please help harden my MLAG setup

Hello!

I am quite new to MikroTik MLAG. I use mainly Proxmox virtualization nodes, with 2-port SFP+ cards.
Recently I purchased two CRS309 switches for my lab. These have 8 SFP+ ports, so I can implement MLAG. Each server has one link to each switch.
I use a virtualized pfSense router that handles firewalling and NAT. It connects from the Proxmox servers to each VLAN.

I ran the following configuration on my switches:

# One LACP bond per server, same mlag-id on both switches so the two links form one LAG
/interface bonding
add mlag-id=2 mode=802.3ad name=client-bond2 slaves=sfp-sfpplus2
add mlag-id=3 mode=802.3ad name=client-bond3 slaves=sfp-sfpplus3
add mlag-id=4 mode=802.3ad name=client-bond4 slaves=sfp-sfpplus4
add mlag-id=5 mode=802.3ad name=client-bond5 slaves=sfp-sfpplus5

/interface bridge
add name=bridge1 vlan-filtering=yes

# sfp-sfpplus1 is the MLAG peer link; the bonds are trunks to the Proxmox hosts
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 pvid=99
add bridge=bridge1 interface=client-bond2
add bridge=bridge1 interface=client-bond3
add bridge=bridge1 interface=client-bond4
add bridge=bridge1 interface=client-bond5

# All VLANs tagged on the peer link and on every server trunk
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,client-bond2,client-bond3,client-bond4,client-bond5 vlan-ids=1,121,122,123,124,125,126

/interface bridge mlag
set bridge=bridge1 peer-port=sfp-sfpplus1

# Access ports: 7 = LAN switch (VLAN 123), 8 = WAN router (VLAN 122)
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus7 pvid=123
add bridge=bridge1 interface=sfp-sfpplus8 pvid=122

/interface/ethernet/switch set 0 l3-hw-offloading=no

This makes the VLANs on my servers (client-bond2 to client-bond5) visible to each server.

On ports 7 and 8 I use SFP+ to RJ45 adapters to connect to the WAN router (Chateau 5G ax) and the LAN switch (RB260GS).

My problem is the following:

The DHCP from the WAN router (VLAN 122) gives addresses to my clients on the LAN side (VLAN 123)…
This should not occur; the WAN should be separate from the LAN side, but I see that only the IP addresses I set separate the traffic…
The traffic comes in on port 7 (LAN), it should get PVID 123, and it should not pass through to port 8, which has PVID 122…
The LAN traffic should only go to the trunk ports (sfp-sfpplus1, client-bond2, client-bond3, client-bond4, client-bond5), which pass it through to the Linux vmbrs that have the router's virtual network card as a vmbr member, and it should only go that far…

Pls help!

Thx

CadilLACi

Hi, you are missing something here. Please add this for the client-bonds:

# the ports already exist, so set the option on them instead of adding new entries
/interface/bridge/port/set [find interface~"client-bond"] frame-types=admit-only-vlan-tagged
Right now they are using the untagged default VLAN 1, which creates an L2 connection between the links.
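To put the whole picture together, here is a hardened version of the port and VLAN settings from the original post (added example, not from either poster). It assumes the same names (bridge1, client-bond2 to client-bond5, sfp-sfpplus7/8) and VLAN IDs (122 = WAN, 123 = LAN), leaves the MLAG peer port untouched, and must be applied identically on both MLAG peers.

```routeros
# Trunks towards the Proxmox hosts: accept only 802.1Q-tagged frames, so an
# untagged frame can no longer land in default VLAN 1 and bridge the links.
/interface bridge port
set [find interface~"^client-bond"] frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Access ports towards the WAN router and the LAN switch: accept only untagged
# frames and classify them by the port PVID; a tagged frame arriving here is dropped,
# so a device on the WAN side cannot inject itself into the LAN VLAN.
set [find interface=sfp-sfpplus7] pvid=123 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [find interface=sfp-sfpplus8] pvid=122 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# Replace the single "/interface bridge vlan" entry from the post with explicit
# entries, so that the WAN VLAN is untagged only on port 8 and the LAN VLAN only on port 7.
/interface bridge vlan
remove [find dynamic=no]
add bridge=bridge1 vlan-ids=1,121,124,125,126 tagged=sfp-sfpplus1,client-bond2,client-bond3,client-bond4,client-bond5
add bridge=bridge1 vlan-ids=122 untagged=sfp-sfpplus8 tagged=sfp-sfpplus1,client-bond2,client-bond3,client-bond4,client-bond5
add bridge=bridge1 vlan-ids=123 untagged=sfp-sfpplus7 tagged=sfp-sfpplus1,client-bond2,client-bond3,client-bond4,client-bond5

# Checks: the bonds should now show the tagged-only frame type, no host from
# the server links should be learned in VLAN 1, and the VLAN table should list
# port 8 only under 122 and port 7 only under 123.
/interface bridge port print where frame-types=admit-only-vlan-tagged
/interface bridge host print where vid=1
/interface bridge vlan print
```

If the DHCP offers from the WAN router still reach LAN clients after this, the leak is inside the Proxmox bridge (the pfSense VM's vmbr membership), not on the switches.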