Random internet connection via VLAN

Hello there,

Last weekend I moved my WAN setup from the CPE being connected directly to my router to a VLAN-based setup.

Currently my CPE goes into a CRS305 switch which tags any traffic with VLAN 1000.
This is connected via a trunk to a CRS326, which is connected to a CCR2004 with a VLAN interface on an SFP+ port (all trunk ports).

My WAN IPs are linked to the VLAN1000 interface on the CCR2004.

The weird thing is that sometimes I have a connection to the internet and sometimes I don’t.
The only thing that “solves” the problem is to reboot the CRS305 and/or my CPE.
Not sure what is causing the problem.

Any ideas?

Nope,
/export file=anynameyouwish (minus device serial #, any public WANIP information, keys)

of all three to review

crs305.rsc (5.6 KB)

crs326.rsc (13.1 KB)

ibr.rsc (47.5 KB)

I have added the files instead of pasting everything here for a better overview.

As additional information: my ISP only allows one MAC address after the CPE.

I have double checked and the MAC address of CRS305 ether1 is the same as its bridge MAC address.

  1. Not sure what you mean by one MAC address, but the CPE should only see the MAC address of etherX on the CCR2004, as that is where the internet connection will be terminated.

  2. Assuming, since first looking at CRS305, that vlan9 is the management vlan.

  3. Unusual, why is l2mtu setting all set to 10218??

  4. The configuration is not correct as the vlan going to the CPE should be an access port (edit: okay, I see the pvid, just not the frame types).

  5. I see port 4 is free for an OffBridge port, very handy! - to be able to access the switch OS manually, even if there is a glitch with the vlans or bridge.

  6. It is not clear to me why you are showing all the vlans on /interface bridge vlan.
    Since it's connected to the router and to the CPE, clearly it needs 1000.
    Since vlan9 is the management vlan I can see it clearly needs to be present.
    Since I moved Nvidia to the 326, vlan90 is not required on the 305.

  7. Only the management vlan is tagged with bridge in the switch setup.
    (also changed the name on Nvidia to be consistent with the other ports, and I don't like using quotes for anything other than comments)

  8. Not a fan of auto upgrades.

#
# model = CRS305-1G-4S+
/interface bridge
add comment=defconf mvrp=yes name=bridge port-cost-mode=short vlan-filtering=\
    yes frame-types=admit-only-vlan-tagged
/interface ethernet
set [ find default-name=ether1 ] l2mtu=10218 rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=sfp-sfpplus1 ] l2mtu=10218 name=sfp-sfpplus1:CRS326
set [ find default-name=sfp-sfpplus2 ] l2mtu=10218 name=sfp-sfpplus2:Nvidia-Shield
set [ find default-name=sfp-sfpplus3 ] l2mtu=10218 name=sfp-sfpplus3:Audience \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus4 ] name=OffBridge4
/interface vlan
add interface=bridge name=vlan9 vlan-id=9
/interface list
add name=TRUSTED
/disk
add slot=proxmox2 smb-address=10.0.9.242 smb-share=\
    Backup/mikrotik/Switch-CRS305 smb-user=root type=smb
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/user group
add name=mktxp_group policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,\
    !policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1:CRS326
# access ports: admit-only-untagged-and-priority-tagged is the RouterOS value
# (admit-priority-and-untagged is not a valid frame-types setting)
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus2:Nvidia-Shield pvid=90
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus3:Audience
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=1000
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1:CRS326,sfp-sfpplus3:Audience \
    vlan-ids=9
add bridge=bridge tagged=sfp-sfpplus1:CRS326,sfp-sfpplus3:Audience \
    vlan-ids=10,11,31
add bridge=bridge tagged=sfp-sfpplus1:CRS326,sfp-sfpplus3:Audience \
    untagged=sfp-sfpplus2:Nvidia-Shield vlan-ids=90
add bridge=bridge tagged=sfp-sfpplus1:CRS326 untagged=ether1 vlan-ids=\
    1000
/interface list member
add interface=vlan9 list=TRUSTED
add interface=OffBridge4 list=TRUSTED
/interface ovpn-server server
add mac-address=FE:82:CC:44:A1:CB name=ovpn-server1
/ip address
add address=10.0.9.249/24 interface=vlan9 network=10.0.9.0
# /24 here; /39 is not a valid IPv4 prefix length and would be rejected
add address=192.168.44.1/24 interface=OffBridge4 network=192.168.44.0
/ip dns
set servers=10.0.9.254
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.9.254 routing-table=main \
    suppress-hw-offload=no
/ip ssh
set host-key-size=4096 host-key-type=ed25519 strong-crypto=yes
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=switch-crs305.hks.lan
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.9.254
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Apply the same logic to the CRS326, ether1 or ether10 for an OffBridge port, only vlan9 has bridge tagged on /interface bridge vlan, and the other assorted pieces I added, and post here for review.
Then I will handle the router.

ad 1) This was also my thought, but I was not sure how a MikroTik handles a MAC address as soon as an interface is added to a bridge (slave).
The bridge has its own MAC address, but so do the interfaces.

ad 2) Yes, VLAN 9 is my management VLAN for all devices.

ad 3) I just increased l2mtu on all devices to the maximum. “Regular” (layer 3) MTU is set to 1500.

ad 6) The CRS305 is also acting as an edge switch. My Nvidia is connected to it via an RJ45 module and needs to be in its own VLAN.
VLAN 90 is for all “smart” devices which I cannot control directly.

ad 8) Manual updates only?

# 2025-10-22 20:53:26 by RouterOS 7.20.2
# software id = IY4D-ZVRF
#
# model = CRS305-1G-4S+
/interface bridge
add frame-types=admit-only-vlan-tagged mvrp=yes name=bridge port-cost-mode=\
    short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=10218 rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=sfp-sfpplus1 ] l2mtu=10218 name=sfp-sfpplus1:CRS326 \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus2 ] l2mtu=10218 name=\
    sfp-sfpplus2:Nvidia-Shield
set [ find default-name=sfp-sfpplus3 ] l2mtu=10218 name=sfp-sfpplus3:Audience \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus4 ] l2mtu=10218 rx-flow-control=auto \
    tx-flow-control=auto
/interface vlan
add interface=bridge name=vlan9 vlan-id=9
/disk
add slot=proxmox2 smb-address=10.0.9.242 smb-share=\
    Backup/mikrotik/Switch-CRS305 smb-user=root type=smb
/interface list
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/user group
add name=mktxp_group policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,\
    !policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=\
    sfp-sfpplus1:CRS326
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp-sfpplus2:Nvidia-Shield pvid=90
add bridge=bridge frame-types=admit-only-vlan-tagged interface=\
    sfp-sfpplus3:Audience
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=1000
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1:CRS326,sfp-sfpplus3:Audience \
    vlan-ids=9
add bridge=bridge tagged=bridge,sfp-sfpplus3:Audience,sfp-sfpplus1:CRS326 \
    untagged=sfp-sfpplus2:Nvidia-Shield vlan-ids=90
add bridge=bridge tagged=bridge,sfp-sfpplus1:CRS326,sfp-sfpplus3:Audience \
    vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1:CRS326,sfp-sfpplus3:Audience \
    vlan-ids=11
add bridge=bridge tagged=bridge,sfp-sfpplus1:CRS326,sfp-sfpplus3:Audience \
    vlan-ids=31
add bridge=bridge tagged=bridge,sfp-sfpplus1:CRS326 untagged=ether1 vlan-ids=\
    1000
/interface list member
add interface=sfp-sfpplus1:CRS326 list=TRUSTED
add interface=sfp-sfpplus2:Nvidia-Shield list=TRUSTED
add interface=sfp-sfpplus3:Audience list=TRUSTED
add interface=sfp-sfpplus4 list=TRUSTED
/interface ovpn-server server
add mac-address=FE:82:CC:44:A1:CB name=ovpn-server1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.9.249/24 interface=vlan9 network=10.0.9.0
/ip dns
set servers=10.0.9.254
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.9.254 routing-table=main \
    suppress-hw-offload=no
/ip ssh
set host-key-size=4096 host-key-type=ed25519 strong-crypto=yes
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=switch-crs305.hks.lan
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name="schedule update" on-event="/system package update\
    \ncheck-for-updates once\
    \n:delay 3s;\
    \n:if ( [get status] = \"New version is available\") do={ install }" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-02-25 start-time=01:00:00
add name=reboot-to-upgrade-firmware on-event="/system routerboard\
    \n:if ([get current-firmware] != [get upgrade-firmware]) do={ /system rout\
    erboard settings set auto-upgrade=yes; :delay 15; /system reboot; } " \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1d name=backup on-event=backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-02-28 start-time=00:00:00
/system script
add dont-require-permissions=no name=backup owner=mathias policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    ## Set local variables. Change the value between \"\" to reflect your envi\
    ronment. Do not delete quotation marks. \
    \n\
    \n### Set Local and Remote Filename variables. Do not change this unless y\
    ou want to edit the format of the filename.\
    \n### Default \"local file name\" is always the same to avoid lots of file\
    s and running out of space, \"remote file name\" uploaded to FTP has the d\
    ate\
    \n:local hostname [/system identity get name]\
    \n:local date [/system clock get date] \
    \n:local localfilename \"\$hostname-Backup-Daily\";\
    \n:local remotesystem \"proxmox2/\"\
    \n:local remotepath \"\$remotesystem\"\
    \n:local remotefilename \"\$hostname-\$date\";\
    \n\
    \n### Enable for Debug removing starting hash in the following lines\
    \n:log info \"\$localfilename\";\
    \n:log info \"\$remotefilename\";\
    \n:log info \"\$hostname\";\
    \n:log info \"\$date\";\
    \n\
    \n### Starting the Backup\
    \n:log info \"STARTING BACKUP\";\
    \n\
    \n### Create backup file and export the config.\
    \nexport compact show-sensitive file=\"\$localfilename\"\
    \n/system backup save name=\"\$localfilename\"\
    \n:log info \"Backup Created Successfully\"\
    \n:log info \$remotefilename\
    \n:log info \$remotepath;\
    \n\
    \n/system backup save name=\"\$remotepath/\$remotefilename.backup\"\
    \n/export compact show-sensitive file=\"\$remotepath/\$remotefilename.rsc\
    \"\
    \n\
    \n:log info \"Config Uploaded Successfully\"\
    \n:log info \"Backup Uploaded Successfully\"\
    \n\
    \n### Finishing the Backup\
    \n:log info \"BACKUP FINISHED\";"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool sniffer
set filter-vlan=1000


On the CRS326 I only changed all bridge ports to “admit-only-vlan-tagged”, as it’s my aggregation switch, which only switches tagged traffic.

Therefore I also haven’t set a separate neighbor discovery option only for specific ports, as all ports are trusted.

  1. Guess we will have to see what transpires; do you have to put the router's MAC address for ether1 into the CPE manually? The switches should be transparent to the CPE.

  2. Confirmed good.

  3. Okay, just looked weird, that there was perhaps a reason for doing so.

  4. Not sure what you mean by edge switch??? Yup, nothing wrong with any device attached to one of its ports.

  5. You had a setting for automatic updates on the firmware...
    ahhhh, it was for the routerboard..... not the main firmware.
    /system routerboard settings
    set auto-upgrade=yes enter-setup-on=delete-key

ad 1) No, I do not need to enter any MAC address at the CPE. It only takes the first one visible on an ethernet port and uses this address. If I exchanged my equipment I would also need to restart the CPE to reset the MAC address link.

ad 4) This switch (CRS305) handles my WAN traffic but also traffic from end devices like my Nvidia switch. Due to that I called it an “edge switch”.

If this is the case, do not add bridge to the tagged list for VLAN 100 on the two switches!

Instead of this for example:

Only have this:

add bridge=bridge tagged=sfp-sfpplus1:CRS326 untagged=ether1 vlan-ids=\
    1000

In fact, because your switches are running 7.20.2 already, remove bridge from the tagged list for all VLANs under /interface bridge vlan on both switches.

Currently on your switches, under /interface bridge vlan the bridge interface is added to the tagged list of everything. Normally it's only needed if you also want the switch to have layer 3 access to those VLANs, which you only need for the management VLAN, in your case VLAN 9.

Furthermore, since 7.16, if you add an entry under /interface vlan with the bridge as interface, RouterOS will automatically add bridge to the tagged list of the affected VLAN, which means you don't even need to do that manually anymore, because you have added the vlan9 interface under /interface vlan for both switches.

If you put bridge of the two switches in the tagged list of VLAN 1000, then the modem will see the MAC addresses of the two switches too. If you remove bridge from tagged, then the modem will only see the MAC address of sfpplus1:crs326 of the CCR2004.

To recapitulate: On the two switches, go to /interface bridge vlan and remove bridge from the tagged list of all entries.
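As an added example (not from this thread, from MikroTik, or from the attached .rsc files), here is a small Python linter over a RouterOS export that checks for the three pitfalls raised in this thread: bridge in the tagged list of a VLAN for which the switch has no /interface vlan (the point above, which puts the switch's own MAC into VLAN 1000), an access port whose frame-types does not admit untagged frames (point 4 of the first review), and bridge-port or VLAN members that name an interface that no longer exists after a rename (the quoted "Nvidia Shield" name versus the renamed sfp-sfpplus2:Nvidia-Shield). The sample export inside the block is constructed to resemble the first CRS305 config, not copied from the attachments; the checks are heuristics that only read /interface ethernet, /interface bridge, /interface vlan, /interface bridge port and /interface bridge vlan.

```python
"""Constructed linter for RouterOS exports: flags the bridge/VLAN pitfalls raised in this thread."""
import re
# frame-types values that a RouterOS bridge port accepts
VALID_FRAME_TYPES = {"admit-all", "admit-only-untagged-and-priority-tagged", "admit-only-vlan-tagged"}
ACCESS_FRAME_TYPE = "admit-only-untagged-and-priority-tagged"
# key=value pairs as exports print them; values may be double-quoted (e.g. names with spaces)
KV_RE = re.compile(r'(?<!\S)([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
# Constructed sample, not the attached crs305.rsc: bridge tagged on every VLAN, an access
# port that admits only tagged frames, and a bridge port using the old quoted interface name.
SAMPLE_EXPORT = r"""
# model = CRS305-1G-4S+
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=10218
set [ find default-name=sfp-sfpplus1 ] l2mtu=10218 name=sfp-sfpplus1:CRS326
set [ find default-name=sfp-sfpplus2 ] l2mtu=10218 name=\
    sfp-sfpplus2:Nvidia-Shield
/interface vlan
add interface=bridge name=vlan9 vlan-id=9
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1:CRS326
add bridge=bridge frame-types=admit-priority-and-untagged \
    interface="sfp-sfpplus2:Nvidia Shield" pvid=90
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=1000
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1:CRS326 vlan-ids=9
add bridge=bridge tagged=bridge,sfp-sfpplus1:CRS326 vlan-ids=10,11
add bridge=bridge tagged=bridge,sfp-sfpplus1:CRS326 untagged=ether1 vlan-ids=\
    1000
"""

def join_continuations(text):
    """Glue continuation lines (trailing backslash, indented follow-up) into single commands."""
    cmds, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip() if buf else raw.rstrip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        if (buf + piece).strip():
            cmds.append((buf + piece).strip())
        buf = ""
    return cmds

def expand_vlan_ids(spec):
    """'9' -> [9]; '10,11' -> [10, 11]; '20-22' -> [20, 21, 22]."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_export(text):
    """Collect interface names, bridge names, VLANs with an L3 interface, bridge ports and VLANs."""
    cfg = {"ifaces": set(), "bridges": set(), "l3_vlans": set(), "ports": [], "vlans": []}
    section = None
    for cmd in join_continuations(text):
        if cmd.startswith("#"):
            continue
        if cmd.startswith("/"):
            section = cmd
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(cmd)}
        if section == "/interface ethernet":
            cfg["ifaces"].add(kv.get("name") or kv.get("default-name", ""))
        elif section == "/interface bridge" and "name" in kv:
            cfg["bridges"].add(kv["name"])
        elif section == "/interface vlan" and kv.get("interface") in cfg["bridges"]:
            cfg["l3_vlans"].add(int(kv["vlan-id"]))  # VLANs the switch itself needs L3 access to
        elif section == "/interface bridge port":
            cfg["ports"].append(kv)
        elif section == "/interface bridge vlan":
            cfg["vlans"].append(kv)
    return cfg

def lint(cfg):
    """Return one human-readable finding per problem found."""
    known, out = cfg["ifaces"] | cfg["bridges"], []
    for p in cfg["ports"]:
        iface, ft = p.get("interface"), p.get("frame-types", "admit-all")
        if iface not in known:
            out.append(f"port '{iface}': no such interface (renamed, or quoted differently?)")
        if ft not in VALID_FRAME_TYPES:
            out.append(f"port '{iface}': invalid frame-types '{ft}'")
        elif "pvid" in p and ft != ACCESS_FRAME_TYPE:
            out.append(f"port '{iface}': access port (pvid {p['pvid']}) should use {ACCESS_FRAME_TYPE}, has {ft}")
    for v in cfg["vlans"]:
        tagged = [m for m in v.get("tagged", "").split(",") if m]
        for m in tagged + [m for m in v.get("untagged", "").split(",") if m]:
            if m not in known:
                out.append(f"VLAN {v['vlan-ids']}: member '{m}' is not a known interface")
        if cfg["bridges"] & set(tagged):  # the switch itself is a member of this VLAN
            for vid in expand_vlan_ids(v["vlan-ids"]):
                if vid not in cfg["l3_vlans"]:
                    out.append(f"VLAN {vid}: bridge is tagged but the switch has no /interface vlan on it, so the switch's own MAC will appear in VLAN {vid}")
    return out

if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print("-", finding)
```

Run against the constructed sample it reports six findings: the unknown quoted interface, the invalid frame-types value, ether1 as an access port that admits only tagged frames, and bridge tagged on VLANs 10, 11 and 1000 (VLAN 9 is not reported because vlan9 exists under /interface vlan). Pointing it at a real `/export` works the same way, since the continuation-line joining and key=value parsing follow the export format; anything outside the five sections it knows is ignored.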


Thanks - will do so and run some tests in the afternoon when there is no traffic.

Regarding tagged VLAN9: This is necessary as my CRS305 is also connected to my Audience which also runs a VLAN9 for management traffic.

So I need a trunk port to Audience for my WLAN VLANs and the Mgmt VLAN.

Yes, you can use VLAN 9 for that purpose. What I meant was that even for VLAN 9, which is a VLAN that your switches need Layer 3 access to, you don't need to put bridge into tagged. Because RouterOS will dynamically add that needed entry for you, simply because you already have this:

/interface vlan
add interface=bridge name=vlan9 vlan-id=9

So, no need to have bridge in tagged for any entry under /interface bridge vlan at all.

Yeah, true, but it would give a better overview if I put everything together.
Otherwise I would have my static VLAN9 entry plus an additional dynamic entry.

On the other side I would just need to set everything up according to my network design and let RouterOS handle the rest.

Yes, in case you hate to see the dynamic entry, then only add bridge to the tagged list of VLAN ID 9, not to every other VLAN like you are currently doing. The switches don't need to have a presence on those VLANs, which sometimes can cause problems, like when their MAC addresses appear on VLAN 1000 with your original config.

I disagree 100% with CGG, when learning RoS, definitely put in the bridge tagged for the management vlan. As per point 7 on one of my previous posts, only the management vlan is tagged on /interface bridge vlan, which you failed to adhere to LOL but I also failed to notice when looking at your revision :frowning:

Once you understand better how the router works, then take advantage of shortcuts where the router does steps for you dynamically. I never will unless it adds clarity or some real efficiency, otherwise I will always stick to a more clear presentation of the config with less assumptions.

Part of the reason I loathe any dynamic settings is that they are not visible on a config export.
I wish MikroTik would make an export option which also showed all the dynamic settings.

I took a look at the dog's breakfast your router shows. I would reduce firewall rules to what is required.
I would add the management vlan; it's missing. Why don't you use a bridge with the vlans?
Why have you decided to use the IP firewall on the bridge? Nothing adds up here.
Complicated mess of mangling for port 53, what is going on there?
Why are you mangling all traffic? Very strange.
What is going on with Steam?? I use Steam, nothing is needed in the router config.
You have so many ports identified in mangle and dstnat rules that there are probably conflicts.
For starters, I see mangling for 443 in many rules, again identified in many places for port forwarding, and finally as www-ssl on the router itself.............. nightmare!!!
I also see RDP being used, which is NOT a safe protocol to be using on a server.

In other words, I won't tackle this one, it's way past my scope of knowledge. Gluck.
The only thing that would help would be to detail the following, and it appears it would be a very much needed book.
a. identify all the user(s)/device(s), including the admin
b. identify all the traffic they need.
c. forget about blocking anything (focus only on that needed traffic), just use drop-all rules at the end of the input and forward chains, and when everything is working, aka needed traffic is flowing, then consider additional security steps if actually helpful.

Yeah, I wrote the above, but on my few routers I don’t have dynamic /interface bridge vlan entries either hehe, with the sole exception of some ports with dot1x configured (because dot1x is configured to dynamically put the port on different VLAN based on the authenticated/guest state, so static /interface bridge vlan added beforehand is not possible).

But for beginners, there are fewer steps to perform and fewer mistakes to make if they let RouterOS add the dynamic entries for access ports (only step needed is to set PVID, also see my post about how the "replacement" for the OffBridge port can be done with the recent RouterOS versions) and the automatic tagging of bridge when adding VLAN interfaces.

For educational purposes we can tell them to look at those "D"-flagged entries to see what the router had to do, and those can serve as examples, maybe that will even help them better understand @pcunite's article, instead of only copying ready-made commands from that guide. The teaching becomes more interactive when the person changes PVID on ether8 from 15 to 30 and sees what needed to be modified happening right after in the /interface bridge vlan table.

I am using all the firewall/mangle stuff to mark packets as needed for QoS.
Some “dangerous” stuff including RDP is also part but this is only allowed via my Wireguard VPN tunnels.