Management IP in RouterOS

hello friends.

i’m at my wit’s end with what i imagine is going to end up being something incredibly simple, however i’ve tried everything i can find and i continue to fail, so i’m coming here for some assistance.

goal: i want my CRS310-8G+2S+, which is acting as my L2 core switch, to have a management IP address of 10.10.10.15 on VLAN 10 via RouterOS.

hangup: my CRS309-1G-8S+, currently running SwOS, works exactly like i’d like the CRS310 to work in RouterOS: give IP address in VLAN 10 subnet, be accessible in VLAN 10 via that IP from my desktop. i’d be running SwOS on the CRS310 (and was, successfully, working exactly as i wish it was working in RouterOS) if fan ctrl in SwOS wasn’t currently borked, even though i’d like to ultimately have RouterOS on both, as that would mean i was a better network admin :wink:

current network layout:

  • upstream router handles all L3 (DHCP, DNS, routing, etc.); VLAN subnets are defined here as well, notably 10 (10.10.10.1/24) and 101 (172.16.101.1/24), the former being MGMT, the latter being desktops. router connects to CRS310 via 10G trunk port
  • CRS310 connects to router via one of its SFP+ (trunk) ports; the other SFP+ port (trunk) goes downstream to my CRS309 (10.10.10.20, which runs my storage network), and the 2.5G ports are all access ports for 101 and 201
  • my desktop is currently plugged into one of the 101 access ports on the CRS310; VLAN 101 routes successfully to VLAN 10 (that’s where the SwOS CRS309 lives, which i can access fine), so i know my router/routing is not the issue

what i’ve read: it’d honestly be quicker to list what i haven’t read, but just assume there’s not a forum, reddit, or documentation post i’ve not read and tried copying almost verbatim (just replacing with my VLAN IDs) on the topic of VLAN based mgmt IP. most notably, i’ve all but memorized the management access section of the bridging guide. see below for more specifics on what i’ve tried.

my current config: here is a copy of my current config; note that the PVID of the bridge is currently set to 101 untagged as that’s the only way i’ve found that i don’t lose winbox MAC-based access (i’ve yet to successfully have IP access at all):

/interface bridge
add name=bridge pvid=101 vlan-filtering=yes
/interface vlan
add interface=bridge name=mgmt vlan-id=10
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=201
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=201
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=201
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=201
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=201
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=201
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=10,69,101,201
/ip address
add address=10.10.10.15/24 interface=mgmt network=10.10.10.0

per the documentation, on the “tagged access with VLAN filtering” section (which is what i assume i’m after), i’ve tried adding the bridge itself to the tagged list. i’ve tried changing the PVID of the bridge to 10 and experimented with each frame type setting. i’ve tried things i’ve already forgotten i’ve tried. no matter what i do, the same thing happens: i lose all admin access to the switch. the switch always continues to work and handle L2/VLANs just fine, i just cannot access it anymore. so i end up factory defaulting it and getting it back to the above.

==

sorry for the wall of text, hoping to share all the pertinent details ahead of time so i don’t waste anyone’s time with follow-ups. appreciate whatever time anyone can offer to help me out with this. if the solution to anyone feels like something i already said i ruled out, please post it anyway, as there’s every chance i did something wrong each time i tried.

thanks all,

T

What is the RouterOS version running on the CRS310? Because if you are not running a recent version of RouterOS 7 (≥ 7.16), then you'll need to split this:

/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=10,69,101,201

into

/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=69,101,201
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge vlan-ids=10

Also, because you have frame-types=admit-only-vlan-tagged for the 2 SFP+ ports, don't set pvid=10 on them, set the PVID back to the default value of 1 on those ports.


thanks for the reply!

What is the RouterOS version running on the CRS310?

it is running the latest stable 7.20.1

Also, because you have frame-types=admit-only-vlan-tagged for the 2 SFP+ ports, don't set pvid=10 on them, set the PVID back to the default value of 1 on those ports.

i can do this when i get home; do you suspect this will resolve anything? i was under the impression that the PVID was simply ignored on ports with frame-types=admit-only-vlan-tagged (the fact that they are currently 10 was just a remnant of me trying them as hybrid ports at some point)

Yes, it's normally ignored with frame-types=admit-only-vlan-tagged, but just set it to 1 so that it disappears from the export.

And because you have 7.20.1 there is no need to add bridge to the tagged list because it's done automatically when you create the VLAN interface.

So, the problem might be on the router. Check the firewall on the router maybe?

So, the problem might be on the router. Check the firewall on the router maybe?

unfortunately, i’ve all but verified there’s nothing wrong with the router/firewall or its ability to route between VLANs. as i mentioned in the OP, the CRS309 (running SwOS) is in VLAN 10 and working exactly as i’d like the CRS310 to be working, perfectly accessible from any of the other VLANs that i allowed to route to the mgmt VLAN. i can access its web ui from my workstation on VLAN 101 no problem, and all i had to do was turn on DHCP in SwOS settings and it correctly got the VLAN 10 IP i’d reserved for it on the DHCP server.

somewhat humorously, the CRS309 is downstream of the CRS310, so routing would have to be working correctly as it’s also going through the CRS310 from the router.

if only the CRS310 had a dedicated MGMT Ethernet port, that’d be perfect! then again, i’m confident this can work, there’s just something i’m doing wrong/missing….

accessible from any of the other VLANs that i allowed to route to the mgmt VLAN

There is no default route for the return traffic in your switch config. SwOS has a simplistic method of returning traffic to the MAC address it originated from so it just works; RouterOS requires an explicit default route.

Oh yes, you're fully correct! There's a

/ip route add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-table=main

missing if 10.10.10.1 is the IP address of the router on VLAN 10. Or if the switch has no need to access the internet (for updates) then

/ip route add dst-address=172.16.101.0/24 gateway=10.10.10.1 routing-table=main

suffices.


There is no default route for the return traffic in your switch config.

ugh….dozens of dell, hp, and brocade switches in an almost two decade IT career, and forgetting about the default route on a switch…certainly takes the cake on making today’s embarrassing oversight! gonna try to chalk it up to just how different RouterOS is in administration to most other switch OSes, especially after being lulled in by how easy SwOS was to get working comparatively :upside_down_face:

humbly, thank you very much for the suggestion; switch is now reachable throughout the network on VLAN 10 at the IP i want it to have!

huge thank you to @tdw and @CGGXANNX for helping out! here’s my final, functional config with everything said and done, should future generations need to see this:

/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=mgmt vlan-id=10
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=201
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=201
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=201
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=201
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=201
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=201
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge vlan-ids=10,69,101,201
/ip address
add address=10.10.10.15/24 interface=mgmt network=10.10.10.0
/ip dns
set servers=10.10.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-table=main suppress-hw-offload=no

cheers everyone, thanks for being a great community!

T
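
The fix in this thread comes down to whether the switch has a return path to the client's subnet. As an added example (not code from any poster or from MikroTik), this Python sketch parses the relevant sections of a RouterOS export and reports how replies to a given client would leave the device; the config snippets are constructed from values posted above, and the host addresses 172.16.101.50 and 192.0.2.7 are assumptions.

```python
import ipaddress
import shlex

def parse_export(text):
    """Parse a RouterOS export into {section: [{key: value}, ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.startswith(("add ", "set ")):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            sections[current].append(dict(pairs))
    return sections

def return_path(sections, client_ip):
    """Describe how replies to client_ip leave the device, or None if no path."""
    client = ipaddress.ip_address(client_ip)
    for addr in sections.get("/ip address", []):
        if client in ipaddress.ip_interface(addr["address"]).network:
            return "connected via " + addr["interface"]
    best = None  # longest-prefix match over enabled static routes
    for route in sections.get("/ip route", []):
        if route.get("disabled") == "yes":
            continue
        # A route added without dst-address is treated here as 0.0.0.0/0.
        net = ipaddress.ip_network(route.get("dst-address", "0.0.0.0/0"))
        if client in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route["gateway"])
    return f"route {best[0]} via {best[1]}" if best else None

# Constructed inputs built from the values posted in the thread.
BEFORE = """/interface vlan
add interface=bridge name=mgmt vlan-id=10
/ip address
add address=10.10.10.15/24 interface=mgmt network=10.10.10.0
"""
DEFAULT = BEFORE + """/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-table=main
"""
SCOPED = BEFORE + """/ip route
add dst-address=172.16.101.0/24 gateway=10.10.10.1 routing-table=main
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("default", DEFAULT), ("scoped", SCOPED)):
        for client in ("10.10.10.20", "172.16.101.50", "192.0.2.7"):
            print(name, client, return_path(parse_export(cfg), client))
```

With the scoped route the switch has a return path to the desktop subnet only, so its management address cannot complete a session with any other routed network.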