For a while now I’ve had OPNsense act as both firewall and router. I’m working on decoupling that so my CRS354 (192.168.5.3) can act as my core router with my OPNsense (192.168.5.1) upstream from that. 192.168.5.0/24 is my main network (essentially VLAN 1). I have 3 more networks: vlan10 on 192.168.10.0/24; vlan65 on 192.168.65.0/24; vlan99 on 172.16.5.0/24. When I follow the instructions on Mikrotik’s website, for me, only vlan10 ends up with L3HW Offload.
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
# DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
0 As 0.0.0.0/0 192.168.5.1 main 1
DAc 172.16.5.0/24 vlan99 main 0
DAc 192.168.5.0/24 bridge main 0
DAcH 192.168.10.0/24 vlan10 main 0
DAc 192.168.65.0/24 vlan65 main 0
I assume I’m missing something very obvious here and I’m hoping another pair of eyes can point out the issue. Below is output from /export. I’m running latest RouterOS 7.19.
# 2025-05-23 11:59:04 by RouterOS 7.19
# software id = YMTS-7WM1
#
# model = CRS354-48G-4S+2Q+
# serial number = ###
# One bridge with VLAN filtering enabled; every switch port in this export is attached to it.
/interface bridge
add admin-mac=C4:AD:34:DC:FA:9D auto-mac=no comment=defconf name=bridge port-cost-mode=short vlan-filtering=yes
# Port labels only. Going by the comments, ether1 faces the ONT, ether2 the firewall's WAN side
# and sfp-sfpplus3 the firewall's LAN side, so this switch carries both sides of the firewall.
/interface ethernet
set [ find default-name=ether1 ] comment=ONT
set [ find default-name=ether2 ] comment="FW WAN"
set [ find default-name=ether3 ] comment="wall02 IPMI"
set [ find default-name=ether5 ] comment="wall01 IPMI"
set [ find default-name=ether8 ] comment="Upstairs Unifi"
set [ find default-name=ether9 ] comment=pihole
set [ find default-name=ether10 ] comment="martin IPMI"
set [ find default-name=ether12 ] comment="proxmox01 IPMI"
set [ find default-name=ether13 ] comment="Proxmox03 LACP 1"
set [ find default-name=ether14 ] comment="Proxmox02 IPMI"
set [ find default-name=ether15 ] comment="Proxmox03 LACP 2"
set [ find default-name=ether16 ] comment="Proxmox03 IPMI"
set [ find default-name=ether17 ] comment=HDHomerun
set [ find default-name=ether27 ] comment=MOCA
set [ find default-name=ether46 ] comment=APC1500
set [ find default-name=ether47 ] comment="Rack Unifi"
set [ find default-name=ether48 ] comment="Desk Switch"
set [ find default-name=qsfpplus1-1 ] auto-negotiation=no comment="Switch LACP" speed=10G-baseCR
set [ find default-name=qsfpplus1-2 ] auto-negotiation=no
set [ find default-name=qsfpplus1-3 ] auto-negotiation=no
set [ find default-name=qsfpplus1-4 ] auto-negotiation=no
set [ find default-name=qsfpplus2-1 ] comment=martin
set [ find default-name=sfp-sfpplus3 ] comment="FW LAN"
# Routed (L3) interfaces for VLAN IDs 10, 65 and 99 on top of the bridge.
# NOTE(review): this export has no /interface bridge vlan section, so no tagged port membership
# is configured for these VLAN IDs here - confirm that is intended.
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan65 vlan-id=65
add interface=bridge name=vlan99 vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
# Bridge membership for every physical port. Only ether27 sets a pvid (10); all other ports are
# added without one and so presumably use the default PVID.
# NOTE(review): ether1 (ONT), ether2 (FW WAN) and sfp-sfpplus3 (FW LAN) are all added without a
# pvid, the same as the LAN ports. If they are cabled as labelled, the ONT segment and the
# 192.168.5.0/24 LAN share one L2 domain and traffic between them need not cross the firewall -
# TODO confirm cabling. A dedicated VLAN for the ONT/FW-WAN pair keeps the ISP handoff isolated.
# NOTE(review): unlabelled ports are bridged the same way, so a device plugged into any spare
# port lands on that same untagged segment; consider disabling ports that are not in use.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether14 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether15 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether16 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether17 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether18 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether19 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether20 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether21 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether22 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether23 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether24 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether25 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether26 internal-path-cost=10 path-cost=10
# ether27 (labelled MOCA) is the only access port placed in VLAN 10.
add bridge=bridge comment=defconf interface=ether27 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether28 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether29 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether30 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether31 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether32 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether33 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether34 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether35 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether36 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether37 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether38 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether39 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether40 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether41 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether42 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether43 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether44 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether45 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether46 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether47 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether48 internal-path-cost=10 path-cost=10
# Per the reply at the end of this thread, ether49 is the CPU-attached management port; bridging
# it mixes a software port with the hardware-switched ports.
add bridge=bridge comment=defconf interface=ether49 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus1-1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus1-2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus1-3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus1-4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
# Shortens the connection-tracking timeout for UDP entries to 10 seconds.
/ip firewall connection tracking
set udp-timeout=10s
# Turns on L3 hardware offloading for the switch chip. Routes that show the H flag are forwarded
# by the chip itself; the CPU firewall rules further down only see packets that reach the CPU.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ovpn-server server
add mac-address=FE:CD:80:12:5A:F9 name=ovpn-server1
# One address per routed network; the main LAN address sits directly on the bridge here.
/ip address
add address=192.168.5.3/24 comment=defconf interface=bridge network=192.168.5.0
add address=192.168.10.3/24 interface=vlan10 network=192.168.10.0
add address=172.16.5.3/24 interface=vlan99 network=172.16.5.0
add address=192.168.65.3/24 interface=vlan65 network=192.168.65.0
# Relays DHCP from each VLAN to the server at 192.168.5.7 and adds relay information (Option 82);
# relay-info-remote-id is set to an empty string.
/ip dhcp-relay
add add-relay-info=yes dhcp-server=192.168.5.7 disabled=no interface=vlan10 name=vlan10 relay-info-remote-id=""
add add-relay-info=yes dhcp-server=192.168.5.7 disabled=no interface=vlan65 name=vlan65 relay-info-remote-id=""
add add-relay-info=yes dhcp-server=192.168.5.7 disabled=no interface=vlan99 name=vlan99 relay-info-remote-id=""
/ip dns
set servers=192.168.5.7
# The whole filter table: three forward-chain rules for established/related traffic, no drop
# rule and no chain=input rule.
# NOTE(review): nothing here limits access to the switch itself, and the export shows no
# /ip service section, so management services are presumably at their defaults and reachable
# from every VLAN that has an address on this device. An input-chain policy that admits only
# the management subnet, plus disabling unused services, would close that.
# NOTE(review): hw-offload=yes on a fasttrack rule only takes effect on switch chips that
# support FastTrack offloading - TODO confirm for this model.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Default route towards 192.168.5.1 (the OPNsense firewall per the post); HW offload is not
# suppressed for it.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/system clock
set time-zone-name=America/New_York
/system identity
set name=48p
/system routerboard settings
set boot-device=nand-only boot-protocol=dhcp
/system swos
set address-acquisition-mode=static identity=48p static-ip-address=192.168.5.3
I’ve made a few more changes to the config and now I’m getting HW Offload on the vlans, but not on the bridge itself. I suppose I could just create vlan5 on that subnet but before I do that, what else could I be missing?
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
# DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
0 As 0.0.0.0/0 192.168.5.1 main 1
DAcH 172.16.5.0/24 vlan99 main 0
DAc 192.168.5.0/24 bridge main 0
DAcH 192.168.10.0/24 vlan10 main 0
DAcH 192.168.65.0/24 vlan65 main 0
New config. Mostly just changed my qsfp breakout to a bonded lacp to the next switch.
# 2025-05-23 12:42:25 by RouterOS 7.19
# software id = YMTS-7WM1
#
# model = CRS354-48G-4S+2Q+
# serial number = ###
# One bridge with VLAN filtering enabled; every switch port and the bond are attached to it.
/interface bridge
add admin-mac=C4:AD:34:DC:FA:9D auto-mac=no comment=defconf name=bridge port-cost-mode=short vlan-filtering=yes
# Port labels only. ether1 is labelled as facing the ONT and sfp-sfpplus3 as the firewall's LAN
# side; ether2 carries no label in this revision.
/interface ethernet
set [ find default-name=ether1 ] comment=ONT
set [ find default-name=ether3 ] comment="wall02 IPMI"
set [ find default-name=ether5 ] comment="wall01 IPMI"
set [ find default-name=ether8 ] comment="Upstairs Unifi"
set [ find default-name=ether9 ] comment=pihole
set [ find default-name=ether10 ] comment="martin IPMI"
set [ find default-name=ether12 ] comment="proxmox01 IPMI"
set [ find default-name=ether13 ] comment="Proxmox03 LACP 1"
set [ find default-name=ether14 ] comment="Proxmox02 IPMI"
set [ find default-name=ether15 ] comment="Proxmox03 LACP 2"
set [ find default-name=ether16 ] comment="Proxmox03 IPMI"
set [ find default-name=ether17 ] comment=HDHomerun
set [ find default-name=ether27 ] comment=MOCA
set [ find default-name=ether46 ] comment=APC1500
set [ find default-name=ether47 ] comment="Rack Unifi"
set [ find default-name=ether48 ] comment="Desk Switch"
set [ find default-name=qsfpplus1-1 ] auto-negotiation=no comment="Switch LACP" speed=10G-baseCR
set [ find default-name=qsfpplus1-2 ] auto-negotiation=no
set [ find default-name=qsfpplus1-3 ] auto-negotiation=no
set [ find default-name=qsfpplus1-4 ] auto-negotiation=no
set [ find default-name=qsfpplus2-1 ] comment=martin
set [ find default-name=sfp-sfpplus3 ] comment="FW LAN"
# Routed (L3) interfaces for VLAN IDs 10, 65 and 99 on top of the bridge.
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan65 vlan-id=65
add interface=bridge name=vlan99 vlan-id=99
# 802.3ad (LACP) bond over the four qsfpplus1 breakout lanes; this is the uplink to the next
# switch according to the post.
/interface bonding
add mode=802.3ad name=switch-bond slaves=qsfpplus1-1,qsfpplus1-2,qsfpplus1-3,qsfpplus1-4 transmit-hash-policy=layer-2-and-3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
# Bridge membership for every physical port plus the bond. Only ether27 sets a pvid (10); all
# other members are added without one and so presumably use the default PVID.
# NOTE(review): ether1 (labelled ONT) is bridged without a pvid, the same as the LAN ports and
# sfp-sfpplus3 (FW LAN). If it is cabled as labelled, the ONT segment shares an L2 domain with
# the 192.168.5.0/24 LAN - TODO confirm cabling. A dedicated VLAN keeps the ISP handoff isolated.
# NOTE(review): unlabelled ports are bridged the same way, so a device plugged into any spare
# port lands on that same untagged segment; consider disabling ports that are not in use.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether14 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether15 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether16 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether17 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether18 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether19 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether20 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether21 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether22 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether23 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether24 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether25 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether26 internal-path-cost=10 path-cost=10
# ether27 (labelled MOCA) is the only access port placed in VLAN 10.
add bridge=bridge comment=defconf interface=ether27 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether28 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether29 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether30 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether31 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether32 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether33 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether34 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether35 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether36 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether37 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether38 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether39 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether40 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether41 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether42 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether43 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether44 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether45 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether46 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether47 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether48 internal-path-cost=10 path-cost=10
# Per the reply at the end of this thread, ether49 is the CPU-attached management port; bridging
# it mixes a software port with the hardware-switched ports.
add bridge=bridge comment=defconf interface=ether49 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
# The LACP bond joins the bridge as a single port in place of its four member lanes.
add bridge=bridge interface=switch-bond
# Shortens the connection-tracking timeout for UDP entries to 10 seconds.
/ip firewall connection tracking
set udp-timeout=10s
# VLANs 10, 65 and 99 are carried tagged on ether8, qsfpplus2-1 and the bond; all three trunks
# carry all three VLANs.
/interface bridge vlan
add bridge=bridge tagged=ether8,qsfpplus2-1,switch-bond vlan-ids=10,65,99
# Turns on L3 hardware offloading for the switch chip. Routes that show the H flag are forwarded
# by the chip itself; the CPU firewall rules further down only see packets that reach the CPU.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ovpn-server server
add mac-address=FE:CD:80:12:5A:F9 name=ovpn-server1
# One address per routed network; the main LAN address still sits directly on the bridge.
/ip address
add address=192.168.5.3/24 comment=defconf interface=bridge network=192.168.5.0
add address=192.168.10.3/24 interface=vlan10 network=192.168.10.0
add address=172.16.5.3/24 interface=vlan99 network=172.16.5.0
add address=192.168.65.3/24 interface=vlan65 network=192.168.65.0
# Relays DHCP from each VLAN to the server at 192.168.5.7 and adds relay information (Option 82);
# relay-info-remote-id is set to an empty string.
/ip dhcp-relay
add add-relay-info=yes dhcp-server=192.168.5.7 disabled=no interface=vlan10 name=vlan10 relay-info-remote-id=""
add add-relay-info=yes dhcp-server=192.168.5.7 disabled=no interface=vlan65 name=vlan65 relay-info-remote-id=""
add add-relay-info=yes dhcp-server=192.168.5.7 disabled=no interface=vlan99 name=vlan99 relay-info-remote-id=""
/ip dns
set servers=192.168.5.7
# The whole filter table: three forward-chain rules for established/related traffic, no drop
# rule and no chain=input rule.
# NOTE(review): nothing here limits access to the switch itself, and the export shows no
# /ip service section, so management services are presumably at their defaults and reachable
# from every VLAN that has an address on this device. An input-chain policy that admits only
# the management subnet, plus disabling unused services, would close that.
# NOTE(review): hw-offload=yes on a fasttrack rule only takes effect on switch chips that
# support FastTrack offloading - TODO confirm for this model.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Default route towards 192.168.5.1 (the OPNsense firewall per the post); HW offload is not
# suppressed for it.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/system clock
set time-zone-name=America/New_York
/system identity
set name=48p
/system routerboard settings
set boot-device=nand-only boot-protocol=dhcp
/system swos
set address-acquisition-mode=static identity=48p static-ip-address=192.168.5.3
The more I think about this, you wouldn’t see hardware offloading on the bridge interface because any forwarding that happens within that network is happening at L2 (switching), not L3, and thus L3 offloading isn’t necessary. I just tested this with iperf3 and I can saturate 10Gb from within 192.168.5.0/24 without the CPU going above 2%.
I guess my new issue is clearly using CPU when routing upstream to my firewall. I have 1Gbps fiber service and if I do a speedtest from a client within 192.168.5.0/24, the CRS354 CPU spikes to 100% and my overall speed is limited. I’m not exactly sure how to solve this part. Hoping someone has some input here to help.
Hrm, my suspicion with HW Offload on 192.168.5.0/24 was somewhat correct. Transfers within 192.168.5.0/24 are at wirespeed since it’s L2. Transfers between HW Offloaded vlans are at wirespeed (ie, vlan65 to vlan10). However, vlan65 to bridge (or vice versa) I hit the CPU and line speed tanks. I think I’ve resigned to the fact
My upstream route also isn’t HW Offloaded which leads me to believe I need to not configure the bridge itself and move everything into their own vlans.
Well, it seems I was correct. I created vlan5 and moved the bridge subnet (192.168.5.0/24) onto that. Once I redid all the ports to match the new PVID, I turned on HW Offload and now all the routes are offloaded.
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
# DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
0 AsH 0.0.0.0/0 192.168.5.1 main 1
DAcH 172.16.5.0/24 vlan99 main 0
DAcH 192.168.5.0/24 vlan5 main 0
DAcH 192.168.10.0/24 vlan10 main 0
DAcH 192.168.65.0/24 vlan65 main 0
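The final config if it helps anyone is attached. Now I can focus my attention on switch ACLs to limit some of the inter-vlan traffic, since hardware-offloaded routes are forwarded by the switch chip and do not pass through the CPU’s firewall filter rules.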
# 2025-05-23 15:04:52 by RouterOS 7.19
# software id = YMTS-7WM1
#
# model = CRS354-48G-4S+2Q+
# serial number = ###
# One bridge with VLAN filtering enabled; every switch port and the bond are attached to it.
/interface bridge
add admin-mac=C4:AD:34:DC:FA:9D auto-mac=no comment=defconf name=bridge port-cost-mode=short vlan-filtering=yes
# Port labels only. ether1 is labelled as facing the ONT and sfp-sfpplus3 as the firewall's LAN
# side; ether2 carries no label in this revision.
/interface ethernet
set [ find default-name=ether1 ] comment=ONT
set [ find default-name=ether3 ] comment="wall02 IPMI"
set [ find default-name=ether5 ] comment="wall01 IPMI"
set [ find default-name=ether8 ] comment="Upstairs Unifi"
set [ find default-name=ether9 ] comment=pihole
set [ find default-name=ether10 ] comment="martin IPMI"
set [ find default-name=ether12 ] comment="proxmox01 IPMI"
set [ find default-name=ether13 ] comment="Proxmox03 LACP 1"
set [ find default-name=ether14 ] comment="Proxmox02 IPMI"
set [ find default-name=ether15 ] comment="Proxmox03 LACP 2"
set [ find default-name=ether16 ] comment="Proxmox03 IPMI"
set [ find default-name=ether17 ] comment=HDHomerun
set [ find default-name=ether27 ] comment=MOCA
set [ find default-name=ether46 ] comment=APC1500
set [ find default-name=ether47 ] comment="Rack Unifi"
set [ find default-name=ether48 ] comment="Desk Switch"
set [ find default-name=qsfpplus1-1 ] auto-negotiation=no comment="Switch LACP" speed=10G-baseCR
set [ find default-name=qsfpplus1-2 ] auto-negotiation=no
set [ find default-name=qsfpplus1-3 ] auto-negotiation=no
set [ find default-name=qsfpplus1-4 ] auto-negotiation=no
set [ find default-name=qsfpplus2-1 ] comment=martin
set [ find default-name=sfp-sfpplus3 ] comment="FW LAN"
# Routed (L3) interfaces on top of the bridge. vlan5 is new in this revision and takes over the
# 192.168.5.0/24 network that was previously addressed on the bridge itself.
/interface vlan
add interface=bridge name=vlan5 vlan-id=5
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan65 vlan-id=65
add interface=bridge name=vlan99 vlan-id=99
# 802.3ad (LACP) bond over the four qsfpplus1 breakout lanes; this is the uplink to the next
# switch according to the post.
/interface bonding
add mode=802.3ad name=switch-bond slaves=qsfpplus1-1,qsfpplus1-2,qsfpplus1-3,qsfpplus1-4 transmit-hash-policy=layer-2-and-3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
# Bridge membership for every physical port plus the bond. Ports in use for the main LAN now
# carry pvid=5, ether27 stays on pvid=10, and every other port is added without a pvid and so
# presumably stays on the default PVID.
# NOTE(review): ether1 (labelled ONT) has no pvid, so it shares the default untagged VLAN with
# ether2 and all unlabelled ports. A device plugged into any spare port would sit on the same
# L2 segment as the ONT - TODO confirm whether that is intended; a dedicated VLAN for the ISP
# handoff and disabling unused ports would avoid it.
# NOTE(review): this export shows no /tool mac-server or /ip neighbor discovery-settings
# section, so those are presumably at defaults; confirm that MAC-level management and neighbor
# discovery are not answered on the ONT-facing segment.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether9 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether10 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether12 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether13 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether14 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether15 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether16 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether17 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether18 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether19 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether20 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether21 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether22 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether23 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether24 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether25 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether26 internal-path-cost=10 path-cost=10
# ether27 (labelled MOCA) is the only access port placed in VLAN 10.
add bridge=bridge comment=defconf interface=ether27 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=ether28 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether29 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether30 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether31 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether32 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether33 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether34 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether35 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether36 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether37 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether38 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether39 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether40 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether41 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether42 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether43 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether44 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether45 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether46 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether47 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=ether48 internal-path-cost=10 path-cost=10 pvid=5
# Per the reply at the end of this thread, ether49 is the CPU-attached management port; it is
# still a bridge member here, on the default PVID.
add bridge=bridge comment=defconf interface=ether49 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-1 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=qsfpplus2-2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=qsfpplus2-4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10 pvid=5
add bridge=bridge comment=defconf interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
# The bond carries the main LAN untagged (pvid=5); it is also listed as a tagged member for
# VLANs 10, 65 and 99 in /interface bridge vlan.
add bridge=bridge interface=switch-bond pvid=5
# Shortens the connection-tracking timeout for UDP entries to 10 seconds.
/ip firewall connection tracking
set udp-timeout=10s
# VLANs 10, 65 and 99 are carried tagged on ether8, qsfpplus2-1 and the bond; all three trunks
# carry all three VLANs. VLAN 5 has no entry here and is assigned through port pvid only.
/interface bridge vlan
add bridge=bridge tagged=ether8,qsfpplus2-1,switch-bond vlan-ids=10,65,99
# Turns on L3 hardware offloading for the switch chip. With every route showing the H flag,
# routed inter-VLAN packets are forwarded by the chip and do not reach the CPU, so the
# /ip firewall filter rules below do not police them; inter-VLAN restrictions belong in switch
# ACL rules, which the author names as the next step.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ovpn-server server
add mac-address=FE:CD:80:12:5A:F9 name=ovpn-server1
# One address per routed network; the main LAN address now sits on vlan5 instead of the bridge.
/ip address
add address=192.168.5.3/24 comment=defconf interface=vlan5 network=192.168.5.0
add address=192.168.10.3/24 interface=vlan10 network=192.168.10.0
add address=172.16.5.3/24 interface=vlan99 network=172.16.5.0
add address=192.168.65.3/24 interface=vlan65 network=192.168.65.0
# Relays DHCP from each VLAN to the server at 192.168.5.7. Compared with the earlier exports,
# add-relay-info is no longer set and each relay now names its own VLAN address as local-address.
/ip dhcp-relay
add dhcp-server=192.168.5.7 disabled=no interface=vlan10 local-address=192.168.10.3 name=vlan10
add dhcp-server=192.168.5.7 disabled=no interface=vlan65 local-address=192.168.65.3 name=vlan65
add dhcp-server=192.168.5.7 disabled=no interface=vlan99 local-address=172.16.5.3 name=vlan99
/ip dns
set servers=192.168.5.7
# The whole filter table: three forward-chain rules for established/related traffic, no drop
# rule and no chain=input rule.
# NOTE(review): nothing here limits access to the switch itself, and the export shows no
# /ip service section, so management services are presumably at their defaults and reachable
# from every VLAN that has an address on this device. An input-chain policy that admits only
# the management subnet, plus disabling unused services, would close that.
# NOTE(review): hw-offload=yes on a fasttrack rule only takes effect on switch chips that
# support FastTrack offloading - TODO confirm for this model.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Default route towards 192.168.5.1 (the OPNsense firewall per the post); HW offload is not
# suppressed for it.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.5.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/system clock
set time-zone-name=America/New_York
/system identity
set name=48p
/system routerboard settings
set boot-device=nand-only boot-protocol=dhcp
/system swos
set address-acquisition-mode=static identity=48p static-ip-address=192.168.5.3
EdPa
May 30, 2025, 1:24pm
6
The HW routing did not get enabled on the bridge interface because you have a mix of HW and SW ports bridged (the ether49 management port is directly connected to the CPU, not switched). If you remove ether49 from the /interface bridge port menu (/in/br/port), you should see the “H” flag appear for the related routes.