Unable to access Winbox using IP or Webfig, Winbox using MAC works

Need some ideas of where to look here. I created 4 VLANs and have a DHCP server for all of them. They all issue IPs correctly; however, on VLAN1 I am unable to access the router by IP address using either Winbox with the IP or Webfig.

I am a bit confused about if the bridge should have the DHCP range tied to it or the VLAN. It does seem to work the best with the DHCP on the VLAN1.

I am trying to get to a point where I can lock down the MAC server but am unable to because I lose contact with the router without it.

# 2024-10-02 19:37:53 by RouterOS 7.15.3
# software id = xxxx-xxx
#
# model = RB960PGS
# serial number = xxxxxxxxxx
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] advertise=1G-baseT-half,1G-baseT-full
set [ find default-name=ether4 ] advertise=\
    100M-baseFX-full,1G-baseT-half,1G-baseT-full
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/interface list
add name=WAN
add name=LAN
/ip pool
add name=pool10 ranges=192.168.10.2-192.168.10.254
add name=pool20 ranges=192.168.20.2-192.168.20.254
add name=pool30 ranges=192.168.30.2-192.168.30.254
add name=pool1 ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=pool10 interface=vlan10 lease-time=1h30m name=dhcp3
add address-pool=pool20 interface=vlan20 lease-time=1h30m name=dhcp4
add address-pool=pool30 interface=vlan30 lease-time=1h30m name=dhcp5
add address-pool=pool1 interface=vlan1 lease-time=1h30m name=dhcp1
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment="Base  VLAN1 1.0" tagged=bridge untagged=\
    ether1,ether2,ether3,ether4,ether5 vlan-ids=1
add bridge=bridge comment="CAMs  VLAN10 10.0" tagged=\
    bridge,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge comment="IoT  VLAN20 20.0" tagged=\
    bridge,ether3,ether4,ether5 vlan-ids=20
add bridge=bridge comment="NoT  VLAN30 30.0" tagged=\
    bridge,ether3,ether4,ether5 vlan-ids=30
/interface list member
add interface=sfp1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.1.254/24 disabled=yes interface=bridge network=\
    192.168.1.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.1.254/24 interface=vlan1 network=192.168.1.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
/ip dhcp-client
add interface=sfp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.254 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set servers=1.1.1.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="###   Allow VLAN1 onto VLAN10" \
    dst-address=192.168.10.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="###  Allow NTP on VLAN10" dst-port=\
    123 in-interface=vlan10 protocol=udp src-port=""
add action=accept chain=forward comment="###   Allow NTP on VLAN20" dst-port=\
    123 in-interface=vlan20 protocol=udp src-port=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="###   Drop 10.xxx access to VLAN1" \
    dst-address=192.168.1.0/24 src-address=192.168.10.0/24
add action=drop chain=forward comment="###   Drop 10.xxx from WAN" \
    out-interface-list=WAN src-address=192.168.10.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=dstnat comment="###   Allow 1.0 onto 10.0" \
    dst-address=192.168.10.0/24 src-address-list=192.168.1.0/24
add action=masquerade chain=srcnat comment="###   Allow 1.0 onto 10.0" \
    dst-address=192.168.10.0/24 src-address=192.168.1.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add comment="###   Added to allow access to 10.0" disabled=no distance=1 \
    dst-address=192.168.10.0/24 gateway=192.168.1.254 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
/system clock
set time-zone-name=America/Vancouver
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=pool.ntp.org
add address=time.windows.com

You should really avoid creating VLAN interfaces with VLAN ID 1. If you still insist on doing it, based on your current config, you should go to the VLAN tab of the “bridge” interface and change the PVID value here to something other than 1, like 999 for instance.

As for why you are unable to access the router by IP address: the router’s firewall currently drops incoming connections to the router itself if the connections don’t originate from one of the interfaces in the interface list LAN (the rule with the comment “defconf: drop all not coming from LAN”). However, the interface list LAN currently only has one member, “bridge”. You need to add vlan1 to this list too:
/interface list member
add interface=vlan1 list=LAN

Also, to fully take advantage of the hEX POE hardware, which has a QCA8337 switch chip, you should consider using the way recommended by MikroTik to set up VLANs on the device, which is to NOT use Bridge VLAN Filtering, but to use the /interface/ethernet/switch/port and /interface/ethernet/switch/vlan menus:

https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-SetupExamples
https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching#BasicVLANswitching-Otherdeviceswithabuilt-inswitchchip
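To make the reasoning in the reply above concrete, here is an added example (written for this thread, not RouterOS code and not from either poster) that models the input chain from the posted config in plain Python. It walks a constructed Winbox connection arriving on vlan1 through the five input rules, first with the interface list LAN as posted (only "bridge") and then after the suggested `add interface=vlan1 list=LAN`. Rule order, comments and list membership are taken from the config above; the packets, the dst_port label 8291 (Winbox's default port) and the matcher subset are assumptions for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


# Constructed packets for the demo (8291 is Winbox's default port, used here as a label).
@dataclass
class Packet:
    in_interface: str                 # interface the packet arrived on, e.g. "vlan1"
    protocol: str = "tcp"
    dst_port: int = 8291
    connection_state: str = "new"
    dst_address: str = "192.168.1.254"


@dataclass
class Rule:
    action: str
    comment: str
    connection_state: Optional[set] = None   # e.g. {"established", "related", "untracked"}
    protocol: Optional[str] = None
    in_interface_list: Optional[str] = None  # "LAN" or the negated form "!LAN"
    dst_address: Optional[str] = None

    def matches(self, pkt: Packet, lists: dict) -> bool:
        """Every matcher present on the rule must hold, as in a RouterOS filter rule."""
        if self.connection_state is not None and pkt.connection_state not in self.connection_state:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.in_interface_list is not None:
            negated = self.in_interface_list.startswith("!")
            members = lists.get(self.in_interface_list.lstrip("!"), set())
            in_list = pkt.in_interface in members
            if in_list == negated:          # "!LAN" matches only interfaces NOT in LAN
                return False
        if self.dst_address is not None and pkt.dst_address != self.dst_address:
            return False
        return True


# The input chain from the posted config, in the posted order.
INPUT_CHAIN = [
    Rule("accept", "defconf: accept established,related,untracked",
         connection_state={"established", "related", "untracked"}),
    Rule("drop", "defconf: drop invalid", connection_state={"invalid"}),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
    Rule("accept", "defconf: accept to local loopback (for CAPsMAN)", dst_address="127.0.0.1"),
]

# Interface list membership exactly as posted: LAN contains only "bridge".
POSTED_LISTS = {"WAN": {"sfp1"}, "LAN": {"bridge"}}


def with_vlan1_in_lan(lists: dict) -> dict:
    """Apply the reply's fix: /interface list member add interface=vlan1 list=LAN."""
    fixed = {name: set(members) for name, members in lists.items()}
    fixed["LAN"].add("vlan1")
    return fixed


def evaluate_input(pkt: Packet, lists: dict) -> tuple:
    """First matching rule decides (action, comment). A packet that reaches the end
    of the chain without matching any rule is accepted, since RouterOS chains have
    no implicit drop policy."""
    for rule in INPUT_CHAIN:
        if rule.matches(pkt, lists):
            return rule.action, rule.comment
    return "accept", "end of chain (no rule matched)"


if __name__ == "__main__":
    winbox = Packet("vlan1")
    ping = Packet("vlan1", protocol="icmp")
    scenarios = (("as posted", POSTED_LISTS),
                 ("vlan1 added to LAN", with_vlan1_in_lan(POSTED_LISTS)))
    for label, lists in scenarios:
        print(f"{label}: Winbox from vlan1 -> {evaluate_input(winbox, lists)}")
        print(f"{label}: ping from vlan1   -> {evaluate_input(ping, lists)}")
```

Running it shows the new Winbox connection from vlan1 hitting "defconf: drop all not coming from LAN" with the posted lists, and falling off the end of the chain (accepted) once vlan1 is a LAN member; ICMP from vlan1 is accepted in both cases because the ICMP rule sits above the drop. MAC Winbox is deliberately not modelled: it is a layer-2 service that never passes through /ip firewall filter, which is why it kept working for the original poster.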

I created the setup using the HW offloading method according to a video on the subject, but the table you pointed to does state that HW offload is disabled in Bridge VLAN filtering mode. I will have to start experimenting using the interface method. In theory, then, using the interface mode should make things faster.

Thanks very much for the help. Fast and easy fix.

I will have to re-read that massive thread on VLANs. My take-away was that the inconvenience outweighed the benefit for a new user. If misconfigured, services can still run on the base LAN.