VLAN issue with CRS112-8P-4S, 6.45.9

Hello. I have tried different approaches to this, but I’m stuck. Probably I just made a stupid mistake somewhere. Please point any problems out!

I have a test setup with three ports on the switch configured:

  • ether3 - VLAN 3 access port
  • ether5 - VLAN 4 access port
  • ether7 - trunk port (tagged)

Switch has admin access on VLAN 4: IP address 192.168.99.1/24

Configuration attached. What happens is:

  • When I try to access the switch from access port 5 with the aforementioned IP using SSH, that is successful.
  • When I connect my trunk to port 7 and try to access the switch that way, the SSH connection times out.

Any pointers as to what I am doing wrong?

# jan/02/1970 00:35:37 by RouterOS 6.45.9
# software id = ...
#
# model = CRS112-8P-4S
# serial number = ...
/interface bridge
add admin-mac=... auto-mac=no comment=defconf name=bridge
add name=bridge1
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether3,ether5,ether7
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether7
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether7 vlan-id=3
add tagged-ports=ether7 vlan-id=4
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=3 ports=ether3
add customer-vid=0 new-customer-vid=4 ports=ether5
/interface ethernet switch vlan
add ports=ether3,ether7 vlan-id=3
add ports=switch1-cpu,ether5,ether7 vlan-id=4
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp9 list=LAN
add interface=sfp10 list=LAN
add interface=sfp11 list=LAN
add interface=sfp12 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.99.1/24 interface=bridge1 network=192.168.99.0
/system identity
set name=switch

Are you tagging the traffic on ether7? It’s a tagged VLAN that you have placed on this interface, so you need to tag the traffic with VLAN 4 in order to access the equipment.

Yes, the interface I connected to ether7 has all traffic tagged.

First correct this to add switch1-cpu as a tagged port:
/interface ethernet switch egress-vlan-tag add tagged-ports=switch1-cpu,ether7 vlan-id=4

Then you need to create a vlan interface on the bridge:
/interface vlan add interface=bridge1 vlan-id=4 name=vlan4

And put the IP address on the VLAN interface, not the bridge (delete the existing):
/ip address add address=192.168.99.1/24 interface=vlan4

Make sure you have a separate management port to do all this, otherwise you risk cutting yourself off.
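
Added example, not part of the thread: a small Python check that encodes the three steps of the answer above and runs them against a RouterOS export, so the management-VLAN path can be verified before the separate management port is given up. The function names and the trimmed sample export are constructed for illustration; the parser assumes simple `key=value` pairs on `add` lines.

```python
import re

# Constructed sample: the relevant menus from the first export in the thread.
BEFORE = """\
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether7 vlan-id=3
add tagged-ports=ether7 vlan-id=4
/interface ethernet switch vlan
add ports=ether3,ether7 vlan-id=3
add ports=switch1-cpu,ether5,ether7 vlan-id=4
/ip address
add address=192.168.99.1/24 interface=bridge1 network=192.168.99.0
"""

def parse_export(text):
    """Map menu path -> list of dicts from 'add' lines (no quoted values or line continuations)."""
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            menus[menu].append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return menus

def check_mgmt_vlan(text, vid, cpu="switch1-cpu"):
    """Return the list of problems with CPU (management) access on VLAN vid."""
    m = parse_export(text)
    vid = str(vid)
    problems = []
    def ports(menu, key):
        return {p for e in m.get(menu, []) if e.get("vlan-id") == vid
                for p in e.get(key, "").split(",")}
    if cpu not in ports("/interface ethernet switch vlan", "ports"):
        problems.append("cpu not a member of the VLAN")
    if cpu not in ports("/interface ethernet switch egress-vlan-tag", "tagged-ports"):
        problems.append("cpu not a tagged port for the VLAN")
    vlan_ifs = {e["name"] for e in m.get("/interface vlan", [])
                if e.get("vlan-id") == vid and "name" in e}
    if not vlan_ifs:
        problems.append("no VLAN interface for the VLAN")
    elif not any(e.get("interface") in vlan_ifs for e in m.get("/ip address", [])):
        problems.append("no IP address on the VLAN interface")
    return problems

if __name__ == "__main__":
    print(check_mgmt_vlan(BEFORE, 4))
```

An empty list means all three conditions from the answer hold for that VLAN; it does not check the tagging on the device at the other end of the trunk.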

Worked, thanks!

.. Actually, does not work completely. Strange.

The final configuration below:
Port 1 is mostly on default config, but IP address changed to 192.168.88.8.
Ports 2-4 are access ports for VLAN 3 (switch addr 192.168.93.4)
Ports 5-6 are access ports for VLAN 4 (switch addr 192.168.94.4)
Ports 7-12 are trunk ports (VLANs 3,4,9 tagged)

What works:

  • The trunk. Tagged traffic on ether7 goes nicely to sfp9 and vice versa. I can also access the two switch IPs from trunk side. The switch can access respective networks thru the trunk (ntp, dns). Internet works thru trunk.
  • Access ports w/ Windows laptop. On all access ports, I can connect the PC and receive response from the respective DHCP server elsewhere on the network. Traffic also flows.

Then, I configured another Mikrotik box (hAP ac lite) and gave it two IP addresses: 192.168.88.1 and 192.168.93.13.

What still works:

  • When I connect the above hAP to port 1, I can access it as 192.168.88.1

What does NOT work:

  • When I connect the hAP to port 2, I can NOT access it as 192.168.93.13 (connecting the hAP on another VLAN 3 access port elsewhere makes it visible to everybody)

Any help? Again, I am hopelessly stuck…

The current config:

# jan/27/2021 18:43:04 by RouterOS 6.48
# software id = ...
#
# model = CRS112-8P-4S
# serial number = ...
/interface bridge
add admin-mac=... auto-mac=no comment=defconf name=bridge
add admin-mac=... auto-mac=no name=bridge1
/interface vlan
add interface=bridge1 name=vlan3 vlan-id=3
add interface=bridge1 name=vlan4 vlan-id=4
add interface=bridge1 name=vlan9 vlan-id=9
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp9
add bridge=bridge1 interface=sfp10
add bridge=bridge1 interface=sfp11
add bridge=bridge1 interface=sfp12
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu,ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=3
add tagged-ports=switch1-cpu,ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=4
add tagged-ports=switch1-cpu,ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=9
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=3 ports=ether2,ether3,ether4
add customer-vid=0 new-customer-vid=4 ports=ether5,ether6
/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether3,ether4,ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=3
add ports=switch1-cpu,ether5,ether6,ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=4
add ports=switch1-cpu,ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=9
/interface list member
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp9 list=LAN
add interface=sfp10 list=LAN
add interface=sfp11 list=LAN
add interface=sfp12 list=LAN
/ip address
add address=192.168.88.8/24 comment=defconf interface=ether1 network=192.168.88.0
add address=192.168.93.4/24 interface=vlan3 network=192.168.93.0
add address=192.168.94.4/24 interface=vlan4 network=192.168.94.0
add address=192.168.99.4/24 interface=vlan9 network=192.168.99.0
/ip dns
set allow-remote-requests=yes servers=192.168.93.100,192.168.94.110,8.8.8.8
/ip route
add distance=1 gateway=192.168.93.1 pref-src=192.168.93.4
/system ntp client
set enabled=yes primary-ntp=192.168.93.100 secondary-ntp=192.168.94.110

Works now, with some minor tweaking.