HEX refresh's switch chip, MT7621 dropping BPDU frames

Hey everyone! :slight_smile:

I have a HEX Refresh used as my main router with ether5 acting like a trunk port, going to an RB260GSP. HW offload is enabled on the bridge and on each port. Bridge VLAN filtering is currently enabled and the bridge is set to “admit only VLAN tagged” frame types. Port 5 however can only “admit all” frame types because as soon as I switch it to “admit only VLAN tagged” the STP on the RB260GSP starts discarding frames.

Disabling hardware offloading on ether5 on the hex refresh does allow me to set frame types to “admit only VLAN tagged”. This led me to believe that, once offloaded to the switch chip, the port might be filtering out BPDU frames when not set to “admit all”. This is mainly an assumption as I did not get the time to capture any traffic yet.

Right now, as a workaround, I either leave ether5 on “admit all” or set it to “admit only VLAN tagged” but disable HW offload. I chose the first as this is a home setup and there are no critical security constraints.

Is anyone else experiencing such behavior?
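The hypothesis in the post above (that a switch-chip port set to admit only VLAN-tagged frames discards the untagged BPDUs before the RSTP process ever sees them) can be illustrated with a small frame classifier. This is an added example, not code from the original post or from RouterOS: it parses an Ethernet header with an optional 802.1Q tag, recognises a standard STP/RSTP BPDU (destination 01:80:C2:00:00:00, LLC DSAP/SSAP 0x42, which IEEE 802.1D sends untagged), and applies each RouterOS `frame-types` policy to it. All frames are constructed inline, and the `bpdu_exempt` flag is a modelling assumption for the two forwarding paths the poster compared (software bridge vs. switch chip), not a RouterOS setting.

```python
"""
Ethernet frame classifier showing why a port that admits only VLAN-tagged
frames would drop standard STP/RSTP BPDUs: they are untagged LLC frames.
All frames are constructed for the example; nothing is captured from the
thread's hardware. bpdu_exempt is a modelling assumption, not a RouterOS knob.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional

STP_GROUP_ADDRESS = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group MAC
TPID_CTAG, TPID_STAG = 0x8100, 0x88A8              # 802.1Q / 802.1ad tag identifiers
LLC_SAP_BPDU = 0x42                                # DSAP and SSAP carried by BPDUs
FRAME_TYPES = ("admit-all", "admit-only-vlan-tagged",
               "admit-only-untagged-and-priority-tagged")


@dataclass
class FrameInfo:
    dst: bytes
    src: bytes
    tagged: bool           # frame carries an 802.1Q/802.1ad tag
    vid: Optional[int]     # VLAN id from the tag, None when untagged
    pcp: Optional[int]     # priority code point, None when untagged
    is_bpdu: bool

    @property
    def kind(self) -> str:
        """The three classes that RouterOS frame-types policies distinguish."""
        if not self.tagged:
            return "untagged"
        return "priority-tagged" if self.vid == 0 else "vlan-tagged"


def parse_frame(frame: bytes) -> FrameInfo:
    """Decode the Ethernet header, an optional VLAN tag and the LLC header."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, tagged, vid, pcp = 14, False, None, None
    if ethertype in (TPID_CTAG, TPID_STAG):
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        pcp, vid = tci >> 13, tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset, tagged = 18, True
    # A BPDU is an 802.3 LLC frame: the type field is a length (<= 1500)
    # followed by DSAP 0x42, SSAP 0x42, control 0x03.
    is_bpdu = (dst == STP_GROUP_ADDRESS and ethertype <= 1500
               and len(frame) >= offset + 3
               and frame[offset] == LLC_SAP_BPDU and frame[offset + 1] == LLC_SAP_BPDU)
    return FrameInfo(dst, src, tagged, vid, pcp, is_bpdu)


def admitted(info: FrameInfo, frame_types: str, bpdu_exempt: bool) -> bool:
    """Apply a frame-types policy. bpdu_exempt=True models a path that hands
    BPDUs to the spanning-tree process before the policy applies (what the
    poster saw with HW offload off); False applies the policy literally, as a
    port doing pure ingress filtering on tag presence would."""
    if bpdu_exempt and info.is_bpdu:
        return True
    if frame_types == "admit-all":
        return True
    if frame_types == "admit-only-vlan-tagged":
        return info.kind == "vlan-tagged"
    if frame_types == "admit-only-untagged-and-priority-tagged":
        return info.kind in ("untagged", "priority-tagged")
    raise ValueError(f"unknown frame-types policy: {frame_types}")


def _tagged(dst: bytes, src: bytes, pcp: int, vid: int, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!HHH", TPID_CTAG, (pcp << 13) | vid, ethertype) + payload


SRC_SWITCH = bytes.fromhex("020000000005")   # constructed, locally administered MACs
SRC_HOST = bytes.fromhex("020000000001")
BROADCAST = bytes.fromhex("ffffffffffff")
# Constructed RSTP BPDU: 802.3 length 39 = LLC (3) + BPDU (36); protocol id
# 0x0000, version 2 (RSTP), type 0x02, remaining body zeroed.
BPDU_FRAME = (STP_GROUP_ADDRESS + SRC_SWITCH + struct.pack("!H", 39)
              + bytes([0x42, 0x42, 0x03, 0x00, 0x00, 0x02, 0x02]) + bytes(32))
TAGGED_FRAME = _tagged(BROADCAST, SRC_HOST, 0, 100, 0x0806, bytes(28))      # ARP on VLAN 100
PRIORITY_TAGGED_FRAME = _tagged(BROADCAST, SRC_HOST, 5, 0, 0x0800, bytes(20))  # VID 0, PCP 5
SAMPLE_FRAMES = {"rstp-bpdu": BPDU_FRAME, "arp-vlan100": TAGGED_FRAME,
                 "priority-tagged": PRIORITY_TAGGED_FRAME}


def policy_matrix(bpdu_exempt: bool) -> Dict[str, Dict[str, bool]]:
    """For every sample frame, which frame-types policies admit it."""
    return {name: {p: admitted(parse_frame(f), p, bpdu_exempt) for p in FRAME_TYPES}
            for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for exempt in (False, True):
        print(f"\nbpdu_exempt={exempt}")
        for name, results in policy_matrix(exempt).items():
            cells = "  ".join(f"{p}={'admit' if ok else 'DROP'}" for p, ok in results.items())
            print(f"  {name:16s} {cells}")
```

With `bpdu_exempt=False` the RSTP BPDU is admitted by `admit-all` and by `admit-only-untagged-and-priority-tagged` but dropped by `admit-only-vlan-tagged`, which matches the symptom described: the downstream switch stops receiving BPDUs and its RSTP port state degrades. Capturing on ether5 with HW offload on and off is still the way to confirm which of the two paths the switch chip actually takes.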

Before commenting would have to see what you have done on the config…
/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys )

Sure thing Anav. Here you go!


# 2025-03-05 14:47:35 by RouterOS 7.18.1
# software id = WL2N-TDV4
#
# model = E50UG
# serial number = XXXX
/caps-man channel
add band=5ghz-n/ac frequency=5260,5500,5240,5640 name=802.11ac save-selected=\
    no skip-dfs-channels=no
add band=2ghz-b/g/n name=802.11n
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5300 name=CH60/W20/Ce save-selected=no skip-dfs-channels=no
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5220 name=CH44/W20/Ce save-selected=no skip-dfs-channels=no
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5240 name=CH36/W20/Ce save-selected=no skip-dfs-channels=no
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XXXX \
    frequency=5180,5200,5220,5240 name="802.11ac (noDFS)" save-selected=no \
    skip-dfs-channels=no
add band=5ghz-n/ac control-channel-width=20mhz frequency=5180,5200 name=\
    "802.11ac (noDFS) UNII1-Low" save-selected=no skip-dfs-channels=no
add band=5ghz-n/ac control-channel-width=20mhz frequency=5220,5240 name=\
    "802.11ac (noDFS) UNII1-High" save-selected=no skip-dfs-channels=no
add band=5ghz-n/ac frequency=5500,5520,5540,5560 name=\
    "802.11ac (DFS) UNII-2c-Low" save-selected=no skip-dfs-channels=no
add band=5ghz-n/ac frequency=5580,5600,5620,5640 name=\
    "802.11ac (DFS) UNII-2c-Medium" save-selected=no skip-dfs-channels=no
add band=5ghz-n/ac frequency=5660,5680,5700 name=\
    "802.11ac (DFS) UNII-2c-High" save-selected=no skip-dfs-channels=no
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=Ce \
    frequency=5260 name=CH52/W20/Ce save-selected=no skip-dfs-channels=no
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=eCee \
    frequency=5280 name=CH56/W20/eCee save-selected=no skip-dfs-channels=no
add band=5ghz-n/ac extension-channel=XXXX name=TEST save-selected=no \
    skip-dfs-channels=no
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge-SwitchVlans \
    port-cost-mode=short priority=0 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="RCS&RDS WAN"
set [ find default-name=ether2 ] comment="Reserved for Secondary WAN"
set [ find default-name=ether4 ] comment=Server
set [ find default-name=ether5 ] comment="Switch Birou (Trunk Port)" \
    loop-protect=on
/interface ovpn-client
add auth=sha256 certificate=Colentina cipher=aes256-cbc connect-to=\
    XXXX mac-address=XXXX name=ColentinaSlanic \
    port=4567 protocol=udp tls-version=only-1.2 user=XXXX \
    verify-server-certificate=yes
/interface vlan
add interface=bridge-SwitchVlans name=VLAN_50_Test vlan-id=50
add interface=bridge-SwitchVlans name=VLAN_100_Main vlan-id=100
add interface=bridge-SwitchVlans name=VLAN_101_IoT vlan-id=101
add interface=bridge-SwitchVlans name=VLAN_102_Guest vlan-id=102
add interface=bridge-SwitchVlans name=VLAN_103_OpenVPN vlan-id=103
/caps-man datapath
add bridge=bridge-SwitchVlans client-to-client-forwarding=yes l2mtu=1540 \
    local-forwarding=yes mtu=1500 name=VLAN_100 vlan-id=100 vlan-mode=use-tag
add bridge=bridge-SwitchVlans client-to-client-forwarding=yes l2mtu=1540 \
    local-forwarding=yes mtu=1500 name=VLAN_50 vlan-id=50 vlan-mode=use-tag
add bridge=bridge-SwitchVlans client-to-client-forwarding=yes l2mtu=1540 \
    local-forwarding=yes mtu=1500 name=VLAN_101 vlan-id=101 vlan-mode=use-tag
add bridge=bridge-SwitchVlans client-to-client-forwarding=yes \
    local-forwarding=yes name=VLAN_102 vlan-id=102 vlan-mode=use-tag
/interface pppoe-client
add add-default-route=yes allow=pap default-route-distance=100 disabled=no \
    interface=ether1 name=RCS&RDS use-peer-dns=yes user=XXXX
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=IoT
add authentication-types=wpa2-psk encryption=aes-ccm name=Guest
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=Mikro5
/caps-man configuration
add channel="802.11ac (noDFS) UNII1-Low" country=romania datapath=VLAN_100 \
    installation=indoor name=Mikro5-LivingRoom security=Mikro5 ssid=Mikro5
add channel=802.11n country=romania datapath=VLAN_101 installation=indoor \
    name=IoT security=IoT ssid=IoT
add channel="802.11ac (noDFS) UNII1-High" country=romania datapath=VLAN_101 \
    installation=indoor name=IoT5-Office security=IoT ssid=IoT5
add channel=802.11n country=romania datapath=VLAN_100 installation=indoor \
    name=Mikro2 security=Mikro5 ssid=Mikro2
add channel="802.11ac (noDFS) UNII1-High" country=romania datapath=VLAN_102 \
    installation=indoor name="Alex Guest-Office" security=Guest ssid=\
    "Alex Guest"
add channel="802.11ac (noDFS) UNII1-High" country=romania datapath=VLAN_100 \
    installation=indoor name=Mikro5-Office security=Mikro5 ssid=Mikro5
add channel="802.11ac (noDFS) UNII1-Low" country=romania datapath=VLAN_101 \
    installation=indoor name=IoT5-LivingRoom security=IoT ssid=IoT5
add channel="802.11ac (noDFS) UNII1-Low" country=romania datapath=VLAN_102 \
    installation=indoor name="Alex Guest-LivingRoom" security=Guest ssid=\
    "Alex Guest"
/interface list
add include=all name=LAN
add name=WAN
/interface wifi channel
add disabled=no frequency=2437 name="802.11ax 2.4 (CH6)" width=20mhz
add disabled=no frequency=5745,5765,5785,5805 name="802.11ax UNII-3" \
    skip-dfs-channels=all width=20/40/80mhz
add disabled=no frequency=5200 name="802.11ax UNII-1" width=20/40/80mhz
add disabled=no frequency=5580 name="802.11ax UNII-2c (TDWR)" width=\
    20/40/80mhz
add disabled=no frequency=5680,5660,5700 name="802.11ax UNII-2c (132-144)" \
    width=20/40/80mhz
add disabled=no frequency=5680 name="802.11ax UNII-2c (136/5680)" width=\
    20/40/80mhz
add disabled=no frequency=2412 name="802.11ax 2.4 (CH1)" width=20mhz
add disabled=no frequency=2462 name="802.11ax 2.4 (CH11)" width=20mhz
/interface wifi datapath
add bridge=bridge-SwitchVlans disabled=no name=VLAN_50 vlan-id=50
add bridge=bridge-SwitchVlans disabled=no name=VLAN_100 vlan-id=100
add bridge=bridge-SwitchVlans disabled=no name=VLAN_101 vlan-id=101
add bridge=bridge-SwitchVlans disabled=no name=VLAN_102 vlan-id=102
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=Mikro
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes name=\
    "Alex Guest"
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=IoT
/interface wifi configuration
add channel="802.11ax UNII-2c (132-144)" country=Romania datapath=VLAN_100 \
    disabled=no manager=capsman-or-local mode=ap name=Mikro5-Living security=\
    Mikro ssid=Mikro5
add channel="802.11ax 2.4 (CH6)" datapath=VLAN_100 disabled=no mode=ap name=\
    Mikro2-Living security=Mikro ssid=Mikro2
add channel="802.11ax 2.4 (CH6)" datapath=VLAN_101 disabled=no mode=ap name=\
    IoT-Living security=IoT ssid=IoT
add channel="802.11ax UNII-2c (132-144)" country=Romania datapath=VLAN_101 \
    disabled=no manager=capsman-or-local mode=ap name=IoT5-Living security=\
    IoT ssid=IoT5
add channel="802.11ax UNII-2c (132-144)" country=Romania datapath=VLAN_102 \
    disabled=no manager=capsman-or-local mode=ap name="Alex Guest-Living" \
    security="Alex Guest" ssid="Alex Guest"
add channel="802.11ax UNII-3" country=Romania datapath=VLAN_100 disabled=no \
    manager=capsman-or-local mode=ap name=Mikro5-Bedroom security=Mikro ssid=\
    Mikro5
add channel="802.11ax UNII-3" country=Romania datapath=VLAN_101 disabled=no \
    manager=capsman-or-local mode=ap name=IoT5-Bedroom security=IoT ssid=IoT5
add channel="802.11ax UNII-3" country=Romania datapath=VLAN_102 disabled=no \
    manager=capsman-or-local mode=ap name="Alex Guest-Bedroom" security=\
    "Alex Guest" ssid="Alex Guest"
add channel="802.11ax 2.4 (CH1)" datapath=VLAN_101 disabled=no mode=ap name=\
    IoT-Bedroom security=IoT ssid=IoT
add channel="802.11ax 2.4 (CH1)" datapath=VLAN_100 disabled=no mode=ap name=\
    Mikro2-Bedroom security=Mikro ssid=Mikro2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_VLAN100 ranges=192.168.0.2-192.168.0.254
add name=pool_VLAN50 ranges=192.168.50.2-192.168.50.254
add name=pool_VLAN101 ranges=192.168.101.2-192.168.101.254
add name=pool_VLAN102 ranges=192.168.102.2-192.168.102.254
add name=pool_VLAN103 ranges=192.168.103.2-192.168.103.254
/ip dhcp-server
add address-pool=pool_VLAN100 interface=VLAN_100_Main lease-time=10m name=\
    DHCP-VLAN100
add address-pool=pool_VLAN50 interface=VLAN_50_Test lease-time=10m name=\
    DHCP-VLAN50
add address-pool=pool_VLAN101 interface=VLAN_101_IoT lease-time=10m name=\
    DHCP-VLAN101_IoT
add address-pool=pool_VLAN102 interface=VLAN_102_Guest lease-time=10m name=\
    DHCP-VLAN102_Guest
add address-pool=pool_VLAN103 disabled=yes interface=VLAN_103_OpenVPN name=\
    DHCP-VLAN103_OpenVPN
/ppp profile
add bridge=bridge-SwitchVlans local-address=192.168.103.1 name=OpenVPN \
    remote-address=pool_VLAN103
/caps-man access-list
add action=reject comment="block this address cause it was tryin' to connect" \
    disabled=no mac-address=D8:BF:C0:0B:5C:02
add action=accept disabled=no mac-address=C8:D7:78:48:1D:9A
add action=reject disabled=no signal-range=-120..-70
/caps-man manager
set package-path=/upgrades
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-SwitchVlans
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
    master-configuration=Mikro5-LivingRoom name-format=prefix-identity \
    name-prefix=5Ghz_ radio-mac=XXXX slave-configurations=\
    "IoT5-LivingRoom,Alex Guest-LivingRoom"
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
    master-configuration=Mikro5-Office name-format=prefix-identity \
    name-prefix=5Ghz_ radio-mac=XXXX slave-configurations=\
    "IoT5-Office,Alex Guest-Office"
add action=create-dynamic-enabled hw-supported-modes=b,gn \
    master-configuration=IoT name-format=prefix-identity name-prefix=24Ghz_ \
    slave-configurations=Mikro2
/interface bridge port
add bridge=bridge-SwitchVlans frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge-SwitchVlans frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
add bridge=bridge-SwitchVlans interface=ether5 priority=0x20
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-SwitchVlans tagged=ether5,bridge-SwitchVlans vlan-ids=50
add bridge=bridge-SwitchVlans tagged=ether5,bridge-SwitchVlans vlan-ids=100
add bridge=bridge-SwitchVlans tagged=ether5,bridge-SwitchVlans vlan-ids=101
add bridge=bridge-SwitchVlans tagged=ether5,bridge-SwitchVlans vlan-ids=102
add bridge=bridge-SwitchVlans tagged=bridge-SwitchVlans,ether5 vlan-ids=103
/interface list member
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=RCS&RDS list=WAN
/interface ovpn-server server
add mac-address=XXXX name=ovpn-server1
add auth=sha256,sha512 certificate=SERVER cipher=\
    aes128-cbc,aes256-cbc,aes256-gcm default-profile=OpenVPN disabled=no \
    keepalive-timeout=10 mac-address=XXXX name=OpenVPN_Vlan103 \
    port=7474 protocol=udp push-routes=192.168.0.0/24 redirect-gateway="" \
    require-client-certificate=yes
/interface wifi access-list
add action=reject disabled=no signal-range=-120..-75
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=VLAN_100_Main \
    package-path=/upgrades require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    Mikro5-Bedroom name-format=5Ghz_%I- radio-mac=XXXX \
    slave-configurations="IoT5-Bedroom,Alex Guest-Bedroom" supported-bands=\
    5ghz-a,5ghz-n,5ghz-ac,5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    Mikro5-Living name-format=5Ghz_%I- radio-mac=XXXX \
    slave-configurations="IoT5-Living,Alex Guest-Living" supported-bands=\
    5ghz-a,5ghz-n,5ghz-ac,5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    Mikro2-Bedroom name-format=24GHz-%I- radio-mac=XXXX \
    slave-configurations=IoT-Bedroom slave-name-format=24GHz-%I- \
    supported-bands=2ghz-g,2ghz-n,2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    Mikro2-Living name-format=24GHz-%I- radio-mac=XXXX \
    slave-configurations=IoT-Living slave-name-format=24GHz-%I- \
    supported-bands=2ghz-ax,2ghz-g,2ghz-n
/ip address
add address=192.168.101.1/24 interface=VLAN_101_IoT network=192.168.101.0
add address=192.168.50.1/24 interface=VLAN_50_Test network=192.168.50.0
add address=192.168.0.1/24 interface=VLAN_100_Main network=192.168.0.0
add address=192.168.102.1/24 interface=VLAN_102_Guest network=192.168.102.0
add address=192.168.103.1/24 interface=VLAN_103_OpenVPN network=192.168.103.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.101.0/24 gateway=192.168.101.1
add address=192.168.102.0/24 gateway=192.168.102.1
/ip dns
set mdns-repeat-ifaces=VLAN_101_IoT,VLAN_100_Main
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "defconf: fasttrack (bypass all firewall and queue rules)" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=\
    "ICMP ACCEPT" protocol=icmp
add action=accept chain=forward dst-address-list="ALL INTERNAL VLANS" \
    src-address=192.168.0.0/24
add action=accept chain=forward comment=\
    "Allow access from IoT network to HaaS" dst-address=192.168.0.25 \
    src-address=192.168.101.0/24
add action=accept chain=forward comment=\
    "Alow access to Main network from VPN" dst-address=192.168.0.0/24 \
    src-address=192.168.103.0/24
add action=accept chain=forward connection-nat-state=dstnat in-interface=\
    RCS&RDS
add action=accept chain=input dst-port=7474 protocol=udp
add action=drop chain=input comment="Drop SRI si STS" in-interface=RCS&RDS \
    log=yes log-prefix=DROP_SRI&STS src-address-list=STS_SRI_block
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="Block Remote DNS requests" \
    connection-state=new dst-port=53 in-interface=RCS&RDS log-prefix=DNS \
    protocol=tcp
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
    RCS&RDS log-prefix=DNS protocol=udp
add action=drop chain=input comment="drop https brute forcers" dst-port=443 \
    protocol=tcp src-address-list=https_blacklist
add action=add-src-to-address-list address-list=https_blacklist \
    address-list-timeout=2w chain=input connection-state=new dst-port=443 \
    protocol=tcp src-address-list=https_stage3
add action=add-src-to-address-list address-list=https_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=443 \
    protocol=tcp src-address-list=https_stage2
add action=add-src-to-address-list address-list=https_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=443 \
    protocol=tcp src-address-list=https_stage1
add action=add-src-to-address-list address-list=https_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="DROP ALL SSH" dst-address-list=\
    WAN-IP-ADDR dst-port=22 log-prefix=DROP_ALL_SSH protocol=tcp
add action=drop chain=input comment="Drop bruteforce SSH" log-prefix=DROP_SSH \
    protocol=tcp src-address-list=blacklist_ssh
add action=add-src-to-address-list address-list=blacklist_ssh \
    address-list-timeout=2w chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input comment=\
    ";;; Drop Telnet from any other subnet than main" dst-address-list=\
    WAN-IP-ADDR dst-port=23 log-prefix=DROP_OUTSIDE_TELNET protocol=tcp
add action=drop chain=input comment="Drop Telnet Bruteforcers" dst-port=23 \
    log-prefix=TELNET_BL protocol=tcp src-address-list=blacklist_telnet
add action=add-src-to-address-list address-list=blacklist_telnet \
    address-list-timeout=2w chain=input connection-state=new dst-port=23 \
    log-prefix=TELNET_BL_14d protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    log-prefix=TELNET_BL_S2 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp
add action=drop chain=input comment="Drop FTP at Invalid Password" dst-port=\
    21 log-prefix=FTP_WR_PASS protocol=tcp src-address-list=wr_pwd_ftp
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,3,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=wr_pwd_ftp \
    address-list-timeout=8h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input comment="Drop Port Scanners" \
    log-prefix=PORT_SCAN protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input log-prefix=PORT_SCAN protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input log-prefix=PORT_SCAN protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input log-prefix=PORT_SCAN protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input log-prefix=PORT_SCAN protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input log-prefix=PORT_SCAN protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w chain=input log-prefix=PORT_SCAN protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input log-prefix=PORT_SCAN_BLOCKED src-address-list=\
    port_scanners
add action=drop chain=input comment="Drop External Winbox Access" \
    dst-address-list=WAN-IP-ADDR dst-port=8291 log-prefix=DROP_EXT_WINBOX \
    protocol=tcp
add action=drop chain=input comment="Drop Winbnox access from IoT" dst-port=\
    8291 log-prefix="DROP FROM GUEST/IoT" protocol=tcp src-address=\
    192.168.101.0/24
add action=drop chain=forward connection-state=!established,related \
    dst-address-list="ALL INTERNAL VLANS" src-address-list=\
    "ALL INTERNAL VLANS"
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not EST, REL or DSTNATed" \
    connection-nat-state=!dstnat connection-state=!established,related \
    in-interface-list=WAN log=yes log-prefix=DROPWAN
add action=drop chain=input connection-state=!established,related \
    in-interface-list=WAN log-prefix=Drop_Input_from_WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.0.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat dst-address-list=WAN-IP-ADDR dst-port=80 \
    log-prefix=HTTP_NAT protocol=tcp to-addresses=192.168.0.29 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=WAN-IP-ADDR dst-port=443 \
    log-prefix=HTTPS_NAT protocol=tcp to-addresses=192.168.0.29 to-ports=443
add action=dst-nat chain=dstnat comment="HomeAssistant forwarder" \
    dst-address-list=WAN-IP-ADDR dst-port=2209 log-prefix="HomeAssistant FWS" \
    protocol=tcp to-addresses=192.168.0.25 to-ports=8123
add action=masquerade chain=srcnat out-interface=ColentinaSlanic src-address=\
    192.168.0.0/24
add action=masquerade chain=srcnat out-interface=RCS&RDS src-address-list=\
    "ALL INTERNAL VLANS"
add action=dst-nat chain=dstnat comment="Test rule for RSYNC over SSH" \
    disabled=yes dst-address-list=WAN-IP-ADDR dst-port=4151 protocol=tcp \
    to-addresses=192.168.0.3 to-ports=22
add action=masquerade chain=srcnat comment=\
    "HomeAssitant to Xiaomi Air Purifier NAT" dst-address=192.168.101.253 \
    src-address=192.168.0.25
add action=masquerade chain=srcnat comment=\
    "HomeAssistant to Xiaomi Humidifier NAT" dst-address=192.168.101.233 \
    src-address=192.168.0.25
/ip service
set api address=192.168.0.0/24
set winbox address=192.168.0.0/24,192.168.103.0/24
set api-ssl address=192.168.0.0/24
/ip upnp
set enabled=yes
/ipv6 address
add from-pool=ipv6pool interface=VLAN_100_Main
add from-pool=ipv6pool interface=VLAN_50_Test
add from-pool=ipv6pool interface=VLAN_102_Guest
/ipv6 dhcp-client
add add-default-route=yes interface=RCS&RDS pool-name=ipv6pool request=\
    address,prefix
/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=::/64 list=allowed
/ipv6 firewall filter
add action=accept chain=forward out-interface=RCS&RDS
add action=accept chain=input comment="Ipv6 DHCP Accept" dst-port=546 \
    in-interface=RCS&RDS log=yes log-prefix="IPV6Client Rule" protocol=udp
add action=accept chain=forward log-prefix="Allow ICMPv6 Out" out-interface=\
    RCS&RDS
add action=drop chain=forward comment=\
    "Drop All From WAN not established from inside or related" \
    connection-state=!established,related in-interface=RCS&RDS log-prefix=\
    "IPV6 INPUT DROP"
add action=drop chain=input connection-state=!established,related \
    in-interface=RCS&RDS
/ipv6 nd
set [ find default=yes ] disabled=yes other-configuration=yes
add interface=VLAN_100_Main other-configuration=yes
add interface=VLAN_50_Test other-configuration=yes
add interface=VLAN_102_Guest other-configuration=yes
/ppp secret
add name=XXXX profile=OpenVPN service=ovpn
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=Router
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Well there is your problem, using capsman LOL. It's not even a wifi device… geesh seems like holvoe has infected everyone with his love for capsman. :wink:

  1. Suggest that it's unusual to ‘get cute’ on the main bridge so remove part in Orange.
    Keep the added bits to bridge ports or datapath entries etc…

/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge-SwitchVlans
port-cost-mode=short priority=0 vlan-filtering=yes

  1. Keep interface list simple ( remove bit in orange )
    /interface list
    add include=all name=LAN
    add name=WAN

  2. Modified
    /interface bridge port
    add bridge=bridge-SwitchVlans ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
    add bridge=bridge-SwitchVlans ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
    add bridge=bridge-SwitchVlans ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether5 priority=0x20

  3. Modified
    /interface list member
    add interface=VLAN_50_Test list=LAN
    add interface=VLAN_100_Main list=LAN
    add interface=VLAN_101_IoT list=LAN
    add interface=VLAN_102_Guest list=LAN
    add interface=VLAN_103_OpenVPN list=LAN
    add interface=RCS&RDS list=WAN

  4. Modified
    /interface bridge vlan
    add bridge=bridge-SwitchVlans tagged=ether5,bridge-SwitchVlans untagged=ether3,ether4 vlan-ids=100
    add bridge=bridge-SwitchVlans tagged=ether5,bridge-SwitchVlans vlan-ids=50,101,102,103

  5. WRONG you already are doing WAN via pppoe, this must be disabled.
    /ip dhcp-client
    add interface=ether1 disabled=yes

  6. Keep your firewall chains together, it's much easier to read, keep track of order and spot errors.
    Not going to look at it due to eye strain alone. But I can see a lot of bloat, unnecessary fear-based rules concerned with blocking traffic more than anything.
    You don't need any of it.

Hey there! Thanks for taking your time to actually review my config in that detail.

Yes indeed I use capsman for managing two AX2s but it works like a charm.

I’ll actually implement most of your suggestions.

I filtered frames on the bridge to get rid of VLAN ID 1, but the problem was manifesting itself long before I set that option. I tried getting rid of that again and it seems like no change.
I have ingress filtering enabled on all my ports, it's just not in the config as I used the GUI to set it all up and if you don't touch it, it just uses the default setting. I've explicitly set it to yes though.

So suggestions number 1 and 3 didn’t change anything, that SwOS RSTP still goes into discarding mode as long as i keep HW offload enabled.

With regards to your other findings:
Interface list LAN containing all was definitely a miss. Thanks for pointing that out!
The DHCP client is a relic from the initial setup that I've used to configure the router behind my old router. I likely forgot to disable it after putting it “in production”.
Not sure about keeping my chains together, I think the chaos is because I used winbox and the GUI to write all the firewall rules.

edit:NM

Tss tss tss … Hex Refresh (and even original Hex) is perfect for capsman controller function.
As you should very well know, even a mAP Lite can be used for that function (really, it can, I already did with mAP which is same platform as mAP Lite).

It’s IMHO best to be used on a device without radio since you will not have any possible conflict with e.g. an incompatible radio or the need to configure things just a tiny bit different (which to be honest is only a less than 5% difference from normal capsman but some make a HUGE problem from it).

No problem!
I was making fun, capsman seems to be an interesting tool and useful if you have multiple MT access points…

Vlan-id=1 is the default in the background setting for the single bridge approach on MT devices. Leave it as default, not to worry.

Yes but you can use winbox to re-order the rules.
See below…
Anything capsman ignored since its working fine and also anything that seems okay…

Not saying it will fix your bpdu frame issue but worth a try,

  1. Ensure you change bridge from STP to RSTP. If there is a problem this should fix it!!
    CHECK frame traffic for drops…

  2. Remove loop protect from port to switch I believe this is ethernet 5. Should not make a difference but if 1. doesn't work then we have to try more.
    CHECK frame traffic for drops.

  3. Optional, zero is rarely used for priority setting and is not wrong. The key being hex is lower than 260 so you should be good to go. I prefer something like 2000 on hex and 9000 on 260.

  4. If you have adjusted the config below and steps 1-3 have no change
    THEN

  5. Remove the 0x20 on the /interface bridge port setting for ether5, I have no idea why you have done that, cannot recall seeing that on any other config!!

  6. Regardless here are other items to work on and fix first so the testing above is done on a more efficient setup!

…
/interface bridge
add name=bridge-SwitchVlans port-cost-mode=short priority=2000 vlan-filtering=yes protocol-mode=RSTP { note protocol-mode won't likely show up on export }

/interface list
add name=LAN
add name=TRUSTED
add name=WAN

/interface bridge port { understand ingress-filtering does not show on export }
add bridge=bridge-SwitchVlans frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge-SwitchVlans frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
add bridge=bridge-SwitchVlans interface=ether5

/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge-SwitchVlans tagged=ether5,bridge-SwitchVlans vlan-ids=50
add bridge=bridge-SwitchVlans tagged=ether5,bridge-SwitchVlans vlan-ids=100
add bridge=bridge-SwitchVlans tagged=ether5,bridge-SwitchVlans vlan-ids=101
add bridge=bridge-SwitchVlans tagged=ether5,bridge-SwitchVlans vlan-ids=102

add bridge=bridge-SwitchVlans tagged=bridge-SwitchVlans,ether5 vlan-ids=103

/interface list member
add interface=VLAN_50_Test list=LAN
add interface=VLAN_100_Main list=LAN
add interface=VLAN_101_IoT list=LAN
add interface=VLAN_102_Guest list=LAN
add interface=VLAN_103_OpenVPN list=LAN
add interface=VLAN_100_Main list=TRUSTED
add interface=VLAN_103_OpenVPN list=TRUSTED
add interface=RCS&RDS list=WAN

/ip dhcp-client
add interface=ether1 disabled=yes

/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1

(admin rules)
add action=accept chain=input dst-port=7474 protocol=udp
add action=accept chain=input comment="ADMIN to Router" in-interface-list=TRUSTED
add action=accept chain=input comment="users to Services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="users to Services" dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="DROP everything else"
{ insert this rule but last of all rules }
++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

( admin rules )
add action=accept chain=forward comment="Internet Traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="admin to vlans" in-interface-list=TRUSTED out-interface-list=LAN
add action=accept chain=forward comment="IoT to HaaS" dst-address=192.168.0.25 src-address=192.168.101.0/24
add action=drop chain=forward comment="DROP everything else"

Note: If you have other concerns, we can discuss and figure out the best approach, maybe even consider raw rules. In other words, simplify, clean up, then build up if necessary.

/ip firewall nat { dont mistake sourcenat for routing or firewall chain powers!! }
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat out-interface=RCS&RDS
add action=masquerade chain=srcnat out-interface=ColentinaSlanic

+++++++++++++++++++++++++++
add action=dst-nat chain=dstnat dst-address-list=WAN-IP-ADDR dst-port=80
log-prefix=HTTP_NAT protocol=tcp to-addresses=192.168.0.29 to-ports=80

NO HELL NO → providing an UN-encrypted server is a very very bad bad bad idea.
++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=dst-nat chain=dstnat dst-address-list=WAN-IP-ADDR dst-port=443
log-prefix=HTTPS_NAT protocol=tcp to-addresses=192.168.0.29 to-ports=443

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=dst-nat chain=dstnat comment="HomeAssistant forwarder"
dst-address-list=WAN-IP-ADDR dst-port=2209 log-prefix="HomeAssistant FWS"
protocol=tcp to-addresses=192.168.0.25 to-ports=8123

COMMENT:==> How is Home Assistant protected from access?? IF NOT ENCRYPTED ( just username and password is a joke ) same response!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=dst-nat chain=dstnat comment="Test rule for RSYNC over SSH"
disabled=yes dst-address-list=WAN-IP-ADDR dst-port=4151 protocol=tcp
to-addresses=192.168.0.3 to-ports=22

COMMENT: Confused are you trying to use router for SSH and also have an SSH server on the LAN ??
++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=masquerade chain=srcnat comment=
"HomeAssitant to Xiaomi Air Purifier NAT" dst-address=192.168.101.253
src-address=192.168.0.25
add action=masquerade chain=srcnat comment=
"HomeAssistant to Xiaomi Humidifier NAT" dst-address=192.168.101.233
src-address=192.168.0.25

Comment: Still thinking about these two rules. Confused here, seems like something is missing. WHAT out interface will supply the IP…?

/ip service
set api address=192.168.0.0/24 disabled=yes ??? ( not a secure access method, you have api-ssl already??)

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox

set allowed-interface-list=TRUSTED

Note: Consider other options for servers.
Zerotier will allow you to link user to servers quite easily and securely.
Wireguard another VPN would allow you to give access to servers securely etc.

And this is where you really shine …

Hey Anav,

Thanks again for your time! Let me respond to your suggestions:

  1. It was already set to RSTP
  2. Implemented it with no change
  3. I performed the changes, I now use 1000 on HEX and 2000 on RB260
  4. Deleted it, I believe I put it to 20 out of desperation and forgot about it

So far no change. Once I put the interface to only accept tagged frames, the RSTP on the RB260 starts discarding.

Btw, I saw you picked on me for leaving port 80 open :smiley: and you are right to do so, however I have certificates and HTTPS redirection on all the services exposed. I also have 2FA enabled on both my web server and HomeAssistant and I'm planning to use Cloudflare tunneling in the future so I can close even those ports. Plus I keep the cipher suite for HTTPS quite strict. So it's not a complete disaster. I can't put them behind a VPN as my family is using my web server quite heavily, so a Cloudflare tunnel might be the best solution.

I will investigate what ZeroTier is as I have absolutely no idea.

I used to have a server to RSYNC over SSH. That rule I need to delete indeed as I'm not using it.

I will also look into further optimizing my firewall with your other suggestions, but I need to find time for that.
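The observation above (RSTP on the RB260 discards once ether5 only accepts tagged frames) can be checked offline against a capture: STP BPDUs are sent untagged to the bridge group address, so an ingress filter that admits only VLAN-tagged frames would drop them before the bridge ever sees them. The classifier below is an added example, not code from this thread or from MikroTik; the sample frames are constructed by hand, and `admitted()` is a simplified model of the `frame-types` setting, not the switch chip's actual implementation.

```python
"""Offline check for the thread's hypothesis: a port set to
'admit-only-vlan-tagged' drops untagged BPDUs, so the peer's RSTP never
sees them. Added example; frames below are constructed, not captured."""
import struct

BPDU_MAC = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
TPID_8021Q = 0x8100
LLC_STP = b"\x42\x42\x03"                  # DSAP/SSAP 0x42, UI control field


def classify(frame: bytes) -> dict:
    """Parse the Ethernet header; report 802.1Q tag state and BPDU-ness."""
    if len(frame) < 18:                    # real frames are >= 60 bytes anyway
        raise ValueError("runt frame")
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    tagged = ethertype == TPID_8021Q
    vlan_id = None
    payload_off = 14
    if tagged:
        vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload_off = 18
    # An 802.3 length field (<= 1500) followed by LLC 42 42 03 marks an STP BPDU
    is_bpdu = (dst == BPDU_MAC and ethertype <= 1500
               and frame[payload_off:payload_off + 3] == LLC_STP)
    return {"tagged": tagged, "vlan_id": vlan_id, "is_bpdu": is_bpdu}


def admitted(frame: bytes, frame_types: str) -> bool:
    """Simplified model (assumption) of the bridge port 'frame-types' filter."""
    info = classify(frame)
    priority_tagged = info["tagged"] and info["vlan_id"] == 0
    if frame_types == "admit-all":
        return True
    if frame_types == "admit-only-vlan-tagged":
        return info["tagged"] and not priority_tagged
    if frame_types == "admit-only-untagged-and-priority-tagged":
        return not info["tagged"] or priority_tagged
    raise ValueError(f"unknown frame-types value: {frame_types}")


# Constructed sample frames (not captured from the poster's network).
# Untagged RSTP BPDU: bridge group MAC, 802.3 length 0x27, LLC 42 42 03, body.
BPDU_UNTAGGED = (BPDU_MAC + bytes.fromhex("000000000001") + b"\x00\x27"
                 + LLC_STP + b"\x00\x00\x02\x02" + b"\x00" * 35)
# 802.1Q frame on VLAN 100 carrying IPv4 (inner ethertype 0x0800).
DATA_TAGGED_100 = (bytes.fromhex("ffffffffffff000000000002")
                   + struct.pack("!HH", TPID_8021Q, 100) + b"\x08\x00" + b"\x00" * 46)
```

Feeding raw frames from a sniffer capture of ether5 through `classify()` will show whether BPDUs arrive untagged, which is the case the `admit-only-vlan-tagged` model rejects.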