New to Mikrotik

Hi to all,
I bought my first MikroTik router and I am new to these devices. I am trying to make a VLAN trunk to my new CCR2004; I looked at many sites and YouTube videos but I can't get it to work.
I have 2 Ubiquiti switches and want to attach them to this router over a trunk port for routing the VLANs; best would be if it can be done as a LACP trunk. Can someone give any hints or example configs? Thanks in advance.

There are many examples around the Wiki regarding VLANs…
Of course you can create a VLAN trunk on your CCR…

What have you tried so far ?
Network diagram ?

It is generally not advisable to get your info from youtube videos or “many other sites”. There is a lot of garbage going around. It is outdated or unsafe.
You should check the wiki or help sites: wiki.mikrotik.com and help.mikrotik.com

And of course, when you want specific help, you first need to describe what you want to do.

Hi there,
I don't know what is the best option for you to
a. do VLANs: either the VLAN filtering bridge method (I prefer), or
b. the switch chip method. ****

***** Your unit diagram shows fancy PIPE connections between ports and I don't think there is any specific method to optimize those, at least I have not read anything. So I don't think the switch chip method applies anyway.

Here is the link for bridge VLAN filtering, which I use for many VLANs myself:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Stick with the default firewall rules until you understand them, as they keep you safe from the start.
When you have a first config kind of done, do not hesitate to post the config here for review.
/export hide-sensitive file=anynameyouwish

Default rules in case your router didn't come with any. IP FIREWALL
All you have to do is copy and paste this in your winbox Terminal window (without the { _____ chain part } of course).
/ip firewall filter
{input chain part}
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface-list=!LAN

{forward chain part}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

If there are no NAT rules, this is the default rule for that as well.

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Hi mate, I tried many things: VLANs under port, VLANs under bridge, looked at the wiki and so on, but nothing really functions. My diagram is easy: I need 8 VLANs for separating my networks into segments and want to hand them from the router to the switches over a trunk. As router to switches, it would be even better if I can do some LACP for the 2 switches.

Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE

NAME MTU ARP VL INTERFACE

0 R vlan5 1500 enabled 5 Trunk_bridge
1 R vlan10 1500 enabled 10 Trunk_bridge
2 R vlan30 1500 enabled 30 Trunk_bridge
3 R vlan40 1500 enabled 40 Trunk_bridge
4 R vlan50 1500 enabled 50 Trunk_bridge
5 R vlan60 1500 enabled 60 Trunk_bridge
6 R vlan70 1500 enabled 70 Trunk_bridge
7 R vlan80 1500 enabled 80 Trunk_bridge
8 R vlan90 1500 enabled 90 Trunk_bridge


Flags: X - disabled, R - running
0 R name="Trunk_bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=08:55:31:DF:AF:E3 protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=no dhcp-snooping=no

1 R name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=08:55:31:DF:AF:D8 protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
vlan-filtering=no dhcp-snooping=no


Flags: R - RUNNING; S - SLAVE
Columns: NAME, MTU, MAC-ADDRESS, ARP, SWITCH

NAME MTU MAC-ADDRESS ARP SWITCH

;;; WAN
0 R ether1 1500 08:55:31:DF:AF:D7 enabled
1 S sfp-sfpplus1 1500 08:55:31:DF:AF:D8 enabled switch1
2 S sfp-sfpplus2 1500 08:55:31:DF:AF:D9 enabled switch1
3 S sfp-sfpplus3 1500 08:55:31:DF:AF:DA enabled switch1
4 S sfp-sfpplus4 1500 08:55:31:DF:AF:DB enabled switch1
5 S sfp-sfpplus5 1500 08:55:31:DF:AF:DC enabled switch1
6 S sfp-sfpplus6 1500 08:55:31:DF:AF:DD enabled switch1
7 S sfp-sfpplus7 1500 08:55:31:DF:AF:DE enabled switch1
8 S sfp-sfpplus8 1500 08:55:31:DF:AF:DF enabled switch1
9 S sfp-sfpplus9 1500 08:55:31:DF:AF:E0 enabled switch1
10 S sfp-sfpplus10 1500 08:55:31:DF:AF:E1 enabled switch1
11 S sfp-sfpplus11 1500 08:55:31:DF:AF:E2 enabled switch1
12 RS sfp-sfpplus12 1500 08:55:31:DF:AF:E3 enabled switch1
13 S sfp28-1 1500 08:55:31:DF:AF:E4 enabled switch1
14 S sfp28-2 1500 08:55:31:DF:AF:E5 enabled switch1

The trunk bridge is on the SFP+12 port for testing purposes; for the configuration I try it with 1 port, but even this doesn't get to run.
Many thanks and kind regards

Many thanks for the fast answers. I have it now behind my real firewall until I am sure it is safe to take this WAN interface public; until then it stays behind a firewall. For now the first role is the 10 Gb routing capability. Whether to use bridge-based or port-based, I don't know what is best; I think to make 2 LACP ports, one for each switch, to get routing as fast as possible. For routing I think this will do it much faster, or?

@anav I read this; it is awesome info there, but I don't get it to work. IDK, for the CCR2004 there is not much info. My firewall rules are empty; maybe the firewall blocks? Does empty mean all blocked?
By the way, how do I get this config?

Okay, let's walk before running. Let's ignore LACP and added stuff for now.
Let's get a safe, clean firewall up and a working VLAN setup.

So the config is best handled by using WINBOX.
Once you have been able to access winbox,

find the left-hand menu TERMINAL selection.
When in there type
/export hide-sensitive file=anynameyouwish

It will create and send a file TO FILES.
So on winbox find FILES on the left-hand menu.
Then right- or left-click it to download to your PC.

Then using Notepad++ open it up and paste it here.
You may want to use the code tags up top as good etiquette (to the right of BOLD, UNDERLINE etc.: the black square with white brackets).

When it's open in Notepad++ just remove any serial numbers that identify the router,
and sometimes if it's a PPPoE setup there may be information that has to be removed first (aka a password).
In addition just make sure NO PUBLIC IP addresses are exposed…

# aug/15/2021 22:48:55 by RouterOS 7.1beta6
# software id = KIHW-0X4S
#
# model = CCR2004-1G-12S+2XS
# serial number =

/interface bridge
add name=Trunk_bridge vlan-filtering=yes
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface vlan
add interface=Trunk_bridge name=vlan5 vlan-id=5
add interface=Trunk_bridge name=vlan10 vlan-id=10
add interface=Trunk_bridge name=vlan30 vlan-id=30
add interface=Trunk_bridge name=vlan40 vlan-id=40
add interface=Trunk_bridge name=vlan50 vlan-id=50
add interface=Trunk_bridge name=vlan60 vlan-id=60
add interface=Trunk_bridge name=vlan70 vlan-id=70
add interface=Trunk_bridge name=vlan80 vlan-id=80
add interface=Trunk_bridge name=vlan90 vlan-id=90
/interface list
add name=WAN
add name=LAN
add name=Gast
add name=Server
add name=WLAN
add name=IOT
add name=SECURITY
add name=IPMI
add name=MGMT
add name=DMZ
add name=Cluster
add name=HA
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_vlan1 ranges=172.16.1.100-172.16.1.254
add name=dhcp_IPMI ranges=172.16.5.100-172.16.5.254
add name=dhcp_security ranges=172.16.30.100-172.16.30.254
add name=dhcp_IoT ranges=172.16.40.100-172.16.40.254
add name=dhcp_10 ranges=172.16.10.100-172.16.10.254
add name=dhcp_50 ranges=172.16.50.2-172.16.50.254
add name=dhcp_60 ranges=172.16.60.100-172.16.60.254
add name=dhcp_70 ranges=172.16.70.100-172.16.70.254
add name=dhcp_80 ranges=172.16.80.100-172.16.80.254
add name=dhcp_90 ranges=172.16.90.50-172.16.90.254
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=dhcp_vlan1 disabled=no interface=sfp-sfpplus12 lease-time=2h name=dhcp_1
add address-pool=dhcp_IPMI disabled=no interface=vlan5 lease-time=2h name=dhcp_5
add address-pool=dhcp_security disabled=no interface=vlan30 lease-time=2h name=dhcp_30
add address-pool=dhcp_IoT disabled=no interface=vlan40 lease-time=2h name=dhcp_40
add address-pool=dhcp_10 disabled=no interface=vlan10 lease-time=2h name=dhcp_10
add address-pool=dhcp_50 disabled=no interface=vlan50 lease-time=2h name=dhcp_50
add address-pool=dhcp_60 disabled=no interface=vlan60 lease-time=2h name=dhcp60
add address-pool=dhcp_70 disabled=no interface=vlan70 lease-time=2h name=dhcp70
add address-pool=dhcp_80 disabled=no interface=vlan80 lease-time=2h name=dhcp80
add address-pool=dhcp_90 disabled=no interface=vlan90 lease-time=2h name=dhcp90
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
add bridge=Trunk_bridge interface=sfp-sfpplus12
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=vlan50 list=Gast
add interface=vlan30 list=SECURITY
add interface=vlan90 list=WLAN
add interface=vlan40 list=IOT
add interface=vlan5 list=IPMI
add interface=vlan60 list=DMZ
add interface=vlan80 list=Cluster
add interface=vlan70 list=HA
/ip address
add address=172.16.1.1/24 interface=sfp-sfpplus12 network=172.16.1.0
add address=172.16.5.1/24 interface=vlan5 network=172.16.5.0
add address=172.16.30.1/24 interface=vlan30 network=172.16.30.0
add address=172.16.40.1/24 interface=vlan40 network=172.16.40.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.50.1/24 interface=vlan50 network=172.16.50.0
add address=172.16.60.1/24 interface=vlan60 network=172.16.60.0
add address=172.16.70.1/24 interface=vlan70 network=172.16.70.0
add address=172.16.80.1/24 interface=vlan80 network=172.16.80.0
add address=172.16.90.1/24 interface=vlan90 network=172.16.90.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
add address=172.16.5.0/24 gateway=172.16.5.1
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.30.0/24 gateway=172.16.30.1
add address=172.16.40.0/24 gateway=172.16.40.1
add address=172.16.50.0/24 gateway=172.16.50.1
add address=172.16.60.0/24 gateway=172.16.60.1
add address=172.16.70.0/24 gateway=172.16.70.1
add address=172.16.80.0/24 gateway=172.16.80.1
add address=172.16.90.0/24 gateway=172.16.90.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set dccp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=cr1
/system ntp client
set enabled=yes

First thing: you are using beta firmware.
All bets are off; nothing or everything may work as advertised, and some settings are different from version 6.
I would recommend not experimenting with beta firmware if this is for a production environment!!!

Okay, a bit confusing to name a VLAN after its VLAN ID, but not the end of the world.
However I don't get your IP pool designation of vlan1, as there is no vlan1 that I can see, and one should never use VLAN 1 as that is a default VLAN on most equipment.
It will be the default VLAN of the bridge, so best not to use it elsewhere. You can get rid of bridge1 as it's not needed.


You have 9 VLANs.
You have 10 IP pools and 10 DHCP networks; where is the disconnect??
Where are the IP pools for 30, 40? (This is what I mean about a disconnect in your naming conventions.)

Note: interface member lists are a good idea if you have TWO or more VLANs you want to identify for specific purposes, be it access to the internet or access to a common printer in another VLAN etc.
The one time one may want to define a single subnet as an interface list is if it's the management interface, which is used in a couple of different config locations.
For single subnets, just use the subnet in firewall rules…
The good time to use firewall address lists is when you have
a. a selection of IPs only within a subnet (not all of them).
b. a selection of IPs across several subnets.
c. a whole subnet and a selection of IPs from one or more other subnets.

Your first /dhcp server line is suspect; it's not happy with the interface chosen?
What is your purpose or plan for sfp-sfpplus12??

Ahh, so now I see what you have done.
You have a NON-VLAN which you want to run on all the SFP PLUS ports and then RUN ALL VLANS on the bridge interface TRUNK through sfp-plus12.

SO, GET RID OF BRIDGE 1; you do not use it anywhere according to the config???
PUT ALL INTERFACES ON THE BRIDGE TRUNK.
Now you have two choices:
a. create another VLAN (what I would do), call it vlan99-home or whatever its purpose is.
b. assign it to interface bridge trunk like all the others.

OR
just use the bridge trunk as the interface for the subnet and let the bridge hand out leases for the subnets on all SFP ports.
I prefer to let the bridge be a bridge and let the VLANs do the work!!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Overall so far, we need clarity.
What are you putting over all the SFP ports other than sfp-12?
What are you putting over SFP-12?
What is the purpose of your vlan-1, which is not really a VLAN???

WARNING: Missing this rule on the default rule set at the bottom of the forward chain!!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

There is no NAT rule; the default typically is…
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Also you have no route rules it seems, so the router has no direction where to send packets to the internet.

So I downgraded it to 6.48 and got rid of bridge1. Ah, sfp+12 is the VLAN trunk I am trying to make; vlan1 was for the default vlan1 address, so if I put some devices there they get a DHCP address. From sfp+9 to 12 I try to make those LACP for the 2 switches with SFP+ links; with sfp1 to 8 I want to do nothing for now, maybe I put my Proxmox cluster there. This

There is no NAT rule; the default typically is…
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

I put this extra note: I think maybe I cannot access the device later. I have 2 VLANs after this, my home network and my server VLAN; these I can only put in later if all works.

Instead of vlan1 I put the default address on the Trunk_bridge port and used the DHCP pool for it, so whenever something needs DHCP from vlan1 it can get it. Or is that a bad idea?

If you don't follow the link provided and think you know the rules better, no, I cannot help much further.

Hi mate, I tried to follow what you told me; my config so far:

# jan/02/1970 14:23:49 by RouterOS 6.48.3
# software id = 
#
# model = CCR2004-1G-12S+2XS
# serial number = 
/interface bridge
add name=Trunk_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface vlan
add interface=Trunk_bridge name=vlan5 vlan-id=5
add interface=Trunk_bridge name=vlan10 vlan-id=10
add interface=Trunk_bridge name=vlan30 vlan-id=30
add interface=Trunk_bridge name=vlan40 vlan-id=40
add interface=Trunk_bridge name=vlan50 vlan-id=50
add interface=Trunk_bridge name=vlan60 vlan-id=60
add interface=Trunk_bridge name=vlan70 vlan-id=70
add interface=Trunk_bridge name=vlan80 vlan-id=80
add interface=Trunk_bridge name=vlan90 vlan-id=90
/interface list
add name=WAN
add name=LAN
add name=Gast
add name=Server
add name=WLAN
add name=IOT
add name=SECURITY
add name=IPMI
add name=MGMT
add name=DMZ
add name=Cluster
add name=HA
/interface lte apn
set [ find default=yes ] ip-type=ipv4-ipv6
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_vlan1 ranges=172.16.1.100-172.16.1.254
add name=dhcp_IPMI ranges=172.16.5.100-172.16.5.254
add name=dhcp_security ranges=172.16.30.100-172.16.30.254
add name=dhcp_IoT ranges=172.16.40.100-172.16.40.254
add name=dhcp_10 ranges=172.16.10.100-172.16.10.254
add name=dhcp_50 ranges=172.16.50.2-172.16.50.254
add name=dhcp_60 ranges=172.16.60.100-172.16.60.254
add name=dhcp_70 ranges=172.16.70.100-172.16.70.254
add name=dhcp_80 ranges=172.16.80.100-172.16.80.254
add name=dhcp_90 ranges=172.16.90.50-172.16.90.254
/ip dhcp-server
add address-pool=dhcp_IPMI disabled=no interface=vlan5 lease-time=2h name=\
    dhcp_5
add address-pool=dhcp_security disabled=no interface=vlan30 lease-time=2h \
    name=dhcp_30
add address-pool=dhcp_IoT disabled=no interface=vlan40 lease-time=2h name=\
    dhcp_40
add address-pool=dhcp_10 disabled=no interface=vlan10 lease-time=2h name=\
    dhcp_10
add address-pool=dhcp_50 disabled=no interface=vlan50 lease-time=2h name=\
    dhcp_50
add address-pool=dhcp_60 disabled=no interface=vlan60 lease-time=2h name=\
    dhcp60
add address-pool=dhcp_70 disabled=no interface=vlan70 lease-time=2h name=\
    dhcp70
add address-pool=dhcp_80 disabled=no interface=vlan80 lease-time=2h name=\
    dhcp80
add address-pool=dhcp_90 disabled=no interface=vlan90 lease-time=2h name=\
    dhcp90
/interface bridge port
add bridge=Trunk_bridge interface=sfp-sfpplus1
add bridge=Trunk_bridge interface=sfp-sfpplus2
add bridge=Trunk_bridge interface=sfp-sfpplus3
add bridge=Trunk_bridge interface=sfp-sfpplus4
add bridge=Trunk_bridge interface=sfp-sfpplus5
add bridge=Trunk_bridge interface=sfp-sfpplus6
add bridge=Trunk_bridge interface=sfp-sfpplus7
add bridge=Trunk_bridge interface=sfp-sfpplus8
add bridge=Trunk_bridge interface=sfp-sfpplus9
add bridge=Trunk_bridge interface=sfp-sfpplus10
add bridge=Trunk_bridge interface=sfp-sfpplus11
add bridge=Trunk_bridge interface=sfp28-1
add bridge=Trunk_bridge interface=sfp28-2
add bridge=Trunk_bridge interface=sfp-sfpplus12
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=vlan50 list=Gast
add interface=vlan30 list=SECURITY
add interface=vlan90 list=WLAN
add interface=vlan40 list=IOT
add interface=vlan5 list=IPMI
add interface=vlan60 list=DMZ
add interface=vlan80 list=Cluster
add interface=vlan70 list=HA
/ip address
add address=172.16.1.1/24 interface=Trunk_bridge network=172.16.1.0
add address=172.16.5.1/24 interface=vlan5 network=172.16.5.0
add address=172.16.30.1/24 interface=vlan30 network=172.16.30.0
add address=172.16.40.1/24 interface=vlan40 network=172.16.40.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.50.1/24 interface=vlan50 network=172.16.50.0
add address=172.16.60.1/24 interface=vlan60 network=172.16.60.0
add address=172.16.70.1/24 interface=vlan70 network=172.16.70.0
add address=172.16.80.1/24 interface=vlan80 network=172.16.80.0
add address=172.16.90.1/24 interface=vlan90 network=172.16.90.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
add address=172.16.5.0/24 gateway=172.16.5.1
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.30.0/24 gateway=172.16.30.1
add address=172.16.40.0/24 gateway=172.16.40.1
add address=172.16.50.0/24 gateway=172.16.50.1
add address=172.16.60.0/24 gateway=172.16.60.1
add address=172.16.70.0/24 gateway=172.16.70.1
add address=172.16.80.0/24 gateway=172.16.80.1
add address=172.16.90.0/24 gateway=172.16.90.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=accept chain=srcnat out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set dccp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=cr1
/system ntp client
set enabled=yes
/system resource irq rps
set ether1 disabled=yes

I see improvements on a quick look; busy for the next part of the day but will look in detail later.
It's a work in progress; patience is a good thing.

Hi mate, so far you are an awesome help; I would give you 25 stars out of 5. Many, many thanks for what you have done for me till now, and have a nice day :)

No worries, let's simplify and build back up where necessary.

(1) You had an error in your interface list member: LAN did not have any interfaces assigned. So we assign the bridge to the LAN interface list, and this includes all 9 VLANs.
I got rid of all the rest as I don't see any role for them yet in your config. If we need them then we can add them.

/interface list member
add interface=ether1 list=WAN
add interface=Trunk_bridge list=LAN

That's it, and for the 'parent' interface list, remove all except WAN and LAN.

(2) This item is still in the pool, which would be okay..
add name=dhcp_vlan1 ranges=172.16.1.100-172.16.1.254
but where is the corresponding DHCP server setting? (There are only 9, but you have 10 IP pools and 10 IP addresses…)

Suggesting you probably meant to add this:
add dhcp_vlan1
add address-pool=dhcp_vlan1 disabled=no interface=Trunk_bridge lease-time=2h name=bridge-dhcp

(3) Okay, you have 14 ports but you don't state what is going on each port??
The only thing so far that is going out on all ports is the subnet you have assigned to the bridge, 176.16.1.0/24.
You have not assigned any VLANs to go out on any bridge ports??

(4) You have not stated what the purpose of the bridge-sponsored subnet is???

(5) Still missing one default firewall rule that needs to be added to the bottom of the forward chain!!!
WARNING: Missing this rule on the default rule set at the bottom of the forward chain!!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
This should be the first thing you do!

(6) The NAT rule is in the wrong format, despite the fact that I had already provided the rule properly for you, as well as the firewall rule above… You need to pay closer attention to detail… :)
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
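The points anav raises across the two review posts (the missing "drop all from WAN not DSTNATed" forward rule, the srcnat rule that accepts instead of masquerading, the input drop rule left disabled, VLAN interfaces with no /interface bridge vlan entry, a DHCP server on a bridge slave port, pools no DHCP server uses) can be checked mechanically over an export. This is an added example, not code from the thread or from MikroTik; it assumes the `/export hide-sensitive` text format shown in the posts and runs over a constructed sample condensed from the posted configs.

```python
"""Lint a RouterOS export for the defects raised in this thread. Added example,
not the thread's config and not MikroTik code; it works on the text that
'/export hide-sensitive' produces and reports each problem as one line."""
import re
import shlex

def parse_export(text):
    """Return (section, verb, {key: value}) for every add/set line."""
    joined = re.sub(r"\\\n\s*", "", text)   # undo the export's "\"-wrapped lines
    entries, section = [], None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # header and comment lines
        if line.startswith("/"):
            section = line                   # e.g. "/ip firewall filter"
            continue
        parts = shlex.split(line)            # honours "quoted values"
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        entries.append((section, parts[0], props))
    return entries

def expand_ids(spec):
    """'5,10-12' -> {5, 10, 11, 12}; vlan-ids may contain ranges."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

WAN_DROP = {"chain": "forward", "action": "drop",
            "connection-nat-state": "!dstnat", "in-interface-list": "WAN"}

def lint(text):
    entries = parse_export(text)
    adds = lambda sec: [p for s, v, p in entries if s == sec and v == "add"]
    out = []
    rules = adds("/ip firewall filter")
    if not any(all(p.get(k) == v for k, v in WAN_DROP.items()) for p in rules):
        out.append("forward: missing default 'drop all from WAN not DSTNATed' rule")
    for p in rules:
        if p.get("action") == "drop" and p.get("disabled") == "yes":
            out.append(f"{p.get('chain')}: disabled drop rule ({p.get('comment', 'no comment')})")
    if not any(p.get("chain") == "srcnat" and p.get("action") == "masquerade"
               for p in adds("/ip firewall nat")):
        out.append("srcnat: no masquerade rule")

    filtering = {p["name"] for p in adds("/interface bridge")
                 if p.get("vlan-filtering") == "yes"}
    tagged = {}                              # bridge -> vlan-id -> tagged ports
    for p in adds("/interface bridge vlan"):
        for vid in expand_ids(p.get("vlan-ids", "")):
            tagged.setdefault(p["bridge"], {}).setdefault(vid, set()).update(
                p.get("tagged", "").split(","))
    for p in adds("/interface vlan"):
        br, vid = p.get("interface"), int(p["vlan-id"])
        members = tagged.get(br, {}).get(vid, set())
        if br in filtering and not members:
            out.append(f"{p['name']}: vlan-id {vid} has no /interface bridge vlan entry on {br}")
        elif br in filtering and br not in members:   # CPU port must be tagged to route
            out.append(f"{p['name']}: {br} itself is not tagged for vlan-id {vid}")

    ports = {p["interface"] for p in adds("/interface bridge port")}
    pools = {p["name"] for p in adds("/ip pool")}
    for p in adds("/ip dhcp-server"):
        pools.discard(p.get("address-pool"))
        if p.get("interface") in ports:      # RouterOS refuses DHCP on a slave port
            out.append(f"{p.get('name')}: interface {p['interface']} is a bridge port (slave)")
    out.extend(f"ip pool {n} is not used by any DHCP server" for n in sorted(pools))
    return out

# Constructed sample condensed from the thread's exports, mistakes left in.
SAMPLE = """\
/interface bridge
add name=Trunk_bridge vlan-filtering=yes
/interface vlan
add interface=Trunk_bridge name=vlan5 vlan-id=5
add interface=Trunk_bridge name=vlan10 vlan-id=10
add interface=Trunk_bridge name=vlan20 vlan-id=20
/ip pool
add name=dhcp_vlan1 ranges=172.16.1.100-172.16.1.254
add name=dhcp_IPMI ranges=172.16.5.100-172.16.5.254
add name=dhcp_10 ranges=172.16.10.100-172.16.10.254
/ip dhcp-server
add address-pool=dhcp_IPMI disabled=no interface=vlan5 lease-time=2h name=dhcp_5
add address-pool=dhcp_vlan1 disabled=no interface=sfp-sfpplus12 name=dhcp_1
/interface bridge port
add bridge=Trunk_bridge interface=sfp-sfpplus12
/interface bridge vlan
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus12" vlan-ids=5
add bridge=Trunk_bridge tagged=sfp-sfpplus12 vlan-ids=20
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\\
    invalid
add action=drop chain=input disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=accept chain=srcnat out-interface-list=WAN
"""
```

Run `lint(open("export.rsc").read())` on a downloaded export; an empty list means none of the thread's mistakes are present, each string otherwise names one of them.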

Hi mate, I got it working now with this config:

# aug/16/2021 19:50:11 by RouterOS 6.48.3
# software id = KIHW-0X4S
#
# model = CCR2004-1G-12S+2XS
# serial number = 
/interface bridge
add name=Trunk_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface vlan
add interface=Trunk_bridge name=vlan5 vlan-id=5
add interface=Trunk_bridge name=vlan10 vlan-id=10
add interface=Trunk_bridge name=vlan20 vlan-id=20
add interface=Trunk_bridge name=vlan30 vlan-id=30
add interface=Trunk_bridge name=vlan40 vlan-id=40
add interface=Trunk_bridge name=vlan50 vlan-id=50
add interface=Trunk_bridge name=vlan60 vlan-id=60
add interface=Trunk_bridge name=vlan70 vlan-id=70
add interface=Trunk_bridge name=vlan80 vlan-id=80
add interface=Trunk_bridge name=vlan90 vlan-id=90
add interface=Trunk_bridge name=vlan100 vlan-id=100
/interface list
add name=WAN
add name=LAN
add name=Gast
add name=Server
add name=WLAN
add name=IOT
add name=SECURITY
add name=IPMI
add name=MGMT
add name=DMZ
add name=Cluster
add name=HA
/interface lte apn
set [ find default=yes ] ip-type=ipv4-ipv6
/ip pool
add name=dhcp_pool_ipmi ranges=172.16.5.100-172.16.5.254
add name=dhcp_pool_security ranges=172.16.30.100-172.16.30.254
add name=dhcp_pool_IoT ranges=172.16.40.100-172.16.40.254
add name=dhcp_pool_mgmt ranges=172.16.10.100-172.16.10.254
add name=dhcp_pool_guest ranges=172.16.50.2-172.16.50.254
add name=dhcp_pool_dmz ranges=172.16.60.100-172.16.60.254
add name=dhcp_pool_ha ranges=172.16.70.100-172.16.70.254
add name=dhcp_pool_cluster ranges=172.16.80.100-172.16.80.254
add name=dhcp_pool_wlan ranges=172.16.90.50-172.16.90.254
add name=dhcp_pool_LAN ranges=172.16.100.2-172.16.100.254
add name=dhcp_pool_server ranges=172.16.20.11-172.16.20.20
/ip dhcp-server
add address-pool=dhcp_pool_ipmi disabled=no interface=vlan5 lease-time=2h \
    name=dhcp_ipmi
add address-pool=dhcp_pool_security disabled=no interface=vlan30 lease-time=\
    2h name=dhcp_security
add address-pool=dhcp_pool_IoT disabled=no interface=vlan40 lease-time=2h \
    name=dhcp_IoT
add address-pool=dhcp_pool_mgmt disabled=no interface=vlan10 lease-time=2h \
    name=dhcp_mgmt
add address-pool=dhcp_pool_guest disabled=no interface=vlan50 lease-time=2h \
    name=dhcp_guest
add address-pool=dhcp_pool_dmz disabled=no interface=vlan60 lease-time=2h \
    name=dhcp_dmz
add address-pool=dhcp_pool_ha disabled=no interface=vlan70 lease-time=2h \
    name=dhcp_ha
add address-pool=dhcp_pool_cluster disabled=no interface=vlan80 lease-time=2h \
    name=dhcp_cluster
add address-pool=dhcp_pool_wlan disabled=no interface=vlan90 lease-time=8h \
    name=dhcp_wlan
add address-pool=dhcp_pool_LAN disabled=no interface=vlan100 lease-time=8h \
    name=dhcp_LAN
add address-pool=dhcp_pool_server disabled=no interface=vlan20 lease-time=8h \
    name=dhcp_server
/interface bridge port
add bridge=Trunk_bridge interface=sfp-sfpplus1
add bridge=Trunk_bridge interface=sfp-sfpplus2
add bridge=Trunk_bridge interface=sfp-sfpplus3
add bridge=Trunk_bridge interface=sfp-sfpplus4
add bridge=Trunk_bridge interface=sfp-sfpplus5
add bridge=Trunk_bridge interface=sfp-sfpplus6
add bridge=Trunk_bridge interface=sfp-sfpplus7
add bridge=Trunk_bridge interface=sfp-sfpplus8
add bridge=Trunk_bridge interface=sfp-sfpplus9
add bridge=Trunk_bridge interface=sfp-sfpplus10
add bridge=Trunk_bridge interface=sfp-sfpplus11
add bridge=Trunk_bridge interface=sfp28-1
add bridge=Trunk_bridge interface=sfp28-2
add bridge=Trunk_bridge interface=sfp-sfpplus12
/interface bridge vlan
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=10
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=5
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=20
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=30
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=40
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=50
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=60
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=70
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=80
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=90
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=vlan100 list=LAN
add interface=vlan50 list=Gast
add interface=vlan30 list=SECURITY
add interface=vlan90 list=WLAN
add interface=vlan40 list=IOT
add interface=vlan5 list=IPMI
add interface=vlan60 list=DMZ
add interface=vlan80 list=Cluster
add interface=vlan70 list=HA
/ip address
add address=172.16.1.1/24 interface=Trunk_bridge network=172.16.1.0
add address=172.16.5.1/24 interface=vlan5 network=172.16.5.0
add address=172.16.30.1/24 interface=vlan30 network=172.16.30.0
add address=172.16.40.1/24 interface=vlan40 network=172.16.40.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.50.1/24 interface=vlan50 network=172.16.50.0
add address=172.16.60.1/24 interface=vlan60 network=172.16.60.0
add address=172.16.70.1/24 interface=vlan70 network=172.16.70.0
add address=172.16.80.1/24 interface=vlan80 network=172.16.80.0
add address=172.16.90.1/24 interface=vlan90 network=172.16.90.0
add address=172.16.20.1/24 interface=vlan20 network=172.16.20.0
add address=172.16.100.1/24 interface=vlan100 network=172.16.100.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
add address=172.16.5.0/24 gateway=172.16.5.1
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=172.16.30.0/24 gateway=172.16.30.1
add address=172.16.40.0/24 gateway=172.16.40.1
add address=172.16.50.0/24 gateway=172.16.50.1
add address=172.16.60.0/24 gateway=172.16.60.1
add address=172.16.70.0/24 gateway=172.16.70.1
add address=172.16.80.0/24 gateway=172.16.80.1
add address=172.16.90.0/24 gateway=172.16.90.1
add address=172.16.100.0/24 dns-server=172.16.20.5,172.16.100.1 domain=\
    xxx.xxx gateway=172.16.100.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=accept chain=srcnat out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set dccp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=xxxx
/system identity
set name=xxx
/system ntp client
set enabled=yes primary-ntp=xx.xx.xx.xx secondary-ntp=xx.xx.xx.xx
/system ntp server
set broadcast=yes enabled=yes
/system resource irq rps
set ether1 disabled=yes

I make for each VLAN its own list to better control it later from firewall rules.
Firewall: thx for the info, changed NAT to masquerade.
Now I realized there is no need for the bridge trunk address; removed it, I can manage this device from the mgmt address. Was scared that I'd lose access to this device :slight_smile:
Ports are now all trunk, which is better for me; I need only trunk when I later use them for maybe VM ports.
Now this works, but how can I now, let's say, LACP ports 9 and 10 for the 1st switch and 11 and 12 for the 2nd switch, and activate all of them for jumbo frames?
Take those ports out of the trunk bridge, bond them, and put the bonded interfaces into the trunk bridge?
After the CCR2004 I have a firewall; the CCR gets an IP from it, this is the WAN DHCP 172.16.0.100. NAT is done by this firewall; should I still do this on the CCR too? Well, I did it now and I see no connection loss from the internet, it's ok.
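As an added example (not the poster's config and not from anyone in the thread), the layout the post above proposes, written as RouterOS commands: sfp-sfpplus9/10 and sfp-sfpplus11/12 are taken out of Trunk_bridge, bonded with 802.3ad (LACP), and the bonds are added back as tagged trunk members. Port, bridge and VLAN names come from the export above; the bond names and the MTU value 9000 are assumptions.

```routeros
# Added example, not from the thread. Bond names and MTU 9000 are assumed;
# Trunk_bridge and sfp-sfpplus9..12 are the names from the export above.

# 1. A bonding slave must not also be a bridge port, so drop the four
#    physical ports from the bridge first.
/interface bridge port
remove [find interface=sfp-sfpplus9]
remove [find interface=sfp-sfpplus10]
remove [find interface=sfp-sfpplus11]
remove [find interface=sfp-sfpplus12]

# 2. One LACP bond per switch. layer-2-and-3 hashing spreads flows over
#    both links; the Ubiquiti side must run LACP (802.3ad) too, not a
#    static aggregate, or the bond never comes up.
/interface bonding
add name=bond-sw1 mode=802.3ad slaves=sfp-sfpplus9,sfp-sfpplus10 \
    transmit-hash-policy=layer-2-and-3 lacp-rate=1sec
add name=bond-sw2 mode=802.3ad slaves=sfp-sfpplus11,sfp-sfpplus12 \
    transmit-hash-policy=layer-2-and-3 lacp-rate=1sec

# 3. Jumbo frames: the MTU has to be raised on every hop of the path,
#    physical port -> bond -> bridge, and on the switches as well.
/interface ethernet
set [find name~"sfp-sfpplus(9|1[0-2])"] mtu=9000
/interface bonding
set bond-sw1,bond-sw2 mtu=9000
/interface bridge
set Trunk_bridge mtu=9000

# 4. Put the bonds back as trunk members.
/interface bridge port
add bridge=Trunk_bridge interface=bond-sw1
add bridge=Trunk_bridge interface=bond-sw2

# 5. Rewrite the tagged list of every VLAN on the bridge: the eight
#    remaining SFP+ ports and the two SFP28 ports stay tagged, the four
#    ports that are now bond slaves are dropped, the bonds are added.
:foreach v in=[/interface bridge vlan find bridge=Trunk_bridge] do={
    /interface bridge vlan set $v tagged="Trunk_bridge,sfp-sfpplus1,\
sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,\
sfp-sfpplus7,sfp-sfpplus8,sfp28-1,sfp28-2,bond-sw1,bond-sw2"
}
```

Run this from a session on a port that is not in the bridge (or in Safe Mode, Ctrl+X in the terminal), because the trunk links drop for a moment while the bridge membership changes.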

If you have a management VLAN, all smart devices (switches etc.) should have an IP from this subnet.

I already stated how to efficiently use VLANs, interface lists and firewall address lists…

Thank you for your advice, very helpful. Now I need to check how to turn on the MTU for jumbo frames (my devices are all running on jumbo frames) and find how to LACP those 2 switches to ports 9-10 and 11-12; this router is the core network router.

I have a problem with this config: on the interface that goes to my firewall there is this NATting. How can I disable this NAT so that my devices use their own IP instead of the IP of the interface that goes to this firewall?
As this device will be used as an internal core router, and 1 interface goes to the firewall where all NATting to the network is done. The config should pass my addresses through to the firewall side as normal and not NATted. Thx for any help