CRS125, VLANs and WLAN

I have my CRS 125 configured per
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples
https://wiki.mikrotik.com/wiki/Manual:CRS_Router
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches

I have 3 vlans defined, a WAN1 port, and a trunk with all 3 vlans successfully passing across a trunk to a hAP AC, with DHCP for each vlan/subnet. I have wlan1 in the same bridge.

Now I want to enable three SSIDs, each on one of the 3 VLANs (3 additional vlans I could probably handle, but it’s a lot more config of filters, DHCP, etc).

My plan was to create three virtual WLAN interfaces for each VLAN. But it’s not working.

I can see the SSIDs, but am not getting an IP address from the DHCP server configured on the vlan.

Setting the interface to VLAN Mode: no tag and use tag doesn’t help (with the VLAN ID set to the vlan).

Setting the IP Address on the client (so skipping over DHCP) doesn’t help. I’m trying to use the non-CPU VLAN config on the CRS125, but I don’t see how that interacts with WLAN.

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united states" disabled=no frequency=auto mode=ap-bridge ssid=wlan
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=rWireless
add authentication-types=wpa2-psk comment="Wireless LAN" eap-methods="" mode=dynamic-keys name=wlanLAN supplicant-identity=""
add authentication-types=wpa2-psk comment="Wireless GUEST" eap-methods="" mode=dynamic-keys name=wlanGUEST supplicant-identity=""
add authentication-types=wpa2-psk comment="Wireless DMZ" eap-methods="" mode=dynamic-keys name=wlanDMZ supplicant-identity=""
/interface wireless
add comment="wlanDMZ Virtual Interface" keepalive-frames=disabled mac-address=WH:YD:OE:SH:ID:ES master-interface=wlan1 multicast-buffering=disabled name=\
    wlanDMZ security-profile=wlanDMZ ssid=sD vlan-id=14 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add comment="wlanGUEST Virtual Interface" keepalive-frames=disabled mac-address=SE:NS:IT:VE:NO master-interface=wlan1 multicast-buffering=disabled name=\
    wlanGUEST security-profile=wlanGUEST ssid=sG vlan-id=17 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add comment="wlanLAN Virtual Interface" disabled=no keepalive-frames=disabled mac-address=THI:DE:TH:EM:AC master-interface=wlan1 multicast-buffering=\
    disabled name=wlanLAN security-profile=wlanLAN ssid=sL vlan-id=2 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlanDMZ comment="wlanDMZ Virtual Interface"
set wlanGUEST comment="wlanGUEST Virtual Interface"
set wlanLAN comment="wlanLAN Virtual Interface"
/interface wireless nstreme
set *25 comment="wlanDMZ Virtual Interface"
set *24 comment="wlanGUEST Virtual Interface"
set *22 comment="wlanLAN Virtual Interface"

OK, I’m going to bet that my problem is related to the fact that the wlan1 interface isn’t in the Switch config for Vlan, Egress VLan Tag, and Ingres Vlan Trans.

I think the solution is to create 3 bridges w/ IPs for the virtual WLANs, 3 new VLANs for the virtual WLANs, and 3 new DHCP environments for the virtual WLANs.

Assign the DHCP servers to the 3 bridges.
Assign each vlan interface to the associated wlan virtual interface
Assign the associated vlan and wlan to each bridge

/interface bridge
add name=bridgeWLAN-DMZ vlan-filtering=yes
add name=bridgeWLAN-GUEST vlan-filtering=yes
add name=bridgeWLAN-LAN vlan-filtering=yes

/interface vlan
add interface=wlanDMZ name=vlanDMZWlan vlan-id=7
add interface=wlanGUEST name=vlanGUESTWlan vlan-id=5
add interface=wlanLAN name=vlanLANWlan vlan-id=3

/interface bridge port
add bridge=bridgeWLAN-LAN interface=vlanLANWlan
add bridge=bridgeWLAN-LAN interface=wlanLAN
add bridge=bridgeWLAN-GUEST interface=vlanGUESTWlan
add bridge=bridgeWLAN-GUEST interface=wlanGUEST
add bridge=bridgeWLAN-DMZ interface=vlanDMZWlan
add bridge=bridgeWLAN-DMZ interface=wlanDMZ

/interface wireless
add comment="wlanDMZ Virtual Interface" disabled=no keepalive-frames=disabled mac-address=DE:2C:6E:3D:F5:06 master-interface=wlan1 multicast-buffering=\
    disabled name=wlanDMZ security-profile=wlanDMZ ssid=sD vlan-id=7 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add comment="wlanGUEST Virtual Interface" disabled=no keepalive-frames=disabled mac-address=DE:2C:6E:3D:F5:05 master-interface=wlan1 multicast-buffering=\
    disabled name=wlanGUEST security-profile=wlanGUEST ssid=sG vlan-id=5 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add comment="wlanLAN Virtual Interface" disabled=no keepalive-frames=disabled mac-address=BA:69:F4:F5:53:C2 master-interface=wlan1 multicast-buffering=\
    disabled name=wlanLAN security-profile=wlanLAN ssid=sL vlan-id=3 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

I don’t think that’s quite right either, but suspect it’s the right direction?

No, you most probably don’t need 3 bridges. But before explaining what needs to be done, post full config of your CRS … because correct config of L2 for wireless interfaces very much depend on actual config of L2 for ethernet interfaces. After all, the idea is to make wireless interfaces part of corresponding VLAN/ethernet networks.

As I understand it, if I’m using the switching function of the CRS 125 , it doesn’t matter as much, as I can’t put the two together?

# may/03/2022 11:32:52 by RouterOS 6.49.6
# software id = AKR0-XZSF
#
# model = CRS125-24G-1S-2HnD
/interface bridge
add name=bridgeVLAN
add name=bridgeWLAN-DMZ vlan-filtering=yes
add name=bridgeWLAN-GUEST vlan-filtering=yes
add name=bridgeWLAN-LAN vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="united states" disabled=no frequency=auto mode=ap-bridge ssid=\
    wlan
/interface ethernet
set [ find default-name=ether23 ] comment="WAN uplink to AT&T" name=wan1
/interface l2tp-server
add name=L2TP-Interface user=EUUser
/interface vlan
add interface=bridgeVLAN name=vlanDMZ vlan-id=6
add interface=bridgeVLAN name=vlanGUEST vlan-id=4
add interface=bridgeVLAN name=vlanLAN vlan-id=2
add interface=bridgeVLAN name=vlanTH vlan-id=33
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=rsWireless
add authentication-types=wpa2-psk comment="Wireless LAN" eap-methods="" mode=\
    dynamic-keys name=wlanLAN supplicant-identity=""
add authentication-types=wpa2-psk comment="Wireless GUEST" eap-methods="" \
    mode=dynamic-keys name=wlanGUEST supplicant-identity=""
add authentication-types=wpa2-psk comment="Wireless DMZ" eap-methods="" mode=\
    dynamic-keys name=wlanDMZ supplicant-identity=""
/interface wireless
add comment="wlanDMZ Virtual Interface" disabled=no keepalive-frames=disabled \
    mac-address=DE:2C:6E:3D:F5:06 master-interface=wlan1 multicast-buffering=\
    disabled name=wlanDMZ security-profile=wlanDMZ ssid=sD vlan-id=7 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add comment="wlanGUEST Virtual Interface" disabled=no keepalive-frames=\
    disabled mac-address=DE:2C:6E:3D:F5:05 master-interface=wlan1 \
    multicast-buffering=disabled name=wlanGUEST security-profile=wlanGUEST \
    ssid=sG vlan-id=5 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add comment="wlanLAN Virtual Interface" disabled=no keepalive-frames=disabled \
    mac-address=BA:69:F4:F5:53:C2 master-interface=wlan1 multicast-buffering=\
    disabled name=wlanLAN security-profile=wlanLAN ssid=sL vlan-id=3 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlanDMZ comment="wlanDMZ Virtual Interface"
set wlanGUEST comment="wlanGUEST Virtual Interface"
set wlanLAN comment="wlanLAN Virtual Interface"
/interface wireless nstreme
set *25 comment="wlanDMZ Virtual Interface"
set *24 comment="wlanGUEST Virtual Interface"
set *22 comment="wlanLAN Virtual Interface"
/interface vlan
add interface=wlanDMZ name=vlanDMZWlan vlan-id=7
add interface=wlanGUEST name=vlanGUESTWlan vlan-id=5
add interface=wlanLAN name=vlanLANWlan vlan-id=3
/ip pool
add name=poolLAN ranges=192.168.2.100-192.168.2.199
add name=poolGUEST ranges=192.168.4.100-192.168.4.199
add name=poolL2TP ranges=10.2.2.50-10.2.2.99
add name=poolDMZ ranges=192.168.6.100-192.168.6.199
add name=poolLANWlan ranges=192.168.3.100-192.168.3.199
add name=poolGUESTWLan ranges=192.168.5.100-192.168.5.199
add name=poolDMZWlan ranges=192.168.7.100-192.168.7.199
/ip dhcp-server
add address-pool=poolLAN disabled=no interface=vlanLAN name=dhcpLAN
add address-pool=poolGUEST disabled=no interface=vlanGUEST name=dhcpGUEST
add address-pool=poolDMZ disabled=no interface=vlanDMZ name=dhcpDMZ
add address-pool=poolLANWlan disabled=no interface=bridgeWLAN-LAN name=\
    dhcpLANWlan
add address-pool=poolGUESTWLan disabled=no interface=bridgeWLAN-GUEST name=\
    dhcpGUESTWlan
add address-pool=poolDMZWlan disabled=no interface=bridgeWLAN-DMZ name=\
    dhcpDMZWlan
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,1.1.1.1 local-address=10.2.2.1 \
    name=L2TP remote-address=poolL2TP use-encryption=yes
/interface bridge port
add bridge=bridgeVLAN interface=ether2
add bridge=bridgeVLAN interface=ether3
add bridge=bridgeVLAN interface=ether4
add bridge=bridgeVLAN interface=ether5
add bridge=bridgeVLAN interface=ether6
add bridge=bridgeVLAN interface=ether7
add bridge=bridgeVLAN interface=ether8
add bridge=bridgeVLAN interface=ether9
add bridge=bridgeVLAN interface=ether10
add bridge=bridgeVLAN interface=ether11
add bridge=bridgeVLAN interface=ether12
add bridge=bridgeVLAN interface=ether13
add bridge=bridgeVLAN interface=ether14
add bridge=bridgeVLAN interface=ether15
add bridge=bridgeVLAN interface=ether16
add bridge=bridgeVLAN interface=ether17
add bridge=bridgeVLAN interface=ether18
add bridge=bridgeVLAN interface=ether20
add bridge=bridgeVLAN interface=ether21
add bridge=bridgeVLAN interface=ether22
add bridge=bridgeVLAN interface=ether24
add bridge=bridgeVLAN interface=sfp1
add bridge=bridgeVLAN interface=ether1
add bridge=bridgeWLAN-LAN interface=vlanLANWlan
add bridge=bridgeWLAN-LAN interface=wlanLAN
add bridge=bridgeWLAN-GUEST interface=vlanGUESTWlan
add bridge=bridgeWLAN-GUEST interface=wlanGUEST
add bridge=bridgeWLAN-DMZ interface=vlanDMZWlan
add bridge=bridgeWLAN-DMZ interface=wlanDMZ
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set rp-filter=strict
/interface ethernet switch egress-vlan-tag
add comment=LAN tagged-ports=ether24,switch1-cpu vlan-id=2
add comment=GUEST tagged-ports=ether24,switch1-cpu vlan-id=4
add comment=DMZ tagged-ports=ether24,switch1-cpu vlan-id=6
add comment=TH tagged-ports=switch1-cpu vlan-id=33
/interface ethernet switch ingress-vlan-translation
add comment=:LAN customer-vid=0 new-customer-vid=2 ports="ether1,ether2,ether3\
    ,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13\
    ,ether14,ether15,ether16" service-dei=0
add comment=GUEST customer-vid=0 new-customer-vid=4 ports=ether17,ether18
add comment=DMZ customer-vid=0 new-customer-vid=6 ports=ether21,ether22
add comment=TH customer-vid=0 new-customer-vid=33 ports=ether19
/interface ethernet switch vlan
add comment=LAN ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,sw\
    itch1-cpu" vlan-id=2
add comment=GUEST ports=ether17,ether18,ether24,switch1-cpu vlan-id=4
add comment=DMZ ports=ether21,ether22,ether24,switch1-cpu vlan-id=6
add comment=TH ports=ether19 vlan-id=33
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TP enabled=yes \
    use-ipsec=required
/ip address
add address=192.168.2.1/24 interface=vlanLAN network=192.168.2.0
add address=192.168.4.1/24 interface=vlanGUEST network=192.168.4.0
add address=192.168.15.3/24 interface=wan1 network=192.168.15.0
add address=192.168.6.1/24 interface=vlanDMZ network=192.168.6.0
add address=10.33.33.34/16 interface=vlanTH network=10.33.0.0
add address=192.168.3.1/24 interface=bridgeWLAN-LAN network=192.168.3.0
add address=192.168.5.1/24 interface=bridgeWLAN-GUEST network=192.168.5.0
add address=192.168.7.1/24 interface=bridgeWLAN-DMZ network=192.168.7.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.36,8.8.8.8 domain=\
    home.s.net gateway=192.168.2.1 netmask=24
add address=192.168.3.0/24 dns-server=8.8.8.8 domain=home2.s.net \
    gateway=192.168.3.1 netmask=24
add address=192.168.4.0/24 dns-server=8.8.8.8 domain=guest.s.net \
    gateway=192.168.4.1 netmask=24
add address=192.168.5.0/24 dns-server=8.8.8.8 domain=guest2.s.net \
    gateway=192.168.5.1 netmask=24
add address=192.168.6.0/24 dns-server=8.8.8.8,8.8.4.4 domain=dmz.s.net \
    gateway=192.168.6.1 netmask=24
add address=192.168.7.0/24 dns-server=8.8.8.8 domain=dmz2.s.net \
    gateway=192.168.7.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=192.168.2.0-192.168.2.254 list=allowed_to_router
add address=192.0.0.0/24 comment=RFC6890 list=bogons
add address=100.64.0.0/10 comment=RFC6890 list=bogons
add address=240.0.0.0/4 comment=RFC6890 list=bogons
/ip firewall filter
add action=accept chain=forward comment="ALL ICMP Input" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="ALL ICMP INPUT" disabled=yes protocol=\
    icmp
add action=accept chain=output comment="ALL ICMP OUTPUT" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="Accept established related input" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop input: invalid" connection-state=\
    invalid
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="L2TP Ports" dst-port=500,1701,4500 \
    in-interface=wan1 protocol=udp
add action=accept chain=input comment="L2TP ipsec-esp" in-interface=wan1 \
    protocol=ipsec-esp
add action=accept chain=input comment="L2TP ipsec-ah" in-interface=wan1 \
    protocol=ipsec-esp
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=jump chain=input comment="Jump for SSH input" jump-target=SSH \
    protocol=xns-idp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="Allow Input Management" src-address=\
    192.168.2.0/24
add action=drop chain=input comment="block everything else WAN1" \
    in-interface=wan1
add action=drop chain=input comment="drop all input" log=yes log-prefix=\
    "Drop Input:"
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=accept chain=forward comment="Accept established related forward" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop forward: invalid" \
    connection-state=invalid
add action=drop chain=forward comment="VLAN Internet Access Only - GUEST" \
    connection-state=new in-interface=vlanGUEST out-interface=!wan1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons log=yes log-prefix="DROP BOGON:"
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for SSH forward" jump-target=SSH
add action=drop chain=forward comment="drop all not NAT WAN1" \
    connection-nat-state=!dstnat connection-state=new in-interface=wan1
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=drop chain=SSH comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=SSH connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=SSH connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=SSH connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=SSH connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=SSH comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT LAN 192.168.2.0/23" \
    ipsec-policy=out,none out-interface=wan1 src-address=192.168.2.0/23
add action=masquerade chain=srcnat comment="NAT GUEST 192.168.4.0/23" \
    out-interface=wan1 src-address=192.168.4.0/23
add action=masquerade chain=srcnat comment="NAT DMZ 192.168.6.0/23" \
    out-interface=wan1 src-address=192.168.6.0/23
add action=masquerade chain=srcnat comment="NAT TH 10.33.0.0/16" \
    out-interface=wan1 src-address=10.33.0.0/24
/ip route
add distance=1 gateway=192.168.15.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=222
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=L2TPUser profile=L2TP service=l2tp
/system identity
set name=CRS125-24G-1S-2
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool sniffer
set file-name=sniff

Basically what you want to do is make your wireless interfaces VLAN tagged by setting vlan-id= vlan-mode=use-tag (you have them already) and then make them members of bridgeVLAN. Ditch the bridgeWLAN-* bridges. And use additional vlan interdaces for those extra VLANs … if you actually need them.

Note: in order to use switch chip to offload etgernet pirts you don’t have to have bridge exclusive for those ports. You can add other ports, traffic will still be offloaded for ports capable of doing it.

Here is another example too https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless
it consists of Wifi tagging and Bridge VLAN filtering, similar to what @mkx suggested i think.

Notice, though, i don’t know if it has been mentioned, CRS1xx does not support bridge VLAN filtering in hardware.

Can I have the wireless in the same vlan (in other words, guest lan and wlan in the same vlan) if I’m using the switch chip for the other ports? (I ask in part because that was NOT working)

I believe that’s the foundational part of my question, as many of the docs are for using the CPU, not the switch chip. I’m using the switch chip configuration for the non-wlan interfaces. So I don’t think that’s my problem (based on the support articles I started out with). If that’s wrong, if you could point out where so I can fix it!

Bridge VLAN-filtering was introduced with 6.41. Before that, VLAN tags had to be dealt with by hardware (e.g. switch chip) or device drivers (e.g. wireless driver with settings I mentioned in previous post). Bridge was very similar to “dumb switches”, passing VLAN tags without considering them and only using destination MAC addresses to determine egress port.

The same setup is still possible, also in 7.2 (I’m running ROS 7.2.1 on one of RB951G, featuring AR8327 switch chip which doesn’t offliad bridge vlan filtering).

Thanks! So does that mean if I use only the bridge only for VLAN setup, in the current 6.x I get the same advantages from the switch chip?

(A lot of the resources don’t always specify which version of RouterOS, chip, etc).

With setup you posted in pist #4 above, intra-vlan inter-ethernet traffic is handled by switch chip and thus wirespeed without any impact on CPU load. Only use of multiple bridges to handle wireless traffic is convoluted and probably slightly heavier on CPU than would the simplified setup I proposed even if it was done correctly. And I hesitate to dig into the mess of configuration to see where it might be broken.

OK, well I:
-Moved all the wlan ports to the main bridge
-Removed the 3 WLAN bridges
-All of the virtual wlan interfaces were already use-tag, with the associated vlan.
-Moved all the ip addresses for the virtual wlan interfaces to their associated vlan.
-Added the WLAN vlans to the bridge
-I can’t move the DHCP Server interface(s) to the wireless vlans (error)

Before I did that, DHCP didn’t work, but static addresses on the wireless clients worked. Now wlan DHCP and static addresses appear to work. Will test more!

# may/04/2022 02:59:01 by RouterOS 6.49.6
# software id = AKR0-XZSF
#
# model = CRS125-24G-1S-2HnD
/interface bridge
add name=bridgeVLAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="united states" disabled=no frequency=auto mode=ap-bridge ssid=\
    wlan
/interface ethernet
set [ find default-name=ether23 ] comment="WAN uplink to AT&T" name=wan1
/interface l2tp-server
add name=L2TP-Interface user=ERUUser
/interface vlan
add interface=bridgeVLAN name=vlanDMZ vlan-id=6
add interface=bridgeVLAN name=vlanDMZWlan vlan-id=7
add interface=bridgeVLAN name=vlanGUEST vlan-id=4
add interface=bridgeVLAN name=vlanGUESTWlan vlan-id=5
add interface=bridgeVLAN name=vlanLAN vlan-id=2
add interface=bridgeVLAN name=vlanLANWlan vlan-id=3
add interface=bridgeVLAN name=vlanTH vlan-id=33
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=rgsWireless
add authentication-types=wpa2-psk comment="Wireless LAN" eap-methods="" mode=\
    dynamic-keys name=wlanLAN supplicant-identity=""
add authentication-types=wpa2-psk comment="Wireless GUEST" eap-methods="" \
    mode=dynamic-keys name=wlanGUEST supplicant-identity=""
add authentication-types=wpa2-psk comment="Wireless DMZ" eap-methods="" mode=\
    dynamic-keys name=wlanDMZ supplicant-identity=""
/interface wireless
add comment="wlanDMZ Virtual Interface" disabled=no keepalive-frames=disabled \
    mac-address=DE:2C:6E:3D:F5:06 master-interface=wlan1 multicast-buffering=\
    disabled name=wlanDMZ security-profile=wlanDMZ ssid=sD vlan-id=7 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add comment="wlanGUEST Virtual Interface" disabled=no keepalive-frames=\
    disabled mac-address=DE:2C:6E:3D:F5:05 master-interface=wlan1 \
    multicast-buffering=disabled name=wlanGUEST security-profile=wlanGUEST \
    ssid=sG vlan-id=5 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add comment="wlanLAN Virtual Interface" disabled=no keepalive-frames=disabled \
    mac-address=BA:69:F4:F5:53:C2 master-interface=wlan1 multicast-buffering=\
    disabled name=wlanLAN security-profile=wlanLAN ssid=sL vlan-id=3 \
    vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlanDMZ comment="wlanDMZ Virtual Interface"
set wlanGUEST comment="wlanGUEST Virtual Interface"
set wlanLAN comment="wlanLAN Virtual Interface"
/interface wireless nstreme
set *25 comment="wlanDMZ Virtual Interface"
set *24 comment="wlanGUEST Virtual Interface"
set *22 comment="wlanLAN Virtual Interface"
/ip pool
add name=poolLAN ranges=192.168.2.100-192.168.2.199
add name=poolGUEST ranges=192.168.4.100-192.168.4.199
add name=poolL2TP ranges=10.2.2.50-10.2.2.99
add name=poolDMZ ranges=192.168.6.100-192.168.6.199
add name=poolLANWlan ranges=192.168.3.100-192.168.3.199
add name=poolGUESTWLan ranges=192.168.5.100-192.168.5.199
add name=poolDMZWlan ranges=192.168.7.100-192.168.7.199
/ip dhcp-server
add address-pool=poolLAN disabled=no interface=vlanLAN name=dhcpLAN
add address-pool=poolGUEST disabled=no interface=vlanGUEST name=dhcpGUEST
add address-pool=poolDMZ disabled=no interface=vlanDMZ name=dhcpDMZ
add address-pool=poolLANWlan disabled=no interface=vlanLANWlan name=\
    dhcpLANWlan
add address-pool=poolGUESTWLan disabled=no interface=vlanGUESTWlan name=\
    dhcpGUESTWlan
add address-pool=poolDMZWlan disabled=no interface=vlanDMZWlan name=\
    dhcpDMZWlan
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,1.1.1.1 local-address=10.2.2.1 \
    name=L2TP remote-address=poolL2TP use-encryption=yes
/interface bridge port
add bridge=bridgeVLAN interface=ether2
add bridge=bridgeVLAN interface=ether3
add bridge=bridgeVLAN interface=ether4
add bridge=bridgeVLAN interface=ether5
add bridge=bridgeVLAN interface=ether6
add bridge=bridgeVLAN interface=ether7
add bridge=bridgeVLAN interface=ether8
add bridge=bridgeVLAN interface=ether9
add bridge=bridgeVLAN interface=ether10
add bridge=bridgeVLAN interface=ether11
add bridge=bridgeVLAN interface=ether12
add bridge=bridgeVLAN interface=ether13
add bridge=bridgeVLAN interface=ether14
add bridge=bridgeVLAN interface=ether15
add bridge=bridgeVLAN interface=ether16
add bridge=bridgeVLAN interface=ether17
add bridge=bridgeVLAN interface=ether18
add bridge=bridgeVLAN interface=ether20
add bridge=bridgeVLAN interface=ether21
add bridge=bridgeVLAN interface=ether22
add bridge=bridgeVLAN interface=ether24
add bridge=bridgeVLAN interface=sfp1
add bridge=bridgeVLAN interface=ether1
add bridge=bridgeVLAN interface=wlanLAN
add bridge=bridgeVLAN interface=wlanGUEST
add bridge=bridgeVLAN interface=wlanDMZ
add bridge=bridgeVLAN interface=vlanDMZWlan
add bridge=bridgeVLAN interface=vlanGUESTWlan
add bridge=bridgeVLAN interface=vlanLANWlan
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set rp-filter=strict
/interface ethernet switch egress-vlan-tag
add comment=LAN tagged-ports=ether24,switch1-cpu vlan-id=2
add comment=GUEST tagged-ports=ether24,switch1-cpu vlan-id=4
add comment=DMZ tagged-ports=ether24,switch1-cpu vlan-id=6
add comment=TH tagged-ports=switch1-cpu vlan-id=33
/interface ethernet switch ingress-vlan-translation
add comment=:LAN customer-vid=0 new-customer-vid=2 ports="ether1,ether2,ether3\
    ,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13\
    ,ether14,ether15,ether16" service-dei=0
add comment=GUEST customer-vid=0 new-customer-vid=4 ports=ether17,ether18
add comment=DMZ customer-vid=0 new-customer-vid=6 ports=ether21,ether22
add comment=TH customer-vid=0 new-customer-vid=33 ports=ether19
/interface ethernet switch vlan
add comment=LAN ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,sw\
    itch1-cpu" vlan-id=2
add comment=GUEST ports=ether17,ether18,ether24,switch1-cpu vlan-id=4
add comment=DMZ ports=ether21,ether22,ether24,switch1-cpu vlan-id=6
add comment=TH ports=ether19 vlan-id=33
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=L2TP enabled=yes \
    use-ipsec=required
/ip address
add address=192.168.2.1/24 interface=vlanLAN network=192.168.2.0
add address=192.168.4.1/24 interface=vlanGUEST network=192.168.4.0
add address=192.168.15.3/24 interface=wan1 network=192.168.15.0
add address=192.168.6.1/24 interface=vlanDMZ network=192.168.6.0
add address=10.33.33.34/16 interface=vlanTH network=10.33.0.0
add address=192.168.3.1/24 network=192.168.3.0 interface=vlanLANWlan
add address=192.168.5.1/24 network=192.168.5.0 interface=vlanGUESTWlan
add address=192.168.7.1/24 network=192.168.7.0 interface=vlanDMZWlan
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.36,8.8.8.8 \
    gateway=192.168.2.1 netmask=24
add address=192.168.3.0/24 dns-server=8.8.8.8 \
    gateway=192.168.3.1 netmask=24
add address=192.168.4.0/24 dns-server=8.8.8.8 \
    gateway=192.168.4.1 netmask=24
add address=192.168.5.0/24 dns-server=8.8.8.8  \
    gateway=192.168.5.1 netmask=24
add address=192.168.6.0/24 dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.6.1 netmask=24
add address=192.168.7.0/24 dns-server=8.8.8.8 domain= \
    gateway=192.168.7.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=192.168.2.0-192.168.2.254 list=allowed_to_router
add address=192.0.0.0/24 comment=RFC6890 list=bogons
add address=100.64.0.0/10 comment=RFC6890 list=bogons
add address=240.0.0.0/4 comment=RFC6890 list=bogons
/ip firewall filter
add action=accept chain=forward comment="ALL ICMP Input" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="ALL ICMP INPUT" disabled=yes protocol=\
    icmp
add action=accept chain=output comment="ALL ICMP OUTPUT" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="Accept established related input" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop input: invalid" connection-state=\
    invalid
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="L2TP Ports" dst-port=500,1701,4500 \
    in-interface=wan1 protocol=udp
add action=accept chain=input comment="L2TP ipsec-esp" in-interface=wan1 \
    protocol=ipsec-esp
add action=accept chain=input comment="L2TP ipsec-ah" in-interface=wan1 \
    protocol=ipsec-esp
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=jump chain=input comment="Jump for SSH input" jump-target=SSH \
    protocol=xns-idp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="Allow Input Management" src-address=\
    192.168.2.0/24
add action=drop chain=input comment="block everything else WAN1" \
    in-interface=wan1
add action=drop chain=input comment="drop all input" log=yes log-prefix=\
    "Drop Input:"
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=accept chain=forward comment="Accept established related forward" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop forward: invalid" \
    connection-state=invalid
add action=drop chain=forward comment="VLAN Internet Access Only - GUEST" \
    connection-state=new in-interface=vlanGUEST out-interface=!wan1
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons log=yes log-prefix="DROP BOGON:"
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for SSH forward" jump-target=SSH
add action=drop chain=forward comment="drop all not NAT WAN1" \
    connection-nat-state=!dstnat connection-state=new in-interface=wan1
add action=accept chain=ICMP comment=\
    "Echo request - Avoiding Ping Flood, adjust the limit as needed" \
    icmp-options=8:0 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=drop chain=SSH comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=SSH connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=SSH connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=SSH connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=SSH connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=SSH comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT LAN 192.168.2.0/23" \
    ipsec-policy=out,none out-interface=wan1 src-address=192.168.2.0/23
add action=masquerade chain=srcnat comment="NAT GUEST 192.168.4.0/23" \
    out-interface=wan1 src-address=192.168.4.0/23
add action=masquerade chain=srcnat comment="NAT DMZ 192.168.6.0/23" \
    out-interface=wan1 src-address=192.168.6.0/23
add action=masquerade chain=srcnat comment="NAT TH 10.33.0.0/16" \
    out-interface=wan1 src-address=10.33.0.0/24
/ip route
add distance=1 gateway=192.168.15.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=222
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=L2TPUser profile=L2TP service=l2tp
/system identity
set name=CRS125-24G-1S-2
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool sniffer
set file-name=sniff

You shouldn’t set VLAN interface, anchored to a bridge, as a port of same bridge. This is a huge NO-NO.

MKX what an odd way of phrasing that.
More directly a VLAN does not qualify as a bridge port. An etherport or WLAN port are considered bridge ports.
VLANs are what are tagged and untagged on /interface bridge vlans and for access ports, the access port needs to be identified with the associated PVID on the appropriate /interface bridge port line.

OK, between the two of you you lost me. I thought I had an understanding of how it should be, and got everything working based on what I thought were previous comments.

/interface bridge
add name=bridgeVLAN

/interface vlan
add interface=bridgeVLAN name=vlanDMZ vlan-id=6
add interface=bridgeVLAN name=vlanGUEST vlan-id=4
add interface=bridgeVLAN name=vlanLAN vlan-id=2
add interface=bridgeVLAN name=vlanTH vlan-id=33

/interface bridge port
add bridge=bridgeVLAN interface=ether24
add bridge=bridgeVLAN interface=wlanLAN
add bridge=bridgeVLAN interface=wlanGUEST
add bridge=bridgeVLAN interface=wlanDMZ
add bridge=bridgeVLAN interface=ether1
add bridge=bridgeVLAN interface=ether2
add bridge=bridgeVLAN interface=ether3
add bridge=bridgeVLAN interface=ether4
add bridge=bridgeVLAN interface=ether5
add bridge=bridgeVLAN interface=ether6
add bridge=bridgeVLAN interface=ether7
add bridge=bridgeVLAN interface=ether8
...
add bridge=bridgeVLAN interface=ether24

/interface ethernet switch egress-vlan-tag
add comment=LAN tagged-ports=ether24,switch1-cpu vlan-id=2
add comment=GUEST tagged-ports=ether24,switch1-cpu vlan-id=4
add comment=DMZ tagged-ports=ether24,switch1-cpu vlan-id=6
add comment=TH tagged-ports=ether24,switch1-cpu vlan-id=33

/interface ethernet switch ingress-vlan-translation
add comment=:LAN customer-vid=0 new-customer-vid=2 ports="ether1,ether2,ether3,e\
    ther4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,eth\
    er14,ether15,ether16" service-dei=0
add comment=GUEST customer-vid=0 new-customer-vid=4 ports=ether17,ether18
add comment=DMZ customer-vid=0 new-customer-vid=6 ports=ether21,ether22
add comment=TH customer-vid=0 new-customer-vid=33 ports=ether19,ether20
/interface ethernet switch vlan
add comment=LAN ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,e\
    ther9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,switch\
    1-cpu" vlan-id=2
add comment=GUEST ports=ether17,ether18,ether24,switch1-cpu vlan-id=4
add comment=DMZ ports=ether21,ether22,ether24,switch1-cpu vlan-id=6
add comment=TH ports=ether19,ether20,ether24,switch1-cpu vlan-id=33

This configuration appears to work. Is there something in specific wrong with it? (and why?). Each port is assigned VLAN tags at the switch level which I thought was necessary to utilize the switch chip.