CRS-125 hybrid port / trunk tagged and untagged vlans

Hi, I bought myself a CRS125-24G-1S2HnD-IN and would like to connect to my servers from my workstation. Servers have several tagged/untagged VLANs attached, so I configured a hybrid port for them. For the workstation I have one untagged vlan (ingress 888) and one tagged vlan (678). Currently I'm unable to ping the untagged vlan (888) interfaces of the servers and/or the switch from the workstation (interface 23) or from any other servers (interfaces 3-11). Though I can ping the tagged vlans. Did I do anything wrong with the ingress/egress translation rules? Please let me know, I've been busy with this for 3 weeks now ... and I can tell ya, trunks/hybrid ports on a CRS aren't easy to config :confused:

[admin@MikroTik] > export

# jan/02/1970 07:18:40 by RouterOS 6.23

# software id = 09TT-8K3D

/interface wireless
set [ find default-name=wlan1 ] l2mtu=2290
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether2
set [ find default-name=ether8 ] master-port=ether2
set [ find default-name=ether9 ] master-port=ether2
set [ find default-name=ether10 ] master-port=ether2
set [ find default-name=ether11 ] master-port=ether2
set [ find default-name=ether23 ] master-port=ether2

/interface vlan
add interface=ether2 l2mtu=1584 name=vlan27 vlan-id=27
add interface=ether2 l2mtu=1584 name=vlan34 vlan-id=34
add interface=ether2 l2mtu=1584 name=vlan49 vlan-id=49
add interface=ether2 l2mtu=1584 name=vlan678 vlan-id=678
add interface=ether2 l2mtu=1584 name=vlan888 vlan-id=888

/port
set 0 name=serial0

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2,ether5,ether8,switch1-cpu vlan-id=27
add tagged-ports=ether2,ether3,ether6,ether10,switch1-cpu vlan-id=34
add tagged-ports=ether2,ether7,ether9,ether11,switch1-cpu vlan-id=49
add tagged-ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether23,switch1-cpu" vlan-id=678

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=888 ports=ether3 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether4 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether5 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether6 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether7 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether8 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether9 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether10 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether11 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether23 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether2 sa-learning=yes

/interface ethernet switch vlan
add ports=ether2,ether5,ether8,switch1-cpu vlan-id=27
add ports=ether2,ether3,ether6,ether10,switch1-cpu vlan-id=34
add ports=ether2,ether7,ether9,ether11,switch1-cpu vlan-id=49
add ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether23,switch1-cpu" vlan-id=678
add ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether23,switch1-cpu" vlan-id=888

/ip address
add address=10.8.0.1/24 interface=vlan27 network=10.8.0.0
add address=10.9.0.1/24 interface=vlan34 network=10.9.0.0
add address=10.10.0.1/24 interface=vlan49 network=10.10.0.0
add address=10.11.0.1/24 interface=vlan678 network=10.11.0.0
add address=10.12.0.1/24 interface=vlan888 network=10.12.0.0

/ip firewall filter
add action=drop chain=input comment="default configuration" in-interface=ether1
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1

Seems that you only need to add vlan888 tagging on CPU port to make it work:

/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=888

Seems that your reply is correct, because after entering the command I can now ping all the machines on vlan888. How could I miss such a simple fact :open_mouth: … thnx!

Edit: Ok, I understand that the switch1-cpu port on the switch must be able to egress packets with vlanid888 to the CPU. But how does the CPU know that these packets should then be untagged and sent to the switch? Is that information derived from the ingress option in some smart way? I’m just trying to understand how this works.

Below is what I found in the wiki; the thing is, I never specified the untagged format for vlanid888 in my config :question:

Egress VLAN Tag

Sub-menu: /interface ethernet switch egress-vlan-tag

Egress packets can be assigned different VLAN tag format. The VLAN tags can be removed, added, or remained as is when the packet is sent to the egress port (destination port). Each port has dedicated control on the egress VLAN tag format. The tag formats include:

    Untagged
    Tagged
    Unmodified

Edit: Ok, I understand that the switch1-cpu port on the switch must be able to egress packets with vlanid888 to the CPU. But how does the CPU know that these packets should then be untagged and sent to the switch? Is that information derived from the ingress option in some smart way? I’m just trying to understand how this works.

The CPU does not know anything about removing the tag; it sends tagged vlan888 traffic through its vlan interface to the switch-chip “switch1-cpu” port. The switch-chip then decides whether to remove the vlan tag if the traffic is further forwarded to a port which had a proper ingress translation rule for that vlan.

Below is what I found in the wiki; the thing is, I never specified the untagged format for vlanid888 in my config

That setting refers from the “egress-vlan-tag” table to each switch port's “egress-vlan-mode”, which by default is “unmodified”; it allows overriding the default egress action on specific ports.
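The mistake found in this thread can be checked mechanically. The following is an added example, not code from the thread or from MikroTik: a small Python audit that reads an export and flags every `/interface vlan` entry whose VLAN ID does not list `switch1-cpu` in `egress-vlan-tag` tagged-ports. The function names are hypothetical, the sample export is abridged from the first post, all VLAN interfaces are assumed to sit on the switch master port, and the VLAN-table membership check mirrors the posted config rather than anything stated in the replies.

```python
import shlex
CPU = "switch1-cpu"
# Constructed sample: abridged from the export in the first post (two VLANs kept).
EXPORT = """\
/interface vlan
add interface=ether2 l2mtu=1584 name=vlan678 vlan-id=678
add interface=ether2 l2mtu=1584 name=vlan888 vlan-id=888
/interface ethernet switch egress-vlan-tag
add tagged-ports="ether2,ether3,ether23,switch1-cpu" vlan-id=678
/interface ethernet switch vlan
add ports="ether2,ether3,ether23,switch1-cpu" vlan-id=678
add ports="ether2,ether3,ether23,switch1-cpu" vlan-id=888
"""
FIX = "/interface ethernet switch egress-vlan-tag\nadd tagged-ports=switch1-cpu vlan-id=888\n"

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for every 'add' line."""
    menus, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            # shlex keeps quoted values such as ports="a,b" in one token
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus.setdefault(current, []).append(dict(pairs))
    return menus

def ports_by_vid(rows, key):
    """Map vlan-id -> set of ports taken from the given column."""
    out = {}
    for row in rows:
        out.setdefault(row["vlan-id"], set()).update(row[key].split(","))
    return out

def audit_cpu_vlans(text):
    """Report VLAN interfaces whose frames cannot reach the CPU tagged."""
    m = parse_export(text)
    members = ports_by_vid(m.get("/interface ethernet switch vlan", []), "ports")
    tagged = ports_by_vid(m.get("/interface ethernet switch egress-vlan-tag", []), "tagged-ports")
    problems = []
    for vif in m.get("/interface vlan", []):
        vid = vif["vlan-id"]
        if CPU not in members.get(vid, set()):
            problems.append(f"vlan {vid}: {CPU} is not in the switch VLAN table")
        if CPU not in tagged.get(vid, set()):
            problems.append(f"vlan {vid}: {CPU} missing from egress-vlan-tag tagged-ports")
    return problems

if __name__ == "__main__":
    print(audit_cpu_vlans(EXPORT), audit_cpu_vlans(EXPORT + FIX))
```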