RoaS with CRS112 switch and HAP ac2

Hello everyone!

Mikrotik Noob here. I am trying to set up a few VLANs. I work on Cisco junk all day, so I am still slowly learning. The switch is a CRS112-8P-4S with trunks and VLANs working pretty well. Attached is a diagram showing the network layout to help.

My last problem, which has me stumped pretty good, is that I can't get untagged traffic (VLAN10) to work on ether5 on the router when I set it to tag for VLAN 10. It gets the default .88 (bridge) address, so traffic does flow, just not on VLAN10; it is seeing the bridge interface. I am sure I have missed something in the setup, hoping someone can school me on where I have gone wrong.

All VLANs are accessible and flowing traffic fine from all switch ports. The trunks tag correctly and all seems to be fine. I just can't get VLAN10 on one of the router ports; it is really just a backdoor in case I lock myself out, and not critical, as all the production stuff is plugged into the switch. I am using the switch chip on the switch; as far as I know the bridge on the router is offloading to hardware, even though I am not using '/interface ethernet switch vlan' mode, or the "old vlan method" as I understand it. I used pcunite's guide on the forum; a big thank you to pcunite for taking the time to provide such an easy-to-follow guide, it has helped me more than I can say!

Here is the router config:

# mar/27/2020 12:01:12 by RouterOS 6.44.5
# software id = 7LNX-BSQ6
#
# model = RBD52G-5HacD2HnD
# serial number = B4A10BDB99E4
/interface bridge
add admin-mac=C4:AD:34:A9:4A:C5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=\
    indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-A94AC9 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-A94ACA \
    wireless-protocol=802.11
/interface vlan
add interface=bridge name=VLAN10 vlan-id=10
add interface=bridge name=VLAN20 vlan-id=20
add interface=bridge name=VLAN30 vlan-id=30
add interface=bridge name=VLAN99 vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=VLAN99_POOL ranges=192.168.0.10-192.168.0.254
add name=VLAN10_POOL ranges=192.168.1.10-192.168.1.240
add name=VLAN20_POOL ranges=192.168.2.10-192.168.2.240
add name=VLAN30_POOL ranges=192.168.3.10-192.168.3.240
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=VLAN10_POOL disabled=no interface=VLAN10 name=VLAN10_DHCP
add address-pool=VLAN20_POOL disabled=no interface=VLAN20 name=VLAN20_DHCP
add address-pool=VLAN30_POOL disabled=no interface=VLAN30 name=VLAN30_DHCP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=99
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=30
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3 untagged=ether5 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.0.1/24 interface=VLAN99 network=192.168.0.0
add address=192.168.1.1/24 interface=VLAN10 network=192.168.1.0
add address=192.168.2.1/24 interface=VLAN20 network=192.168.2.0
add address=192.168.3.1/24 interface=VLAN30 network=192.168.3.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.0.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.0.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.0.1 gateway=192.168.3.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
/system clock
set time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

And my switch config:

# jan/03/1970 02:47:05 by RouterOS 6.44.5
# software id = QYMG-SSQH
#
# model = CRS112-8P-4S
# serial number = 9B210B746392
/interface bridge
add name=bridge protocol-mode=none
/interface vlan
add interface=bridge name=MGMT vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=sfp9
add bridge=bridge interface=sfp10
add bridge=bridge interface=sfp11
add bridge=bridge interface=sfp12
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp10,sfp9,sfp12,sfp11 vlan-id=10
add tagged-ports=sfp10,sfp9,sfp12,sfp11 vlan-id=20
add tagged-ports=sfp10,sfp9,sfp12,sfp11 vlan-id=30
add tagged-ports=switch1-cpu,sfp10,sfp9,sfp12,sfp11 vlan-id=99
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether5
add customer-vid=0 new-customer-vid=20 ports=ether6
add customer-vid=0 new-customer-vid=30 ports=ether7
add customer-vid=0 new-customer-vid=30 ports=ether8
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=20 ports=ether4
/interface ethernet switch vlan
add ports=ether1,ether2,sfp10,sfp9,sfp12,sfp11 vlan-id=10
add ports=ether3,ether4,ether5,ether6,sfp10,sfp9,sfp12,sfp11 vlan-id=20
add ports=ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=30
add ports=switch1-cpu,sfp10,sfp9,sfp12,sfp11 vlan-id=99
/ip address
add address=192.168.0.2/24 interface=MGMT network=192.168.0.0
[admin@MikroTik] >

Thank You!

The VLAN-aware bridge documentation indicates you have to configure the untagged membership to be the same in both /interface bridge port and /interface bridge vlan; you are missing it in the bridge port entry.

In practice, if you only configure it in /interface bridge port, the corresponding membership is added dynamically to /interface bridge vlan. So:
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=99
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=30
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3 untagged=ether5 vlan-ids=10

You may wish to add ingress-filtering=yes to the bridge port entries too.

Missing some config for CRS112 ether1:
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether1
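Both mistakes pointed out above (an untagged member in /interface bridge vlan with no matching pvid on its /interface bridge port, and a CRS112 switch-vlan member port that is neither tagged on egress nor given an ingress translation) can be caught mechanically from the exports. The following Python checker is an added example, not MikroTik's or the posters' own tool; it runs over constructed excerpts of the two exports in this thread, assumes a simplified export format (only `add` lines, backslash continuations, comma-separated port lists), and treats a bridge port without a pvid as pvid 1, which is the RouterOS default.

```python
import re
import shlex
from collections import defaultdict

# Constructed excerpts of the two exports in the thread (the ether5 and ether1 cases).
ROUTER_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether5
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 untagged=ether5 vlan-ids=10
"""
SWITCH_EXPORT = """\
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp10,sfp9,sfp12,sfp11 vlan-id=10
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
/interface ethernet switch vlan
add ports=ether1,ether2,sfp10,sfp9,sfp12,sfp11 vlan-id=10
"""

def parse_export(text):
    """Map each '/section' to its 'add' entries as {key: value}, joining '\\' continuations."""
    sections, current = defaultdict(list), None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # rejoin wrapped export commands
        if line.startswith("/"):
            current = line
        elif line.startswith("add "):
            sections[current].append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return sections

def members(value):
    return set(value.split(",")) - {""}  # 'sfp10,sfp9' -> {'sfp10', 'sfp9'}; '' -> empty set

def router_findings(text):
    """An untagged member in /interface bridge vlan needs the same pvid on its /interface bridge port."""
    cfg = parse_export(text)
    pvid = {p["interface"]: p.get("pvid", "1") for p in cfg["/interface bridge port"]}
    return sorted(f"{p}: untagged in vlan {v['vlan-ids']} but pvid={pvid.get(p, '?')}"
                  for v in cfg["/interface bridge vlan"] for p in members(v.get("untagged", ""))
                  if p != "bridge" and pvid.get(p) != v["vlan-ids"])

def switch_findings(text):
    """A switch-vlan member port must be tagged on egress (trunk) or get an ingress translation (access)."""
    cfg = parse_export(text)
    ok = {(e["vlan-id"], p) for e in cfg["/interface ethernet switch egress-vlan-tag"]
          for p in members(e["tagged-ports"])}
    ok |= {(e["new-customer-vid"], p) for e in cfg["/interface ethernet switch ingress-vlan-translation"]
           for p in members(e["ports"])}
    return sorted(f"{p}: in vlan {v['vlan-id']} but neither tagged on egress nor translated on ingress"
                  for v in cfg["/interface ethernet switch vlan"] for p in members(v["ports"])
                  if (v["vlan-id"], p) not in ok)
```

Run against the full exports, the router check reports ether5 and the switch check reports ether1; after the two fixes suggested above both checks return empty lists.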

tdw, thank you!

I have been reading and reading, and there are so many ways to configure them, depending on which switch chip, old method or new method. But it seems I am on the right track not using /interface ethernet switch on the router, using only the bridge to handle VLANs. Slowly I am getting there. Thanks again!

Mikrotik VLAN configuration has historically been a mess; in older versions of RouterOS it did look as though many of the switch chip registers were just presented to the user to figure out.

It is getting better with the CRS3xx implementation handling all the behind-the-scenes switch chip configuration for hardware offloading; if Mikrotik did the same for their other devices incorporating switch chips, I'm sure it would eliminate 90% of the VLAN-related questions on the forum.

Until then for RBxxx devices with switch chips you have two options:
Use a vlan-aware bridge and forgo hardware switch offloading - simplest if the CPU can cope with forwarding L2 traffic.
Use a regular bridge (acts like an unmanaged switch) plus configure the switch chip - best performance, but fast ethernet chips are unable to support hybrid ports and it is tricky to configure.

This seems to match my experience indeed. The switch was quite intuitive; I just followed the CRS1xxx instructions and the posts here, and it works fine. Switching and routing work fantastically so far, it is just the VLANs throwing me off, making my learning curve much steeper than I estimated. Going to try testing on an RBM33G board I have, to use as another bridged "CPE mode" router. I see others have used the switch chip configs and experienced glitches/bugs, so I am trying to avoid that if possible with the hAP ac2. Routing seems to be fine on a 100Mbit internet uplink.

I have discovered a new issue: for some reason I can't see the switch management IP (192.168.0.2/24) from outside the router (wifi). I don't access it much, so I just console in via serial if I need to make changes. Once I get that sorted out, I will play with ingress filtering.

No default route on the switch, so it won't be able to reply to anything outside 192.168.0.0/24:
/ip route
add gateway=192.168.0.1

My final changes that worked for using ether5 as VLAN10 access on the routerboard, as suggested by tdw:

/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=10

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=99
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=30
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=10

The bridge is set to filter VLANs:

/interface bridge
add admin-mac=C4:AD:34:A9:4A:C5 auto-mac=no comment=defconf ingress-filtering=yes name=bridge vlan-filtering=yes

Thanks!

I spotted another error in my old configs, in case anyone missed it. The router was doing the RSTP protocol (by default) and I did not specify 'protocol-mode=none' on the bridge, while my switch is set to 'add name=bridge protocol-mode=none', which probably doesn't help in addition to my other errors. I think these must always match no matter what protocol is set.

That would not break anything; the non-RSTP device would ignore the BPDU packets, but it is a non-optimal setup.

RSTP is good in larger setups for redundant paths and/or preventing storms if two edge ports are connected together, but is probably unnecessary for a home setup. It does introduce a ~15 second forwarding delay when a port becomes active, so when you plug in a connection, traffic will not flow immediately unless the port is specifically configured as an edge port.