Syslog Failing to send

I have a CRS310 that has an interface on a VLAN for managing the device itself. I can SSH, Webfig, etc. All of the stuff to manage the device.
However, I am noticing that I cannot get router initiated traffic out of the device. Surely I missed something simple.

/interface bridge
add admin-mac=xxxaa auto-mac=no comment=bridge frame-types=admit-only-vlan-tagged name=br1 protocol-mode=stp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=g1
set [ find default-name=ether2 ] disabled=yes name=g2
set [ find default-name=ether3 ] disabled=yes name=g3
set [ find default-name=ether4 ] disabled=yes name=g4
set [ find default-name=ether5 ] disabled=yes name=g5
set [ find default-name=ether6 ] disabled=yes name=g6
set [ find default-name=ether7 ] disabled=yes name=g7
set [ find default-name=ether8 ] disabled=yes name=g8
set [ find default-name=sfp-sfpplus1 ] name=t1
set [ find default-name=sfp-sfpplus2 ] name=t2
/interface vlan
add comment=Mgmt interface=br1 name=vlan128 vlan-id=128
/interface bonding
add comment="20G to CRS326" mode=802.3ad name=bond1 slaves=t1,t2
/interface list
add comment="Limit Neighbor Discovery" name=no-discovery
/snmp community
set [ find default=yes ] disabled=yes
add addresses=192.168.128.42/32 authentication-password=xxx authentication-protocol=SHA1 encryption-password=yyy encryption-protocol=AES name=zzz security=authorized write-access=yes
/system logging action
set 3 remote=192.168.128.42
add name=TCPSyslog remote=192.168.128.42 remote-log-format=syslog remote-port=601 remote-protocol=tcp syslog-facility=syslog target=remote
/user group
set full skin=Limitedaa
/interface bridge port
add bridge=br1 comment="20G to CRS326" frame-types=admit-only-vlan-tagged interface=bond1
add bridge=br1 comment=defconf interface=g1
add bridge=br1 comment=defconf interface=g2
add bridge=br1 comment=defconf interface=g3
add bridge=br1 comment=defconf interface=g4
add bridge=br1 comment=defconf interface=g5
add bridge=br1 comment=defconf interface=g6
add bridge=br1 comment=defconf interface=g7
add bridge=br1 comment=defconf interface=g8
/ip neighbor discovery-settings
set discover-interface-list=!no-discovery lldp-med-net-policy-vlan=1
/interface bridge vlan
add bridge=br1 comment=Service tagged=bond1 vlan-ids=128
add bridge=br1 comment=User tagged=bond1 vlan-ids=1
add bridge=br1 comment=Secrets tagged=bond1 vlan-ids=129
add bridge=br1 comment=Guests tagged=bond1 vlan-ids=138
add bridge=br1 comment=Sync tagged=bond1 vlan-ids=353
add bridge=br1 comment="Firewall Inside" tagged=bond1 vlan-ids=1353
add bridge=br1 comment=Outside tagged=bond1 vlan-ids=1357
/ip address
add address=192.168.128.22/24 comment=Mgmt interface=vlan128 network=192.168.128.0
/ip cloud
set update-time=no
/ip dns
set servers=192.168.128.15,192.168.128.16
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.128.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=crs310.dmz disabled=no
set api disabled=yes
set api-ssl certificate=crs310.dmz
/ip ssh
set host-key-size=4096 strong-crypto=yes
/snmp
set contact="Admin <user@gmail.com>" enabled=yes location="Rack1, Room1, Site1" trap-community=zzz trap-interfaces=vlan128 trap-target=192.168.128.42 trap-version=3
/system clock
set time-zone-name=America/Somewhere
/system identity
set name=CRS310
/system logging
add action=TCPSyslog topics="account,bridge,clock,critical,error,event,health,info,interface,ntp,script,snmp,ssh,stp,system,update"
/system note
set note="No one but the owner of this device may access." show-at-cli-login=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.128.51
add address=192.168.128.52
/system script
add comment="VLAN Membership Scraper" dont-require-permissions=no name=LNMS_vlans owner=secureuser policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="###\n### LibreNMS \"glue\" script for routeros vlans discovery\n### https://github.com/librenms/librenms/pull/13427\n###\n\n:global vlanst [:toarray \"\"]\n:global vlansu [:toarray \"\"]\n\n:foreach i in [/interface bridge vlan find] do={\n    :local intf [/interface bridge vlan get \$i bridge]\n    :local vlid [/interface bridge vlan get \$i vlan-ids]\n    :local vname\n\n    :foreach i in [/interface vlan find where vlan-id=\$vlid] do={\n        :local intname [/interface vlan get \$i name]\n        :set \$vname (\$intname)\n    }\n\n    :foreach t in [/interface bridge vlan get \$i tagged] do={\n        :set \$vlanst (\$vlanst, \"\$vlid,\$t,\$vname\")\n    }\n\n    :foreach u in [/interface bridge vlan get \$i current-untagged] do={\n        :set \$vlansu (\$vlansu, \"\$vlid,\$u,\$vname\")\n    }\n\n    :foreach u in [/interface bridge port find where bridge=\$intf and pvid=\$vlid] do={\n        :local iu [/interface bridge port get \$u interface]\n        :local fl 0\n        :foreach tmp in \$vlansu do={\n            :local ar [:toarray \$tmp]\n            :if (((\$ar->0) = \$vlid) && ((\$ar->1) = \$iu))  do={\n                :set fl 1\n            }\n        }\n        :if ( \$fl != 1 ) do={\n            :set \$vlansu (\$vlansu, \"\$vlid,\$iu,\$vname\")\n        }\n    }\n}\n\n:foreach vl in [/interface vlan find ] do={\n    :local intf [/interface vlan get \$vl interface]\n    :local vlid [/interface vlan get \$vl vlan-id]\n    :local vname [/interface vlan get \$vl name]\n    :local fl 0\n\n    :foreach tmp in \$vlanst do={\n        :local ar [:toarray \$tmp]\n        :if (((\$ar->0) = \$vlid) && ((\$ar->1) = \$intf)) do={\n            :set fl 1\n        }\n    }\n    :if ( \$fl != 1 ) do={\n        :set \$vlanst (\$vlanst, \"\$vlid,\$intf,\$vname\")\n    }\n}\n\n:foreach tmp in \$vlanst do={\n    :put \"T,\$tmp\"\n}\n\n:foreach tmp in \$vlansu do={\n    :put \"U,\$tmp\"\n}\n"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Ping your next-hop 192.168.128.1. If it's working, check your NAT/Masquerade rule on that router. Also, why STP and not RSTP? You also forgot to add br1 as a tagged interface.

This is how you do it: add br1 as tagged.

/interface bridge vlan
add bridge=br1 comment=Service tagged=br1,bond1 vlan-ids=128

Other than that, I can't see any reason why it's not working.

Something is severely missing in your explanation…

You have two ports bonded going to WHERE?
You have all ports disabled vice 2, and this BOND is
a. coming from the ROUTER?
b. going to another SWITCH?

IN both cases THEY DON'T MAKE ANY SENSE.
If they are coming from the router, WHY… you have no ports assigned, so the switch is not connected to any other device.
If they are going to another switch, WHY… you have no input from the router.

In other words, don't you think it's odd you have vlans on one port and not on any other ports…

It's a config that is incomplete; what are you not telling us?
This is why a diagram should be mandatory for such posts.

Apologies my setup is pretty much like this:
https://help.mikrotik.com/docs/spaces/ROS/pages/139526180/CRS3xx+CRS5xx+CCR2116+CCR2216+VLANs+with+Bonds

This traffic is originating on a host on VLAN128. Physically, the host is on a hypervisor that is trunked to the core switch.
The management box (192.168.128.42) is an LXC running syslog-ng and LibreNMS and successfully receives syslog from all other devices on VLAN 128 and other VLANs.
The management box (192.168.128.42) can reach "Switch A" (192.168.128.22) successfully to SSH, and manage "Switch A" via SNMP.

The router is a CCR2116-12G-4S+, and the core switch is a CRS326-24S+2Q+. Switches A and C are both CRS310-8G+2S+. The only deviation from this drawing is that the CCR2116-12G-4S+ does not have direct L3 access to the Internet. (The firewall is a completely different device.)
This "Switch A" doesn't have anything else on it yet and is really only bonded to the core switch. This shouldn't matter as we are talking about managing the switch itself here.
All four devices are having the same issue: syslog doesn't work, traps don't work (but SNMP does), NTP sometimes works, sometimes not. Everything else (VLANs, bonding, SVIs, SSH, Webfig, etc.) works on all devices.

I only picked this switch as it required less sanitization.

loloski:
I use STP instead of RSTP as other bridge devices in the network have issues with RSTP (Sonos and UniFi APs)
The core router (the device with the 192.168.128.1 SVI) does not do NAT. Internet is handled elsewhere.

[user@host] > ping 192.168.128.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                            
    0 192.168.128.1                               56  64 333us     
    1 192.168.128.1                               56  64 290us     
    2 192.168.128.1                               56  64 280us     
    3 192.168.128.1                               56  64 290us     
    sent=4 received=4 packet-loss=0% min-rtt=280us avg-rtt=298us max-rtt=333us

VLAN 128 IS tagged by the “VLAN on Bridge” automatic tagging. Are you saying that I need to tag it manually?
I don’t know all of the Mikrotik ins and outs yet, as I am on week 3 since my first time touching a Mikrotik device.

Edit: I have manually added the bridge to /interface/bridge/vlan as tagged on VLAN 128. The "VLAN on Bridge" automatic tagging was removed.

Okay, that all makes sense thanks for the clarifications.
Assuming the core router does all the DHCP and routing within the private networks.
The core switch is connected to the CRS310 via two ports bonded, got it.
Okay then.

  1. Ensure the bridge is kept clean and leave functions to /interface bridge port (aka the frame types etc. should not be set on the main bridge setting).
    /interface bridge
    add admin-mac=xxxaa auto-mac=no comment=bridge name=br1 protocol-mode=stp vlan-filtering=yes

  2. I noted for observation that all your ports are disabled except for t1 and t2.

  3. Recommend:
    /interface list
    add name=TRUSTED

    /interface list member
    add interface=vlan128 list=TRUSTED

    /ip neighbor discovery-settings
    set discover-interface-list=TRUSTED

  4. Based on 2. above, bridge port should look like this (only one entry):
    /interface bridge port
    add bridge=br1 comment="20G to CRS326" ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=bond1

  5. The associated bridge vlan has errors… If the only vlan being fed into the unit is 128 then it should only have one line.
    THE BIG ERROR is that the bridge itself needs to be tagged for the management vlan; no other vlans require this.

    /interface bridge vlan
    add bridge=br1 comment=Service tagged=br1,bond1 vlan-ids=128

    The rest of these could be disabled, like the /interface bridge port settings, until actually needed, but I see you already disabled all the other ports and thus you are pre-setting up for eventual completion. Got it.

    The vlan identifying vlan1 WAS removed as it's a bogus entry.

  6. My preference is to set the management gateway and main router to deal with DNS coming from the device; this only applies to any users on the switch and not on the vlans, so it is a niche application and rarely used.
    /ip dns
    set servers=192.168.128.1

    It is mirrored by the route rule, which is rarely used but ensures any traffic outside the vlans gets sent properly.
    /ip route
    add disabled=no dst-address=0.0.0.0/0 gateway=192.168.128.1 routing-table=main suppress-hw-offload=no

  7. I have no idea what your script does, so will leave it be for now.

  8. As per neighbours discovery, this should be set to TRUSTED so winbox can access config easily.

    /tool mac-server
    set allowed-interface-list=none
    /tool mac-server mac-winbox
    set allowed-interface-list=TRUSTED

Step 1

[user@SwitchA] > /interface/bridge/print
Flags: D - dynamic; X - disabled, R - running 
 0  R ;;; bridge
      name="br1" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto 
      mac-address=XX:XX:XX:XX:XX:XX protocol-mode=stp fast-forward=yes igmp-snooping=no auto-mac=no 
      admin-mac=XX:XX:XX:XX:XX:XX ageing-time=5m priority=0x8000 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 
      frame-types=admit-all ingress-filtering=yes dhcp-snooping=no port-cost-mode=long mvrp=no 
      max-learned-entries=auto

Pretty much set to defaults and specified the MAC.

Step 3
I set L2 discovery to the opposite of your recommendation. None of these four Mikrotik devices are user facing, so I put an “allow all except” in place to control L2 discovery from hitting the Internet.
I appreciate the recommendation though

Step 4
One entry that matters, the other VLANs are in the process of being staged.

Step 5
I am not clear on this. Is this a recommendation against "VLAN on Bridge" autotagging? I really can't see that it would make a difference, since if I remove br1 from vlan128 it gets added back automatically.

Step 6
I have 3 PiHoles on VLAN 128 that give DNS for various things/purposes.

Step 7
The script is to scrape the VLANs and make them available via SNMP/LibreNMS.
See https://docs.librenms.org/Support/Device-Notes/Routeros/

Step 8
I have all of this turned off.

In addition to the above, I did set the br1 pvid to 128 and tried to get Syslog or SNMP trap traffic out of the switch. No luck, I set it back to 1.

[user@SwitchA] > /system/logging/action/print where name=UDPSyslog
Flags: * - default 
 4   name="UDPSyslog" target=remote remote=192.168.128.42 remote-port=514 src-address=192.168.128.22 
     remote-log-format=syslog remote-protocol=udp syslog-time-format=bsd-syslog 
     syslog-facility=daemon syslog-severity=auto 

[user@SwitchA] > /system/logging/print where action=UDPSyslog
Columns: TOPICS, ACTION
# TOPICS     ACTION   
4 account    UDPSyslog
  bridge              
  clock               
  critical            
  error               
  event               
  health              
  info                
  interface           
  ntp                 
  script              
  snmp                
  ssh                 
  stp                 
  system              
  update              
5 warning    UDPSyslog

Please provide the latest config for review.

By the way, this config comes from Oxidized, let me know if you would rather see the config from another source or in a different format.

/interface bridge
add admin-mac=DA:DA:DA:DA:DA:DA auto-mac=no comment=bridge name=br1 protocol-mode=stp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=g1
set [ find default-name=ether2 ] disabled=yes name=g2
set [ find default-name=ether3 ] disabled=yes name=g3
set [ find default-name=ether4 ] disabled=yes name=g4
set [ find default-name=ether5 ] disabled=yes name=g5
set [ find default-name=ether6 ] disabled=yes name=g6
set [ find default-name=ether7 ] disabled=yes name=g7
set [ find default-name=ether8 ] disabled=yes name=g8
set [ find default-name=sfp-sfpplus1 ] name=t1
set [ find default-name=sfp-sfpplus2 ] name=t2
/interface vlan
add comment=Mgmt interface=br1 name=vlan128 vlan-id=128
/interface bonding
add comment="20G to CRS326" mode=802.3ad name=bond1 slaves=t1,t2
/interface list
add comment="Limit Neighbor Discovery" name=no-discovery
/snmp community
set [ find default=yes ] disabled=yes
add addresses=192.168.128.42/32 authentication-password=xxx authentication-protocol=SHA1 encryption-password=xxx encryption-protocol=AES name=SNMPUser security=authorized write-access=yes
/system logging action
set 3 remote=192.168.128.42
add name=UDPSyslog remote=192.168.128.42 remote-log-format=syslog src-address=192.168.128.22 target=remote
/user group
set full skin=Limited
/interface bridge port
add bridge=br1 comment="20G to CRS326" frame-types=admit-only-vlan-tagged interface=bond1
add bridge=br1 comment=defconf interface=g1
add bridge=br1 comment=defconf interface=g2
add bridge=br1 comment=defconf interface=g3
add bridge=br1 comment=defconf interface=g4
add bridge=br1 comment=defconf interface=g5
add bridge=br1 comment=defconf interface=g6
add bridge=br1 comment=defconf interface=g7
add bridge=br1 comment=defconf interface=g8
/ip neighbor discovery-settings
set discover-interface-list=!no-discovery lldp-med-net-policy-vlan=1
/interface bridge vlan
add bridge=br1 comment=Services tagged=bond1 vlan-ids=128
add bridge=br1 comment=User tagged=bond1 vlan-ids=1
add bridge=br1 comment=Secrets tagged=bond1 vlan-ids=129
add bridge=br1 comment=Guests tagged=bond1 vlan-ids=138
add bridge=br1 comment=Sync tagged=bond1 vlan-ids=353
add bridge=br1 comment="Firewall Inside" tagged=bond1 vlan-ids=1353
add bridge=br1 comment=Outside tagged=bond1 vlan-ids=1357
/ip address
add address=192.168.128.22/24 comment=Mgmt interface=vlan128 network=192.168.128.0
/ip cloud
set update-time=no
/ip dns
set servers=192.168.128.15,192.168.128.16
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.128.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=crs310-a.dmz disabled=no
set api disabled=yes
set api-ssl certificate=crs310-a.dmz
/ip ssh
set host-key-size=4096 strong-crypto=yes
/snmp
set contact="Admin <user@host.com>" enabled=yes location="Rack1, Room1, Site1" trap-community=SNMPUser trap-generators=interfaces trap-interfaces=vlan128 trap-target=192.168.128.42 trap-version=3
/system clock
set time-zone-name=America/Somewhere
/system identity
set name=crs310-a
/system logging
add action=UDPSyslog topics="account,bridge,clock,critical,error,event,health,info,interface,ntp,script,snmp,ssh,stp,system,update"
add action=UDPSyslog topics=warning
/system note
set note="No one but the owner of this device may access." show-at-cli-login=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.128.51
add address=192.168.128.52
/system script
add comment="VLAN Membership Scraper" dont-require-permissions=no name=LNMS_vlans owner=tinsel policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="###\n### LibreNMS \"glue\" script for routeros vlans discovery\n### https://github.com/librenms/librenms/pull/13427\n###\n\n:global vlanst [:toarray \"\"]\n:global vlansu [:toarray \"\"]\n\n:foreach i in [/interface bridge vlan find] do={\n    :local intf [/interface bridge vlan get \$i bridge]\n    :local vlid [/interface bridge vlan get \$i vlan-ids]\n    :local vname\n\n    :foreach i in [/interface vlan find where vlan-id=\$vlid] do={\n        :local intname [/interface vlan get \$i name]\n        :set \$vname (\$intname)\n    }\n\n    :foreach t in [/interface bridge vlan get \$i tagged] do={\n        :set \$vlanst (\$vlanst, \"\$vlid,\$t,\$vname\")\n    }\n\n    :foreach u in [/interface bridge vlan get \$i current-untagged] do={\n        :set \$vlansu (\$vlansu, \"\$vlid,\$u,\$vname\")\n    }\n\n    :foreach u in [/interface bridge port find where bridge=\$intf and pvid=\$vlid] do={\n        :local iu [/interface bridge port get \$u interface]\n        :local fl 0\n        :foreach tmp in \$vlansu do={\n            :local ar [:toarray \$tmp]\n            :if (((\$ar->0) = \$vlid) && ((\$ar->1) = \$iu))  do={\n                :set fl 1\n            }\n        }\n        :if ( \$fl != 1 ) do={\n            :set \$vlansu (\$vlansu, \"\$vlid,\$iu,\$vname\")\n        }\n    }\n}\n\n:foreach vl in [/interface vlan find ] do={\n    :local intf [/interface vlan get \$vl interface]\n    :local vlid [/interface vlan get \$vl vlan-id]\n    :local vname [/interface vlan get \$vl name]\n    :local fl 0\n\n    :foreach tmp in \$vlanst do={\n        :local ar [:toarray \$tmp]\n        :if (((\$ar->0) = \$vlid) && ((\$ar->1) = \$intf)) do={\n            :set fl 1\n        }\n    }\n    :if ( \$fl != 1 ) do={\n        :set \$vlanst (\$vlanst, \"\$vlid,\$intf,\$vname\")\n    }\n}\n\n:foreach tmp in \$vlanst do={\n    :put \"T,\$tmp\"\n}\n\n:foreach tmp in \$vlansu do={\n    :put \"U,\$tmp\"\n}\n"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

This will be my last post, as you completely ignored my previous post, which fixed many errors/missing items.
I will repost based on your latest config.

/interface bridge
add admin-mac=DA:DA:DA:DA:DA:DA auto-mac=no comment=bridge name=br1 protocol-mode=stp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disabled=yes name=g1
set [ find default-name=ether2 ] disabled=yes name=g2
set [ find default-name=ether3 ] disabled=yes name=g3
set [ find default-name=ether4 ] disabled=yes name=g4
set [ find default-name=ether5 ] disabled=yes name=g5
set [ find default-name=ether6 ] disabled=yes name=g6
set [ find default-name=ether7 ] disabled=yes name=g7
set [ find default-name=ether8 ] disabled=yes name=g8
set [ find default-name=sfp-sfpplus1 ] name=t1
set [ find default-name=sfp-sfpplus2 ] name=t2
/interface vlan
add comment=Mgmt interface=br1 name=vlan128 vlan-id=128
/interface bonding
add comment="20G to CRS326" mode=802.3ad name=bond1 slaves=t1,t2
/interface list
add name=TRUSTED
/interface list member
add interface=vlan128 list=TRUSTED
/snmp community
set [ find default=yes ] disabled=yes
add addresses=192.168.128.42/32 authentication-password=xxx authentication-protocol=SHA1 encryption-password=xxx encryption-protocol=AES name=SNMPUser security=authorized write-access=yes
/system logging action
set 3 remote=192.168.128.42
add name=UDPSyslog remote=192.168.128.42 remote-log-format=syslog src-address=192.168.128.22 target=remote
/user group
set full skin=Limited
/interface bridge port
add bridge=br1 comment="20G to CRS326" frame-types=admit-only-vlan-tagged interface=bond1
add bridge=br1 comment=defconf interface=g1
add bridge=br1 comment=defconf interface=g2
add bridge=br1 comment=defconf interface=g3
add bridge=br1 comment=defconf interface=g4
add bridge=br1 comment=defconf interface=g5
add bridge=br1 comment=defconf interface=g6
add bridge=br1 comment=defconf interface=g7
add bridge=br1 comment=defconf interface=g8
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=br1 tagged=br1,bond1 vlan-ids=128 comment="the management vlan must be tagged with Bridge"
add bridge=br1 comment=User tagged=bond1 vlan-ids=1
add bridge=br1 comment=Secrets tagged=bond1 vlan-ids=129
add bridge=br1 comment=Guests tagged=bond1 vlan-ids=138
add bridge=br1 comment=Sync tagged=bond1 vlan-ids=353
add bridge=br1 comment="Firewall Inside" tagged=bond1 vlan-ids=1353
add bridge=br1 comment=Outside tagged=bond1 vlan-ids=1357
/ip address
add address=192.168.128.22/24 comment=Mgmt interface=vlan128 network=192.168.128.0
/ip cloud
set update-time=no
/ip dns
set servers=192.168.128.15,192.168.128.16
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.128.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=crs310-a.dmz disabled=no
set api disabled=yes
set api-ssl certificate=crs310-a.dmz
/ip ssh
set host-key-size=4096 strong-crypto=yes
/snmp
set contact="Admin <user@host.com>" enabled=yes location="Rack1, Room1, Site1" trap-community=SNMPUser trap-generators=interfaces trap-interfaces=vlan128 trap-target=192.168.128.42 trap-version=3
/system clock
set time-zone-name=America/Somewhere
/system identity
set name=crs310-a
/system logging
add action=UDPSyslog topics="account,bridge,clock,critical,error,event,health,info,interface,ntp,script,snmp,ssh,stp,system,update"
add action=UDPSyslog topics=warning
/system note
set note="No one but the owner of this device may access." show-at-cli-login=yes
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.128.51
add address=192.168.128.52
/system script
add comment="VLAN Membership Scraper" dont-require-permissions=no name=LNMS_vlans owner=tinsel policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="###\n### LibreNMS \"glue\" script for routeros vlans discovery\n### https://github.com/librenms/librenms/pull/13427\n###\n\n:global vlanst [:toarray \"\"]\n:global vlansu [:toarray \"\"]\n\n:foreach i in [/interface bridge vlan find] do={\n    :local intf [/interface bridge vlan get \$i bridge]\n    :local vlid [/interface bridge vlan get \$i vlan-ids]\n    :local vname\n\n    :foreach i in [/interface vlan find where vlan-id=\$vlid] do={\n        :local intname [/interface vlan get \$i name]\n        :set \$vname (\$intname)\n    }\n\n    :foreach t in [/interface bridge vlan get \$i tagged] do={\n        :set \$vlanst (\$vlanst, \"\$vlid,\$t,\$vname\")\n    }\n\n    :foreach u in [/interface bridge vlan get \$i current-untagged] do={\n        :set \$vlansu (\$vlansu, \"\$vlid,\$u,\$vname\")\n    }\n\n    :foreach u in [/interface bridge port find where bridge=\$intf and pvid=\$vlid] do={\n        :local iu [/interface bridge port get \$u interface]\n        :local fl 0\n        :foreach tmp in \$vlansu do={\n            :local ar [:toarray \$tmp]\n            :if (((\$ar->0) = \$vlid) && ((\$ar->1) = \$iu))  do={\n                :set fl 1\n            }\n        }\n        :if ( \$fl != 1 ) do={\n            :set \$vlansu (\$vlansu, \"\$vlid,\$iu,\$vname\")\n        }\n    }\n}\n\n:foreach vl in [/interface vlan find ] do={\n    :local intf [/interface vlan get \$vl interface]\n    :local vlid [/interface vlan get \$vl vlan-id]\n    :local vname [/interface vlan get \$vl name]\n    :local fl 0\n\n    :foreach tmp in \$vlanst do={\n        :local ar [:toarray \$tmp]\n        :if (((\$ar->0) = \$vlid) && ((\$ar->1) = \$intf)) do={\n            :set fl 1\n        }\n    }\n    :if ( \$fl != 1 ) do={\n        :set \$vlanst (\$vlanst, \"\$vlid,\$intf,\$vname\")\n    }\n}\n\n:foreach tmp in \$vlanst do={\n    :put \"T,\$tmp\"\n}\n\n:foreach tmp in \$vlansu do={\n    :put \"U,\$tmp\"\n}\n"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool mac-server ping
set enabled=no

FYI, I am a Network Architect for over 30 years… I know that L2 discovery has nothing to do with my issue and that autotagging and manual tagging accomplish the same thing…
I did try manual tagging by the way… It didn’t make any difference.

$ diff his.txt new.txt
19,21c19
< add name=TRUSTED
< /interface list member
< add interface=vlan128  list=TRUSTED
---
> add comment="Limit Neighbor Discovery" name=no-discovery
41c39
< set discover-interface-list=TRUSTED
---
> set discover-interface-list=!no-discovery lldp-med-net-policy-vlan=1
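Review bot: the two sides take opposite defaults for neighbour discovery, and the left-hand `discover-interface-list=TRUSTED` is the safer one: it only advertises on interfaces explicitly added to the list, whereas `!no-discovery` advertises on every interface not in no-discovery, including any of the currently disabled ports that is enabled later without being added to the list. If the `!no-discovery` form is kept, new ports need to be added to no-discovery as they are brought up. Note also that the right-hand side keeps `lldp-med-net-policy-vlan=1`, which the TRUSTED version drops; confirm nothing relies on that LLDP-MED policy before settling on either.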
43c41
< add bridge=br1  tagged=BR1,bond1 vlan-ids=128  comment="the management vlan must be tagged with Bridge"
---
> add bridge=br1 comment=Services tagged=bond1 vlan-ids=128
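Review bot: `tagged=BR1,bond1` on the left differs in case from the bridge, which is named `br1` everywhere else in both configs; RouterOS interface names are case-sensitive, so verify that this line was actually accepted on import rather than left out, otherwise the "manual tagging made no difference" test proves nothing. The right-hand line lists no bridge under `tagged=` and relies on the dynamic entry RouterOS adds when a VLAN interface is created on the bridge.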
92c90
< set allowed-interface-list=TRUSTED
---
> set allowed-interface-list=none
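Review bot: `allowed-interface-list=none` on the right is the tighter setting for MAC-Winbox; `TRUSTED` on the left turns it on for vlan128, which adds a second, layer-2 management path that does not pass through the IP services and route configured for the management address. Keep `none` unless MAC-based Winbox access is wanted for recovery, and if it is enabled, limiting it to the management VLAN as done here is the right scope.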

Not sure I follow. I am basing my comments on what I see in front of me.
On your posted config, I do not see the bridge tagged on this line.
What am I missing? Perhaps there is some functionality that I am not aware of?

/interface bridge vlan
add bridge=br1 comment=Services tagged=bond1 vlan-ids=128

Note below: ;;; added by vlan on bridge
7 D br1 128 br1

There is no way to NOT have the vlan tagged on the bridge once it gets added as an L3 interface…

> /interface/bridge/vlan/print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
;;; Services
0   br1          128  bond1                           
;;; User
1   br1            1  bond1                           
;;; Secrets
2   br1          129  bond1                           
;;; Guests
3   br1          138  bond1                           
;;; Sync
4   br1          353  bond1                           
;;; Firewall Inside
5   br1         1353  bond1                           
;;; Outside
6   br1         1357  bond1                           
;;; added by vlan on bridge
7 D br1          128  br1                             
;;; added by pvid
8 D br1            1                  br1

My question is… does it make a difference? If yes, I can add it manually…
Which I did…
And it made no difference

Interesting, that it added it dynamically. Never seen that before thanks…

The only other thing I can think of is to change everything not 192.168.128.1 (be it dns, ntp etc.) to 192.168.128.1 (after the other changes I recommended, of course), and see if that makes a difference.

Running out of ideas here, sorry. Try RSTP vice STP for mode…

Bridging and Switching
Bridge VLAN Filtering
Management access configuration
https://help.mikrotik.com/docs/spaces/ROS/pages/328068/Bridging+and+Switching#BridgingandSwitching-Managementaccessconfiguration
:bulb:

Thanks chechito

I read that article several times before opening this post. (As it is confusing as hell at first.)

I am beginning to think that I am on my own with this one. I will check back in when I find the root cause.
I like Anav's suggestion though. I am going to try moving the management network to its own vlan and see how that works. At the very least it will eliminate layer two tagging issues from being the issue.
Edit:
I moved the management vlan to 192.168.135.48/28 on VLAN 1354. I did get one syslog:

2025-03-07 22:31:53 warning crs326 POSSIBLE SYN flooding on tcp port 22

However none of the other logs made it to syslog.
I am beginning to think there is a syslog bug

Got it figured out.
Consider the example that I created specifically to illustrate this below:

> /system/logging/print
Flags: X - DISABLED; * - DEFAULT
Columns: TOPICS, ACTION
 #    TOPICS       ACTION   
 0  * info         memory   
 1  * error        memory   
 2  * warning      memory   
 3  * critical     echo     
 4    warning      UDPSyslog
 5    critical     UDPSyslog
 6 X  ssh          UDPSyslog
 7    error        UDPSyslog
 8 X  snmp         UDPSyslog
 9 X  script       UDPSyslog
10 X  bridge       UDPSyslog
11 X  account      remote   
12    account      UDPSyslog
      acme-client           
      amt                   
      async                 
      backup                
      bgp                   
      caps                  
      critical              
      ddns                  
      dhcp

Entries 4-11 are one topic per number. This works great.
Entry 12 has multiple topics on the one entry. This is a no-no.
Single topic per entry - good
Multiple topics per entry - bad

My issue is fixed.

I did find the issue with SNMP as well. It seems that the Engine ID needs to be unique. So I set my Engine ID Suffix to my host names on each box.
NTP is working as expected as well now, I am not sure what the fix was for it. I blame Anav for getting it working. :wink:
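The semantics behind that fix, as an added example that is neither code from this thread nor MikroTik's: a Python model of how RouterOS matches a /system logging rule (every topic listed in the rule must be present on the message, so multiple topics are ANDed; a leading ! excludes a topic). It parses the original sixteen-topic rule, shows it forwards nothing, and splits it into the one-topic-per-entry form that worked. The sample messages and the topic sets attached to them are constructed for the example.

```python
"""Model of RouterOS /system logging topic matching (added example, not from the thread).

A rule fires only when the message carries EVERY topic the rule lists (AND);
a '!' prefix excludes a topic. One rule with sixteen topics therefore matches
no real message, while one rule per topic matches as intended.
"""
import re

# Constructed sample: the thread's original rule plus the separate 'warning' rule.
LOGGING_EXPORT = '''
/system logging
add action=UDPSyslog topics="account,bridge,clock,critical,error,event,health,info,interface,ntp,script,snmp,ssh,stp,system,update"
add action=UDPSyslog topics=warning
'''

# Constructed sample messages with typical RouterOS topic sets (not captured from a device).
SAMPLE_MESSAGES = [
    ("user admin logged in from 192.168.128.42 via ssh", {"system", "info", "account"}),
    ("bond1 link up", {"interface", "info"}),
    ("script LNMS_vlans executed", {"script", "info"}),
    ("login failure for user admin from 10.0.0.5 via ssh", {"system", "error", "critical"}),
]

# Matches 'add action=<name> topics=<list>' with or without quotes around the list.
RULE_RE = re.compile(r'^add\s+action=(\S+)\s+topics="?([^"\s]+)"?')


def parse_logging_rules(export_text):
    """Parse '/system logging' add-lines into (action, include_topics, exclude_topics)."""
    rules = []
    for line in export_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        action, topics = m.group(1), m.group(2).split(",")
        include = frozenset(t for t in topics if not t.startswith("!"))
        exclude = frozenset(t[1:] for t in topics if t.startswith("!"))
        rules.append((action, include, exclude))
    return rules


def rule_matches(include, exclude, msg_topics):
    """AND semantics: all included topics present, no excluded topic present."""
    return include <= set(msg_topics) and not (exclude & set(msg_topics))


def actions_for(rules, msg_topics):
    """Set of actions that would receive a message carrying these topics."""
    return {action for action, inc, exc in rules if rule_matches(inc, exc, msg_topics)}


def split_rules(rules):
    """Rewrite each multi-topic rule into one rule per topic (the fix from the thread).
    Any exclusions are carried over to every generated rule."""
    out = []
    for action, include, exclude in rules:
        for topic in sorted(include):
            out.append((action, frozenset([topic]), exclude))
    return out


def to_export(rules):
    """Render rules back as '/system logging' add-lines ready to paste into a device."""
    lines = ["/system logging"]
    for action, include, exclude in rules:
        topics = sorted(include) + ["!" + t for t in sorted(exclude)]
        lines.append(f"add action={action} topics={','.join(topics)}")
    return "\n".join(lines)


def forwarded_count(rules, messages):
    """How many of the sample messages reach the UDPSyslog action under these rules."""
    return sum(1 for _, topics in messages if "UDPSyslog" in actions_for(rules, topics))


if __name__ == "__main__":
    broken = parse_logging_rules(LOGGING_EXPORT)
    fixed = split_rules(broken)
    print("forwarded with one 16-topic rule:", forwarded_count(broken, SAMPLE_MESSAGES))
    print("forwarded with one rule per topic:", forwarded_count(fixed, SAMPLE_MESSAGES))
    print(to_export(fixed))
```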