Edge switch between FW & ISP

Hi folks! Thank you in advance for reading, and double thanks if you choose to help.

I’ve got 2 firewalls in active/passive which need to communicate to a single ISP. Currently, $20 unmanaged switch is doing the trick. I needed the capability to port mirror for a security appliance, as well as redundant power supplies, so the CRS305-1G-4S+ seemed perfect for the job. Here’s an overview:

Because an unmanaged switch works no problem, I’ve been bashing my head into a wall trying to figure out how to configure this CRS305 to simply act in the same way. VLAN 1000 is arbitrary. As soon as I move cables from the unmanaged switch to the CRS305, internet connectivity is lost, and never recovers. Plugging cables back into the old switch, connectivity is restored in <5 seconds. I’m clearly lacking critical information, but my Cisco/HP/Dell skills are next to useless when configuring RouterOS.

To confirm that I’m not a total idiot, I connected a couple of laptops to SFP1 and SFP4 using random IPs on the same subnet (i.e. 123.123.123.1/24 and 123.123.123.2/24), and they were able to ping each other no problem. What’s the special sauce I’m missing here?

[admin@CRS305] > export hide-sensitive compact 
# 1970-01-16 05:43:13 by RouterOS 7.12.1
# software id = U730-MHG3
#
# model = CRS305-1G-4S+
# serial number = 
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=MGMT vlan-id=99
/interface ethernet switch
set 0 mirror-source=sfp-sfpplus4 mirror-target=sfp-sfpplus3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus4 pvid=1000
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=1000
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=99
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 pvid=1000
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 vlan-ids=99
add bridge=bridge1 untagged=ether1 vlan-ids=99
/ip address
add address=10.99.0.2/24 interface=MGMT network=10.99.0.0
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl address=10.99.0.0/24,10.90.0.0/24 certificate=www-ssl-Server disabled=no
set api disabled=yes
set winbox address=10.99.0.0/24,10.90.0.0/24
set api-ssl disabled=yes
/system identity
set name=CRS305
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

From what I see in your config, you haven’t defined the entry for vlan1000 in /interface bridge vlan
You need to define vlan1000 in there as well, like you have defined for vlan99.
As you have indicated the pvid in /interface bridge port you can avoid specifying the untagged port, as those with pvid being set will get automatically added as untagged for the vlan they are member of. For the same reason, as you have defined pvid for vlan99, you can omit the second line about untagged for vlan99.

I figured out the issue. Everything was OK with my config, except for 1 thing: bridges have RSTP enabled by default. After disabling it, everything works flawlessly.

This may be the case for other people dealing with high-availability and ISP connections, so hopefully my struggles help someone else!

To fix via CLI, add the following to your bridge configuration:

protocol-mode=none

For example:

/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes

To fix via GUI:

• Go to either Interfaces or Bridge and double click on the bridge present
• Expand STP and set Protocol Mode to

none

• Apply