Need help to understand why allow only VLAN tagged breaks connection [SOLVED]

Hi.

I have tried to analyse this but I can’t find out what I am doing wrong. I would like to activate allow only VLAN tagged on my Hex S router on port 4 - but when I do so I lose the connection between the Hex S router and the Hex PoE configured as a switch. The two devices are connected with a trunk from Hex S port 4 to Hex PoE SFP port. Hex PoE SFP already has ‘ALLOW ONLY VLAN TAGGED’, so I think the configuration that breaks the link must be in the Hex PoE, because the connection only breaks when I set port 4 on the Hex S to ‘ALLOW ONLY VLAN TAGGED’.

I would greatly appreciate knowing what I am doing wrong. I am aware that my firewall rules are not that good - I’m a novice.

If I torch the interfaces on both the Hex S and on the Hex PoE it just seems that only tagged traffic is coming through. I just can’t find the thing that breaks it.


My config for the Hex S:

# jul/24/2022 15:36:36 by RouterOS 7.4
# software id = 6EGA-GY7S
#
# model = RB760iGS
# serial number = A36A0BF2D178
/interface bridge
# frame-types and a fixed admin-mac are set on the bridge interface itself.
# frame-types on the bridge applies to the bridge's own CPU-facing port; reply
# (1) in the thread advises leaving that at its default and classifying
# trunk/access/hybrid ports via /interface bridge port instead.
add admin-mac=C4:AD:34:E4:DB:3F auto-mac=no comment=defconf frame-types=\
    admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface vlan
# Management rides on VLAN 1, which is also the default pvid of every bridge
# port below that carries no explicit pvid (ether4, ether5, sfp1). Untagged
# frames arriving on those ports therefore enter the management VLAN; reply (2)
# recommends a dedicated management VLAN id for exactly this reason.
add interface=bridge name=vlan1-mgmt vlan-id=1
add interface=bridge name=vlan2-HomeVLAN vlan-id=2
add interface=bridge name=vlan3-HomeWifiVLAN vlan-id=3
add interface=bridge name=vlan10-ServerVLAN vlan-id=10
add interface=bridge name=vlan20-OfficeVLAN vlan-id=20
add interface=bridge name=vlan30-LabVLAN vlan-id=30
add interface=bridge name=vlan40-OnlyLocalVLAN vlan-id=40
/interface list
# LAN includes the L2TP-clients-external list, so any interface placed there
# inherits every in-interface-list=LAN accept rule in the firewall below.
add comment=defconf name=WAN
add name=L2TP-clients-external
add comment=defconf include=L2TP-clients-external name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
# Default proposal tightened to SHA-256 / AES-256-CBC; the L2TP server further
# down runs with use-ipsec=required.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip pool
# pool-LabVLAN hands out 172.132.1.x. 172.132.0.0 is outside RFC 1918
# (172.16.0.0/12 ends at 172.31.255.255), so this is somebody else's public
# range and hosts placed here will shadow it.
# L2TP pools: .30-.50 for the external profile, .2-.29 for "Hathor L2TP".
add name=pool-mgmt ranges=10.0.0.10-10.0.0.50
add name=pool-HomeVLAN ranges=192.168.1.10-192.168.1.254
add name=pool-ServerVLAN ranges=192.168.0.10-192.168.0.254
add name=pool-OfficeVLAN ranges=192.168.2.10-192.168.2.254
add name=pool-LabVLAN ranges=172.132.1.10-172.132.1.254
add name=L2TP-vpn-pool-external ranges=172.20.30.30-172.20.30.50
add name=L2TP-vpn-pool-internal ranges=172.20.30.2-172.20.30.29
add name=pool-OnlyLocalVLAN ranges=192.168.3.10-192.168.3.254
add name=pool-HomeWiFiVLAN ranges=192.168.4.20-192.168.4.254
/ip dhcp-server
# lease-time=1m is unusually short: clients renew every ~30 s, which inflates
# DHCP traffic and log noise. Only dhcp-HomeWiFiVLAN keeps the default lease.
add address-pool=pool-HomeVLAN interface=vlan2-HomeVLAN lease-time=1m name=\
    dhcp-HomeVLAN
add address-pool=pool-ServerVLAN interface=vlan10-ServerVLAN lease-time=1m \
    name=dhcp-ServerVLAN
add address-pool=pool-OfficeVLAN interface=vlan20-OfficeVLAN lease-time=1m \
    name=dhcp-OfficeVLAN
add address-pool=pool-LabVLAN interface=vlan30-LabVLAN lease-time=1m name=\
    dhcp-LabVLAN
add address-pool=pool-mgmt interface=vlan1-mgmt lease-time=1m name=dhcp-mgmt
add address-pool=pool-OnlyLocalVLAN interface=vlan40-OnlyLocalVLAN \
    lease-time=1m name=dhcp-OnlyLocal
add address-pool=pool-HomeWiFiVLAN interface=vlan3-HomeWifiVLAN name=\
    dhcp-HomeWiFiVLAN
/port
set 0 name=serial0
/ppp profile
# The built-in default profile (*0) has been altered to hand out the external
# L2TP pool; the L2TP server below actually uses "Hathor L2TP".
set *0 dns-server=192.168.1.1 local-address=172.20.30.1 only-one=yes \
    remote-address=L2TP-vpn-pool-external use-ipv6=no use-upnp=no
# bridge=bridge adds each PPP interface to the VLAN-filtering bridge as a
# dynamic port with no pvid given, presumably default pvid 1 = management VLAN
# (reviewer note - confirm this is intended; a routed VPN normally needs no
# bridge=). use-encryption=yes makes MPPE optional, whereas "Hathor L2TP"
# requires it; with L2TP forced over IPsec the difference is largely moot.
add bridge=bridge change-tcp-mss=yes dns-server=192.168.1.1 local-address=\
    172.20.30.1 name=L2TP-VPN-external only-one=no remote-address=\
    L2TP-vpn-pool-external use-encryption=yes use-ipv6=no use-upnp=no
# interface-list=LAN makes every client of this profile a LAN interface for
# the firewall and address-list=LOCAL adds its address to LOCAL, so VPN users
# get the same LAN->LAN reach as wired hosts.
add address-list=LOCAL bridge=bridge change-tcp-mss=yes dns-server=\
    192.168.1.1 interface-list=LAN local-address=172.20.30.1 name=\
    "Hathor L2TP" only-one=no remote-address=L2TP-vpn-pool-internal \
    use-encryption=required use-ipv6=no use-upnp=no
/interface bridge port
add bridge=bridge comment="Ubiquity US-8-150 trunk" frame-types=\
    admit-only-vlan-tagged interface=ether2
add bridge=bridge comment="Mirror port af WAN til loft" frame-types=\
    admit-only-vlan-tagged interface=ether3
# ether4 is the port the question is about. It still admits untagged frames
# (no frame-types, ingress-filtering=no) on the default pvid 1 = management
# VLAN. The Hex PoE export below binds its 10.0.0.15 address directly to its
# sfp1 bridge port rather than to vlan1-mgmt, so its management frames
# presumably arrive here untagged - which admit-only-vlan-tagged would drop.
# Worth verifying before looking anywhere else.
add bridge=bridge comment="Hex PoE trunk" ingress-filtering=no interface=\
    ether4
# ether5 and sfp1 keep the defaults: untagged frames are accepted into VLAN 1
# (management), and ingress-filtering=no disables the check that a tagged
# frame's VLAN must be one the port is a member of.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/interface bridge settings
# Passes bridged VLAN traffic through the IP firewall; reply (3) in the thread
# notes this is rarely needed, and nothing in /ip firewall here relies on it.
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
# LAN contains the bridge interface itself (see /interface list member), so
# MNDP/LLDP is announced on every bridge port.
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is disabled, so the /ipv6 firewall sections later in this export are
# inert until that changes.
set disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface bridge vlan
# Trunk membership: ether4 carries 1,2,10,20,30,40 (the Hex PoE side below
# matches and likewise has no VLAN 3); ether2 carries 1,2,3; ether3 1,2,10,20.
# ether5 is only a tagged member of VLAN 1, yet its bridge-port entry admits
# untagged frames - an untagged host there ends up in management via pvid 1.
add bridge=bridge comment="MGMT 10.0.0.1/24" tagged=\
    bridge,ether2,ether4,ether5,ether3 vlan-ids=1
add bridge=bridge comment="HomeVLAN 192.168.1.1/24" tagged=\
    bridge,ether2,ether4,ether3 vlan-ids=2
add bridge=bridge comment="ServerVLAN 192.168.0.1/24" tagged=\
    bridge,ether3,ether4 vlan-ids=10
add bridge=bridge comment="OfficeVLAN 192.168.2.1/24" tagged=\
    bridge,ether3,ether4 vlan-ids=20
add bridge=bridge comment="LabVLAN 172.132.1.1/24" tagged=bridge,ether4 \
    vlan-ids=30
add bridge=bridge comment="OnlyLocalVLAN 192.168.3.1/24" tagged=bridge,ether4 \
    vlan-ids=40
add bridge=bridge comment="HomeWiFiVLAN 192.168.4.1/24" tagged=bridge,ether2 \
    vlan-ids=3
/interface l2tp-server server
# use-ipsec=required: plain L2TP is refused. The IPsec pre-shared key is not
# shown by a non-sensitive export.
set default-profile="Hathor L2TP" enabled=yes use-ipsec=required
/interface list member
# The bridge interface itself is a LAN member (reply (4) says to drop it).
# Besides matching in-interface-list=LAN rules for untagged/VLAN-1 traffic, it
# widens /tool mac-server and neighbor discovery to every bridge port.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=MGMT interface=vlan1-mgmt list=LAN
add comment=HomeVLAN interface=vlan2-HomeVLAN list=LAN
add comment=ServerVLAN interface=vlan10-ServerVLAN list=LAN
add comment=OfficeVLAN interface=vlan20-OfficeVLAN list=LAN
add comment=LabVLAN interface=vlan30-LabVLAN list=LAN
add comment="HikVision + other stuff no internet VLAN " interface=\
    vlan40-OnlyLocalVLAN list=LAN
add comment=HomeWiFiVLAN interface=vlan3-HomeWifiVLAN list=LAN
/interface ovpn-server server
# Allowed HMAC list includes md5 (and sha1); prefer sha256 if this server is
# ever switched on - the export shows no enabled=yes for it.
set auth=sha1,md5
/ip address
add address=10.0.0.1/24 comment=mgmtVLAN interface=vlan1-mgmt network=\
    10.0.0.0
add address=192.168.1.1/24 comment=HomeVLAN interface=vlan2-HomeVLAN network=\
    192.168.1.0
add address=192.168.0.1/24 comment=ServerVLAN interface=vlan10-ServerVLAN \
    network=192.168.0.0
add address=192.168.2.1/24 comment=OfficeVLAN interface=vlan20-OfficeVLAN \
    network=192.168.2.0
# 172.132.1.0/24 is public (non-RFC 1918) address space - see /ip pool.
add address=172.132.1.1/24 comment=LabVLAN interface=vlan30-LabVLAN network=\
    172.132.1.0
# Disabled leftover bound to an interface id (*F00000) that no longer resolves.
add address=172.20.30.1/24 comment="Segment for VPN" disabled=yes interface=\
    *F00000 network=172.20.30.0
# The next two entries are labelled OfficeVLAN but belong to HomeWifiVLAN and
# OnlyLocalVLAN respectively.
add address=192.168.4.1/24 comment=OfficeVLAN interface=vlan3-HomeWifiVLAN \
    network=192.168.4.0
add address=192.168.3.1/24 comment=OfficeVLAN interface=vlan40-OnlyLocalVLAN \
    network=192.168.3.0
/ip dhcp-client
# WAN address obtained via DHCP on ether1.
add comment=defconf interface=ether1
/ip dhcp-server lease
# Static leases keyed by MAC/client-id. They pin addresses for convenience but
# are not an access control: the firewall's LAN rules match interface lists,
# not these MACs, and a MAC is trivially changed by the client.
add address=192.168.1.4 client-id=1:18:e8:29:e6:87:c6 comment=\
    "Unifi UAP AC PRO" mac-address=18:E8:29:E6:87:C6 server=dhcp-HomeVLAN
add address=10.0.0.10 client-id=1:8:55:31:e:cf:e6 comment="CRS112 POE" \
    mac-address=08:55:31:0E:CF:E6 server=dhcp-mgmt
add address=192.168.1.187 client-id=1:dc:a6:32:18:a1:4a comment=\
    "LibreElec KODI sovev\E6relse, RPI 4" mac-address=DC:A6:32:18:A1:4A \
    server=dhcp-HomeVLAN
add address=192.168.0.12 client-id=1:52:54:0:81:70:35 comment=\
    "Ubuntu VM Unifi controller" mac-address=52:54:00:81:70:35 server=\
    dhcp-ServerVLAN
# The Hex PoE's management lease; note that device also has a static 10.0.0.15
# bound to its sfp1 port in its own export below.
add address=10.0.0.15 client-id=1:c4:ad:34:25:3:7c comment="Hex PoE" \
    mac-address=C4:AD:34:25:03:7C server=dhcp-mgmt
add address=192.168.3.5 client-id=1:98:df:82:52:11:72 comment=\
    "HikVision CAM - terrassed\F8r" mac-address=98:DF:82:52:11:72 server=\
    dhcp-OnlyLocal
add address=192.168.3.2 client-id=1:84:9a:40:54:31:8 comment="HikVision NVR" \
    mac-address=84:9A:40:54:31:08 server=dhcp-OnlyLocal
add address=192.168.3.3 client-id=1:80:7c:62:df:1a:17 comment=\
    "HikVision CAM - forhave" mac-address=80:7C:62:DF:1A:17 server=\
    dhcp-OnlyLocal
add address=192.168.0.9 client-id=1:b8:27:eb:78:12:4f comment=\
    "Unify controller PI3" mac-address=B8:27:EB:78:12:4F server=\
    dhcp-ServerVLAN
add address=192.168.0.11 client-id=1:0:4:23:e5:65:ad comment=\
    "Unraid BR2 -> Hex S port 3 direct cable." mac-address=00:04:23:E5:65:AD \
    server=dhcp-ServerVLAN
add address=192.168.1.12 client-id=1:84:a9:3e:97:ed:c1 comment="HP printer" \
    mac-address=84:A9:3E:97:ED:C1 server=dhcp-HomeVLAN
add address=10.0.0.5 client-id=1:74:83:c2:7d:f4:13 comment=\
    "Unifi switch US-8-150" mac-address=74:83:C2:7D:F4:13 server=dhcp-mgmt
/ip dhcp-server network
# All VLANs except HomeVLAN and the VPN network point clients at the router's
# own resolver (192.168.1.1); HomeVLAN and VPN clients are handed external
# resolvers directly and bypass it.
add address=10.0.0.0/24 comment=mgmtVLAN dns-server=192.168.1.1 gateway=\
    10.0.0.1 netmask=24
add address=172.20.30.0/24 comment="VPN Network" dns-server=\
    208.67.222.222,208.67.220.220 gateway=172.20.30.1 netmask=24
add address=172.132.1.0/24 comment=LabVLAN dns-server=192.168.1.1 gateway=\
    172.132.1.1 netmask=24
add address=192.168.0.0/24 comment=ServerVLAN dns-server=192.168.1.1 gateway=\
    192.168.0.1 netmask=24
add address=192.168.1.0/24 comment=HomeVLAN dns-server=\
    208.67.222.222,8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 comment=OfficeVLAN dns-server=192.168.1.1 gateway=\
    192.168.2.1 netmask=24
add address=192.168.3.0/24 comment=OnlyLocalVLAN dns-server=192.168.1.1 \
    gateway=192.168.3.1 netmask=24
add address=192.168.4.0/24 comment="HomeWiFiVLAN " dns-server=192.168.1.1 \
    gateway=192.168.4.1
/ip dns
# allow-remote-requests=yes answers DNS on every interface; exposure towards
# the WAN is prevented only by the input-chain "drop all not coming from LAN"
# rule in /ip firewall filter.
set allow-remote-requests=yes servers=8.8.8.8,208.67.222.222,8.8.4.4
/ip dns static
# Stale default: no 192.168.88.1 address exists on this router any more, so
# router.lan resolves to two addresses, one of them unreachable.
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
# LOCAL drives the LOCAL->LOCAL accept rules below and the VPN profile.
# 192.168.100.0/24 matches no subnet on this router; 10.0.0.0/8 is disabled,
# so the management subnet is NOT in LOCAL; 172.132.1.0/24 is public space.
add address=172.20.30.1-172.20.30.50 list=LOCAL
add address=192.168.0.0/24 list=LOCAL
add address=192.168.1.0/24 list=LOCAL
add address=192.168.100.0/24 list=LOCAL
add address=172.132.1.0/24 list=LOCAL
add address=192.168.2.0/24 list=LOCAL
add address=10.0.0.0/8 disabled=yes list=LOCAL
add address=172.132.1.0/24 list=Servers-LAB
add address=192.168.3.0/24 list=LOCAL
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# L2TP/IPsec from the WAN port. log=yes on an accept rule logs every packet
# that reaches it, not just new connections - expect log volume.
add action=accept chain=input in-interface=ether1 log=yes log-prefix=\
    "IPSEC: " protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 log=\
    yes log-prefix=IPSEC: protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="DROPPED INPUT INVALID:"
add action=accept chain=forward comment="defconf: accept ICMP" \
    in-interface-list=LAN log=yes log-prefix="ICMP FORWARD: " \
    out-interface-list=LAN protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    log-prefix="ICMP INPUT: " protocol=icmp
# Accepts all LAN->LAN forwarding, i.e. no inter-VLAN isolation. The camera
# VLAN (192.168.3.0/24) is kept off the WAN further down but can still reach
# every other VLAN, including the Hex PoE management address; VPN clients
# (LAN via their profile) get the same reach.
add action=accept chain=forward in-interface-list=LAN log-prefix=ACCEPT: \
    out-interface-list=LAN
add action=accept chain=forward dst-address-list=LOCAL log-prefix=ACCEPT: \
    src-address-list=LOCAL
# Address-list-only match with no interface condition, placed before the
# "not from LAN" drop: a packet arriving on WAN with a spoofed LOCAL source
# and a LOCAL destination would be accepted here (reviewer note - low risk,
# but adding in-interface-list=LAN removes the case).
add action=accept chain=input dst-address-list=LOCAL log-prefix=ACCEPT: \
    src-address-list=LOCAL
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix="DROPPED NOT FROM LAN: "
# Sits after the !LAN drop, so only LAN-side loopback traffic reaches it.
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The only egress restriction on OnlyLocalVLAN: no WAN.
add action=drop chain=forward log=yes log-prefix="DROPPED FROM LAN-ONLY:" \
    out-interface-list=WAN src-address=192.168.3.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Disabled management-plane restriction (input only from vlan1-mgmt).
add action=drop chain=input disabled=yes in-interface=!vlan1-mgmt log=yes \
    log-prefix="DROPPED INPUT:"
# fasttrack comes after the LAN->LAN / LAN->WAN accepts, so established
# traffic of those flows is accepted above and never fasttracked.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix="DROPPED FORWARD INVALID: "
# Last forward rule drops only WAN-originated, non-DSTNATed new connections;
# there is no catch-all drop, so anything not matched above is forwarded.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "DROPPED NOT DSTNAT: "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
# peer=*2 is an unresolved id in this export; check the policy still binds to
# the intended peer.
add level=unique peer=*2 protocol=udp src-port=1701
/ip service
# telnet/ftp/www are off. ssh, winbox, api, api-ssl and www-ssl are not
# mentioned, so they keep their defaults, and no address= restriction is
# shown; limiting the remaining services to the management subnet would
# narrow the management plane.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ipv6 firewall address-list
# Unmodified defconf bogon list. IPv6 is disabled in /ipv6 settings above, so
# this and the filter below are inert until it is enabled.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Unmodified defconf IPv6 filter (inert while IPv6 is disabled). Unlike the
# IPv4 forward chain it ends with an explicit "!LAN" drop.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
# Passwords are omitted by a non-sensitive export.
add name=Hathor profile="Hathor L2TP"
add name=Bonnie profile="Hathor L2TP"
/system clock
set time-zone-name=Europe/Copenhagen
/system ntp client
set enabled=yes
/system ntp server
# Serves NTP by broadcast to the LAN; the Hex PoE export below consumes it.
set broadcast=yes enabled=yes
/system ntp client servers
add address=time.windows.com
/system script
# Wake-on-LAN one-liners, yet each runs as owner HathorADM with the full
# policy set (password, policy, sensitive, romon, ...). A WoL script needs far
# less; trim to the minimum /tool wol accepts (reviewer note - verify the
# exact policy required on this release).
add dont-require-permissions=no name=wol-workstation owner=HathorADM policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=vlan2-HomeVLAN mac=70:85:C2:D0:E5:94"
add dont-require-permissions=no name=wol-unraid owner=HathorADM policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=vlan10-ServerVLAN mac=40:8D:5C:72:83:DF"
add dont-require-permissions=no name=wol-esxi owner=HathorADM policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=vlan10-ServerVLAN mac=68:05:CA:EA:38:E5"
/tool mac-server
# LAN includes the bridge interface and every VLAN interface, so MAC-telnet
# and MAC-Winbox answer on all of them, camera VLAN included. Restricting this
# to vlan1-mgmt (or at least dropping bridge from LAN, as reply (4) suggests)
# narrows the L2 management plane.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



And my config for the Hex PoE:

# jul/24/2022 15:40:45 by RouterOS 7.4
# software id = WGYF-R4I7
#
# model = 960PGS
# serial number = AD8A0B31EBBD
/interface bridge
# frame-types set on the bridge interface itself, as on the Hex S (reply (1)).
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface vlan
# Management VLAN 1, mirroring the Hex S.
add interface=bridge1 name=vlan1-mgmt vlan-id=1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# Uplink trunk, tagged only. The peer (Hex S ether4) does not yet enforce the
# same in the export above.
add bridge=bridge1 comment="Tagged uplink from Hex S" frame-types=\
    admit-only-vlan-tagged interface=sfp1
# Access ports: untagged only, pinned to their VLAN by pvid.
add bridge=bridge1 comment="Unraid onboard" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 comment="Lenovo dock" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether1 pvid=2
add bridge=bridge1 comment="Unraid Intel BR2" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
# ESXi is a hybrid port: untagged -> VLAN 10 plus tagged 20/30 (bridge vlan
# below). With no frame-types and ingress-filtering=no it also accepts tags
# for VLANs it is not a member of.
add bridge=bridge1 comment=ESXi ingress-filtering=no interface=ether4 pvid=10
add bridge=bridge1 comment="Tagged uplink to CRS112" frame-types=\
    admit-only-vlan-tagged interface=ether5
/ip neighbor discovery-settings
# !dynamic = discovery on every static interface, access ports included, so
# MNDP/LLDP details of this switch are visible to end devices.
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
# Only VLAN 1 is tagged towards bridge1 (the CPU); the rest is pure switching.
add bridge=bridge1 tagged=bridge1,sfp1,ether5 vlan-ids=1
add bridge=bridge1 tagged=sfp1,ether5 untagged=ether1 vlan-ids=2
add bridge=bridge1 tagged=sfp1,ether5 untagged=ether2,ether3,ether4 vlan-ids=\
    10
add bridge=bridge1 tagged=sfp1,ether5,ether4 vlan-ids=20
add bridge=bridge1 tagged=sfp1,ether5,ether4 vlan-ids=30
add bridge=bridge1 tagged=sfp1,ether5 vlan-ids=40
/ip address
# Management address bound to the physical sfp1 port - a bridge slave - rather
# than to vlan1-mgmt. An address on a bridge port bypasses the bridge VLAN
# table, so its frames presumably leave sfp1 untagged, which is exactly what
# the Hex S drops once ether4 is admit-only-vlan-tagged. Moving it to
# vlan1-mgmt (the DHCP client below already targets that, and the Hex S holds
# a static lease for this MAC at 10.0.0.15) is the first thing to test.
# Note also that this export has no /ip firewall and no /ip service
# restriction, so the switch's management plane is reachable from every VLAN
# the Hex S forwards (its forward chain accepts all LAN->LAN).
add address=10.0.0.15/24 interface=sfp1 network=10.0.0.0
/ip dhcp-client
add interface=vlan1-mgmt
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name=HexPoE
/system ntp client
set enabled=yes mode=broadcast
/system ntp client servers
add address=192.168.1.1

Any help is very appreciated.

Thanks in advance for your time.

(1) Don't make such settings on the bridge itself; that is for advanced users and rarely done.
/interface bridge
add admin-mac=C4:AD:34:E4:DB:3F auto-mac=no comment=defconf frame-types=
admit-only-vlan-tagged name=bridge vlan-filtering=yes

Instead use Bridge Ports to delineate trunk, access or hybrid ports.

(2) Also don't use VLAN 1 for anything, and by that I mean passing data. Use other VLANs for data.
VLAN 1 already exists implicitly on the router and need not be defined. If you need a management VLAN, make one up, let's say vlan99.

(3) Don't use this, as the regular firewall rules suffice for 98% of requirements; it's for advanced users …
/interface bridge settings
set use-ip-firewall-for-vlan=yes

(4) Remove this, it is not required.
add comment=defconf interface=bridge list=LAN

(5) Your firewall rules are a mess.

In summary a very simple network with vlans, made into a complicated mess with too many youtube video ideas…

Let me thank you for taking your time to answer me. I’m sorry for this long post - I will just try to provide all the information I can.

1: I hadn’t noticed I had enabled the admin MAC - that was clearly a mistake. I must have clicked the down-arrow by mistake. That is gone.

Instead use Bridge Ports to delineate trunk, access or hybrid ports.

I must admit, I am not skilled enough to understand what you mean by this. I don’t know what I need to do differently.

2: mgmtVLAN is changed to 99 per your instructions.

3: I am not skilled enough to use the CLI, I can’t remember the syntax and the commands. I mostly use Winbox or google commands. Use IP firewall was not ticked in Winbox so it didn’t appear to be turned on - I executed the command you wrote in the CLI to make sure to set it to off.

4: I had a feeling that the bridge could be removed but was unsure. It has been removed. Thanks for confirming.

5: I know they are a mess. Most of the firewall is the default config I think, but I have added some rules in troubleshooting and forgot to take them out; I have removed most of the rules I have made myself. Still trying to learn firewalling, but it will be a long time before I’m good at it.

Actually I have been reading most of this from the Wiki and tried to make it into something working; there are not many good tutorials on YouTube.

My setup is like this:

Router: Hex S → Ether 4 trunk → Hex PoE SFP1 (using an SFP copper module) → Ether 5 trunk → CRS112. I have allow only VLAN tagged working between the Hex PoE and CRS 112 but still after making the changes you suggested, enabling ‘allow only VLAN tagged’ on Hex S port 4 breaks connection to Hex PoE.

Could this be because I’m using the SFP port as uplink?

The manual says that you have to do something like this on the Hex router:

/interface ethernet switch vlan
add ports=ether1,switch1-cpu switch=switch1 vlan-id=99

https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip

However, the SFP1 port is not available in the list of ports in /interface ethernet switch port.

My new config on Hex S:

# jul/25/2022 09:27:55 by RouterOS 7.4
# software id = 6EGA-GY7S
#
# model = RB760iGS
# serial number = A36A0BF2D178
/interface bridge
# Management moved to VLAN 99 (reply (2)) and admin-mac dropped, but pvid and
# frame-types are still set on the bridge interface itself rather than per
# port (reply (1)). With pvid=99 on the bridge, untagged traffic to/from the
# CPU is management traffic.
add comment=defconf frame-types=admit-only-vlan-tagged name=bridge pvid=99 \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan2-HomeVLAN vlan-id=2
add interface=bridge name=vlan3-HomeWifiVLAN vlan-id=3
add interface=bridge name=vlan10-ServerVLAN vlan-id=10
add interface=bridge name=vlan20-OfficeVLAN vlan-id=20
add interface=bridge name=vlan30-LabVLAN vlan-id=30
add interface=bridge name=vlan40-OnlyLocalVLAN vlan-id=40
add interface=bridge name=vlan99-mgmt vlan-id=99
/interface list
# Unchanged from the first export: LAN still includes L2TP-clients-external.
add comment=defconf name=WAN
add name=L2TP-clients-external
add comment=defconf include=L2TP-clients-external name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
# SHA-256 / AES-256-CBC for the L2TP/IPsec server.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip pool
# pool-LabVLAN still uses 172.132.1.x, which is public (non-RFC 1918) space.
add name=pool-mgmt ranges=10.0.0.10-10.0.0.50
add name=pool-HomeVLAN ranges=192.168.1.10-192.168.1.254
add name=pool-ServerVLAN ranges=192.168.0.10-192.168.0.254
add name=pool-OfficeVLAN ranges=192.168.2.10-192.168.2.254
add name=pool-LabVLAN ranges=172.132.1.10-172.132.1.254
add name=L2TP-vpn-pool-external ranges=172.20.30.30-172.20.30.50
add name=L2TP-vpn-pool-internal ranges=172.20.30.2-172.20.30.29
add name=pool-OnlyLocalVLAN ranges=192.168.3.10-192.168.3.254
add name=pool-HomeWiFiVLAN ranges=192.168.4.20-192.168.4.254
/ip dhcp-server
# Every server now uses lease-time=1m (renewals every ~30 s per client);
# dhcp-mgmt has been re-pointed at vlan99-mgmt.
add address-pool=pool-HomeVLAN interface=vlan2-HomeVLAN lease-time=1m name=\
    dhcp-HomeVLAN
add address-pool=pool-ServerVLAN interface=vlan10-ServerVLAN lease-time=1m \
    name=dhcp-ServerVLAN
add address-pool=pool-OfficeVLAN interface=vlan20-OfficeVLAN lease-time=1m \
    name=dhcp-OfficeVLAN
add address-pool=pool-LabVLAN interface=vlan30-LabVLAN lease-time=1m name=\
    dhcp-LabVLAN
add address-pool=pool-mgmt interface=vlan99-mgmt lease-time=1m name=dhcp-mgmt
add address-pool=pool-OnlyLocalVLAN interface=vlan40-OnlyLocalVLAN \
    lease-time=1m name=dhcp-OnlyLocal
add address-pool=pool-HomeWiFiVLAN interface=vlan3-HomeWifiVLAN lease-time=1m \
    name=dhcp-HomeWiFiVLAN
/port
set 0 name=serial0
/ppp profile
# Unchanged from the first export. Both custom profiles still carry
# bridge=bridge, which makes each PPP interface a dynamic port of the
# VLAN-filtering bridge with no pvid given (reviewer note - confirm intended;
# the bridge pvid is now 99 = management).
set *0 dns-server=192.168.1.1 local-address=172.20.30.1 only-one=yes \
    remote-address=L2TP-vpn-pool-external use-ipv6=no use-upnp=no
add bridge=bridge change-tcp-mss=yes dns-server=192.168.1.1 local-address=\
    172.20.30.1 name=L2TP-VPN-external only-one=no remote-address=\
    L2TP-vpn-pool-external use-encryption=yes use-ipv6=no use-upnp=no
# interface-list=LAN + address-list=LOCAL: VPN clients get full LAN->LAN reach.
add address-list=LOCAL bridge=bridge change-tcp-mss=yes dns-server=\
    192.168.1.1 interface-list=LAN local-address=172.20.30.1 name=\
    "Hathor L2TP" only-one=no remote-address=L2TP-vpn-pool-internal \
    use-encryption=required use-ipv6=no use-upnp=no
/interface bridge port
# ether2 is commented as a trunk but now has pvid=2 and no frame-types: it is
# untagged VLAN 2 plus tagged VLAN 3 (bridge vlan below) and no longer carries
# the tagged management VLAN it had in the first export. The Unifi switch's
# management lease (10.0.0.5) suggests it expects management on this port.
add bridge=bridge comment="Ubiquity US-8-150 trunk" interface=ether2 pvid=2
add bridge=bridge comment="Mirror port af WAN til loft" frame-types=\
    admit-only-vlan-tagged interface=ether3
# Still no frame-types=admit-only-vlan-tagged here, so this export shows the
# working state, not the failing one. pvid=99 with ingress-filtering=no means
# any untagged frame from the Hex PoE lands in the management VLAN.
add bridge=bridge comment="Hex PoE trunk" ingress-filtering=no interface=\
    ether4 pvid=99
# pvid=2 conflicts with the bridge vlan entry that lists ether5 as untagged in
# VLAN 99: untagged ingress goes to HomeVLAN, untagged egress comes from MGMT.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 pvid=\
    2
# sfp1 has no pvid (default 1) and VLAN 1 no longer has a bridge vlan entry.
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface bridge vlan
# ether4 carries 99,2,10,20,30,40 tagged (the Hex PoE side still expects
# management on VLAN 1, not 99, unless it was changed too). untagged=ether5
# here disagrees with ether5's pvid=2 in /interface bridge port.
add bridge=bridge comment="MGMT 10.0.0.1/24" tagged=bridge,ether4,ether3 \
    untagged=ether5 vlan-ids=99
# HomeVLAN is tagged only on the bridge and ether4; ether2/ether5 reach it
# solely through their pvid=2 (dynamic untagged membership).
add bridge=bridge comment="HomeVLAN 192.168.1.1/24" tagged=bridge,ether4 \
    vlan-ids=2
add bridge=bridge comment="ServerVLAN 192.168.0.1/24" tagged=\
    bridge,ether3,ether4 vlan-ids=10
add bridge=bridge comment="OfficeVLAN 192.168.2.1/24" tagged=\
    bridge,ether3,ether4 vlan-ids=20
add bridge=bridge comment="LabVLAN 172.132.1.1/24" tagged=bridge,ether4 \
    vlan-ids=30
add bridge=bridge comment="OnlyLocalVLAN 192.168.3.1/24" tagged=bridge,ether4 \
    vlan-ids=40
add bridge=bridge comment="HomeWiFiVLAN 192.168.4.1/24" tagged=\
    bridge,ether4,ether2 vlan-ids=3
/interface l2tp-server server
set default-profile="Hathor L2TP" enabled=yes use-ipsec=required
/interface list member
# The bridge interface has been removed from LAN (reply (4) applied); LAN is
# now the VLAN interfaces plus whatever the L2TP profile adds dynamically.
add comment=defconf interface=ether1 list=WAN
add comment=MGMT interface=vlan99-mgmt list=LAN
add comment=HomeVLAN interface=vlan2-HomeVLAN list=LAN
add comment=ServerVLAN interface=vlan10-ServerVLAN list=LAN
add comment=OfficeVLAN interface=vlan20-OfficeVLAN list=LAN
add comment=LabVLAN interface=vlan30-LabVLAN list=LAN
add comment="HikVision + other stuff no internet VLAN " interface=\
    vlan40-OnlyLocalVLAN list=LAN
add comment=HomeWiFiVLAN interface=vlan3-HomeWifiVLAN list=LAN
/interface ovpn-server server
# Still allows md5/sha1 HMAC; not shown as enabled.
set auth=sha1,md5
/ip address
add address=10.0.0.1/24 comment=mgmtVLAN interface=vlan99-mgmt network=\
    10.0.0.0
add address=192.168.1.1/24 comment=HomeVLAN interface=vlan2-HomeVLAN network=\
    192.168.1.0
add address=192.168.0.1/24 comment=ServerVLAN interface=vlan10-ServerVLAN \
    network=192.168.0.0
add address=192.168.2.1/24 comment=OfficeVLAN interface=vlan20-OfficeVLAN \
    network=192.168.2.0
# Public (non-RFC 1918) range, see /ip pool.
add address=172.132.1.1/24 comment=LabVLAN interface=vlan30-LabVLAN network=\
    172.132.1.0
# Disabled leftover on a dangling interface id.
add address=172.20.30.1/24 comment="Segment for VPN" disabled=yes interface=\
    *F00000 network=172.20.30.0
# The next two comments are wrong: these are HomeWifiVLAN and OnlyLocalVLAN.
add address=192.168.4.1/24 comment=OfficeVLAN interface=vlan3-HomeWifiVLAN \
    network=192.168.4.0
add address=192.168.3.1/24 comment=OfficeVLAN interface=vlan40-OnlyLocalVLAN \
    network=192.168.3.0
# Orphaned copy of the old management address, left behind when vlan1-mgmt was
# deleted (*16 no longer resolves); safe to remove.
add address=10.0.0.1/24 comment=mgmtVLAN disabled=yes interface=*16 network=\
    10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
# Same static leases as before, minus the Unifi switch (10.0.0.5). As above,
# these pin addresses but are not an access control.
add address=192.168.1.4 client-id=1:18:e8:29:e6:87:c6 comment=\
    "Unifi UAP AC PRO" mac-address=18:E8:29:E6:87:C6 server=dhcp-HomeVLAN
add address=10.0.0.10 client-id=1:8:55:31:e:cf:e6 comment="CRS112 POE" \
    mac-address=08:55:31:0E:CF:E6 server=dhcp-mgmt
add address=192.168.1.187 client-id=1:dc:a6:32:18:a1:4a comment=\
    "LibreElec KODI sovev\E6relse, RPI 4" mac-address=DC:A6:32:18:A1:4A \
    server=dhcp-HomeVLAN
add address=192.168.0.12 client-id=1:52:54:0:81:70:35 comment=\
    "Ubuntu VM Unifi controller" mac-address=52:54:00:81:70:35 server=\
    dhcp-ServerVLAN
add address=10.0.0.15 client-id=1:c4:ad:34:25:3:7c comment="Hex PoE" \
    mac-address=C4:AD:34:25:03:7C server=dhcp-mgmt
add address=192.168.3.5 client-id=1:98:df:82:52:11:72 comment=\
    "HikVision CAM - terrassed\F8r" mac-address=98:DF:82:52:11:72 server=\
    dhcp-OnlyLocal
add address=192.168.3.2 client-id=1:84:9a:40:54:31:8 comment="HikVision NVR" \
    mac-address=84:9A:40:54:31:08 server=dhcp-OnlyLocal
add address=192.168.3.3 client-id=1:80:7c:62:df:1a:17 comment=\
    "HikVision CAM - forhave" mac-address=80:7C:62:DF:1A:17 server=\
    dhcp-OnlyLocal
add address=192.168.0.9 client-id=1:b8:27:eb:78:12:4f comment=\
    "Unify controller PI3" mac-address=B8:27:EB:78:12:4F server=\
    dhcp-ServerVLAN
add address=192.168.0.11 client-id=1:0:4:23:e5:65:ad comment=\
    "Unraid BR2 -> Hex S port 3 direct cable." mac-address=00:04:23:E5:65:AD \
    server=dhcp-ServerVLAN
add address=192.168.1.12 client-id=1:84:a9:3e:97:ed:c1 comment="HP printer" \
    mac-address=84:A9:3E:97:ED:C1 server=dhcp-HomeVLAN
/ip dhcp-server network
add address=10.0.0.0/24 comment=mgmtVLAN dns-server=192.168.1.1 gateway=\
    10.0.0.1 netmask=24
add address=172.20.30.0/24 comment="VPN Network" dns-server=\
    208.67.222.222,208.67.220.220 gateway=172.20.30.1 netmask=24
add address=172.132.1.0/24 comment=LabVLAN dns-server=192.168.1.1 gateway=\
    172.132.1.1 netmask=24
add address=192.168.0.0/24 comment=ServerVLAN dns-server=192.168.1.1 gateway=\
    192.168.0.1 netmask=24
add address=192.168.1.0/24 comment=HomeVLAN dns-server=\
    208.67.222.222,8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 comment=OfficeVLAN dns-server=192.168.1.1 gateway=\
    192.168.2.1 netmask=24
add address=192.168.3.0/24 comment=OnlyLocalVLAN dns-server=192.168.1.1 \
    gateway=192.168.3.1 netmask=24
add address=192.168.4.0/24 comment="HomeWiFiVLAN " dns-server=192.168.1.1 \
    gateway=192.168.4.1
/ip dns
# Resolver answers on every interface; WAN exposure is prevented only by the
# input-chain "drop all not coming from LAN" rule below.
set allow-remote-requests=yes servers=8.8.8.8,208.67.222.222,8.8.4.4
/ip dns static
# Stale 192.168.88.1 entry still present (no such address on this router).
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
# 192.168.4.0/24 added to LOCAL. 192.168.100.0/24 still matches nothing here,
# 10.0.0.0/8 is still disabled (management not in LOCAL), and 172.132.1.0/24
# is public space. With the LOCAL->LOCAL filter rules gone, LOCAL now only
# feeds the "Hathor L2TP" profile.
add address=172.20.30.1-172.20.30.50 list=LOCAL
add address=192.168.0.0/24 list=LOCAL
add address=192.168.1.0/24 list=LOCAL
add address=192.168.100.0/24 list=LOCAL
add address=172.132.1.0/24 list=LOCAL
add address=192.168.2.0/24 list=LOCAL
add address=10.0.0.0/8 disabled=yes list=LOCAL
add address=172.132.1.0/24 list=Servers-LAB
add address=192.168.3.0/24 list=LOCAL
add address=192.168.4.0/24 list=LOCAL
/ip firewall filter
# Trimmed relative to the first export (LOCAL->LOCAL accepts and the ICMP
# forward rule are gone), but the structure is the same.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# L2TP/IPsec from WAN, still logging every packet that reaches these rules.
add action=accept chain=input in-interface=ether1 log=yes log-prefix=\
    "IPSEC: " protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 log=\
    yes log-prefix=IPSEC: protocol=udp
# log=yes was dropped here but the log-prefix remains (harmless, cosmetic).
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix="DROPPED INPUT INVALID:"
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    log-prefix="ICMP INPUT: " protocol=icmp
# Still accepts all LAN->LAN forwarding: the camera VLAN (192.168.3.0/24) can
# reach every other VLAN and the Hex PoE management address; only its WAN
# egress is blocked further down.
add action=accept chain=forward in-interface-list=LAN log-prefix=ACCEPT: \
    out-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix="DROPPED NOT FROM LAN: "
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=forward log=yes log-prefix="DROPPED FROM LAN-ONLY:" \
    out-interface-list=WAN src-address=192.168.3.0/24
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Disabled management-only input restriction, re-pointed at vlan99-mgmt.
add action=drop chain=input disabled=yes in-interface=!vlan99-mgmt log=yes \
    log-prefix="DROPPED INPUT:"
# fasttrack still sits after the LAN->LAN / LAN->WAN accepts, so those flows
# are never fasttracked.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix="DROPPED FORWARD INVALID: "
# No catch-all forward drop: only WAN-originated, non-DSTNATed new
# connections are dropped at the end.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "DROPPED NOT DSTNAT: "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
# peer=*2 is an unresolved id in this export.
add level=unique peer=*2 protocol=udp src-port=1701
/ip service
# telnet/ftp/www off; the remaining services are not mentioned and carry no
# address= restriction in this export.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=Hathor profile="Hathor L2TP"
add name=Bonnie profile="Hathor L2TP"
/system clock
set time-zone-name=Europe/Copenhagen
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=time.windows.com
/system script
add dont-require-permissions=no name=wol-workstation owner=HathorADM policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=vlan2-HomeVLAN mac=70:85:C2:D0:E5:94"
add dont-require-permissions=no name=wol-unraid owner=HathorADM policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=vlan10-ServerVLAN mac=40:8D:5C:72:83:DF"
add dont-require-permissions=no name=wol-esxi owner=HathorADM policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=vlan10-ServerVLAN mac=68:05:CA:EA:38:E5"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

My config for Hex PoE:

# jul/25/2022 10:08:04 by RouterOS 7.4
# software id = WGYF-R4I7
#
# model = 960PGS
# serial number = AD8A0B31EBBD
/interface bridge
# pvid=99 on the bridge itself places the CPU-facing bridge interface untagged in VLAN 99; the VLAN
# table below additionally lists bridge1 as tagged on 99 and 2. The reply further down ("HEX", item 1)
# advises leaving pvid off the bridge entirely.
add frame-types=admit-only-vlan-tagged name=bridge1 pvid=99 vlan-filtering=\
    yes
/interface vlan
# The only L3 interface on this switch; it carries the management address (DHCP client below).
add interface=bridge1 name=vlan99-mgmt vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# NOTE(review): no frame-types on sfp1, so untagged frames arriving on this trunk are admitted into
# pvid 99 - the management VLAN. frame-types=admit-only-vlan-tagged, as set on ether5, closes that path.
add bridge=bridge1 comment="Tagged downlink from Hex S" interface=sfp1 pvid=\
    99
# Access ports: untagged frames only, placed into the port's pvid.
add bridge=bridge1 comment="Unraid server onboard NIC" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 comment="Lenovo dock" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether1 pvid=2
add bridge=bridge1 comment="Unraid Intel BR2 NIC" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
# NOTE(review): ingress-filtering=no disables the check that a tagged frame's VLAN ID is one this port
# is listed for, so frames tagged with any VLAN (99 included) would be accepted from the ESXi host even
# though the table below gives ether4 only 10, 20 and 30. Re-enable it once the VLAN list is correct.
add bridge=bridge1 comment="ESXi server NIC" ingress-filtering=no interface=\
    ether4 pvid=10
# Trunk toward the CRS112: tagged frames only.
add bridge=bridge1 comment="Tagged uplink to CRS112" frame-types=\
    admit-only-vlan-tagged interface=ether5 pvid=99
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
# bridge1 is tagged on VLAN 2 although no /interface vlan with id 2 exists here; presumably a leftover.
add bridge=bridge1 tagged=sfp1,bridge1,ether5 untagged=ether1 vlan-ids=2
add bridge=bridge1 tagged=sfp1,ether5 untagged=ether2,ether3,ether4 vlan-ids=\
    10
add bridge=bridge1 tagged=sfp1,ether5,ether4 vlan-ids=20
add bridge=bridge1 tagged=sfp1,ether5,ether4 vlan-ids=30
add bridge=bridge1 tagged=sfp1,ether5 vlan-ids=40
# Management VLAN: CPU and both trunks, tagged.
add bridge=bridge1 tagged=bridge1,sfp1,ether5 vlan-ids=99
/ip dhcp-client
# NOTE(review): the management address is obtained by DHCP on VLAN 99. This export contains no
# /ip firewall filter and no /ip service restrictions, so access to this switch's management plane
# depends entirely on VLAN 99 being reachable only from trusted ports.
add interface=vlan99-mgmt
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name=HexPoE
/system ntp client
# Listens for NTP broadcasts (the Hex S export above has its NTP server in broadcast mode).
set enabled=yes mode=broadcast
/system ntp client servers
add address=192.168.1.1

My config for CRS112 just to show my full setup:

# jul/25/2022 10:24:42 by RouterOS 6.49.6
# software id = NLS7-JGB5
#
# model = CRS112-8P-4S
# serial number = D25F0DAEEA49
/interface bridge
# ingress-filtering here applies to the bridge's own (CPU) interface; per-port filtering is set on
# each bridge port below. pvid=99 on the bridge is the same pattern the reply below ("HEX", item 1)
# advises against.
add comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    name=bridge pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] poe-priority=20
set [ find default-name=ether6 ] poe-voltage=high
/interface vlan
# Management-only L3 interface (address via DHCP client below).
add interface=bridge name=vlan99-mgmt vlan-id=99
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/user group
# Built-in "full" group with its complete policy set; nothing custom here.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# Trunk: tagged-only plus ingress filtering - the hardened pattern the other trunks should match.
add bridge=bridge comment="DOWNLINK FROM Hex PoE" frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=ether1 pvid=99
# Camera ports: untagged only, isolated in VLAN 40.
add bridge=bridge comment="Hikvision NVR" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=40
add bridge=bridge comment="HikVision torret cam" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=40
add bridge=bridge comment="Hikvision bullet cam" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
# NOTE(review): ether6-ether8 have neither frame-types nor ingress-filtering set, so tagged frames are
# admitted on these access ports; on 6.x the per-port ingress-filtering default is "no" (verify), in
# which case a tagged frame for any VLAN would be accepted from whatever is plugged in here.
add bridge=bridge comment=defconf interface=ether6 pvid=2
add bridge=bridge comment=defconf interface=ether7 pvid=30
add bridge=bridge comment="Office link" interface=ether8 pvid=2
# NOTE(review): sfp9-sfp12 keep the default pvid (1) with no frame-types; unused ports are safer
# disabled or parked on an otherwise-unused VLAN so a stray link cannot join them to anything.
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
add bridge=bridge comment="Raspberry Pi 3B Unifi Controller" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge comment="ServerVLAN 192.168.0.1/24" tagged=ether1 untagged=\
    ether5 vlan-ids=10
# ether5 is tagged on VLAN 30 but its port entry admits only untagged frames, so this membership
# works in the egress direction only; presumably unintended - confirm.
add bridge=bridge comment="LabVLAN 172.132.1.1/24" tagged=ether1,ether5 \
    vlan-ids=30
add bridge=bridge comment="HomeVLAN 192.168.1.1/24" tagged=ether1 vlan-ids=2
add bridge=bridge comment="OfficeVLAN 192.168.2.1/24" tagged=ether1 vlan-ids=\
    20
add bridge=bridge comment="OnlyLocalVLAN 192.168.3.1/24" tagged=ether1 \
    vlan-ids=40
# Management VLAN; 10.0.0.1 is also the gateway of the static default route below.
add bridge=bridge comment="MGMT 10.0.0.1/24" tagged=ether1,bridge vlan-ids=99
/interface ethernet switch egress-vlan-tag
# Switch-chip egress tagging for the trunk and CPU; the six VLAN IDs match the bridge VLAN table
# above and must be kept in sync with it.
add tagged-ports=switch1-cpu,ether1 vlan-id=30
add tagged-ports=switch1-cpu,ether1 vlan-id=10
add tagged-ports=switch1-cpu,ether1 vlan-id=20
add tagged-ports=switch1-cpu,ether1 vlan-id=2
add tagged-ports=switch1-cpu,ether1 vlan-id=40
add tagged-ports=switch1-cpu,ether1 vlan-id=99
/interface list member
# No rule in this export references the WAN or LAN lists; they are inert on this switch.
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp9 list=LAN
add interface=sfp10 list=LAN
add interface=sfp11 list=LAN
add interface=sfp12 list=LAN
/ip dhcp-client
add disabled=no interface=vlan99-mgmt
/ip dns
set servers=192.168.0.1,10.0.0.1,192.168.1.1
/ip route
# Static default route via the management gateway; if the DHCP lease above also installs a default
# route there will be two - harmless, but worth knowing when troubleshooting.
add distance=1 gateway=10.0.0.1
/ip service
# telnet, ftp, www and ssh are off; winbox, api, api-ssl and www-ssl remain at defaults. This export
# has no /ip firewall filter, so an address= restriction on the remaining services is the only
# on-device control over who may reach management.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Europe/Copenhagen
/system identity
set name=PoE

@anav do not say anything about admin-mac.

Restore it!

I will restore it.

I’m sorry, I’m not trying to be dense.
Then I simply don’t know what the meaning behind this is:

(1) Don't make such settings on the bridge; that is for advanced users and rarely done.
/interface bridge
add admin-mac=C4:AD:34:E4:DB:3F auto-mac=no comment=defconf frame-types=
admit-only-vlan-tagged name=bridge vlan-filtering=yes

@anav use colors for underlining the problematic parts.
You are too addicted to copy-paste…


@anav do not say “paste this on terminal”, but you do not need it.
This is on your original export
“/interface bridge settings
set use-ip-firewall-for-vlan=yes”

PASTE this on both devices to restore them to how they should be:

/interface bridge settings
set use-ip-firewall-for-vlan=no

Thanks, I have put the admin MAC back.

use-ip-firewall-for-vlan should already be disabled - I don’t see it in the export from today.

Even though you think I’m too addicted to copy/paste I did however paste your command on all devices just to make sure :slight_smile:

("◠‿◠)

I got this resolved.

I now have 'accept only VLAN tagged' on all trunk ports on all devices, and the connection remains.

I had to use the config in /interface ethernet switch and use ether1, not SFP1, for the trunk port.

I added this to config on Hex PoE:

[admin@HexPoE] > /interface ethernet switch port  print
Columns: NAME, SWITCH, VLAN-MODE, VLAN-HEADER, DEFAULT-VLAN-ID
# NAME         SWITCH   VLAN-MODE  VLAN-HEADER     DEFAULT-VLAN-ID
0 ether1       switch1  secure     add-if-missing  auto           
1 ether2       switch1  disabled   leave-as-is     auto           
2 ether3       switch1  disabled   leave-as-is     auto           
3 ether4       switch1  disabled   leave-as-is     auto           
4 ether5       switch1  disabled   leave-as-is     auto           
5 switch1-cpu  switch1  secure     leave-as-is     auto

Ether1 is the uplink to the Hex S, ether5 is the downlink to the CRS112. I had trouble getting a DHCP address from the Hex S: I had to add switch1-cpu to all VLANs on the Hex PoE - otherwise the Hex S offered a DHCP lease but devices on the Hex PoE did not take it.

[admin@HexPoE] > /interface ethernet switch vlan print
Columns: SWITCH, VLAN-ID, PORTS
# SWITCH   VLAN-ID  PORTS      
0 switch1       99  switch1-cpu
                    ether1     
                    ether5     
1 switch1        2  ether1     
                    switch1-cpu
                    ether5     
2 switch1       10  ether1     
                    switch1-cpu
                    ether5     
3 switch1       20  ether1     
                    switch1-cpu
                    ether5     
4 switch1       30  ether1     
                    switch1-cpu
                    ether5     
5 switch1       40  ether1     
                    switch1-cpu
                    ether5

If you are a beginner you think all ports are the same, and you don't expect much difference between the Hex S and the Hex PoE/CRS112, but the different switch chips make the initial setup confusing.

HEX

(1) Wrong: apply the setting on /interface bridge ports, not here, and don't enter any pvid on the bridge (this is where the default VLAN 1 belongs, in the background).
/interface bridge
add comment=defconf frame-types=admit-only-vlan-tagged name=bridge pvid=99
vlan-filtering=yes

(2) Your bridge ports and vlan setting are all over the map…
Suggest you instead provide a clear diagram of what is connected to each port and the vlans going through it.

(3) The ubiquiti access point, is it expecting the management VLAN as untagged ( normally the stupid twits from ubiquiti want it this backwards way)?

(4) IF you have a trusted subnet like the home one or local-only, you can use it to replace the management VLAN. If you prefer to have the management VLAN that is fine, but as with my comment asking for the diagram, it's not clear where you are going to access this VLAN from.