VLANS & Management VLAN

Hi there!
I am new to Mikrotik and would like to be assisted in my configs. I really like the Mikrotik capability.
I have two WAN connections and 4 VLANS. 3 VLANS 10,20 and 30 are on the Switch ether 2,3 and respectively. VLAN 40 is on ether 3 of the R1. VLAN 99 is the management VLAN.
The problem I have is that I cannot ping the gateway for any of the VLANS e.g. hosts on 10.10.10.0/24 cannot ping 10.10.10.1.
I cannot connect to the Switch using the 10.99.99.2 as the ping says error.
I have exported the current configs for both the Router and the Switch and would appreciate being guided.

ROUTER (R1)

# jul/13/2021 18:34:40 by RouterOS 6.48.3

/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=combo1 ] comment=ISP1
set [ find default-name=ether1 ] comment=ISP2
/interface vlan
add interface=ether2 name=vlan10-Cust.1 vlan-id=10
add interface=ether2 name=vlan20-Cust.2 vlan-id=20
add interface=ether2 name=vlan30-Cust.3 vlan-id=30
add interface=ether3 name=vlan40-HOME vlan-id=40
add interface=ether2 name=vlan99-MGMT vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool1 ranges=10.20.20.2-10.20.20.254
add name=dhcp_pool2 ranges=10.30.30.2-10.30.30.254
add name=dhcp_pool3 ranges=10.40.40.2-10.40.40.254
add name=dhcp_pool4 ranges=10.99.99.2-10.99.99.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10-Cust.1 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=vlan20-Cust.2 lease-time=1d name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=vlan30-Cust.3 lease-time=1d name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface=bridge lease-time=1d name=dhcp4
add address-pool=dhcp_pool4 disabled=no interface=vlan99-MGMT lease-time=1d name=dhcp5
/queue tree
add max-limit=30M name=Cust.1-UPLOAD packet-mark=Cust.1-UPLOAD parent=global
add max-limit=30M name=Cust.1-DOWNLOAD packet-mark=Cust.1-DOWNLOAD parent=global
add max-limit=7M name=Cust.2-UPLOAD packet-mark=Cust.2-UPLOAD parent=global
add max-limit=7M name=Cust.2-DOWNLOAD packet-mark=Cust.2-DOWNLOAD parent=global
add max-limit=7M name=Cust.3-UPLOAD packet-mark=Cust.3-UPLOAD parent=global
add max-limit=7M name=Cust.3-DOWNLOAD packet-mark=Cust.3-DOWNLOAD parent=global
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=vlan40-HOME
add bridge=bridge interface=ether2
/ip address
add address=10.10.10.1/24 interface=vlan10-Cust.1 network=10.10.10.0
add address=10.20.20.1/24 interface=vlan20-Cust.2 network=10.20.20.0
add address=10.30.30.1/24 interface=vlan30-Cust.3 network=10.30.30.0
add address=10.40.40.1/24 interface=vlan40-HOME network=10.40.40.0
add address=10.99.99.1/24 interface=vlan99-MGMT network=10.99.99.0
/ip dhcp-client
add comment=ISP1 disabled=no interface=combo1
add comment=ISP2 disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.20.20.0/24 gateway=10.20.20.1
add address=10.30.30.0/24 gateway=10.30.30.1
add address=10.40.40.0/24 gateway=10.40.40.1
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=Cust.1-UPLOAD passthrough=yes src-address=10.10.10.0/24
add action=mark-packet chain=prerouting new-packet-mark=Cust.2-UPLOAD passthrough=yes src-address=10.20.20.0/24
add action=mark-packet chain=prerouting new-packet-mark=Cust.3-UPLOAD passthrough=yes src-address=10.30.30.0/24
add action=mark-packet chain=postrouting dst-address=10.30.30.0/24 new-packet-mark=Cust.3-DOWNLOAD passthrough=yes
add action=mark-packet chain=postrouting dst-address=10.20.20.0/24 new-packet-mark=Cust.2-DOWNLOAD passthrough=yes
add action=mark-packet chain=postrouting dst-address=10.10.10.0/24 new-packet-mark=Cust.1-DOWNLOAD passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.10.10.0/24
add action=masquerade chain=srcnat src-address=10.20.20.0/24
add action=masquerade chain=srcnat src-address=10.30.30.0/24
add action=masquerade chain=srcnat src-address=10.40.40.0/24
add action=masquerade chain=srcnat src-address=10.99.99.0/24
/ip route
add distance=1 gateway=192.168.200.1 routing-mark=To_ISP1
add distance=1 gateway=192.168.0.1 routing-mark=To_ISP2
/ip route rule
add src-address=10.10.10.0/24 table=To_ISP1
add src-address=10.20.20.0/24 table=To_ISP2
add src-address=10.30.30.0/24 table=To_ISP2
add src-address=10.40.40.0/24 table=To_ISP1


SWITCH (S1)

# jan/02/1970 10:30:54 by RouterOS 6.48.3

/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=10
add tagged-ports=ether1 vlan-id=20
add tagged-ports=ether1 vlan-id=30
add tagged-ports=switch1-cpu,ether1 vlan-id=99
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=30 ports=ether4
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4 vlan-id=10
add ports=ether1,ether2,ether3,ether4 vlan-id=20
add ports=ether1,ether2,ether3,ether4 vlan-id=30
add ports=switch1-cpu,ether1 vlan-id=99
/ip address
add address=10.99.99.2/24 interface=vlan99 network=10.99.99.0
/ip firewall filter
add action=accept chain=forward in-interface=all-vlan out-interface=all-vlan
/ip route
add distance=1 gateway=10.99.99.1
/system identity
set name=S1

Suggest you read through this link and revise your setup. Not much is done correctly.

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Switch and Router models?

Also, there is a lot of information in the MikroTik wiki…

Router - CCR1009-7G-1C-PC
Switch - CRS112-8P-4S-IN

CRS112 does not support Bridge VLAN filtering along with VLANs…
So you should use the old way of VLANs…

Examples here: https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#VLAN

But the CCR1009 does so you should use the link provided for that device.

thank you guys..

For the switch this is a decent guide…
https://www.youtube.com/watch?v=Rj9aPoyZOPo

Have to be careful with this one.

The CCR1009-8G has a switch chip on 1-4.

The CCR1009-7G does not.

Why do you waste our time with that post,
a. the 8G must be an old model as it's not on the website
b. if you read the posts and specifically post #4 clearly states a 7G model.

Because of the way the sequence of posts went.

The post prior to the one I quoted said

“CRS112 does not support Bridge VLAN filtering along with VLANs…
So you should use the old way of VLANs…”

Yours directly following says

“But the CCR1009 does so you should use the link provided for that device.”

You make it sound like it supports bridge VLAN filtering in hardware.

I think anav did not clearly communicate what he (probably) meant:

The CRS112 does not have hardware support for bridge VLAN filtering, and the CPU in that device is quite weak, so using bridge VLAN filtering on it is not really practical, and you are best off setting up VLANs using the CRS1xx/2xx switch chip method.

The CCR1009 also doesn’t have hardware support for bridge VLAN filtering, but the CPU in that device is quite powerful by comparison, and so it can handle it. Furthermore, since the currently available CCR1009 models do not have a switch chip, there is no other way of setting up VLANs that can be hardware offloaded, and therefore there is no disadvantage to using bridge VLAN filtering on those devices (i.e. any other method will not reduce CPU usage and the load on the device).

That I agree with and understand. But the way it was written above could have been misconstrued by someone newer to mikrotik. And I was fearful he was referring to the older hardware that did have a switch chip in it. While the newer version does not. Which of course did not require such a poor reply.

Thanks charming mud guy!

As for the drive-by poster, this is not a fear problem, it's a literacy problem on your part…
Why you read my post without the OP's post is mind-boggling.

I also own the CCR1009-7G and run about 15 vlans in bridge filtermode.

I read what he had written, and am familiar with what he has. What I was fearful of was that you may have confused it with the older model with the switch chip when you made your suggestion. I have seen this on the forum several times (not you specifically, but the model). Unfortunately, without personally knowing you, we cannot possibly know exactly what's going through your mind. I also have about 25 of the same model as him in the field, mixed along with about 200 or so others.

This forum is here to help people, and it's very easy to get tunnel vision on subject matters. Just trying to help clarify for other readers. Berating people is not necessary, nor helpful.

Stop making excuses, you simply needed to state that you had missed what the OP wrote, period.
Instead of making a million excuses that don't fly.
You invented shit that doesn't exist, so I am simply informing you to stop making problems that are not there.

You can use the CCR with Software VLANs as well…
In general you can create VLANs either in hardware or in Software…
There are 3 ways you can do that: 1. Bridge VLAN Filtering (it will consume CPU resources for devices that do not support it), 2. Switch Chip VLANs (for devices with Switch Chip, old method, configuration depends on the switch chip model), 3. Software VLANs (/interface vlan)
It all depends on what you need to accomplish…

For example, let's say you have a CCR1009 and a CRS328 switch, you can create VLANs on the Switch using Bridge VLAN Filtering, and on the CCR the Port (Trunk) connected with the CRS328 would be done in Software… So you could create your VLANs on the SFP Port of the CCR1009 under /interface vlan and connect it to the Trunk port of the CRS328…

Zach you are blowing my mind LOL.
Please write a user article explaining software vlans!!

Actually there are two ways (numbers 1. and 2. above) to securely pass VLAN-tagged frames between two bridged/switched ports.

The third variant mentioned above (as number 3.) is complementary to any of methods 1. or 2. when ROS (router, switch, …) needs to take part in a particular VLAN (as a L3 entity).
Use of method 3. in the sense of passing VLAN-tagged frames between ports is more of an abuse. However, before method 1. came to ROS, it was the only way of dealing with VLAN-tagged frames on devices without switch chips. It does offer some other possibilities for hacks (such as changing VLAN ID when passing traffic between ports … which is not possible with method 1. and only a few switch chip models can do it when using method 2.).

For @anav:


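/interface vlan
# VLAN 100 sub-interfaces on the two ports that carry tagged frames
add name=e1v100 interface=ether1 vlan-id=100
add name=e2v100 interface=ether2 vlan-id=100
/interface bridge
add name=bridge_v100
/interface bridge port
# bridging the sub-interfaces joins VLAN 100 across ether1 and ether2
add bridge=bridge_v100 interface=e1v100
add bridge=bridge_v100 interface=e2v100
# ether3 joins as a plain port, so its frames are untagged
add bridge=bridge_v100 interface=ether3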

Frames tagged with VID 100 can now pass between ether1 and ether2, ether3 is an untagged member of that VLAN.

Translation to bridge vlan-filtering config:


/interface bridge
add name=bridge_v100 vlan-filtering=yes
/interface bridge port
add bridge=bridge_v100 interface=ether1
add bridge=bridge_v100 interface=ether2
# pvid assigns untagged ingress frames on ether3 to VLAN 100
add bridge=bridge_v100 interface=ether3 pvid=100
/interface bridge vlan
# VLAN table: ether1/ether2 carry VID 100 tagged, ether3 untagged
add bridge=bridge_v100 tagged=ether1,ether2 untagged=ether3 vlan-ids=100
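
The translation in the post above, generalized as an added example (not part of the original thread): a Python sketch that reads a software-VLAN bridge config and emits the equivalent single vlan-filtering bridge, merging several per-VLAN bridges and rejecting setups that rewrite the VLAN ID between ports, which the post notes bridge VLAN filtering cannot do. The helper names `parse_export` and `to_vlan_filtering` are hypothetical, and the sample input is constructed from the post's config.

```python
import shlex
from collections import defaultdict

# Constructed sample: the post's method-3 config, using RouterOS's interface= for bridge ports.
SAMPLE = """\
/interface vlan
add name=e1v100 interface=ether1 vlan-id=100
add name=e2v100 interface=ether2 vlan-id=100
/interface bridge
add name=bridge_v100
/interface bridge port
add bridge=bridge_v100 interface=e1v100
add bridge=bridge_v100 interface=e2v100
add bridge=bridge_v100 interface=ether3
"""

def parse_export(text):  # hypothetical helper: key=value pairs of each 'add' line, by menu
    menus, menu = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            menus[menu].append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return menus

def to_vlan_filtering(text, bridge="bridge_v100"):  # hypothetical helper
    menus = parse_export(text)
    subif = {v["name"]: (v["interface"], int(v["vlan-id"])) for v in menus["/interface vlan"]}
    members = defaultdict(list)
    for port in menus["/interface bridge port"]:
        members[port["bridge"]].append(port["interface"])
    ports, pvid, rows = [], {}, []
    for old_bridge, ifaces in members.items():
        vids = {subif[i][1] for i in ifaces if i in subif}
        if len(vids) != 1:  # VID rewriting between ports has no bridge-filtering equivalent
            raise ValueError(f"{old_bridge}: need exactly one VLAN ID, got {sorted(vids)}")
        vid = vids.pop()
        tagged = [subif[i][0] for i in ifaces if i in subif]
        untagged = [i for i in ifaces if i not in subif]
        for p in untagged:
            if pvid.setdefault(p, vid) != vid:  # an untagged port has a single PVID
                raise ValueError(f"{p} is untagged in VLANs {pvid[p]} and {vid}")
        ports += [p for p in tagged + untagged if p not in ports]
        untag = f" untagged={','.join(untagged)}" if untagged else ""
        rows.append(f"add bridge={bridge} tagged={','.join(tagged)}{untag} vlan-ids={vid}")
    port_lines = [f"add bridge={bridge} interface={p}" + (f" pvid={pvid[p]}" if p in pvid else "")
                  for p in ports]
    head = ["/interface bridge", f"add name={bridge} vlan-filtering=yes", "/interface bridge port"]
    return head + port_lines + ["/interface bridge vlan"] + rows
```

Calling `to_vlan_filtering(SAMPLE)` returns the lines of the bridge vlan-filtering config shown in the post.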