How to access a MikroTik switch via two VLANs & two addresses!?

I would like to manage my Mikrotik CRS317 via two ways / routes.

  1. via the console port, in the same way as after a factory reset (via IP address 192.168.88.1, gateway on 192.168.88.10)
  2. via a management VLAN (via IP address 192.168.10.2, gateway on 192.168.10.1)

Configuration is as follows
Ports 1 - 16 are configured as a managed switch with multiple VLANs. One of them is vlan10, which is the VLAN with the 192.168.10.0/24 address range. Via that VLAN I can manage the switch. Vlan10 has a couple of members: port1, which I use for local management; the trunk towards my router; and the bridge.

Vlan88 is the other VLAN I would like to use for switch management. That route should work a) under normal conditions but b) also after a factory reset. Vlan88 is connected to the console port. Vlan88 has two members: the bridge (managed) and the console port (unmanaged, pvid '88', accept tagged and untagged).

The console port is normally connected untagged via network vlan88 to my router. To access vlan88 from another VLAN, the router NATs the original source address into the router's gateway address (192.168.88.10), so that the MikroTik switch thinks the remote PC is in the same VLAN (vlan88).

The problem is that it does not work :weary_face:

I did try a couple of things to solve the issue: a second bridge, creating a VRF, a second routing table, etc.

Bottom line: I did not manage.

The closest I could get was a situation where it was more or less working with a local PC (with a fixed IP in the 88 range) connected to the console port. Via network vlan88 it was not working at all. The problem was that the CRS317 was not reacting to ARP requests (who owns 192.168.88.1, the switch). The only sign of life there … MNDP messages …

So, I hope someone can explain which setting I need to make this work!

I really do not understand what you are trying to accomplish.
Is the switch connected to an upstream router that provides VLANs, DHCP etc., and if so, what make/model?
On that router, have you set up a management VLAN?
Typically what I do on most MT devices is take one port off any bridge and make it an OffBridge port for safe access and configuration changes, so that I don't get accidentally kicked out due to an error while doing configuration.

Normally I use the management VLAN. However, the management access via the console port is just a backup. Perhaps overdone, but I like to have a backup, especially here since I had frequent issues with a previous CRS317 running older RouterOS versions (the current version is much better).

So I think that I try to create an 'OffBridge port' via the console LAN, in your terms. By the way, all my switches and routers have fixed addresses. I am not using DHCP for that type of equipment.

Hi there, so yes, we are on the same page then: you are using the console port as an OffBridge port.
And yes, all smart devices have fixed IP addresses, but on the management VLAN.

Post your config and I will see what is going on.
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)

Also, you didn't mention the router upstream; I will assume all VLANs are coming into the switch on a trunk port.

Yep, the router is pfSense, which connects to a 2.5G switch and to the CRS317 10G switch. Both are connected via a trunk, in the case of the CRS in the form of a LAGG (bonding in MikroTik terms).

In the past I was considering using the CRS also as an emergency/backup router. But using the CRS partly as router/FW and for the rest as a managed switch was too complicated.

So the actual config is quite straightforward: the CRS as an (advanced) managed switch. It is just that I like to have a second access path to the CRS next to the management LAN, which arrives via the LAGG.

The config file I attach is a slightly modified version of the situation before I did all kinds of changes trying to make management via two routes work (which I did not really manage).

20251022_PortsAndVlansMinorChanges.rsc (7.0 KB)

You have ether1/Console in the bridge. Take that interface out of the bridge and put the IP address directly on the interface. Also, you don’t have vlan filtering enabled on the bridge.

I see, thanks for the explanation, and cstarritt has probably pointed out the main issues!
How were you going to use the CRS as a backup router? Do you mean if the ISP went down, or do you mean if the pfSense blew up for some reason? If it's the latter, then do you mean unplugging the pfSense from the ISP modem and plugging into the CRS? If so, it should not be hard to set up, in terms of having all the rules ready to go, just disabled.

  1. Missing stuff for security setup such as interface list, interface list members.
  2. Missing the management VLAN definition???
  3. Modified /interface bridge entry
  4. Failed to identify management VLAN, needs address - for example I have
    given the switch 192.168.10.2, assuming it's the management VLAN with vlanid=100
  5. Don't see ether1 console defined???
  6. Defined sfp1, sfp7, sfp15, sfp16 like other ports for frame type
  7. MISSING LAGPORT on bridge ports???
  8. Since all VLANs come from the pfSense, every /interface vlan entry should have LaggpfSense as a tagged entry. Only the management VLAN needs the bridge tagged.
  9. Your settings appear wrong;
    for example, your bridge ports state that sfp4 is an access port for vlan40,
    while your bridge vlan states that sfp5 is the access port for vlan40 and sfp4 is a trunk port??? Also sfp1 was tagged instead of untagged, while on bridge ports it is defined as an access port.
    I have fixed them to what I think they should be, but since you didn't have any comments for the bridge ports I could be messing stuff up.
  10. The management VLAN should go to every smart device attached to the switch... and it appears you have many trunk ports but most do not get the management VLAN. Very confusing. I have added the management VLAN to them.
  11. Port TRUNK WK was very confusing, as you have it as a trunk port but then in bridge ports gave it a pvid of 50, so I will assume it's a HYBRID port, expecting vlan50 untagged with all other VLANs tagged.
  12. Be advised vlan100 doesn't go anywhere: it arrives at the switch but has no destination. Future traffic??
  13. Ordered bridge vlans lowest to highest vlanid for easy reading.

RECOMMEND making all changes from a laptop connected to the console port.
Modify the laptop IPv4 settings to 192.168.55.2 and with username and password you can make the rest of the changes.

So, first modify the ether1 name to the below.
Add the console address.
Add the interface list and interface list members.
Then you should be able to access the router on the port.

The reason to do this is that MTs are finicky when you apply bridge changes, and thus being off the bridge allows you not to get kicked offline if the router burps. Safer!! So I know you use ether1 for management, which is fine, but console off-bridge use is recommended when making any bridge changes.

/interface bridge
add admin-mac=08:55:31:67:62:2A auto-mac=no comment=defconf name=bridge \
    frame-types=admit-only-vlan-tagged vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise="1G-baseT-full,1G-baseX,2.5G-\
    baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR" name=\
    01_MngtLan
set [ find default-name=sfp-sfpplus2 ] advertise="1G-baseT-half,1G-baseT-full,\
    1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR\
    " name=02_FiberNT
set [ find default-name=sfp-sfpplus3 ] advertise="1G-baseT-full,1G-baseX,2.5G-\
    baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR" name=\
    03_Vlan06
set [ find default-name=sfp-sfpplus4 ] advertise="1G-baseT-full,1G-baseX,2.5G-\
    baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR" name=\
    04_FritzboxMK
set [ find default-name=sfp-sfpplus5 ] advertise="1G-baseT-full,1G-baseX,2.5G-\
    baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR" name=\
    05_SW-N&L
set [ find default-name=sfp-sfpplus6 ] advertise="1G-baseT-half,1G-baseT-full,\
    1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR\
    " name=06_KVM-SW-MK
set [ find default-name=sfp-sfpplus7 ] advertise="100M-baseT-half,100M-baseT-f\
    ull,1G-baseT-half,1G-baseT-full,1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10\
    G-baseT,10G-baseSR-LR,10G-baseCR" name=07_DirectConn
set [ find default-name=sfp-sfpplus8 ] advertise="100M-baseT-full,1G-baseT-hal\
    f,1G-baseT-full,1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-base\
    SR-LR,10G-baseCR" name=08_IOT-MK
set [ find default-name=sfp-sfpplus9 ] advertise="1G-baseT-half,1G-baseT-full,\
    1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR\
    " l2mtu=9084 mtu=9000 name=09_pfSenseLagg
set [ find default-name=sfp-sfpplus10 ] advertise="1G-baseT-half,1G-baseT-full\
    ,1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseC\
    R" l2mtu=9084 mtu=9000 name=10_pfSenseLagg
set [ find default-name=sfp-sfpplus11 ] advertise="1G-baseT-half,1G-baseT-full\
    ,1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseC\
    R" name=11_InterSwitchLnk
set [ find default-name=sfp-sfpplus12 ] advertise="1G-baseT-half,1G-baseT-full\
    ,1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseC\
    R" l2mtu=9084 mtu=9000 name=12_Lion
set [ find default-name=sfp-sfpplus13 ] advertise="1G-baseT-half,1G-baseT-full\
    ,1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseC\
    R" l2mtu=9084 mtu=9000 name=13_Panda
set [ find default-name=sfp-sfpplus14 ] advertise="100M-baseT-half,100M-baseT-\
    full,1G-baseT-half,1G-baseT-full,1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,1\
    0G-baseT,10G-baseSR-LR,10G-baseCR" name=14_Wasbeertje
set [ find default-name=sfp-sfpplus15 ] advertise="1G-baseT-half,1G-baseT-full\
    ,1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseC\
    R" l2mtu=9084 mtu=9000 name=15_MAIN
set [ find default-name=sfp-sfpplus16 ] advertise="1G-baseT-half,1G-baseT-full\
    ,1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseC\
    R" l2mtu=9084 mtu=9000 name=16_TrunkWK
set [ find default-name=ether1 ] name=Console
/interface bonding
add mode=802.3ad mtu=9000 name=LaggpfSense slaves=\
    09_pfSenseLagg,10_pfSenseLagg transmit-hash-policy=layer-2-and-3
/interface vlan
add interface=bridge name=vlanMGMT  vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface list
add name=TRUSTED
/interface bridge port
add bridge=bridge frame-types=admit-priority-and-untagged interface=01_MngtLan \
    pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=02_FiberNT
add bridge=bridge frame-types=admit-only-vlan-tagged interface=03_Vlan06
add bridge=bridge frame-types=admit-priority-and-untagged interface=04_FritzboxMK \
    pvid=40
add bridge=bridge frame-types=admit-only-vlan-tagged interface=05_SW-N&L
add bridge=bridge frame-types=admit-only-vlan-tagged interface=06_KVM-SW-MK
add bridge=bridge frame-types=admit-priority-and-untagged interface=07_DirectConn \
    pvid=230
add bridge=bridge frame-types=admit-priority-and-untagged interface=08_IOT-MK \
    pvid=30
add bridge=bridge comment="Bonded ports to pfsense" \
    frame-types=admit-only-vlan-tagged interface=LaggpfSense
add bridge=bridge frame-types=admit-only-vlan-tagged interface=11_InterSwitchLnk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=12_Lion
add bridge=bridge frame-types=admit-only-vlan-tagged interface=13_Panda
add bridge=bridge frame-types=admit-priority-and-untagged interface=14_Wasbeertje \
    pvid=14
add bridge=bridge frame-types=admit-priority-and-untagged interface=15_MAIN \
    pvid=50
add bridge=bridge comment="Hybrid Port??" frame-types=admit-all \
    interface=16_TrunkWK pvid=50
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list members
add interface=vlanMGMT list=TRUSTED
add interface=Console list=TRUSTED
/ip address
add address=192.168.10.2/24 interface=vlanMGMT network=192.168.10.0
add address=192.168.55.1/30 interface=Console network=192.168.55.0
/interface bridge vlan
add bridge=bridge comment=WAN-IPTV tagged=LaggpfSense,02_FiberNT vlan-ids=4
add bridge=bridge comment=INTERNET tagged=LaggpfSense,02_FiberNT,\
  03_Vlan06  vlan-ids=6
add bridge=bridge comment="Voip (old)" tagged=LaggpfSense,02_FiberNT vlan-ids=7
add bridge=bridge comment=MngtLan tagged=bridge,LaggpfSense,11_InterSwitchLnk,\
    02_FiberNT,03_Vlan06,05_SW-N&L,06_KVM-SW-MK,16_TrunkWK,12_Lion,13_Panda \
    untagged=01_MngtLan vlan-ids=10
add bridge=bridge comment=ConsoleLan tagged=LaggpfSense,11_InterSwitchLnk,\
   06_KVM-SW-MK vlan-ids=12
add bridge=bridge comment=Wasbeertje tagged=LaggpfSense untagged=\
    14_Wasbeertje vlan-ids=14
add bridge=bridge comment=GreenZone tagged=LaggpfSense,12_Lion,13_Panda,\
16_TrunkWK   vlan-ids=18
add bridge=bridge comment=IOT-LAN tagged=LaggpfSense untagged=08_IOT-MK \
    vlan-ids=30
add bridge=bridge comment=PCLAN tagged=LaggpfSense,11_InterSwitchLnk,\
    05_SW-N&L untagged=04_FritzboxMK vlan-ids=40
add bridge=bridge comment=PRIV10G tagged=LaggpfSense untagged=\
    15_MAIN,16_TrunkWK vlan-ids=50
add bridge=bridge comment=Applications tagged=LaggpfSense,12_Lion,13_Panda,\
 16_TrunkWK  vlan-ids=70
add bridge=bridge comment=ServerLan tagged=LaggpfSense,12_Lion,13_Panda,\
  16_TrunkWK vlan-ids=80
add bridge=bridge comment=RedZone tagged=LaggpfSense vlan-ids=100
add bridge=bridge comment=DomainWebsite tagged=LaggpfSense,12_Lion,16_TrunkWK \
    vlan-ids=110
add bridge=bridge comment=DomainElise tagged=LaggpfSense,16_TrunkWK,12_Lion \
    vlan-ids=120
add bridge=bridge comment=DomainGroetjes tagged=LaggpfSense,12_Lion,\
    16_TrunkWK vlan-ids=130
add bridge=bridge comment=DirectConn tagged=LaggpfSense,11_InterSwitchLnk \
    untagged=07_DirectConn vlan-ids=230
/ip dns
set servers=192.168.10.1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.1 \
    routing-table=main suppress-hw-offload=no
/system swos
set address-acquisition-mode=static allow-from-vlan=2001 identity=CRS_317 \
    static-ip-address=10.0.0.254
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

I probably have to remove the console port from the bridge, or do what I did try: adding a second bridge.

Related to VLAN filtering on the bridge, I do not understand that at all. I mean, you have to define a particular VLAN and pvid there … so that feels like 'an ACL' to limit access to the bridge. So in my case I would set the VLAN to 10, my management VLAN. What to do with the pvid … I would set it to 10 as well.

Note that if my assumption that the VLAN filter is a kind of 'ACL' is correct, I can only access the bridge via one VLAN, whereas I would like to have access via a VLAN and via the console port using another VLAN and/or IP.

However, note that I was not yet finished configuring the switch. The first thing I would like to achieve is access to the CRS CPU via two 'interfaces'.

If vlan-filtering=no is configured, the bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode, and cannot modify VLAN tags of packets. Turning on vlan-filtering enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode. Besides joining the ports for Layer2 forwarding, the bridge itself is also an interface therefore it has Port VLAN ID (pvid).

Without VLAN filtering enabled on the bridge, the proper single-bridge configuration for hardware offload just doesn't work properly with VLANs.

I would leave the bridge pvid as 1, and create a management vlan interface assigned to the bridge interface instead:

/interface vlan add interface=bridge name="vlan10 mgmt" vlan-id=10

Set the management VLAN on the bridge to have the bridge itself as a tagged interface. You already did this with:

/interface bridge vlan add bridge=bridge comment=MngtLan tagged=\
    LaggpfSense,bridge,16_TrunkWK,01_MngtLan vlan-ids=10

And finally, put the IP address on the management vlan interface:

/ip address add address=192.168.10.2/24 interface="vlan10 mgmt" network=192.168.10.0

Then enable bridge VLAN filtering with safe mode on, in case your setup is incorrect, as this setting can lock you out of the switch.
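Added example, not code from cstarritt, anav or the original poster: a small Python linter that applies the checks raised in this thread to the text of a RouterOS `/export`. It flags `vlan-filtering=no` while a bridge vlan table exists, a VLAN interface on the bridge whose VLAN does not list the bridge itself as tagged, access ports (`admit-priority-and-untagged` with a pvid) that are not untagged members of their pvid or that appear as tagged members, trunk ports (`admit-only-vlan-tagged`) that appear as untagged members, and IP addresses placed directly on the bridge. The embedded export is constructed for the example; the interface names `sfp1`, `sfp4`, `sfp5` and `lagg` are made up and deliberately reproduce the mismatches described in the posts above.

```python
"""Lint a RouterOS /export for the bridge-VLAN mistakes raised in this thread.
Added example, not code from the thread; SAMPLE_EXPORT is constructed and its
interface names (sfp1, sfp4, sfp5, lagg) are made up."""
import re
from collections import defaultdict

SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge vlan-filtering=no
/interface vlan
add interface=bridge name="vlan10 mgmt" vlan-id=10
/interface bridge port
add bridge=bridge frame-types=admit-priority-and-untagged interface=sfp1 \
    pvid=10
add bridge=bridge frame-types=admit-priority-and-untagged interface=sfp4 \
    pvid=40
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=lagg
/interface bridge vlan
add bridge=bridge tagged=lagg,sfp1 vlan-ids=10
add bridge=bridge tagged=lagg,sfp4 untagged=sfp5 vlan-ids=40
/ip address
add address=192.168.10.2/24 interface=bridge network=192.168.10.0
"""

_KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


def parse_export(text):
    """Return {section path: [entry dict, ...]}; only add/set lines are kept."""
    text = re.sub(r"\\\n\s*", "", text)              # join backslash-continued lines
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif current and (m := re.match(r"(add|set)\b(.*)", line)):
            sections[current].append({k: q or b for k, q, b in _KV.findall(m.group(2))})
    return sections


def expand_ids(spec):
    """'10,20-22' -> {10, 20, 21, 22} (vlan-ids accepts lists and ranges)."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def members(entry, key):
    return set(filter(None, entry.get(key, "").split(",")))


def lint(export_text):
    """Return human-readable findings; an empty list means the checks passed."""
    cfg = parse_export(export_text)
    findings = []
    bridges = {b["name"] for b in cfg["/interface bridge"] if "name" in b}
    vlan_table = cfg["/interface bridge vlan"]

    # 1. vlan-filtering=no: the whole bridge vlan table is ignored (SVL mode)
    for b in cfg["/interface bridge"]:
        if b.get("vlan-filtering", "no") == "no" and vlan_table:
            findings.append(f"{b.get('name')}: vlan-filtering=no, bridge vlan table is ignored")

    tagged, untagged = defaultdict(set), defaultdict(set)
    for v in vlan_table:
        for vid in expand_ids(v.get("vlan-ids", "")):
            tagged[vid] |= members(v, "tagged")
            untagged[vid] |= members(v, "untagged")

    # 2. a VLAN interface on the bridge only receives frames if the bridge itself is tagged
    for vi in cfg["/interface vlan"]:
        vid = int(vi["vlan-id"])
        if vi.get("interface") in bridges and vi["interface"] not in tagged.get(vid, set()):
            findings.append(f"{vi['name']}: bridge not tagged in vlan {vid}, CPU will not see it")

    # 3. the port role implied by frame-types/pvid must agree with the bridge vlan table
    for p in cfg["/interface bridge port"]:
        port, ft, pvid = p["interface"], p.get("frame-types", "admit-all"), int(p.get("pvid", "1"))
        if ft == "admit-priority-and-untagged":                       # access port
            if port not in untagged.get(pvid, set()):
                findings.append(f"{port}: access port pvid={pvid} not untagged in vlan {pvid}")
            findings += [f"{port}: access port but tagged in vlan {vid}" for vid, m in tagged.items() if port in m]
        elif ft == "admit-only-vlan-tagged":                          # trunk port
            findings += [f"{port}: trunk port but untagged in vlan {vid}" for vid, m in untagged.items() if port in m]

    # 4. the management IP belongs on a VLAN interface, not on the bridge itself
    for a in cfg["/ip address"]:
        if a.get("interface") in bridges:
            findings.append(f"{a['address']}: address on {a['interface']} directly, move it to a vlan interface")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_EXPORT)) or "no findings")
```

Run it against a real export with `lint(open("switch.rsc").read())`; an empty list means none of the four checks fired. The parser only understands `add`/`set` lines with `key=value` pairs and backslash continuations, which is what `/export` produces; it does not evaluate `[ find ... ]` expressions, and a hybrid port (`frame-types=admit-all`) is deliberately left alone because both tagged and untagged membership are legitimate for it.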

Anav, thanks for your input. I will make some changes. Below is a reaction to the mentioned points.

  • Missing stuff for security setup such as interface list, interface list members.

    Have to do more reading at this moment; I have really no idea what an interface list or members are and for which reason I would need them.

  • Missing the management VLAN definition???

    Hmm … vlan10 is the management VLAN. What more to define?

  • Modified /interface bridge entry

    ?

  • Failed to identify management VLAN, needs address - for example I have
    given the switch 192.168.10.2, assuming it's the management VLAN with vlanid=100

    No, the management VLAN is vlan 10.

  • Don't see ether1 console defined???

    Could be; the shared file was just a situation saved in case I had to go back to an earlier state.

  • Defined sfp1, sfp7, sfp15, sfp16 like other ports for frame type

    Not all interfaces are equal. There are interfaces to connect via a trunk and there are interfaces which connect to a simple device like e.g. the Fritzbox, which does not understand VLANs.

  • MISSING LAGPORT on bridge ports???

    Correct; to create a bonding you have to remove the interfaces from the bridge. As far as I know I cannot add the bonding to the bridge, however perhaps I am wrong.

  • Since all VLANs come from the pfSense, every /interface vlan entry should have LaggpfSense as a tagged entry. Only the management VLAN needs the bridge tagged.

    No, not true. I will explain.

    1. There are also VLANs arriving from the FiberNT.
    2. There are also VLANs arriving from the 2.5G switch.
      One of the reasons for that is that the 2.5G switch does not have sufficient ports, so I use some 10G ports as an extension of the 2.5G switch.
  • Your settings appear wrong;
    for example, your bridge ports state that sfp4 is an access port for vlan40,
    while your bridge vlan states that sfp5 is the access port for vlan40 and sfp4 is a trunk port??? Also sfp1 was tagged instead of untagged, while on bridge ports it is defined as an access port.

    All tagged ports have as destination a device which can handle VLANs.
    All untagged ports have as destination a device which cannot handle VLANs.
    Port1 and perhaps the console port are exceptions. Perhaps I will define them as hybrid to accept a tagged or an untagged version of the same VLAN.
    I have fixed them to what I think they should be, but since you didn't have any comments for the bridge ports I could be messing stuff up.
    The .rsc was/is just an interim state, and the names I gave to the interfaces tell the function of that interface.

  • The management VLAN should go to every smart device attached to the switch... and it appears you have many trunk ports but most do not get the management VLAN. Very confusing. I have added the management VLAN to them.

    Perhaps I made a mistake, but vlan10 (not 100!!) goes to many (tagged) ports, even if the device attached is actually not capable of handling a management VLAN. For example:

    • my managed switches use the management LAN
    • my TrueNAS system … cannot!! :hot_face: and of course I cannot manage the provider's FiberNT
  • Port TRUNK WK was very confusing, as you have it as a trunk port but then in bridge ports gave it a pvid of 50, so I will assume it's a HYBRID port, expecting vlan50 untagged with all other VLANs tagged.

    I really appreciate your comment; however, I will explain:

    • TrunkWK is a trunk to my office serving two purposes, which lead to this unexpected situation:
    1. it is transporting VLANs to my office, making it possible to test my NAS from my office (normally the NAS is in another room);
    2. it is also intended as a connection point for a second PC … not understanding VLANs and using vlan50.
      Note that I will perhaps place a small 10G switch in my office, and after doing so vlan50 will become tagged on the CRS.
  • Be advised vlan100 doesn't go anywhere: it arrives at the switch but has no destination. Future traffic??

    Yep, it is just a reservation for now. It is intended as a generic redzone VLAN; however, at this moment in time I have a kind of redzone per domain.

  • Ordered bridge vlans lowest to highest vlanid for easy reading.

You surely make me think about things, thanks!! However, my main problem, controlling the switch via two paths, 1) the management vlan10 via 192.168.10.2 and 2) via the console port via vlan88 or without VLAN to IP 192.168.88.1 … is still open.

I think this is the right direction; however, it is not yet working.

I did issue two commands using IP address 10.3, since address 10.2 was already there:

• /interface vlan add interface=bridge name="vlan10_mgmt_interface" vlan-id=10

• /ip address add address=192.168.10.3 interface="vlan10_mgmt_interface" network=192.168.10.0

I think add address 192.168.10.3 should be 192.168.10.3/24, but I am not sure about that.

Then I removed address 10.2.

Note that at this moment I have not yet enabled VLAN filtering. I am managing the switch via vlan88 attached to the console port. Attaching vlan10 and trying to reach 10.3 does not work. Moreover, if vlan10 is connected I cannot manage via vlan88 either. I guess because vlan10 is the default route.

Activating VLAN filtering on the bridge …. => end of exercise :frowning: No disaster since I can reload the backup.

I am not sure, but I feel there are multiple problems:

  • the default route; I think … that we need a VRF to fix that
  • and something related to the VLAN filtering

Too funny reading this................

Activating VLAN filtering on the bridge …. => end of exercise :frowning: No disaster since I can reload the backup.

Did you not read my post..............

RECOMMEND making all changes from a laptop connected to the console port.
Modify the laptop IPv4 settings to 192.168.55.2 and with username and password you can make the rest of the changes.

So, first modify the ether1 name to the below.
Add the console address.
Add the interface list and interface list members.
Then you should be able to access the router on the port.

The reason to do this is that MTs are finicky when you apply bridge changes, and thus being off the bridge allows you not to get kicked offline if the router burps. Safer!! So I know you use ether1 for management, which is fine, but console off-bridge use is recommended when making any bridge changes.

Anav, thanks for your input. I will make some changes. Below is a reaction to the mentioned points.

Missing stuff for security setup such as interface list, interface list members.

        have to do more reading at this moment; I have really no idea what an interface list or members are and for which reason I would need them

{ Interface lists are used to ensure secure access to the config of the device: we limit access to the switch to the management VLAN and to the OffBridge port, and this is used for WinBox access. Further, we add it to neighbour discovery so that all MT devices show up in WinBox. Security and ease of management of MT devices are the reasons }
+++++++++++++++++++++++++++++++++++++++++

Missing the management VLAN definition???

        hmm …. vlan10 is the management VLAN. What more to define?

{ Okay, then where is the definition in your config? It was MISSING!!! I see settings for the interfaces of ethernet and bonding and wireless security profiles and port, but nothing for the interfaces of VLANs??? }
+++++++++++++++++++++++++++++++++++++++++++++++

Modified /interface bridge entry 

      {  **This refers to /interface bridge where one needs to turn on vlan-filtering etc.** }

+++++++++++++++++++++++++++++++++++++

Failed to identify management VLAN, needs address - for example I have
given the switch 192.168.10.2, assuming it's the management VLAN with vlanid=100

        no, the management VLAN is vlan 10

{ Yes, I see that now. I just used vlan100 as an example, but accurate use of vlan10 would have been better; I did stick with vlan10 for the /interface bridge ports and /interface bridge vlans.
It was confusing for me because you assigned the subnet to the bridge and not to the VLAN, which you had not yet created/defined on the switch, so nothing was clear and I tried to muddle through :-). (By the way, assigning two addresses to the bridge is generally a no-no!!) }
++++++++++++++++++++++++++++++++++++++

Don't see ether1 console defined???

        could be; the shared file was just a situation saved in case I had to go back to an earlier state

Defined sfp1, sfp7, sfp15, sfp16 like other ports for frame type

        not all interfaces are equal. There are interfaces to connect via a trunk and there are interfaces which connect to a simple device like e.g. the Fritzbox, which does not understand VLANs

{ What I meant here is that not all bridge ports were defined with the frame types. I initially also included sfp16 but came to the conclusion it was neither a trunk nor an access port but a hybrid port, and the right setting is admit all frames. Access ports need a pvid assigned on the bridge port, trunk ports do not, and hybrid ports need a pvid as well }
+++++++++++++++++++++++++++

MISSING LAGPORT on bridge ports???

        correct; to create a bonding you have to remove the interfaces from the bridge. As far as I know I cannot add the bonding to the bridge, however perhaps I am wrong

{ Yes, that is incorrect: you enter the laggport but not the ports that make up the laggport. }
+++++++++++++++++++++++++++++++++++++++++++++

Since all VLANs come from the pfSense, every /interface vlan entry should have LaggpfSense as a tagged entry. Only the management VLAN needs the bridge tagged.

        no, not true. I will explain.

    There are also VLANs arriving from the FiberNT
    there are also VLANs arriving from the 2.5G switch
    One of the reasons for that is that the 2.5G switch does not have sufficient ports, so I use some 10G ports as an extension of the 2.5G switch

{ This level of requirements was not fully explained, thus I had to make assumptions, so any clarity is very helpful. However, if the VLANs do not come from the upstream router, what kind of device is creating VLANs on the FiberNT and on the 2.5G switch?? A bit of explanation of the purpose of these devices and perhaps the VLANs will shed appropriate light, and perhaps then another modification to the setup. }
++++++++++++++++++++++++++++++++++

Your settings appear wrong;
for example, your bridge ports state that sfp4 is an access port for vlan40,
while your bridge vlan states that sfp5 is the access port for vlan40 and sfp4 is a trunk port??? Also sfp1 was tagged instead of untagged, while on bridge ports it is defined as an access port.

        all tagged ports have as destination a device which can handle VLANs
        all untagged ports have as destination a device which cannot handle VLANs
        port1 and perhaps the console port are exceptions. Perhaps I will define them as hybrid to accept a tagged or an untagged version of the same VLAN
        I have fixed them to what I think they should be, but since you didn't have any comments for the bridge ports I could be messing stuff up.
        the .rsc was/is just an interim state, and the names I gave to the interfaces tell the function of that interface

{ Since it was not clear..... I made assumptions. Comments help ensure communication through the config: if you identify which bridge ports are access, hybrid and trunk, it becomes easy to read and understand. So please do so, and then we can adjust the config appropriately }
++++++++++++++++++++++++++++++++++++++++++++

The management VLAN should go to every smart device attached to the switch... and it appears you have many trunk ports but most do not get the management VLAN. Very confusing. I have added the management VLAN to them.

        Perhaps I made a mistake, but vlan10 (not 100!!) goes to many (tagged) ports, even if the device attached is actually not capable of handling a management VLAN. For example:

    my managed switches use the management LAN
    my TrueNAS system … cannot!! :hot_face: and of course I cannot manage the provider's FiberNT

{ All good; any difference between the knowledge in your head and what is clear in the config is an opportunity to make the config clearer and more understandable. For example, is the port to your TrueNAS a trunk port, an access port or a hybrid port? I fully believe that if it can accept multiple VLANs, then the NAS gets assigned an IP address and this IP address should be from the management VLAN, but we can discuss.
Again, I have no idea what the entity FiberNT is. This device is a switch, not a router, so are you saying the FiberNT connects to the switch and not to the pfSense??????????? }

{ As you noted, I did add most of what appeared to be trunk ports to vlanid=10; sfp16 should probably be untagged to that VLAN along with the console port }
++++++++++++++++++++++++++++++++++++++++

Port TRUNK WK was very confusing, as you have it as a trunk port but then in bridge ports gave it a pvid of 50, so I will assume it's a HYBRID port, expecting vlan50 untagged with all other VLANs tagged.

        I really appreciate your comment; however, I will explain:

    TrunkWK is a trunk to my office serving two purposes, which lead to this unexpected situation
    it is transporting VLANs to my office, making it possible to test my NAS from my office (normally the NAS is in another room)
    it is also intended as a connection point for a second PC … not understanding VLANs and using vlan50
    Note that I will perhaps place a small 10G switch in my office, and after doing so vlan50 will become tagged on the CRS

{ Cool, so it is a trunk port and it needs to carry vlan50 to another switch for further tx to a PC. Also, you can ignore my comment then about sfp16 being untagged to the management VLAN }
++++++++++++++++++++++++++++++++++++++++++++++++++++

Be advised vlan100 doesn't go anywhere: it arrives at the switch but has no destination. Future traffic??

        Yep, it is just a reservation for now. It is intended as a generic redzone VLAN; however, at this moment in time I have a kind of redzone per domain.

{ As surmised, great }
++++++++++++++++++++++++++++

Ordered bridge vlans lowest to highest vlanid for easy reading.

You surely make me think about things, thanks!! However, my main problem, controlling the switch via two paths, 1) the management vlan10 via 192.168.10.2 and 2) via the console port via vlan88 or without VLAN to IP 192.168.88.1 … is still open.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Not really; the management vlan10 on sfp1 is clear: we are untagged to that port, so you or anyone for that matter could connect to that port, get a vlan10 IP and then with username and password gain access to the config. As for the console port, you or anyone guessing the default .88 config on MikroTiks could gain access by plugging a laptop into the console port and then entering username and password into the config.

The only difference is I prefer the off-bridge approach (which you could do by properly removing the console port from the bridge); I simply used a different, non-standard IP address and limited it to one IP address,
192.168.55.1/30. Furthermore, I use interface list and interface list members to narrow down WinBox access etc..... Typically I don't see the point of a second method on the switch itself, why??
You should be able to access the switch by IP address from any PC that has admin access on the management VLAN. The purpose of the OffBridge port is to provide a safe configuration spot or emergency access to the router if for some reason the bridge and/or VLANs are acting funny.

@cstarritt @anav

I think I have it working!

cstarritt's idea to create special interfaces and to tie the IP addresses to them and not to the bridge really helped! I also activated VLAN filtering on the bridge.

I think the access via the management VLAN works because the default route points to the management VLAN, and access via the console port works due to the fact that I NAT incoming traffic on pfSense so that the incoming packets seem to arrive from the local network/number range.

anav, I did make some small changes triggered by your remarks. I have not (yet?) defined "interface list, interface list members", since I do not think it has added value. I did change the 'IP Service list' to forbid telnet and ftp. I do accept SSH and for the moment also www, since I manage the switch via its GUI and there is not yet a certificate installed.

Note that I did try configurations via the console port, to have access under every circumstance :slight_smile:

Thanks,

below a picture of the actual config

You are right, the LAGG has to be part of the bridge. I added it.

Never mind, wrong post.