Struggling with simple VLAN setup

I really tried to make this work but going out of my mind. I’m trying to have a very simple setup with my CRS310-8G+2S. I have an OPNsense router and another TPLink POE switch, I need the network setup in Mikrotik like below

SFP1 - Unraid (default VLAN5, also uses VLAN10 periodically so I tagged for 10)
SFP2 - OPNsense LAN
Eth8 - Desktop (use management VLAN)
Eth7 - Tplink (tagged for both VLAN5 & 10)

Every time I enable VLAN filtering, Mikrotik loses internet connection and so does my desktop
Config below

# 2025-07-05 17:49:34 by RouterOS 7.19.2
# software id = R1BT-722U
#
# model = CRS310-8G+2S+
# serial number = HF00954Q0TV
/interface bridge
add admin-mac=78:9A:18:4C:B2:27 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether8 ] name=desktop
set [ find default-name=ether6 ] name=mgmt
set [ find default-name=sfp-sfpplus2 ] name=opnsense_LAN
set [ find default-name=ether7 ] name=tplink
set [ find default-name=sfp-sfpplus1 ] name=unraid
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=mgmt
add bridge=bridge comment=TPLink interface=tplink pvid=5
add bridge=bridge comment=defconf interface=desktop
add bridge=bridge comment=defconf interface=unraid pvid=5
add bridge=bridge comment=defconf interface=opnsense_LAN
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=bridge comment=LAN_MAIN tagged=opnsense_LAN,tplink untagged=unraid vlan-ids=\
    5
add bridge=bridge comment=LAN_IOT tagged=tplink,unraid,opnsense_LAN vlan-ids=10
add bridge=bridge comment=LAN_MGMT tagged=opnsense_LAN untagged=mgmt,desktop vlan-ids=1
/interface ovpn-server server
add mac-address=FE:A8:53:66:26:B0 name=ovpn-server1
/ip dhcp-client
add interface=bridge
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=America/Toronto

I’m not really sure what I’m doing wrong here

I think the problems arise from the fact that your management VLAN is being transported as tagged VLAN 1 between the switch and the OPNsense device. Usually, people on this forum abhor such configurations!

If that’s really the case (on OPNsense the port is a trunk port that really tags VLAN 1, and not a hybrid port where VLAN 1 is untagged), and you don’t want to make any modification to OPNsense, then you’ll need to do the following changes on the CRS310:

  1. Set frame-types of the opnsense_LAN port (sfp-sfpplus2) to admit-only-vlan-tagged.
  2. Set frame-types of the mgmt and desktop port to admit-only-untagged-and-priority-tagged while keeping pvid=1.
  3. Set frame-types of port tplink to admit-only-vlan-tagged and change pvid back to the default value of 1 (so that it disappears from the export) because that parameter is not used anymore.
  4. Until this point, all your other ports in the bridge, ether2, ether3, ether4, ether5, are management ports, because they make VLAN 1 available as untagged, just like your desktop and mgmt ports. If that’s not what you desire, either disable those ports, or set their pvid to something like 4000 and set frame-types to admit-only-untagged-and-priority-tagged.
  5. Now you can turn back vlan-filtering=yes on the bridge.

If, however, the management VLAN is not the tagged VLAN 1 on the link between sfp-sfpplus2 and the OPNsense device, but is transported untagged (port is hybrid port), then replace step 1 above with:

  1. Keep frame-types of the opnsense_LAN port (sfp-sfpplus2) as admit-all, then fully remove this entry from the Bridge → VLANs table:
/interface bridge vlan
add bridge=bridge comment=LAN_MGMT tagged=opnsense_LAN untagged=mgmt,desktop vlan-ids=1

If everything works, you can apply some modifications from @tangent’s guide MikroTik Solutions: Configuration Flotsam to remove entries from old router’s default from future config exports:

  • Remove the wireless package.
  • Increase UDP timeout:
/ip firewall connection tracking set udp-timeout=30s
  • Remove dummy OpenVPN server instance:
/interface ovpn-server server remove [find where name=ovpn-server1]
  • Change the default Hotspot directory:
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
  • Move to new default values for IPSec profile:
/ip ipsec profile set [ find default=yes ] dpd-interval=8s dpd-maximum-failures=4

Your future exports should become shorter.


Thank you so much for the response! I did this and successfully kept the Internet connection on all ports.

At the moment, after implementing this, I’m unable to communicate with any devices on the management VLAN, including the OPNsense router. Is it possible it’s due to these settings? Or do I have a different problem?

My updated config is

# 2025-07-06 06:45:15 by RouterOS 7.19.2
# software id = R1BT-722U
#
# model = CRS310-8G+2S+
# serial number = HF00954Q0TV
/interface bridge
add admin-mac=78:9A:18:4C:B2:27 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=2_mgmt
set [ find default-name=ether7 ] name=7_tplink
set [ find default-name=ether8 ] name=8_desktop
set [ find default-name=sfp-sfpplus2 ] name=opnsense
set [ find default-name=sfp-sfpplus1 ] name=unraid
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=2_mgmt
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=\
    7_tplink
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=8_desktop
add bridge=bridge comment=defconf interface=unraid pvid=5
add bridge=bridge comment=defconf interface=opnsense
/interface bridge vlan
add bridge=bridge comment=LAN_MAIN tagged=opnsense,7_tplink untagged=unraid \
    vlan-ids=5
add bridge=bridge comment=LAN_IOT tagged=7_tplink,unraid,opnsense vlan-ids=10
/ip dhcp-client
add interface=bridge
/system clock
set time-zone-name=America/Toronto

EDIT: To add that this seems to only affect the management VLAN. When I switch to VLAN5, I can access other devices on it like proxmox and unraid

Sorry for the delay. With the current setup that you exported, the “management” VLAN (what you can access if you plug devices to ether2, ether6, or ether8) is the VLAN that is transferred untagged between the CRS310 and the OPNsense host.

If you plug a PC to ether8 does it obtain an IP address via DHCP from the DHCP Server on OPNsense? Does the CRS310 get an IP address on its bridge interface from OPNsense?

  • If both get no IP address assigned, you’ll need to check the setting on OPNsense. If OPNsense has the management VLAN tagged on the port connecting to the CRS310 then you’ll need to make the CRS310 aware of that too:

    • If OPNsense tags the management VLAN as VLAN 1, then on the CRS you’ll need to add this entry in the Bridge → VLANs table: /interface bridge vlan add bridge=bridge comment=LAN_MGMT tagged=opnsense vlan-ids=1.

    • If that tagged ID is not 1 but, let’s say 100, then you’ll need to do this on the CRS310:

      • Add to Bridge → VLANs (adjust the ID accordingly): /interface bridge vlan add bridge=bridge comment=LAN_MGMT tagged=opnsense vlan-ids=100.

      • Set PVIDs of ether2, ether6 and ether8 to that VLAN ID number (100 in this example).

      • Add a vlan_mgmt interface for that VLAN ID: /interface vlan add interface=bridge name=vlan_mgmt vlan-id=100.

      • Enable DHCP client on that vlan_mgmt interface: /ip dhcp-client add interface=vlan_mgmt.

  • But if your PC could already get a valid IP address from the DHCP server on OPNsense, then the port & VLAN configuration is already correct, and the problem might be some firewall setting on OPNsense.
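Added consistency check (not from this thread, not MikroTik code) that reads the `/interface bridge port` and `/interface bridge vlan` sections of a RouterOS export and reports the mismatches the first reply's numbered steps and the second reply's management-VLAN checklist describe: a trunk that still admits untagged frames, a tagged-only port carrying a leftover pvid, an untagged member whose pvid differs from that VLAN, a default-pvid port that silently lands on the management VLAN, and VLAN 1 carried tagged towards the router. The embedded export is the original poster's first one; the parser is deliberately minimal and assumes export values contain no spaces.

```python
# Sections copied from the thread's first export ('\' wrap kept); assumes export values contain no spaces.
EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=mgmt
add bridge=bridge comment=TPLink interface=tplink pvid=5
add bridge=bridge comment=defconf interface=desktop
add bridge=bridge comment=defconf interface=unraid pvid=5
add bridge=bridge comment=defconf interface=opnsense_LAN
/interface bridge vlan
add bridge=bridge comment=LAN_MAIN tagged=opnsense_LAN,tplink untagged=unraid vlan-ids=\
    5
add bridge=bridge comment=LAN_IOT tagged=tplink,unraid,opnsense_LAN vlan-ids=10
add bridge=bridge comment=LAN_MGMT tagged=opnsense_LAN untagged=mgmt,desktop vlan-ids=1
"""

def parse_export(text):
    """Map each '/...' section of a RouterOS export to its 'add' entries as {key: value} dicts."""
    sections, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = line[:-1] if line.endswith("\\") else ""  # RouterOS wraps long lines with a trailing '\'
        if buf or not line:
            continue
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections.setdefault(current, []).append(dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv))
    return sections

def check_bridge_vlans(cfg):
    """Return the port/VLAN inconsistencies that the two replies in this thread describe."""
    untagged_in, tagged_in, findings = {}, set(), []
    for v in cfg.get("/interface bridge vlan", []):
        vid = v["vlan-ids"]
        for p in filter(None, v.get("untagged", "").split(",")):
            untagged_in.setdefault(p, set()).add(vid)
        for p in filter(None, v.get("tagged", "").split(",")):
            tagged_in.add(p)
            if vid == "1":  # tagged VLAN 1 on a link only works if the peer really tags it
                findings.append(f"{p}: VLAN 1 is carried tagged; confirm the peer tags VLAN 1 or remove the entry")
    for port in cfg.get("/interface bridge port", []):
        name, pvid = port["interface"], port.get("pvid", "1")
        tagged_only = port.get("frame-types") == "admit-only-vlan-tagged"
        if tagged_only and pvid != "1":
            findings.append(f"{name}: pvid={pvid} is unused on a tagged-only port, reset it to 1")
        findings += [f"{name}: untagged in VLAN {vid} but pvid={pvid}" for vid in untagged_in.get(name, ()) if vid != pvid]
        if name not in untagged_in and not tagged_only and (name in tagged_in or pvid == "1"):
            kind = "trunk admits untagged frames into" if name in tagged_in else "unlisted port lands untagged frames in management"
            findings.append(f"{name}: {kind} VLAN {pvid}; lock it to tagged frames, re-pvid it or disable it")
    return findings
```

Running `check_bridge_vlans(parse_export(EXPORT))` on the first export lists the tagged VLAN 1 towards OPNsense, ether2 as a default management port, and the two trunks (tplink, opnsense_LAN) still admitting untagged frames, which is the set of items the first reply's steps 1, 3 and 4 fix.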