CRS VLAN Management IP

I received a CRS125-24G-1S-RM on Friday and since then I've been trying to get a management IP assigned to a VLAN. I've been following the CRS examples guide and have managed to get a port based VLAN working (except that it leaks tagged traffic from other VLANs, but from what I hear that's the best that can be done at the moment). Down at the bottom of the page, it explains how to set a management IP for the VLAN, which I'd like to do so that the switch can act as the gateway. However, it doesn't seem to work.

I ran Wireshark on a host in the VLAN and attempted to ping it from the switch. In Wireshark, I can see the ARP requests from the switch (untagged) and the ARP responses from the host (also untagged). I've even reset the configuration of the router (removing what I already had configured) and tried just the VLAN configuration from scratch, but no luck. My export is below. Does anyone know what I'm doing wrong? Does anyone have this working?
[admin@MikroTik] > export

# jan/02/1970 00:35:59 by RouterOS 6.11

# software id = 76PM-XHVB

# Port naming and switch grouping: ether1 is renamed ether1-master-local and
# every other port (ether2-ether24 and sfp1) is given master-port=ether1-master-local,
# so all 25 ports are slaved to the same master port (one hardware switch group).
# Nothing in this section separates ports by VLAN; that is left to the
# switch-chip settings further down in the export.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master-local
set [ find default-name=ether2 ] master-port=ether1-master-local name=ether2-slave-local
set [ find default-name=ether3 ] master-port=ether1-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether1-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether1-master-local name=ether5-slave-local
set [ find default-name=ether6 ] master-port=ether1-master-local name=ether6-slave-local
set [ find default-name=ether7 ] master-port=ether1-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether1-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether1-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-master-local name=ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-master-local name=ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-master-local name=ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-master-local name=ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-master-local name=ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-master-local name=ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-master-local name=ether16-slave-local
set [ find default-name=ether17 ] master-port=ether1-master-local name=ether17-slave-local
set [ find default-name=ether18 ] master-port=ether1-master-local name=ether18-slave-local
set [ find default-name=ether19 ] master-port=ether1-master-local name=ether19-slave-local
set [ find default-name=ether20 ] master-port=ether1-master-local name=ether20-slave-local
set [ find default-name=ether21 ] master-port=ether1-master-local name=ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-master-local name=ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-master-local name=ether23-slave-local
set [ find default-name=ether24 ] master-port=ether1-master-local name=ether24-slave-local
set [ find default-name=sfp1 ] master-port=ether1-master-local name=sfp1-slave-local
# CPU-side VLAN interface for VLAN ID 200, bound to the master port. This is
# the interface that carries the 192.168.1.1/24 address in /ip address below.
/interface vlan
add interface=ether1-master-local l2mtu=1584 name=vlan200 vlan-id=200
# Switch chip forwards using the customer VLAN ID (C-VID) as the lookup VID.
/interface ethernet switch
set bridge-type=customer-vid-used-as-lookup-vid
# Serial port naming; not related to the VLAN setup.
/port
set 0 name=serial0
# Egress on ether2/ether3: frames in VLAN 200 are rewritten to VID 0, i.e. they
# leave these two ports untagged (consistent with the untagged ARP requests the
# poster sees in Wireshark).
/interface ethernet switch egress-vlan-translation
add customer-vid=200 new-customer-vid=0 ports=ether2-slave-local
add customer-vid=200 new-customer-vid=0 ports=ether3-slave-local
# Ingress on ether2/ether3: untagged frames (VID 0) are assigned VLAN 200, with
# source-address learning enabled for them.
# NOTE(review): this export shows no VLAN-table membership entry
# (/interface ethernet switch vlan) and no tagging toward the switch CPU port
# for VLAN 200, and nothing here limits which other ports may carry VLAN 200.
# That may explain both the unreachable vlan200 address and the tagged-traffic
# leak mentioned in the post - confirm against the CRS examples guide for the
# RouterOS version in use.
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=200 ports=ether2-slave-local sa-learning=yes
add customer-vid=0 new-customer-vid=200 ports=ether3-slave-local sa-learning=yes
# Two router addresses: the factory-default 192.168.88.1/24 on the master port
# itself (untagged side) and 192.168.1.1/24 on vlan200, the intended VLAN
# gateway / management address.
# NOTE(review): the default address stays active on the master port, and this
# export shows no /ip firewall or /ip service restrictions, so management
# access is presumably still reachable outside VLAN 200 - confirm before
# treating vlan200 as the only management path.
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether1-master-local network=192.168.88.0
add address=192.168.1.1/24 interface=vlan200 network=192.168.1.0
# UPnP setting: clients are not allowed to disable the external interface.
/ip upnp
set allow-disable-external-interface=no
# LCD panel: one entry per port so each interface can be shown on the display.
# None of the /lcd settings affect VLAN handling.
/lcd interface
set ether1-master-local interface=ether1-master-local
set ether2-slave-local interface=ether2-slave-local
set ether3-slave-local interface=ether3-slave-local
set ether4-slave-local interface=ether4-slave-local
set ether5-slave-local interface=ether5-slave-local
set ether6-slave-local interface=ether6-slave-local
set ether7-slave-local interface=ether7-slave-local
set ether8-slave-local interface=ether8-slave-local
set ether9-slave-local interface=ether9-slave-local
set ether10-slave-local interface=ether10-slave-local
set ether11-slave-local interface=ether11-slave-local
set ether12-slave-local interface=ether12-slave-local
set ether13-slave-local interface=ether13-slave-local
set ether14-slave-local interface=ether14-slave-local
set ether15-slave-local interface=ether15-slave-local
set ether16-slave-local interface=ether16-slave-local
set ether17-slave-local interface=ether17-slave-local
set ether18-slave-local interface=ether18-slave-local
set ether19-slave-local interface=ether19-slave-local
set ether20-slave-local interface=ether20-slave-local
set ether21-slave-local interface=ether21-slave-local
set ether22-slave-local interface=ether22-slave-local
set ether23-slave-local interface=ether23-slave-local
set ether24-slave-local interface=ether24-slave-local
set sfp1-slave-local interface=sfp1-slave-local
# LCD pages: page 0 lists ether1-ether12, page 1 lists ether13-ether24.
# The two interfaces="..." values below were hard-wrapped in the paste; each
# is a single line in the actual export.
/lcd interface pages
set 0 interfaces="ether1-master-local,ether2-slave-local,ether3-slave-local,ether4-slave-local,ether5-slave-local,ether6-slave-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,ether10-slave-l
ocal,ether11-slave-local,ether12-slave-local"
set 1 interfaces="ether13-slave-local,ether14-slave-local,ether15-slave-local,ether16-slave-local,ether17-slave-local,ether18-slave-local,ether19-slave-local,ether20-slave-local,ether21-slave-local,ether22
-slave-local,ether23-slave-local,ether24-slave-local"

Nobody got this working? Has the functionality actually been implemented yet?

My eventual goal is to implement VLANs, so if I can get my crs125 to work at all, I’m subscribed to this thread and can read up…

We gave up on ours… We use them, but without management vlan. Keen to hear if someone gets that going.

I went back to my Cisco L3 Switch … Mikrotik should stop selling them!

I have it partially working… there are some bugs currently though. There are a bunch of fixes in 6.12 and supposedly there will be more examples documented.

> I have it partially working… there are some bugs currently though. There are a bunch of fixes in 6.12 and supposedly there will be more examples documented.

Please… can you post a working VLAN configuration with a tagged VLAN Uplink port (to another switch)
That would be very nice

After 6.12 is released and the full documentation updated I’d be glad to.

Any updates guys?

Thanks

Team,

I have the same switch.
I went through some issues but with help I was able to get it to work.

Though my requirements were a bit different, it might help or give others an idea…
Here are my notes:

Ok first create a vlan under the interfaces = add vlan and attach it to “bridge-local”
or you can do:
/interface vlan add interface=bridge-local name=vlan2 vlan-id=2
Then assign an IP to that vlan; in this example we are using vlan2:
/ip address add address=10.30.10.1 netmask=255.255.255.0 interface=vlan2
Now we add a pool range:
/ip pool add ranges=10.30.10.100-10.30.10.200 name=vlan2
Now we create a dhcp server:
/ip dhcp-server add name=guest_vlan2 interface=vlan2
Now we add a network to the dhcp server:
/ip dhcp-server network add address=10.30.10.0/24 dns-server=8.8.8.8 gateway=10.30.10.1
Now we select the pool in the dhcp server:

use the pool you created before named “vlan2”
You can edit the dhcp server to do this on the gui and select the pool.

Remember that the interface is vlan2 and the address pool is vlan2.

Make sure you have NAT enabled on the gateway interface; it already is :slight_smile:

now we work with the firewall:

Lets create a address list… you can browse the gui to see the results:
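/ip firewall address-list add list=bogons address=10.0.0.0/8
/ip firewall address-list add list=bogons address=172.16.0.0/26
/ip firewall address-list add list=bogons address=192.168.0.0/16
(Note: as written, 172.16.0.0/26 covers only 172.16.0.0–172.16.0.63; the RFC 1918 private block is 172.16.0.0/12, so the entry needs /12 to cover that whole range.)
And now we do:
/ip firewall filter add dst-address-list=bogons chain=forward action=log in-interface=vlan2
What this is saying is: log traffic coming in the vlan2 interface going to any of the private IP addresses. You can then change this from action=log to action=drop in the GUI; until it is changed to drop, the rule only logs and guests can still reach those ranges.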

Move this to the top of the list. Now guests can have a destination address of anything except the bogons list. "Bogons" is a bit of a misnomer, usually reserved for private IP ranges coming in a WAN interface, but I like using it here.

note that guests can still target the router’s addresses because the rule is on the forward chain.

you can add more rules to the input chain such as blocking anything coming in the vlan2 interface, or allowing ICMP so you can still ping the gateway. you can experiment with this. If your guest network has a splash page, make sure that the splash page’s ip address is allowed through.

so if your splash page is hosted on a server on the LAN, just add an allow rule on the forward chain right above the block rule. rules are matched top down.


To print and confirm some of your work:
/ip address print where interface=vlan2
/ip pool print
/ip dhcp-server print
/ip dhcp-server network print
Here is a port forward example:
/ip firewall nat add chain=dstnat dst-address=YOURWANIP protocol=tcp dst-port=8088 action=dstnat to-address=YOURLANIP to-port=8088
Good luck.

Where is that “bridge-local” coming from… I don’t see it defined anywhere?

Also, looking at the topic starter’s config… I would think it is correct, but I have a similar one and it doesn’t work either.

The question, however, is simple… define a VLAN on the CRS, link a DHCP client or server to it and have the packets coming out UNTAGGED on a port.

That’s exactly what I did.

bridge-local is the default switch config and it came from factory that way. All I did was create a vlan and attach it to the bridge and of course configure the dhcp, pool, etc..