Help with RB5009/CSS326 VLAN config....

I have been running in circles trying to get this figured out and figured it’s time to ask for help if anyone is willing. I have read multiple articles, watched videos, locked myself out, reset multiple times, etc.

What I have: I have a RB5009, CSS326, cAP ax, and wAP ax. RB5009 - SFP connection to CSS326 - APs plugged into the 326. My hope was not to get too deep down the rabbit hole and tackle only a few things at a time. I have been running this setup for a couple months as is but have wanted to add some VLANs. I was hoping to just keep the default configuration, add some VLANs and go about my business until I’m ready to extend the VLAN configuration to the access points. Everything I keep doing, every guide I follow, I get stuck.

What I’m looking to do:

-RB5009 SFP to CSS326 SFP1 trunk

-ether2 and ether3 on RB5009 for adguard instances on VLAN70 (two rpi for failover)

-cAP ax port 1 on CSS326 (all I “need” at this point is them just to work. Default or VLAN20/50 for now)

-wAP ax port24 on CSS326 (all I “need” at this point is them just to work. Default or VLAN20/50 for now)

-ether8 dedicated management port on RB5009

I attempted to keep the default network intact for devices I’m not ready to move to VLAN yet and wifi access points because my S.O. works from home and me jacking up the internet every night I get home from work is not going well.

My VLAN needs:

VLAN10-Trusted Devices (home server, NAS, desktop pcs, laptops, etc)

VLAN20-General (game consoles, kids phones, printers)

VLAN30-Media (fire tv, nvidia shield, network media receiver)

VLAN40-IoT (samsung appliances, smart sensors)

VLAN50-Guest (guest wifi for…guests)

VLAN60-Security (IP cameras, blue iris nvr)

VLAN70-Services (home assistant, adguard)

VLAN99-Management

I can get so far as getting my fire tv to pull a DHCP address for VLAN30, but I lose all other wired internet devices/APs. Then I start getting locked out of the switch. Somewhere along turning on VLAN filtering or activating the trunk port on the switch. I rolled back to my last functioning point and have the config below. CSS326 I have the VLANs 10-99 on the VLANs page and all ports checked (default). Port19 - my firetv that I have tested with set to strict/untagged. Trunk port sfp1 to enabled/only tagged. This is when I get locked out of the switch.

2026-03-02 20:26:13 by RouterOS 7.20.6

software id = B1KF-Z5SI

model = RB5009UG+S+

serial number =

/interface bridge
add admin-mac=************* auto-mac=no comment="LAN Bridge" name=
LAN_bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1_WAN
set [ find default-name=ether2 ] comment=AdGuard name=ether2_adguard
set [ find default-name=ether8 ] comment=Management name=ether8-management
/interface vlan
add comment="Secure VLAN" interface=LAN_bridge name=VLAN10-secure vlan-id=10
add comment="General VLAN" interface=LAN_bridge name=VLAN20-general vlan-id=
20
add comment="Media VLAN" interface=LAN_bridge name=VLAN30-media vlan-id=30
add comment="IoT VLAN" interface=LAN_bridge name=VLAN40-iot vlan-id=40
add comment="Guest VLAN" interface=LAN_bridge name=VLAN50-guest vlan-id=50
add comment="Security VLAN" interface=LAN_bridge name=VLAN60-security
vlan-id=60
add comment="Services VLAN" interface=LAN_bridge name=VLAN70-services
vlan-id=70
add comment="Management VLAN" interface=LAN_bridge name=VLAN99-management
vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add comment="Default IP Pool" name=dhcp ranges=192.168.88.30-192.168.88.254
add comment="VLAN20-general Pool" name=vlan20-general_pool ranges=
192.168.20.31-192.168.20.254
add comment="VLAN10-secure Pool" name=vlan10-secure_pool ranges=
192.168.10.31-192.168.10.254
add comment="VLAN30-media Pool" name=vlan30-media_pool ranges=
192.168.30.31-192.168.30.254
add comment="VLAN40-IoT Pool" name=vlan40-iot_pool ranges=
192.168.40.31-192.168.40.254
add comment="VLAN60-Security Pool" name=vlan60-security_pool ranges=
192.168.60.31-192.168.60.254
add comment="VLAN50-Guest Pool" name=vlan50-guest_pool ranges=
192.168.50.31-192.168.50.100
add comment="VLAN70-Services Pool" name=vlan70-services_pool ranges=
192.168.70.31-192.168.70.254
add comment="VLAN99-Management Pool" name=vlan99-management_pool ranges=
192.168.99.31-192.168.99.254
/ip dhcp-server
add address-pool=dhcp interface=LAN_bridge name=defconf
add address-pool=vlan10-secure_pool comment="VLAN10 DHCP" interface=
VLAN10-secure lease-time=12h name=VLAN10-secure_dhcp
add address-pool=vlan20-general_pool comment="VLAN20 DHCP" interface=
VLAN20-general lease-time=12h name=VLAN20-general_dhcp
add address-pool=vlan30-media_pool comment="VLAN30 DHCP" interface=
VLAN30-media lease-time=12h name=VLAN30-media_dhcp
add address-pool=vlan40-iot_pool comment="VLAN40 DHCP" interface=VLAN40-iot
lease-time=12h name=VLAN40-iot_dhcp
add address-pool=vlan50-guest_pool comment="VLAN50 DHCP" interface=
VLAN50-guest lease-time=1h name=VLAN50-guest_dhcp
add address-pool=vlan60-security_pool comment="VLAN60 DHCP" interface=
VLAN60-security lease-time=12h name=VLAN60-security_dhcp
add address-pool=vlan70-services_pool comment="VLAN70 DHCP" interface=
VLAN70-services lease-time=12h name=VLAN70-services_dhcp
add address-pool=vlan99-management_pool comment="VLAN99 DHCP" interface=
VLAN99-management lease-time=12h name=VLAN99-management_dhcp
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=LAN_bridge auto-media-sharing=yes auto-smb-sharing=
yes
/interface bridge port
add bridge=LAN_bridge comment=defconf interface=ether2_adguard
add bridge=LAN_bridge comment=defconf interface=ether3
add bridge=LAN_bridge comment=defconf interface=ether4
add bridge=LAN_bridge comment=defconf interface=ether5
add bridge=LAN_bridge comment=defconf interface=ether6
add bridge=LAN_bridge comment=defconf interface=ether7
add bridge=LAN_bridge comment=defconf interface=ether8-management
add bridge=LAN_bridge comment=defconf frame-types=admit-only-vlan-tagged
interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=LAN_bridge tagged=sfp-sfpplus1,LAN_bridge vlan-ids=
10,20,30,40,50,60,70,99
/interface list member
add comment="LAN BRIDGE" interface=LAN_bridge list=LAN
add comment=WAN interface=ether1_WAN list=WAN
add comment="LAN BRIDGE" interface=VLAN30-media list=LAN
add comment="LAN BRIDGE" interface=VLAN20-general list=LAN
add comment="LAN BRIDGE" interface=VLAN10-secure list=LAN
add comment="LAN BRIDGE" interface=VLAN40-iot list=LAN
add comment="LAN BRIDGE" interface=VLAN50-guest list=LAN
add comment="LAN BRIDGE" interface=VLAN60-security list=LAN
add comment="LAN BRIDGE" interface=VLAN70-services list=LAN
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/ip address
add address=192.168.88.1/24 comment=defconf interface=LAN_bridge network=
192.168.88.0
add address=192.168.10.1/24 comment="vlan10 ip" interface=VLAN10-secure
network=192.168.10.0
add address=192.168.20.1/24 comment="vlan20 ip" interface=VLAN20-general
network=192.168.20.0
add address=192.168.30.1/24 comment="vlan30 ip" interface=VLAN30-media
network=192.168.30.0
add address=192.168.40.1/24 comment="vlan40 ip" interface=VLAN40-iot network=
192.168.40.0
add address=192.168.50.1/24 comment="vlan50 ip" interface=VLAN50-guest
network=192.168.50.0
add address=192.168.70.1/24 comment="vlan70 ip" interface=VLAN70-services
network=192.168.70.0
add address=192.168.99.1/24 comment="vlan99 ip" interface=VLAN99-management
network=192.168.99.0
/ip dhcp-client
add comment=defconf interface=ether1_WAN
/ip dhcp-server network
add address=192.168.10.0/24 comment=VLAN10 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.10.1
add address=192.168.20.0/24 comment=VLAN20 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.20.1
add address=192.168.30.0/24 comment=VLAN30 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.30.1
add address=192.168.40.0/24 comment=VLAN40 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.40.1
add address=192.168.50.0/24 comment=VLAN50 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.50.1
add address=192.168.60.0/24 comment=VLAN60 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.60.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
add address=192.168.99.0/24 comment=VLAN99 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/system clock
set time-zone-name=America/Detroit
/system identity
set name="MikroTik RB5009"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Until you set vlan-filtering=yes on the bridge, none of the other VLAN-related settings under /interface/bridge will apply. This includes the frame-types=admit-only-vlan-tagged setting on sfp-sfpplus1 and the /interface bridge vlan settings.

This, however, should not completely break VLAN operation (if the other devices are configured appropriately); it only makes the bridge transparent to VLAN tags, so proper separation of VLAN traffic (from non-member ports) is not enforced and is left to the connected devices, which have to (properly) ignore VLAN-tagged frames if they are not configured for VLANs (which, in the case of Windows, normally does not happen).

So currently it's up to the switch configuration (assuming it's connected to the SFP+ port) for proper VLAN operation. Since it's running SwOS (if I got your description right), somebody else will have to look at the config (unfortunately only screenshots).

In any case, first thing make the ether8-management an offbridge port, so you don't lock yourself out, see:
Once and for all COMPLETE Offbridge Port setup

Classic apples and oranges: if you go VLANs, take the friggen bridge off of the DHCP stuff….
Off-bridge port is 8, better used for management access and safe access.
Remove the old static IP DNS config.
Use a Trusted interface!
If not using IPv6, turn it off.
To access the router, plug a PC into port 8, change its IPv4 settings to 192.168.77.2, and with username and password you should be in.
Any problems you are having will have to do with the CRS326 setup.

```
/interface bridge
# vlan-filtering=yes is what makes the pvid, frame-types and bridge-vlan entries
# below take effect; until it is set they are inert. Enable it last, from the PC
# plugged into ether8, after the 192.168.77.1 login below has been verified.
add admin-mac=************* auto-mac=no comment="LAN Bridge" name=LAN_bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1_WAN
set [ find default-name=ether2 ] comment=AdGuard name=ether2_adguard
set [ find default-name=ether8 ] comment=Management name=ether8-management
/interface vlan
add interface=LAN_bridge name=vlan5-default vlan-id=5
add comment="Secure VLAN" interface=LAN_bridge name=VLAN10-secure vlan-id=10
add comment="General VLAN" interface=LAN_bridge name=VLAN20-general vlan-id=
20
add comment="Media VLAN" interface=LAN_bridge name=VLAN30-media vlan-id=30
add comment="IoT VLAN" interface=LAN_bridge name=VLAN40-iot vlan-id=40
add comment="Guest VLAN" interface=LAN_bridge name=VLAN50-guest vlan-id=50
add comment="Security VLAN" interface=LAN_bridge name=VLAN60-security
vlan-id=60
add comment="Services VLAN" interface=LAN_bridge name=VLAN70-services
vlan-id=70
add comment="Management VLAN" interface=LAN_bridge name=VLAN99-management
vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/ip pool
add comment="Default IP Pool" name=dhcp ranges=192.168.88.30-192.168.88.254
add comment="VLAN20-general Pool" name=vlan20-general_pool ranges=
192.168.20.31-192.168.20.254
add comment="VLAN10-secure Pool" name=vlan10-secure_pool ranges=
192.168.10.31-192.168.10.254
add comment="VLAN30-media Pool" name=vlan30-media_pool ranges=
192.168.30.31-192.168.30.254
add comment="VLAN40-IoT Pool" name=vlan40-iot_pool ranges=
192.168.40.31-192.168.40.254
add comment="VLAN60-Security Pool" name=vlan60-security_pool ranges=
192.168.60.31-192.168.60.254
add comment="VLAN50-Guest Pool" name=vlan50-guest_pool ranges=
192.168.50.31-192.168.50.100
add comment="VLAN70-Services Pool" name=vlan70-services_pool ranges=
192.168.70.31-192.168.70.254
add comment="VLAN99-Management Pool" name=vlan99-management_pool ranges=
192.168.99.31-192.168.99.254
/ip dhcp-server
add address-pool=dhcp interface=vlan5-default name=defconf
add address-pool=vlan10-secure_pool comment="VLAN10 DHCP" interface=
VLAN10-secure lease-time=12h name=VLAN10-secure_dhcp
add address-pool=vlan20-general_pool comment="VLAN20 DHCP" interface=
VLAN20-general lease-time=12h name=VLAN20-general_dhcp
add address-pool=vlan30-media_pool comment="VLAN30 DHCP" interface=
VLAN30-media lease-time=12h name=VLAN30-media_dhcp
add address-pool=vlan40-iot_pool comment="VLAN40 DHCP" interface=VLAN40-iot
lease-time=12h name=VLAN40-iot_dhcp
add address-pool=vlan50-guest_pool comment="VLAN50 DHCP" interface=
VLAN50-guest lease-time=1h name=VLAN50-guest_dhcp
add address-pool=vlan60-security_pool comment="VLAN60 DHCP" interface=
VLAN60-security lease-time=12h name=VLAN60-security_dhcp
add address-pool=vlan70-services_pool comment="VLAN70 DHCP" interface=
VLAN70-services lease-time=12h name=VLAN70-services_dhcp
add address-pool=vlan99-management_pool comment="VLAN99 DHCP" interface=
VLAN99-management lease-time=12h name=VLAN99-management_dhcp
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=LAN_bridge auto-media-sharing=yes auto-smb-sharing=
yes
/interface bridge port
# frame-types must be one of admit-all, admit-only-untagged-and-priority-tagged
# or admit-only-vlan-tagged; "admit-priority-and-untagged" is not accepted.
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2_adguard pvid=5
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=5
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=5
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=5
add bridge=LAN_bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=5
add bridge=LAN_bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=LAN_bridge tagged=sfp-sfpplus1,LAN_bridge vlan-ids=
10,20,30,40,50,60,70,99
add bridge=LAN_bridge tagged=LAN_bridge untagged=ether2_adguard,ether3,ether4,
ether5,ether6,ether7 vlan-ids=5
/interface list member
add comment="LAN BRIDGE" interface=vlan5-default list=LAN
add comment=WAN interface=ether1_WAN list=WAN
add comment="LAN BRIDGE" interface=VLAN30-media list=LAN
add comment="LAN BRIDGE" interface=VLAN20-general list=LAN
add comment="LAN BRIDGE" interface=VLAN10-secure list=LAN
add comment="LAN BRIDGE" interface=VLAN40-iot list=LAN
add comment="LAN BRIDGE" interface=VLAN50-guest list=LAN
add comment="LAN BRIDGE" interface=VLAN60-security list=LAN
add comment="LAN BRIDGE" interface=VLAN70-services list=LAN
add interface=VLAN99-management list=TRUSTED
add interface=ether8-management list=TRUSTED
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlan5-default network=
192.168.88.0
add address=192.168.10.1/24 comment="vlan10 ip" interface=VLAN10-secure
network=192.168.10.0
add address=192.168.20.1/24 comment="vlan20 ip" interface=VLAN20-general
network=192.168.20.0
add address=192.168.30.1/24 comment="vlan30 ip" interface=VLAN30-media
network=192.168.30.0
add address=192.168.40.1/24 comment="vlan40 ip" interface=VLAN40-iot network=
192.168.40.0
add address=192.168.50.1/24 comment="vlan50 ip" interface=VLAN50-guest
network=192.168.50.0
add address=192.168.70.1/24 comment="vlan70 ip" interface=VLAN70-services
network=192.168.70.0
add address=192.168.99.1/24 comment="vlan99 ip" interface=VLAN99-management
network=192.168.99.0
# VLAN60 had no address in the original export; the VLAN60 DHCP server and its
# 192.168.60.1 gateway entry need one on VLAN60-security to hand out leases.
add address=192.168.60.1/24 comment="vlan60 ip" interface=VLAN60-security network=192.168.60.0
add address=192.168.77.1/30 interface=ether8-management network=192.168.77.0
/ip dhcp-client
add comment=defconf interface=ether1_WAN
/ip dhcp-server network
add address=192.168.10.0/24 comment=VLAN10 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.10.1
add address=192.168.20.0/24 comment=VLAN20 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.20.1
add address=192.168.30.0/24 comment=VLAN30 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.30.1
add address=192.168.40.0/24 comment=VLAN40 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.40.1
add address=192.168.50.0/24 comment=VLAN50 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.50.1
add address=192.168.60.0/24 comment=VLAN60 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.60.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
add address=192.168.99.0/24 comment=VLAN99 dns-server=1.1.1.1,8.8.8.8
gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="users to services" in-interface-list=LAN
dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN
dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
# keep the rule above as the last rule in the input chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN
out-interface-list=WAN
add action=accept chain=forward in-interface-list=TRUSTED out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=America/Detroit
/system identity
set name="MikroTik RB5009"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
```

uggg reading buckeye's post below………. switch is SwOS only :frowning:

Don't disable untagged access to the bridge until you get VLANs working on the CSS326 or you have removed a port from the bridge. Then do the rest of the configuration from that dedicated port (or VLAN, if you don't remove a port).

Until you turn on vlan-filtering on the RB5009, the only way you can access the RB5009 from a bridge port is either via untagged traffic to the bridge itself, or via tagged traffic to the VLAN interface. If you remove the ability to access the bridge device itself (by removing the IP address from the bridge), your only option to access the switch is via a VLAN-aware device. This is how people lock themselves out. The RB5009 has no serial console, so that's not an option either.

That's why anav and jaclaz recommend removing a port (in this case ether8) from the bridge, adding an IP address to it, and making sure that it works (you need to add ether8 to a list that has access; anav's example shows TRUSTED).

Once you really understand how it works, it is possible to configure without locking yourself out.

But if the RB5009 is your internet router, and you want to keep peace in the house, it's wise to dedicate an RB5009 port just for management, until you are more familiar with the way things work.

With recent versions of ROS the /interface bridge vlan entries will get dynamically set up by ROS (when you specify a pvid on a bridge port and when you create a VLAN interface).

In the defconf, you can turn on vlan-filtering, and not get locked out. That's because in the defconf, all bridge ports are configured as access ports for vlan 1, and the bridge itself is also in vlan 1.

It is when you start to mess with the bridge interface or setting pvids on bridge ports, or limiting frame-types that you are most likely to lock yourself out.

So anav's recommendation to remove a port for management is because he wants you to remove access to the bridge interface, and without an alternate way in, you will lock yourself out.

Creating a VLAN interface and an access port for that VLAN on the RB5009 before you disable the base bridge is the key to avoiding locking yourself out if you don't remove a port from the bridge dedicated to management. Creating a VLAN interface and access port on the RB5009 is like creating a new door into the house. You still need to verify that you can enter through the new door before going out the front door without a key when the door is locked and it is the latch type (not a deadbolt, where you must lock with a key from the outside).

@Mitchigan Have you seen this documentation for configuring vlans on the CSS326?

This example shows what you need to do for your connection to the RB5009 SFP if you are going to use a "all tagged" trunk link instead of a hybrid trunk link.

This example shows 4 "trunks", one "trunk" with all vlans tagged, and three hybrid links, each with a different "access vlan". All four connections are carrying all the same vlans, the hybrid links just have one of the vlans untagged on the link.
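As an added worked sequence (not posted by anyone in the thread, and not MikroTik's own documentation), here is the "new door" route buckeye describes, ordered so that the lock-out warnings in the first reply and in anav's post are respected: filtering is switched on while every port is still a VLAN 1 access port, a timed rollback is armed before each risky step, and ether8 becomes a VLAN 99 access port that is verified before anything else moves. It keeps ether8 on the bridge as the alternative to anav's off-bridge ether8; the rollback timer in step 0 is useful with either approach. Assumed for illustration: the interface names from the export (LAN_bridge, ether8-management, VLAN99-management, ether2_adguard, VLAN70-services_dhcp), a test PC at 192.168.99.2/24, and a 3-minute rollback window.

```routeros
# Added example, not from the thread. Type it step by step into a terminal
# (WinBox/SSH) from the test PC; names and the 3-minute window are assumptions.

# 0. Dead-man switch: a one-shot scheduler that turns filtering off again unless
#    you delete it in time. It keeps running after your session drops, which is
#    exactly when Safe Mode (Ctrl-X) does not help. Caveat: the computed
#    start-time does not wrap past midnight, so do not arm it just before 00:00.
/system script add name=vlan-revert source="/interface bridge set [find name=LAN_bridge] vlan-filtering=no; /system scheduler remove [find name=vlan-revert]"
/system scheduler add name=vlan-revert interval=0s on-event=vlan-revert \
    start-time=([/system clock get time] + 3m)
/system scheduler print    # confirm next-run is about three minutes away

# 1. Turn filtering on while every bridge port still has pvid=1 and the bridge
#    itself is untagged in VLAN 1: untagged clients keep reaching 192.168.88.1,
#    and the bridge-vlan table now really governs sfp-sfpplus1 (tagged only).
/interface bridge set [find name=LAN_bridge] vlan-filtering=yes
/interface bridge vlan print    # expect a dynamic (D) VLAN 1 entry with the access ports untagged
# Still logged in? Disarm. Re-run step 0 before each change below.
/system scheduler remove [find name=vlan-revert]

# 2. Build the management door. LAN_bridge is already a tagged member of 99 in
#    the explicit bridge-vlan entry, so VLAN99-management (192.168.99.1) gets
#    VLAN 99 traffic; pvid=99 makes ether8 a dynamic untagged member of 99.
/interface bridge port set [find interface=ether8-management] pvid=99 \
    frame-types=admit-only-untagged-and-priority-tagged
# The export's LAN list has no VLAN99-management entry, so "drop all not coming
# from LAN" would reject WinBox/SSH on 192.168.99.1 even though ping works
# (ICMP is accepted earlier). Add it before testing the door.
/interface list member add interface=VLAN99-management list=LAN
# Now, from the PC (static 192.168.99.2/24): ping 192.168.99.1, then log in
# there. Do not remove 192.168.88.1 from the bridge until that login works.
/interface bridge host print where vid=99    # the PC's MAC should be learned on ether8 in VLAN 99

# 3. Only now migrate ports, one or two at a time, from the 192.168.99.1 session.
#    Example: the AdGuard Pi on ether2 becomes an untagged VLAN 70 access port
#    (VLAN 70 is already bridge-tagged, so the Pi reaches 192.168.70.1).
/interface bridge port set [find interface=ether2_adguard] pvid=70 \
    frame-types=admit-only-untagged-and-priority-tagged
/ip dhcp-server lease print where server=VLAN70-services_dhcp    # Pi should hold a 192.168.70.x lease
```

The order matters more than the commands: step 1 is safe only because nothing has a non-default pvid yet, and step 2 is safe only because the bridge address on 192.168.88.1 is still there as the old door. The SFP trunk to the CSS326 needs no change in this sequence; it was already tagged-only, and the switch side has to tag VLAN 99 before the cAP/wAP ports or the switch itself can use the management VLAN.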