VLAN PROBLEM

Hi, I have noticed a problem: when I reboot my router I can't get a connection back to the internet until I reboot the switch. The switch is connected to the 5G CPE on port 5 (DHCP handed IP).
Port 1 is a trunk to the MikroTik router.
The trunk port on the router is set to PVID 1. VLAN 1 = bridge; VLAN 1000 = bridge and trunk port.

My config is:

VLAN 10 LAN
VLAN 1000 WAN

swOS
Port 1 Trunk, VLAN mode strict, only tagged, VLAN ID 1, VLAN header=leave as is
VLAN ID 10 (IVL) add if missing
VLAN ID 1000 (IVL) add if missing

Port 2 VLAN mode strict, only untagged, VLAN ID 10, VLAN header=leave as is (always strip VLAN 10, and not a member of VLAN 1000 under VLANs)
Port 3 VLAN mode strict, only untagged, VLAN ID 10, VLAN header=leave as is (always strip VLAN 10, and not a member of VLAN 1000 under VLANs)
Port 4 VLAN mode strict, only untagged, VLAN ID 10, VLAN header=leave as is (always strip VLAN 10, and not a member of VLAN 1000 under VLANs)

Port 5 VLAN mode strict, any, VLAN ID 1000, VLAN header=leave as is (not a member of VLAN 10, and always strip VLAN 1000 under VLANs)

Is there something I'm missing? It works flawlessly until the router reboots; then I have to reboot the switch to make it work again.

Diagram of network please, as your explanation sheds no light.
Config of MT device
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)

2024-11-05 06:04:16 by RouterOS 7.16.1

software id = IYUC-L43Z

model = RB4011iGS+

serial number =

/interface bridge
add arp=proxy-arp name=bridge-VLAN port-cost-mode=short priority=0x6000
vlan-filtering=yes
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether6 ] comment="WAN/LAN VLAN TRUNK"
set [ find default-name=ether9 ] name="ether9 - Downlink"
set [ find default-name=ether10 ] name="ether10 - AP"
/interface wireguard
add listen-port=13231 mtu=1420 name=Mullvad
add comment=back-to-home-vpn listen-port=21350 mtu=1420 name=back-to-home-vpn
add disabled=yes listen-port=13232 mtu=1420 name=wg-user
add listen-port=14000 mtu=1420 name=wireguard-site2site
/interface vlan
add arp=proxy-arp interface=bridge-VLAN name="MULLVAD VLAN" vlan-id=66
add arp=proxy-arp interface=bridge-VLAN name=vlan10-admin vlan-id=10
add arp=proxy-arp interface=bridge-VLAN name=vlan99 vlan-id=99
add interface=bridge-VLAN name=vlan1000 vlan-id=1000
add interface=bridge-VLAN name=vlan2000 vlan-id=2000
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add fri=8h-19h45m mon=8h-19h45m name="Odin surfplatta" sat=8h-19h45m sun=
8h-19h45m thu=8h-19h45m tue=8h-19h45m wed=8h-19h45m
add fri=7h-1d mon=7h-1d name="Odin dator" sat=6h-1d sun=6h-1d thu=7h-1d tue=
7h-1d wed=7h-1d
/ip pool
add name=dhcp_pool1 ranges=10.0.20.30-10.0.20.254
add name=dhcp_pool2 ranges=10.0.30.50-10.0.30.254
add name=dhcp_pool3 ranges=10.0.99.2-10.0.99.254
add name=dhcp_pool4 ranges=192.168.66.100-192.168.66.254
add name=dhcp_pool5 ranges=192.168.99.10-192.168.99.254
add name=dhcp_pool6 ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool7 ranges=10.2.2.2-10.2.2.6
add name=dhcp_pool8 ranges=10.0.99.2-10.0.99.6
/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlan10-admin lease-time=5m name=dhcp1
add address-pool=dhcp_pool4 interface="MULLVAD VLAN" lease-time=10m name=
dhcp2
add address-pool=dhcp_pool7 interface=vlan2000 name=dhcp5
add address-pool=dhcp_pool8 interface=vlan99 name=dhcp3
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
set 0 bridge=bridge-VLAN
/queue type
add kind=pcq name=odin-dl pcq-burst-rate=120M pcq-burst-threshold=120M
pcq-classifier=dst-address pcq-rate=100M
set 6 pcq-rate=5M
set 7 pcq-burst-rate=15M pcq-burst-threshold=15M pcq-rate=5M
/queue simple
add disabled=yes max-limit=10M/10M name=queue1 queue=
pcq-upload-default/pcq-download-default target=10.0.20.22/32
add max-limit=150M/150M name=queue2 queue=default-small/odin-dl target=
10.0.20.106/32
add max-limit=150M/150M name=queue3 queue=default-small/odin-dl target=
10.0.20.91/32
/routing pimsm instance
add disabled=no name=pimsm-instance1 vrf=main
/routing table
add disabled=no fib name=mullvad
/system logging action
set 3 remote=..
.* remote-port=5514 syslog-severity=emergency
/dude
set enabled=yes
/interface bridge port
add bridge=bridge-VLAN interface="ether9 - Downlink" internal-path-cost=10
path-cost=10 pvid=10
add bridge=bridge-VLAN comment=Tv interface=ether8 internal-path-cost=10
path-cost=10 pvid=66
add bridge=bridge-VLAN disabled=yes interface=ether7 internal-path-cost=10
path-cost=10 pvid=99
add bridge=bridge-VLAN frame-types=admit-only-vlan-tagged interface=ether6
internal-path-cost=10 path-cost=10
add bridge=bridge-VLAN interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-VLAN interface=ether4 internal-path-cost=10 path-cost=10
pvid=10
add bridge=bridge-VLAN interface=ether3 internal-path-cost=10 path-cost=10
pvid=10
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10 pvid=
10
add bridge=bridge-VLAN interface="ether10 - AP" internal-path-cost=10
path-cost=10 pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge-VLAN tagged=
"bridge-VLAN,ether2,ether3,ether4,ether9 - Downlink,ether10 - AP"
untagged=ether8 vlan-ids=66
add bridge=bridge-VLAN tagged=bridge-VLAN,ether6 vlan-ids=10
add bridge=bridge-VLAN comment="WAN VLAN" tagged=bridge-VLAN,ether6 vlan-ids=
1000
add bridge=bridge-VLAN vlan-ids=99
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add interface=studie1 list=VLAN
add interface=vlan10-admin list=VLAN
add interface=lokholmsvagen list=VLAN
add interface=vlan1000 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=************
endpoint-port=51820 interface=1E name=peer9 public-key=
""
add allowed-address=192.168.216.3/32 comment="Home (iPhone 13 Pro)"
interface=back-to-home-vpn name=peer17 public-key=
"
"
add allowed-address=192.168.216.4/32 comment="MAC DATOR" interface=
back-to-home-vpn name=peer18 public-key=
""
add allowed-address=10.254.254.2/32 comment=gangsmad disabled=yes
endpoint-port=51820 interface=wg-user name=peer19 public-key=
"
"
add allowed-address=0.0.0.0/0 endpoint-address=
... endpoint-port=
51820 interface=Mullvad name=Mullvad persistent-keepalive=15s public-key=
"
"
add allowed-address=10.200.200.3/32,192.168.10.0/24 interface=
wireguard-site2site name=peer23 public-key=
"
"
/ip address
add address=10.0.20.1/24 interface=vlan10-admin network=10.0.20.0
add address=10.0.10.1/24 interface=vlan10-admin network=10.0.10.0
add address=192.168.88.8/24 interface=vlan10-admin network=192.168.88.0
add address=********** interface=Mullvad network=**********
add address=192.168.66.1/24 interface="MULLVAD VLAN" network=192.168.66.0
add address=192.168.0.1/24 interface=vlan10-admin network=192.168.0.0
add address=10.200.200.2 interface=wireguard-site2site network=10.200.200.1
add address=10.0.0.10 interface=vlan10-admin network=10.0.0.0
add address=10.2.2.1/29 disabled=yes interface=vlan2000 network=10.2.2.0
add address=10.0.99.1/29 comment=MGMT_VLAN interface=vlan99 network=10.0.99.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=ether1-wan use-peer-dns=no
add interface=vlan1000
/ip dhcp-server alert
add disabled=no interface=vlan10-admin on-alert=
":log error message="Not accepted DHCP server"" valid-server=
74:4D:28:64:A4:07
/ip dhcp-server lease
add address=10.0.20.70 mac-address=5C:C3:36:39:7A:3B server=dhcp1
add address=10.0.20.48 mac-address=84:7A:B6:EE:F2:31 server=dhcp1
add address=10.0.20.34 client-id=1:44:5c:e9:8f:95:c2 mac-address=
44:5C:E9:8F:95:C2 server=dhcp1
add address=10.0.20.111 mac-address=38:AF:29:03:64:BB server=dhcp1
add address=10.0.20.60 mac-address=40:ED:00:8D:5D:EA server=dhcp1
add address=10.0.20.91 mac-address=C4:35:D9:AE:BB:EC server=dhcp1
add address=10.0.20.86 comment=HA disabled=yes mac-address=2C:CF:67:27:F5:B4
server=dhcp1
add address=10.0.20.84 client-id=1:ac:64:cf:2d:85:4d comment=Doorbell
mac-address=AC:64:CF:2D:85:4D server=dhcp1
add address=10.0.20.102 client-id=1:4:d9:f5:20:73:dc comment="Odins dator"
mac-address=04:D9:F5:20:73:DC server=dhcp1
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=1.1.1.1 domain=local gateway=10.0.10.1
netmask=24
add address=10.0.20.0/24 dns-server=1.1.1.1 domain=local gateway=10.0.20.1
netmask=24
add address=10.0.99.0/29 dns-server=1.1.1.1 gateway=10.0.99.1
add address=10.2.2.0/29 dns-server=1.1.1.1 gateway=10.2.2.1
add address=192.168.66.0/24 dns-server=100.64.0.55 gateway=192.168.66.1
netmask=24
add address=192.168.99.0/24 gateway=192.168.99.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=172.10.10.21 name=unifi type=A
add address=10.0.20.80 name=hemmadisplay.local type=A
/ip firewall address-list
add address=10.0.20.0/24 list=allowed_to_router
add address=10.0.30.0/24 list=allowed_to_router
add address=192.168.250.0/24 list=allowed_to_router
add address=172.10.10.0/24 list=allowed_to_router
add address=10.0.99.0/24 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=
not_in_internet
add address=
******** list="ALLOWED OUTSIDE VLAN"
add address=******** list="ALLOWED OUTSIDE VLAN"
add address=******** list="ALLOWED OUTSIDE VLAN"
add address=***** list="ALLOWED OUTSIDE VLAN"
add address=********** list="ALLOWED OUTSIDE VLAN"
add address=10.0.20.1 list=router
add address=10.0.10.0/24 list=allowed_to_router
add address=10.0.20.106 list="odin dator"
add address=10.0.20.60 list=no-internet
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules"
jump-target=kid-control
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment=wireguard dst-port=51820 protocol=udp
add action=accept chain=input comment=wireguard dst-port=14000 protocol=udp
add action=accept chain=input comment=wireguard dst-port=13232 protocol=udp
add action=accept chain=output disabled=yes dst-address=*********
dst-port=51820 protocol=udp
add action=accept chain=input comment=wireguard dst-port=13666 protocol=udp
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input connection-state=invalid disabled=yes
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=drop chain=input disabled=yes in-interface-list=WAN protocol=icmp
add action=drop chain=forward connection-state=invalid disabled=yes
add action=drop chain=forward connection-nat-state=!dstnat connection-state=
new disabled=yes in-interface-list=WAN
add action=drop chain=input disabled=yes
add action=accept chain=forward dst-address=10.0.20.0/24 src-address=
10.0.20.60
add action=reject chain=forward reject-with=icmp-network-unreachable
src-address=10.0.20.60
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface="MULLVAD VLAN"
new-routing-mark=mullvad passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.20.0/24 src-address=
10.0.20.0/24
add action=masquerade chain=srcnat dst-address=10.0.10.0/24 src-address=
10.0.10.0/24
add action=accept chain=srcnat dst-address=10.0.20.60
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=Mullvad src-address=
192.168.66.0/24
add action=dst-nat chain=dstnat comment="nas sync firman" dst-port=873
protocol=tcp to-addresses=10.0.20.20 to-ports=873
add action=dst-nat chain=dstnat comment="nas sync firman" dst-port=22
protocol=tcp to-addresses=10.0.20.20 to-ports=22
add action=dst-nat chain=dstnat disabled=yes dst-address=!10.0.20.8 protocol=
tcp src-address=!10.0.20.8 to-addresses=10.0.20.8 to-ports=53
add action=dst-nat chain=dstnat disabled=yes dst-address=!10.0.20.8 protocol=
udp src-address=!10.0.20.8 to-addresses=10.0.20.8 to-ports=53
add action=masquerade chain=srcnat disabled=yes dst-address=10.0.20.8
dst-port=53 protocol=tcp src-address=10.0.20.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=10.0.20.8
dst-port=53 protocol=tcp src-address=10.0.30.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=10.0.20.8
dst-port=53 protocol=udp src-address=10.0.30.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=10.0.20.8
dst-port=53 protocol=udp src-address=10.0.20.0/24
add action=dst-nat chain=dstnat dst-address-list=!router dst-address-type=
local dst-port=8123 protocol=tcp to-addresses=10.0.20.86 to-ports=8123
add action=dst-nat chain=dstnat dst-address-list=!router dst-address-type=
local dst-port=443 protocol=tcp to-addresses=10.0.20.54 to-ports=8123
add action=dst-nat chain=dstnat dst-address-list=!router dst-address-type=
local dst-port=33443 protocol=tcp to-addresses=10.0.20.160 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=!router dst-address-type=
local dst-port=8980 protocol=tcp to-addresses=10.0.20.8 to-ports=80
add action=dst-nat chain=dstnat dst-address-list=!router dst-address-type=
local dst-port=8080 protocol=tcp to-addresses=10.0.20.4 to-ports=8080
add action=dst-nat chain=dstnat comment="ftp nas" dst-port=50021 protocol=tcp
to-addresses=10.0.20.4 to-ports=50022
add action=dst-nat chain=dstnat dst-port=2055 protocol=udp to-addresses=
10.0.20.91 to-ports=2055
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control device
add mac-address=B2:B1:D3:82:04:E7 name=Galaxy-Tab-A user="Odin surfplatta"
add mac-address=B8:AE:ED:30:E2:E5 name="Odin dator" user="Odin dator"
/ip route
add disabled=yes distance=1 dst-address=******** gateway=10.0.20.1
pref-src="" routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
add disabled=no distance=1 dst-address=192.168.66.0/24 gateway=Mullvad
pref-src="" routing-table=mullvad scope=30 suppress-hw-offload=no
target-scope=10
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=10.200.200.1
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.20.0/24,172.16.10.3/32,172.16.10.2/32
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip traffic-flow
set cache-entries=16k
/ip traffic-flow target
add dst-address=10.0.20.64 version=ipfix
/ppp secret
add local-address=10.0.20.1 name=fridenmyr remote-address=10.0.20.203
service=l2tp
add local-address=10.0.20.1 name=hagblom profile=default-encryption
remote-address=10.0.20.206 service=l2tp
add local-address=10.0.20.1 name=fredrikhossmo remote-address=10.0.20.212
service=l2tp
add local-address=10.0.20.1 name=hemma remote-address=10.0.20.213 service=
l2tp
add local-address=10.0.20.1 name=strandtorp remote-address=10.0.20.214
service=l2tp
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=mullvad src-address=
192.168.66.1/24 table=mullvad
/system clock
set time-zone-name=Europe/Stockholm
/system logging
set 0 topics=info,!wireguard
add action=remote disabled=yes topics=info
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=gbg1.ntp.se
/system script
add dont-require-permissions=no name=dyndns owner=l2 policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#
_Set needed variables\r
\n\t:local username ""\r
\n\t:local clientkey "
"\r
\n\t:local hostname "
"\r
\n\r
\n\t:global dyndnsForce\r
\n\t:global previousIP\r
\n\r
\n# get the current IP address from the internet (in case of double-nat)\r
\n\t/tool fetch mode=http address="checkip.dyndns.org" src-path="/" ds
t-path="/dyndns.checkip.html"\r
\n\t:delay 1\r
\n\t:local result [/file get dyndns.checkip.html contents]\r
\n\r
\n# parse the current IP result\r
\n\t:local resultLen [:len $result]\r
\n\t:local startLoc [:find $result ": " -1]\r
\n\t:set startLoc ($startLoc + 2)\r
\n\t:local endLoc [:find $result "" -1]\r
\n\t:local currentIP [:pick $result $startLoc $endLoc]\r
\n\t:log info "UpdateDynDNS: currentIP = $currentIP"\r
\n\r
\n# Remove the # on next line to force an update every single time - usefu
l for debugging,\r
\n# but you could end up getting blacklisted by DynDNS!\r
\n\r
\n#:set dyndnsForce true\r
\n\r
\n# Determine if dyndns update is needed\r
\n# more dyndns updater request details https://help.dyn.com/remote-access\
-api/perform-update/\r
\n\t:log info "UpdateDynDNS: previousIP = $previousIP"\r
\n\t:if ($dyndnsForce = true) do={ :log warning "UpdateDynDNS: Forced up
date on" }\r
\n\r
\n\t:if (($currentIP != $previousIP) || ($dyndnsForce = true)) do={\r
\n\t\t:set dyndnsForce false\r
\n\t\t:set previousIP $currentIP\r
\n\r
\n\t\t/tool fetch mode=https \\r
\n\t\turl="https://$username:$clientkey@members.dyndns.org/v3/update?h
ostname=$hostname&myip=$currentIP" \ \r
\n\t\tdst-path="/dyndns.txt"\r
\n\r
\n\t\t:delay 1\r
\n\t\t:local result [/file get dyndns.txt contents]\r
\n\t\t:log info ("UpdateDynDNS: Dyndns update needed")\r
\n\t\t:log info ("UpdateDynDNS: Dyndns Update Result: ".$result)\r
\n\t\t:put ("Dyndns Update Result: ".$result)\r
\n\t} else={\r
\n\t\t:log info ("UpdateDynDNS: No dyndns update needed")\r
\n\t}"
add dont-require-permissions=no name=dyndns2 owner=l2 policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#
_Set needed variables\r
\n\t:local username "
"\r
\n\t:local clientkey "
**************"\r
\n\t:local hostname "
"\r
\n\r
\n\t:global dyndnsForce\r
\n\t:global previousIP\r
\n\r
\n# get the current IP address from the internet (in case of double-nat)\r
\n\t/tool fetch mode=http address="checkip.dyndns.org" src-path="/" ds
t-path="/dyndns.checkip.html"\r
\n\t:delay 1\r
\n\t:local result [/file get dyndns.checkip.html contents]\r
\n\r
\n# parse the current IP result\r
\n\t:local resultLen [:len $result]\r
\n\t:local startLoc [:find $result ": " -1]\r
\n\t:set startLoc ($startLoc + 2)\r
\n\t:local endLoc [:find $result "" -1]\r
\n\t:local currentIP [:pick $result $startLoc $endLoc]\r
\n\t:log info "UpdateDynDNS: currentIP = $currentIP"\r
\n\r
\n# Remove the # on next line to force an update every single time - usefu
l for debugging,\r
\n# but you could end up getting blacklisted by DynDNS!\r
\n\r
\n#:set dyndnsForce true\r
\n\r
\n# Determine if dyndns update is needed\r
\n# more dyndns updater request details https://help.dyn.com/remote-access\
-api/perform-update/\r
\n\t:log info "UpdateDynDNS: previousIP = $previousIP"\r
\n\t:if ($dyndnsForce = true) do={ :log warning "UpdateDynDNS: Forced up
date on" }\r
\n\r
\n\t:if (($currentIP != $previousIP) || ($dyndnsForce = true)) do={\r
\n\t\t:set dyndnsForce false\r
\n\t\t:set previousIP $currentIP\r
\n\r
\n\t\t/tool fetch mode=https \\r
\n\t\turl="https://$username:$clientkey@members.dyndns.org/v3/update?h
ostname=$hostname&myip=$currentIP" \ \r
\n\t\tdst-path="/dyndns.txt"\r
\n\r
\n\t\t:delay 1\r
\n\t\t:local result [/file get dyndns.txt contents]\r
\n\t\t:log info ("UpdateDynDNS: Dyndns update needed")\r
\n\t\t:log info ("UpdateDynDNS: Dyndns Update Result: ".$result)\r
\n\t\t:put ("Dyndns Update Result: ".$result)\r
\n\t} else={\r
\n\t\t:log info ("UpdateDynDNS: No dyndns update needed")\r
\n\t}"
/tool romon
set enabled=yes
/tool traffic-monitor
add interface=ether1-wan name="over 100M" on-event=
":log warning "BANDBREDD \D6VER 100MBIT"" threshold=100000000 traffic=
received
/user group
add name=test policy="reboot,read,write,policy,test,api,!local,!telnet,!ssh,!f
tp,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"




Hello there!

First, please consider using the “code” tags next time, this makes reading the config a lot easier.

To make sure I understand your config: the router is used to access a tunnel to Mullvad. As it no longer has a DHCP client on ether1 (flagged as the WAN port), I gather it no longer provides internet access. Instead it relies on the switch and 5G connection (via vlan1000) to get access to the Internet. The trunk between the switch and router arrives on the router on ether6 (could be ether9, but that makes less sense).

When you have the issue, does the interface vlan1000 have an IP address? Do you see a default route installed in the routing table?

You have set the RSTP priority on your router to 0x6000 (24576). What is the priority on the switch? Do you have the same port-cost-mode on both sides (the router is short; what is the switch)? Consider posting a screenshot of the RSTP tab here as well.

Here are my comments. None of that, in isolation, could cause the issue you see, but they are worth fixing, at the very least for the sake of having a clear configuration.

You have 2 bridges defined. Any specific reason? VLAN10 is reused between the 2.

/interface bridge
add arp=proxy-arp name=bridge-VLAN port-cost-mode=short priority=0x6000 \
vlan-filtering=yes
add name=bridge1

Port ether2 is shared between the 2 bridges. Likely to cause weird issues.

/interface bridge port
...
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10 pvid=\
10
/interface bridge vlan
add bridge=bridge-VLAN tagged=\
"bridge-VLAN,ether2,ether3,ether4,ether9 - Downlink,ether10 - AP" \
untagged=ether8 vlan-ids=66

You have quite a few IP addresses assigned to the interface vlan10-admin. This works but at the cost of making things hard to troubleshoot.

/ip address
add address=10.0.20.1/24 interface=vlan10-admin network=10.0.20.0
add address=10.0.10.1/24 interface=vlan10-admin network=10.0.10.0
add address=192.168.88.8/24 interface=vlan10-admin network=192.168.88.0
...
add address=192.168.0.1/24 interface=vlan10-admin network=192.168.0.0
...
add address=10.0.0.10 interface=vlan10-admin network=10.0.0.0
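One way to cross-check the two ends of the trunk and the bridge VLAN table mechanically, as an added example that is not part of this thread. It parses the `/interface bridge port` and `/interface bridge vlan` sections of the export above (continuation lines joined, a constructed sample) against the swOS port 1 description from the first post, and flags the ether2 reference and the empty VLAN 99 entry while confirming that both sides tag VLAN 10 and 1000 on the trunk:

```python
"""Cross-check a RouterOS bridge VLAN table against the swOS trunk description."""
import re

# Constructed sample: the two bridge sections from the export in this thread,
# with the wrapped continuation lines joined back into single lines.
ROUTER_EXPORT = """
/interface bridge port
add bridge=bridge-VLAN interface="ether9 - Downlink" pvid=10
add bridge=bridge-VLAN comment=Tv interface=ether8 pvid=66
add bridge=bridge-VLAN disabled=yes interface=ether7 pvid=99
add bridge=bridge-VLAN frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge-VLAN interface=ether5
add bridge=bridge-VLAN interface=ether4 pvid=10
add bridge=bridge-VLAN interface=ether3 pvid=10
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge-VLAN interface="ether10 - AP" pvid=10
/interface bridge vlan
add bridge=bridge-VLAN tagged="bridge-VLAN,ether2,ether3,ether4,ether9 - Downlink,ether10 - AP" untagged=ether8 vlan-ids=66
add bridge=bridge-VLAN tagged=bridge-VLAN,ether6 vlan-ids=10
add bridge=bridge-VLAN comment="WAN VLAN" tagged=bridge-VLAN,ether6 vlan-ids=1000
add bridge=bridge-VLAN vlan-ids=99
"""

# swOS port 1 as described in the first post: trunk, "only tagged",
# VLAN 10 and VLAN 1000 added if missing.
SWOS_TRUNK = {"tagged": {10, 1000}, "tagged_only": True}

# key=value or key="quoted value" pairs on one export line
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def _csv(value):
    """Split a RouterOS comma list into a set, dropping empties."""
    return {x for x in value.split(",") if x}


def parse_export(text):
    """Return (ports, vlans) from the two bridge sections of a RouterOS export."""
    ports, vlans, section = {}, {}, None
    for line in text.strip().splitlines():
        if line.startswith("/"):
            section = line.strip()
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if section == "/interface bridge port":
            ports[kv["interface"]] = {
                "bridge": kv["bridge"],
                "pvid": int(kv.get("pvid", "1")),  # RouterOS default pvid is 1
                "tagged_only": kv.get("frame-types") == "admit-only-vlan-tagged",
            }
        elif section == "/interface bridge vlan":
            for vid in kv["vlan-ids"].split(","):
                vlans[int(vid)] = {"bridge": kv["bridge"],
                                   "tagged": _csv(kv.get("tagged", "")),
                                   "untagged": _csv(kv.get("untagged", ""))}
    return ports, vlans


def trunk_vlans(vlans, trunk):
    """VLAN ids the router sends tagged on the given trunk port."""
    return {vid for vid, v in vlans.items() if trunk in v["tagged"]}


def check(ports, vlans, swos_trunk, trunk="ether6"):
    """Return a list of inconsistencies a reviewer would look for."""
    findings = []
    for vid, v in vlans.items():
        members = v["tagged"] | v["untagged"]
        for p in members:
            # A port belongs to exactly one bridge; naming it in another
            # bridge's VLAN table is a dangling reference (ether2 is in bridge1).
            if p in ports and ports[p]["bridge"] != v["bridge"]:
                findings.append(f"vlan {vid}: {p} is a port of {ports[p]['bridge']}, not {v['bridge']}")
        if not (members - {v["bridge"]}):
            findings.append(f"vlan {vid}: no member ports, the entry carries nothing")
    router_tagged = trunk_vlans(vlans, trunk)
    if router_tagged != swos_trunk["tagged"]:
        findings.append(f"TRUNK MISMATCH on {trunk}: router tags {sorted(router_tagged)}, "
                        f"switch tags {sorted(swos_trunk['tagged'])}")
    if ports[trunk]["tagged_only"] != swos_trunk["tagged_only"]:
        findings.append(f"TRUNK MISMATCH on {trunk}: only one side drops untagged frames")
    return findings


if __name__ == "__main__":
    ports, vlans = parse_export(ROUTER_EXPORT)
    for finding in check(ports, vlans, SWOS_TRUNK):
        print(finding)
```

With this export the trunk itself checks out on both ends, which points the search at the DHCP client and RSTP behaviour rather than at VLAN tagging.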

I would go further: your config is so confused it's a wonder anything works. Certainly it does not seem you have read the vlan bible -> http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
as your /interface bridge vlans are nonsensical!

As noted above, it is incomprehensible that you assign different subnets to the same vlan…
In other words your requirements have never been clear in your mind. So I'm not quite sure how you expect us to pluck out any logic or approach.

As stated above, I think it would be fair to say that VLAN1000 is just a placeholder vlan to get the cellular traffic to the RB4011 as the WAN INPUT.
On the same line (trunk port) you need vlan10 with DHCP, for the switch to distribute.

Why do you name ether1 on the ROUTER WAN??? The WAN is coming in on the trunk port on ether6.
Ether9 looks like a trunk port to another smart device not in the picture.

This interface list item makes no sense!!!
add interface=lokholmsvagen list=VLAN

Error indications are cropping up…
/ppp profile
set *0 bridge=bridge-VLAN

Another contradiction… you seem to have many port forwardings going on??
This is ONLY possible if you have a public IP on the router or are able to forward ports from an upstream router which gets a public IP.
What is the truth???
If that is the case why are you using Back to Home VPN, instead of just normal wireguard with the RB4011 as peer Server Device.
I understand the mullvad, in that you want all users on a specific subnet to go out mullvad for internet.

Too many unknowns and issues to even begin to assist.
You assign an interface to the vLAN that doesn't exist…

I highly suggest concentrating on one thing at a time.
Disable all wireguard and queuing etc. and just work on getting vlans set up as a first step.
Remove all the extra firewall rules added over the defaults and keep the bare minimum required.

Once all the requirements and WAN situation are better understood we could start adding back in functionality, once the vlan network is solid.

  • The VLAN1000 is converted to VLAN1000 and has a DHCP client to get an IP from the 5G CPE that has IP Passthrough on (and is connected to Eth6 on the router).

  • The default route gets dynamically associated with vlan 1000 because of the DHCP client on vlan 1000. But "the issue" is when the router reboots (and not the switch): then the IP never gets to the DHCP client until I reboot the switch.

  • Bridge-VLAN RSTP is set to 6000, short on the router… and 8000, short on the switch.

  • The eth2 on the bridge didn't do the trick; that made no difference. (From an old setup I had forgotten to delete; the port is not in use.) Bridge 2 is used from the old setup. Have fixed this now and deleted it.

  • Quite a few addresses?? nooo… It's DHCP on 10.0.20.1, and then I have a couple of subnets to use when I troubleshoot, to set static addresses on that vlan.

  • For some reason my Mullvad connection on vlan66 doesn't work any longer either. I have communication on rx/tx wireguard but no internet when I connect on vlan 66. This problem I got when I converted to vlan 1000 from the ordinary Eth1 that was WAN earlier… hmmm…

  • Ok, sorry for the mess-up :smiley: All this is because I have converted it from a normal router setup with WAN on eth1. Then I made this setup because I only had one cable to the other side of the house where the 5G CPE is. Then the VLAN story came up…

  • As I said in the other post, more subnets on the same vlan is because I use this setup for "work" when I set up other switches and stuff that are delivered with a static IP. Then I set the subnet on the vlan to get to the device from my network. They are not statically there all the time; I change them now and then… they are only there for setup… The usual IP is the 10.0.20.1 network.

  • VLAN1000 is just a placeholder vlan, as you mentioned…

  • The ports you say are not configured right are ports not in use, so this shouldn't be a problem. But of course it's wrong; I will fix that.

  • The router gets a public IP from vlan 1000 on eth6 through the 5G CPE.

My recommendations stand, you switched configs many times and went in several different directions.
Start from scratch and do only the basic networking and vlans with basic firewall rules.
Once up and running we can add in layers.