nriedman
just joined
Topic Author
Posts: 22
Joined: Mon Feb 17, 2014 9:31 pm

CRS Inter vlan routing

Mon May 14, 2018 10:32 pm

I know this has been covered many times; however, I can connect to some devices but not others on my CRS112. If I am in the same vlan I can talk to all devices within it, but when I cross between vlans on the same bridge group, I can ping laptops, but not cameras. Setup below:

Firmware 6.42.1
/interface bridge
add name=LAN-BRIDGE
/interface vlan
add interface=LAN-BRIDGE name=Security vlan-id=20
add interface=LAN-BRIDGE name=WiFi vlan-id=10
/interface bridge port
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
add bridge=LAN-BRIDGE interface=ether8
add bridge=LAN-BRIDGE interface=ether1

/interface ethernet switch egress-vlan-tag
add disabled=yes tagged-ports=switch1-cpu vlan-id=20
/interface ethernet switch egress-vlan-translation
add customer-vid=20 customer-vlan-format=untagged-or-tagged new-customer-vid=\
0 ports=ether2,ether4,ether6,ether8 service-vlan-format=untagged-or-tagged
add customer-vid=10 customer-vlan-format=untagged-or-tagged disabled=yes \
new-customer-vid=0 ports=ether8 service-vlan-format=untagged-or-tagged
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether2,ether4,ether6,ether8
add customer-vid=0 disabled=yes new-customer-vid=10 ports=ether8
/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether4,ether6,ether8 vlan-id=20
add disabled=yes ports=switch1-cpu,ether8 vlan-id=10

/ip address
add address=10.54.9.254/24 interface=LAN-BRIDGE network=10.54.9.0
add address=10.54.20.254/24 interface=Security network=10.54.20.0
add address=10.54.10.254/24 interface=WiFi network=10.54.10.0
add address=10.54.9.254/24 interface=LAN-BRIDGE network=10.54.9.0

So as long as I plug all devices into ports 2,4,6,8 I can communicate as expected. When I use ether1 for my laptop (which is on the LAN-BRIDGE [10.54.9.0]) I cannot ping the camera plugged into ether2, which is vlan 20. Yet, I can plug a second laptop into ether2 or 4, 6, or 8 and ping between the two networks. Can someone direct me to what I am doing wrong? I have tried two different cameras.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS Inter vlan routing

Tue May 15, 2018 9:09 am

I would say you must replace, under /interface ethernet switch vlan,

add disabled=yes ports=switch1-cpu,ether8 vlan-id=10

by

add ports=switch1-cpu,ether1 vlan-id=10


as otherwise VID 10 is not enabled on any of the switch ports.
 
RoadkillX
Frequent Visitor
Posts: 88
Joined: Sun Apr 22, 2018 6:00 pm
Location: Spain

Re: CRS Inter vlan routing

Tue May 15, 2018 11:24 am

You have some vlan10 configurations disabled as explained by @sindy above. I'll assume you've done that intentionally since it isn't working and continue to what I think is the issue.

I'd look into this:

add customer-vid=0 new-customer-vid=20 ports=ether2,ether4,ether6,ether8
add customer-vid=0 disabled=yes new-customer-vid=10 ports=ether8

You are translating the customer-vid=0 (untagged traffic) from ether8 to vlan10 and 20. How is that done, based on what? Which devices are going into which vlan? To be honest I don't see how that could work. I think you either have to tag both vlans coming into ether8 and remove ingress-translation for that port, or do a hybrid port.

Also do the following and test the connection to vlan20:
Remove all rules in
/interface ethernet switch egress-vlan-translation

This line must remain disabled:
add customer-vid=0 disabled=yes new-customer-vid=10 ports=ether8
Can you reach any vlan20 device now? Then vlan10 ingress-translation is the problem; otherwise I have no idea.
 
nriedman
just joined
Topic Author
Posts: 22
Joined: Mon Feb 17, 2014 9:31 pm

Re: CRS Inter vlan routing

Tue May 15, 2018 3:45 pm

You're right... my apologies, as I have been adding and removing configurations. I now have it enabled like so:


/interface ethernet switch egress-vlan-translation
add customer-vid=20 customer-vlan-format=untagged-or-tagged new-customer-vid=0 ports=ether2,ether4,ether6 service-vlan-format=untagged-or-tagged
add customer-vid=10 customer-vlan-format=untagged-or-tagged new-customer-vid=0 ports=ether8 service-vlan-format=untagged-or-tagged
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether2,ether4,ether6
add customer-vid=0 new-customer-vid=10 ports=ether8
/interface ethernet switch vlan
add ports=switch1-cpu,ether2,ether4,ether6 vlan-id=20
add ports=switch1-cpu,ether8 vlan-id=10

I have tried removing all the egress translations but no difference. Now connecting my laptop to port 8, I get the 10 vlan with a 10 ip address so I assume that is working correctly. Same with ether2,4,6: I get a 20 vlan address. Therefore I think it is set up pretty close, I just cannot understand why pinging to another laptop works but not with the cameras [Between ports 8 and 2,4,6]. I have double-checked ip configs on all devices to make sure the gateways were good.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: CRS Inter vlan routing

Tue May 15, 2018 4:00 pm

If all the devices get IP addresses via DHCP and each device can ping the gateway IP in its subnet (10.54.x0.254), it normally would have to be the firewall rules that block the inter-VLAN routing.

But do I get you right that a notebook connected to VLAN 10 can talk to another notebook connected to VLAN 20 but not to a camera in VLAN 20? If so, you may not be aware that most Windows network drivers strip the VLAN headers of received frames by default, so it may be that untagging doesn't work properly which this feature of Windows hides, but the cameras' drivers don't have this "feature" so they ignore tagged frames.

I have no experience with CRS so I don't know whether the retagging works the way you expect it to work and why service tag is specified as part of the egress rule at all. One thing is to replace one VID by another VID on ingress and egress, another one is to add another tag where you receive tagged frames from a customer and add another tag to each of them so that you could connect two customer's sites by a single service VLAN and transport the "normal" VLANs transparently between them.
Last edited by sindy on Tue May 15, 2018 4:02 pm, edited 1 time in total.
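
Added example (not part of sindy's post or the thread): one way to test the hypothesis above is to capture frames on the camera's port and check whether they still carry an 802.1Q tag. The MAC addresses, payload and the `host_accepts` model of a tag-stripping versus a strict endpoint are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier

def build_frame(dst, src, ethertype, payload, vid=None):
    """Build a constructed Ethernet II frame, optionally 802.1Q-tagged."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ethertype) + payload

def vlan_tag(frame):
    """Return the VLAN ID if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI are the VID

def host_accepts(frame, strips_tags):
    """Assumed endpoint model: a driver that strips VLAN headers accepts a
    tagged frame anyway; a strict untagged-only NIC ignores it."""
    return strips_tags or vlan_tag(frame) is None

def tagged_vids(frames):
    """VIDs seen in a capture from a port that is supposed to be untagged."""
    return sorted({v for v in map(vlan_tag, frames) if v is not None})

# Constructed sample frames (locally administered MACs, dummy payload).
CAMERA = bytes.fromhex("020000000002")
ROUTER = bytes.fromhex("0200000000fe")
PAYLOAD = b"\x00" * 28
untagged = build_frame(CAMERA, ROUTER, 0x0800, PAYLOAD)
leaked = build_frame(CAMERA, ROUTER, 0x0800, PAYLOAD, vid=20)

if __name__ == "__main__":
    for name, frame in (("untagged", untagged), ("leaked", leaked)):
        print(name, "vid:", vlan_tag(frame),
              "laptop accepts:", host_accepts(frame, strips_tags=True),
              "camera accepts:", host_accepts(frame, strips_tags=False))
    print("tagged VIDs on access port:", tagged_vids([untagged, leaked]))
```

If `tagged_vids` returns anything for a capture taken on an access port, egress untagging is not taking effect there, which matches the symptom of laptops answering while cameras stay silent.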
 
RoadkillX
Frequent Visitor
Posts: 88
Joined: Sun Apr 22, 2018 6:00 pm
Location: Spain

Re: CRS Inter vlan routing

Tue May 15, 2018 4:01 pm

> You're right... my apologies, as I have been adding and removing configurations. I now have it enabled like so:
>
> /interface ethernet switch egress-vlan-translation
> add customer-vid=20 customer-vlan-format=untagged-or-tagged new-customer-vid=0 ports=ether2,ether4,ether6 service-vlan-format=untagged-or-tagged
> add customer-vid=10 customer-vlan-format=untagged-or-tagged new-customer-vid=0 ports=ether8 service-vlan-format=untagged-or-tagged
> /interface ethernet switch ingress-vlan-translation
> add customer-vid=0 new-customer-vid=20 ports=ether2,ether4,ether6
> add customer-vid=0 new-customer-vid=10 ports=ether8
> /interface ethernet switch vlan
> add ports=switch1-cpu,ether2,ether4,ether6 vlan-id=20
> add ports=switch1-cpu,ether8 vlan-id=10
>
> I have tried removing all the egress translations but no difference. Now connecting my laptop to port 8, I get the 10 vlan with a 10 ip address so I assume that is working correctly. Same with ether2,4,6: I get a 20 vlan address. Therefore I think it is set up pretty close, I just cannot understand why pinging to another laptop works but not with the cameras [Between ports 8 and 2,4,6]. I have double-checked ip configs on all devices to make sure the gateways were good.

Maybe I got mixed up in translation. On this config did you remove everything from egress-vlan-tag and remove from ingress-vlan-translation the vlan20? Then you will with certainty have access to vlan10 from bridge. If you want vlan20 to work you must tag it on the device connected to ether8 and add ether8 to switch vlan number 20. So in ether8 you will have a hybrid port: vlan10 untagged, vlan20 tagged.
