I have a home network lab in which I play around with various routers. I have a 750Gl that I would like to set up as a bridge router between my home network and another router sitting on port 2. Then ports 3, 4, 5 will be on separate VLANs serviced by the back end router. On the back end router I have one Ethernet with 3 VLANs: 10, 100, 200. VLAN 10 is the NAT’d interface to the back end router’s WAN VLAN (10); VLANs 100 and 200 go to ports 3, 4, 5. So to net it out: Port 1 WAN, Port 2 a trunk with VLANs 10, 100, 200; VLAN 10 routes to WAN, VLANs 100, 200 to ports 3 and 4. Then I can decide what to do with port 5.
Thanks for the pointer. I ended up using this YouTube video https://www.youtube.com/watch?v=Rj9aPoyZOPo and it got me close. On port 2 I have an external Opnsense router with 3 VLANs: 10=wan, 100=home, 200=guest. I set up an IP address and DHCP server on the MikroTik router VLAN wan (10), but the Opnsense router is not getting a DHCP address on the vlan10 interface. I have MikroTik port 3 set to home (100) and MikroTik port 4 set to guest (200), and they both are getting the proper subnet IPs from the port 2 Opnsense external router.
An observation: if I set an IP address on the home interface (192.168.1.205), I can’t ping it from a system on the home VLAN (100). Same goes for the wan (10) if I set a static IP on my Opnsense router’s vlan 10 interface. So I am missing something. Here is a pastebin https://pastebin.com/Ds1mEk4T of my config. Thanks again for any ideas.
Under /interface vlan you should reference the parent bridge (BR1), not the child interfaces (ether2).
For traffic from the switch chip to the CPU you have to include the switch1-cpu port in the configuration under /interface ethernet switch vlan. If you are just switching traffic between ports you do not need /interface vlan entries for them - the home and guest entries are likely redundant in your setup.
Other than that the current settings are ether2: 10,100,200 tagged; ether3: 100 untagged; ether4: 200 untagged & 100 tagged.
As noted in the documentation “For devices with QCA8337 and Atheros8327 switch chips a default vlan-header=leave-as-is should be used. When vlan-mode=secure is configured, it ignore switch port vlan-header options. VLAN table entries handle all the egress tagging/untagging and works as vlan-header=leave-as-is on all ports. It means what comes in tagged, goes out tagged as well, only default-vlan-id frames are untagged at the egress of port.”
You have configured the DHCP server on ether1, there is none on the “wan” VLAN.
If the Mikrotik is really connected to 108.20.x.x public address having firewall rules would be a good idea.
It’s working for the most part now, with just 2 minor things to make this project complete.
I think the key was adding switch1-cpu to each vlan.
A few comments on your prior suggestions:
The /interface vlan entries are needed to add IP addresses and a DHCP server to the VLANs.
ether1 has a DHCP client and gets an IP address from my external network (i.e. simulated WAN).
I changed the names of VLAN 10 and 100 for clarity: 10 is OpnsenseWan, 100 is OpnsenseLan.
The issue I have now is I can ping the switch IP I set up on OpnsenseLan (192.168.1.205) from the Opnsense router on ether2 but can’t ping it from the client (192.168.1.36) on ether3. The client on ether3 can ping the Opnsense LAN IP of 192.168.1.254. I also need to set up a management VLAN to complete this. Pastebin of the current config https://pastebin.com/0pC9bz0E
Any idea why ping isn’t working from the client on ether3 (VLAN 100) to the OpnsenseLan IP of 192.168.1.205?
Yes. Many old guides refer to ether2, which was applicable when using the old master-port switch configuration in RouterOS 6.40.x and earlier. With current versions you should use the bridge; the interface aspect of the bridge is the CPU end of the connection to the switch1-cpu port of the switch chip.
Thank you for all your guidance. I will have to read more to understand your above statement. Things are working and I can get to the 750gl via the wan vpn IP. I think there is an issue with the LAN IP conflicting with the Opnsense router. I’ll do some more testing later this week. Anyway, here is the pastebin https://pastebin.com/YRqZ5L0b of my final config unless you see something I should change.
You haven’t provided a diagram of your setup and how you would like it to work. With multiple network interfaces on devices you often end up with triangular routes, where traffic in one direction goes via a third device (e.g. A → B but B → C → A); firewall connection tracking can see these incomplete connections as invalid and block them, or the third device may not have the appropriate routes.
Currently on the Mikrotik anything to the 108.20.117.0/24 subnet will egress via OpnsenseWan, similarly 192.168.1.0/24 via OpnsenseLan, everything else will egress via the default route added by the DHCP client on ether1.
Port 1 - WAN port to external network (no VLAN) set as a DHCP client. In my case I added it to my guest network that has an IP address range of 192.168.200.0/27 (srcnat masquerade)
Port 2 - VLAN trunk port with VLAN IDs of 10, 100, 200. This is where the Opnsense system sits
Port 3+4 - VLAN 100
Port 5 - Floater for testing VLANs 10 and 200 (I change the VLAN IDs here as needed)
Now to the simple fix: in /interface ethernet switch port I had switch1-cpu set to disabled; once I set it to secure I could ping the IP addresses on the same VLAN.
Again a big thanks for all your links and descriptions. I would never have gotten this to work without your guidance. Let me know if you still have any questions.
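The layout this thread converges on, pulled together as one added RouterOS configuration example: it is not the pasted config from either pastebin, but applies the corrections from the earlier replies (VLAN interfaces parented on the bridge BR1 rather than ether2, switch1-cpu listed in every switch VLAN entry, a DHCP server on the VLAN 10 interface, firewall rules on the public-facing port) and the final port plan with switch1-cpu set to vlan-mode=secure. Assumed names and values: bridge BR1 and switch chip switch1 as in the thread, ether5 parked on VLAN 200 as the "floater", and the 10.10.10.0/24 subnet for the OpnsenseWan VLAN, which is made up here because the thread never states it; 192.168.1.205/24 is the OpnsenseLan address the thread uses.

```routeros
# Added example, not the thread's pasted config. Assumptions: bridge BR1,
# switch chip switch1, ether5 on VLAN 200, and 10.10.10.0/24 for VLAN 10
# (constructed; the thread gives no subnet for it).

# One bridge with hardware offload so the switch chip forwards the traffic.
/interface bridge
add name=BR1
/interface bridge port
add bridge=BR1 interface=ether2 hw=yes
add bridge=BR1 interface=ether3 hw=yes
add bridge=BR1 interface=ether4 hw=yes
add bridge=BR1 interface=ether5 hw=yes

# Port roles. vlan-header=leave-as-is is the documented setting for the
# QCA8337/Atheros8327 chips; default-vlan-id is what makes an access port
# untag on egress. switch1-cpu must be secure as well, otherwise frames
# bound for the CPU (IP addresses, DHCP server) never arrive.
/interface ethernet switch port
set ether2 vlan-mode=secure vlan-header=leave-as-is
set ether3 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=100
set ether4 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=100
set ether5 vlan-mode=secure vlan-header=leave-as-is default-vlan-id=200
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

# VLAN table. Every VLAN that carries an IP address on the MikroTik itself
# must include switch1-cpu, or the CPU never sees that VLAN.
/interface ethernet switch vlan
add switch=switch1 vlan-id=10  ports=ether2,switch1-cpu
add switch=switch1 vlan-id=100 ports=ether2,ether3,ether4,switch1-cpu
add switch=switch1 vlan-id=200 ports=ether2,ether5,switch1-cpu

# Layer-3 VLAN interfaces hang off the bridge (the CPU side), never off ether2.
/interface vlan
add name=OpnsenseWan interface=BR1 vlan-id=10
add name=OpnsenseLan interface=BR1 vlan-id=100

# Addresses: the OpnsenseWan subnet is an assumption, OpnsenseLan is from the thread.
/ip address
add address=10.10.10.1/24 interface=OpnsenseWan
add address=192.168.1.205/24 interface=OpnsenseLan

# Uplink: DHCP client on ether1 and source NAT for everything leaving it.
/ip dhcp-client
add interface=ether1 disabled=no
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# DHCP server bound to the VLAN 10 interface (not ether1), so the OPNsense
# vlan10 WAN interface actually receives a lease.
/ip pool
add name=pool-opnsense-wan ranges=10.10.10.10-10.10.10.50
/ip dhcp-server
add name=dhcp-opnsense-wan interface=OpnsenseWan address-pool=pool-opnsense-wan disabled=no
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1

# Minimal input protection for the ether1 side, which may carry a public address.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 action=drop
```

After applying it, `/interface ethernet switch port print` should show switch1-cpu with vlan-mode=secure and `/interface ethernet switch vlan print` should list switch1-cpu in all three entries; the check from the thread is that a client on ether3 can ping 192.168.1.205 and that the OPNsense vlan10 interface picks up a 10.10.10.x lease. The last filter rule is deliberately a plain drop: anything you want to reach the router from ether1 (e.g. a VPN) needs its own accept rule above it.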