I’m trying to create a management VLAN on all the RJ45 ethernet ports on my CCR2116 router.
I’ve set the ports as “untagged 100”, tagged the bridge with VLAN 100 and called the VLAN “MGMT”
The LAN network (VLAN 1/default) is configured as 10.12.1.1/24, connected to two of the SFP+ ports. The MGMT VLAN is 10.100.1.1/24, on all the RJ45 ports.
DHCP does seem to work on the MGMT VLAN, as the devices are getting an IP address and appear in the leases list.
I am able to ping 10.100.1.1 (MGMT VLAN, router IP) from a device on the LAN network, however trying to ping/access any device on VLAN 100, for example 10.100.1.50 times out.
Pinging using the “Ping” tool in RouterOS does work, however. I’m not sure where I went wrong here: the “Allow forwarding” rule is in place, and I briefly tried an “allow all” firewall rule, but that didn’t help.
Pinging other devices on the LAN network works just fine.
Worst part is, I had this setup work properly not so long ago but I’m not sure what change I made that caused the VLAN to stop working.
Does anyone have an idea what might be wrong here?
# 2025-03-31 23:22:06 by RouterOS 7.18.1
# model = CCR2116-12G-4S+
# One bridge with VLAN filtering enabled. The untagged LAN and VLAN 100 both
# live on this bridge, so they are separated at layer 2 by the VLAN table and
# at layer 3 only by whatever the firewall forward chain enforces.
/interface bridge
add name=bridge port-cost-mode=short vlan-filtering=yes
# IPIP tunnel "monitor" between two public addresses (redacted by the poster).
# NOTE(review): no ipsec-secret is visible on this line. Exports hide sensitive
# values by default, so confirm on the router whether the tunnel is
# IPsec-protected; plain IPIP carries the inner traffic unencrypted.
/interface ipip
add local-address=88.99.a.b name=monitor remote-address=168.119.a.b
# Layer-3 interface for the management network: VLAN ID 100 on top of the bridge.
/interface vlan
add interface=bridge name=MGMT vlan-id=100
# LACP (802.3ad) bond of sfp-sfpplus3 and sfp-sfpplus4 with 1-second LACP rate.
/interface bonding
add comment="SW Bond" lacp-rate=1sec mode=802.3ad name="SW Bond" slaves=sfp-sfpplus3,sfp-sfpplus4
# Interface lists WAN and LAN are only declared here; members are added under
# "/interface list member".
/interface list
add name=WAN
add name=LAN
# Address pools: one for the untagged LAN, one for the management VLAN.
/ip pool
add name=dhcp ranges=10.12.1.150-10.12.1.253
add name="MGMT DHCP" ranges=10.100.1.150-10.100.1.253
# dhcp1 serves the untagged network on the bridge with 10-minute leases.
# MGMT serves the VLAN 100 interface; its lease time is not set explicitly.
# The options each server hands out (gateway, DNS, netmask) come from
# "/ip dhcp-server network", not from these lines.
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=dhcp1
add address-pool="MGMT DHCP" interface=MGMT name=MGMT
# Bridge port membership.
# ether1-ether12 are access ports with pvid=100, so untagged frames arriving on
# them are placed in VLAN 100.
# ether13, sfp-sfpplus2 and "SW Bond" have no pvid on their lines, so they are
# presumably left on the default PVID (the untagged LAN) - confirm on the router.
/interface bridge port
add bridge=bridge interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether9 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether10 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether11 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=ether12 internal-path-cost=10 path-cost=10 pvid=100
add bridge=bridge interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridge interface="SW Bond"
# Connection tracking: UDP entries time out after 10 seconds.
/ip firewall connection tracking
set udp-timeout=10s
# VLAN table entry for VLAN 100: the bridge itself is a tagged member, which is
# what lets the MGMT VLAN interface see this VLAN, and ether1-ether12 are
# untagged members. This agrees with the pvid=100 settings above, so the
# layer-2 side of the management VLAN looks consistent in this export.
# No entry for the untagged LAN VLAN is listed here.
/interface bridge vlan
add bridge=bridge comment=MGMT tagged=bridge untagged="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12" vlan-ids=100
# Interface list membership: sfp-sfpplus1 is WAN, the bridge is LAN.
# The MGMT VLAN interface and the "monitor" tunnel belong to neither list.
# No firewall rule in this export matches on an interface list, so the lists
# currently have no filtering effect.
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge list=LAN
# Router addresses: LAN gateway on the bridge, tunnel-side address on "monitor",
# the public /29 on sfp-sfpplus1, and the management gateway on the MGMT VLAN.
/ip address
add address=10.12.1.1/24 comment=LAN interface=bridge network=10.12.1.0
add address=10.12.0.1/24 comment="Jumphost Bridge" interface=monitor network=10.12.0.0
add address=88.99.a.b/29 comment="Public" interface=sfp-sfpplus1 network=88.99.a.b
add address=10.100.1.1/24 comment=MGMT interface=MGMT network=10.100.1.0
# A DHCP client also runs on sfp-sfpplus1, the same port that carries the
# static public address above.
/ip dhcp-client
add interface=sfp-sfpplus1
# Only the LAN subnet has a DHCP network entry (gateway, DNS, netmask).
# NOTE(review): there is no entry for 10.100.1.0/24, so based on this export the
# MGMT DHCP server has no gateway or DNS option to hand out. Clients would still
# get a lease but no default route, which fits the symptom described: the router
# can ping them from 10.100.1.1, while routed traffic from the LAN gets no reply.
# Check a MGMT client's lease for its gateway and netmask to confirm.
/ip dhcp-server network
add address=10.12.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.12.1.1 netmask=24
# Upstream resolvers used by the router itself.
/ip dns
set servers=8.8.8.8,8.8.4.4
# Address list "Servers": the jump host's public address plus several private
# ranges, including the whole LAN and MGMT subnets. The input chain below
# accepts anything sourced from this list, so every host on those subnets can
# reach every enabled router service.
/ip firewall address-list
add address=168.119.a.b comment="Jump Host" list="Servers"
add address=10.10.0.0/24 comment="VSwitch" list="Servers"
add address=10.10.1.0/24 comment="Cloud" list="Servers"
add address=10.12.1.0/24 comment="LAN" list="Servers"
add address=10.12.0.0/24 comment="Jumphost Bridge" list="Servers"
add address=10.100.1.0/24 comment=MGMT list="Servers"
# Filter rules are evaluated in order within each chain; the first match wins.
# input chain (traffic to the router itself): accept established/related,
# accept ICMP from any source, accept anything from the "Servers" list, then
# drop and log the rest.
# forward chain (traffic routed through the router): the "Allow forwarding"
# rule accepts every packet unconditionally and no drop rule follows it.
# NOTE(review): with that rule, LAN and MGMT can reach each other without
# restriction and nothing filters traffic arriving on the WAN port for
# forwarding, so the management VLAN is not isolated at layer 3. It also means
# the firewall is unlikely to be what blocks the LAN-to-MGMT pings.
# NOTE(review): the FastTrack rule sits after the unconditional forward accept,
# so no packet reaches it. It would need to be placed before that rule to have
# any effect.
# NOTE(review): no rule drops connection-state=invalid in either chain.
/ip firewall filter
add action=accept chain=input comment="Allow Establisted" connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow known origins" src-address-list="Servers"
add action=accept chain=forward comment="Allow forwarding"
add action=drop chain=input comment="Block all" log=yes
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
# Source NAT: masquerade everything leaving through sfp-sfpplus1. Traffic
# routed out of the "monitor" tunnel does not match this rule.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
# Default IPsec profile: dead-peer detection every 2 minutes, peer declared
# dead after 5 failures. No IPsec peers or policies appear in this export.
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Static routes: default route via the (redacted) public gateway, and two
# private /24s reached through the "monitor" tunnel.
/ip route
add comment=Default disabled=no distance=1 dst-address=0.0.0.0/0 gateway=88.99.a.b routing-table=main suppress-hw-offload=no
add comment="vswitch" disabled=no distance=1 dst-address=10.10.0.0/24 gateway=monitor routing-table=main suppress-hw-offload=no
add comment="Cloud" disabled=no distance=1 dst-address=10.10.1.0/24 gateway=monitor routing-table=main suppress-hw-offload=no
# Management services: telnet, ftp and winbox are disabled; www (plain-HTTP
# WebFig) stays enabled and is moved to port 8000.
# NOTE(review): services not listed here (ssh, api, api-ssl, www-ssl) are
# presumably at their defaults - confirm with "/ip service print". No service
# has an address= restriction, so access control rests entirely on the input
# chain. Logins over plain HTTP travel unencrypted on any path that is not
# otherwise protected.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8000
set winbox disabled=yes
# Default SMB share pointed at /pub. Whether the SMB service itself is enabled
# is not shown in this export.
/ip smb shares
set [ find default=yes ] directory=/pub
# Time zone for the system clock.
/system clock
set time-zone-name=Europe/Berlin
# Do not display the system note at login.
/system note
set show-at-login=no
# Key that enters the RouterBOOT setup menu during boot.
/system routerboard settings
set enter-setup-on=delete-key