New RB5009, complete new setup, need help

Hi. I have an old MikroTik CRS125-24G-1S-2HND-IN, which is still running (I am not using the WiFi feature), and now I bought a new RB5009. I would like to set it up as well as possible and this time also use VLANs. I took the script from here http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 - Router configuration. The issue is that if I apply this configuration, I cannot access the router anymore, and the LAN port light does not blink either (the WAN still does).
So I took some time, took the same script and edited it with some of my old configurations that I would like to use - and yes, as you can imagine, it does not work :smiley:
Can someone help me check the scripts I would like to apply and find the issues with them? I am adding all IPs that do not match my country IPs or my private IPs and that try to connect to RDP, ping, and others to a firewall list for each, and those are then blocked by default. Do you have a better solution for that? Some time ago there was this solution http://forum.mikrotik.com/t/problems-getting-mikrotik-to-work-with-dsl/442/1 but it does not work anymore.

I do not want to use the MGMT VLAN, but would like all clients by default to be connected to the Default_VLAN, which should be able to connect to and use everything, except the clients that connect over WLAN - those will use the needed VLAN tagging. As you can see from the reservations, the clients should get the IP from the DHCP and then be in the correct VLAN.

The script I would like to import is in the second post.

Add a network diagram that shows which ports are connected and which VLANs and/or devices are connected or running through them, since your explanation/requests do not match the config shown.

Also, please use
/export hide-sensitive file=anynameyouwish
to provide the config, and use the code brackets above (black square with white rectangular brackets).

I took the main configuration from the mentioned website, but here is a brief description:
Router Configuration at a glance:

How it all works:
Firewall rules allow visibility for entire VLANs or resources within a VLAN. Customize to suit your needs.

The idea is that all devices that connect are by default in the “Default_VLAN”, except the ones that connect wirelessly over the guest WLAN - they should by default come to the “Guest_VLAN”. Guest VLAN should also only have access to the internet. WLAN access points are http://www.grandstream.com/products/networking-solutions/wifi-access-points/product/gwn7660
The devices (like webcams, etc.) that I do not want to connect to the internet should still be able to connect to “default_VLAN”, as for example the storage for the cameras' footage is on the “Default_VLAN”. I give those devices a static IP in 10.10.30.x - that is what they should get when they connect.
“Default_VLAN” should be able to connect to all VLANs.

Here is the configuration:

# nov/08/2021 14:28:35 by RouterOS 7.1rc6
# software id = 
#
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
/interface vlan
add interface=bridge name=Default_VLAN vlan-id=10
add interface=bridge name=Guest_VLAN vlan-id=20
add interface=bridge name=NoNet_VLAN vlan-id=30
/disk
set sata1 disabled=no
/interface list
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Default_POOL ranges=10.10.10.200-10.10.10.254
add name=Guest_POOL ranges=10.10.20.200-10.10.20.254
add name=NoNet_POOL ranges=10.10.30.200-10.10.30.254
/ip dhcp-server
add address-pool=Default_POOL interface=Default_VLAN name=Default_DHCP
add address-pool=Guest_POOL interface=Guest_VLAN name=Guest_DHCP
add address-pool=NoNet_POOL interface=NoNet_VLAN name=NoNet_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7 \
    vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6,ether7 \
    vlan-ids=30
/interface list member
add interface=ether1 list=WAN
add interface=Default_VLAN list=VLAN
add interface=Guest_VLAN list=VLAN
add interface=NoNet_VLAN list=VLAN
/ip address
add address=192.168.1.0/24 interface=ether1 network=192.168.1.0
add address=10.10.10.1/24 interface=Default_VLAN network=10.10.10.0
add address=10.10.20.1/24 interface=Guest_VLAN network=10.10.20.0
add address=10.10.30.1/24 interface=NoNet_VLAN network=10.10.30.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.10.10.3 client-id=8:92:4A:39:04:B0 comment=whs lease-time=1d \
    mac-address=28:92:4A:39:04:B0 server=Default_DHCP
add address=10.10.10.4 client-id=0:11:32:54:41:FD comment=nas lease-time=1d \
    mac-address=00:11:32:54:41:FD server=Default_DHCP
add address=10.10.10.6 client-id=0:15:99:E1:29:69 comment=printer lease-time=\
    1d mac-address=00:15:99:E1:29:69 server=Default_DHCP
add address=10.10.10.7 client-id=C:17:02:0D:4E:3E comment=fibaro lease-time=\
    1d mac-address=AC:17:02:0D:4E:3E server=Default_DHCP
add address=10.10.10.10 client-id=C:11:BF:0D:69:55 comment=videonadzor \
    lease-time=3d mac-address=4C:11:BF:0D:69:55 server=Default_DHCP
add address=10.10.10.13 client-id=8:27:EB:58:D4:D7 comment=moode lease-time=\
    1d mac-address=B8:27:EB:58:D4:D7 server=Default_DHCP
add address=10.10.10.20 client-id=0:74:AD:54:62:54 comment=stenge lease-time=\
    3w mac-address=C0:74:AD:54:62:54 server=Default_DHCP
add address=10.10.10.21 client-id=0:74:AD:54:63:1C comment=garaza lease-time=\
    3w mac-address=C0:74:AD:54:63:1C server=Default_DHCP
add address=10.10.10.23 client-id=8:27:EB:67:A7:46 comment=Cayenne \
    lease-time=1d mac-address=B8:27:EB:67:A7:46 server=Default_DHCP
add address=10.10.10.24 client-id=8:27:EB:32:F2:13 comment=\
    "Cayenne + Wireguard + Ubidots" lease-time=1d mac-address=\
    B8:27:EB:32:F2:13 server=Default_DHCP
add address=10.10.10.25 client-id=4:FB:E4:82:66:3B comment="unifi cloudkey" \
    lease-time=1d mac-address=B4:FB:E4:82:66:3B server=Default_DHCP
add address=10.10.10.26 client-id=C:EC:DA:B6:4D:77 comment=stenge lease-time=\
    1d mac-address=FC:EC:DA:B6:4D:77 server=Default_DHCP
add address=10.10.10.27 client-id=4:D9:E7:C6:D9:4E comment=garaza lease-time=\
    1d mac-address=44:D9:E7:C6:D9:4E server=Default_DHCP
add address=10.10.10.40 client-id=0:90:3E:DA:1B:47 comment="televizija WLAN" \
    lease-time=1d mac-address=00:90:3E:DA:1B:47 server=Default_DHCP
add address=10.10.10.41 client-id=C:5A:6B:C0:86:96 comment="televizija LAN" \
    lease-time=1d mac-address=1C:5A:6B:C0:86:96 server=Default_DHCP
add address=10.10.10.42 client-id=C:AD:F8:15:04:3E comment=chromecast \
    lease-time=1d mac-address=6C:AD:F8:15:04:3E server=Default_DHCP
add address=10.10.20.100 client-id=0:F5:20:0A:94:3B comment=vremenska \
    lease-time=1d mac-address=40:F5:20:0A:94:3B server=Guest_DHCP
add address=10.10.20.101 client-id=0:98:C3:F8:27:22 comment=Toplotna \
    lease-time=1d mac-address=10:98:C3:F8:27:22 server=Guest_DHCP
add address=10.10.20.102 client-id=8:E7:DA:51:40:27 comment=zvonec \
    lease-time=1d mac-address=48:E7:DA:51:40:27 server=Guest_DHCP
add address=10.10.20.103 client-id=4:91:1E:31:61:E4 comment="klima dnevna" \
    lease-time=1d mac-address=F4:91:1E:31:61:E4 server=Guest_DHCP
add address=10.10.20.104 client-id=4:90:C1:6F:6B:DE comment=sesalec \
    lease-time=1d mac-address=64:90:C1:6F:6B:DE server=Guest_DHCP
add address=10.10.30.100 client-id=0:BD:1D:4F:F3:B6 comment="Kamera Tim" \
    lease-time=1d mac-address=A0:BD:1D:4F:F3:B6 server=NoNet_DHCP
add address=10.10.30.101 client-id=4:52:6A:AA:C6:C7 comment="Kamera leteca" \
    lease-time=1d mac-address=24:52:6A:AA:C6:C7 server=NoNet_DHCP
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=9.9.9.9,1.1.1.1,212.18.32.10 gateway=\
    10.10.10.1
add address=10.10.20.0/24 dns-server=9.9.9.9,1.1.1.1,212.18.32.10 gateway=\
    10.10.20.1
add address=10.10.30.0/24 dns-server=9.9.9.9,1.1.1.1,212.18.32.10 gateway=\
    10.10.30.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1,8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes log-prefix=FastTrack
add action=accept chain=forward comment="ZVONEC povezave" log-prefix=ZVONEC \
    src-address=10.10.20.102
add action=accept chain=forward comment="dostop WireGuard private list" \
    dst-port=8080 in-interface=ether1 log-prefix=\
    "dostop WireGuard private list" protocol=udp src-address-list=PrivateIPs
add action=accept chain=forward comment="dostop WireGuard AT list" dst-port=\
    8080 in-interface=ether1 log-prefix="dostop WireGuard AT list" protocol=\
    udp src-address-list=AT
add action=accept chain=forward comment="dostop WireGuard HR list" dst-port=\
    8080 in-interface=ether1 log-prefix="dostop WireGuard AT list" protocol=\
    udp src-address-list=HR
add action=accept chain=forward comment="dostop WireGuard SI list" dst-port=\
    8080 in-interface=ether1 log-prefix="dostop WireGuard AT list" protocol=\
    udp src-address-list=SI
add action=drop chain=forward comment="Tim kamera v WAN" dst-address=\
    !10.10.10.0/24 log-prefix="WIFI Kamera OUT" src-address=10.10.30.100
add action=drop chain=forward comment="Leteca kamera v WAN" dst-address=\
    !10.10.10.0/24 log-prefix="WIFI Kamera OUT" src-address=10.10.30.101
add action=drop chain=forward comment="Leteca kamera v WAN" dst-address=\
    !10.10.10.0/24 log-prefix="WIFI Kamera OUT" src-address=10.10.30.102
add action=drop chain=forward comment="Sesalec v LAN" dst-address=\
    10.10.10.0/24 log=yes log-prefix="Sesalec local" src-address=10.10.20.104
add action=accept chain=forward comment=\
    "Allow the Private IP ranges to be forwarded by the router" \
    connection-state=new log-prefix="Allow Private IP ranges" \
    src-address-list=PrivateIPs
add action=accept chain=forward comment=\
    "Allow current valid connections as well as valid related packets" \
    connection-state=established,related log-prefix=\
    "Allow current valid connections"
add action=accept chain=forward comment="dostop videonadzor SI list" \
    dst-port=37777 in-interface=ether1 log=yes log-prefix=\
    "dostop videonadzor SI list" protocol=tcp src-address-list=SI
add action=accept chain=forward comment="dostop videonadzor HR list" \
    dst-port=37777 in-interface=ether1 log=yes log-prefix=\
    "dostop videonadzor HR list" protocol=tcp src-address-list=HR
add action=accept chain=forward comment="dostop videonadzor AT list" \
    dst-port=37777 in-interface=ether1 log=yes log-prefix=\
    "dostop videonadzor AT list" protocol=tcp src-address-list=AT
add action=add-src-to-address-list address-list="Videonadzor BlackList" \
    address-list-timeout=none-dynamic chain=forward comment=\
    "dostop Videonadzor" dst-port=37777 in-interface=ether1 log=yes \
    log-prefix="Videonadzor => Videonadzor BlackList" protocol=tcp
add action=accept chain=forward comment="dostop do interneta" in-interface=\
    bridge log-prefix="BRIDGE LAN"
add action=accept chain=forward comment="dostop nas" dst-port=\
    21,80,5000,5001,5005,5506,500,5678 log-prefix="dostop do nas" protocol=\
    tcp
add action=accept chain=forward comment=\
    "dostop do MikroTik private IP (winbox)" dst-port=\
    80,443,8291,8728,8729,20561 log=yes log-prefix=\
    "Dostop do Mikrotik private IP" protocol=tcp src-address=10.10.10.0/24 \
    src-address-list=PrivateIPs
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=4w2d chain=output content="530 Login incorrect" \
    protocol=tcp
add action=add-src-to-address-list address-list=icmp_ping \
    address-list-timeout=12w6d chain=input dst-address=192.168.1.10 \
    in-interface=ether1 log-prefix="PING add to blacklist" protocol=icmp \
    src-address-list=!PrivateIPs
add action=accept chain=input in-interface=bridge log-prefix=PING protocol=\
    icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="LAN => WAN" out-interface=ether1
add action=masquerade chain=srcnat comment="lokalno do nas" dst-address=\
    10.10.10.4 dst-port=21,80,5001,5000,5005,5506,500,5678,443 out-interface=\
    bridge protocol=tcp src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="lokalno do MikroTik" dst-address=\
    10.10.10.1 dst-port=80,443,8291,8728,8729,20561 log=yes log-prefix=\
    "Local IP do MikroTik NAT" out-interface=bridge protocol=tcp src-address=\
    10.10.10.0/24
add action=masquerade chain=srcnat comment="lokalno do MikroTik" dst-address=\
    10.10.10.1 dst-port=80,443,8291,8728,8729,20561 log=yes log-prefix=\
    "Local IP do MikroTik NAT" out-interface=bridge protocol=tcp src-address=\
    10.6.0.0/24
add action=masquerade chain=srcnat comment="lokalno do whs" dst-address=\
    10.10.10.3 dst-port=3389 out-interface=bridge protocol=tcp src-address=\
    10.10.10.0/24
add action=masquerade chain=srcnat comment="lokalno do meteohub" dst-address=\
    10.10.10.2 dst-port=8080 out-interface=bridge protocol=tcp src-address=\
    10.10.10.0/24
add action=masquerade chain=srcnat comment="lokalno do videonadzor" \
    dst-address=10.10.10.10 dst-port=37777,37778,37779 out-interface=bridge \
    protocol=tcp src-address=10.10.10.0/24
add action=dst-nat chain=dstnat comment="nas ftp" dst-address=192.168.1.10 \
    dst-port=21 protocol=tcp to-addresses=10.10.10.4 to-ports=21
add action=dst-nat chain=dstnat comment="nas http" dst-address=192.168.1.10 \
    dst-port=80 log-prefix=web-in protocol=tcp to-addresses=10.10.10.4 \
    to-ports=80
add action=dst-nat chain=dstnat comment="nas https" dst-address=192.168.1.10 \
    dst-port=443 protocol=tcp to-addresses=10.10.10.4 to-ports=443
add action=dst-nat chain=dstnat comment="nas 500" dst-address=192.168.1.10 \
    dst-port=500 protocol=tcp to-addresses=10.10.10.4 to-ports=500
add action=dst-nat chain=dstnat comment="nas admin" dst-address=192.168.1.10 \
    dst-port=5000 protocol=tcp to-addresses=10.10.10.4 to-ports=5000
add action=dst-nat chain=dstnat comment="rdp whs" dst-address=192.168.1.10 \
    dst-port=3389 log=yes log-prefix="RDP WHS Private IP" protocol=tcp \
    src-address-list=PrivateIPs to-addresses=10.10.10.3 to-ports=3389
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=none-static chain=dstnat comment=\
    "3389 whs => Blockedlist" dst-address=192.168.1.10 dst-port=3389 log=yes \
    log-prefix="3389 WHS => RDP Blacklist NAT" protocol=tcp to-addresses=\
    10.10.10.3 to-ports=3389
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=none-static chain=dstnat comment=\
    "23 whs => Blockedlist" dst-address=192.168.1.10 dst-port=23 log=yes \
    log-prefix="23 WHS => RDP Blacklist NAT" protocol=tcp to-addresses=\
    10.10.10.3 to-ports=3389
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=none-static chain=dstnat comment=\
    "22 whs => Blockedlist" dst-address=192.168.1.10 dst-port=22 log=yes \
    log-prefix="22 WHS => RDP Blacklist NAT" protocol=tcp to-addresses=\
    10.10.10.3 to-ports=3389
add action=dst-nat chain=dstnat comment="dostop WireGuard Private" \
    dst-address=192.168.1.10 dst-port=8080 log=yes log-prefix=\
    "dostop WireGuard VPN PrivateIP" protocol=udp src-address-list=PrivateIPs \
    to-addresses=10.10.10.24 to-ports=8080
add action=dst-nat chain=dstnat comment="dostop WireGuard SI" dst-address=\
    192.168.1.10 dst-port=8080 log-prefix="dostop WireGuard piVPN" protocol=\
    udp src-address-list=SI to-addresses=10.10.10.24 to-ports=8080
add action=dst-nat chain=dstnat comment="dostop WireGuard HR" dst-address=\
    192.168.1.10 dst-port=8080 log-prefix="dostop WireGuard piVPN" protocol=\
    udp src-address-list=HR to-addresses=10.10.10.24 to-ports=8080
add action=dst-nat chain=dstnat comment="dostop WireGuard AT" dst-address=\
    192.168.1.10 dst-port=8080 log-prefix="dostop WireGuard piVPN" protocol=\
    udp src-address-list=AT to-addresses=10.10.10.24 to-ports=8080
add action=dst-nat chain=dstnat comment=videonadzor dst-address=192.168.1.10 \
    dst-port=37777 log-prefix="Videonadzor dostop NAT Private IP" protocol=\
    tcp to-addresses=10.10.10.10 to-ports=37777
add action=dst-nat chain=dstnat comment="nas webdaw" dst-address=192.168.1.10 \
    dst-port=5005 protocol=tcp to-addresses=10.10.10.4 to-ports=5005
add action=dst-nat chain=dstnat comment="nas webdaw" dst-address=192.168.1.10 \
    dst-port=5506 protocol=tcp to-addresses=10.10.10.4 to-ports=5506
add action=dst-nat chain=dstnat comment="nas torrent" dst-address=\
    192.168.1.10 dst-port=5678 protocol=tcp src-address=0.0.0.0 to-addresses=\
    10.10.10.4 to-ports=5678
add action=dst-nat chain=dstnat comment="nas admin" dst-address=192.168.1.10 \
    dst-port=5001 protocol=tcp to-addresses=10.10.10.4 to-ports=5000
add action=masquerade chain=srcnat comment="lokalno do unify" dst-address=\
    10.10.10.10 dst-port=8443 out-interface=bridge protocol=tcp src-address=\
    10.10.10.0/24
/ip firewall raw
add action=drop chain=prerouting comment="Drop WAN connections from 'RDP' blac\
    klisted hosts <- Src. Address List: RDP_Blacklist" in-interface-list=WAN \
    log-prefix="raw RDP Blacklist Drop" src-address-list=rdp_blacklist
add action=drop chain=prerouting comment="Drop WAN connections from 'Videonadz\
    or' blacklisted hosts <- Src. Address List: VideonadzorBlackList" \
    in-interface-list=WAN log-prefix="raw Videonazdor Blaclikst Drop" \
    src-address-list="Videonadzor BlackList"
add action=drop chain=prerouting comment="Drop WAN connections from 'CMP_PING\
    \" blacklisted hosts <- Src. Address List: icm_ping" disabled=yes \
    in-interface-list=WAN log=yes log-prefix="raw PING blocklist" \
    src-address-list=icmp_ping
/ip route
add distance=1 gateway=192.168.1.254
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=Router

As I wrote, after applying this setup I cannot access the router anymore. So I did that using the Windows version and a VirtualBox - there I do not lose the connection. But in my real environment, it is not working.

Thank you!

Are all of the connections to ether2-7 really all tagged? There is mention of UniFi devices in the comments - by default UniFi management is untagged. You can change UniFi to use a tagged management VLAN, but you have to take care to allow adoption of new/reset devices, as they will DHCP on an untagged network and look for a controller ready to be provisioned.

Also add address=192.168.1.0/24 interface=ether1 network=192.168.1.0 is invalid.

You should be able to connect by MAC address from Winbox.

There is/was a UniFi controller with some APs, but it was replaced by the Grandstream devices, which do not need a controller.
I do hope that they are tagged (I am not really the best at understanding this) and I do hope it works.
I will try to import it again and see what happens.

Thank you!

So, I added the whole configuration again. I can connect using MAC, but my computer does not get any IP from the DHCP server. I tried all ports.
What am I missing? Why does the DHCP not assign any IPs?
Also, the router does not seem to have an IP?

Thank you!

If you are plugging your computer directly into ether2-7, you will not get an address unless you configure the ethernet port on the computer to be tagged. The default settings on the ports and bridge have VLAN ID 1 untagged, and as there is no address attached it appears as 0.0.0.0.

Try configuring one of the ports as an access port on your Default_VLAN (VLAN ID 10), e.g. ether7:
/interface bridge port
add bridge=bridge interface=ether7 pvid=10
/interface bridge vlan
# ether7 is left out of tagged= because it is the untagged access port for VLAN 10
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6 vlan-ids=10

Even better, have a read through this document…before making any further changes.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
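
An added example (not written by any poster in this thread) for the point above about untagged PCs on tagged-only ports: a Python check that reads the bridge sections of a `/export` and reports, per bridge port, which VLAN an untagged frame joins and whether a DHCP server listens there. The sample export is constructed from the config in this thread, trimmed to three ports, and the function names are this example's own.

```python
import re
import shlex

# Constructed sample: bridge-related lines of the export posted in this thread,
# trimmed to three ports, with an ether8 access port on VLAN 10 added.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge name=Default_VLAN vlan-id=10
add interface=bridge name=Guest_VLAN vlan-id=20
/ip dhcp-server
add address-pool=Default_POOL interface=Default_VLAN name=Default_DHCP
add address-pool=Guest_POOL interface=Guest_VLAN name=Guest_DHCP
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether7 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether7 \
    vlan-ids=20
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for each 'add' line of an export."""
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # undo line wrapping
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:])
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def expand_ids(spec):
    """Expand a vlan-ids value such as '10,20-22' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_ports(text, bridge="bridge"):
    """Per bridge port: VLAN an untagged frame joins, DHCP server there, tagged VLANs."""
    s = parse_export(text)
    vlan_of = {v["name"]: int(v["vlan-id"]) for v in s.get("/interface vlan", [])
               if v.get("interface") == bridge}
    dhcp = {vlan_of[d["interface"]]: d["name"] for d in s.get("/ip dhcp-server", [])
            if d.get("interface") in vlan_of}
    report = {}
    for p in s.get("/interface bridge port", []):
        if p.get("bridge") != bridge:
            continue
        tagged = sorted(vid for row in s.get("/interface bridge vlan", [])
                        if p["interface"] in row.get("tagged", "").split(",")
                        for vid in expand_ids(row["vlan-ids"]))
        # Untagged frames join the port's PVID (RouterOS default 1) unless dropped.
        pvid = (None if p.get("frame-types") == "admit-only-vlan-tagged"
                else int(p.get("pvid", 1)))
        report[p["interface"]] = {"untagged_vlan": pvid,
                                  "dhcp": dhcp.get(pvid), "tagged": tagged}
    return report

if __name__ == "__main__":
    for port, result in audit_ports(SAMPLE_EXPORT).items():
        print(port, result)
```

A port whose `dhcp` value is `None` is one where a plain, untagged PC will never receive a lease, which is the situation described for ether2-7.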

In the first post you see a link. It points to exactly that article. I have read it several times :joy:
I am not a networking guy (I am a sys admin) but I know some basics.
Thanks for your help.

Hmmm
[admin@Router] > /interface bridge port
[admin@Router] /interface/bridge/port> add bridge=bridge interface=ether7 pvid=10
failure: device already added as bridge port

[admin@Router] /interface/bridge/port> print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON

INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON

0 IH ether2 bridge yes 1 0x80 10 10 none
1 IH ether3 bridge yes 1 0x80 10 10 none
2 IH ether4 bridge yes 1 0x80 10 10 none
3 IH ether5 bridge yes 1 0x80 10 10 none
4 IH ether6 bridge yes 1 0x80 10 10 none
5 H ether7 bridge yes 1 0x80 10 10 none
6 IH sfp-sfpplus1 bridge yes 1 0x80 10 10 none



[admin@Router] /interface/bridge/port> /interface bridge vlan
[admin@Router] /interface/bridge/vlan> add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5,ether6 vlan-ids=10
failure: vlan already added

[admin@Router] /interface/bridge/vlan> print
Columns: BRIDGE, VLAN-IDS

BRIDGE VLAN-IDS

0 bridge 10
1 bridge 20
2 bridge 30

I have now assigned ether8 (I forgot to add it, it has 8+sfp ports :slight_smile: )

I did:
/interface bridge port
add bridge=bridge interface=ether8 pvid=10

But I still can not get an IP on it...

Thanks!

Provide the latest config
and also a network diagram showing where all the VLANs should be flowing, over which ports, to what devices…

For example, all the ports on the router look like trunk ports? Are they all attached to smart devices that can read VLAN tags?
What about the smart switch you are using, ROS or SwOS, and also where is its network diagram?