I have the following setup:
hEX PoE
ether1 connected to network 192.168.1.0/24
ether5 connected to Raspberry Pi 3 B w/ VLAN support
I started w/ the sample config, and did some tinkering when things did not work as expected.
Basically, I can manage the device from ether1. ether5 should be the trunk port, but I cannot get any traffic through it. When I try to ping from the raspi to IP 192.168.92.1 (sw1-exp, VLAN2) or 192.168.94.1 (sw1-exp, VLAN4), all I can see on the switch side are ARP queries which do not get any answers. The queries look like this on the raspi side (b8:... is the raspi):
21:33:01.350816 b8:27:eb:XX:XX:XX > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 46: vlan 2, p 0, ethertype ARP, Request who-has 192.168.92.1 tell 192.168.92.50, length 28
Here is the redacted config:
# nov/25/2017 21:16:39 by RouterOS 6.41rc52
# software id = ...
#
# model = 960PGS
# serial number = ...
# Two bridges are defined: the factory "bridge" (left disabled) and "bridge1",
# which has VLAN filtering enabled and STP/RSTP turned off (protocol-mode=none).
/interface bridge
add admin-mac=64:D1:54:XX:XX:XX auto-mac=no comment=defconf disabled=yes \
name=bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
# VLAN interfaces for VLAN 2 and VLAN 4, stacked on bridge1 (the CPU-facing side).
/interface vlan
add interface=bridge1 name=vlan2 vlan-id=2
add interface=bridge1 name=vlan4 vlan-id=4
# Switch-chip per-port VLAN settings, addressed by item number.
# NOTE(review): which physical port each number (2..5) maps to is not visible
# in this export; confirm against "/interface ethernet switch port print".
# NOTE(review): VLANs are configured both here (switch chip) and under
# "/interface bridge vlan" (bridge VLAN filtering). Which of the two actually
# handles frames on ether5 cannot be told from this export; confirm only one
# mechanism is intended to be active.
/interface ethernet switch port
set 2 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
# Interface lists used by the firewall (WAN, LAN) and by the MAC servers
# (mactel, mac-winbox).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.90.128-192.168.90.254
# NOTE(review): this DHCP server is bound to "bridge", which is disabled above,
# while 192.168.90.1/24 is assigned to ether3 below; confirm which interface is
# meant to serve the 192.168.90.0/24 pool.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# ether2-master, ether3, ether4 and ether5 are all ports of bridge1.
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether2-master
# Bridge VLAN table: ether5 is the tagged (trunk) member of VLANs 2 and 4.
# NOTE(review): vlan2/vlan4 are listed as untagged members, but they are VLAN
# interfaces on top of bridge1, not bridge ports (see "/interface bridge port").
# bridge1 itself is not listed as a tagged member of either VLAN; with
# vlan-filtering=yes that is presumably why tagged frames from ether5 never
# reach vlan2/vlan4 on the CPU. Verify against the RouterOS bridge VLAN docs.
/interface bridge vlan
add bridge=bridge1 tagged=ether5 untagged=ether2-master,vlan2 vlan-ids=2
add bridge=bridge1 tagged=ether5 untagged=ether4,vlan4 vlan-ids=4
# Switch-chip VLAN table: same membership as above, plus the switch CPU port.
/interface ethernet switch vlan
add independent-learning=yes ports=ether5,ether2-master,switch1-cpu switch=\
switch1 vlan-id=2
add independent-learning=yes ports=ether5,ether4,switch1-cpu switch=switch1 \
vlan-id=4
# NOTE(review): only bridge1 is in LAN. Traffic arriving on vlan2/vlan4 has the
# VLAN interface as its in-interface, so it would presumably hit the
# "drop all not coming from LAN" input rule (ICMP is accepted before that rule).
# NOTE(review): mactel and mac-winbox contain only "bridge", which is disabled;
# confirm whether layer-2 management is meant to be reachable at all, and keep
# it off the WAN-side port if it is re-enabled.
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
# NOTE(review): all three addresses sit on ports that are members of bridge1
# (ether3, ether2-master, ether4), not on vlan2/vlan4 or on bridge1. The ARP
# requests in the capture arrive tagged on ether5 for 192.168.92.1, which is
# bound to ether2-master here; this is likely related to the unanswered ARP.
# Confirm where the gateway addresses are meant to live.
/ip address
add address=192.168.90.1/24 comment=defconf interface=ether3 network=\
192.168.90.0
add address=192.168.92.1/24 interface=ether2-master network=192.168.92.0
add address=192.168.94.1/24 interface=ether4 network=192.168.94.0
# ether1 obtains its address by DHCP from the 192.168.1.0/24 network.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.90.0/24 comment=defconf gateway=192.168.90.1 netmask=24
# The router answers DNS queries from clients. Who can reach the resolver is
# decided solely by the input chain below.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.90.1 name=router.lan
# Input chain: protects the router itself. Forward chain: transit traffic.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): this rule accepts every protocol and port from 192.168.1.0/24
# to the router's address in that subnet, with no in-interface match, and it
# sits before both "drop invalid" and the !LAN drop. ether1 is in the WAN list,
# so every router service (management, and DNS given allow-remote-requests=yes)
# is open to that whole network. Consider narrowing it to the management
# protocol/ports and to specific source hosts.
add action=accept chain=input comment="special network, also on ether1" \
dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# NOTE(review): the forward chain below only drops invalid packets and new,
# non-DSTNATed connections from WAN. Nothing restricts routing between the
# 192.168.90/92/94 networks; if VLAN 2 and VLAN 4 are meant to be isolated from
# each other, an explicit forward rule is needed. Confirm the intent.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Source-NAT everything leaving via the WAN list (ether1), except IPsec traffic.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=...
/system identity
set name=sw1-exp
# NOTE(review): updates are taken from the release-candidate channel, and the
# export header shows an rc build. Pre-release firmware on a device that also
# acts as firewall/NAT is worth revisiting once testing is done.
/system package update
set channel=release-candidate
# MAC-Telnet and MAC-WinBox are limited to the mactel / mac-winbox lists.
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
# Packet sniffer restricted to the trunk port under investigation.
/tool sniffer
set filter-interface=ether5