Most devices on Ether2, one new device on Ether3 can't communicate

I’ve got my basic set up working, after several wipes and restarts. I hit a snag when I went to add one new device.

Everything is on a switch going to two WIFI APs and wired devices, and the switch is plugged in to Ether2 port. WAN is on sfp1 and everything can get out to the internet okay. I added a raspberry pi to ether3 to use, and cannot reach it in any way. I’m sure it’s a config setting I’m missing, but I’m just not seeing the solution. Can anyone take a look and help? I don’t really need multiple VLANs right now, I will probably segregate the IoT devices eventually, but I don’t need to yet.

# 2024-09-18 14:31:38 by RouterOS 7.15.3
# software id = 8ERR-9RKF
#
# model = RB760iGS
# serial number = xxxx
# LAN bridge with a fixed admin MAC. DHCP snooping, DHCP Option 82 insertion and
# IGMP snooping are all switched on here, yet none of the bridge ports added
# further down is marked trusted=yes.
# NOTE(review): confirm snooping/Option 82 are really wanted on a single flat LAN;
# with snooping on, DHCP server replies are expected only from trusted ports.
/interface bridge
add add-dhcp-option82=yes admin-mac=78:9A:18:63:E9:A7 auto-mac=no comment=defconf dhcp-snooping=yes igmp-snooping=yes name=bridge
# ether1 and sfp1 are both overridden to the same MAC address
# (BC:9A:8E:B4:AE:B0); ether1 is a bridge (LAN) port below and sfp1 is the WAN.
/interface ethernet
set [ find default-name=ether1 ] mac-address=BC:9A:8E:B4:AE:B0
set [ find default-name=sfp1 ] auto-negotiation=no mac-address=BC:9A:8E:B4:AE:B0
# VLAN interface for VLAN ID 1 on top of the bridge. The bridge line above does
# not set vlan-filtering, and no IP address, DHCP server or interface-list entry
# in this export refers to vlan1.
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
# The two interface lists that the firewall and management restrictions key off.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# DHCP server bound to the bridge; add-arp=yes asks it to add ARP entries for
# the leases it hands out.
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp interface=bridge name=defconf
# NOTE(review): auto-media-sharing and auto-smb-sharing are enabled with the
# bridge as the media interface; presumably any attached storage is shared to
# the LAN automatically - confirm this is intended, otherwise turn both off.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
# Bridge membership: ether1-ether5 are all active LAN ports. sfp1 is also listed
# but disabled=yes, so it stays outside the bridge and keeps acting as the
# routed WAN port (it carries the DHCP client and the WAN list membership).
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge interface=ether1
# Neighbor discovery is limited to interfaces in the LAN list, so the router
# does not announce itself on the WAN port.
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=1
# All four Detect Internet lists are set to "all", i.e. the feature runs on
# every interface.
# NOTE(review): Detect Internet is known to add dynamic configuration of its
# own; confirm it is needed, otherwise set detect-interface-list=none.
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all wan-interface-list=all
# Only the bridge is in LAN and only sfp1 is in WAN. Every firewall rule that
# uses in-interface-list / out-interface-list depends on these two entries.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
# ARP entries as exported. 192.168.88.245 is tied to 52:54:00:6C:CA:19 here,
# while the DHCP lease further down assigns the same address to
# 52:54:00:A2:4E:B7 - two different MACs for the address used as DNS server.
/ip arp
add address=192.168.88.245 comment=Pi-Hole interface=bridge mac-address=52:54:00:6C:CA:19
add address=192.168.88.229 comment=Tower interface=bridge mac-address=A8:A1:59:DA:FF:E4
add address=192.168.88.247 comment=Desktop interface=bridge mac-address=52:54:00:0B:2C:E9
add address=192.168.88.216 comment="WiFi AP" interface=bridge mac-address=88:DC:96:9D:25:DD
add address=192.168.88.217 comment="WiFi AP" interface=bridge mac-address=88:DC:96:9D:25:E6
add address=192.168.88.42 comment=ezMaster interface=bridge mac-address=52:54:00:78:EF:14
add address=192.168.88.198 comment=Printer interface=bridge mac-address=38:63:BB:D9:59:B8
add address=192.168.88.203 comment=Voron interface=bridge mac-address=E4:5F:01:44:06:82
# WAN address is obtained by DHCP on sfp1.
/ip dhcp-client
add comment=defconf interface=sfp1
# Static leases. The first one hands 192.168.88.245 to a MAC that differs from
# the ARP entry for the same address above.
/ip dhcp-server lease
add address=192.168.88.245 client-id=ff:56:50:4d:98:0:2:0:0:ab:11:a4:37:ed:f0:57:61:62:11 mac-address=52:54:00:A2:4E:B7 server=defconf
add address=192.168.88.203 client-id=1:e4:5f:1:44:6:82 mac-address=E4:5F:01:44:06:82 server=defconf
add address=192.168.88.198 client-id=1:38:63:bb:d9:59:b8 mac-address=38:63:BB:D9:59:B8 server=defconf
# DHCP clients receive 192.168.88.245 as their only DNS server and the router
# as gateway; if that host is down, clients lose name resolution.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.245 gateway=192.168.88.1
# allow-remote-requests=yes makes the router answer DNS queries from the
# network. In this export the IPv4 and IPv6 input chains both end with a drop
# for traffic not coming from the LAN list, which is what keeps the resolver
# from being reachable on the WAN side - keep those rules if this stays on.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter rules; they are evaluated top to bottom within each chain.
/ip firewall filter
# Sits at the very top: accepts UDP/51820 forwarded from sfp1 to the bridge for
# ANY destination host and any connection state. The last forward rule only
# drops new WAN traffic that was not dst-NATed, so traffic matched by the
# 51820 dst-nat rule would already be allowed without this rule.
add action=accept chain=forward dst-port=51820 in-interface=sfp1 out-interface=bridge protocol=udp
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Accepts everything from LAN interfaces to the router, and does so before the
# invalid-state drop below, so that drop never applies to LAN traffic.
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: anything that did not arrive on a LAN-list interface is
# dropped. This is the rule that shields router services from the WAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Drops new connections from WAN unless a dst-nat rule matched them. There is
# no catch-all drop after this, so everything else that reaches the end of the
# forward chain (e.g. LAN-originated traffic) is accepted.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving via a WAN-list interface (except traffic
# that matches an IPsec policy).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Two port forwards to 192.168.88.229. Neither has a src-address or
# src-address-list matcher, so both services are reachable from any host that
# can reach the WAN address: UDP 51820 and TCP 44773 (mapped to port 2443).
add action=dst-nat chain=dstnat comment=wireguard dst-port=51820 in-interface-list=WAN protocol=udp to-addresses=192.168.88.229 to-ports=51820
add action=dst-nat chain=dstnat comment="unraid connect" dst-port=44773 in-interface-list=WAN protocol=tcp to-addresses=192.168.88.229 to-ports=2443
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# NAT-PMP is enabled with the bridge as internal and sfp1 as external
# interface, so hosts on the LAN can request inbound port mappings on the WAN
# side themselves. Disable it unless a device genuinely depends on it.
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=bridge type=internal
add interface=sfp1 type=external
# UPnP is enabled as well; no "/ip upnp interfaces" section appears in this
# export.
# NOTE(review): allow-disable-external-interface=yes - as documented for
# RouterOS this lets a UPnP client switch off the external interface without
# authentication; confirm, and set enabled=no if UPnP is not required.
/ip upnp
set allow-disable-external-interface=yes enabled=yes
# Address list of IPv6 ranges that should never appear as a routed source or
# destination; it is used by the two bad_ipv6 drop rules in the forward chain.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter rules; every rule carries the defconf comment.
/ipv6 firewall filter
# --- input chain: ICMPv6, UDP traceroute ports, DHCPv6 client replies from
# link-local sources, IKE and IPsec AH/ESP are accepted from any interface;
# the last input rule drops whatever else did not come from the LAN list.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# --- forward chain: unlike the IPv4 forward chain, this one ends with an
# explicit drop of everything not coming from the LAN list, so unsolicited
# inbound IPv6 is refused unless one of the accepts above it matches.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
# IP protocol number 139, labelled HIP by the rule's own comment.
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Los_Angeles
/system note
set show-at-login=no
# Layer-2 management access (the MAC server and MAC-WinBox) is restricted to
# interfaces in the LAN list, so it is not offered on the WAN port.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I cannot see anything obvious at first sight, but I am a bit perplexed by your static ARP settings. It seems to me that you risk a conflict between your static ARP entries and your DHCP leases; I am not sure that this is “right”:

/ip arp
add address=192.168.88.245 comment=Pi-Hole interface=bridge mac-address=52:54:00:6C:CA:19

Isn’t the same 192.168.88.245 IP leased to another MAC?

/ip dhcp-server lease
add address=192.168.88.245 client-id=ff:56:50:4d:98:0:2:0:0:ab:11:a4:37:ed:f0:57:61:62:11 mac-address=52:54:00:A2:4E:B7 server=defconf

I haven’t manually added anything to the ARP, just exported what was there. That pihole is a VM I set up until I could get an actual pi up and running. Possibly when I killed the VM and remade it, a new MAC was generated and I sent it to the same IP.

I’ve cleaned up the duplicate entries.

Further, I tested the pi on a dumb switch that is on the first Ethernet port and it works fine. I should try one of the other ports, maybe I just have a dead port.

Why did you create VLAN interface with ID 1 ??? That VLAN is already running in the background.

Also how do you have internet access if sfp1 is set to disabled=yes ?

Also you should disable detect internet option.

Ether1 and sfp1 have same mac address.

When you connect device to ether3 do you see link goes up and it negotiates link speed ?

That was the default, I’ve changed it to 100

Also how do you have internet access if sfp1 is set to disabled=yes ?

I believe that was as part of the bridge. It was posted as a bridge device, but disabled. Sfp1 is active and working. I’ve removed the entry from the bridge group.

Also you should disable detect internet option

Done.

Ether1 and sfp1 have same mac address.

Whoops, fixed.

When you connect device to ether3 do you see link goes up and it negotiates link speed ?

On the interface tab it shows 512 bps transfer, as opposed to mbps or kbps, after about 10 minutes it will have one packet counted as sent. When plugged in, the port does activate, and negotiate 100M speed.

I also checked and the same happens on all of the other ports.

You created VLAN interface but you still won’t use it ? There is no VLAN filtering enabled on the bridge and I don’t see any port untagged for that VLAN.

Do your devices get an IP address from the DHCP server when connected to the other ports?

No, nothing gets an IP via DHCP on any other port.

I’m not sure on the VLAN set up, I’ve read the page on it and I’m not getting it. I don’t need multiple VLANS, everything just needs to be in one group, shouldn’t VLAN filtering not be needed in that case?

Then use default configuration, don’t mess with the settings you don’t understand yet or don’t need right now.

Also I noticed you have port forward for wireguard and also forward rule for it.

My advice, reset configuration with default one and don’t add functions you don’t need right now. VLAN config is useless, port forward and fw rule for wireguard is useless and it’s adding confusion. You have DHCP snooping, IGMP snooping, DHCP option 82 enabled, you messed with arp, with MAC addresses.

Then, when you confirm everything is working as it should start adding functions.