Cannot ping between Mikrotik CloudSwitch and RouterBoard when using a VLAN

I have the following setup:
Screenshot from 2024-11-04 11-41-54.png
Screenshot from 2024-11-04 11-40-39.png
But when I use the built-in option to ping between these devices, I get the following:
Screenshot 2024-11-04 at 11-44-00 rt2 - Ping at admin@172.27.10.2 - Webfig v7.16.1 (stable) on RB5009UPr S (arm64).png
I get the same results when selecting the vlan13 interfaces to ping from. I believe my VLANs are configured correctly and the traffic is tagged. When I ping from my laptop, I get the same results. I have configured the correct VLAN tag, because DHCP also works fine when I do so. The default firewall rules that would drop traffic are disabled (for troubleshooting only — with them off the router's input chain ends in an implicit accept, so they need to be re-enabled once this is solved).

This is the config of rt2:

# 2024-11-04 11:50:17 by RouterOS 7.16.1
# software id = 940B-WJH6
#
# model = RB5009UPr+S+
# serial number = HF509BKDP8S
# NOTE(review): the software id, serial number and admin-mac in this export are
# device identifiers; redact them before posting an export publicly. The key
# fields of the WireGuard peer below are already blanked - keep doing that.
/interface bridge
# One VLAN-aware bridge. pvid=10 means untagged frames entering the bridge
# interface itself land in VLAN 10, the untagged "Public"/management segment.
add admin-mac=78:9A:18:74:B1:94 auto-mac=no comment=defconf name=bridge pvid=10 vlan-filtering=yes
/interface ethernet
# NOTE(review): the thread later states these two comments are stale
# (ether1 is the trunk to sw1, ether2 the uplink to rt1).
set [ find default-name=ether1 ] comment=rt1
set [ find default-name=ether2 ] comment=sw1
set [ find default-name=ether3 ] comment=rp1
set [ find default-name=ether4 ] comment=rp2
set [ find default-name=ether5 ] comment=rp3
set [ find default-name=ether6 ] comment=rp4
set [ find default-name=ether7 ] comment=rp5
set [ find default-name=ether8 ] comment=ws1
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
# Disabled; nothing below depends on it.
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# L3 VLAN interfaces terminate on the bridge; per-port membership for each
# VLAN id is defined in /interface bridge vlan further down.
add comment="K8s management" interface=bridge name=vlan11 vlan-id=11
add comment=Data interface=bridge name=vlan12 vlan-id=12
add comment="Network control plane" interface=bridge name=vlan13 vlan-id=13
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name="K8s management" ranges=172.27.11.100-172.27.11.254
add name=Data ranges=172.27.12.100-172.27.12.254
add name="Network control plane" ranges=172.27.13.100-172.27.13.254
/ip dhcp-server
# The defconf 192.168.88.0/24 server is disabled; one server per VLAN interface.
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m name=defconf
add address-pool="K8s management" interface=vlan11 name="K8s management"
add address-pool=Data interface=vlan12 name=Data
add address-pool="Network control plane" interface=vlan13 name="Network control plane"
/interface bridge port
# ether2: frame-types=admit-only-untagged-and-priority-tagged drops tagged
# frames on ingress, so this port carries VLAN 10 only. trusted=yes is the
# DHCP-snooping trust flag; it has no effect unless dhcp-snooping=yes is set
# on the bridge, which this export does not show.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10 trusted=yes
# ether3-ether8: edge=yes + bpdu-guard=yes disables the port if a BPDU
# arrives - appropriate for host ports. No frame-types means admit-all, which
# the tagged VLAN 11/12/13 memberships below rely on; any host on these ports
# can therefore send and receive tagged frames for those VLANs.
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether3 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether4 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether5 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether6 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether7 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether8 pvid=10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1 pvid=10
# ether1: admit-all (no frame-types), untagged VLAN 10 plus tagged 11/13
# below - the trunk to sw1 per the thread. trusted=yes: same DHCP-snooping
# caveat as ether2.
add bridge=bridge comment=defconf interface=ether1 pvid=10 trusted=yes
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list; see the note on
# /interface list member for what that list actually contains.
set discover-interface-list=LAN
/interface bridge vlan
# VLAN 10 is untagged on every port, including the trunk (ether1): every
# access port shares the segment that holds the router's 172.27.10.2
# management address, and VLAN 10 is also the trunk's native VLAN. Native
# VLAN == access-port PVID is the precondition for the classic double-tagging
# VLAN hop; if VLAN 11-13 must be isolated from VLAN 10 hosts, give the trunk
# an unused native VLAN instead.
add bridge=bridge comment=Public untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge comment="K8s management" tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=11
add bridge=bridge comment=Data tagged=bridge,ether3,ether4,ether5,ether6,ether7 vlan-ids=12
add bridge=bridge comment="Network control plane" tagged=bridge,ether1,ether8 vlan-ids=13
/interface list member
# NOTE(review): these lists hold physical bridge ports. IP traffic from a
# bridge port reaches the firewall with in-interface = bridge or vlanNN, so
# in-interface-list=WAN/LAN matchers and out-interface-list=WAN (masquerade)
# never fire for these ports. Populate LAN with bridge,vlan11,vlan12,vlan13
# and WAN with the real upstream interface, as suggested later in the thread.
# ether1 in WAN is a defconf leftover; ether1 is the trunk to sw1.
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
/interface wireguard peers
# allowed-address covers the whole management subnet; keys are blanked in
# this paste (the interface is disabled anyway).
add allowed-address=172.27.10.0/24 interface=wireguard1 name=peer3 preshared-key="" public-key="="
/ip address
# NOTE(review): 172.27.10.2 is configured on ether2, which is also a bridge
# port (slave). The usual RouterOS layout puts this address on the bridge (or
# a VLAN-10 interface), not on a slave port - confirm it is not flagged
# invalid in /ip address print.
add address=172.27.10.2/24 comment=defconf interface=ether2 network=172.27.10.0
add address=172.27.11.1/24 comment="K8s management" interface=vlan11 network=172.27.11.0
add address=172.27.12.1/24 comment=Data interface=vlan12 network=172.27.12.0
add address=172.27.13.1/24 comment="Network control plane" interface=vlan13 network=172.27.13.0
/ip dhcp-client
add disabled=yes interface=bridge
/ip dhcp-server network
# defconf placeholder (0.0.0.0/24). The three real networks set only the
# gateway; no dns-server is given (RouterOS then presumably advertises the
# router itself, since allow-remote-requests=yes below - confirm).
add address=0.0.0.0/24 comment=defconf dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=172.27.11.0/24 gateway=172.27.11.1
add address=172.27.12.0/24 gateway=172.27.12.1
add address=172.27.13.0/24 gateway=172.27.13.1
/ip dns
# allow-remote-requests=yes makes the router a recursive resolver for any
# host that can reach it; with the input-chain "drop all not coming from LAN"
# rule disabled below, that is every connected segment. Upstream resolver
# 172.27.10.1 is presumably rt1 - confirm.
set allow-remote-requests=yes servers=172.27.10.1
/ip dns static
add address=172.27.10.2 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Invalid packets addressed to the router are logged with prefix INPUT_INVALID.
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=INPUT_INVALID
# ICMP to the router is accepted from anywhere, without a rate limit.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): disabled=yes - the input chain now ends in an implicit accept,
# so ssh/www/api/dns are reachable from every interface. Acceptable while
# troubleshooting; re-enable once the VLAN issue is solved (and fix the LAN
# list first, see /interface list member, or this rule will drop everything).
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# hw-offload=yes: fasttracked flows bypass the remaining filter/mangle rules.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# NOTE(review): "Forward control plane" has no matchers, so it accepts every
# forwarded packet and makes the two rules after it unreachable. To keep the
# intent, scope it (e.g. in-interface=vlan13 out-interface=vlan13) and place
# it after "drop invalid".
add action=accept chain=forward comment="Forward control plane"
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
# Masquerade is keyed on out-interface-list=WAN, which currently holds only
# the bridge port ether1 - see /interface list member.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
# telnet, ftp and winbox are off. www (plain-HTTP Webfig, the UI used in the
# screenshots), api and ssh keep their defaults - an export lists only
# non-default settings. Consider www-ssl/api-ssl and an address= restriction
# on the services that stay enabled.
set telnet disabled=yes
set ftp disabled=yes
set winbox disabled=yes
/ip ssh
# ed25519 host key with strong-crypto=yes: good.
set host-key-type=ed25519 strong-crypto=yes
/ipv6 firewall address-list
# defconf bogon list, referenced by the IPv6 forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Same LAN-list caveat as the IPv4 input chain; also disabled, so the IPv6
# input chain ends in an implicit accept as well.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=rt2
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet and MAC-winbox answer on the LAN list (physical ports), i.e. a
# login prompt reachable at L2 from every access port. Restrict this to the
# management VLAN interface, or set it to none.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

And this is the config of sw1:

# 2024-11-04 11:51:47 by RouterOS 7.16.1
# software id = YSYL-RXMP
#
# model = CRS310-8G+2S+
# serial number = HG209PQRK55
# NOTE(review): software id, serial number and admin-mac are device
# identifiers; redact them before posting an export publicly.
/interface bridge
# protocol-mode=mstp here while rt2's first export is on the default RSTP;
# the thread points this out - run the same xSTP flavour on every bridge.
add admin-mac=D4:01:C3:0E:7A:50 auto-mac=no comment=defconf name=bridge protocol-mode=mstp pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether8 ] comment="Network control plane"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
# L3 interface for VLAN 13 only; VLAN 11 is bridged through (see below) but
# not terminated on this switch.
add comment="Network control plane" interface=bridge name=vlan13 vlan-id=13
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# ether1: untagged-only, VLAN 10, placed in the WAN list below. trusted=yes is
# the DHCP-snooping trust flag; no effect without dhcp-snooping=yes on the
# bridge (not shown in this export).
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10 trusted=yes
# ether2: no frame-types (admit-all), untagged 10 + tagged 11/13 - the trunk
# to rt2 per the thread. VLAN 10 is its native VLAN and also every access
# port's PVID; see the VLAN 10 note under /interface bridge vlan.
add bridge=bridge comment=defconf interface=ether2 pvid=10 trusted=yes
# ether3-5, ether7: edge + bpdu-guard, untagged-only -> VLAN 10 access ports.
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
# ether6: edge + bpdu-guard but admit-all, and a tagged member of VLAN 11 and
# 13 below - the host on this port can send/receive tagged control-plane and
# k8s-management traffic.
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether6 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
# NOTE(review): ether8 admits only untagged/priority-tagged frames, yet
# /interface bridge vlan lists it as a *tagged* member of VLAN 13. Tagged
# VLAN 13 frames arriving here are dropped at ingress, so only egress works.
# Either remove frame-types on ether8 (tagged host) or make it pvid=13 and an
# untagged member of VLAN 13 (access port).
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus2
/interface bridge vlan
# VLAN 10 untagged on every port incl. the trunk: all access ports share the
# segment carrying the switch's 172.27.10.3 management address, and VLAN 10
# is the trunk's native VLAN. Native VLAN == access PVID is the precondition
# for the double-tagging VLAN hop; use an unused native VLAN on the trunk if
# VLAN 11/13 are meant to be isolated from VLAN 10 hosts.
add bridge=bridge comment=Public untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge comment="Network control plane" tagged=bridge,ether2,ether6,ether8 vlan-ids=13
add bridge=bridge comment="K8s management" tagged=bridge,ether2,ether6 vlan-ids=11
/interface list member
# Lists hold physical ports. Nothing in this export's firewall uses them, but
# any input rules added later must reference bridge/vlan13 instead, since IP
# traffic from bridge ports arrives on those interfaces.
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
/ip address
# NOTE(review): 172.27.10.3 is on ether2, a bridge port (slave); the usual
# practice is to place it on the bridge - confirm /ip address print does not
# flag it invalid.
add address=172.27.10.3/24 comment=defconf interface=ether2 network=172.27.10.0
add address=172.27.13.2/24 comment="Network control plane" interface=vlan13 network=172.27.13.0
/ip dhcp-relay
# Relays vlan13 DHCP to rt2 (172.27.13.1). rt2 also serves DHCP directly on
# vlan13 across the trunk, so it presumably sees each DISCOVER twice
# (broadcast and relayed); redundant rather than harmful - consider removing.
add dhcp-server=172.27.13.1 disabled=no interface=vlan13 name="Network control plane"
/ip dns
set servers=172.27.10.1
/ip firewall filter
# NOTE(review): the only rule is an unconditional forward accept; there is no
# input chain at all, and no /ip service changes appear in this export (so
# telnet, ftp, www, api and winbox are presumably at their enabled defaults).
# The switch's management plane is therefore open to any host that can reach
# 172.27.10.3 or 172.27.13.2. At minimum add input rules - accept
# established/related, accept from the management VLAN, drop the rest - and
# mirror rt2's /ip service and /ip ssh hardening.
add action=accept chain=forward
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=sw1
/system note
set show-at-login=no

You didn’t specify which ports on both devices are used to interconnect. So based on comments: port ether2 on RB5009 connects ether1 on CRS310. Which I guess should be trunk port, but you have on both ports set “frame-types=admit-only-untagged-and-priority-tagged” ?

Hi, thanks for your reply. In the screenshot at the top I list which port is connected to which device. rt2 has port 1 connected to sw1. And on sw1, rt2 is connected via port 2. I see “admit all”. The CLI output of “/export” and web output show the correct setup, right?

But you’re right, the comments in the config are out of date. I see your confusion. I’ve updated them in my config.
Screenshot 2024-11-04 at 16-16-19 rt2 - Bridge Port ether1 at admin@172.27.10.2 - Webfig v7.16.1 (stable) on RB5009UPr S (arm64).png
Screenshot 2024-11-04 at 16-14-36 sw1 - Bridge Port ether2 at admin@172.27.10.3 - Webfig v7.16.1 (stable) on CRS310-8G 2S (arm).png

Not sure if the next thought actually applies, but you may still want to fix it: LAN interface list membership, which matters for the firewall (it seems to be used in the IPv6 firewall, at least). This interface list has to contain interfaces, not bridge ports. Most of the time those are the interfaces that carry IP addresses — in your case the bridge and all VLAN interfaces (vlan11, vlan12 and vlan13).

Hmmm … just noticed that you’ve set the bridge protocol mode to MSTP on the switch but left it at RSTP (the default) on the router. Set the xSTP mode on all network gear to the same mode (functionality-wise the order of preference is MSTP → RSTP → STP; use the “highest” one supported by all of your gear). Those “dialects” don’t really interwork with each other. And if you don’t intend to make use of physical loops in your network, I’d suggest going with RSTP regardless of the order of preference above … if for no other reason, then because it’s the default (and thus probably the most extensively tested).

Good one! My plan was to run MSTP everywhere; the docs mention that this works best with VLANs. Also, to simplify my troubleshooting, I’ve disabled IPv6 for now. My IPv4 firewall should not drop anything. Do you maybe know some other tests I could do to hunt down the cause of this issue? I’ll redo some checks this weekend. I already checked the cabling; that’s correct. So maybe something goes wrong with the VLAN tagging? Even though my laptop gets the proper IP through DHCP, so based on that I would say the VLAN is tagged correctly. Is it also correct to assign the VLAN interfaces to the bridge, and not to the physical interfaces themselves? I’ve already gone through the official docs; there I saw it was attached to the bridge, so I did the same.

So far the pinging still isn’t happening.
Screenshot 2024-11-05 at 13-21-51 rt2 - Firewall at admin@172.27.10.2 - Webfig v7.16.1 (stable) on RB5009UPr S (arm64).png

The configs now look like this, I’ve updated them with the already given feedback. Please note that some firewall rules are disabled and IPv6 is disabled as a whole. I also updated the network drawing a bit. I am still not able to ping between these 2 devices on VLAN 13. I triple checked, the cables are connected in the correct ports.
Screenshot from 2024-11-07 17-03-45.png
rt2:

# 2024-11-07 16:59:56 by RouterOS 7.16.1
# software id = 940B-WJH6
#
# model = RB5009UPr+S+
# serial number = HF509BKDP8S
# NOTE(review): the software id, serial number and admin-mac in this export are
# device identifiers; redact them before posting an export publicly.
/interface bridge
# One VLAN-aware bridge, now on MSTP to match sw1. pvid=10 means untagged
# frames entering the bridge interface itself land in VLAN 10 (the untagged
# "Public"/management segment).
add admin-mac=78:9A:18:74:B1:94 auto-mac=no comment=defconf name=bridge protocol-mode=mstp pvid=10 vlan-filtering=yes
/interface ethernet
# Port comments corrected per the thread: ether1 = trunk to sw1, ether2 =
# uplink to rt1.
set [ find default-name=ether1 ] comment=sw1
set [ find default-name=ether2 ] comment=rt1
set [ find default-name=ether3 ] comment=rp1
set [ find default-name=ether4 ] comment=rp2
set [ find default-name=ether5 ] comment=rp3
set [ find default-name=ether6 ] comment=rp4
set [ find default-name=ether7 ] comment=rp5
set [ find default-name=ether8 ] comment=ws1
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
# Disabled; no peers remain (see the empty /interface wireguard peers below).
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
# L3 VLAN interfaces terminate on the bridge; per-port membership for each
# VLAN id is defined in /interface bridge vlan further down.
add comment="k8s management" interface=bridge name=vlan11 vlan-id=11
add comment=data interface=bridge name=vlan12 vlan-id=12
add comment="network control plane" interface=bridge name=vlan13 vlan-id=13
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name="k8s management" ranges=172.27.11.100-172.27.11.254
add name=data ranges=172.27.12.100-172.27.12.254
add name="network control plane" ranges=172.27.13.100-172.27.13.254
/ip dhcp-server
# The defconf 192.168.88.0/24 server is disabled; one server per VLAN interface.
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m name=defconf
add address-pool="k8s management" interface=vlan11 name="k8s management"
add address-pool=data interface=vlan12 name=data
add address-pool="network control plane" interface=vlan13 name="network control plane"
/interface bridge port
# ether2 (uplink to rt1): admit-only-untagged-and-priority-tagged drops tagged
# frames on ingress, so this port carries VLAN 10 only. trusted=yes is the
# DHCP-snooping trust flag; no effect unless dhcp-snooping=yes is set on the
# bridge, which this export does not show.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10 trusted=yes
# ether3-ether8: edge=yes + bpdu-guard=yes disables the port if a BPDU
# arrives - appropriate for host ports. No frame-types means admit-all, which
# the tagged VLAN 11/12/13 memberships below rely on; any host on these ports
# can therefore send and receive tagged frames for those VLANs.
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether3 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether4 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether5 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether6 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether7 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether8 pvid=10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1 pvid=10
# ether1 (trunk to sw1): admit-all, untagged VLAN 10 plus tagged 11/13 below.
# trusted=yes: same DHCP-snooping caveat as ether2.
add bridge=bridge comment=defconf interface=ether1 pvid=10 trusted=yes
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list; see the note on
# /interface list member for what that list actually contains.
set discover-interface-list=LAN
/ipv6 settings
# IPv6 switched off entirely for troubleshooting; the IPv6 firewall below is
# inert while this is set.
set disable-ipv6=yes
/interface bridge vlan
# VLAN 10 is untagged on every port, including the trunk (ether1): every
# access port shares the segment that holds the router's 172.27.10.2
# management address, and VLAN 10 is also the trunk's native VLAN. Native
# VLAN == access-port PVID is the precondition for the classic double-tagging
# VLAN hop; if VLAN 11-13 must be isolated from VLAN 10 hosts, give the trunk
# an unused native VLAN instead.
add bridge=bridge comment=Public untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge comment="K8s management" tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=11
add bridge=bridge comment=Data tagged=bridge,ether3,ether4,ether5,ether6,ether7 vlan-ids=12
add bridge=bridge comment="Network control plane" tagged=bridge,ether1,ether8 vlan-ids=13
/interface list member
# NOTE(review): these lists hold physical bridge ports, and after the comment
# fix they are also inverted - ether1 (trunk to sw1) is in WAN, ether2 (uplink
# to rt1) in LAN. IP traffic from a bridge port reaches the firewall with
# in-interface = bridge or vlanNN, so in-interface-list=WAN/LAN matchers and
# out-interface-list=WAN (masquerade) never fire for these ports. Populate
# LAN with bridge,vlan11,vlan12,vlan13 and WAN with the real upstream
# interface, as suggested earlier in the thread.
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
/interface wireguard peers
/ip address
# NOTE(review): 172.27.10.2 is configured on ether2, which is also a bridge
# port (slave). The usual RouterOS layout puts this address on the bridge (or
# a VLAN-10 interface), not on a slave port - confirm it is not flagged
# invalid in /ip address print.
add address=172.27.10.2/24 comment=defconf interface=ether2 network=172.27.10.0
add address=172.27.11.1/24 comment="k8s management" interface=vlan11 network=172.27.11.0
add address=172.27.12.1/24 comment=data interface=vlan12 network=172.27.12.0
add address=172.27.13.1/24 comment="network control plane" interface=vlan13 network=172.27.13.0
/ip dhcp-client
add disabled=yes interface=bridge
/ip dhcp-server network
# defconf placeholder (0.0.0.0/24). The three real networks set only the
# gateway; no dns-server is given (RouterOS then presumably advertises the
# router itself, since allow-remote-requests=yes below - confirm).
add address=0.0.0.0/24 comment=defconf dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=172.27.11.0/24 gateway=172.27.11.1
add address=172.27.12.0/24 gateway=172.27.12.1
add address=172.27.13.0/24 gateway=172.27.13.1
/ip dns
# allow-remote-requests=yes makes the router a recursive resolver for any
# host that can reach it; with the input-chain "drop all not coming from LAN"
# rule disabled below, that is every connected segment. Upstream resolver
# 172.27.10.1 is presumably rt1 - confirm.
set allow-remote-requests=yes servers=172.27.10.1
/ip dns static
add address=172.27.10.2 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Invalid packets addressed to the router are logged with prefix INPUT_INVALID.
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=INPUT_INVALID
# ICMP to the router is accepted from anywhere, without a rate limit.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): still disabled=yes - the input chain ends in an implicit
# accept, so ssh/www/api/dns are reachable from every interface. Acceptable
# while troubleshooting; re-enable once the VLAN issue is solved (and fix the
# LAN list first, see /interface list member, or this rule drops everything).
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# hw-offload=yes: fasttracked flows bypass the remaining filter/mangle rules.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# NOTE(review): "Forward control plane" has no matchers, so it accepts every
# forwarded packet and makes the two rules after it unreachable. To keep the
# intent, scope it (e.g. in-interface=vlan13 out-interface=vlan13) and place
# it after "drop invalid".
add action=accept chain=forward comment="Forward control plane"
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
# Masquerade is keyed on out-interface-list=WAN, which currently holds only
# the bridge port ether1 (the trunk to sw1) - see /interface list member.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
# telnet, ftp and winbox are off. www (plain-HTTP Webfig, the UI used in the
# screenshots), api and ssh keep their defaults - an export lists only
# non-default settings. Consider www-ssl/api-ssl and an address= restriction
# on the services that stay enabled.
set telnet disabled=yes
set ftp disabled=yes
set winbox disabled=yes
/ip ssh
# ed25519 host key with strong-crypto=yes: good.
set host-key-type=ed25519 strong-crypto=yes
/ipv6 firewall address-list
# defconf bogon list, referenced by the IPv6 forward chain below (inert while
# IPv6 is disabled).
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Same LAN-list caveat as the IPv4 input chain; also disabled. Re-enable
# together with IPv6 itself, after fixing the LAN list.
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=rt2
/system note
set show-at-login=no
/tool mac-server
# MAC-telnet and MAC-winbox answer on the LAN list (physical ports), i.e. a
# login prompt reachable at L2 from every access port. Restrict this to the
# management VLAN interface, or set it to none.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

sw1:

# 2024-11-07 17:01:13 by RouterOS 7.16.1
# software id = YSYL-RXMP
#
# model = CRS310-8G+2S+
# serial number = HG209PQRK55
# NOTE(review): software id, serial number and admin-mac are device
# identifiers; redact them before posting an export publicly.
/interface bridge
# MSTP, now matching rt2's second export.
add admin-mac=D4:01:C3:0E:7A:50 auto-mac=no comment=defconf name=bridge protocol-mode=mstp pvid=10 vlan-filtering=yes
/interface ethernet
# ether1 = uplink to rt1, ether2 = trunk to rt2, ether6 = workstation ws1.
set [ find default-name=ether1 ] comment=rt1
set [ find default-name=ether2 ] comment=rt2
set [ find default-name=ether3 ] comment=rt1a
set [ find default-name=ether4 ] comment=rt1b
set [ find default-name=ether5 ] comment=ps5
set [ find default-name=ether6 ] comment=ws1
set [ find default-name=ether7 ] comment=rt1c
set [ find default-name=ether8 ] comment="network control plane"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
set [ find default-name=sfp-sfpplus2 ] disabled=yes
/interface vlan
# L3 interface for VLAN 13 only; VLAN 11 is bridged through (see below) but
# not terminated on this switch.
add comment="network control plane" interface=bridge name=vlan13 vlan-id=13
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# ether1 (rt1): untagged-only, VLAN 10, placed in the WAN list below.
# trusted=yes is the DHCP-snooping trust flag; no effect without
# dhcp-snooping=yes on the bridge (not shown in this export).
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10 trusted=yes
# ether2 (rt2): no frame-types (admit-all), untagged 10 + tagged 11/13 - the
# trunk. VLAN 10 is its native VLAN and also every access port's PVID; see the
# VLAN 10 note under /interface bridge vlan.
add bridge=bridge comment=defconf interface=ether2 pvid=10 trusted=yes
# ether3-5, ether7: edge + bpdu-guard, untagged-only -> VLAN 10 access ports.
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
# ether6 (ws1): edge + bpdu-guard but admit-all, and a tagged member of VLAN
# 11 and 13 below - the workstation can send/receive tagged control-plane and
# k8s-management traffic.
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes interface=ether6 pvid=10
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
# NOTE(review): ether8 admits only untagged/priority-tagged frames, yet
# /interface bridge vlan lists it as a *tagged* member of VLAN 13. Tagged
# VLAN 13 frames arriving here are dropped at ingress, so only egress works.
# Either remove frame-types on ether8 (tagged host) or make it pvid=13 and an
# untagged member of VLAN 13 (access port).
add bpdu-guard=yes bridge=bridge comment=defconf edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus2
/interface bridge vlan
# VLAN 10 untagged on every port incl. the trunk: all access ports share the
# segment carrying the switch's 172.27.10.3 management address, and VLAN 10
# is the trunk's native VLAN. Native VLAN == access PVID is the precondition
# for the double-tagging VLAN hop; use an unused native VLAN on the trunk if
# VLAN 11/13 are meant to be isolated from VLAN 10 hosts.
add bridge=bridge comment=public untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10
add bridge=bridge comment="network control plane" tagged=bridge,ether2,ether6,ether8 vlan-ids=13
add bridge=bridge comment="k8s management" tagged=bridge,ether2,ether6 vlan-ids=11
/interface list member
# Lists hold physical ports. Nothing in this export's firewall uses them, but
# any input rules added later must reference bridge/vlan13 instead, since IP
# traffic from bridge ports arrives on those interfaces.
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
/ip address
# NOTE(review): 172.27.10.3 is on ether2, a bridge port (slave); the usual
# practice is to place it on the bridge - confirm /ip address print does not
# flag it invalid.
add address=172.27.10.3/24 comment=defconf interface=ether2 network=172.27.10.0
add address=172.27.13.2/24 comment="network control plane" interface=vlan13 network=172.27.13.0
/ip dhcp-relay
# Relays vlan13 DHCP to rt2 (172.27.13.1). rt2 also serves DHCP directly on
# vlan13 across the trunk, so it presumably sees each DISCOVER twice
# (broadcast and relayed); redundant rather than harmful - consider removing.
add dhcp-server=172.27.13.1 disabled=no interface=vlan13 name="network control plane"
/ip dns
set servers=172.27.10.1
/ip firewall filter
# NOTE(review): the only rule is an unconditional forward accept; there is no
# input chain at all, and no /ip service changes appear in this export (so
# telnet, ftp, www, api and winbox are presumably at their enabled defaults).
# The switch's management plane is therefore open to any host that can reach
# 172.27.10.3 or 172.27.13.2. At minimum add input rules - accept
# established/related, accept from the management VLAN, drop the rest - and
# mirror rt2's /ip service and /ip ssh hardening.
add action=accept chain=forward
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=sw1
/system note
set show-at-login=no

I have found some more info though. For some reason I do see tagged VLAN 13 traffic on rt2 sent to sw1, but no return traffic. On sw1 I don’t see any tagged VLAN 13 traffic. Any thoughts on this?
Screenshot from 2024-11-07 17-22-32.png
Screenshot from 2024-11-07 17-25-20.png
The following VLANs are tagged:

[admin@rt2] > /interface/bridge/vlan/print detail
Flags: X - disabled, D - dynamic 
 0   ;;; Public
     bridge=bridge vlan-ids=10 tagged="" untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 mvrp-forbidden="" current-tagged="" current-untagged=bridge,ether2,ether3,ether4,ether5,ether7,ether1 

 1   ;;; K8s management
     bridge=bridge vlan-ids=11 tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8 untagged="" mvrp-forbidden="" current-tagged=bridge,ether3,ether4,ether5,ether7,ether1 current-untagged="" 

 2   ;;; Data
     bridge=bridge vlan-ids=12 tagged=bridge,ether3,ether4,ether5,ether6,ether7 untagged="" mvrp-forbidden="" current-tagged=bridge,ether3,ether4,ether5,ether7 current-untagged="" 

 3   ;;; Network control plane
     bridge=bridge vlan-ids=13 tagged=bridge,ether1,ether8 untagged="" mvrp-forbidden="" current-tagged=bridge,ether1 current-untagged=""



[admin@sw1] > /interface/bridge/vlan/print detail 
Flags: X - disabled, D - dynamic 
 0   ;;; public
     bridge=bridge vlan-ids=10 tagged="" untagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 mvrp-forbidden="" current-tagged="" current-untagged=bridge,ether1,ether2,ether3,ether7 

 1   ;;; network control plane
     bridge=bridge vlan-ids=13 tagged=bridge,ether2,ether6,ether8 untagged="" mvrp-forbidden="" current-tagged=bridge,ether2 current-untagged="" 

 2   ;;; k8s management
     bridge=bridge vlan-ids=11 tagged=bridge,ether2,ether6 untagged="" mvrp-forbidden="" current-tagged=bridge,ether2 current-untagged=""

It’s like Windows: after a reboot it seems to work! (A reboot fixing it with no config change points to stale bridge/VLAN or hardware-offload state rather than a configuration error, so the troubleshooting relaxations above — the unconditional “Forward control plane” accept rule and the disabled input-chain drop rule — should be reverted now that VLAN 13 works, and the ether8 frame-types/tagged-member mismatch on sw1 is still worth fixing.)
Screenshot from 2024-11-07 18-09-29.png