New to Mkt, struggling with basic VLAN setup

Dear community,
I’m new to Mikrotik (not new in the networking field though ) and I’m really struggling to add basic vlan support to my CCR2004-16G-2S+
Basically I will use it as a standard NAT router and I will need a few VLANs on my LAN to have AP management and User traffic on 2 different VLANs.

I can’t even make the 1st vlan to work (untagged)…
Trying to ping 192.168.88.1 from a laptop (192.168.88.5) connected on ether2.

Can you please assist? I’m sure I’m missing some obvious part here but can’t figure out what

Here is the config I tested:

admin@MikroTik] > export
# 1970-01-02 00:28:55 by RouterOS 7.12.1
# software id = NCR8-KCMM
#
# model = CCR2004-16G-2S+
/interface bridge
add name=WIFI vlan-filtering=yes
/interface vlan
add interface=WIFI name=users vlan-id=8
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=WIFI interface=ether2 pvid=8
add bridge=WIFI interface=ether4 pvid=8
add bridge=WIFI interface=ether6 pvid=8
add bridge=WIFI interface=ether8 pvid=8
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=WIFI untagged=ether2,ether4,ether6,ether8 vlan-ids=8
/ip address
add address=192.168.88.1/24 interface=users network=192.168.88.0
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

Thanks

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Hello llamajaja and thank you, yes I checked this topic already…

Take a look at your IP address.
/ip address
add address=192.168.88.1/24 interface=users network=192.168.88.0

Thanks anav,
Well do you mean that the ip address should be associated with WIFI bridge instead of users subinterface?

Ahh okay, I see you only have one subnet and are using a vlan for that. A bit unusual but perfectly fine.
My question is, where are your firewall rules?
Where is your internet connection??

I voluntarily removed all other parts to isolate my issue but basically port 1 will be my WAN interface with classic NAT.
I’ll then have 2 vlans: one for users and one for wifi management

Here is a more comprehensive config I’m trying without success: connecting a laptop to access port 2 or 4 doesn’t work: it cannot get any IP from DHCP server.
I tried assigning an IP manually and it cannot ping .1 in any vlan (not DHCP related)

/interface bridge
add name=br-wifi vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
/interface vlan
add interface=br-wifi name=vlan8 vlan-id=8
add interface=br-wifi name=vlan9 vlan-id=9
/ip pool
add name=dhcp_pool0 ranges=10.88.0.2-10.88.0.254
add name=dhcp_pool1 ranges=10.99.0.2-10.99.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan8 name=dhcp1
add address-pool=dhcp_pool1 interface=vlan9 name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=br-wifi interface=ether2 pvid=9
add bridge=br-wifi interface=ether4 pvid=8
add bridge=br-wifi interface=ether6
add bridge=br-wifi interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=br-wifi tagged=ether6,ether8 untagged=ether4 vlan-ids=8
add bridge=br-wifi tagged=ether6,ether8 untagged=ether2 vlan-ids=9
/ip address
add address=10.88.0.1/24 interface=vlan8 network=10.88.0.0
add address=10.99.0.1/24 interface=vlan9 network=10.99.0.0
/ip dhcp-server network
add address=10.88.0.0/24 dns-server=1.1.1.1 gateway=10.88.0.1
add address=10.99.0.0/24 dns-server=1.1.1.1 gateway=10.99.0.1
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

Read through this article and pay close attention to /interface bridge ports and /interface bridge vlans to find your error
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

nice I think you made my day ! thanks a lot !
I replaced:

/interface bridge vlan
add bridge=br-wifi tagged=ether6,ether8 untagged=ether4 vlan-ids=8
add bridge=br-wifi tagged=ether6,ether8 untagged=ether2 vlan-ids=9

with:

/interface bridge vlan
add bridge=br-wifi tagged=br-wifi vlan-ids=8
add bridge=br-wifi tagged=br-wifi vlan-ids=9

That said after all the doc/video I checked I cannot recall where it was explained this way
(so many different ways of doing this)

The doc shows it but your config still not correct.
/interface bridge port
add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=9
add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-priority-and-untagged i interface=ether4 pvid=8
add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether6
add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether8

/interface bridge vlan
add bridge=br-dcwifi tagged=br-dcwifi,ether6,ether8 untagged=ether4 vlan-ids=8
add bridge=br-dcwifi tagged=br-dcwifi,ether6,ether8 untagged=ether2 vlan-ids=9

Ok, I see yours is more strict but the one I pasted seems to work too: it looks like untagged is inferred from the PVID field of this interface
meaning that port 2 and 4 are shown as currently untagged in winbox when active whereas 6 and 8 as tagged which is correct.

Correct, I prefer to manually insert the untagging as a visual crosscheck to make sure my bridge ports and bridge interfaces line up.
Also the untagging doesnt show up when exporting a config…

Yes, the stricter and more explicit it is the better for me too
So basically my mistake was omitting the bridge itself from the vlan table

Correct, and thus the linked article was not followed, all good now I will bet.

Indeed I did not read the entire thread, just the first posts, sorry about that.
Thanks for the help.