Mikrotik Switch - it is not a switch?

I just purchased CRS354-48G-4S+2Q+RM, to use it as a switch.

First problem: SwitchOS that I planned to use, I found out after 6-7 hours of reboots/reset (no errors, just no port activity) is actually not supported on this switch… Found out on this forum that they said one year ago they might add it later… Guess not! What on earth is going on…

So I go for option two: Use it with the default bridge setup. I just choose defaults and it says “all ports are switched”. Great! :slight_smile: That sounds exactly like I need. I connect my WAN and my LAN-cable at the datacenter to the switch - and nothing happens. No internet - there appears to be some bridge traffic, but seems like the actual internet port 1 has no traffic. I even reset the switch to factory default, get the message that by default, all ports are switched - and still no luck. I have tried to add the ip to the bridge interface, but no luck. Added NAT-rule for all outgoing traffic from bridge (masquerade) to my ISPs gw (even though it should not be needed if it was a switch): No luck.

Finally I gave up, found an “old” enterprise D’link switch, connected LAN and WAN to random ports and all up with no configuration needed. Now I have connected the Mngt interface on Mikrotik to the D’link switch (on a public static ip) so I can configure it remotely. When I tried to connect a normal port to the existing D’link switch that has internet, internet goes down for all machines even on D’link. I need to keep only the management interface port up. So this tells me the Mikrotik-switch is far from a switch as configured now…

How on earth can I just get this switch to work like a … switch? I know the performance will be bad, but at least I get some joy out of this wrong purchase. My thinking was that 2 power supplies on a switch in this price range is awesome and that is why I bought this. So funny not to be able to use it easily as a switch :wink:

  1. As a dumb switch, it should just work.
  2. It runs RoS, but can be used as a switch no problem - with all the functionalities. I’m using one CRS328 this way.
  3. As it runs RoS, You can connect using Winbox - and it works with or without IP. Just connect the computer to one of the switch ports, and see if Winbox can detect it.
  4. I don’t know this one - but several Mikrotiks have a fixed IP set. Use Winbox, and it will autodetect the unit, no problem.
  5. This unit has one management ethernet port. Have You tried using it? I have no experience with it, but I’m thinking if (out of the box) management is allowed only through it.

  1. Yeah, I was thinking that also. Direct replacement with “dumb” D-link switch (non-configured) works, but as soon as I put the two cables to Mikrotik, it just doesn’t work. It seems like default config is some kind of bridge and somehow, it doesn’t want to bridge WAN and LAN. The bridge created by default might have some limits or something..
  2. and 5. I can connect with it just fine through both winbox and web (even can connect with the app!) - with and without IP. But only on management port.. I have set it to fixed IP and can manage it remotely. But devices connected to ports on the switch can’t get out to the gateway/internet (or the other way). So management port works just fine, it is the 48 ports that are the issue :wink:

Could it be that I need to delete the default bridge it creates? While it suggests to create a bridge with all interfaces, maybe that is the problem?

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

https://www.amazon.ca/gp/product/B08ZW38C46/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1

Basically every post on that page shows far more complicated setup than I need. I don’t have any vlans and I want to group WAN and LAN on the bridge somehow, so that it behaves like a normal switch basically.

If your config does not work, it has an error.
Export it and show it to us.

So I go for option two: Use it with the default bridge setup. I just choose defaults and it says “all ports are switched”. Great! :slight_smile: That sounds exactly like I need. I connect my WAN and my LAN-cable at the datacenter to the switch - and nothing happens. No internet - there appears to be some bridge traffic, but seems like the actual internet port 1 has no traffic. I even reset the switch to factory default, get the message that by default, all ports are switched - and still no luck. I have tried to add the ip to the bridge interface, but no luck. Added NAT-rule for all outgoing traffic from bridge (masquerade) to my ISPs gw (even though it should not be needed if it was a switch): No luck.

I don’t know the device, but it should work if “all ports are switched” really does what it says. You should double check, and find one bridge, with all ethernet ports under tab-“ports” added to that bridge. An IP address can be given to the bridge for management, it has no influence on the payload traffic. If there is a default firewall setup the bridge should be part of the LAN “interface list”, to allow and track passing traffic, or the firewall rules should be disabled/removed. Changing firewall (e.g. NAT) or routing will not influence anything in the flow between the interfaces. The traffic never leaves the switches. RouterOS only knows one interface, and that’s the bridge. (all other interfaces are slave to the bridge)
Any VLAN will just be forwarded to all active ports. It’s just a dumb switch now.
What I don’t know is how the flow is between the switch chips, but it should not go over the CPU (and not use any of the RouterOS data manipulation or redirection).
https://i.mt.lv/cdn/product_files/CRS354-48G-4Splus2Qplus_200122.png

Management via the SFP interfaces was mentioned in the release notes and version discussion in the forum, for some CSS3xx switches AFAIK.

If it’s like most Mikrotik routers, with the default configuration, port 1 will be configured as the WAN port and everything else connected in a bridge. Therefore, all ports EXCEPT port 1 should be able to function as if it was a dumb switch. Make sure you are not trying to use port 1 until you change the configuration. As I recall, it will also act as a DHCP server on the bridge, and you will most likely need to disable that if you are going to use this just as a switch.

CRS switches have a different default configuration.
All ports bridged, and, if I remember correctly, a static IP assigned to that bridge.

So much for what I expected. Never played with a CRS in RouterOS. The only one I have was switched to SwitchOS on day one.

There isn’t LAN and WAN. It’s just a switch. You have a lot of ports, all of them attached to one bridge. That’s the default config.

I really didn’t understand what You wanted to say with “but as soon as I put the two cables to Mikrotik, it just doesn’t work”. Which two cables? To which Mikrotik? What is “doesn’t work”? What should happen, that didn’t?

Paste your config here, as already suggested, so we can take a look at it.

Reset the switch and start again. Before you connect it to a network…

On a laptop/PC, that you connect to the switch to set it up, manually set its IP to 192.168.88.2.
Log into the switch by browsing to 192.168.88.1 on the same machine.
Set the switch to DHCP auto.
Plug the switch into your network, it should be issued an IP. Done.

Remove “WAN” from /interface list

“interface=ether1 list=WAN” - - - Change this to LAN.

That should be the dumb switch that you’re wanting, with all ports on a single bridge. And you can connect it to the network.

Remove “WAN” from /interface list

“interface=ether1 list=WAN” - - - Change this to LAN.

Yes.

OR

Add ether1 to the bridge. Make sure the bridge is in the LAN interface list. The “interface list” where the (slave) interface belongs to doesn’t matter, if they are ports of the bridge. It’s cosmetically better to remove their membership, because it is confusing.

But as the OP speaks of WAN and LAN, it’s not clear if this is what the OP wants.

Does this make things more clear?

My needs are simply layer 2 on same network and not a single VLAN needed. Just pure switch.

At any time, if I just remove the Mikrotik-switch from this flow and replace it with a gigabit switch I had (I have reset it to default), all works with not a single config.

I suspect that somehow the router-part of the switch is blocking Port 1 from being on the bridge with Port 7 (and all other ports on the switch).

If I put my ISPs cable into the dedicated management port (Port 49), I have mikrotik on this static IP as shown in picture and no problem from a management perspective (but no use when the switch ports 1-48 don’t switch/broadcast). So it is just when putting my ISP on port 1 that nothing works. Port 7 does not get internet, server connected to port 7 does not travel upwards to port 1 to get Internet (it works if I put the ISP cable directly into server 1).

So it is like it is still working like a router - a router would block the flowchart attached and it would be normal for a router. But I need to have same network on both sides (same mask,gw) passed-through from the WAN-side (data center) to the LAN-side (basically all ports on mikrotik).

The default bridge (was there after reset) includes all ports (1-48), including port 1/ether 1 that has my internet (as you can see from the screenshots). So one gigantic bridge with total broadcast on all ports. From my point of view, the setup reflects all the feedback I have gotten here.

Now I’m beginning to think that I might have to put the switch as gw instead of my ISP on the server. Worth a try… Should not be needed if is a transparent bridge/switch as I have assumed, but maybe a special thing since this is combined router and switch.
config.txt (6.67 KB)
bridge-only.png
bridge2.png
setup.png

I prefer to avoid that “internet detect”. It changes your configuration. There is absolutely no need for “internet detect”.

If the connected ether ports remain disabled with the cable in, something is wrong with the cable or connector. (Did it snap in?).

I was desperate, so I just tried everything - I did change this when I saw that it didn’t work out of the box :wink: Since I use the same cable on a dlink-switch now until I get this fixed, it should rule out any cable errors (then I should see same there). I have also tried to put internet on port 2 and 3.. So it must be a config-mistake. I’m going back to data center today to try and plug everything back on. I will also try a reboot, maybe something is stuck. I just try to collect as much info as possible to see what I can try when I’m there again.

Ah, I understand what you see. But the port goes to enable when I connect it. This is just config from when it is not connected on port 1 or 7. I can add that once port 1 is connected, no traffic is shown to flow through it (it only shows bridge traffic), but at least it shows enabled.

Don’t call a port “WAN” just based on its number. My “Internet” port on a hEX Gr3 is ether4 - even with ether1 being the default WAN port. Mikrotik gives You almost infinite flexibility (that’s what we love on them!), so terminology is important - and not assuming that something is, is. It may very well not be.

So. This IS a switch. It has some low capacity router abilities. But it’s a switch. Its default config is to put ALL ports (I think all but the management port) on one single bridge. With this config it works as a dumb switch - at least it should work as one.

In order to understand what is going on, the easiest way is for You to show us the export. It will have all the configs listed. Just open a terminal on the device, and do an “export hide-sensitive file=whatever”

Copy the contents of the file and post here as code. Doing this, we can see where Your config stands and stop the guessing game.

I uploaded the config file in previous post.

I’ll add it here for ease.

Note #1: Since I’m operating with fixed public IPs and not local private ips, there is a bit work involved to remove that information from the config-file. So the places with XX or GWIP is my masking of the real IP addresses.

Note #2: This shows config while not having connected anything to it, since I can’t afford downtime. So my management-port is set to WAN (port 49) in this case, so that I was able to remotely connect to it and edit config. But shouldn’t matter, it shows the config correctly I think. I added trusted to port 1 and others as you see from config, just to see if that changed things.

# model = CRS354-48G-4S+2Q+
# serial number = 
/interface bridge
add admin-mac=08:55:31:BB:13:B5 auto-mac=no comment=defconf name=bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool1 ranges=10.10.0.60-10.10.10.90
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge name=server1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 trusted=yes
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13 trusted=yes
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=ether25
add bridge=bridge comment=defconf interface=ether26
add bridge=bridge comment=defconf interface=ether27
add bridge=bridge comment=defconf interface=ether28
add bridge=bridge comment=defconf interface=ether29
add bridge=bridge comment=defconf interface=ether30
add bridge=bridge comment=defconf interface=ether31
add bridge=bridge comment=defconf interface=ether32
add bridge=bridge comment=defconf interface=ether33
add bridge=bridge comment=defconf interface=ether34
add bridge=bridge comment=defconf interface=ether35
add bridge=bridge comment=defconf interface=ether36
add bridge=bridge comment=defconf interface=ether37
add bridge=bridge comment=defconf interface=ether38
add bridge=bridge comment=defconf interface=ether39
add bridge=bridge comment=defconf interface=ether40
add bridge=bridge comment=defconf interface=ether41
add bridge=bridge comment=defconf interface=ether42
add bridge=bridge comment=defconf interface=ether43
add bridge=bridge comment=defconf interface=ether44
add bridge=bridge comment=defconf interface=ether45
add bridge=bridge comment=defconf interface=ether46
add bridge=bridge comment=defconf interface=ether47
add bridge=bridge comment=defconf interface=ether48
add bridge=bridge comment=defconf interface=ether49
add bridge=bridge comment=defconf interface=qsfpplus1-1
add bridge=bridge comment=defconf interface=qsfpplus1-2
add bridge=bridge comment=defconf interface=qsfpplus1-3
add bridge=bridge comment=defconf interface=qsfpplus1-4
add bridge=bridge comment=defconf interface=qsfpplus2-1
add bridge=bridge comment=defconf interface=qsfpplus2-2
add bridge=bridge comment=defconf interface=qsfpplus2-3
add bridge=bridge comment=defconf interface=qsfpplus2-4
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether49 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=ether25 list=LAN
add interface=ether26 list=LAN
add interface=ether27 list=LAN
add interface=ether28 list=LAN
add interface=ether29 list=LAN
add interface=ether30 list=LAN
add interface=ether31 list=LAN
add interface=ether32 list=LAN
add interface=ether33 list=LAN
add interface=ether34 list=LAN
add interface=ether35 list=LAN
add interface=ether36 list=LAN
add interface=ether37 list=LAN
add interface=ether38 list=LAN
add interface=ether39 list=LAN
add interface=ether40 list=LAN
add interface=ether41 list=LAN
add interface=ether42 list=LAN
add interface=ether43 list=LAN
add interface=ether44 list=LAN
add interface=ether45 list=LAN
add interface=ether46 list=LAN
add interface=ether47 list=LAN
add interface=ether48 list=LAN
add interface=qsfpplus1-1 list=LAN
add interface=qsfpplus1-2 list=LAN
add interface=qsfpplus1-3 list=LAN
add interface=qsfpplus1-4 list=LAN
add interface=qsfpplus2-1 list=LAN
add interface=qsfpplus2-2 list=LAN
add interface=qsfpplus2-3 list=LAN
add interface=qsfpplus2-4 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=XX/26 comment=defconf interface=bridge network=\
    XX
add address=XX/26 interface=bridge network=XX
add address=XX/24 comment=LocalAdmin interface=bridge network=\
    XX
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add dns-server=8.8.8.8 gateway=XXXX
/ip dns
set servers=XXX,XX
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge
add action=masquerade chain=srcnat dst-address=GWIP
/ip route
add gateway=GWIP
/ipv6 address
add address=XXX interface=bridge
/ppp secret
add name=vpn

/system routerboard settings
set boot-os=router-os

Does this mean anything? I have tried to click Switch all ports, but after a while, the checkmark disappears (maybe because it is redundant since all ports are in bridge)?
switch-config.png

Pfff … if you want a switch, config it as a switch, not as a router please.


/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

Wireless ??? No need for wireless.

/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool1 ranges=10.10.0.60-10.10.10.90
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge name=server1

No need for a DHCP server on a switch

/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn

PPP is for a router


/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes

No need for this


/interface list member
add interface=ether49 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=ether25 list=LAN
add interface=ether26 list=LAN
add interface=ether27 list=LAN
add interface=ether28 list=LAN
add interface=ether29 list=LAN
add interface=ether30 list=LAN
add interface=ether31 list=LAN
add interface=ether32 list=LAN
add interface=ether33 list=LAN
add interface=ether34 list=LAN
add interface=ether35 list=LAN
add interface=ether36 list=LAN
add interface=ether37 list=LAN
add interface=ether38 list=LAN
add interface=ether39 list=LAN
add interface=ether40 list=LAN
add interface=ether41 list=LAN
add interface=ether42 list=LAN
add interface=ether43 list=LAN
add interface=ether44 list=LAN
add interface=ether45 list=LAN
add interface=ether46 list=LAN
add interface=ether47 list=LAN
add interface=ether48 list=LAN
add interface=qsfpplus1-1 list=LAN
add interface=qsfpplus1-2 list=LAN
add interface=qsfpplus1-3 list=LAN
add interface=qsfpplus1-4 list=LAN
add interface=qsfpplus2-1 list=LAN
add interface=qsfpplus2-2 list=LAN
add interface=qsfpplus2-3 list=LAN
add interface=qsfpplus2-4 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN

Useless, these interfaces have no membership, only the bridge has membership. And the LAN or WAN list is nowhere used in this config.

/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes

Router level again


/ip dhcp-server network
add dns-server=8.8.8.8 gateway=XXXX

Is for the not needed DHCP server


/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge
add action=masquerade chain=srcnat dst-address=GWIP

Traffic does not pass the firewall. And even then you would masquerade way too much (out-interface=bridge is everything!)

/ip route
add gateway=GWIP
/ipv6 address
add address=XXX interface=bridge

Only for management of the switch (and possible firmware download from the internet)

/ppp secret
add name=vpn

VPN is router level

And … you touched the Switch menu. Be aware that either you do everything in Bridge (and nothing in Switch), or just add all interfaces to the bridge (nothing else), and do the config in the Switch menu only. This “Smart switch” mode is activated/deactivated with the “VLAN filtering” in the defined bridge, but be VERY CAREFUL to not lock yourself out when activated!
Klembord-2.jpg
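
The line-by-line review in the post above can be automated. This is an added example, not code from the thread or from MikroTik: it parses a RouterOS `export` and flags the router-level items that reply calls out (VPN servers, DHCP server, detect-internet, NAT rules, bridge ports listed in interface lists), which on a switch reachable over a public IP are also unneeded exposed services. The sample export is constructed, and the names `parse_export`, `audit` and the rule set are assumptions of this example.

```python
import re

# Constructed sample: a trimmed RouterOS export shaped like the one posted in the thread.
SAMPLE_EXPORT = r"""
/interface bridge
add admin-mac=00:00:5E:00:53:01 auto-mac=no comment=defconf name=bridge
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge name=server1
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 trusted=yes
add bridge=bridge comment=defconf interface=ether2
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether49 list=WAN
add interface=ether1 list=LAN
/interface pptp-server server
set enabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge
"""

VPN_SERVERS = {"/interface l2tp-server server",
               "/interface pptp-server server",
               "/interface sstp-server server"}

def parse_export(text):
    """Return [(menu_path, command, {key: value})] from a RouterOS export."""
    entries, path, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):      # export wraps long lines with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):     # a new menu path such as "/ip dhcp-server"
            path = line
            continue
        cmd, _, rest = line.partition(" ")
        entries.append((path, cmd, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', rest))))
    return entries

def audit(entries):
    """Flag router-level settings that a plain layer-2 switch does not need."""
    ports = {p["interface"] for path, _, p in entries
             if path == "/interface bridge port" and "interface" in p}
    findings = []
    for path, cmd, p in entries:
        if path in VPN_SERVERS and p.get("enabled") == "yes":
            findings.append((path, "VPN server listening; router-level service"))
        elif path == "/ip dhcp-server" and cmd == "add" and p.get("disabled", "no") == "no":
            findings.append((path, f"DHCP server {p.get('name')} active on {p.get('interface')}"))
        elif path == "/interface detect-internet" and p.get("detect-interface-list", "none") != "none":
            # assumption: "none" is the setting that leaves detect-internet off
            findings.append((path, "detect-internet is on and may rewrite the configuration"))
        elif path == "/ip firewall nat" and cmd == "add":
            findings.append((path, "NAT rule present; bridged traffic never reaches it"))
        elif path == "/interface list member" and p.get("interface") in ports:
            findings.append((path, f"{p['interface']} is a bridge port; list the bridge instead"))
    return findings

if __name__ == "__main__":
    for path, message in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{path}: {message}")
```
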