I need assistance with configuring VLANs on RB5009 and a CRS326

Hi!

I am having issues with getting my end devices properly established in their VLANs.

The router and CRS are able to ping each other using their VLAN IP, but whenever I connect a system to an access port on the CRS I am not able to pull an IP through DHCP; even with a static IP I am not able to ping the router.

Currently I am trying to figure out what I am doing wrong. Once VLAN2 is properly set up, I plan on making the port a trunk port for other VLANs.

My goal for now is to have VLAN2 properly set up, providing IPs through DHCP and have the nodes be able to access the internet.

I do have other VLAN interfaces added but they can be ignored, I will have them properly configured once I find where my mistake(s) are.

Below is the configuration I have on my Router and CRS.

If you need additional output please let me know and I will provide it.

Router Ethernet2 connects to CRS

CRS Ethernet1 connects to Router

Router

[admin@MikroTik] > /interface/export
# 2025-12-01 11:49:05 by RouterOS 7.19.4
# software id = KR4R-W8P8
#
# model = RB5009UG+S+
# serial number = HFF093ZCWJ6
/interface bridge
add admin-mac=78:9A:18:CD:F5:7D auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] comment="to CRS"
/interface vlan
add interface=bridge name=vlan2 vlan-id=2
add interface=ether2 name=vlan27 vlan-id=27
add interface=ether2 name=vlan100 vlan-id=100
add interface=ether2 name=vlan777 vlan-id=777
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 tag-stacking=yes
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridge tagged=ether2 vlan-ids=777
add bridge=bridge tagged=ether2,bridge vlan-ids=2
add bridge=bridge tagged=ether2 vlan-ids=27
add bridge=bridge comment="access port sofr vlan 1" untagged=ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
[admin@MikroTik] >



DHCP server
[admin@MikroTik] /ip> dhcp-server/ export
# 2025-12-01 12:05:42 by RouterOS 7.19.4
# software id = KR4R-W8P8
#
# model = RB5009UG+S+
# serial number = HFF093ZCWJ6
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=VLAN2POOL interface=vlan2 name=VLAN2DHCP
add address-pool=VLAN27POOL interface=vlan27 name=VLAN27DHCP
add interface=vlan777 name=VLAN777DHCP
# No IP address on interface
add interface=vlan100 name=VLAN100DHCP
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf dns-server=10.1.1.1 gateway=10.1.1.1 netmask=24
add address=10.1.2.0/26 comment=vlan777 dns-server=10.1.2.1 gateway=10.1.2.1 netmask=26
add address=10.1.3.0/24 comment=vlan2 dns-server=8.8.8.8 gateway=10.1.3.1 netmask=24
add address=10.1.4.0/24 comment=VLAN27 dns-server=10.1.4.1 gateway=10.1.4.1 netmask=24
[admin@MikroTik] /ip>

DHCP pool

[admin@MikroTik] /ip> pool/ export
# 2025-12-01 12:07:11 by RouterOS 7.19.4
# software id = KR4R-W8P8
#
# model = RB5009UG+S+
# serial number = HFF093ZCWJ6
/ip pool
add name=dhcp ranges=10.1.1.2-10.1.1.250
add name=VLAN2POOL ranges=10.1.3.2-10.1.3.250
add name=VLAN777POOL ranges=10.1.2.2-10.1.2.62
add name=VLAN27POOL ranges=10.1.4.2-10.1.4.250
[admin@MikroTik] /ip>

Router Firewall

[admin@MikroTik] /interface/bridge> /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

 6    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

 7    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

 8    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

 9    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

-- [Q quit|D dump|down]

CRS

[admin@MikroTik] > /interface export
# dec/01/2025 11:50:54 by RouterOS 6.49.19
# software id = E14I-HNQS
#
# model = CRS326-24G-2S+
# serial number = 94560B834CAD
/interface bridge
add admin-mac=C4:AD:34:1B:05:25 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=Production vlan-id=100
add interface=bridge name=test_env vlan-id=27
add interface=bridge name=vlan2 vlan-id=2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether1 tag-stacking=yes
add bridge=bridge comment=defconf interface=ether2 pvid=2
add bridge=bridge comment=defconf interface=ether3 pvid=2
add bridge=bridge comment=defconf interface=ether4 pvid=2
add bridge=bridge comment=defconf interface=ether5 pvid=2
add bridge=bridge comment=defconf interface=ether6 pvid=2
add bridge=bridge comment=defconf interface=ether7 pvid=2
add bridge=bridge comment=defconf interface=ether8 pvid=2
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge disabled=yes tagged=bridge untagged=ether3,ether2,ether4,ether5,ether6 vlan-ids=100
add bridge=bridge tagged=ether1,bridge untagged=ether3,ether8,ether2,ether4,ether5,ether6,ether7 vlan-ids=2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=Production list=LAN
[admin@MikroTik] >

Why are you using tag-stacking?

1 Like

Please read,

Which contains examples for both router and switch.
And this video is perfect for the CRS326:
https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=1522s

1 Like

TL;DR summary: the "feed a man a fish" approach.

The first thing I would do in your circumstance is to remove the "tag-stacking=yes" from the /interface bridge port settings on ether1 of the CRS326 and ether2 on the RB5009. Then see if it works.

Details follow: The "teach a man to fish" approach.

Is this your first time using vlans? vlans on MikroTik?

Just trying to determine your networking background so advice will be appropriate.

I'm a "teach a man to fish" more than "feed a man a fish" personality, so I will expect that you are willing to put in some effort to learn if you haven't already. Because with networking a little knowledge can be a dangerous thing, and leave you exposed to exploits from the internet.

As I asked in the first response, what is your reason for using tag-stacking? That's for Q-in-Q IEEE 802.1ad (VLAN tunneling), which is normally only used by ISPs to transport customer traffic that may already have VLAN tags. It's not something one would normally see in a question posted to the Beginner Basics section, because it isn't needed in a home environment under "normal conditions"; it's a relatively advanced topic.

So unless you can express why you need tag-stacking, you probably don't need it.

Also, is there a reason for not exporting the whole config for the RB5009?

From your configs it appears what you want to be able to do is to connect a PC to one of ports 2-8 on the CRS326 switch.

Is there a reason you are using 6.49.19 on the CRS instead of 7.19.4 like is on the RB5009? Newer versions of ROS make VLANs easier to configure, as you won't need to include the bridge in the /interface/bridge/vlan section; it will automatically add dynamic tagged entries for the bridge when you add a VLAN interface. If you were running 7.19.4 you would only "need"

/interface bridge vlan add bridge=bridge tagged=ether1 vlan-ids=2

instead of

/interface bridge vlan add bridge=bridge tagged=ether1,bridge untagged=ether3,ether8,ether2,ether4,ether5,ether6,ether7 vlan-ids=2

The access ports and bridge entries would be added dynamically. Some people like dynamic, some don't. I used to be in the "explicitly list all the members" camp, but I have come to like the ease of configuring only the parts that need to be configured. The "rationale" given by the other side, e.g. @anav, is that it makes it easy to see what ports are members of the VLAN "in one place". The problem with that argument is that ROS allows you to shoot yourself in the foot and configure egress behavior (in the /interface/bridge/vlan section) to be different from the ingress behavior (in the pvid=x setting in the /interface/bridge/port section). Not having them consistent can cause a lot of grief, especially for people that are trying to learn on MikroTik. The advantage of letting ROS configure it is that it will do the right thing if you change a pvid on a port; you just don't need to be bothered with making sure you have the egress behavior configured to agree with the ingress behavior. You can always use /interface/bridge/vlan print to see the current settings.

The first thing I would do in your circumstance is to remove the "tag-stacking=yes" from the /interface bridge port settings on ether1 of the CRS326 and ether2 on the RB5009.

If you are interested in what tag-stacking is all about, watch "VLANs, pt.3: QinQ and the L2MTU mystery", a MikroTik "MikroTip" by MikroTik engineer Druvis Timma.

2 Likes
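
The two checks suggested in the reply above (tag-stacking on a bridge port, and egress `untagged` membership that disagrees with the ingress `pvid`) can be run offline against an export. This is an added example, not part of the original thread or of any MikroTik tooling; the function names are hypothetical, and it assumes unwrapped export lines and single VLAN IDs rather than ranges.

```python
import re

# Constructed input: CRS326 lines from the export above, trimmed to four ports.
# ether9 is added to the VLAN 2 untagged list here only to show a mismatch.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether1 tag-stacking=yes
add bridge=bridge comment=defconf interface=ether2 pvid=2
add bridge=bridge comment=defconf interface=ether3 pvid=2
add bridge=bridge comment=defconf interface=ether9
/interface bridge vlan
add bridge=bridge disabled=yes tagged=bridge untagged=ether3,ether2 vlan-ids=100
add bridge=bridge tagged=ether1,bridge untagged=ether3,ether2,ether9 vlan-ids=2
"""

def parse_export(text):
    """Map each '/section' header to a list of key/value dicts, one per 'add' line."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return sections

def audit_bridge(text):
    """Return sorted (port, finding) tuples for the two problems discussed in the thread."""
    cfg = parse_export(text)
    ports = cfg.get("/interface bridge port", [])
    # RouterOS defaults a bridge port's pvid to 1; the export omits default values.
    pvid = {p["interface"]: p.get("pvid", "1") for p in ports}
    findings = []
    for p in ports:
        if p.get("tag-stacking") == "yes":
            findings.append((p["interface"], "tag-stacking=yes (Q-in-Q) on this port"))
    for row in cfg.get("/interface bridge vlan", []):
        if row.get("disabled") == "yes":
            continue  # disabled rows have no effect on forwarding
        for vid in row.get("vlan-ids", "").split(","):
            for port in filter(None, row.get("untagged", "").split(",")):
                if port in pvid and pvid[port] != vid:
                    findings.append(
                        (port, f"egress untagged in VLAN {vid}, ingress pvid={pvid[port]}"))
    return sorted(findings)

if __name__ == "__main__":
    for port, msg in audit_bridge(SAMPLE_EXPORT):
        print(f"{port}: {msg}")
```
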

Sorry for the delay, I posted this around the time I had to head to work without realizing.

I am very new to the Mikrotik environment and its VLAN configuration methods.

I know enough about how VLANs operate to be able to troubleshoot end devices but setting up VLANs from the ground up is not something I am familiar with especially on Mikrotik hardware.

I was trying multiple things to get VLANs working and enabling tag stacking was something I enabled and forgot to disable.

I was not sure if exporting the entire configuration would have been a big help or if it would’ve been useless stuff to dig through to find what is really needed.

I’ll export the entire config on my next attempt to configure the VLAN if it fails.

Currently my CRS only prompts me for versions 6.4x.xx

I did not realize the jump from 6 to 7 made VLAN configurations easier.

I’ll need to look into why it’s not prompting me for ROS 7 when I have a chance.

Unfortunately my time is very limited at home, so I won’t be able to reconfigure my setup until tomorrow night or Wednesday morning.

I’ll let y’all know how it goes!

There are two places where one "upgrades" a Mikrotik device: System -> RouterBOARD (your screenshot) ... which is similar to BIOS/EFI on a PC and is commonly referred to as routerboot in MT world ... and System -> Packages, which is similar to OS (e.g. Linux or Windows) and is commonly referred to as RouterOS in MT world.

When upgrading ROS, there are a few channels: long-term, stable, testing ... and upgrade. After setting channel to desired one (upgrade is v6 channel, specific for upgrading to v7 ... and might not be available in your version of ROS, which is pretty ancient, newest is 6.49.18), you need to hit "update" which will contact MT's download server and check for newer versions within selected channel. Hitting upgrade will then upgrade to that newest version. Note that in v7, there is no long-term (yet) and obviously neither upgrade channel.

As to routerboot upgrades: ROS comes with matching routerboot images and after you successfully upgrade ROS (and reboot, which is standard part of ROS upgrade), you can go back to routerboard menu ... and you'll see newer version available.

And to the topic (VLANs): on CRS3xx there isn't a major difference in how VLANs are configured between v6 and v7, there are only minor differences. But I'd recommend you to upgrade to v7 nevertheless; a notable difference for CRS3xx is wire-speed routing (with more or less severe limitations depending on switch chip used in device), you can read about it in L3HW offloading.

And another (a bit lengthy but very good) document (a tutorial) about configuring VLANs on bridge: Using RouterOS to VLAN your network (it's a mystery to me why it became so hard to find it ... e.g. using google, IMHO it's worth reading it)
There's often confusion about what bridge actually is in ROS ... it has multiple "personalities" and this article tries to explain them: RouterOS bridge mysteries explained

1 Like