Need help with CRS112 Switch configuring IP addresses on VLANs

Greetings,
I just setup a new CRS112-8P-4S for my WISP. I’ve configured the switch for 3 different VLANs:
Public net - VLAN 9
Management net - VLAN 10
Old net - VLAN 1
My goal is to have all VLANs isolated from one another. I followed Example 2 (Trunk and Hybrid ports) in this guide and I think I got that working:
https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Example_2_.28Trunk_and_Hybrid_ports.29
I’d like to have 2 IPs assigned to the switch, one on VLAN 10 and another on VLAN 1. I tried assigning those IPs to the bridge directly, but they don’t respond. How do I configure IP addresses so that I can remote manage the switch over either/both VLANs?

Any help or advice is appreciated.
Thank you,

Here is my current config:

# jun/30/2021 14:41:34 by RouterOS 6.48.3
# software id = PSC1-QAU1
# model = CRS112-8P-4S
/interface bridge
add admin-mac=2C:C8:1B:26:9B:4A auto-mac=no comment="Switch Bridge" name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Management - VLAN 10"
set [ find default-name=ether2 ] comment="Public - VLAN 9"
set [ find default-name=ether3 ] comment=\
    "Town AP - VLAN 9 Untag, VLAN 10 tag"
set [ find default-name=ether4 ] comment=\
    "Creek AP - VLAN 9 Untag, VLAN 10 tag"
set [ find default-name=ether5 ] comment=\
    "Road AP - VLAN 9 Untag, VLAN 10 tag"
set [ find default-name=ether6 ] comment="Old AP - VLAN 1"
set [ find default-name=ether7 ] comment="Old PTP Radio - VLAN 1"
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether3,ether4,ether5 vlan-id=10
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=9 ports=ether3
add customer-vid=0 new-customer-vid=9 ports=ether4
add customer-vid=0 new-customer-vid=9 ports=ether5
add customer-vid=0 new-customer-vid=10 ports=ether1
add customer-vid=0 new-customer-vid=9 ports=ether2
/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5 vlan-id=9
add ports=ether1,ether3,ether4,ether5 vlan-id=10
/ip address
add address=172.30.0.30/29 comment="IP on VLAN 1 over Old PTP Radio" interface=bridge network=172.30.0.24
add address=172.31.0.110/16 comment="IP on VLAN 10 over Management Network" interface=bridge \
    network=172.31.0.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add comment="Default route over Management Network" distance=1 gateway=172.31.0.1
add comment="Default route over Old PTP Radio" distance=2 gateway=172.30.0.25
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="MikroTik"
/tool graphing interface
add

Use vlan interfaces assigned to the bridge. Assign the IP address to the vlan interfaces and set your routes.

You also need to add switch1-cpu as a port on the vlans for mgmt access under

/interface ethernet switch vlan

Hello Biomesh,
Thank you for the reply.

I created the vlan interface:

/interface vlan
add interface=bridge name="Management VLAN" vlan-id=10

I moved the IP address over to the newly created VLAN interface:

/ip address
add address=172.31.0.110/16 comment="IP on VLAN 10 over Management Network" interface="Management VLAN" network=172.31.0.0

The route was already created:

/ip route
add comment="Default route over Management Network" distance=1 gateway=172.31.0.1

I didn’t know I needed to add the switch1-cpu to the ports, thank you for that. I’ve done that now:

/interface ethernet switch vlan
add ports=ether2,ether3,ether4,ether5 vlan-id=9
add ports=switch1-cpu,ether1,ether3,ether4,ether5 vlan-id=10

I know traffic is passing over VLAN 10, because devices on either side are communicating on that VLAN. However, I still cannot ping the Mikrotik switch from other device on that VLAN, nor can the switch ping anything else on the VLAN.

What am I missing to get remote connectivity to the switch?

Add switch1-cpu to the /interface ethernet switch egress-vlan-tag command for vlan10.

These examples are in the page you originally posted about, but are at the top of the page.

When originally setting up my switch, I forgot the above option.

I am in a similar situation where I cannot ping my CRS112 from any network device other than clients connected locally to access ports.
I use VLAN100 as an internal network and VLAN200 as a guest network. So I don’t need a management VLAN.
I’m trying to reach my CRS112 from other parts of the VLAN100, but haven’t been successful so far.

Ether1 and SFP12 are the trunk ports, the rest are access ports only for VLAN100.
Maybe I made a mistake with “switch1-cpu” somewhere?

/interface bridge
add name=bridge-intern
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1-cAP,ether2-OfficePC,ether3-Test,ether4,ether5,ether6-NVR,ether7-Drucker,sfp9,sfp10,sfp11,sfp12-Uplink
/interface bridge port
add bridge=bridge-intern interface=ether2-OfficePC
add bridge=bridge-intern interface=ether3-Test
add bridge=bridge-intern interface=ether4
add bridge=bridge-intern interface=ether5
add bridge=bridge-intern interface=ether6-NVR
add bridge=bridge-intern interface=ether7-Drucker
add bridge=bridge-intern interface=ether8
add bridge=bridge-intern interface=sfp9
add bridge=bridge-intern interface=sfp10
add bridge=bridge-intern interface=sfp11
add bridge=bridge-intern interface=ether1-cAP
add bridge=bridge-intern interface=sfp12-Uplink
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1-cAP,sfp12-Uplink vlan-id=100
add tagged-ports=ether1-cAP,sfp12-Uplink vlan-id=200
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=100 ports=ether2-OfficePC,ether3-Test,ether4,ether5,ether6-NVR,ether7-Drucker,sfp9,sfp10,sfp11
/interface ethernet switch vlan
add ports=switch1-cpu,ether1-cAP,ether2-OfficePC,ether3-Test,ether4,ether5,ether6-NVR,ether7-Drucker,ether8,sfp10,sfp9,sfp12-Uplink,sfp11 vlan-id=100
add ports=ether1-cAP,sfp12-Uplink vlan-id=200
/ip address
add address=192.168.1.3/24 interface=bridge-intern network=192.168.1.0

The answers are the same as above:
/interface ethernet switch egress-vlan-tag add tagged-ports=switch1-cpu,ether1-cAP,sfp12-Uplink vlan-id=100

You are (presumably) missing ether8 from here:
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=100 ports=ether2-OfficePC,ether3-Test,ether4,ether5,ether6-NVR,ether7-Drucker,sfp9,sfp10,sfp11

This is no use:
/ip address add address=192.168.1.3/24 interface=bridge-intern network=192.168.1.0

You need a VLAN interface created on the bridge for VLAN 100. Then the IP address goes on the VLAN interface.

See posts 2, 3, 4.

Thanks, this solved my problem too.
I had probably tried so many different configurations beforehand, also with a VLAN interface, and kept locking myself out that I had not tried this particular configuration in its entirety.

Merry Christmas and Happy Holidays

This is always a problem, in any switch. Management via VLAN can be done, but when you do not exactly know the procedure you will normally lock yourself out at least once.