VLAN Routing and General Review

Hello everyone,

I’m very new to Mikrotik/RouterOS but looking forward to learning. I’m hoping more advanced users would be able to provide some comments on my configuration.

What I am trying to do:

  • Purchased a HEX RB750gr3
  • Hex cable/port configuration as follows:
    Eth1 - connected to LTE router
    Eth2 - connected to a Cisco IOS based switch as a VLAN trunk carrying VLANS (1, 30, 43, 45, 47, 48, 49, 54, 57, 58) (trunk port)
    Eth3 - connected to an unmanaged switch with devices intended for VLAN 30 (access port)
    Eth4 - connected to a Wireless AP that is for VLAN 54 (access port)
    Eth5 - reserved as an admin port to be used as a backup way to connect

I would like the Mikrotik router to basically be a hybrid of a router on a stick, managed switch and NAT/firewall. This is a temporary setup until our facility gets its proper wiring and switch stacks (backordered due to supply chain issues). I could have temporarily put all my devices on a flat-style network with the same subnet, but then that would mean I would have to change the IPs of everything in the future.

For now I would like every VLAN to be able to route to each other as well as to be able to access the internet (in the future I’ll set more restrictive rules, but for now I’ll start off simple). I would also like the router to have a DHCP server on VLANs 54, 57, 58.

I’ve used the configuration files in this excellent thread as a starting point http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 but my use case is a bit of a hybrid, so I am sure I’ve screwed something up.

The configuration appears to work when I plug devices into ports 3, 4, 5, but I don’t have a switch capable of VLAN trunking/tagging in my house, so I can’t test that portion until I go to the factory. This is why I would appreciate any tips or suggestions. Thank you all in advance!

#######################################
# Cable Configuration
#######################################
#ether1 "INTERNET"		WAN
#ether2 "2"				Trunk connection to switches (VLAN 1, 30, 43, 45, 47, 48, 49, 54, 57, 58)
#ether3 "3"				Local Unmanaged Switch (VLAN 30)
#ether4 "4"				Local Wifi AP (VLAN 54)
#ether5 "5"				Admin (VLAN 1)


#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="CAL-OT Router"


#######################################
# VLAN Overview
#######################################

# 1 = Router/Switch Management	BASE_VLAN
# 30 = OT - Core				OT_CORE
# 40 = OT - Grow BHA			OT_BHA_GROW
# 42 = OT - Ext. BHA			OT_BHA_EXT
# 43 = OT - Seeding				OT_SEEDING
# 45 = OT - AHU/BAS				OT_AHU
# 46 = OT - Irrigation			OT_IRRIGATION
# 47 = OT - Packaging			OT_PACKAGING
# 48 = OT - Harvest				OT_HARVEST
# 49 = OT - Tray Handling		OT_TRAY
# 54 = OT - Wireless			OT_WIFI
# 57 = OT - IOT #1				OT_IOT1
# 58 = OT - IOT #2				OT_IOT2


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether2

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether2 vlan-ids=1
add bridge=BR1 tagged=BR1,ether2 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2 vlan-ids=43
add bridge=BR1 tagged=BR1,ether2 vlan-ids=45
add bridge=BR1 tagged=BR1,ether2 vlan-ids=47
add bridge=BR1 tagged=BR1,ether2 vlan-ids=48
add bridge=BR1 tagged=BR1,ether2 vlan-ids=49
add bridge=BR1 tagged=BR1,ether2 vlan-ids=54
add bridge=BR1 tagged=BR1,ether2 vlan-ids=57
add bridge=BR1 tagged=BR1,ether2 vlan-ids=58


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# set port 3 to VLAN ID 30 (OT - Core)
add bridge=BR1 interface=ether3 pvid=30

# set port 4 to VLAN ID 54 (OT - Wireless)
add bridge=BR1 interface=ether4 pvid=54

# set port 5 to VLAN ID 1 (Router/Switch Management)
add bridge=BR1 interface=ether5 pvid=1 


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=1
/ip address add address=192.168.1.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="8.8.8.8"

# Yellow WAN facing port with IP Address provided by ISP
/ip address add interface=ether1 address=192.168.0.79/24 network=192.168.0.0

# router's gateway provided by ISP
/ip route add distance=1 gateway=192.168.0.1


#######################################
# IP Services
#######################################

# OT - Core interface creation, IP assignment
/interface vlan add interface=BR1 name=OT_CORE vlan-id=30
/ip address add interface=OT_CORE address=10.30.30.1/24

# OT - Grow BHA interface creation, IP assignment
/interface vlan add interface=BR1 name=OT_BHA_GROW vlan-id=40
/ip address add interface=OT_BHA_GROW address=10.30.40.1/24

# OT - Ext. BHA interface creation, IP assignment
/interface vlan add interface=BR1 name=OT_BHA_EXT vlan-id=42
/ip address add interface=OT_BHA_EXT address=10.30.42.1/24

#  OT - Seeding	interface creation, IP assignment
/interface vlan add interface=BR1 name=OT_SEEDING vlan-id=43
/ip address add interface=OT_SEEDING address=10.30.43.1/24

#  OT - AHU/BAS	interface creation, IP assignment
/interface vlan add interface=BR1 name=OT_AHU vlan-id=45
/ip address add interface=OT_AHU address=10.30.45.1/24

#  OT - Irrigation interface creation, IP assignment
/interface vlan add interface=BR1 name=OT_IRRIGATION vlan-id=46
/ip address add interface=OT_IRRIGATION address=10.30.46.1/24

#  OT - Packaging interface creation, IP assignment
/interface vlan add interface=BR1 name=OT_PACKAGING vlan-id=47
/ip address add interface=OT_PACKAGING address=10.30.47.1/24

#  OT - Harvest interface creation, IP assignment
/interface vlan add interface=BR1 name=OT_HARVEST vlan-id=48
/ip address add interface=OT_HARVEST address=10.30.48.1/24

#  OT - Tray Handling interface creation, IP assignment
/interface vlan add interface=BR1 name=OT_TRAY vlan-id=49
/ip address add interface=OT_TRAY address=10.30.49.1/24

# OT - Wireless interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=OT_WIFI vlan-id=54
/ip address add interface=OT_WIFI address=10.30.54.1/24
/ip pool add name=OT_WIFI_POOL ranges=10.30.54.20-10.30.54.254
/ip dhcp-server add address-pool=OT_WIFI_POOL interface=OT_WIFI name=OT_WIFI_DHCP disabled=no
/ip dhcp-server network add address=10.30.54.0/24 dns-server=8.8.8.8 gateway=10.30.54.1

# OT - IOT #1 interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=OT_IOT1 vlan-id=57
/ip address add interface=OT_IOT1 address=10.30.57.1/24
/ip pool add name=OT_IOT1_POOL ranges=10.30.57.200-10.30.57.254
/ip dhcp-server add address-pool=OT_IOT1_POOL interface=OT_IOT1 name=OT_IOT1_DHCP disabled=no
/ip dhcp-server network add address=10.30.57.0/24 dns-server=8.8.8.8 gateway=10.30.57.1

# OT - IOT #2 interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=OT_IOT2 vlan-id=58
/ip address add interface=OT_IOT2 address=10.30.58.1/24
/ip pool add name=OT_IOT2_POOL ranges=10.30.58.200-10.30.58.254
/ip dhcp-server add address-pool=OT_IOT2_POOL interface=OT_IOT2 name=OT_IOT2_DHCP disabled=no
/ip dhcp-server network add address=10.30.58.0/24 dns-server=8.8.8.8 gateway=10.30.58.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1     list=WAN
add interface=BASE_VLAN  list=BASE

add interface=BASE_VLAN  		list=VLAN
add interface=OT_CORE    		list=VLAN
add interface=OT_BHA_GROW    	list=VLAN
add interface=OT_BHA_EXT    	list=VLAN
add interface=OT_SEEDING    	list=VLAN
add interface=OT_AHU			list=VLAN
add interface=OT_IRRIGATION		list=VLAN
add interface=OT_PACKAGING		list=VLAN
add interface=OT_HARVEST		list=VLAN
add interface=OT_TRAY			list=VLAN
add interface=OT_WIFI			list=VLAN
add interface=OT_IOT1			list=VLAN
add interface=OT_IOT2			list=VLAN

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox. Naturally, you SHOULD make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow all VLANs to access the Internet
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access"

# Allow all VLANs to access each other (for now)
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=VLAN comment="VLAN to VLAN access"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]

# Only allow ingress packets without tags on Access Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
#/ip neighbor discovery-settings set discover-interface-list=BASE
#/tool mac-server mac-winbox set allowed-interface-list=BASE
#/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

I don't think the following is correct:

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
This is what you want, don't change.

add bridge=BR1 interface=ether2

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether2 vlan-ids=1
This is the part I think is wrong.

ether2 has pvid set to 1, so untagged frames it receives will be associated with vlan 1 in the vlan-filtering bridge (and the switch ASIC with 7.2 and above). But you are instructing ROS to configure the internal port to the CPU (BR1) and ether2 to tag vlan 1. I think this should be

add bridge=BR1 untagged=BR1,ether2 vlan-ids=1

I am assuming that the cisco will have its trunk port set with native vlan set to 1. If you want vlan 1 to be tagged to the switch, you would need to specify another unused vlan as the pvid, and then set the ether2 of the hEX to use a different pvid, so it isn't getting mixed messages about how to deal with vlan 1 (should it be tagged or have untagged frames have implicit vlan 1 association by specifying pvid 1?)

Unless you REALLY have to, avoid VLAN 1. Many devices handle VLAN 1 strangely. You may find traffic on that VLAN that you did not intend.
And yes, there are some devices that do not give you a choice (I have a couple).

Hi Buckeye - thanks a lot for the feedback.

I have noted your proposed changes and when I get to site I will consider investigating what happens when I change this line:

add bridge=BR1 tagged=BR1,ether2 vlan-ids=1

to

add bridge=BR1 untagged=BR1,ether2 vlan-ids=1

I should note that the sample router.rsc on the original forum doesn’t have any lines with “untagged” so perhaps it’s an error there too?

Thanks again!

Concur, vlan1 will be there in the background regardless; don't worry about it and just don't use it for any data or management purpose, basically ignore it.
What concerns me is what is giving out DHCP to vlans 30, 43, 45, 47, 48 and 49?

Suggestion for ether5: off-bridge access is excellent; it is safe and the best way (location) to configure the bridge from.
https://forum.mikrotik.com/viewtopic.php?t=181718

Hi K6ccc - thanks for the comment.

My plan is to ONLY use VLAN 1 for the management of the switches on the network. I wanted to trunk VLAN 1 back to the Mikrotik because if I didn’t do that, I would need to assign an access port on each switch to VLAN 1 and physically connect into each switch to manage it. Is this correct?

thank you!

Use something other than VLAN 1. VLAN 99 seems to be a commonly used one, but there is nothing magic about that number.

Slow learner… If you insist on not listening, help ceases.

That’s true, but it is not an error. In that example vlan 1 is not used for user data (other than possibly by the router for spanning tree protocol). It isn’t used as a layer 3 interface with an ip address applied.

Specifically there is no /interface bridge vlan line that mentions vlan 1. Only 10, 20, and 30 and 99 in the router.rsc file. And 99 was for management.

I don’t understand why @pcunite used the term BASE_VLAN for the vlan 99 interface. He says in his article

Native, Base, & MGMT (management) VLAN:
Before designing IP Addressing & Routing, you’ll need to choose a VLAN scheme. To get your VLAN going you have to start somewhere and that’s usually something termed the Native VLAN. This would be the base network that you used to initiate your first connection to a router or switch. The Native VLAN is not a requirement but rather something that continues to exist if you allow it. Think of the Native VLAN as a term used to describe packets without a VLAN tag that move between your equipment and network. Whether or not this is a good thing is up to you. In our examples, we do not allow for this scenario. Instead we implement a Base VLAN (our name for the management VLAN). Over this network will be device to device traffic (routing, etc.). We also default Winbox availability here as well.

I tend to use the term Base for the interface that you create a vlan subinterface under; when using the vlan-filtering bridge this will usually be the bridge interface (which is named BR1 in your config). Vlan interfaces are logical interfaces that behave as separate L3 interfaces to which you can apply an IP address, but there is a shim between the logical interface and the physical port that adds a vlan tag on egress, and when a tagged frame is received the physical port driver removes the tag and forwards the untagged Ethernet payload to the correct vlan interface.

I could go into more details about this, but the advice that @k6ccc and @anav gave to avoid using vlan 1 for any user data (including management) is good advice. There are multiple reasons, but they all usually boil down to the fact that vlan 1 is the vlan that will be used in the default case.

The pcunite thread is a great starting point, but it is more of a user guide than a reference that explains things in detail. My first MikroTik router was a hEX S (RB760iGS) and my previous vlan exposure was from Vyatta/EdgeOS (specifically the Ubiquiti ER-X, which is based on the same MediaTek MT7621 SoC as the hEX) and Cisco/IOS vlans and various vlan-aware switches (MikroTik SwOS based CSS106-5G-1S, TP-Link TL-SG108E and TL-2008v3, NetGear GS908E, and several Cisco switches). @Sindy’s thread RouterOS bridge mysteries explained was very helpful to me. If you are interested in learning more about what the bridge in the hEX represents, that is worth reading, and I have some notes about it here and in the post that follows. But I like to understand why things work; some people are more interested in just getting a working config (and understanding why it works is of no interest to them). So you may or may not find it of interest.

MikroTik also has reasonably good documentation here, which should be understandable if you have worked with vlans on another vendor’s kit: Bridging and Switching - Bridge VLAN Filtering and Bridging and Switching Case Studies - Bridge VLAN Table. And you should at least skim what is in Bridging and Switching.

Don’t be too put off by @anav. He has a standard way to configure things that works well, and if you don’t want to accept his way of doing it, he won’t continue to help. You may want to review his New User Pathway To Config Success. It is relatively well organized (for what can be done in a forum post), and he has sections on a variety of configuration topics. It is well worth skimming it; you will probably find some useful info there. His style can be off-putting, and his avatar is appropriate, so be prepared for some flames.
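Both the pvid/tagged contradiction Buckeye describes above (a port with pvid 1 that is also a tagged member of VLAN 1) and the advice from k6ccc, anav and Buckeye to keep VLAN 1 out of L3 and management use can be checked mechanically before an export goes onto the box. The following Python linter is an added example, not code from this thread or from MikroTik. It parses only the `add` lines of the `/interface bridge`, `/interface bridge port`, `/interface bridge vlan` and `/interface vlan` menus, assumes the RouterOS default pvid of 1 wherever none is given, treats the bridge's own pvid as implicit untagged membership of the CPU port, and runs over a constructed excerpt shaped like the posted config (not a verbatim copy). The third check, an L3 VLAN interface whose VLAN has no bridge-VLAN entry with BR1 as a member, follows the "add Bridge as member" comment in the original config.

```python
"""Lint a RouterOS bridge-VLAN configuration for three mistakes raised in
this thread: a port whose pvid VLAN is *tagged* on that same port, an L3
VLAN interface whose VLAN never reaches the CPU (bridge not a member), and
VLAN 1 used as an L3/management VLAN.  Added example, not from the thread."""

# Constructed excerpt in the shape of the posted config (shortened, not a verbatim copy).
SAMPLE = """\
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
/interface bridge port
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3 pvid=30
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2 vlan-ids=1
add bridge=BR1 tagged=BR1,ether2 vlan-ids=30
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=1
/interface vlan add interface=BR1 name=OT_CORE vlan-id=30
/interface vlan add interface=BR1 name=OT_BHA_GROW vlan-id=40
"""

DEFAULT_PVID = 1  # RouterOS default for bridge ports and for the bridge itself


def parse(text):
    """Return the `add` entries of the menus we care about, keyed by menu path."""
    entries = {"/interface bridge": [], "/interface bridge port": [],
               "/interface bridge vlan": [], "/interface vlan": []}
    menu = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0].startswith("/"):
            # A line may be only a menu path, or a path with the command on the same line.
            idx = next((i for i, t in enumerate(tokens) if t in ("add", "set")), None)
            if idx is None:
                menu = " ".join(tokens)
                continue
            menu, tokens = " ".join(tokens[:idx]), tokens[idx:]
        if tokens[0] != "add" or menu not in entries:
            continue  # `set` lines and other menus are not needed for these checks
        # key=value pairs; a quoted comment with spaces splits apart but is irrelevant here
        entries[menu].append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return entries


def expand_ids(spec):
    """'1' -> [1]; '10-12,30' -> [10, 11, 12, 30] (RouterOS vlan-ids syntax)."""
    ids = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def members(value):
    """'BR1,ether2' -> {'BR1', 'ether2'}; missing attribute -> empty set."""
    return {m for m in (value or "").split(",") if m}


def lint(text):
    """Return a list of (code, message) findings in the order they are detected."""
    e = parse(text)
    findings = []
    bridge_pvid = {b["name"]: int(b.get("pvid", DEFAULT_PVID))
                   for b in e["/interface bridge"] if "name" in b}
    port_pvid = {p["interface"]: int(p.get("pvid", DEFAULT_PVID))
                 for p in e["/interface bridge port"] if "interface" in p}
    tagged, untagged = {}, {}
    for v in e["/interface bridge vlan"]:
        for vid in expand_ids(v.get("vlan-ids", "")):
            tagged.setdefault(vid, set()).update(members(v.get("tagged")))
            untagged.setdefault(vid, set()).update(members(v.get("untagged")))

    # 1. Untagged ingress on a port is assigned its pvid; if that same port is a
    #    *tagged* member of the pvid VLAN, ingress and egress contradict each other.
    for port, vid in port_pvid.items():
        if port in tagged.get(vid, set()):
            findings.append(("PVID_TAGGED",
                             f"{port}: pvid={vid} but VLAN {vid} is tagged on {port}; "
                             f"use untagged={port} (or a different pvid if the trunk must tag it)"))

    # 2./3. Each L3 VLAN interface needs the bridge (CPU port) as a member of its VLAN,
    #    and VLAN 1 should not carry L3/management traffic.
    for iface in e["/interface vlan"]:
        vid, bridge, name = int(iface["vlan-id"]), iface.get("interface"), iface.get("name")
        member = bridge in tagged.get(vid, set()) | untagged.get(vid, set())
        if not member and bridge_pvid.get(bridge) != vid:
            findings.append(("NO_CPU_MEMBER",
                             f"{name}: VLAN {vid} has no bridge VLAN entry with {bridge} as member; "
                             f"its IP services stop working once vlan-filtering=yes"))
        if vid == 1:
            findings.append(("VLAN1_L3",
                             f"{name}: VLAN 1 used for L3/management; pick another ID such as 99"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE):
        print(f"{code:14s} {msg}")
```

On the constructed excerpt the linter reports the pvid/tagged contradiction on ether2, the VLAN 1 L3 interface, and an L3 interface (VLAN 40) that the bridge VLAN table never carries to the CPU; changing the VLAN 1 entry to `untagged=BR1,ether2` clears the first finding, and moving management to VLAN 99 clears the second.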

Ha Buckeye, you funny!
First, I was not alone and was supporting k6ccc's advice on vlan1, so it's not my way, it's the accepted smart way.
Also, it's not my way, it's the right way :stuck_out_tongue_winking_eye:
Tons of ways to configure RoS; it depends on requirements and network as to what is most efficient.

Thank you to all!

I will change the management to VLAN 99 and then remove any specific mention of VLAN 1.

Good plan. Remember that any smart devices on your network (that can read vlan tags) should get an IP address on the management network.
Neighbour discovery should also be set to the management interface.

Vlan1 will exist as the default vlan on the single bridge, and all you need to do on this config entry is to turn vlan filtering ON after you have completed the router configuration, as the last step etc…

Hello all,

I just want to post a quick follow-up to my thread. I am on site and everything is working well with the VLAN routing and the Mikrotik config. Thank you for your help.

I created a VLAN 99 for the management of my managed switches, and I am able to access the interface when my PC is on VLAN 99 and within the same subnet. I did notice that when my PC is on a different subnet and VLAN, I cannot access the management interface even though I set up a route between the VLAN my PC was on and the management VLAN 99. The issue appears to be that the switch I am using does not allow for a gateway configuration for the management interface IP and therefore it doesn’t know to route to any other network. Is this common or a best practice in the industry that the management VLAN is not supposed to be bridged or routed to other VLANs, and it is assumed that the management clients would be on the same VLAN when being managed?

For example, if I have a WIFI VLAN and a MGMT VLAN - would it be normal to assume that you should be able to manage the network from a laptop connected to WIFI?

It’s not a big deal - just a small observation I noted. Perhaps it’s a peculiarity of the switches we are using - Allen Bradley Stratix 5700. They are essentially cisco switch hardware running IOS in the background (slightly customized for industrial controls) with a web interface for less intelligent people like me.

Thanks again!

Yes it is possible that the Allen Bradley switches are intentionally dumbed down - of that I have no information. Mikrotik switches running SwitchOS also have no ability to specify a gateway, but they will just send packets back to whatever the switch received the packet from - whether that is a directly connected computer, another switch, or a router. I know at home my desktop PC is not on the same LAN as the management VLAN for my switches so traffic between the PC and switches has to be routed. Works fine…

I don’t think it is a limitation of the Allen Bradley Stratix 5700, just that it was probably set up without any gateway configured, and without a gateway you will be limited to communicating with the switch from the same subnet. In general, SCADA equipment should be isolated, as quite a bit of SCADA equipment assumes that it is on a private network and most of the security is pretty lax because of that assumption.

Reference: Stratix 5700 Express Set-Up

The Stratix 5700 switches seem dumbed down based on the web interface, but I believe it’s also possible to configure them using IOS-type commands. I think the Stratix 5700 is basically a re-branded IE-2000 switch with some customizations. I SSH’d into the switch to see what kind of IOS configuration is running in the background and there are hundreds of lines in a right-out-of-the-box config regarding QoS and class-mapping. I assume this is one of the tweaks they have done to try and prioritize CIP (Common Industrial Protocol) packets and the like. Short sample below.

One of the main reasons why I had to get the Mikrotik router up and going so quickly is that supply chain issues have delayed our main IT switch and routers from being delivered on time, and I needed something to route these VLANs so that I don’t have to go back and change IP addresses, etc. on hundreds of devices. We keep hearing “covid” as the reason for everything. I’m not a network guy by any means and I appreciate all the help provided to me on this forum.


mls qos map policed-dscp  24 27 31 43 46 47 55 59 to 0
mls qos map dscp-cos  9 11 12 13 14 15 to 0
mls qos map dscp-cos  25 26 28 29 30 to 2
mls qos map dscp-cos  40 41 42 44 45 49 50 51 to 4
mls qos map dscp-cos  52 53 54 56 57 58 60 61 to 4
mls qos map dscp-cos  62 63 to 4
mls qos map cos-dscp 0 8 16 27 32 47 55 59
mls qos srr-queue input bandwidth 40 60
mls qos srr-queue input threshold 1 16 66
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 40 60
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0 2
mls qos srr-queue input cos-map queue 2 threshold 2 4
mls qos srr-queue input cos-map queue 2 threshold 3 3 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 2 8 10
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 9 11 12 13 14 15 16 17
mls qos srr-queue input dscp-map queue 1 threshold 3 18 19 20 21 22 23 25 26
mls qos srr-queue input dscp-map queue 1 threshold 3 28 29 30
mls qos srr-queue input dscp-map queue 2 threshold 2 32 33 34 35 36 37 38 39
mls qos srr-queue input dscp-map queue 2 threshold 2 40 41 42 44 45 49 50 51
mls qos srr-queue input dscp-map queue 2 threshold 2 52 53 54 56 57 58 60 61
mls qos srr-queue input dscp-map queue 2 threshold 2 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 27 31 43 46 47 48 55
mls qos srr-queue input dscp-map queue 2 threshold 3 59
mls qos srr-queue output cos-map queue 1 threshold 3 7
mls qos srr-queue output cos-map queue 2 threshold 2 1
mls qos srr-queue output cos-map queue 2 threshold 3 0 2 4
mls qos srr-queue output cos-map queue 3 threshold 3 5 6
mls qos srr-queue output cos-map queue 4 threshold 3 3
mls qos srr-queue output dscp-map queue 1 threshold 3 59
mls qos srr-queue output dscp-map queue 2 threshold 2 8 10
mls qos srr-queue output dscp-map queue 2 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 2 threshold 3 9 11 12 13 14 15 16 17
mls qos srr-queue output dscp-map queue 2 threshold 3 18 19 20 21 22 23 25 26
mls qos srr-queue output dscp-map queue 2 threshold 3 28 29 30 32 33 34 35 36
mls qos srr-queue output dscp-map queue 2 threshold 3 37 38 39 40 41 42 44 45
mls qos srr-queue output dscp-map queue 2 threshold 3 49 50 51 52 53 54 56 57
mls qos srr-queue output dscp-map queue 2 threshold 3 58 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 43 46 47 48 55
mls qos srr-queue output dscp-map queue 4 threshold 3 24 27 31
mls qos queue-set output 1 buffers 10 25 40 25
mls qos queue-set output 2 buffers 10 25 40 25
no mls qos rewrite ip dscp
mls qos
!
!

!
class-map match-all 1588-PTP-General
 match access-group 107
class-map match-all 1588-PTP-Event
 match access-group 106
class-map match-all CIP-Implicit_dscp_any
 match access-group 104
class-map match-all CIP-Other
 match access-group 105
class-map match-all voip-data
 match ip dscp ef
class-map match-all voip-control
 match ip dscp cs3  af31
class-map match-all CIP-Implicit_dscp_43
 match access-group 103
class-map match-all CIP-Implicit_dscp_55
 match access-group 101
class-map match-all CIP-Implicit_dscp_47
 match access-group 102
!
policy-map Voice-Map
 class voip-data
  set dscp ef
  police 320000 8000 exceed-action policed-dscp-transmit
 class voip-control
  set dscp cs3
  police 32000 8000 exceed-action policed-dscp-transmit
policy-map CIP-PTP-Traffic
 class CIP-Implicit_dscp_55
  set ip dscp 55
 class CIP-Implicit_dscp_47
  set ip dscp 47
 class CIP-Implicit_dscp_43
  set ip dscp 43
 class CIP-Implicit_dscp_any
  set ip dscp 31
 class CIP-Other
  set ip dscp 27
 class 1588-PTP-Event
  set ip dscp 59
 class 1588-PTP-General
  set ip dscp 47

If you can’t set the default gateway for the management interface of the switch, then the only other option I am aware of is to use NAT masquerade on the Router interface connecting to the switch. That will make it appear to the switch that the traffic is sourced from the router, and therefore on the same subnet as the management interface, so the routing table won’t be used; instead it will use the mac address of the router’s interface as discovered by ARP.