CRS328 using RoS doesn't get DHCP address from router

Hello all, I am about to lose my mind and would request some assistance and mercy. I’ve set up a CRS328 and have everything working great for my network. However, the issue is that the only way I can administer the switch is to connect to it and access it by mac address via winbox. I have set the dhcp client to run, but it is just “searching.” Only interface that can be used for the client is the bridge since all other ports are slave to the bridge.

CRS328 is connected via trunk port on ether1/sfp-plus1 to an RB5009. The RB5009 serves 4 subnets: 10.20.100.0/24 [VLAN 100; MGMT VLAN], 10.20.120.0/24 [VLAN 120], 10.20.140.0/24 [VLAN 140], and 10.20.160.0/24 [VLAN 160]. The CRS bridge PVID is 1, vlan-filtering=yes, allow all. ether1/sfp-plus1 are also PVID 1, filtering set to “admit only VLAN tagged”.

I want to believe that the bridge PVID needs to be 100, since that is what the MGMT VLAN is. I’m frazzled and would greatly appreciate a bump in the right direction.

No dont mess with the bridge it should do nothing but bridge…
All vlans and thus dhcp NOT utilizing the bridge etc…

The key is to ensure that all devices after the RB5009 get their IP address from the management vlan. Normally I set those manually and then set at static DHCP lease.
This way winmac access works smoothly and in most cases, just ensure you set in RoS.
neighbours discovery list = Manage (where the management vlan is part of that list)
same with the setting
mac server winmac server interface-list=Manage.

Best thing is to provide your RB5009 config and CRS config to see where a mismatch may be.
Also to clarify where are you trying to connect to the CRS, from what vlan or what PC on what port??

Finally if trying to access using winbox and IP address dont forget you need IPaddress:Port#

+++++++++++++++++++++

In summary, winbox is the best way to access any MT device, what other method did you want to use?

Anav! Look forward to the butt kicking I’m probably about to get.

I’ll leave the bridge alone. I know you are protective of it.

I would like to be able to see the router and switches while connected on the MGMT vlan of my network. This would be via an access port using WinBox. I don’t use anything other than Winbox.

As for the configs, hold on to your butt:

RB5009

# aug/20/2022 21:05:10 by RouterOS 7.4.1
# software id = 7ZLE-935S
#
# model = RB5009UG+S+
# serial number = 
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_MGMT
set [ find default-name=ether5 ] name=ether5_TRUNK
set [ find default-name=ether6 ] name=ether6_MGMT
set [ find default-name=ether7 ] name=ether7_KIDS
set [ find default-name=ether8 ] name=ether8_PARENTS
set [ find default-name=sfp-sfpplus1 ] rx-flow-control=auto speed=1Gbps \
    tx-flow-control=auto
/interface wireguard
add listen-port=51820 mtu=1420 name="Remote Access Wireguard"
add listen-port=51821 mtu=1420 name=Utah
add listen-port=51888 mtu=1420 name=UtahRB5009
/interface vlan
add interface=bridge1 name=CAMERAS_VLAN vlan-id=140
add interface=bridge1 name=KIDS_VLAN vlan-id=120
add interface=bridge1 name=MGMT_VLAN vlan-id=100
add interface=bridge1 name=PARENTS_VLAN vlan-id=160
/interface list
add name=WAN
add name=VLANS
add name=WinAccess
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128 lifetime=8h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc,aes-128-cbc,aes-128-gcm
/ip pool
add name=MGMT_POOL ranges=10.20.100.100-10.20.100.254
add name=KIDS_POOL ranges=10.20.120.100-10.20.120.254
add name=CAMERAS_POOL ranges=10.20.140.100-10.20.140.254
add name=PARENTS_POOL ranges=10.20.160.100-10.20.160.254
/ip dhcp-server
add address-pool=MGMT_POOL interface=MGMT_VLAN lease-time=1h name=MGMT_DHCP
add address-pool=KIDS_POOL interface=KIDS_VLAN lease-time=1h name=KIDS_DHCP
add address-pool=CAMERAS_POOL interface=CAMERAS_VLAN lease-time=1h name=\
    CAMERAS_DHCP
add address-pool=PARENTS_POOL interface=PARENTS_VLAN lease-time=1h name=\
    PARENTS_DHCP
/ppp profile
set *FFFFFFFE bridge=bridge1 use-ipv6=no
/queue type
add kind=fq-codel name=fqcodel
add kind=cake name=cake_WAN_down
add kind=cake name=cake_WAN_up
add kind=cake name=cake_VPN_down
add kind=cake name=cake_VPN_up
add kind=cake name=cake1
add kind=cake name=cake2
/queue simple
add max-limit=100M/25M name=WAN queue=cake_WAN_up/cake_WAN_down target=\
    ether1_WAN total-queue=cake2
add max-limit=25M/10M name=UtahVPN queue=cake_VPN_up/cake_VPN_down target=\
    Utah total-queue=cake1
add disabled=yes dst=Utah max-limit=2M/15M name=FireTVwired queue=\
    fqcodel/fqcodel target=10.200.2.3/32 total-queue=fqcodel
add disabled=yes dst=Utah max-limit=2M/15M name=AppleTV queue=fqcodel/fqcodel \
    target=10.200.2.5/32 total-queue=fqcodel
add disabled=yes dst=Utah max-limit=1M/5M name=KidTablet1 queue=\
    fqcodel/fqcodel target=10.20.20.30/32 total-queue=fqcodel
add disabled=yes dst=Utah max-limit=1M/5M name=KidTablet2 queue=\
    fqcodel/fqcodel target=10.20.20.31/32 total-queue=fqcodel
add disabled=yes dst=Utah max-limit=2M/15M name=FireTVwireless queue=\
    fqcodel/fqcodel target=10.200.2.4/32 total-queue=fqcodel
/routing id
add disabled=no id=192.168.150.254 name=id-1 select-dynamic-id=only-loopback
/routing ospf instance
add disabled=no name=ospf-instance-1 router-id=id-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-1
/routing table
add disabled=no fib name=Utah
add disabled=no fib name=UtahRB5009
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether5_TRUNK
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6_MGMT pvid=100
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7_KIDS pvid=120
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8_PARENTS pvid=160
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=WinAccess
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1,ether5_TRUNK untagged=\
    ether8_PARENTS vlan-ids=160
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1,ether5_TRUNK vlan-ids=140
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1,ether5_TRUNK untagged=\
    ether7_KIDS vlan-ids=120
add bridge=bridge1 tagged=sfp-sfpplus1,bridge1,ether5_TRUNK untagged=\
    ether6_MGMT vlan-ids=100
/interface detect-internet
set detect-interface-list=WAN wan-interface-list=WAN
/interface list member
add interface=ether1_WAN list=WAN
add interface="Remote Access Wireguard" list=VLANS
add interface=Utah list=VLANS
add interface=KIDS_VLAN list=VLANS
add interface=CAMERAS_VLAN list=VLANS
add interface=PARENTS_VLAN list=VLANS
add interface=ether2_MGMT list=WinAccess
add interface=PARENTS_VLAN list=WinAccess
add interface=MGMT_VLAN list=VLANS
add interface=MGMT_VLAN list=WinAccess
add interface="Remote Access Wireguard" list=WinAccess
add interface=Utah list=WinAccess
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=\
    51821 interface=Utah persistent-keepalive=30s public-key=\
    "publickey="
add allowed-address=10.103.103.2/32 interface="Remote Access Wireguard" \
    persistent-keepalive=30s public-key=\
    "publickey="
add allowed-address=0.0.0.0/0 endpoint-address=192.168.88.13 endpoint-port=\
    51888 interface=UtahRB5009 persistent-keepalive=30s public-key=\
    "publickey="
/ip address
add address=10.20.100.1/24 interface=MGMT_VLAN network=10.20.100.0
add address=10.20.120.1/24 interface=KIDS_VLAN network=10.20.120.0
add address=10.102.102.2/30 interface=Utah network=10.102.102.0
add address=10.103.103.1/24 interface="Remote Access Wireguard" network=\
    10.103.103.0
add address=10.20.140.1/24 interface=CAMERAS_VLAN network=10.20.140.0
add address=10.20.160.1/24 interface=PARENTS_VLAN network=10.20.160.0
add address=192.168.99.1/24 interface=ether2_MGMT network=192.168.99.0
add address=10.188.188.2/30 interface=UtahRB5009 network=10.188.188.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m update-time=no
/ip dhcp-client
add interface=ether1_WAN use-peer-dns=no
/ip dhcp-server lease
add address=10.20.120.30 mac-address=10:09:F9:17:CB:1C server=KIDS_DHCP
add address=10.20.120.31 mac-address=74:E2:0C:75:AF:EB server=KIDS_DHCP
add address=10.20.120.5 mac-address=74:40:BB:AA:46:51 server=KIDS_DHCP
add address=10.20.120.40 mac-address=9C:DA:3E:AD:E1:84 server=KIDS_DHCP
add address=10.20.100.13 mac-address=F0:9F:C2:C3:16:DE server=MGMT_DHCP
add address=10.20.100.12 mac-address=80:2A:A8:DE:F4:4A server=MGMT_DHCP
add address=10.20.100.23 mac-address=74:AC:B9:B0:4C:4A server=MGMT_DHCP
add address=10.20.100.10 mac-address=74:83:C2:79:9F:3D server=MGMT_DHCP
add address=10.20.100.22 mac-address=74:AC:B9:B0:4B:EE server=MGMT_DHCP
add address=10.20.100.15 mac-address=CC:32:E5:73:FF:EE server=MGMT_DHCP
add address=10.20.100.11 mac-address=80:2A:A8:1D:A1:3F server=MGMT_DHCP
add address=10.20.100.5 mac-address=00:11:32:21:53:FD server=MGMT_DHCP
add address=10.20.120.35 client-id=1:bc:83:85:7e:a7:85 mac-address=\
    BC:83:85:7E:A7:85 server=KIDS_DHCP
add address=10.20.100.71 client-id=1:b8:31:b5:92:69:d2 mac-address=\
    B8:31:B5:92:69:D2 server=MGMT_DHCP
add address=10.20.100.72 client-id=1:54:8c:a0:df:b6:4b mac-address=\
    54:8C:A0:DF:B6:4B server=MGMT_DHCP
add address=10.20.100.73 client-id=1:a0:78:17:a4:6f:55 mac-address=\
    A0:78:17:A4:6F:55 server=MGMT_DHCP
add address=10.20.140.30 client-id=1:fc:ec:da:1f:5f:c8 mac-address=\
    FC:EC:DA:1F:5F:C8 server=CAMERAS_DHCP
add address=10.20.140.31 client-id=1:fc:ec:da:1f:60:af mac-address=\
    FC:EC:DA:1F:60:AF server=CAMERAS_DHCP
add address=10.20.160.73 mac-address=A0:78:17:A4:6F:55 server=PARENTS_DHCP
add address=10.20.160.4 mac-address=1C:12:B0:66:D9:F3 server=PARENTS_DHCP
add address=10.20.160.5 mac-address=F0:B3:EC:2A:09:C9 server=PARENTS_DHCP
add address=10.20.160.70 mac-address=54:8C:A0:DF:B6:4B server=PARENTS_DHCP
add address=10.20.160.71 mac-address=D6:C4:0E:9E:F7:F7 server=PARENTS_DHCP
add address=10.20.160.72 mac-address=16:7D:64:09:54:1B server=PARENTS_DHCP
add address=10.20.160.3 mac-address=60:6D:3C:17:00:FD server=PARENTS_DHCP
add address=10.20.160.74 mac-address=B8:31:B5:92:69:D2 server=PARENTS_DHCP
add address=10.20.160.75 client-id=1:5c:85:7e:35:72:af mac-address=\
    5C:85:7E:35:72:AF server=PARENTS_DHCP
add address=10.20.120.32 client-id=1:b8:63:4d:b7:fe:f mac-address=\
    B8:63:4D:B7:FE:0F server=KIDS_DHCP
add address=10.20.100.14 client-id=1:8:55:31:91:ad:2b mac-address=\
    08:55:31:91:AD:2B server=MGMT_DHCP
add address=10.20.100.21 client-id=1:80:2a:a8:96:41:cb mac-address=\
    80:2A:A8:96:41:CB server=MGMT_DHCP
add address=10.20.100.7 client-id=\
    ff:33:d9:db:b6:0:2:0:0:ab:11:eb:4a:16:bc:6b:58:7a:f mac-address=\
    E4:5F:01:6C:BF:AD server=MGMT_DHCP
/ip dhcp-server network
add address=10.20.100.0/24 dns-server=10.20.100.7 domain=ooverseas.home \
    gateway=10.20.100.1 ntp-server=10.20.100.1
add address=10.20.120.0/24 dns-server=10.20.100.7 domain=ooverseas.home \
    gateway=10.20.120.1 ntp-server=10.20.120.1
add address=10.20.140.0/24 dns-none=yes domain=overseas.home gateway=\
    10.20.140.1 ntp-server=10.20.140.1
add address=10.20.160.0/24 dns-server=10.20.100.7 domain=overseas.home \
    gateway=10.20.160.1 ntp-server=10.20.160.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=10.20.100.0/24 comment="Local Subnets" list="Local Subnets"
add address=10.10.1.0/24 comment="Utah Subnets" list="Utah Subnets"
add address=10.10.10.0/24 list="Utah Subnets"
add address=10.10.30.0/24 list="Utah Subnets"
add address=10.10.50.0/24 list="Utah Subnets"
add address=10.20.120.0/24 list="Local Subnets"
add address=10.20.160.0/24 list="Local Subnets"
add address=10.20.160.3 comment=Streaming list=Streaming
add address=192.168.88.0/24 list="Local Subnets"
add address=10.20.160.5 list=Streaming
add address=10.102.102.0/24 comment="Utah Wireguard" list="Utah Wireguard"
add address=10.20.120.30 list=Streaming
add address=10.20.120.31 list=Streaming
add address=10.103.103.0/24 list="Local Subnets"
add address=10.20.160.70 comment="Management devices" list=\
    "Management Devices"
add address=10.103.103.0/24 list="Management Devices"
add address=10.20.140.0/24 list="Local Subnets"
add address=10.20.160.71 list="Management Devices"
add address=10.20.160.72 list="Management Devices"
add address=10.20.160.73 list="Management Devices"
add address=10.20.160.74 list="Management Devices"
add address=10.20.160.75 list="Management Devices"
add address=10.20.160.76 list="Management Devices"
add address=10.20.160.4 list=Streaming
add address=10.20.100.100-10.20.100.254 list="Management Devices"
add address=10.10.1.0/24 list="Management Devices"
/ip firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related log-prefix=WHAT
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="allow ssh" dst-port=55512 \
    in-interface=ether1_WAN protocol=tcp
add action=accept chain=input comment="remote access wireguard" dst-port=\
    51820 in-interface=ether1_WAN protocol=udp
add action=accept chain=input comment="utah wireguard" dst-port=51821 \
    in-interface=ether1_WAN protocol=udp
add action=accept chain=input comment="utah wireguard" dst-port=51888 \
    in-interface=ether1_WAN protocol=udp
add action=accept chain=input comment=OSPF protocol=ospf
add action=accept chain=input comment="management devices to router" \
    connection-state="" src-address-list="Management Devices"
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=\
    VLANS protocol=udp
add action=accept chain=input comment=DHCP dst-port=67 in-interface-list=\
    VLANS protocol=udp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=VLANS \
    protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=VLANS protocol=\
    udp
add action=drop chain=input comment="drop everything else" log-prefix=\
    "drop all"
add action=accept chain=forward comment="allow established and related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    log-prefix=invalid
add action=accept chain=forward comment="remote wireguard" in-interface=\
    "Remote Access Wireguard"
add action=accept chain=forward comment=VLANS_DNS_PIHOLE dst-address=\
    10.20.100.7 dst-port=53 in-interface-list=VLANS protocol=tcp
add action=accept chain=forward dst-address=10.20.100.7 dst-port=53 \
    in-interface-list=VLANS log-prefix=KidsDNS protocol=udp
add action=accept chain=forward comment="LAN firewall" in-interface=MGMT_VLAN \
    log-prefix=LAN
add action=accept chain=forward comment="PARENTS firewall" dst-address-list=\
    "Local Subnets" in-interface=PARENTS_VLAN log-prefix=LAN \
    src-address-list="Management Devices"
add action=accept chain=forward dst-address-list="Utah Subnets" in-interface=\
    PARENTS_VLAN out-interface=Utah src-address-list="Management Devices"
add action=accept chain=forward dst-address=10.20.100.5 in-interface=\
    PARENTS_VLAN
add action=accept chain=forward in-interface=PARENTS_VLAN log-prefix=LAN \
    out-interface=ether1_WAN
add action=accept chain=forward comment="PARENTS streaming" in-interface=\
    PARENTS_VLAN log-prefix=streaming out-interface=Utah
add action=accept chain=forward comment="KIDS streaming" in-interface=\
    KIDS_VLAN log-prefix=streaming out-interface=Utah src-address-list=\
    Streaming
add action=accept chain=forward comment="Kids Internet" in-interface=\
    KIDS_VLAN out-interface=ether1_WAN
add action=accept chain=forward comment="Cameras firewall" dst-address=\
    10.20.100.10 in-interface=CAMERAS_VLAN log-prefix=cameras_NVR
add action=drop chain=forward comment="drop everything else" log-prefix=\
    "drop all"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec policy
set 0 dst-address=10.10.50.0/24 src-address=10.200.2.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Utah routing-table=\
    Utah scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=55512
set api disabled=yes
set winbox port=56473
set api-ssl disabled=yes
/ip smb shares
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
/ip ssh
set always-allow-password-login=yes strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/routing ospf interface-template
add area=ospf-area-1 disabled=no interfaces=Utah type=ptp
add area=ospf-area-1 disabled=no interfaces=\
    CAMERAS_VLAN,KIDS_VLAN,PARENTS_VLAN,MGMT_VLAN passive
/routing rule
add action=lookup disabled=no src-address=10.20.100.7/32 table=main
add action=lookup disabled=no dst-address=10.20.100.7/32 src-address=\
    0.0.0.0/0 table=main
add action=lookup-only-in-table disabled=no interface=PARENTS_VLAN \
    src-address=10.20.160.3/32 table=Utah
add action=lookup-only-in-table disabled=no interface=PARENTS_VLAN \
    src-address=10.20.160.4/32 table=Utah
add action=lookup-only-in-table disabled=no interface=PARENTS_VLAN \
    src-address=10.20.160.5/32 table=Utah
add action=lookup-only-in-table disabled=no interface=KIDS_VLAN src-address=\
    10.20.120.30/32 table=Utah
add action=lookup-only-in-table disabled=no interface=KIDS_VLAN src-address=\
    10.20.120.31/32 table=Utah
/snmp
set enabled=yes trap-target=0.0.0.0
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Kuwait
/system identity
set name=Overseas_RB5009
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=1.pool.ntp.org
add address=0.pool.ntp.org
/system routerboard reset-button
set enabled=yes hold-time=30s..0s
/tool bandwidth-server
set enabled=no
/tool graphing
set store-every=24hours
/tool mac-server
set allowed-interface-list=WinAccess
/tool mac-server mac-winbox
set allowed-interface-list=WinAccess
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface=Utah

CRS328

# aug/18/2022 22:00:36 by RouterOS 7.4.1
# software id = H7RS-H84M
#
# model = CRS328-24P-4S+
# serial number = 
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-TRUNK poe-out=off poe-priority=1
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] name=ether3-RB5009
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] name=ether5-LtAP
set [ find default-name=ether6 ] poe-out=off
set [ find default-name=ether7 ] name=ether7-SG5100
set [ find default-name=ether8 ] poe-out=off
set [ find default-name=ether9 ] poe-out=off
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=ether11 ] poe-out=off
set [ find default-name=ether12 ] poe-out=off
set [ find default-name=ether13 ] poe-out=off
set [ find default-name=ether14 ] poe-out=off
set [ find default-name=ether15 ] poe-out=off
set [ find default-name=ether16 ] poe-out=off
set [ find default-name=ether17 ] name=ether17_downstairs
set [ find default-name=ether18 ] poe-out=off
set [ find default-name=ether19 ] poe-out=off
set [ find default-name=ether20 ] poe-out=off
set [ find default-name=ether21 ] name=ether21-NAS poe-out=off
set [ find default-name=ether22 ] name=ether22-AP
set [ find default-name=ether23 ] name=ether23-AP
set [ find default-name=ether24 ] name=ether24-CK
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1-TRUNK
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1-TRUNK
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-RB5009 pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-LtAP pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10 pvid=100
add bridge=bridge interface=ether16
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether22-AP
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether23-AP
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether24-CK pvid=100
add bridge=bridge frame-types=admit-only-vlan-tagged interface=\
    sfp-sfpplus1-TRUNK
add bridge=bridge interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge interface=ether6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7-SG5100 pvid=5
add bridge=bridge interface=ether8
add bridge=bridge interface=ether9
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge frame-types=admit-only-vlan-tagged interface=\
    ether17_downstairs
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether21-NAS pvid=100
add bridge=bridge interface=ether20
add bridge=bridge interface=sfp-sfpplus2
add bridge=bridge interface=sfp-sfpplus3
add bridge=bridge interface=sfp-sfpplus4
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged="sfp-sfpplus1-TRUNK,ether22-AP,ether23-AP,ether1-TRUN\
    K,ether17_downstairs,bridge" vlan-ids=100
add bridge=bridge tagged="ether23-AP,ether22-AP,ether17_downstairs,ether1-TRUN\
    K,bridge,sfp-sfpplus1-TRUNK" vlan-ids=120
add bridge=bridge tagged=\
    bridge,ether1-TRUNK,ether17_downstairs,sfp-sfpplus1-TRUNK vlan-ids=140
add bridge=bridge tagged="bridge,ether1-TRUNK,ether17_downstairs,ether22-AP,et\
    her23-AP,sfp-sfpplus1-TRUNK" vlan-ids=160
/ip dhcp-client
add interface=bridge
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=55512
set api disabled=yes
set winbox port=56473
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system identity
set name=CRS328
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
/system routerboard settings
set boot-os=router-os
/system swos
set allow-from-ports="p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p\
    17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28" allow-from-vlan=100 \
    identity=CRS328 static-ip-address=10.20.100.14

I may have licked this one. I just added a vlan from the ip/interface/vlan menu using the MGMT vlan. Added that to the bridge. Then I set the DHCP client to run on the MGMT VLAN interface and viola! The switch picked up the IP address I had statically set on the RB5009. And I am now able to connect to the switch via IP address on WinBox. Was it really that @!$% easy?

of course, I still welcome any suggestions/input that anav or anyone else might have. This is all being used on a home network so I do try to use best practices but don’t lose any sleep if things aren’t 100% the way they would/should be in an enterprise environment. That said, I am constantly learning and realize there are better, safer, more secure ways to do things that I can then implement in my home network so please fire away.

Yes and NO LOL.

Yes, on the CRS model you need to identify the management VLAN,
/interface vlan
add interface=bridge name=MVLAN vlan-ids=100
but its not a router,
you should remove any IP client reference and any dhcp reference.
/ip dhcp-client
add interface=bridge

You need to add the IP address youve assigned to the CRS34
/ip address
add interface=MVLAN address=10.20.100.??


Add the gateway of the management vlan as the dns server just to be on the safe side.
/ip dns
set allow-remote-requests=yes servers=10.20.100.1 comment=“dns through trusted subnet gateway”
Add the manual route
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.20.100.1 comment=“ensures route avail through trusted subnet gateway”

ADD the interface list…
/interface list
add name=Base

and the associated
/interface list members
add interface=MVLAN list=Base
as usual…
/ip neighbor discovery-settings
set discover-interface-list=Base

as usual…
/tool mac-server mac-winbox
set allowed-interface-list=Base

Recommend setting this to NONE.
/interface detect-internet
set detect-interface-list=WAN wan-interface-list=WAN

Lets understand your CRS ports
ether1 trunk port assuming to ???
ether3 RB 5009 access port, trunk port or hybrid port ???
ether4 trunk port
ether5 access port to ltap ??? Isnt that device supposed to connect to the RB5009???
ether7 access port - SG5100
ether10 is setup as an access port on management vlan100 ??? what purpose???
Reason I ask is that its missing on /interface vlan bridge settings, I f you want to have port that you can access OFF the bridge that would explain it but then why did you note it in /interface bridge ports??? You would need to remove it, only add an ip address for a separate subnet of your choosing and add it to the wininterface list as a member.

ether16 unknown.
ether17 downstairs
ether21 NAS MISSING on bridge ports
ether22 AP trunk port to smart AP
ether23 AP trunk port to smart AP
ether 24 CK access port on management vlan.
sfpplus1-Trunk

???
In summary your assignments are confused and should be cleaned up.
For example it looks like you have to connections to the RB5009, both ether1 and ether5 ???

If you provide a diagram ( and not the confusing one you posted in SWOS LOL) to show everything, the config will be much easier to match up.

Anav, thanks a million. So let me ask you really quick, what is the advantage to setting up the CSR ip and all manually versus letting the switch get a dhcp assignment from the RB5009 which would then tell it what it’s route, dns, etc all was. Is that a preference thing or is there a strong reason I’m too thick to recognize?

On RB looks pretty decent,
Set this to NONE< not using a secure protocol.
/tool mac-server
set allowed-interface-list=[color=#BF8000WinAccess[/color]

Also suggest besides the ether6 management port you take a port OFF the bridge,
assigne an IP address only and then you can access the router separate from the bridge which avoids many headaches.
dont forget to add the IP address you will use to the winbox access list and the firewall Winaccess list…

Like this article… https://forum.mikrotik.com/viewtopic.php?t=181718
add etherX address=192.168.5.1/24
and connect your laptop to that port and type in 192.68.5.5 for your ipv4 settings and your in.

So you would add
etherX to the interface list as a member of Winaccess
and
192.168.5.5 to firewall address list management devices… DO YOU REALLY NEED all those devices access to config the router???

You can sure, but I prefer to choose what IP I want my smart devices to have and typically I assign them outside the pool and in dhcp leases on the router I set them to static leases.
Control freak LOL… There is mininal settings required and I like to do it that way, personal preference…

This is exactly what I have done except on the router end. The pool for the MGNT network starts at 10.20.100.100. I create static entries for all the devices once I get them initially connected. So everything is static and, while the switch will request an IP via DHCP, the router will always give it the one I have statically set, along with all the other info the switch needs. I’m lazy like that. Will review your thoughts on the switch and RB configs. It’s 2331 here where I’m at and my router isn’t going to help me wake up tomorrow so I might have to call it here very soon.

I assume you mean the telnet server one? Done if so…

Also suggest besides the ether6 management port you take a port OFF the bridge,
assigne an IP address only and then you can access the router separate from the bridge which avoids many headaches.
dont forget to add the IP address you will use to the winbox access list and the firewall Winaccess list…

Already had this done via ether2 which has a 192.168.99.1 IP address - no dhcp etc. Port is added to the Winaccess list.

DO YOU REALLY NEED all those devices access to config the router???

No, I’m just very lazy and want to access my stuff from whatever device I might be on at the time. I’ll tighten things up.

ether1 is a trunk port to RB5009 port 5 trunk

ether3 RB 5009 access port, trunk port or hybrid port

ports 3, 5, and 7 are on a vlan 5 which only exists on the switch in order to isolate them. I use the CRS POE to power the 2 x RB5009 and 1 x LtAP. Then, the RB5009’s get their IP addresses via DHCP from the LtAP. Basically, I’ve made a switch within a switch solely for the powering and dhcp assignments/requests of those 3 devices.

ether4 trunk port

ether4, along with a good number of others isn’t used. I know I should remove them from the bridge but the laziness I’ve mentioned wins sometimes.

ether5 access port to ltap ??? Isnt that device supposed to connect to the RB5009???

already explained above

ether7 access port - SG5100

already explained above

ether10 is setup as an access port on management vlan100 ??? > what purpose???
Reason I ask is that its missing on /interface vlan bridge settings, I f you want to have port that you can access OFF the bridge that would explain it but then why did you note it in /interface bridge ports??? You would need to remove it, only add an ip address for a separate subnet of your choosing and add it to the wininterface list as a member.

I set this up just to make sure that the switch was doing what I thought I was telling it to do. Will be removed but an MGMT access port will be created.

ether16 unknown.

unused

ether17 downstairs

yup

ether21 NAS > MISSING on bridge ports

Don’t follow you here, the NAS resides on MGMT vlan 100. Switch port is set up to be an access port for that VLAN.

ether22 AP trunk port to smart AP
ether23 AP trunk port to smart AP
ether 24 CK access port on management vlan.
sfpplus1-Trunk

Mostly right. ether22 and ether23 carry VLAN100, 120, and 160 (no VLAN140). 100 is the management network that the AP resides on. 120 and 160 provide connectivity to the two VLAN-based SSIDs running on the APs. CK only resides on VLAN100 and so it put on an access port.

In summary your assignments are confused and should be cleaned up.
For example it looks like you have to connections to the RB5009, both ether1 and ether5 ???

Think I explained this clearly as to what it accomplishes. If not let me know and I’ll try again.

If you provide a diagram ( and not the confusing one you posted in SWOS LOL) to show everything, the config will be much easier to match up.

I was in rare form yesterday. I am not sure this is needed assuming my explanation to the above made sense. In the end, there are a number of ports that we removed from the bridge or otherwise turned off. One port will be set up as a MGMT access port outside of the bridge.

Up to you…
A diagram will clear my mind and possibly point something out to you that was not obvious, doesnt hurt…

no not telnet but (never use telnet LOL)
mac server set to NONE.

The only one you keep
is mac server winmac server because that uses a secure protocol by MT.