Community discussions

just joined
Topic Author
Posts: 4
Joined: Wed Jul 25, 2018 6:22 am

Can't even ping to GW from access port on CRS

Sat May 04, 2019 8:18 pm


I just bought the Mikrotik CRS 326-24G-2S+ and I want to use it as a layer3 switch for my home network. So, I have created the following vlan 101, 102 and 99. My topology will be like this,

1). I will use ether1 for my uplink from router.
2). For ether 3, 4 and 5, I want to use them trunk links which will go to my Cisco SF 300-48P switches.
3). For ether 6 and 7, I will be used as access ports and for ether24 (which will be used as my MGMT Port).

I just searched on Mikrotik wiki and did the inter-vlan routing according to this link ( ... s_switches). But I can't even ping to my GW (vlan 99 MGMT) from my access port (ether24) which is directly connect to my PC. I also tested from other access ports. The result was the same. This is my script on my CRS.
You do not have the required permissions to view the files attached to this post.
Forum Guru
Forum Guru
Posts: 2985
Joined: Thu Mar 03, 2016 10:23 pm

Re: Can't even ping to GW from access port on CRS

Sat May 04, 2019 9:29 pm

In section /interface bridge port you have to add all physical ports which will participate in switching traffic (regardless VLAN). First instinct would be to fuss with multiple bridges, but that's not necessary, vlan-filtering will enforce separation. According to your description those ports are at least ether3, ether4, ether5, ether6, ether7 and ether24 ... depending on setup ether1 as well (which device is doing inter-VLAN routing, CRS or router? Beware that CRS has a relatively weak CPU and won't be able to perform fast inter-VLAN routing).

In section /interface bridge vlan you add as tagged ports: bridge (all VLANs will pass bridge as tagged) and any ports where VLANs will be tagged (the trunk ports towards other switches and possibly ether1 towards router?). You add as untagged all access ports for appropriate VLANs ...

After you make all the changes necessary, you'll have to set vlan-filtering=yes on bridge. But do that after you enable safe mode ... just in case.

Without constructing firewall filter rules management access is possible through any L3 interface (i.e. any interface with IP address set). So after you're happy with L2 setup, add firewall filters. Bare minimum would be

/ip firewall filter
add action=accept chain=input connection-state=established,related \
    comment="allow established and related"
add action=accept chain=input connection-state=new in-interface=MGMT \
    comment="allow any connections via MGMT interface"
add action=drop chain=input comment="drop all other connections"

Who is online

Users browsing this forum: Google [Bot] and 2 guests