How to configure trunk port on CCR1009?

I’ve migrated my configuration from RB750Gr3 (ROSv7) to CCR1009 (ROSv7). Copied exported commands to CCR and there were no incompatible configs, but now the trunk port configured on ether2 to a CCS switch stopped working.
After some research I found that I must create a bridge per vlan since the CCR1009 does not have a switch chip.
Is that the correct way of trunk port configuration on mikrotik routers that do not have a switch chip?

All mikrotik devices since ROS v6.42 can do bridge VLAN. Some can offload it to hardware (switch chip; RB750Gr3 is one of them), others do it with their general-purpose CPU. But the end effect is the same, if configured properly. So why your hEX config, transplanted to CCR, doesn’t work is a big question, and without seeing the actual config export (from CCR) we’d just be guessing.

No, single bridge is correct and, as mkx stated, without facts we cannot help.

Below is my current config. I made some changes trying to fix the trunk so it’s not exactly the same as it was on the RB.

# 2024-05-11 22:21:06 by RouterOS 7.14.3
#
# model = CCR1009-7G-1C-1S+
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=TRUNK
set [ find default-name=ether1 ] name=WAN
set [ find default-name=combo1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wg
/interface vlan
add interface=bridge name=InfrastructureVM vlan-id=20
add interface=bridge name=LAN vlan-id=40
add interface=bridge name=Network vlan-id=10
add interface=bridge name=Servers vlan-id=11
add interface=bridge name=VM vlan-id=30
/interface list
add name=ManagementList
add name=WAN_ACCESS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Management ranges=172.29.10.200-172.29.10.254
add name=LAN_POOL ranges=192.168.40.100-192.168.40.254
/ip dhcp-server
add address-pool=Management interface=Network name=Management
add address-pool=LAN_POOL interface=LAN name=LAN_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged hw=no interface=TRUNK
add bridge=bridge edge=yes interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=11
/ip neighbor discovery-settings
set discover-interface-list=ManagementList
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge,TRUNK vlan-ids=11
add bridge=bridge tagged=bridge,TRUNK vlan-ids=12
add bridge=bridge tagged=bridge,TRUNK vlan-ids=40
add bridge=bridge tagged=bridge,TRUNK vlan-ids=30
add bridge=bridge tagged=bridge,TRUNK vlan-ids=20
/interface list member
add interface=bridge list=ManagementList
add interface=TRUNK list=ManagementList
add interface=ether3 list=ManagementList
add interface=ether4 list=ManagementList
add interface=Network list=ManagementList
add interface=VM list=WAN_ACCESS
add interface=InfrastructureVM list=WAN_ACCESS
add interface=Network list=WAN_ACCESS
add interface=LAN list=WAN_ACCESS
add interface=Servers list=WAN_ACCESS
/ip address
add address=172.29.10.1/24 interface=Network network=172.29.10.0
add address=192.168.100.110/24 interface=WAN network=192.168.100.0
add address=192.168.32.1/24 interface=wg network=192.168.32.0
add address=10.19.11.1/24 interface=Servers network=10.19.11.0
add address=10.19.30.1/24 interface=VM network=10.19.30.0
add address=10.19.20.1/24 interface=InfrastructureVM network=10.19.20.0
add address=192.168.40.1/24 interface=LAN network=192.168.40.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server network
add address=172.29.10.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=172.29.10.1
add address=192.168.40.0/24 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment="Allow established, related" connection-state=established,related
add action=accept chain=input comment="Wireguard server" port=13231 protocol=udp
add action=accept chain=input comment="Allow ping" protocol=icmp
add action=accept chain=input comment="SSH Access" port=22 protocol=tcp
add action=accept chain=input comment="Winbox Access" in-interface=Network port=8291 protocol=tcp
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=forward comment="Internet access" in-interface-list=WAN_ACCESS out-interface=WAN
add action=drop chain=forward comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=172.30.1.0/24 gateway=wg pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set always-allow-password-login=yes
/lcd
set backlight-timeout=never color-scheme=dark default-screen=stats
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=MikroTik
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no

It doesn’t seem to be too off to me. With possible discrepancy in overall config: you have VLAN interfaces for VIDs 10 and 11 … TRUNK is not member of VID 10 and there’s VID 12 used as bridge VLAN (without any other related config). These are not necessarily wrong, it really depends on the overall network design.

And what in particular doesn’t seem to be working in conjunction with CSS?
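The discrepancies mkx picked out by eye (VID 10 not tagged on TRUNK, VID 12 present in the bridge VLAN table with no VLAN interface) are the kind of thing that can be cross-checked mechanically before the cable is even plugged in. The following checker is an added example, not code from the thread or from MikroTik: it parses the `add` lines of a RouterOS export and compares the `/interface vlan`, `/interface bridge port` and `/interface bridge vlan` sections against each other. `SAMPLE_EXPORT` is a constructed excerpt of the config posted above; the bridge and trunk names are parameters, and the "not statically untagged" findings are informational, since RouterOS adds a port's pvid to the untagged membership dynamically.

```python
"""Consistency checks for a RouterOS bridge-VLAN export (added example)."""
import shlex
from collections import defaultdict

# Constructed excerpt of the export posted in the thread (only sections read here).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=InfrastructureVM vlan-id=20
add interface=bridge name=LAN vlan-id=40
add interface=bridge name=Network vlan-id=10
add interface=bridge name=Servers vlan-id=11
add interface=bridge name=VM vlan-id=30
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged hw=no interface=TRUNK
add bridge=bridge edge=yes interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=11
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge,TRUNK vlan-ids=11
add bridge=bridge tagged=bridge,TRUNK vlan-ids=12
add bridge=bridge tagged=bridge,TRUNK vlan-ids=40
add bridge=bridge tagged=bridge,TRUNK vlan-ids=30
add bridge=bridge tagged=bridge,TRUNK vlan-ids=20
"""


def parse_export(text):
    """Return {section_path: [ {key: value, ...}, ... ]} for every 'add' line.

    'set' lines and comments are skipped; shlex handles quoted values.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            continue
        if current is None or not line.startswith("add "):
            continue
        entry = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            entry[key] = value
        sections[current].append(entry)
    return sections


def expand_vids(spec):
    """'10,20-22' -> {10, 20, 21, 22} (RouterOS vlan-ids syntax)."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def _ports(row, key):
    return set(filter(None, row.get(key, "").split(",")))


def check_bridge_vlans(text, bridge="bridge", trunk="TRUNK"):
    """Return a list of human-readable findings for review (empty = nothing odd)."""
    sec = parse_export(text)
    findings = []
    vlan_ifaces = {int(e["vlan-id"]): e["name"]
                   for e in sec["/interface vlan"] if e.get("interface") == bridge}
    table_vids, tagged_on, untagged_on = set(), defaultdict(set), defaultdict(set)
    for row in sec["/interface bridge vlan"]:
        if row.get("bridge") != bridge:
            continue
        for v in expand_vids(row["vlan-ids"]):
            table_vids.add(v)
            tagged_on[v] |= _ports(row, "tagged")
            untagged_on[v] |= _ports(row, "untagged")
    # Every VLAN interface on the bridge needs a row, and the bridge itself tagged in it.
    for vid, name in sorted(vlan_ifaces.items()):
        if vid not in table_vids:
            findings.append(f"VLAN interface {name} (vid {vid}) has no bridge vlan row")
        elif bridge not in tagged_on[vid]:
            findings.append(f"vid {vid}: bridge not tagged, so {name} sees no traffic")
    # Rows without an L3 interface and VIDs missing from the trunk are worth a look.
    for vid in sorted(table_vids):
        if vid not in vlan_ifaces:
            findings.append(f"vid {vid}: bridge vlan row but no VLAN interface (intentional?)")
        if trunk not in tagged_on[vid]:
            findings.append(f"vid {vid}: not tagged on trunk {trunk}")
    # Access ports: pvid not listed statically means membership is dynamic only.
    for port in sec["/interface bridge port"]:
        pvid = int(port.get("pvid", 1))
        if port.get("bridge") == bridge and port["interface"] != trunk:
            if port["interface"] not in untagged_on[pvid]:
                findings.append(f"{port['interface']}: pvid {pvid} not statically untagged "
                                f"for vid {pvid} (relies on dynamic membership)")
    return findings


if __name__ == "__main__":
    for f in check_bridge_vlans(SAMPLE_EXPORT):
        print("-", f)
```

Run against the constructed excerpt it reports VID 10 missing from the trunk, VID 12 having no VLAN interface, and the five access ports whose pvid is only dynamically untagged; whether each of those is a problem is a design question, as mkx says, but the list is what to answer before looking elsewhere.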

No communication between CCR & CSS on any of the configured VLAN Networks. Pinging devices located on CCR from devices on CSS and vice-versa. Nothing.

Can you show CSS config as well?

[four attached screenshots of the CSS configuration]
This should be the crux of it.

I can do SS of every tab if you require it.
Also, plugging in the switch to the old RB ether2 port allows communication across the trunk port.

Doesn’t seem off either.

Did you perform a cold boot of CCR since finalizing its config? In some rare cases this does seem to be necessary.

I do not recall but I did it now and the result is the same unfortunately.

I’m out of ideas, hopefully somebody with CCR1009 experience will chime in.

Thanks anyway!

I have a CCR1009 (tile) device as my main router with a gazillion VLANs. Will have a quick look at the config.

(1) First comment: never use a name for any interface which already has connotations on the MT device, let alone the exact nomenclature, bad bad… thus MODIFY
/interface vlan
add interface=bridge name=InfrastructureVM vlan-id=20
add interface=bridge name=LAN vlan-id=40

TO:
/interface vlan
add interface=bridge name=InfrastructureVM vlan-id=20
add interface=bridge name=homeLAN vlan-id=40
AND
/ip address
add address=192.168.40.1/24 interface=homeLAN network=192.168.40.0

(2) Your naming of interface lists is also not clear. Once I look at the firewall rules it should be clearer, but don't get fancy.
Use standard stuff and create extra lists if required.
/interface list
add name=WAN ( all ISP related interfaces )
add name=LAN ( all local subnet related interfaces, could also include local Wireguard )
add name=Management
add name=Other ( if you have a group of two or more subnets with a specific requirement as expressed in rules somewhere, like internet_only for example )

I have no idea what you mean by WAN_ACCESS for example

(3) Bridge ports minor preference;

/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=TRUNK
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged edge=yes interface=ether3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether5 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether6 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether7 pvid=11

(4) BRIDGE VLANS modified, personal preference

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3,ether4,ether5,ether6 vlan-ids=10
add bridge=bridge tagged=bridge,TRUNK untagged=ether7 vlan-ids=11
add bridge=bridge tagged=bridge,TRUNK vlan-ids=12,20,30,40

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(5) FIVE VLANS but only TWO Pools / TWO dhcp servers / etc…

In other words you only have the management subnet and the homeLAN subnet fully setup.
What is your plan for the others??

(6) Firewall Rules Modified: One minor rule missing, one major rule missing, no access for LAN users to DNS.
/ip firewall filter
{ default rules to keep }
add action=accept chain=input comment="Allow established, related" connection-state=established,related,untracked
add action=drop chain=input comment="Invalid traffic" connection-state=invalid
add action=accept chain=input comment="Allow ping" protocol=icmp
{ admin rules }
add action=accept chain=input comment="Wireguard server" port=13231 protocol=udp
add action=accept chain=input comment="SSH Access" port=22 protocol=tcp
add action=accept chain=input comment="Winbox Access" in-interface=Network port=8291 protocol=tcp
add action=accept chain=input comment="Users to services" dst-port=53 protocol=udp in-interface-list=LAN
add action=accept chain=input comment="Users to services" dst-port=53 protocol=tcp in-interface-list=LAN

add action=drop chain=input comment="Drop everything else"
+++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" connection-state=established,related,untracked
add action=drop chain=forward comment="Invalid traffic" connection-state=invalid
add action=accept chain=forward comment="Internet access" in-interface-list=LAN out-interface=WAN
add action=accept chain=forward comment="port forwarding" connection-state=dstnat disabled=yes { enable if required, or remove }
add action=drop chain=forward comment="Drop everything else"

(7) Looking at your firewall rules we can rationalize your interface lists… THE BRIDGE is transparent once you go to all vlans, so no need to enter that for any list.
One does not name PORTs that are on a bridge, in every case, as interfaces; again this is covered by vlans.

/interface list member ( The standard LAN interface list meets all your needs for both input chain and forward chain )
add interface=ether1 list=WAN
add interface=VM list=LAN
add interface=InfrastructureVM list=LAN
add interface=Network list=LAN
add interface=homeLAN list=LAN
add interface=Servers list=LAN
add interface=Network list=ManagementList

(8) No need that I can see to route to a non-existent subnet
add disabled=no distance=1 dst-address=172.30.1.0/24 gateway=wg pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

Also to be clear, you don't need to create a route for wireguard as the IP address you have automatically creates one.

(9) You will have to add firewall rules if you, as admin, want to be able to config the router (input chain) or reach the vlans (forward chain)
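The "one major rule missing" and "no access for LAN users to DNS" points in (6) are easiest to see by walking sample packets through the input chain before and after the change. The evaluator below is an added example, not anav's or MikroTik's code: it applies the same first-match semantics RouterOS filter chains use (rules in order, first match decides, no match means the chain's default of accept), with `port` matching either direction and `dst-port` only the destination. The two rule sets are transcribed by hand from the thread; the interface-list membership follows point (7), and the packets are constructed.

```python
"""First-match evaluation of a RouterOS-style input chain (added example)."""


def rule(action, chain, **matchers):
    """Build one filter rule; matcher names mirror RouterOS keys with '_' for '-'."""
    return {"action": action, "chain": chain, **matchers}


# Input chain as posted by the original poster.
INPUT_ORIGINAL = [
    rule("accept", "input", connection_state="established,related"),
    rule("accept", "input", protocol="udp", port=13231),
    rule("accept", "input", protocol="icmp"),
    rule("accept", "input", protocol="tcp", port=22),
    rule("accept", "input", protocol="tcp", port=8291, in_interface="Network"),
    rule("drop", "input"),
]

# Input chain as revised in point (6): invalid drop added, DNS from LAN allowed.
INPUT_REVISED = [
    rule("accept", "input", connection_state="established,related,untracked"),
    rule("drop", "input", connection_state="invalid"),
    rule("accept", "input", protocol="icmp"),
    rule("accept", "input", protocol="udp", port=13231),
    rule("accept", "input", protocol="tcp", port=22),
    rule("accept", "input", protocol="tcp", port=8291, in_interface="Network"),
    rule("accept", "input", protocol="udp", dst_port=53, in_interface_list="LAN"),
    rule("accept", "input", protocol="tcp", dst_port=53, in_interface_list="LAN"),
    rule("drop", "input"),
]

# Constructed interface -> lists membership, following point (7).
INTERFACE_LISTS = {
    "WAN": {"WAN"},
    "Network": {"LAN", "ManagementList"},
    "homeLAN": {"LAN"},
    "Servers": {"LAN"},
    "VM": {"LAN"},
    "InfrastructureVM": {"LAN"},
}


def matches(r, pkt):
    """True if every matcher present on rule r agrees with the packet."""
    if "connection_state" in r and pkt["state"] not in r["connection_state"].split(","):
        return False
    if "protocol" in r and r["protocol"] != pkt["protocol"]:
        return False
    if "port" in r and r["port"] not in (pkt.get("src_port"), pkt.get("dst_port")):
        return False
    if "dst_port" in r and r["dst_port"] != pkt.get("dst_port"):
        return False
    if "in_interface" in r and r["in_interface"] != pkt["in_interface"]:
        return False
    if "in_interface_list" in r and \
            r["in_interface_list"] not in INTERFACE_LISTS.get(pkt["in_interface"], set()):
        return False
    return True


def verdict(rules, pkt):
    """Action of the first matching rule in the packet's chain; accept if none matches."""
    for r in rules:
        if r["chain"] == pkt["chain"] and matches(r, pkt):
            return r["action"]
    return "accept"


# Constructed sample packets arriving at the router itself (input chain).
PACKETS = {
    "lan_dns": {"chain": "input", "state": "new", "protocol": "udp",
                "dst_port": 53, "in_interface": "homeLAN"},
    "invalid_to_ssh": {"chain": "input", "state": "invalid", "protocol": "tcp",
                       "dst_port": 22, "in_interface": "WAN"},
    "wan_winbox": {"chain": "input", "state": "new", "protocol": "tcp",
                   "dst_port": 8291, "in_interface": "WAN"},
    "wan_wireguard": {"chain": "input", "state": "new", "protocol": "udp",
                      "dst_port": 13231, "in_interface": "WAN"},
}


def compare(packets=PACKETS):
    """Map packet name -> (verdict under original chain, verdict under revised chain)."""
    return {name: (verdict(INPUT_ORIGINAL, p), verdict(INPUT_REVISED, p))
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:15s} original={before:6s} revised={after}")
```

The two rows that differ are the point of the exercise: a LAN host's DNS query to the router is dropped by the original chain and accepted by the revised one, while a tracker-flagged invalid TCP segment to port 22 slips through the original chain's SSH accept and is dropped by the revised chain's invalid rule, which is why that rule sits above the service accepts.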

In regards to the trunk port not working, I restored factory defaults and tried the old config one line at a time. It worked this time and when I compared the configs I found that the WAN (ether1) interface was part of the bridge. After removing it the trunk port stopped working for some reason. Next I restored factory defaults, but this time removed the default config, imported the RB config (as I did the first time) and now it works. Can’t find a reason as to why it works now and what ether1 has to do with the trunk port…

In regards to anav response:

(1) Good tip!
(2) WAN_ACCESS is a list of interfaces that have access to the internet
(5) Yeah, showed config was a WIP of me reconfiguring the network
(6) Forgot about the invalid traffic! Devices will use a DNS server hosted on one of the servers.
(8) Had a wireguard config where the subnet is on a remote site. Thanks for the tip!

Thanks for your input anav!

There is no need for WAN_ACCESS in your case, as the standard LAN interface list, comprised of all vlans, adequately covers your needs for firewall rules.