Hello.
My setup is “working”: I have access to my wireless AP, and all designated VLANs seem to work on tagged and untagged ports, though I only have access through LAN.
The setup: Qotom 1U → CRS328 → GS7665
I want to set up a mgmt VLAN on the network. I have OPNsense on the Qotom with 4 VLANs and 1 mgmt VLAN 99. I had problems getting OPNsense to use just the one SFP+, and I have bricked my OPNsense on the Qotom several times now. So now LAN and VLAN 99 are on igc2 (2.5GbE)/ether23 and the 4 VLANs are on SFP+/sfpplus1. I’ve set up IPs and routes “correctly”, but can’t access VLAN 99 on untagged ether8. How do I troubleshoot this? Do I have to keep LAN, do I have to let LAN and VLAN 99 run side by side, or is something else needed?
I personally would not use ether8 as a management port, as any Tom, Dick and Harry can plug a device into ether8 and be automatically in the management network.
At least with off-bridge ether24, you have to know to put 192.168.77.2 into the IPv4 settings to gain access.
This would still be something like 192.168.99.x/30, right? I don’t understand how the addition of 192.168.77.1/30 works, I must admit.
Thanks for the guided help with the config, though I have a hard time understanding all the settings. I have made the OffBridge24 and will get this done; the mgmt network should be hidden or there is no point.
The idea is that 192.168.77.1/30 means only two usable IP addresses, 192.168.77.1 and 192.168.77.2;
hence plug your laptop into ether24 and ensure 192.168.77.2 is set manually in the laptop’s IPv4 settings.
This creates a safe spot to do VLAN configs on any MikroTik device.
You can disable the port afterwards if you don’t want to keep it.
How do I add them?
In WinBox, on the left-hand menu, select Interfaces.
Then in the popup menu select Interface List.
This is the location to add interfaces to existing interface lists with the PLUS (+) symbol.
Before one can do that, one has to add the lists. On the same line as the plus, on the far right, select the button that says Lists.
In this popup menu,
add the list name and hit Apply, then OK.
Then go back to the plus symbol on the Interface List menu to add the desired interfaces to the TRUSTED list you just created.
…
I am still on WinBox 3; WinBox 4 is not ready enough for me to use.
Only one interface list name is used (TRUSTED). Remove these:
/interface list
add name=WAN
add name=LAN
Similarly, the interface list members should be modified too (why are you not implementing changes?):
/interface list member
add comment=TRUSTED interface=OffBridge24 list=TRUSTED
add comment=MGMT interface=vlan0.5.99 list=TRUSTED
Why do you have ANY pools? Get rid of them! This is a switch acting as a switch, not a router.
Please add the ingress filtering and frame types back in.
sfp-sfpplus1 MUST be tagged on the management VLAN. It is a trunk with tagged VLANs going to another smart device. That other smart device needs the management VLAN 99 because that’s where it is getting its IP address from! Please confirm what is at the other end of sfp-sfpplus1!
/interface bridge vlan
add bridge=Bridge comment=MGMT tagged=ether23,Bridge,ether1,sfp-sfpplus1 untagged=ether8 vlan-ids=99
add bridge=Bridge comment=Trusted tagged=sfp-sfpplus1,ether1,Bridge untagged=ether3,ether4,ether5,ether6 vlan-ids=10
Why do you have VLAN 10 tagged with the bridge above?
I am getting frustrated that you have not followed the advice from the previous config provided, and are repeating errors!
Why is ether1 missing from being tagged for VLAN 40?
add bridge=Bridge comment=DMZ tagged=sfp-sfpplus1,??? untagged=ether7,sfp-sfpplus2 vlan-ids=40
Why is the bridge tagged for VLAN 20 and VLAN 30?
Why is there an address for ether2? REMOVE IT.
…
# model = CRS328-24P-4S+
# serial number =
/interface bridge
add name=Bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether24 ] comment=MGMT name=OffBridge24
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=ether17 ] disabled=yes
set [ find default-name=ether18 ] disabled=yes
set [ find default-name=ether19 ] disabled=yes
set [ find default-name=ether20 ] disabled=yes
set [ find default-name=ether21 ] disabled=yes
set [ find default-name=ether22 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface vlan
add comment=TRUSTED interface=Bridge name=vlan0.5.99 vlan-id=99
/interface list
add comment=MGMT name=TRUSTED
/interface bridge port
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether1 comment=AP-99-10-20-30
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether2 pvid=20 comment="iot-accessport"
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether3 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether4 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether5 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether6 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether7 pvid=40 comment=DMZ
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether8 pvid=99 comment="management pc"
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether23
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=sfp-sfpplus2 pvid=40 comment=DMZ
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=Bridge comment=MGMT tagged=ether23,Bridge,ether1,sfp-sfpplus1 untagged=ether8 \
    vlan-ids=99
add bridge=Bridge comment=Trusted tagged=sfp-sfpplus1,ether1 untagged=ether3,ether4,ether5,ether6 vlan-ids=10
add bridge=Bridge comment=DMZ tagged=sfp-sfpplus1,ether1 untagged=ether7,sfp-sfpplus2 \
vlan-ids=40
add bridge=Bridge comment=iot tagged=ether1,sfp-sfpplus1 untagged=ether2 \
vlan-ids=20
add bridge=Bridge comment=Guest tagged=ether1,sfp-sfpplus1 vlan-ids=30
/interface list member
add comment=TRUSTED interface=OffBridge24 list=TRUSTED
add comment=MGMT interface=vlan0.5.99 list=TRUSTED
/ip address
add address=192.168.99.2/24 comment=MGMT interface=vlan0.5.99 network=\
    192.168.99.0
# note: the text above uses 192.168.77.1/30 for this off-bridge link; 168.168.70.0/30 is not RFC 1918 private space
add address=168.168.70.1/30 comment=TRUSTED interface=OffBridge24 network=\
    168.168.70.0
/ip dhcp-client
add disabled=yes interface=Bridge
/ip dns
set servers=192.168.99.1
/ip route
add comment=MGMT distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.99.1 routing-table=main
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.99.1
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
I could not add the mgmt VLAN 99 and OffBridge in 4.09 as you did; I switched to 3.41 and I hope I have implemented it now. Removed it all, only have TRUSTED; dunno why WAN and LAN still show up in /export.
Had pools, yes, and forgot, because network tripguide switched to the router and I added them by mistake.
I added back ingress filtering on the one that was missing.
I have LAN and mgmt VLAN 99 on ether23, and the rest of the VLANs 10-40 on SFP+/sfpplus1. My Qotom OPNsense bricks when using only sfp-sfpplus1 (LAN, VLAN 99, VLANs 10-40). I want to tag VLAN 40 on sfpplus2 to a Miniforum ms01. Ether1 is VLAN 99, VLANs 10-30 to my access point. I can’t tag sfp-sfpplus1 if ether23 is the one carrying LAN and VLAN 99??
Dunno why I added the bridge here; only VLAN 99 needs the bridge, right?
I want to pass VLAN 40 along sfpplus2; ether1 carries VLANs 10, 20, 30 and 99 as I was intending.
I had trouble adding the list, and it is hard for me to know all the settings I might have unticked; being on 4.09 did not help. When using 3.41 I could see the TRUSTED list and the adding of OffBridge24 and vlan99.
I still have ether8 untagged for VLAN 99, so I am sure this works before deleting or changing the port.
Sorry for the slow implementation; glad you stayed with me this far.
# model = CRS328-24P-4S+
# serial number =
/interface bridge
add name=Bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether24 ] comment=MGMT name=OffBridge24
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=ether17 ] disabled=yes
set [ find default-name=ether18 ] disabled=yes
set [ find default-name=ether19 ] disabled=yes
set [ find default-name=ether20 ] disabled=yes
set [ find default-name=ether21 ] disabled=yes
set [ find default-name=ether22 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface vlan
add comment=TRUSTED interface=Bridge name=vlan0.5.99 vlan-id=99
/interface list
add name=WAN
add name=LAN
add comment=MGMT name=TRUSTED
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=Bridge comment=AP-99-10-20-30 interface=ether1
add bridge=Bridge comment=iot interface=ether2 pvid=20
add bridge=Bridge comment=Home interface=ether3 pvid=10
add bridge=Bridge comment=Home interface=ether4 pvid=10
add bridge=Bridge comment=Home interface=ether5 pvid=10
add bridge=Bridge comment=Home interface=ether6 pvid=10
add bridge=Bridge comment=DMZ interface=ether7 pvid=40
add bridge=Bridge interface=ether8 pvid=99
add bridge=Bridge interface=ether23
add bridge=Bridge interface=sfp-sfpplus1
add bridge=Bridge comment=DMZ interface=sfp-sfpplus2 pvid=40
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!TRUSTED
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=Bridge comment=MGMT tagged=ether23,Bridge,ether1 untagged=ether8 vlan-ids=99
add bridge=Bridge comment=DMZ tagged=sfp-sfpplus1 untagged=ether7,sfp-sfpplus2 vlan-ids=40
add bridge=Bridge comment=iot tagged=Bridge,ether1,sfp-sfpplus1 untagged=ether2 vlan-ids=20
add bridge=Bridge comment=Guest tagged=Bridge,ether1,sfp-sfpplus1 vlan-ids=30
add bridge=Bridge tagged=ether1,sfp-sfpplus1 untagged=ether3,ether4,ether5,ether6 vlan-ids=10
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list member
add interface=OffBridge24 list=TRUSTED
add interface=vlan0.5.99 list=TRUSTED
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.99.2/24 comment=defconf disabled=yes interface=ether2 network=192.168.99.0
add address=192.168.99.2/24 comment="\"MGMT\"" interface=vlan0.5.99 network=192.168.99.0
add address=168.168.70.1/30 comment=TRUSTED interface=OffBridge24 network=168.168.70.0
/ip dhcp-client
add disabled=yes interface=Bridge
/ip dns
set servers=192.168.99.1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=MGMT disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.99.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=
/system identity
set name=CRS328-1
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.99.1
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes
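As an added example that is not part of the thread and not MikroTik's own tooling: a small Python linter that applies the checks the helper makes by eye to a RouterOS /export. It parses the `/interface bridge port`, `/interface bridge vlan`, `/interface vlan` and `/ip address` sections and flags names in the VLAN table that are not bridge ports (the `sfpplus1` typo in the MGMT entry), the bridge tagged on VLANs that have no `/interface vlan` (20 and 30 above), a management VLAN interface the bridge is not tagged on, access ports whose pvid has no untagged entry, ports without ingress filtering/frame type, and IP addresses sitting on bridge ports (the ether2 address). `SAMPLE_EXPORT` is a constructed excerpt modelled on the export above with those mistakes kept, and the bridge name `Bridge` is assumed; paste your own export in its place.

```python
"""Consistency checks for a RouterOS /export of a VLAN-filtering bridge.
Added example, not from the thread; assumes the bridge is named 'Bridge'."""
import shlex
from collections import defaultdict


def parse_export(text):
    """Return {section: [entry, ...]}; each entry is the key=value map of one
    'add'/'set' line. Trailing-backslash continuations are joined first."""
    sections, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        buf += line
        if buf.endswith("\\"):              # RouterOS wraps long lines with '\'
            buf = buf[:-1]
            continue
        if buf.startswith("/"):
            section = buf
        elif section and buf.split()[0] in ("add", "set"):
            entry = {}
            for tok in shlex.split(buf)[1:]:   # shlex honours comment="a b"
                if "=" in tok:
                    key, val = tok.split("=", 1)
                    entry[key] = val
            sections[section].append(entry)
        buf = ""
    return sections


def expand_vids(spec):
    """'10,20-22' -> [10, 20, 21, 22]"""
    vids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.extend(range(int(lo), int(hi or lo) + 1))
    return vids


def lint(text, bridge="Bridge"):
    """Return a list of human-readable findings for the export in `text`."""
    cfg = parse_export(text)
    ports = {e["interface"]: e for e in cfg["/interface bridge port"]
             if e.get("bridge") == bridge}
    l3_vlans = {int(e["vlan-id"]) for e in cfg["/interface vlan"]
                if e.get("interface") == bridge}
    findings, bridge_tagged = [], set()
    untagged_on = defaultdict(set)           # port -> VLAN ids it is untagged in
    for e in cfg["/interface bridge vlan"]:
        vids = expand_vids(e["vlan-ids"])
        tagged = [p for p in e.get("tagged", "").split(",") if p]
        untagged = [p for p in e.get("untagged", "").split(",") if p]
        for p in tagged + untagged:
            if p != bridge and p not in ports:
                findings.append(f"vlan {e['vlan-ids']}: '{p}' is not a port of {bridge} (typo?)")
        for vid in vids:
            if bridge in tagged:
                bridge_tagged.add(vid)
                if vid not in l3_vlans:
                    findings.append(f"vlan {vid}: {bridge} tagged but no /interface vlan uses it")
            for p in untagged:
                untagged_on[p].add(vid)
    for vid in sorted(l3_vlans - bridge_tagged):
        findings.append(f"vlan {vid}: /interface vlan exists but {bridge} is not tagged; its IP is unreachable")
    for name, e in ports.items():
        if "pvid" in e and int(e["pvid"]) not in untagged_on[name]:
            findings.append(f"port {name}: pvid {e['pvid']} has no matching untagged entry")
        if e.get("ingress-filtering") != "yes" or "frame-type" not in e:
            findings.append(f"port {name}: ingress-filtering/frame-type not set")
    for e in cfg["/ip address"]:
        if e.get("interface") in ports:
            findings.append(f"address {e['address']} on bridge port {e['interface']}: "
                            "put it on a VLAN interface or an off-bridge port instead")
    return findings


# Constructed excerpt modelled on the thread's export, with its mistakes kept.
SAMPLE_EXPORT = """\
# model = CRS328-24P-4S+
/interface bridge
add name=Bridge vlan-filtering=yes
/interface vlan
add interface=Bridge name=vlan0.5.99 vlan-id=99
/interface bridge port
add bridge=Bridge frame-type=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=Bridge comment=iot interface=ether2 pvid=20
add bridge=Bridge comment="management pc" interface=ether8 pvid=99
add bridge=Bridge interface=ether23
add bridge=Bridge interface=sfp-sfpplus1
/interface bridge vlan
add bridge=Bridge comment=MGMT tagged=ether23,Bridge,ether1,sfpplus1 untagged=ether8 \\
    vlan-ids=99
add bridge=Bridge comment=iot tagged=Bridge,ether1,sfp-sfpplus1 untagged=ether2 vlan-ids=20
add bridge=Bridge comment=Guest tagged=ether1,sfp-sfpplus1 vlan-ids=30
/ip address
add address=192.168.99.2/24 comment=defconf disabled=yes interface=ether2 network=\\
    192.168.99.0
add address=192.168.99.2/24 comment="\\"MGMT\\"" interface=vlan0.5.99 network=192.168.99.0
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```

Run it against `/export` output saved to a file (`lint(open("crs328.rsc").read())`). It only checks what the config itself makes decidable: a trunk that should carry an extra VLAN (ether1 missing from VLAN 40) or a negated `discover-interface-list=!TRUSTED` is an intent question the helper has to ask in words, so the script does not guess at it.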