I’ve got two VLANs at the moment for internet devices like servers and the wifi router. I also have an internal devices VLAN. Once I get these working I have more I want to add.
My internet comes in on a modem running it’s own DHCP server. Once I can migrate the servers connected to it, I’ll be putting it in bridge mode.
from the switch/router I can ping 8.8.8.8 just fine. However nothing on any of the other networks can. They get IPs from the DHCP server, but I can’t figure out why they don’t get internet access.
depending on what you are routing and whether you need firewall, you may be able to use L3HW offloading, but it appears the CRS312 is on the "partial L3HW offloading" list. So I doubt it will work well for an internet connection (but this is just guess, I have never used L3HW offloading on MikroTik)
Yes, it has great throughput between ports on the switch ( so many devices on the switch passing data back and forth at amazing rates. A switch is not meant for routing data back and forth with the internet.
Isnt that a basic tenant of networking?? Me not trained so just guessing.
Suggest an ax3 for cheap 1gig router, or for your more business case/throughput the RB5009 is an excellent long term investment
Aside from the fact that the devices is not suitable to act as NAT gateway for Gbps internet, the configuration posted in the OP has several issues:
vlan-filtering=yes is missing on the bridge.
Device is still using the very old version 7.6, and declares the two interfaces NetworkDevices and NutterDevices, but under /interface bridge vlan the bridge is not listed in the tagged list of VLAN 10 and 40. If you want to be lazy and omit that, then you'll need to upgrade RouterOS to the recently released versions, where that will be done automatically for you.
Port ether2 has pvid=10 and frame-types=admit-all, but under /interface bridge vlan is listed in the tagged list of VLAN 10.
If you want ether2 to be access port of VLAN 10, then you must remove it from the tagged list and it it to the untagged list (optional, RouterOS can also do it automatically for you).
But if you want VLAN 10 to be tagged on that port, then EITHER set frame-types=admit-only-vlan-tagged on ether2 (make it trunk port only); OR keep frame-types=admit-all but change pvid=1 (ether2 will be hybrid port).
VLAN 40 has no port assigned.
The bridge interface that appears to be your WAN interface (quite questionable setup) should be in the interface list WAN and not LAN. Create an interface list WAN and move the bridge to it.
Port ether2 doesn't need to be in the LAN interface list.
You have wrong and redundant masquerade rules, remove all and only keep:
Where are the firewall filter rules protecting your router and the LAN?
About how to configure VLAN, read the official docs, including the examples. If you don't know the several VLAN terms, read this often linked guide, the first post explains the concepts.
If you want to secure your firewall, apply the defconf firewall rules that come with MikroTik's SOHO devices here (use the rules for RouterOS 7).
Further, you should not use the whole bridge as WAN interface. Assuming ether7 is the port connected to the ISP, you should do the following modifications (after having upgraded RouterOS and fixing the VLAN configuration):
Set pvid=1000 on ether7 (or any number of your choice between 2-4094 excluding 10 and 40).
Under /interface vlan create VLAN interface vlan-wan with bridge as parent with the VLAN ID above.
Add vlan-wan to WAN interface list that you've created above.
Modify the DHCP client instance to use vlan-wan as interface instead of bridge.
If I may, besides the incomplete/wrong configuration and the - let's say - poor choice of the device as a router, there is no firewall (nor categorization of interfaces as LAN and WAN).
If the device is/will be connected directly to the internet (without a proper firewall in between), it is potentially vulnerable to attacks.
