[solved] rb5009 not bridging between ports

I have an rb5009 that I plan to use as a glorified switch. From factory settings I’ve:

  • changed to bridge mode
  • cleaned up lots of router-specific junk that got left behind (deleted ip & ipv6 firewall rules, added ether1 back to bridge, removed dhcp server definitions)
  • added 3 vlans to bridge (main, guest, iot), set up ether8 as tagged on all 3 vlans
  • set ether1-ether6 as untagged on main vlan, and added main vlan as pvid on each of the ports
  • added an interface on main vlan, assigned it a static address

Plugged ether8 into an upstream crs326 port configured to pass all 3 vlans as tagged. No issues accessing webfig on static address or sshing into rb5009 through crs326.

BUT…nothing connected to ether1-ether6 can access anything on the network, not even the static address of the rb5009. I’ve left the 192.168.88.1 address on the rb5009 & ether7 as pvid 1 as an emergency fallback. It’s acting like the box is ignoring the pvids I set on ether1-ether6, since machines plugged into those ports can get to the 88.1 address.

Any hints on what I should try next? Config attached below.

# 2024-11-16 18:39:54 by RouterOS 7.16.1
# software id = <redacted>
#
# model = RB5009UPr+S+
# serial number = <redacted>
#
# Export of the NON-working configuration described in the post: one bridge,
# VLANs 71/98/138 trunked on ether8, ether1-ether6 intended as access ports on
# VLAN 98, management address on vlan-98-bridge.
/interface bridge
# NOTE(review): this line carries no vlan-filtering=yes. Until that is set the
# bridge does not act on the per-port pvid / frame-types / ingress-filtering
# values or on the /interface bridge vlan table below, so the three VLANs are
# not kept apart from each other on this box.
add admin-mac=<redacted> auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface vlan
# Layer-3 interface for VLAN 98 on top of the bridge; it holds the static
# management address assigned under /ip address.
add interface=bridge name=vlan-98-bridge vlan-id=98
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# ether1-3, ether5 and ether6 are access ports: pvid=98 and only untagged /
# priority-tagged frames admitted.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 \
    internal-path-cost=10 path-cost=10 pvid=98
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=98
# NOTE(review): ether4 differs from the other access ports - ingress-filtering=no
# and no frame-types restriction, so once VLAN filtering is on it would still
# accept tagged frames from the attached host. Looks unintentional; confirm and
# align it with ether1-3/5/6.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10 \
    pvid=98
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 \
    internal-path-cost=10 path-cost=10 pvid=98
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether6 \
    internal-path-cost=10 path-cost=10 pvid=98
# ether7, ether8 and sfp-sfpplus1 set no pvid (the post describes ether7 as
# "pvid 1", kept as the emergency fallback port).
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
# ether8 is the trunk to the upstream crs326. No frame-types restriction is set,
# so untagged frames are admitted on it as well.
# NOTE(review): consider frame-types=admit-only-vlan-tagged on the trunk if no
# untagged traffic is expected there - confirm against the crs326 side first.
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether1 \
    internal-path-cost=10 path-cost=10 pvid=98
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery is limited to members of the LAN interface list.
set discover-interface-list=LAN
/interface bridge vlan
# VLAN 71 and 138 are tagged on ether8 only; no access port is a member here.
add bridge=bridge tagged=ether8 vlan-ids=71
# VLAN 98: tagged on the trunk, untagged on the six access ports.
# NOTE(review): the bridge interface itself is not listed as a tagged member of
# VLAN 98 although vlan-98-bridge sits on it. The poster reports it working
# after enabling filtering, so presumably this RouterOS version adds that
# membership dynamically - verify with "/interface bridge vlan print".
add bridge=bridge tagged=ether8 untagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=98
add bridge=bridge tagged=ether8 vlan-ids=138
/interface list member
# Only "bridge" is in LAN; vlan-98-bridge is not, so the LAN-scoped services
# below (neighbor discovery, MAC server, MAC WinBox) do not cover it.
add comment=defconf interface=bridge list=LAN
/ip address
# Static management address on VLAN 98.
add address=192.168.98.33/20 interface=vlan-98-bridge network=192.168.96.0
# Factory-default address left on the bridge as the fallback mentioned in the post.
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip dns
# NOTE(review): allow-remote-requests=yes makes the device answer DNS queries
# from other hosts. The post says the ip firewall rules were deleted, so nothing
# in this export restricts who may query it (or reach WebFig/SSH). For a
# switch-only role, set this to "no" or re-add an input filter.
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.98.1 routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
# Leftover defconf address list; no rule in this export references bad_ipv6
# (the post says the ipv6 firewall rules were deleted).
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/system clock
set time-zone-name=America/New_York
/system identity
set name=mikrotik-xxx
/system note
set show-at-login=no
/tool mac-server
# MAC Telnet and MAC WinBox access are restricted to the LAN interface list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

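Ugh…forgot to enable VLAN filtering on the bridge (vlan-filtering=yes under /interface bridge). Without it the bridge ignores the pvids and the bridge vlan table, so everything was just one flat untagged segment — which is why ether1-ether6 could reach 88.1 but nothing on vlan 98. All appears to be working now.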