Hi,
I would appreciate some help with configuring multiple VLANs over a bond interface.
I have an RB4011 series router and a CRS326-24G-2S+RM in SwOS mode.
I need to use the router's eth6, eth7 and eth8 ports as a bond, connected to a trunk port on the switch (in SwOS). I have set up the switch like this: eth2, eth9 and eth17 are set to Strict and Tagged with default VLAN ID 1, and the ethernet cables from router ports 6, 7 and 8 go to switch ports 2, 9 and 17. The other switch ports are defined as untagged with the appropriate VLAN ID.
I have configured the router: ports 6, 7 and 8 were removed from the default bridge and added to a bond interface named Bond-1 (mode: 802.3ad, link monitoring: mii, hash policy: layer 3 and 4). VLANs: vlan60 with ID=60 on interface=Bond-1, and the same for Vlan70 and Vlan80.
Then I created a new bridge, VLANs-Bridge-BOND, with VLAN filtering checked and PVID=1. In Bridge→VLANs I added: Bridge=VLANs-Bridge-BOND, VLAN IDs=60,70,80, Tagged=VLANs-Bridge-BOND and Tagged=Bond-1.
I set up addresses and DHCP for vlan60, vlan70 and vlan80, and also added the masquerade rule in Firewall NAT.
Everything works fine (internet connection, addressing), but ping is not working, and neither is sharing, even when users are in the same VLAN.
What is the problem here?
jaclaz, December 15, 2025, 12:19pm (#2)
Maybe it has to do with the reasons behind Rules #1 and #2 of the Mikrotik Club?:
Preamble and disclaimer:
The following is a set of Rules that are intended as advice useful to avoid the most common errors observed in configuration posted on this forum.
It is my personal take on the matter, and in no way approved, endorsed or recommended, officially or unofficially, by Mikrotik or their partners or by anyone else.
In other words you are perfectly free to ignore them, though they represent (IMHO) a sort of (good) cheat sheet/reminder for people starting to use these devices…
No, the VLAN names are: Vlan60, Vlan70 and Vlan80.
It's not a matter of the NAME of the interface but the TAG you use. You can even call it VLAN_MY_PRECIOUS_SECRET_NETWORK, but PVID=1 would be a culprit.
TAGs are 60, 70 and 80.
Also, I forgot to mention: on the switch, in the LAG menu, I changed the status to active for the switch ports connected to the router's bonded ethernet ports. I haven't set any firewall rules on the router.
Everything works fine (internet connection, pinging public DNS, local DHCP addressing), but workstations in the same LAN cannot ping each other.
One more question: in the router configuration, in the "Interfaces" menu, for each VLAN interface on the "General" tab, underneath the VLAN ID value, for the "Interface:" value, should I choose (from the drop-down list) the bond or the bridge that the bond is assigned to? It seems to work fine both ways.
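The layout described in the opening post, and the "bond or bridge?" question just above, written out as an added RouterOS example. This is not the poster's configuration and not MikroTik's; it keeps the names from the thread (Bond-1, VLANs-bridge-BOND, vlan60/70/80, ether6-ether8, the 192.168.60/70/80.0/24 ranges) and puts the VLAN interfaces on the VLAN-filtered bridge rather than on the bond, because the bond is a bridge port and the bridge, as a tagged member of each VLAN, is where the router's CPU reads the tagged frames. The pool and DHCP server names, the lease ranges, the frame-types/ingress-filtering settings on the trunk and the order of steps are assumptions.

```routeros
# Added example, not the poster's export. Names from the thread: Bond-1, VLANs-bridge-BOND,
# vlan60/70/80, ether6-ether8, 192.168.60/70/80.0/24. Pool/server names, lease ranges and the
# frame-types/ingress-filtering settings on the trunk are assumptions.

/interface bonding
add name=Bond-1 mode=802.3ad slaves=ether6,ether7,ether8 \
    link-monitoring=mii transmit-hash-policy=layer-3-and-4

# Create the bridge with filtering OFF; turn it on as the last step, once the VLAN table is complete.
/interface bridge
add name=VLANs-bridge-BOND vlan-filtering=no

# The bond is the only port and is a pure trunk: untagged frames arriving on it are dropped,
# and ingress filtering rejects tags that are not in the bridge VLAN table.
/interface bridge port
add bridge=VLANs-bridge-BOND interface=Bond-1 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes

# The bridge itself is a tagged member of every VLAN, so the VLAN interfaces below
# (created on the bridge) receive VLAN 60/70/80 from the trunk.
/interface bridge vlan
add bridge=VLANs-bridge-BOND vlan-ids=60 tagged=VLANs-bridge-BOND,Bond-1
add bridge=VLANs-bridge-BOND vlan-ids=70 tagged=VLANs-bridge-BOND,Bond-1
add bridge=VLANs-bridge-BOND vlan-ids=80 tagged=VLANs-bridge-BOND,Bond-1

# L3 interfaces on the bridge, not on the bond (the bond is a bridge port).
/interface vlan
add name=vlan60 vlan-id=60 interface=VLANs-bridge-BOND
add name=vlan70 vlan-id=70 interface=VLANs-bridge-BOND
add name=vlan80 vlan-id=80 interface=VLANs-bridge-BOND

/ip address
add address=192.168.60.1/24 interface=vlan60
add address=192.168.70.1/24 interface=vlan70
add address=192.168.80.1/24 interface=vlan80

# One pool and one DHCP server per VLAN (assumed names and ranges).
/ip pool
add name=pool-vlan60 ranges=192.168.60.10-192.168.60.254
add name=pool-vlan70 ranges=192.168.70.10-192.168.70.254
add name=pool-vlan80 ranges=192.168.80.10-192.168.80.254
/ip dhcp-server
add name=dhcp-vlan60 interface=vlan60 address-pool=pool-vlan60
add name=dhcp-vlan70 interface=vlan70 address-pool=pool-vlan70
add name=dhcp-vlan80 interface=vlan80 address-pool=pool-vlan80
/ip dhcp-server network
add address=192.168.60.0/24 gateway=192.168.60.1 dns-server=192.168.60.1
add address=192.168.70.0/24 gateway=192.168.70.1 dns-server=192.168.70.1
add address=192.168.80.0/24 gateway=192.168.80.1 dns-server=192.168.80.1

# Put the VLAN interfaces in the LAN list so the rules keyed on that list
# (firewall, mac-server, neighbor discovery) apply to them.
/interface list member
add interface=vlan60 list=LAN
add interface=vlan70 list=LAN
add interface=vlan80 list=LAN

# Last step: enable filtering.
/interface bridge set [find name=VLANs-bridge-BOND] vlan-filtering=yes

# Checks: all three slaves active in the LACP aggregator, the VLAN table as intended,
# and learned hosts carrying the expected VID.
/interface bonding monitor [find name=Bond-1] once
/interface bridge vlan print
/interface bridge host print where vid=60
```

Enabling vlan-filtering only after the VLAN table is in place matters when the management address sits on the same bridge; here the default bridge (192.168.88.1) is separate, so a mistake in the VLAN table costs connectivity on the trunk only. With frame-types=admit-only-vlan-tagged on the trunk the PVID is never used, so the "PVID=1" question disappears for that port.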
It would help if you share /interface and /ip (or better, a complete export):
/export file=anynameyoulike
Remove the serial and any other private info, and post as preformatted text using the </> button.
Excellent idea.
I am a total beginner with MikroTik devices.
Here is the config:
# 2025-12-16 11:29:10 by RouterOS 7.20.6
# software id = X9I3-F01K
# model = RB4011iGS+5HacQ2HnD
# serial number =
/interface bridge
add name=LAN-Eth9
add name=VLANs-bridge-BOND vlan-filtering=yes
add name=WAN-bridge
add admin-mac=78:9A:18:94:97:B1 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-80D82F wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-80D82F wireless-protocol=802.11
/interface bonding
add mode=802.3ad name=Bond-1 slaves=ether6,ether7,ether8 transmit-hash-policy=layer-3-and-4
/interface vlan
add interface=Bond-1 name=vlan60 vlan-id=60
add interface=Bond-1 name=vlan70 vlan-id=70
add interface=Bond-1 name=vlan80 vlan-id=80
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.90.2-192.168.90.254
add name=dhcp_pool2 ranges=192.168.60.2-192.168.60.254
add name=dhcp_pool3 ranges=192.168.60.2-192.168.60.254
add name=dhcp_pool4 ranges=192.168.70.2-192.168.70.254
add name=dhcp_pool5 ranges=192.168.80.2-192.168.80.254
add name=dhcp_pool6 ranges=192.168.60.2-192.168.60.254
add name=dhcp_pool7 ranges=192.168.70.2-192.168.70.254
add name=dhcp_pool8 ranges=192.168.80.2-192.168.80.254
add name=dhcp_pool9 ranges=192.168.70.2-192.168.70.254
add name=dhcp_pool10 ranges=192.168.60.2-192.168.60.254
add name=dhcp_pool11 ranges=192.168.80.2-192.168.80.254
add name=dhcp_pool12 ranges=192.168.80.2-192.168.80.254
add name=dhcp_pool13 ranges=192.168.60.2-192.168.60.254
add name=dhcp_pool14 ranges=192.168.70.2-192.168.70.254
add name=dhcp_pool15 ranges=192.168.80.2-192.168.80.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=LAN-Eth9 lease-time=3d18h30m name=dhcp1
add address-pool=dhcp_pool13 interface=vlan60 name=dhcp4
add address-pool=dhcp_pool14 interface=vlan70 name=dhcp2
add address-pool=dhcp_pool15 interface=vlan80 name=dhcp3
/port
set 0 name=serial0
set 1 name=serial1
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=LAN-Eth9 comment=defconf interface=ether9
add bridge=WAN-bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=VLANs-bridge-BOND interface=Bond-1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=VLANs-bridge-BOND tagged=VLANs-bridge-BOND,Bond-1 vlan-ids=60
add bridge=VLANs-bridge-BOND tagged=VLANs-bridge-BOND,Bond-1 vlan-ids=70
add bridge=VLANs-bridge-BOND tagged=VLANs-bridge-BOND,Bond-1 vlan-ids=80
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.90.1/24 interface=LAN-Eth9 network=192.168.90.0
add address=192.168.60.1/24 interface=vlan60 network=192.168.60.0
add address=192.168.70.1/24 interface=vlan70 network=192.168.70.0
add address=192.168.80.1/24 interface=vlan80 network=192.168.80.0
/ip dhcp-client
add default-route-tables=main interface=WAN-bridge
/ip dhcp-server network
add address=192.168.60.0/24 gateway=192.168.60.1
add address=192.168.70.0/24 gateway=192.168.70.1
add address=192.168.80.0/24 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.90.0/24 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.60.0/24 list=VLANovi
add address=192.168.70.0/24 list=VLANovi
add address=192.168.80.0/24 list=VLANovi
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.90.0/24
add action=masquerade chain=srcnat src-address=192.168.60.0/24
add action=masquerade chain=srcnat src-address=192.168.70.0/24
add action=masquerade chain=srcnat src-address=192.168.80.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Podgorica
/system leds
add interface=wlan1 leds="wlan1_signal1-led,wlan1_signal2-led,wlan1_signal3-led,wlan1_signal4-led,wlan1_signal5-led" type=wireless-signal-strength
add interface=wlan1 leds=wlan1_tx-led type=interface-transmit
add interface=wlan1 leds=wlan1_rx-led type=interface-receive
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Hi,
just to let you know that today everything works fine. Ping and sharing are OK. I didn't change anything.
That's good news!
When you want feedback though: what is the purpose of all the bridges? One seems to be sufficient!?
Why all the pools? They even seem to be overlapping...
When doing VLAN, you don't want to have a DHCP server on the bridge (personal preference).
What is the use of the four additional NAT rules?
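The NAT point in the reply above, written out as an added RouterOS example (not the poster's configuration and not anyone else's in the thread). It builds on facts that are visible in the export: the DHCP client sits on WAN-bridge (ether10) while only ether1 is in the WAN interface list, so the defconf masquerade rule never matches the actual uplink; the four extra masquerade rules carry no out-interface, so they also rewrite the source of inter-VLAN traffic to the router's own address on the egress VLAN; there is no /ip firewall filter section at all, while /ip dns has allow-remote-requests=yes, which leaves the resolver reachable from the WAN side. Which port is really the uplink, and whether the VLANs should reach each other, are assumptions and are marked as such in the comments.

```routeros
# Added example, not the poster's export. Assumes WAN-bridge (ether10) is the real uplink,
# as the /ip dhcp-client entry suggests, and that the VLANs should NOT route to each other.

# Make the interface lists describe reality; every rule below is keyed on them.
/interface list member
add interface=WAN-bridge list=WAN
add interface=LAN-Eth9 list=LAN
add interface=vlan60 list=LAN
add interface=vlan70 list=LAN
add interface=vlan80 list=LAN

# One masquerade rule keyed on the egress interface list. The four src-address rules
# from the export are removed: without an out-interface they also masquerade
# 192.168.60.x -> 192.168.70.x traffic, hiding the real client address behind 192.168.70.1.
/ip firewall nat
remove [find chain=srcnat src-address=192.168.90.0/24]
remove [find chain=srcnat src-address=192.168.60.0/24]
remove [find chain=srcnat src-address=192.168.70.0/24]
remove [find chain=srcnat src-address=192.168.80.0/24]
# The remaining defconf rule (out-interface-list=WAN) now matches WAN-bridge as well.

# IPv4 filter mirroring the defconf IPv6 one that survived in the export.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=LAN comment="router services (DNS, DHCP, WinBox) from LAN only"
add chain=input action=drop comment="everything else, incl. DNS queries from the internet"
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to internet"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN comment="no inter-VLAN routing (assumption)"
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat comment="no unsolicited inbound"

# Check from a host in VLAN 60: a ping to 192.168.70.1 should be answered, a ping to a
# host in 192.168.70.0/24 should not, and from the WAN side port 53/udp must not answer.
```

The input chain is what matters for allow-remote-requests=yes: the router still answers DNS for the LAN lists, but the last input rule drops queries from the uplink, so the box does not become an open resolver. If inter-VLAN access is wanted for specific pairs, add accept rules with in-interface=vlanNN out-interface=vlanMM above the LAN-to-LAN drop rather than removing it.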