RB5009 directly connected to CRS310 pings timeout

I have an RB5009 and a CRS310 directly connected via a fiber connection (SFP1-SFP1).
On both the router and the switch I have VLAN2225 created as a tagged VLAN. On the RB5009, the VLAN2225 IP address is 192.168.25.1/24, which is the gateway. On the CRS310, VLAN2225 is 192.168.25.3/24. The RB5009 is using MT's default fw rules. The CRS310, in router mode (no SwOS available for this device), has no fw rules enabled. All configuration is on bridge.

If I try to ping the CRS310 ip address from the RB5009, the ping times out, and so does the ping from the CRS310 to the RB5009. I have tested this with and without fw rules enabled on the RB5009.

I have a client connected on the CRS310, port one, whose PVID is VLAN2225, which is successfully served a correct IP address from the gateway. The client can ping the gateway, but not the VLAN2225 IP on the CRS310.

These devices are not connected to the internet, as I am attempting to test in a standalone environment. I have attached the configs for both devices. I have read documents and watched numerous videos, and feel the config is correct. But, who knows.. Any feedback appreciated.

As an aside question. On the RB5009, I have removed port 3 from bridge and added it to bridge1, with PVID2225. Am I wrong in assuming the client connected to the port gets an IP address in VLAN2225?


RB5009

# 1970-01-02 03:01:03 by RouterOS 7.13.1
# software id = N5MJ-6GLN
# model = RB5009UG+S+
# serial number

/interface bridge
add admin-mac=78:9A:18:5D:E6:A0 auto-mac=no comment=defconf name=bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=sfp-sfpplus1 name=vlan2225 vlan-id=2225
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool1 ranges=192.168.225.55-192.168.225.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=pool1 interface=vlan2225 name=server-2225
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge1 interface=ether3 pvid=2225
/ip neighbor discovery-settings
set discover-interface-list=LAN protocol=mndp
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1 untagged=ether3 vlan-ids=2225
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.225.1/24 interface=vlan2225 network=192.168.225.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.225.29 client-id=1:0:24:54:79:f2:e4 mac-address=00:24:54:79:F2:E4 server=server-2225
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.225.0/24 gateway=192.168.225.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


CRS310

# 1970-01-02 03:09:19 by RouterOS 7.13.1
# software id = 81WK-S9AL
# model = CRS310-8G+2S+
# serial number =

/interface bridge
add admin-mac=78:9A:18:3F:C5:A3 auto-mac=no comment=defconf name=bridgeLocal port-cost-mode=short vlan-filtering=yes
/interface vlan
add interface=sfp-sfpplus1 name=vlan2225 vlan-id=2225
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 internal-path-cost=10 path-cost=10 pvid=2225
add bridge=bridgeLocal comment=defconf interface=ether2 internal-path-cost=10 path-cost=10 pvid=2225
add bridge=bridgeLocal comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set protocol=mndp
/interface bridge vlan
add bridge=bridgeLocal tagged=sfp-sfpplus1 untagged=ether1,ether2 vlan-ids=2225
/ip address
add address=192.168.225.3/24 interface=vlan2225 network=192.168.225.0
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=CRS310-8
/system logging
add topics=interface
add topics=debug
add topics=state
add topics=route
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
/system swos
set address-acquisition-mode=static static-ip-address=192.168.88.4

Observations:

5009

  1. One bridge as per → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
    If you do not want to use the single bridge for vlans and just have the vlan on the port, then simply assign the vlan to the port as you have done and remove bridge and also the bridge port you created for the vlan as well as the /interface bridge vlan.

  2. Suggest you should also add the vlan to the LAN interface list

  3. There should be nothing stopping bridge users and vlan users from reaching each other, as the firewall rules as set up do not block LAN to LAN traffic.

  4. If not using IPv6, then disable it and remove all the address lists and firewall rules for ipv6, leaving just two.
    add chain=input action=drop
    add chain=forward action=drop

  5. Set mac server by itself (not secure) to NONE.
    /tool mac-server
    set allowed-interface-list=NONE
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN



    https://forum.mikrotik.com/viewtopic.php?t=182276

CRS310

  6. The only connection between the CRS310 and the RB5009 is via the vlan and the CRS310 gets its IP from this vlan thus
    ASSIGN the VLAN to the bridge, not the port.

  7. You have assigned vlan2225 as access ports for ether1-2, which is fine, but no traffic on the rest if that is what is desired. The sfpplus port is correctly set in basic form as a trunk port carrying vlans.

  8. Not sure what you're doing with neighbour discovery, but only one interface is required in this setup.
    /interface list
    add name=MANAGE
    /interface list member
    add interface=vlan2225 list=MANAGE
    /ip neighbor discovery-settings
    set discover-interface-list=MANAGE

  9. NO IP DHCP client required (remove); the address is assigned to the CRS310 via the vlan.

  10. Further additions/modifications
    /ip route
    add dst-address=0.0.0.0/0 gateway=192.168.225.1
    /ip dns
    set allow-remote-requests=yes servers=192.168.225.1

Hello anav, thank you for your tips. I have cleaned up my configs as per your suggestions.

I have managed to get some time to spend with the router and switch config. I am able, for now, to ping 192.168.225.1 and .3 from the router and the switch and vice versa. The client (192.168.225.29) can also ping the gateway and the switch.

So.. I have opted to go with a Bridge1 configuration - VLAN2225 on the RB5009. I have “attempted” to configure another DHCP server on Bridge1. Part way through the configuration, it complains that “DHCP Server with such interface already exists”.. Out of curiosity I tried on “bridge”; I get the same pop-up error, as the .88 network lives there.. Right or wrong, I was under the impression of the following:

Create a new bridge (call it what you want). Add your VLAN(s) there. I am attempting to do router on a stick. Could be around 4 VLANs. What exactly am I missing here? Am I supposed to create a bridge per VLAN? I have also read: don't create multiple bridges.. Clearly I have not grasped the whole concept of this platform..

Other things that do not make sense to me. Why can I not remove an interface from “Bridge” (ether3 on the RB5009) and add it to “Bridge1” in VLAN2225? It just doesn't work.. No IP address at all is served to the client.

EDIT: Another thing I am not sure of. It seems that the only way I can stay connected to the CRS310 is if I have an ethernet cable plugged between the RB5009 and the CRS310. How do I resolve that? I thought that since both devices can ping each other on the 2225 network, it would be able to stay connected through WinBox..

As per the link, time to have a reread;
you will see that the bridge should do no DHCP, and it's all vlans!
Therefore you create vlans for all your subnets and they have interface=bridge.

The vlans get ip pool, address, dhcp-server, dhcp-server network.
The vlans are part of the LAN interface list.
The vlans go out the /interface bridge port (either as access ports with pvid=xx, or as trunk ports).
The vlans are identified per line on the /interface bridge vlan.
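Putting anav's observations (one bridge, the VLAN assigned to the bridge rather than the port, static address and route on the switch, no DHCP client) together with the step list above, the two exports would look roughly like this. This is an added example written for this thread, not a config posted by either participant: the names pool2225, dhcp2225 and MANAGE are assumed, and the frame-types/ingress-filtering settings on the ports are an addition beyond what the thread discusses.

```routeros
# --- RB5009: router on a stick, one bridge, VLAN interface on the bridge (added example) ---
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
# trunk to the CRS310: tagged frames only
add bridge=bridge interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# ether3 as an access port in VLAN 2225, on the same bridge (no second bridge)
add bridge=bridge interface=ether3 pvid=2225 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
# the bridge itself must be a tagged member, or vlan2225 on the bridge never sees the frames
add bridge=bridge tagged=bridge,sfp-sfpplus1 untagged=ether3 vlan-ids=2225
/interface vlan
add interface=bridge name=vlan2225 vlan-id=2225
/interface list member
add interface=vlan2225 list=LAN
/ip address
add address=192.168.225.1/24 interface=vlan2225
/ip pool
add name=pool2225 ranges=192.168.225.55-192.168.225.254
/ip dhcp-server
add address-pool=pool2225 interface=vlan2225 name=dhcp2225
/ip dhcp-server network
add address=192.168.225.0/24 gateway=192.168.225.1 dns-server=192.168.225.1
# turn filtering on last, once the bridge vlan table is complete
/interface bridge set bridge vlan-filtering=yes
# --- CRS310: management address on vlan2225, no DHCP client, VLAN interface on the bridge ---
/interface bridge
add name=bridgeLocal vlan-filtering=no
/interface bridge port
add bridge=bridgeLocal interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridgeLocal interface=ether1 pvid=2225 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridgeLocal interface=ether2 pvid=2225 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,sfp-sfpplus1 untagged=ether1,ether2 vlan-ids=2225
/interface vlan
add interface=bridgeLocal name=vlan2225 vlan-id=2225
/interface list
add name=MANAGE
/interface list member
add interface=vlan2225 list=MANAGE
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
/ip address
add address=192.168.225.3/24 interface=vlan2225
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.225.1
/ip dns
set allow-remote-requests=yes servers=192.168.225.1
/interface bridge set bridgeLocal vlan-filtering=yes
```

Apply each device's lines over a connection that does not depend on VLAN 2225 (console or a port outside the bridge), since enabling vlan-filtering drops any management session that was riding on a misconfigured VLAN.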

I figured out how to add multiple VLANs to a single bridge, pointing to a specific interface - ie: sfp1. I kept missing it - now I have it. Moving port 3 from bridge to bridge1 on the RB5009 doesn't seem to work. I will open a ticket on that. Not sure if it's the ROS version I am running, or not.. Thanks again!

I would suggest posting your config, as it might simply be an error you're not seeing (less router serial number, public WAN IP info, keys etc.).
You can use the code quotes above so the post is short (black square with white square brackets, on the same line as B and U for example).

If you didn't, try to reboot the RB5009. Sometimes config related to HW offload only gets applied after a reboot (or even a cold boot). And changing bridge port membership is most of the time related to HW offload on most RB models.