Hi, I was with an IT team last week.
They were extending and inheriting a network from me.
I have Cube 60Pro ac units bridging two buildings.
Rough idea of setup:
Remote building:
Cube 60Pro ac, with a vlan 3 virtual interface for management
TP Link 2000 series L2+ switch, management on vlan 3
Aruba 615 WiFi access points.
The team were provisioning many VLANs and WiFi SSIDs on their Arubas.
Local / main building:
Brocade 6450 switch
Fortinet 100F, running DHCP relay from a multitude of new VLANs over to a Windows Server DC acting as main DHCP server
Mikrotik CCR-2004-16G-2S+ still running the management VLAN (3) that I had put in place, for now. with DHCP on that management VLAN, and providing upstream internet access to the Forti, until adequate public IP subnet can be provisioned by the ISP.
Everything into a 16 port 10G core switch (TP Link 3016 SFP+)
The issue:
The default VLAN (non-tagged ‘default’) was set to 2200.
The Aruba 615 WiFi AP that they put on the remote side, would not receive the DHCP replies in this instance. Confirmed with wireshark as well as Forti packet capture.
A laptop connected to the same switches would receive it no problem.
I ran a 100 meter cable between the buildings from the same switch ports as the Cube radios, and the problem was also gone.
I am not 100% sure because I was just handing over and trying to help, but was not manging the VLANs or the Fortinet or the DHCP server, but I seem to remember that we saw that using another VLAN ID was OK, such as 200 which they were using for general office.
I think we tried as much as we could but in the end, it seems like the Cube radios were not working the same as a direct CAT6 cable did.
I think we tried looking at the MTU. We updated firmware from 7.17.2 to 7.19.1.
We found that putting the default VLAN back to id=1 worked OK.
Interestingly, if I put a vlan interface and dhcp server on VLAN 2200 on the CCR2004, it worked. They got their IP from it. but not the relayed DHCP from Forti ↔ Windows.
Any ideas? Most bizarre, and we lost a lot of time on it. We had to statically-configure the IPs of those APs on that side of the road in the end, and of course the Forti/Aruba fans from the IT team will be blaming the ‘unknown’ Mikrotik 
I’d like to find an explanation if anyone can help.
Here is a config export from the remote side. They are pretty much as they come out of the box, except for added vlan interface. I added vlan-2200 as a test, in case it somehow made the radios ‘aware’ of it more-so.. unlikely but worth a shot and made no difference.
# 2025-06-07 14:39:45 by RouterOS 7.19.1
# software id = US3Q-5W3U
#
# model = CubeG-5ac60ay
# serial number = HD108B9WZQ3
/interface bridge add admin-mac=18:FD:74:88:8D:1B auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ethernet set [ find default-name=ether1 ] loop-protect=off
/interface wireless set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no frequency=auto hide-ssid=yes installation=outdoor mode=bridge ssid=P6_to_P7_bridge wps-mode=disabled
/interface w60g set [ find ] disabled=no mode=bridge name=wlan60-1 ssid=MikroTik-888d1b
/interface w60g station add comment=defconf mac-address=04:CE:14:FA:5D:5F name=wlan60-station-1 parent=wlan60-1 remote-address=04:CE:14:FA:5D:6B
/interface vlan add interface=bridge name=vlan3-management vlan-id=3
/interface vlan add interface=bridge name=vlan2200 vlan-id=2200
/interface bonding add comment=defconf mode=active-backup name=bond1 primary=wlan60-station-1 slaves=wlan60-station-1,wlan1
/interface list add name=Management
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/snmp community set [ find default=yes ] addresses=192.168.3.18/32,192.168.3.16/32
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=bond1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking set udp-timeout=10s
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface list member add interface=vlan3-management list=Management
/interface ovpn-server server add auth=sha1,md5 mac-address=FE:6B:25:9A:30:1F name=ovpn-server1
/ip dhcp-client add interface=vlan3-management
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/routing bfd configuration add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/snmp set contact="Carl Farrington" enabled=yes
/system clock set time-zone-name=Europe/London
/system gps set port=gps set-system-time=yes
/system identity set name="P6 Cube 60Pro"
/tool mac-server set allowed-interface-list=Management
/tool mac-server mac-winbox set allowed-interface-list=Management
/tool sniffer set file-name=capture filter-interface=bridge
and here is the local/main side:
# 2025-06-07 14:42:02 by RouterOS 7.19.1
# software id = E3S2-SJ88
#
# model = CubeG-5ac60ay
# serial number = HD1089CT6JY
/interface bridge add admin-mac=18:FD:74:88:8D:0F auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireless set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no frequency=auto installation=outdoor mode=station-bridge ssid=P6_to_P7_bridge
/interface w60g set [ find ] disabled=no mode=station-bridge name=wlan60-1 ssid=MikroTik-888d1b
/interface vlan add interface=bridge name=vlan3-management vlan-id=3
/interface vlan add interface=bridge name=vlan2200 vlan-id=2200
/interface bonding add comment=defconf mode=active-backup name=bond1 primary=wlan60-1 slaves=wlan60-1,wlan1
/interface list add name=Management
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/snmp community set [ find default=yes ] addresses=192.168.3.18/32,192.168.3.16/32
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=bond1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking set udp-timeout=10s
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface list member add interface=vlan3-management list=Management
/interface ovpn-server server add auth=sha1,md5 mac-address=FE:34:62:62:CB:55 name=ovpn-server1
/ip dhcp-client add interface=vlan3-management
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/routing bfd configuration add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/snmp set contact="Carl Farrington" enabled=yes
/system clock set time-zone-name=Europe/London
/system gps set port=gps set-system-time=yes
/system identity set name="P7 Cube 60Pro"
/tool mac-server set allowed-interface-list=Management
/tool mac-server mac-winbox set allowed-interface-list=Management