CCR1009-8 switch chip vlan & access ports

Hello Folks!

This is about CCR1009-8 with the switch chip.
The CCR is used as primary router between various vlans and is also default gw for some of them.

I wanted to use the built-in switch chip, having ether1 and ether4 as VLAN trunks going to one CRS125 each.
ether2 I connect to the incoming internet (a /28 subnet) as an access port on one of the internal VLANs that is trunked out to the CRSes.

This topic is also threaded from: VLAN in pre 6.39 "Bridge Only" config but with a little different setup.

Everything works, except one little detail, the access port ether2: it has no connection to the incoming internet and the public gw.
I tried reconfiguring so that ether2 was an access port on one of the internal networks that has a DHCP server, and then attached a laptop to ether2; I got link up, but that is all.

I must have missed or misunderstood something, yet I followed it; how hard can it be :slight_smile:

(I know, I should get another "core" switch for it, my vendor told me so, and I will put one in later on. Meanwhile I would like to have something like this below.)

Here is how I set it up:

CCR vlans

/interface bridge
add name=bridge1 protocol-mode=none

/interface bridge port
add bridge=bridge1 interface=ether1 hw=yes comment=trunk
add bridge=bridge1 interface=ether2 hw=yes comment=pub1
add bridge=bridge1 interface=ether4 hw=yes comment=trunk

/interface ethernet switch vlan
add ports=switch1-cpu,ether1,ether4 switch=switch1 vlan-id=20
add ports=ether1,ether4 switch=switch1 vlan-id=110
add ports=switch1-cpu,ether1,ether2,ether4 switch=switch1 vlan-id=112
add ports=switch1-cpu,ether1,ether4 switch=switch1 vlan-id=200
add ports=switch1-cpu,ether1,ether4 switch=switch1 vlan-id=220
add ports=switch1-cpu,ether1,ether4 switch=switch1 vlan-id=300
add ports=switch1-cpu,ether1,ether4 switch=switch1 vlan-id=310
add ports=ether1,ether4 switch=switch1 vlan-id=320
add ports=switch1-cpu,ether1,ether4 switch=switch1 vlan-id=400

/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=112 comment=pub1
set ether4 vlan-mode=secure vlan-header=add-if-missing
set switch1-cpu vlan-header=leave-as-is vlan-mode=secure

Accessible IP addresses on one VLAN

/interface vlan
add interface=bridge1 vlan-id=20 name=vlan20
add interface=bridge1 vlan-id=112 name=pub1
add interface=bridge1 vlan-id=200 name=vlan200
add interface=bridge1 vlan-id=220 name=vlan220
add interface=bridge1 vlan-id=300 name=vlan300
add interface=bridge1 vlan-id=310 name=vlan310
add interface=bridge1 vlan-id=400 name=vlan400

/ip address
add address= interface=pub1
add address=192.168.1.1/24 interface=vlan20
add address=172.16.1.1/24 interface=vlan200
add address=10.30.0.1/24 interface=vlan220
add address=192.168.2.254/24 interface=vlan300
add address=192.168.2.254/24 interface=vlan310
add address=172.16.16.3/24 interface=vlan400

Just stating the obvious: the line

/ip address
add address=<public-ip-address> interface=pub1

surely includes a subnet mask?

What happens if you don't connect the public IP (WAN IP) to the bridge?
It's not on my bridge and my setup works great with many VLANs.
Probably because I am using RouterOS and not some switch-specific OS??

Yes.

I tried that too; no traffic comes in/out on ether2.

Is internet provided as a layer 2 or layer 3 service? Currently you have it configured as layer 2.

Maybe add a diagram so we can clearly see how things are connected.

Just to confirm, are you sure the CCR1009 has a switch chip? It is my understanding that only fairly old CCR1009s have switch chips.

Internet is provided as layer 2, Ethernet.
I confirm my CCR1009 has the switch chip Atheros 8327.

Provider gigabit Ethernet L2 → ether2 CCR1009 VLAN tagging and trunking → ether1 and ether4
CCR1009 ether1 VLAN trunk → CRS125 SW ether1
CCR1009 ether4 VLAN trunk → CRS125 SW ether1

ether2 is supposed to be an L2 access port that, internally in the CCR1009, is attached to vlan112. vlan112 is trunked together with the other VLANs to ether1 and ether4 using the CCR1009 switch chip. The VLAN trunk on ether1 and ether4 is working, but ether2 as an access port to vlan112 does not work; it is more or less isolated.

We tried putting ether2 as an access port on vlan200, but it was still isolated: no traffic in, no traffic out and no contact with vlan200.

I am confused about the internet access port / vlan 112 part. Usually you will tag traffic going out, not coming in.

Can you elaborate a bit more on what you are trying to achieve here, and maybe confirm with the service provider how you are supposed to access internet services?

I think I remember that if you use interfaces you need to tag one direction on the bridge and the other one on the port. Then it works,
but it won't work if you tag both on the port.
This I found quite strange, so because of this I now tag DL via IP address: DL is destination "local IP addresses",
UL is "source" local IP address, and packet-mark them accordingly.

Works like a charm.

(You still use only connections from the parent mangle rule that marks in-interface/out-interface WAN,
so local traffic won't get hit.)

I will try :slight_smile: I want ether2 to be an access port for untagged traffic, like this:

From provider (tag traffic from the provider with vlan112):
Provider internet link, untagged (no VLAN tags on the packets) → ether2; inside the CCR1009, tag the ether2 packets with vlan112 → out to ether1 and ether4 (the VLAN trunks).

To provider (untag vlan112 packets that are going out via ether2):
VLAN-tagged traffic from ether1 and ether4: "grab" the traffic tagged vlan112 going towards the provider and untag the packets on ether2 → untagged traffic from vlan112 to the provider.