Hello, Can somebody check what is wrong with this configuration. USG is giving addresses and VLAN-s,on each port on CRS 226 I have internet, but non of devices can communicate to each other. What to do ?

Anyone ? Ormar 1 and Ormar 2 are connected to Glavni ormar.. do I have to route something ?
CRS212
/interface ethernet
set [ find default-name=sfp1 ] auto-negotiation=no master-port=ether1
set [ find default-name=sfp2 ] auto-negotiation=no master-port=ether1
set [ find default-name=sfp3 ] auto-negotiation=no master-port=ether1
set [ find default-name=sfp4 ] auto-negotiation=no master-port=ether1
set [ find default-name=sfp5 ] auto-negotiation=no master-port=ether1
set [ find default-name=sfp6 ] auto-negotiation=no master-port=ether1
set [ find default-name=sfp7 ] auto-negotiation=no master-port=ether1
set [ find default-name=sfp8 ] master-port=ether1
set [ find default-name=sfp9 ] auto-negotiation=no master-port=ether1
set [ find default-name=sfp10 ] master-port=ether1 sfp-rate-select=low
set [ find default-name=sfpplus1 ] sfp-rate-select=low
/interface vlan
add interface=ether1 name=Mgmt_VLAN98 vlan-id=98
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp2,sfp1,sfp4,sfp3,sfp6,sfp5,ether1,sfp8,sfp7,sfp9 vlan-id=1
add tagged-ports=sfp2,sfp1,sfp6,ether1,sfp7 vlan-id=102
add tagged-ports=sfp2,sfp1,sfp4,sfp3,sfp6,sfp5,ether1,sfp7 vlan-id=106
add tagged-ports=sfp4,sfp3,sfp5,ether1 vlan-id=108
add tagged-ports=ether1,sfp7 vlan-id=104
add tagged-ports=sfp1,sfp3,sfp6,ether1 vlan-id=100
add tagged-ports=\
switch1-cpu,sfp2,sfp1,sfp4,sfp3,sfp6,sfp5,ether1,sfp8,sfp7,sfp10,sfp9 \
vlan-id=98
/interface ethernet switch egress-vlan-translation
add customer-vlan-format=untagged-or-tagged ports=\
ether1,sfp1,sfp2,sfp3,sfp4,sfp5,sfp6,sfp7,sfp8,sfp9,sfp10 \
service-vlan-format=untagged-or-tagged
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=100 ports=sfp8
add customer-vid=0 new-customer-vid=106 ports=sfp10
/interface ethernet switch port
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 egress-vlan-tag-table-lookup-key=according-to-bridge-type \
per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wr\
r-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
/interface ethernet switch vlan
add ports=sfp2,sfp1,sfp6,ether1,sfp7 vlan-id=102
add ports=sfp2,sfp1,sfp4,sfp3,sfp6,sfp5,ether1,sfp8,sfp7,sfp9 vlan-id=106
add ports=sfp4,sfp3,sfp5,ether1 vlan-id=108
add ports=switch1-cpu,sfp2,sfp1,sfp4,sfp3,sfp6,sfp5,ether1,sfp7,sfp10 vlan-id=\
98
add ports=ether1,sfp7 vlan-id=104
add ports=sfp1,sfp3,sfp6,ether1,sfp8,sfp10,sfp9 vlan-id=100
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
192.168.88.0
add address=192.168.98.10/24 interface=Mgmt_VLAN98 network=192.168.98.0
/ip route
add distance=1 gateway=sfp2
add distance=1 gateway=192.168.98.1
/system clock
set time-zone-name=Europe/Sarajevo
/system identity
set name=CRS212

CRS226
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=1Gbps
/interface vlan
add interface=sfp-sfpplus1 name=Mgmt_VLAN98 vlan-id=98
/interface ethernet
set [ find default-name=ether1 ] master-port=sfp-sfpplus1
set [ find default-name=ether2 ] master-port=sfp-sfpplus1
set [ find default-name=ether3 ] master-port=sfp-sfpplus1
set [ find default-name=ether4 ] master-port=sfp-sfpplus1
set [ find default-name=ether5 ] master-port=sfp-sfpplus1
set [ find default-name=ether6 ] master-port=sfp-sfpplus1
set [ find default-name=ether7 ] master-port=sfp-sfpplus1
set [ find default-name=ether13 ] master-port=sfp-sfpplus1
set [ find default-name=ether14 ] master-port=sfp-sfpplus1
set [ find default-name=ether15 ] master-port=sfp-sfpplus1
set [ find default-name=ether16 ] master-port=sfp-sfpplus1
set [ find default-name=ether17 ] master-port=sfp-sfpplus1
set [ find default-name=ether18 ] master-port=sfp-sfpplus1
set [ find default-name=ether19 ] master-port=sfp-sfpplus1
set [ find default-name=ether20 ] master-port=sfp-sfpplus1
set [ find default-name=ether24 ] master-port=sfp-sfpplus1
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
/interface ethernet switch egress-vlan-tag
add tagged-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether13,ether14,ethe\
r15,ether16,ether17,ether18,ether19,ether20,sfp-sfpplus1" vlan-id=1
add tagged-ports=ether1,ether2,ether3,ether4,sfp-sfpplus1 vlan-id=102
add tagged-ports=ether5,ether6,sfp-sfpplus1 vlan-id=100
add tagged-ports=\
switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-id=\
98
add tagged-ports=ether1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 \
vlan-id=106
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=106 ports=\
ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20
/interface ethernet switch port
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 egress-vlan-tag-table-lookup-key=according-to-bridge-type \
per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wr\
r-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 26 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4 vlan-id=1
add ports=ether1,ether2,ether3,ether4,sfp-sfpplus1 vlan-id=102
add ports="ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,sfp-s\
fpplus1" vlan-id=106
add ports="switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether13,ether14\
,ether15,ether16,ether17,ether18,ether19,ether20,ether24,sfp-sfpplus1" \
vlan-id=98
add ports=ether5,ether6,sfp-sfpplus1 vlan-id=100
/ip address
add address=192.168.89.1/24 interface=sfp-sfpplus1 network=192.168.89.0
add address=192.168.98.11/24 interface=Mgmt_VLAN98 network=192.168.98.0
/ip route
add distance=1 gateway=192.168.98.1
/lcd interface pages
set 0 interfaces=ether1,ether2,ether3,ether4,ether5,ether6,ether20,sfp-sfpplus1
/system clock
set time-zone-name=Europe/Sarajevo
/system identity
set name=CRS226_1
/system routerboard settings
set protected-routerboot=disabled
[admin@CRS226_1] >

CRS 226_2
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=1Gbps
/interface vlan
add interface=sfp-sfpplus1 name=Mgmt_VLAN98 vlan-id=98
/interface ethernet
set [ find default-name=ether1 ] master-port=sfp-sfpplus1
set [ find default-name=ether2 ] master-port=sfp-sfpplus1
set [ find default-name=ether3 ] master-port=sfp-sfpplus1
set [ find default-name=ether4 ] master-port=sfp-sfpplus1
set [ find default-name=ether5 ] master-port=sfp-sfpplus1
set [ find default-name=ether6 ] master-port=sfp-sfpplus1
set [ find default-name=ether7 ] master-port=sfp-sfpplus1
set [ find default-name=ether16 ] master-port=sfp-sfpplus1
set [ find default-name=ether17 ] master-port=sfp-sfpplus1
set [ find default-name=ether18 ] master-port=sfp-sfpplus1
set [ find default-name=ether19 ] master-port=sfp-sfpplus1
set [ find default-name=ether20 ] master-port=sfp-sfpplus1
set [ find default-name=ether24 ] master-port=sfp-sfpplus1
/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid
/interface ethernet switch egress-vlan-tag
add tagged-ports="ether1,ether2,ether3,ether4,ether5,ether6,ether16,ether17,ethe\
r18,ether19,ether20,sfp-sfpplus1" vlan-id=1
add tagged-ports=ether1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 \
vlan-id=102
add tagged-ports=\
switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-id=\
98
add tagged-ports=ether1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 \
vlan-id=106
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=106 ports=\
ether16,ether17,ether18,ether19,ether20
/interface ethernet switch port
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,\
wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 egress-vlan-tag-table-lookup-key=according-to-bridge-type \
per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wr\
r-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 26 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8\
,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4 vlan-id=1
add ports=ether1,ether2,ether3,ether4,sfp-sfpplus1 vlan-id=102
add ports=ether16,ether17,ether18,ether19,ether20,sfp-sfpplus1 vlan-id=106
add ports="switch1-cpu,ether1,ether2,ether3,ether4,ether5,ether6,ether16,ether17\
,ether18,ether19,ether20,ether24,sfp-sfpplus1" vlan-id=98
/ip address
add address=192.168.89.1/24 interface=sfp-sfpplus1 network=192.168.89.0
add address=192.168.98.12/24 interface=Mgmt_VLAN98 network=192.168.98.0
/ip route
add distance=1 gateway=192.168.98.1
/lcd interface pages
set 0 interfaces=ether1,ether2,ether3,ether4,ether5,ether6,ether20,sfp-sfpplus1
/system clock
set time-zone-name=Europe/Sarajevo
/system identity
set name=CRS226_2
/system routerboard settings
set protected-routerboot=disabled
[admin@CRS226_2] >

A blind shot - first of all I have to state that I have no CRS in my portfolio, but I had a feeling that you have to list all ports belonging to the same VLAN regardless whether they are tagged or tagless members of that VLAN, which is not the case e.g. for VID 106 on CRS226 (što, ako upravo razumijem, je Ormar1) where you have only listed tagless-on-the-wire ports under /interface ethernet switch vlan:

I had to finish this VLAN=106 on this CRS, because radio devices connected on Ormar 1 and Ormar 2 are not-compatible with VLAN tagging at all. I Can't ping devices on same VLAN between these locations

I'm not sure we talk about the same thing. What I say is that each port should be listed in /interface ethernet switch vlan, no matter whether it adds/removes the tag on ingress/egress. So it is OK that you had to set some ports of VLAN 106 as access ones to allow connection of devices which do not support VLAN tagging into this VLAN, but to me it is not OK that you haven't permitted VLAN 106 on the trunk ports on which you have defined egress handling of that VLAN.

I agree that you did include the sfp-sfpplus1 into the list on Ormar 1 and Ormar 2 along with the tagless ports, but I have no idea how the switch chip handles the discrepancy between egress handling and vlan/port mapping.

So I'd either add also the tagged ports to the "vlan member port list":

/interface ethernet switch vlan
set [find vlan-id=106] ports="ether1,ether2,ether3,ether4,ether5,ether6,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,sfp-sfpplus1"


or remove the actually unused ports from the egress handling list:

/interface ethernet switch egress-vlan-tag
set [find vlan-id=106] tagged-ports=sfp-sfpplus1

just to remove the contradiction between the two lists.

So You think that should be done on Glavni ormar CRS 212 too ?
From the Hand written sheme, UBNT USG can't see UNIFIs.. so You think that is the problem with VLAN 102, which is for UNIFIs ?
For me it was logical that I don't need Routes, but on each port I have internet connection, but devices can't see each other

I'm lost. In none of your configurations I could find any access port for VLAN 102 - all ports of VLAN 102 are tagged on all three Ormars. Which implies that the Unifi devices connected to ether1 and ether2 of Ormar 1 must use VLAN 102 tagged, is that true? If not, I have no idea how they could have internet, as those ports do not act as access ones for any VLAN at all. The only idea which comes to my mind is that CRS' switch chips allow tagless packets internally - if they do, this could be an explanation if tagless frames would make it through the whole network to some DHCP server and gateway. So what is the subnet you expect to live in VLAN 102, and where is the gateway to the internet for that subnet located?

Next, none of the Mikrotik devices has an /interface vlan vlan-id=102, so none of them acts as a router for any IP subnet in VLAN 102. So I don't know whether the Unifi devices connected to Ormar 1 are in the same subnet like the USG. Also, on the connection between the USG and Glavni Ormar, VLAN 102 is missing in the list on the drawing, may it be also missing in the configuration of the USG?

And one more - you have configured

/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid

but you seem to be using normal customer VLANs, at least because the ingress mapping rules assign new-customer-vid rather than new-service-vid.

So again the switch chips may behave in an unexpected way given that the frames supposingly have no service (802.1ad) tags, only customer ones (802.1Q). I would assume it only causes a single common forwarding table to be used for all C-VLANs, which is harmless in your loopless setup, but maybe it has some other effects.

I'm lost. In none of your configurations I could find any access port for VLAN 102 - all ports of VLAN 102 are tagged on all three Ormars. Which implies that the Unifi devices connected to ether1 and ether2 of Ormar 1 must use VLAN 102 tagged, is that true? If not, I have no idea how they could have internet, as those ports do not act as access ones for any VLAN at all. The only idea which comes to my mind is that CRS' switch chips allow tagless packets internally - if they do, this could be an explanation if tagless frames would make it through the whole network to some DHCP server and gateway. So what is the subnet you expect to live in VLAN 102, and where is the gateway to the internet for that subnet located?

It is imagined that UNIFIs have uses tagged VLAN 102 on theirselfes. And it's working like that.
DHCP and gateway is on USG. It is configurated only like one DHCP with VLAN=102 on it. But USG can't see any of UNIFIs even they have internet access.

Next, none of the Mikrotik devices has an /interface vlan vlan-id=102, so none of them acts as a router for any IP subnet in VLAN 102. So I don't know whether the Unifi devices connected to Ormar 1 are in the same subnet like the USG. Also, on the connection between the USG and Glavni Ormar, VLAN 102 is missing in the list on the drawing, may it be also missing in the configuration of the USG?

On USG I have no routes, only 6 VLAN's. VLAN 102 for UNIFIs, VLAN=100 for some MESH UBNT devices tagged, VLAN=106 for taggless devices and for internally office network, VLAN=98 for managment (not working), VLAN=104 for UBNT PROs, VLAN 108 is nothing.

And one more - you have configured

/interface ethernet switch
set bridge-type=service-vid-used-as-lookup-vid

but you seem to be using normal customer VLANs, at least because the ingress mapping rules assign new-customer-vid rather than new-service-vid.

So again the switch chips may behave in an unexpected way given that the frames supposingly have no service (802.1ad) tags, only customer ones (802.1Q). I would assume it only causes a single common forwarding table to be used for all C-VLANs, which is harmless in your loopless setup, but maybe it has some other effects.

I tried to find some explanations on forums, and nothing came out, so I configured everything using this link https://wiki.mikrotik.com/wiki/Manual:CRS_examples ...
If You have some suggestions, please help with it

If DHCP server at USG is running in VLAN 102, the Unifis get their IP configurations from there using that same VLAN and can access Internet using those IP configurations (so they get an own address and a gateway, and that gateway is the USG's own IP address in VLAN 102) but the USG itself is unable to reach the Unifis, then I would expect the issue to be some firewalls in Unifi's settings or something in the USG's setting, not a problem with Mikrotik's VLAN handling. Because if the Unifis "have internet", the packets must flow bidirectionally between the USG and each of the Unifis, except that the connections are initiated from Unifi side whereas access to Unifis from USG is initiated from USG side.

Another issue would be if you were actually unable to access the Unifis not from the USG itself but from another system via the USG; in that case, a route to the subnet in VLAN 102 may be missing on that other system if the USG is not that system's default route too.

Yes, UNIFIs are working, but they do not getting address automatically. Bigger problem is that devices on same VLAN can't see each other

Can you arping between the devices on the same VLAN? If yes, I'd look for firewall issues on the ping servers (devices which receive echo requests and should respond with echo responses).

If they do not respond to arping, I would look for L2 issues.

Unifi devices use client isolation.

Oh, I haven't noticed the Unifis do not get their addresses from the DHCP server, that adds a new dimension to the problem.

So when they "have internet", does it mean that you manually assign them addresses from the subnet from which they should have got them via DHCP?

As for client isolation, I think it would explain why two wireless clients of the same Unifi AP cannot talk to each other, but not why the USG cannot talk to the Unifi APs.

Nevertheless, my question remains valid - does arp ping go through bi-directionally between the USG and the Unifi APs?