x
I have not tested, but I would try something like:
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether3 hw=yes
add bridge=bridge1 interface=ether4 hw=yes
add bridge=bridge1 interface=ether5 hw=yes
/interface ethernet switch ingress-vlan-translation
add ports=ether2 customer-vid=0 new-customer-vid=20 sa-learning=yes
add ports=ether3 customer-vid=0 new-customer-vid=30 sa-learning=yes
add ports=ether4 customer-vid=0 new-customer-vid=40 sa-learning=yes
add ports=ether5 customer-vid=0 new-customer-vid=50 sa-learning=yes
/interface ethernet switch egress-vlan-tag
# switch1-cpu must be a tagged port for each VLAN, otherwise the /interface vlan entries on bridge1 never see tagged frames
add tagged-ports=switch1-cpu vlan-id=20
add tagged-ports=switch1-cpu vlan-id=30
add tagged-ports=switch1-cpu vlan-id=40
add tagged-ports=switch1-cpu vlan-id=50
/interface ethernet switch vlan
add ports=switch1-cpu,ether2 vlan-id=20 learn=yes
add ports=switch1-cpu,ether3 vlan-id=30 learn=yes
add ports=switch1-cpu,ether4 vlan-id=40 learn=yes
add ports=switch1-cpu,ether5 vlan-id=50 learn=yes
/interface vlan
add interface=bridge1 vlan-id=20 name=VLAN20
add interface=bridge1 vlan-id=30 name=VLAN30
add interface=bridge1 vlan-id=40 name=VLAN40
add interface=bridge1 vlan-id=50 name=VLAN50
/ip address
add address=192.168.20.1/24 interface=VLAN20
add address=192.168.30.1/24 interface=VLAN30
add address=192.168.40.1/24 interface=VLAN40
add address=192.168.50.1/24 interface=VLAN50
## Create DHCP Server for every VLAN
Assuming that your other firewalls are handling routing, etc. and the CRS is just being a switch then https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Example_1_.28Trunk_and_Access_ports.29 for the access ports, and the incremental changes https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Example_2_.28Trunk_and_Hybrid_ports.29 for the AP hybrid port.
x
Definitely go with a single bridge. Use of multiple bridges is a) old school and b) not hardware accelerated … Mind that on CRS1xx you need to do VLAN config in /interface ethernet to have it HW-accelerated (if done in /interface bridge then it’s done by CPU and can’t be wirespeed).
The wiki examples tend to be command-line, but making the equivalent changes through Winbox is fine. Note that many of the examples expect there to be no configuration present - if you try running the commands on a device with a default configuration you will likely get errors about ports already being members of a bridge, for example.
VLAN/switch configuration can easily leave you unable to access the device if you make a mistake - using safe mode, MAC (rather than IP) communications on a port you are not currently changing, or a serial console on devices which support it are options.
Many blogs and videos are either outdated (as RouterOS evolves with different / better ways of implementing things), or are less than optimal / just plain wrong (they may have worked for the author in their specific case but could cause issues in more general cases).
x
Please make a simple network diagram it will help…
x
Nothing obvious to stop communications. If you configure a VLAN directly on DEV-PC and connect it directly to FW1 without the CRS, does it work?
There are a few minor points but nothing affecting your immediate issue…
As you are just using the CRS as a switch the default configuration ‘WAN’ and ‘LAN’ interface lists are not really relevant, either
/interface list member
add interface=ether1 list=LAN
add …
/interface list
add name=WAN
add name=LAN
or remove /interface list and /interface list member entirely.
The IP address should be bound to the parent interface, not a child member
/ip address
add address=10.0.83.20/24 comment=defconf interface=bridge network=10.0.83.0
The /interface vlan and switch1-cpu references under /interface ethernet switch vlan are only required for any VLANs which need to communicate with the CPU directly, if VLANs are passing through these are not required. Typically you would have either untagged or one tagged VLAN for management access.
I am curious why you would create a new bridge1 and not use the existing bridge?
x
Check my #2 post and use the sa-learning and learn values…
x
I removed switch1-cpu from switch vlan and everything is working as expected.
I am not sure why this was the problem; switch1-cpu just gives access to the CPU, needed or not I don’t see why it caused a problem…
x
I had the same problem, try what this user indicates and it has served me wonderfully
All I can think of is that including the switch1-cpu port as a member of multiple VLANs without tagging traffic on that port is doing something weird. If you did want CPU access to the VLANs it should be:
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,ether5,ether7 vlan-id=20
add tagged-ports=switch1-cpu,ether5,ether7 vlan-id=30
add tagged-ports=switch1-cpu,ether5,ether7 vlan-id=40
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether2
add customer-vid=0 new-customer-vid=30 ports=ether3
add customer-vid=0 new-customer-vid=40 ports=ether4
/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether5,ether7 vlan-id=20
add ports=switch1-cpu,ether3,ether5,ether7 vlan-id=30
add ports=switch1-cpu,ether4,ether5,ether7 vlan-id=40
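The two points made above (switch1-cpu only belongs in a VLAN if the CPU actually needs it, and if it is a member it must also be in the egress-vlan-tag tagged-ports for that VLAN) are easy to check mechanically against a `/export`. The following is an added example written for this page, not MikroTik code and not any poster's configuration: a small Python linter that parses the switch-chip menus of a RouterOS 6 CRS1xx/2xx export (menu paths and key names as they appear in the thread), flags switch1-cpu membership without egress tagging, tagged trunk ports that are not VLAN members, access ports whose ingress translation points at a VLAN they are not a member of, and bridge ports explicitly set hw=no. The sample export embedded in the block is constructed for illustration.

```python
"""Lint a RouterOS /export from a CRS1xx/2xx for the switch-chip VLAN mistakes
discussed in the thread.  Added example, not MikroTik code or a poster's config.
The SAMPLE_EXPORT below is constructed, not taken from a real device."""
import shlex
from collections import defaultdict

CPU_PORT = "switch1-cpu"


def parse_export(text):
    """Return {menu path: [ {key: value, ...}, ... ]} from RouterOS export text.

    Handles '\\' line continuations, '#' comments and quoted values; only
    'add' entries are kept because those carry the switch-chip rules."""
    menus = defaultdict(list)
    menu = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # export wraps long lines with '\'
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # menu path, e.g. /interface bridge port
            menu = line
            continue
        words = shlex.split(line)        # respects comment="..." quoting
        if words and words[0] == "add" and menu:
            entry = {}
            for w in words[1:]:
                k, _, v = w.partition("=")
                entry[k] = v
            menus[menu].append(entry)
    return menus


def ports(entry, key):
    """Comma-separated port list of an entry as a set (empty if absent)."""
    return {p for p in entry.get(key, "").split(",") if p}


def lint(menus):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    sw_vlan = menus["/interface ethernet switch vlan"]
    egress = menus["/interface ethernet switch egress-vlan-tag"]
    ingress = menus["/interface ethernet switch ingress-vlan-translation"]

    members = {e["vlan-id"]: ports(e, "ports") for e in sw_vlan if "vlan-id" in e}
    tagged = defaultdict(set)
    for e in egress:
        tagged[e.get("vlan-id")] |= ports(e, "tagged-ports")

    # 1. The thread's failure: switch1-cpu is a VLAN member on the switch chip
    #    but frames leaving towards the CPU are not tagged for that VLAN.
    for vid, mem in members.items():
        if CPU_PORT in mem and CPU_PORT not in tagged.get(vid, set()):
            findings.append(f"vlan {vid}: {CPU_PORT} is a member but not in "
                            f"egress-vlan-tag tagged-ports; tag it or remove it")
    # 2. A port tagged on egress for VLAN X must also be a member of VLAN X.
    for vid, tp in tagged.items():
        for p in sorted(tp - members.get(vid, set())):
            findings.append(f"vlan {vid}: {p} is tagged on egress but not a "
                            f"member in /interface ethernet switch vlan")
    # 3. An untagged access port translated to VLAN X must be a member of X.
    for e in ingress:
        if e.get("customer-vid") == "0":
            vid = e.get("new-customer-vid")
            for p in sorted(ports(e, "ports") - members.get(vid, set())):
                findings.append(f"vlan {vid}: access port {p} is not a member")
    # 4. Bridge ports explicitly set hw=no are switched by the CPU, not the chip.
    for e in menus["/interface bridge port"]:
        if e.get("hw") == "no":
            findings.append(f"bridge port {e.get('interface')}: hw=no, "
                            f"not hardware offloaded")
    return findings


# Constructed sample export: VLAN 20 has the switch1-cpu-without-tagging
# mistake, VLAN 30 tags ether7 without making it a member, ether3 has hw=no.
SAMPLE_EXPORT = """\
# constructed sample, not a real device export
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 hw=no
add bridge=bridge1 interface=ether5
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether5,ether7 vlan-id=20
add tagged-ports=switch1-cpu,ether5,ether7 vlan-id=30
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether2
add customer-vid=0 new-customer-vid=30 ports=ether3
/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether5,ether7 \\
    vlan-id=20
add ports=switch1-cpu,ether3,ether5 vlan-id=30
"""

if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Run it against `/export hide-sensitive` output saved to a file (replace `SAMPLE_EXPORT` with the file contents) before applying a switch-chip change; the membership and tagging tables are where a lockout or a silently dead VLAN usually hides, and the check is cheap compared with a trip to the console port.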
Yeah, I couldn’t begin to guess; I don’t really know this architecture. But I tested adding it back and as soon as I did it stopped working again.
As others mentioned, switch shouldn’t be doing that. So I’m guessing some other config is causing it. But one can’t do any more guessing without you posting complete config (/export hide-sensitive) … yes, we need to see complete config because config is complex thing and one part affects the rest of it … even if it is not obvious.
As others mentioned, switch shouldn’t be doing that.
Nice to clarify that @mkx…
My logic was saying that this could not be causing a problem, but I also had my doubts…