CRS125-24G-1S
RouterOS v6.41
FW type = ar9344
FW = 3.33

i currently have a working setup, which i've backed up so i always have something to fall back to. it currently runs a cable modem into eth1, which i used a quick set for basic router usage. it made a bridge which includes eth2-24 and sfp+. as i understand it, this is taxing on the cpu, and doesnt allow my devices to file transfer across the LAN as quick as they should since this device is mostly a switch with basic routing features built in. the front panel allocates the rj45 jacks into 3 sections of 8, i am using these sections to visually separate my eth jacks into three sections: a basic routing group of 8, a VLAN with internet access, and another VLAN which only has access to other VLANS and devices behind the gateway, but NO INTERNET ACCESS. is this achievable?

the following is what i am hoping to do with my CRS. i've spent all weekend reading wiki pages and forum posts and cannot seem to get this working:

*cable modem -> eth1 (gateway, need to implement masquerading so that eth2-16 have internet access)
*section 1 (ROUTING) = eth2-8 ---> statically assigned computers, rpi3, nas, wAP
*section 2 (VLAN1) = eth9-16 ------> internet access
*section 3 (VLAN2) = eth17-24 ----> LAN only, no internet access (IoT devices)
*SFP+ disabled*
*all VLANs should be able to talk to each other if possible. the purpose of VLAN2 is to prevent certain devices on my network from accessing the internet. i would also like to benefit from the wire-speed capabilities this device claims it can do between my computer and NAS.

thank you for reading, i hope to learn a lot here.

Hi,

Here are some articles about VLANs on CRS125:

https://wiki.mikrotik.com/wiki/Manual:S ... p_Features
https://wiki.mikrotik.com/wiki/Manual:CRS_examples
https://wiki.mikrotik.com/wiki/Manual:C ... ith_Trunks

Hi,

Here are some articles about VLANs on CRS125:

https://wiki.mikrotik.com/wiki/Manual:S ... p_Features
https://wiki.mikrotik.com/wiki/Manual:CRS_examples
https://wiki.mikrotik.com/wiki/Manual:C ... ith_Trunks

thanks, but my original post stated that i've read all the articles here on the site. it may have all the information i need, but i cannot parse it because i cannot understand it, hence why i posted here. anyone else wanna chime in? i'd like to think that this is basic stuff for many of you here. i'm not sure how i should be bridging my WAN port to each individual VLAN (or if there should be a bridge between each VLAN). i've assigned a DHCP server for each VLAN (with different subnets), and given each server its own pool of addresses to use, but still no dice...

Hi

Q: what is the difference between section 1 & 2? seems like one and same to me, except dhcp could serve fixed leases to devices in section 1.

your CRS can't do vlan filtering in hardware so don't try to, as it will cost you performance.
https://wiki.mikrotik.com/wiki/Manual:S ... Offloading

(assuming section 1 and 2 are same vlan1)

Define separate bridges for "vlan1" & "2". All ports are untagged.
on wan masq only traffic coming from vlan1 (and leaving wan) + define forward block from vlan2 to wan (can be in raw again, ex: drop if dst-address=!192/8)

in RAW table mark communication between vlan1 <> vlan2 -> action=no-track (no need in conntrack)

I think that's it. (high level at least)