I have two hosts, each connected to a different MikroTik device, and I would like them to be able to reach each other over a VLAN.
pc1 <-> eth4 / mikrotik1 / eth3 < - > eth3 / mikrotik2 / eth4 <-> pc2
The PCs are connected to each MikroTik's ether4, and the MikroTiks are connected to each other over ether3 (as in the diagram above and the config below).
I want eth4 to be access port for vlan10, and eth3 hybrid (vlan1 - untagged, vlan10 - tagged)
With my current setup, pc1 can ping mikrotik1 and pc2 can ping mikrotik2, but no tagged traffic passes between mikrotik1 and mikrotik2 over eth3. At the same time, untagged traffic passes fine over the same physical interface.
With the setup below, I can ping mikrotik2 from mikrotik1 using the 10.5.205.X addresses (untagged interface), but have no luck using 10.0.0.X (tagged interface). Local traffic (PC to MikroTik over eth4) works fine.
I am almost there, but I am missing some basic information on how to add ether3 to VLAN 10 while still allowing untagged traffic on it. Can you help me?
I am testing this on 2x hAP lite (RB941-2nD), my test environment, but at the end of the day it will be running on a CRS326 and a CRS328.
here's my config of mikrotik2 - it is almost identical on mikrotik1:
[admin@hap-lite-b-hp] > /export hide-sensitive
# sep/22/2021 22:04:04 by RouterOS 6.48.4
# software id = MLRS-PPDF
#
# model = RB941-2nD
# serial number = D0550C4357A2
#
# Export of mikrotik2 (identity hap-lite-b-hp): a single VLAN-filtering bridge holds every port;
# VLAN 10 is untagged on ether4-hp and tagged on ether3-interlink, with 10.0.0.4/24 on vlan-10.
# Note that the export still carries the serial number, software id and bridge admin MAC.
/interface bridge
# vlan-filtering=yes: forwarding follows the port pvids and the "/interface bridge vlan" table below.
add admin-mac=48:8F:5A:C2:89:7A auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-C2897E station-roaming=enabled wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-uplink
set [ find default-name=ether3 ] name=ether3-interlink
set [ find default-name=ether4 ] name=ether4-hp
/interface vlan
# Layer-3 interface for VLAN 10, stacked on top of the bridge; it carries 10.0.0.4/24 (see /ip address).
add interface=bridge name=vlan-10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-uplink
# No pvid is given for ether3-interlink; presumably the default pvid=1 applies, so untagged frames
# on the inter-switch link stay in VLAN 1 - confirm with "/interface bridge port print".
add bridge=bridge comment=defconf interface=ether3-interlink
# pvid=10: untagged frames entering ether4-hp are placed in VLAN 10 (access port for the PC).
add bridge=bridge comment=defconf interface=ether4-hp pvid=10
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
# NOTE(review): ether1 is bridged here, but it is also the WAN list member and the DHCP-client
# interface further down, so the port labelled WAN shares one layer-2 domain with the LAN ports.
# Confirm this is intended.
add bridge=bridge interface=ether1
# NOTE(review): vlan-10 is a VLAN interface whose parent is this same bridge (see /interface vlan),
# yet it is also added as a port of that bridge. The bridge itself is already a tagged member of
# VLAN 10 in the bridge vlan table, so this port entry looks unnecessary and is a likely candidate
# for the VLAN 10 failure - verify by testing without it.
add bridge=bridge interface=vlan-10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# VLAN 10 membership: tagged on the bridge itself (CPU side, feeding vlan-10) and on
# ether3-interlink, untagged on ether4-hp. There is no explicit VLAN 1 entry; presumably RouterOS
# adds the untagged VLAN 1 membership dynamically from the port pvids - confirm with
# "/interface bridge vlan print".
add bridge=bridge tagged=bridge,ether3-interlink untagged=ether4-hp vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): this entry has no interface= value; it looks like a leftover for an interface that
# no longer exists - confirm and remove if so.
add list=LAN
/ip address
# Untagged address on the bridge, VLAN 10 address on the vlan-10 interface.
add address=10.5.205.152/24 interface=bridge network=10.5.205.0
add address=10.0.0.4/24 interface=vlan-10 network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from clients; with the input chain
# fully open (see /ip firewall filter) nothing in this export limits which interfaces may query it.
set allow-remote-requests=yes servers=10.5.205.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Every defconf rule below carries disabled=yes; the only enabled rules are the three unconditional
# accepts at the end. Nothing is filtered on input or forward, including traffic arriving on ether1
# (the WAN list member), so the router's own services are reachable from every interface.
# That keeps the firewall out of the picture while debugging VLANs on a bench; re-enable the defconf
# rules (or an equivalent policy) before the device carries real traffic.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward
add action=accept chain=input
add action=accept chain=output
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=10.5.205.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=hap-lite-b-hp
/tool mac-server
# MAC-server and MAC-Winbox access are limited to the LAN interface list, which contains the bridge.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@hap-lite-b-hp] >