Bridge - VLANs - Switch Chip

Could somebody please advise me where I’m going wrong or if this is a bug in 7.0?

I have:
Bridge:
Ether 1 : vlans 2,4,6,7,9,10,13,20,98,99
Ether2-5: vlans 20
EoIP (vlans 2&9)
WLAN 1/2 vlan 4
WLAN 3/4 vlan 9

Switch vlans in place - all secure - 2-4 as 20 default vlan, all leave as is

Running on hap ac2

I’m using switch vlan to utilise hw offloading and performance has been a hell of a lot better than bridge vlan.

I upgraded to dev fw today as I need to use my usb dongle for failover and needs the drivers due to double Nat stick with storage.

Vlan 2&9 pass through to office pc and phone plus WiFi ssid for bonjour
Vlan 99 is dhcp client for internet modem
Rest are various such as smarthome and guest/kids/vpn

Dev firmware won’t get a DHCP lease on VLAN 99 if hw offloading is enabled or RSTP... is this correct?
It all worked (same config before upgrading)

1st of all: if you encounter a bug with ROSv7 beta, use the appropriate part of the forum.

2nd: it’s not right to configure VLAN filtering both on bridge (/interface bridge vlan and /interface bridge port) and on switch chip (/interface ethernet switch subtree) at the same time even though it seems to be working … already in ROSv6.

3rd: on my RB951G (built-in switch chip should be pretty similar to the one in RBD52G) ROSv7 seems to be broken with regard to switch-chip VLAN setup … I didn’t bother to test with bridge vlan-filtering, will rather wait for ROS v7 version which will hopefully fix this problem.

I’m not using bridge vlan filtering. I was as this was the ‘new’ way to setup as per the docs, but the performance was poor. That’s why I switched back to switch chip. They’re not running together (bridge vlan table empty and vlan filtering off).

I didn’t post in the bugs section as I don’t know if it’s a bug or if I’m doing something wrong, so I wanted some advice first.

Vlans that have dhcp etc have interfaces attached to the bridge
And if I moved vlan 99 to ether 1 (even though still on bridge) the dhcp client came up (but this is not right I know)

In this case your description of the current status is not clear and I suggest you post the full config (execute /export hide-sensitive and copy-paste the result in a [code] [/code] environment).

Why MKX, I think the OP wants us to guess at what the problem may be for the next 20 years!! :stuck_out_tongue_winking_eye:
Don't show us a network diagram nor the full config, 'cause then we may find the root problem!!

But I wanna play his game, didn’t you notice? He said he’s using switch-chip VLANs and I mentioned I found ROS v7beta too buggy in this regard in my 3rd point. I just didn’t want to remind him of that.

Sigh.

So I downgraded back to 6.47 and the DHCP client once again didn't come up.
Disabling RSTP on the bridge allows it to come up. Then I reboot and it doesn't. Change to none and it comes up. Vicious circle.
This is a cut-down version without all the firewall rules isolating networks / internet access / DNS redirection.
On 7.0 I still couldn't get it to come up no matter what I did.

[admin@MikroTik] > /export hide-sensitive
# jul/21/2020 13:36:52 by RouterOS 6.47.1
# software id = 9WBF-D6CP
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = 8D150889BCC7
/interface bridge
add mtu=1500 name=bridge1 protocol-mode=none
/interface eoip
add allow-fast-path=no local-address=192.168.3.2 mac-address=02:1E:B8:08:5E:22 mtu=1500 name=EOIP_Work remote-address=192.168.3.1 tunnel-id=0
/interface vlan
add interface=bridge1 name=VLAN_4_LAN vlan-id=4
add interface=bridge1 name=VLAN_6_GuestWifi vlan-id=6
add interface=bridge1 name=VLAN_7_KidsWifi vlan-id=7
add interface=bridge1 name=VLAN_10_VPN vlan-id=10
add interface=bridge1 name=VLAN_13_CCTV vlan-id=13
add interface=bridge1 name=VLAN_20_SmartHome vlan-id=20
add interface=bridge1 name=VLAN_99_Virgin vlan-id=99
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=20 vlan-mode=secure
set 2 default-vlan-id=20 vlan-mode=secure
set 3 default-vlan-id=20 vlan-mode=secure
set 4 default-vlan-id=20 vlan-mode=secure
set 5 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Isolated
add name="Mobile Allowed"
/interface lte apn
set [ find default=yes ] passthrough-mac=auto
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=dynamic-keys name=Deli supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=ERL supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=dynamic-keys name="Daves iPhone" supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=Deli ssid=Deli station-roaming=enabled vlan-id=4 \
    vlan-mode=use-tag wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=Deli ssid=Deli station-roaming=enabled vlan-id=4 \
    vlan-mode=use-tag wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:EB:1F:99 master-interface=wlan1 multicast-buffering=disabled name=wlan3 security-profile=ERL ssid=ERL station-roaming=enabled vlan-id=9 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=CE:2D:E0:EB:1F:9A master-interface=wlan2 multicast-buffering=disabled name=wlan4 security-profile=ERL ssid=ERL station-roaming=enabled vlan-id=9 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=Pool_LAN ranges=192.168.6.2-192.168.6.254
add name=Pool_SmartHome ranges=192.168.20.2-192.168.20.254
add name=Pool_CCTV ranges=192.168.4.2-192.168.4.10
add name=Pool_GuestWifi ranges=10.0.2.2-10.0.2.254
add name=Pool_KidsWifi ranges=10.0.10.2-10.0.10.254
add name=Pool_VPN ranges=192.168.5.2-192.168.5.254
add name=pool1 ranges=192.168.51.2-192.168.51.254
add name=openvpn ranges=192.168.52.1-192.168.52.3
/ip dhcp-server
add add-arp=yes address-pool=Pool_LAN disabled=no interface=VLAN_4_LAN name=DHCP_LAN
add add-arp=yes address-pool=Pool_KidsWifi disabled=no interface=VLAN_7_KidsWifi name=DHCP_KidsWifi
add add-arp=yes address-pool=Pool_SmartHome disabled=no interface=VLAN_20_SmartHome name=DHCP_SmartHome
add add-arp=yes address-pool=Pool_CCTV disabled=no interface=VLAN_13_CCTV name=DHCP_CCTV
add add-arp=yes address-pool=Pool_GuestWifi disabled=no interface=VLAN_6_GuestWifi name=DHCP_GuestWifi
add address-pool=Pool_VPN disabled=no interface=VLAN_10_VPN name=DHCP_10_VPN
/ppp profile
add name=Work remote-address=192.168.3.1 use-encryption=yes
/interface l2tp-client
add allow=mschap2 allow-fast-path=yes connect-to=**.**.**.** disabled=no keepalive-timeout=disabled name=Work profile=Work use-ipsec=yes user=************
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge filter
add action=accept chain=input disabled=yes in-interface=EOIP_Work mac-protocol=vlan vlan-id=9
add action=accept chain=output disabled=yes mac-protocol=vlan out-interface=EOIP_Work vlan-id=9
add action=accept chain=forward disabled=yes in-interface=EOIP_Work mac-protocol=vlan vlan-id=9
add action=accept chain=forward disabled=yes mac-protocol=vlan out-interface=EOIP_Work vlan-id=9
add action=accept chain=input disabled=yes in-interface=EOIP_Work mac-protocol=vlan vlan-id=2
add action=accept chain=output disabled=yes mac-protocol=vlan out-interface=EOIP_Work vlan-id=2
add action=accept chain=forward disabled=yes in-interface=EOIP_Work mac-protocol=vlan vlan-id=2
add action=accept chain=forward disabled=yes mac-protocol=vlan out-interface=EOIP_Work vlan-id=2
add action=drop chain=input disabled=yes in-interface=EOIP_Work
add action=drop chain=output disabled=yes out-interface=EOIP_Work
add action=drop chain=forward disabled=yes out-interface=EOIP_Work
add action=drop chain=forward disabled=yes in-interface=EOIP_Work
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=EOIP_Work
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=10
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=9
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=98
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=6
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=7
add independent-learning=no ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=20
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=13
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=4
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=2
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=99
/interface list member
add interface=VLAN_4_LAN list=LAN
add interface=VLAN_99_Virgin list=WAN
add interface=VLAN_20_SmartHome list=LAN
add interface=VLAN_13_CCTV list=LAN
add interface=EOIP_Work list=LAN
add interface=Work list=LAN
add interface=VLAN_6_GuestWifi list=LAN
add interface=VLAN_7_KidsWifi list=LAN
add interface=VLAN_10_VPN list=LAN
add interface=VLAN_6_GuestWifi list=Isolated
add interface=VLAN_7_KidsWifi list=Isolated
add interface=VLAN_10_VPN list=Isolated
add interface=VLAN_20_SmartHome list=Isolated
add interface=EOIP_Work list="Mobile Allowed"
add interface=Work list="Mobile Allowed"
add interface=VLAN_4_LAN list="Mobile Allowed"
/ip address
add address=192.168.6.1/24 interface=VLAN_4_LAN network=192.168.6.0
add address=192.168.20.1/24 interface=VLAN_20_SmartHome network=192.168.20.0
add address=192.168.4.1/24 interface=VLAN_13_CCTV network=192.168.4.0
add address=10.0.2.1/24 interface=VLAN_6_GuestWifi network=10.0.2.0
add address=10.0.10.1/24 interface=VLAN_7_KidsWifi network=10.0.10.0
add address=192.168.5.1/24 interface=VLAN_10_VPN network=192.168.5.0
/ip dhcp-client
add disabled=no interface=VLAN_99_Virgin
/ip dhcp-server lease
add address=192.168.4.2 client-id=1:c0:56:e3:a2:80:32 comment="CCTV - Hikvision - DS-2CD2032-I - Front Right" mac-address=C0:56:E3:A2:80:32 server=DHCP_CCTV
add address=192.168.20.250 comment="SmartHome - Shelly - One - Hallway Light" mac-address=B4:E6:2D:55:EB:41 server=DHCP_SmartHome
add address=192.168.20.244 comment="SmartHome - Amazon - Echo - Kitchen" mac-address=00:71:47:3D:DA:FA server=DHCP_SmartHome
add address=192.168.20.253 comment="SmartHome - Shelly - One - Georges Socket" mac-address=3C:71:BF:2C:06:9D server=DHCP_SmartHome
add address=192.168.4.5 client-id=1:c0:56:e3:a2:7f:92 comment="CCTV - Hikvision - DS-2CD2032-I - Garden" mac-address=C0:56:E3:A2:7F:92 server=DHCP_CCTV
add address=192.168.4.3 client-id=1:c0:56:e3:a2:7e:f0 comment="CCTV - Hikvision - DS-2CD2032-I - Front Left" mac-address=C0:56:E3:A2:7E:F0 server=DHCP_CCTV
add address=192.168.20.252 comment="SmartHome - Shelly - One - Bathroom Light" mac-address=B4:E6:2D:55:E4:6D server=DHCP_SmartHome
add address=192.168.20.247 comment="SmartHome - Intesis - Mitsubishi Wifi - Charlies Bedroom" mac-address=CC:3F:1D:01:2C:1D server=DHCP_SmartHome
add address=192.168.20.251 comment="SmartHome - Shelly - One - Charlies Socket" mac-address=B4:E6:2D:55:5B:9B server=DHCP_SmartHome
add address=192.168.20.248 comment="SmartHome - Google - Nest Protect - Hallway" mac-address=18:B4:30:B6:9B:74 server=DHCP_SmartHome
add address=192.168.20.243 client-id=1:40:a2:db:b5:d5:4d comment="SmartHome - Amazon - Echo Show  - Lounge" mac-address=40:A2:DB:B5:D5:4D server=DHCP_SmartHome
add address=192.168.6.4 client-id=1:0:8:9b:e8:74:bc comment="LAN - QNAP - NAS" mac-address=00:08:9B:E8:74:BC server=DHCP_LAN
add address=192.168.6.30 comment="LAN - Virgin - Master Bedroom" mac-address=88:71:B1:AA:CE:B4 server=DHCP_LAN
add address=255.255.0.3 block-access=yes client-id=1:44:0:49:8d:23:fb comment=Blocked mac-address=44:00:49:8D:23:FB server=DHCP_LAN
add address=192.168.6.31 comment="LAN - Virgin - Lounge" mac-address=88:71:B1:AA:D1:8C server=DHCP_LAN
add address=192.168.6.21 client-id=1:e4:e0:a6:a4:85:85 comment="LAN - Apple - iWatch - Jodie" mac-address=E4:E0:A6:A4:85:85 server=DHCP_LAN
add address=192.168.20.249 comment="SmartHome - Google - Nest Protect - Landing" mac-address=18:B4:30:B3:28:C9 server=DHCP_SmartHome
add address=192.168.6.20 client-id=1:f0:18:98:ec:86:db comment="LAN - Apple - iMac - Dave" mac-address=F0:18:98:EC:86:DB server=DHCP_LAN
add address=192.168.6.40 client-id=1:50:1a:c5:df:4:ad comment="LAN - Microsoft - XBox One - Charlie (Wifi)" mac-address=50:1A:C5:DF:04:AD server=DHCP_LAN
add address=192.168.6.24 client-id=1:dc:8:f:38:ee:5 comment="LAN - Apple - iPhone - Jodie" mac-address=DC:08:0F:38:EE:05 server=DHCP_LAN
add address=192.168.6.105 comment="LAN - Netgear - SG108Ev3 - Garage" mac-address=14:59:C0:54:DC:2D server=DHCP_LAN
add address=192.168.6.200 comment="intesis box - should be smarthome" mac-address=CC:3F:1D:01:2C:B1 server=DHCP_LAN
add address=192.168.6.25 client-id=1:74:9e:af:5b:85:39 comment="LAN - Apple - iPhone - Dave" mac-address=74:9E:AF:5B:85:39 server=DHCP_LAN
add address=10.0.10.2 client-id=1:fc:1d:43:85:5c:d9 comment="WifiKids - Apple - iPad - George" mac-address=FC:1D:43:85:5C:D9 server=DHCP_KidsWifi
add address=192.168.20.236 comment="SmartHome - Sonoff - POW_R2 - Swimming Pool" mac-address=80:7D:3A:32:B8:0B server=DHCP_SmartHome
add address=192.168.20.220 client-id=1:0:51:ed:f2:19:d7 comment="SmartHome - LG - TV - Kitchen" mac-address=00:51:ED:F2:19:D7 server=DHCP_SmartHome
add address=192.168.20.50 client-id=1:74:9e:af:5b:85:39 comment="SmartHome - Apple - iPhone - Dave" mac-address=74:9E:AF:5B:85:39 server=DHCP_SmartHome
add address=192.168.6.14 comment="LAN - Nintendo - Switch" mac-address=70:48:F7:61:3A:69 server=DHCP_LAN
add address=192.168.6.104 comment="LAN - Netgear - GS308E - Cupboard" mac-address=08:36:C9:0A:EE:B7 server=DHCP_LAN
add address=192.168.20.241 client-id=1:5c:41:5a:7f:27:a1 comment="SmartHome - Amazon - Echo Dot  - Charlie" mac-address=5C:41:5A:7F:27:A1 server=DHCP_SmartHome
add address=192.168.20.242 client-id=1:cc:9e:a2:85:3c:36 comment="SmartHome - Amazon - Echo Dot  - George" mac-address=CC:9E:A2:85:3C:36 server=DHCP_SmartHome
add address=192.168.20.245 comment="SmartHome - Amazon - Echo Dot  - Master Bedroom" mac-address=F0:81:73:75:E8:64 server=DHCP_SmartHome
add address=255.255.0.2 block-access=yes client-id=1:5c:41:5a:7f:27:a1 comment=Blocked mac-address=5C:41:5A:7F:27:A1 server=DHCP_LAN
add address=255.255.0.1 block-access=yes client-id=1:cc:9e:a2:85:3c:36 comment=Blocked mac-address=CC:9E:A2:85:3C:36 server=DHCP_LAN
add address=192.168.20.235 comment="SmartHome - Drayton Wiser - Heating" mac-address=FC:FE:C2:02:F8:55 server=DHCP_SmartHome
add address=255.255.0.5 block-access=yes comment=Blocked mac-address=00:71:47:3D:DA:FA server=DHCP_LAN
add address=255.255.0.4 block-access=yes comment=Blocked mac-address=F0:81:73:75:E8:64 server=DHCP_LAN
add address=192.168.20.234 comment="SmartHome - LightwaveRf - LinkPlus" mac-address=74:0A:BC:31:0F:88 server=DHCP_SmartHome
add address=192.168.20.210 comment="SmartHome - Phillips Hue - Bridge - Master" mac-address=EC:B5:FA:0B:2F:15 server=DHCP_SmartHome
add address=192.168.20.212 comment="SmartHome - Phillips Hue - Bridge - Charlie" mac-address=EC:B5:FA:0B:20:B1 server=DHCP_SmartHome
add address=192.168.20.211 comment="SmartHome - Phillips Hue - Bridge - George" mac-address=00:17:88:67:76:51 server=DHCP_SmartHome
add address=192.168.6.106 client-id=1:78:d2:94:c2:1:57 comment="LAN - Netgear - GS105Ev2 - Lounge" mac-address=78:D2:94:C2:01:57 server=DHCP_LAN
add address=192.168.6.100 comment="LAN - Netgear - GS724T - Cupboard" mac-address=44:94:FC:9D:52:BE server=DHCP_LAN
add address=192.168.6.101 comment="LAN - Netgear - GS110TP - Cupboard" mac-address=78:D2:94:4F:3A:3C server=DHCP_LAN
add address=192.168.6.103 client-id=1:fc:ec:da:34:9d:53 comment="LAN - Netgear - GS105 - Charlies Bedroom" mac-address=FC:EC:DA:34:9D:53 server=DHCP_LAN
add address=192.168.6.41 client-id=1:50:1a:c5:df:4:af comment="LAN - Microsoft - XBox One - Charlie (LAN)" mac-address=50:1A:C5:DF:04:AF server=DHCP_LAN
add address=192.168.6.102 client-id=1:78:d2:94:c2:1:8e comment="LAN - Netgear - GS105Ev2 - Lounge" mac-address=78:D2:94:C2:01:8E server=DHCP_LAN
add address=192.168.20.49 client-id=1:d0:c5:d3:45:46:d9 comment="SmartHome - Hikvision - CS-DB1" mac-address=D0:C5:D3:45:46:D9 server=DHCP_SmartHome
add address=192.168.20.43 client-id=1:40:16:3b:5a:73:42 comment="SmartHome - Samsung - Lounge TV" mac-address=40:16:3B:5A:73:42 server=DHCP_SmartHome
/ip dhcp-server network
add address=10.0.2.0/24 dns-server=10.0.2.1 gateway=10.0.2.1 netmask=24
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1 netmask=24
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1 netmask=24
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1 netmask=24
add address=192.168.6.0/24 dns-server=192.168.6.1 gateway=192.168.6.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.6.0/24 list=LAN
add address=192.168.23.0/24 list=LAN
add address=192.168.4.0/24 list=LAN
add address=192.168.3.0/24 list=LAN
add address=192.168.20.0/24 list=LAN
add address=10.0.2.0/24 list=LAN
add address=10.0.10.0/24 list=LAN
add address=192.168.5.0/24 list=LAN
add address=192.168.6.0/24 list=4_LAN
add address=192.168.23.0/24 list=9_Work
add address=192.168.4.0/24 list=13_CCTV
add address=192.168.3.0/24 list=0_WorkVPN
add address=192.168.20.0/24 list=20_SmartHome
add address=10.0.2.0/24 list=6_GuestWifi
add address=10.0.10.0/24 list=7_KidsWifi
add address=192.168.5.0/24 list=10_VPN
add address=192.168.2.0/24 list=LAN
add address=192.168.2.0/24 list=0_Canvey
/ip firewall filter
add action=accept chain=forward comment="SmartHome to OpenHab" dst-address=192.168.6.4 in-interface=VLAN_20_SmartHome out-interface=VLAN_4_LAN
add action=accept chain=forward in-interface=VLAN_4_LAN out-interface=VLAN_20_SmartHome src-address=192.168.6.4
add action=drop chain=forward comment="Isolated LANS" in-interface-list=Isolated out-interface-list=Isolated src-address-list=""
add action=accept chain=input comment=VPN dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=output out-interface-list=WAN protocol=udp src-port=500,1701,4500
add action=accept chain=output out-interface-list=WAN protocol=ipsec-esp
add action=accept chain=output out-interface=Work protocol=gre
add action=accept chain=forward comment="Mobile Broadband" disabled=yes dst-address=192.168.6.20 in-interface=wlan1 out-interface=VLAN_4_LAN
add action=accept chain=forward disabled=yes in-interface=VLAN_4_LAN out-interface=wlan1 src-address=192.168.6.20
add action=drop chain=forward disabled=yes in-interface=wlan1
add action=drop chain=forward disabled=yes out-interface=wlan1
add action=log chain=output disabled=yes log=yes log-prefix="OUTPUT MOBILE BROADBAND" out-interface=wlan1
add action=log chain=input disabled=yes in-interface=wlan1 log=yes log-prefix="OUTPUT MOBILE BROADBAND"
add action=accept chain=output comment="Allow to LAN Addresses - ie ICMP, TCP ACK" dst-address-list=LAN out-interface-list=LAN src-address-list=LAN
add action=accept chain=input dst-address-list=LAN in-interface-list=LAN src-address-list=LAN
add action=accept chain=forward dst-address-list=LAN in-interface-list=LAN out-interface-list=LAN src-address-list=LAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=log chain=input disabled=yes log=yes
add action=log chain=forward disabled=yes
add action=log chain=output disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
/ip route
add distance=1 dst-address=192.168.2.0/24 gateway=Work
add distance=1 dst-address=192.168.23.0/24 gateway=Work
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=28000
set ssh disabled=yes
set winbox port=28001
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=VLAN_4_LAN type=internal
add interface=VLAN_99_Virgin type=external
/system clock
set time-zone-name=Europe/London
/tool graphing interface
add interface=VLAN_99_Virgin
add interface=wlan1
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
#error exporting /tool user-manager database
[admin@MikroTik] >

Hmm switch chip config, will let mkx handle this one. I would have this up and running in no time with simple bridge vlan filtering though.

As it’s randomly failing and random things make it work for a while I don’t think it’s about config at all.

What I’d do: keep ROS 6.47.1, install accompanying routerboot (/system routerboard upgrade) and then power off the device for a couple of minutes. And then see if it starts to behave.

As I said, switch chip handling seems broken … so ROS v7 might do something which in v6 is not un-done. Poweroff is the only way to get rid of such settings.

So I have narrowed it down after hours of trial and error…
The problem is as soon as I add EoIP or wlans to the bridge.
I have manually set the bridge MTU to 1500 as adding the EoIP tunnel is already known to lower the bridge MTU, but the WLANs as well?

I don't know where to start to diagnose why though, any pointers would be most appreciated.

So a little update on this…

I removed wlans and the EoIP tunnel from my bridge to start investigating.

I have now managed to get the EoIP tunnel working alongside the DHCP client. It seems that the MikroTik didn't like the auto-assigned MAC address for the EoIP tunnel; by changing this slightly it is now working.

When adding WLANs to the bridge it once again stops the DHCP client on VLAN 99, which is attached to the bridge.

Try to assign MAC address to bridge manually like this:

/interface bridge
set [ find name=bridge1 ] admin-mac=<put MAC here> auto-mac=no

When left to default, bridge assumes MAC address of first member port (interface) becoming active which can be pretty random. It might solve some of your problems (probably not all of them :wink:)
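The two configuration points raised in the replies above (VLAN filtering configured on both the bridge and the switch chip, and a bridge left on an automatically chosen MAC address) can be checked mechanically against `/export` output. The following Python check is an added example, not part of the original thread and not MikroTik tooling; the sample export and the finding names `mixed-vlan` and `auto-mac` are constructed for illustration.

```python
import re
import shlex

# Constructed sample in the style of "/export" output (not the poster's config).
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=20 vlan-mode=secure
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1 \
    pvid=4
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
"""


def parse_export(text):
    """Return a list of (menu, verb, params) tuples from /export output."""
    # The export wraps long commands with a trailing backslash; join them.
    text = re.sub(r"\\\r?\n\s*", "", text)
    menu, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a menu path such as /interface bridge
            menu = line
            continue
        line = re.sub(r"\[.*?\]", "", line)   # drop "[ find ... ]" selectors
        tokens = shlex.split(line)            # honours quoted values
        if not tokens:
            continue
        params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        items.append((menu, tokens[0], params))
    return items


def audit(items):
    """Return (code, message) findings for the two points from the thread."""
    findings = []
    bridges = [p for m, v, p in items
               if m == "/interface bridge" and v == "add"]
    filtering = [b.get("name") for b in bridges
                 if b.get("vlan-filtering") == "yes"]
    bridge_vlans = [p for m, _, p in items if m == "/interface bridge vlan"]
    switch_ports = [p for m, _, p in items
                    if m == "/interface ethernet switch port"
                    and p.get("vlan-mode", "disabled") != "disabled"]

    # VLAN membership should be enforced in one place only, otherwise the
    # effective isolation between VLANs is hard to reason about.
    if (filtering or bridge_vlans) and switch_ports:
        findings.append((
            "mixed-vlan",
            f"bridge VLAN config (filtering on: {filtering}, "
            f"{len(bridge_vlans)} bridge vlan entries) coexists with "
            f"{len(switch_ports)} switch-chip port(s) in a VLAN mode"))

    # Without admin-mac/auto-mac=no the bridge takes the MAC of whichever
    # member port becomes active first.
    for b in bridges:
        if b.get("auto-mac") != "no" or "admin-mac" not in b:
            findings.append((
                "auto-mac",
                f"bridge {b.get('name')} has no fixed admin-mac"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{code}: {message}")
```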

So I did what you said and set the bridge MAC from the IANA reserved addresses. As soon as I did this it again didn’t allow the DHCP client to work.
Removed it and it worked again. :frowning:

Anytime I add a WLAN interface into the bridge it breaks it. I can't work it out. HELP!! :frowning:

Some more testing:

I have moved my WAN to ether1 with no VLAN (switch VLAN mode disabled).
Everything now works, albeit I have cable across my floor at present.

I just can't get my head around why this has always worked and now it simply won't.
I have tested both VLAN filtering and switch VLANs and a DHCP client will simply not work on a VLAN interface attached to a bridge - yet it always did before.
I tested this from a fresh reset too with minimal config.

Another thing I keep noticing is it keeps trying to download routeros-arm-7.1beta1.npk, so I can only assume there is something wrong in the flash since the downgrade. I have reset to defaults multiple times and it still keeps doing it, probably what is causing these other strange issues.

So I once again set this up with switch chip VLANs, keeping the trunk on ether5 instead of ether1, restarted a few times and it came up and started working. Only god knows what was going on (I have downgraded to the long term release though). It’s working though and the missus and child are happy now that their internet doesn’t keep going down :laughing:

And for reference I set the bridge MAC independently, the EoIP MAC independently, and all MTUs to 1500.