether34 list=LAN
add interface=ether35 list=LAN
add interface=ether36 list=LAN
add interface=ether37 list=LAN
add interface=ether38 list=LAN
add interface=ether39 list=LAN
add interface=ether40 list=LAN
add interface=ether41 list=LAN
add interface=ether42 list=LAN
add interface=ether43 list=LAN
add interface=ether44 list=LAN
add interface=ether45 list=LAN
add interface=ether46 list=LAN
add interface=ether47 list=LAN
add interface=ether48 list=LAN
add interface=ether49 list=LAN
add interface=qsfpplus1-1 list=LAN
add interface=qsfpplus1-2 list=LAN
add interface=qsfpplus1-3 list=LAN
add interface=qsfpplus1-4 list=LAN
add interface=qsfpplus2-1 list=LAN
add interface=qsfpplus2-2 list=LAN
add interface=qsfpplus2-3 list=LAN
add interface=qsfpplus2-4 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/ip address
add address=10.61.x.32/21 interface=sfp-sfpplus1 network=10.61.x.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=forward dst-address=10.61.x.0/21 src-address=\
    10.61.x.0/21
/system clock
set time-zone-name=
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

[/code]

================================================================================


mikrotik situation.jpg

2

Can you please add all VLAN’s to the network diagram?
And have a good look at this topic, which really handles all config questions when doing VLAN:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

The very first thing I notice is already in the second line of your routers config…vlan filtering is not enabled:

/interface bridge
add name=bridge1

Furthermore, please place all configs (great you already supplied this information) between code tags (just as I did above) by using the </> button in the full text editor.

3

@UltraIsp4883:

Please use proper code tags ( button </> in the editor) for exported code. It makes reading easier.

4

========================================

There are no additional VLANs, what I’ve shared is the complete setup. Also, I enabled VLAN filtering, but still the same situation…

5

The diagram is the image you supplied, please add all VLAN’s in there.
Did you have a look at the link I supplied.
If no, please do so. If yes, do it again (untill it works :sunglasses: ).

6

Yes, the article referenced contains examples for both the router and the switch, Use those.
Also a video by https://www.youtube.com/watch?v=YLtGQAQ8iS0&pp=ygUhdmxhbnMgc3dpdGNoIG1pa3JvdGlrIDMwMFggc2VyaWVz
is good for the switch.

The main differences, only the management or base vlan needs to be identified on the switch at /interface vlan.
Further the associated vlan is the ONLY VLAN-ID, in /interface bridge vlan settings, that needs tagging to the bridge itself.
The switch will get its own IP address on this vlan, best set statically.

For both router and switch I recommend taking an unused port OFF the bridge ( remove from /interface bridge port )
Then:
/interface ethernet
set etherX name=OffBridgeX
/interface list member
add interface=OffBridgeX list=LAN
add interface=OffBridgeX list=BASE ( or management )
/ip address
add address=192.168.78.0/30 interface=OffBridgeX network=192.168.78.0

Now simply plug your laptop into etherX and change your IPV4 settings on the laptop to 192.168.78.2
You will be able to reach the router now for config purposes. More importantly you will be able to configure vlans and vlan filtering FROM A SAFE SPOT ( not associated with vlans or the bridge ).

With the reference information and the above please apply new knowledge to your config and repost an updated config for review!!

7

===================================================================================================================

Thank you for the detailed instructions. I followed everything you mentioned, and below you’ll find the configurations for both the MikroTik Cloud Router and the switch:

2025-03-12 14:58:36 by RouterOS 7.18.1

software id =

model = CCR2116-12G-4S+

serial number =

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether13 ] name=ISP
set [ find default-name=ether5 ] name=OffBridgeX
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no loop-protect=off
mtu=1400 speed=10M-baseT-full
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface vlan
add interface=sfp-sfpplus1 name=MGMT_VLAN vlan-id=1
add interface=sfp-sfpplus1 name=vlan10 vlan-id=10
add interface=sfp-sfpplus1 mvrp=yes name=vlan20 vlan-id=20
add interface=sfp-sfpplus1 name=vlan30 vlan-id=30
/interface list
add name=WAN
add name=LAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=172.16.0.20-172.16.0.254
add name=dhcp ranges=172.16.0.3-172.16.0.254
add name=dhcp_pool3 ranges=192.168.10.20-192.168.10.254
/ip dhcp-server

DHCP server can not run on slave interface!

add address-pool=dhcp interface=sfp-sfpplus1 name=dhcp1
add address-pool=dhcp_pool_10.61 interface=vlan10 name=dhcp_vlan10

No IP address on interface

add address-pool=dhcp_pool3 interface=vlan20 name=dhcp_vlan20

No IP address on interface

add address-pool=dhcp_pool4 interface=vlan30 name=dhcp_vlan30
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=all lldp-mac-phy-config=yes lldp-max-frame-size=
yes lldp-vlan-info=yes
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1 vlan-ids=10

OffBridgeX,ether6,ether7 not a bridge port

add bridge=bridge1 tagged=OffBridgeX,ether6,ether7 vlan-ids=20

ether8,ether9,ether10 not a bridge port

add bridge=bridge1 tagged=ether8,ether9,ether10 vlan-ids=30
/interface list member
add interface=ISP list=WAN
add interface=*1C list=LAN
add interface=*1D list=LAN
add interface=bridge1 list=LAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=OffBridgeX list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=OffBridgeX list=BASE
/ip address
add address=10.61.x.27/21 interface=ISP network=10.61.x.0
add address=10.61.x.26/21 interface=sfp-sfpplus1 network=10.61.x.0
add address=192.168.78.1/30 interface=OffBridgeX network=192.168.78.0
add address=10.61.x.27/21 interface=vlan10 network=10.61.x.0
/ip arp
add address=10.61.x.32 interface=sfp-sfpplus1 mac-address=xxxx
add address=10.61.x.29 interface=sfp-sfpplus1 mac-address=xxxx
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.2
/ip firewall filter
add action=accept chain=forward src-address=10.61.x.0/21
add action=accept chain=forward dst-address=10.61.x.0/21 src-address=
10.61.x.0/21
add action=accept chain=forward dst-address=10.61.x.0/21 src-address=
10.61.x.0/21
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip smb shares
set [ find default=yes ] directory=flash/pub
/system clock
set time-zone-name=x
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing interface
add

=========================================================================

Mikrotik Switch:

2025-03-12 15:04:47 by RouterOS 7.18

software id = =

model = CRS354-48G-4S+2Q+

serial number = =

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=
10M-baseT-full
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether25
add bridge=bridge1 interface=ether26
add bridge=bridge1 interface=ether27
add bridge=bridge1 interface=ether28
add bridge=bridge1 interface=ether35
add bridge=bridge1 interface=ether46
add bridge=bridge1 interface=ether47
add bridge=bridge1 interface=ether48
add bridge=bridge1 interface=sfp-sfpplus1 point-to-point=yes
/ip neighbor discovery-settings
set lldp-mac-phy-config=yes lldp-max-frame-size=yes lldp-vlan-info=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1 untagged=ether2 vlan-ids=10
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=10.61.x.32/21 interface=bridge1 network=10.61.x.0
add address=10.61.x.28/21 interface=vlan10 network=10.61.x.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.2
/ip service
set www-ssl disabled=no
/system clock
set time-zone-name=x
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key