 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

VLAN vs. bridge VLAN

Mon Feb 17, 2025 9:14 pm

Having the RB5009 on hand, I want to set up a VLAN for the "Guest WiFi". Next I want to separate my servers into two different VLANs.

I think it is possible to use just one bridge and create trunk ports for the Servers VLAN, but where are the VLANs configured?
/interface vlan
/interface bridge vlan
My Draft:
ether2 is a trunk port, VLAN 178 & 100 (which then is connected to the CRS326)
ether5-8 go directly to the APs, but what to do for the Guest WiFi? In my understanding it will get tagged when the user connects to the guest WiFi, but where do I remove the VLAN tags so guests have internet access?

Without exact details, is the solution like this:
under
/interface vlan
VLAN 178, 100 & 10 are to be configured?
under
/interface bridge vlan
the actual port configuration is done (access or trunk port)?
 
anav
Forum Guru
Posts: 23580
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN vs. bridge VLAN

Mon Feb 17, 2025 9:26 pm

viewtopic.php?t=143620

Vlans can be assigned to ports or WLANs no problem,
One bridge, ALL subnets as vlans ( so make the bridge subnet a vlan as well, no dhcp for the bridge )
 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

Re: VLAN vs. bridge VLAN

Mon Feb 17, 2025 10:57 pm

so make the bridge subnet a vlan as well, no dhcp for the bridge
I decided to have one on the bridge, because my last configuration with CAPsMAN could lose a CAP and it never reconnected. Still not sure what exactly caused that, but the CAP was found when directly connected to the CAPsMAN router.
 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

Re: VLAN vs. bridge VLAN

Tue Feb 18, 2025 6:42 pm

Following the Hybrid_switch.rsc and focusing on the access port.
I have the following problem: after the last step, activating "VLAN Filtering", and disconnecting my LAN cable, I never get an IP address assigned. But before that I could see traffic on the VLAN interface as I expected.


Bridge Port Configuration:
/interface bridge port
add bridge=bridgeLocal comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=20

VLAN Interfaces:
/interface vlan
add interface=bridgeLocal name=vlan20 vlan-id=20

Bridge before activating VLAN Filtering:
/interface bridge
add admin-mac=D4:01:C3:E5:2A:A4 auto-mac=no comment=defconf name=bridgeLocal protocol-mode=no
Bridge VLAN is empty.
 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

Re: VLAN vs. bridge VLAN

Tue Feb 18, 2025 8:23 pm

I didn't have dhcp server on the VLAN interface. I just changed its name but not the interface.
 
anav
Forum Guru
Posts: 23580
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN vs. bridge VLAN

Tue Feb 18, 2025 9:07 pm

Sorry, can't help with no information. Need full config to comment appropriately.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)
 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

Re: VLAN vs. bridge VLAN

Sun Feb 23, 2025 4:42 am

I managed to get the VLANs working, kind of; the Internet keeps not showing up.

But doing /tools/ping 8.8.8.8 interface=ppp-out I get the wanted reply.

Besides having no Internet, I haven't yet looked into how to isolate my VLANs against each other.

Also L2TP with IPsec is working.

But looking at the example configurations router.rsc and switch.rsc I cannot figure out what's actually wrong with my configuration.

Here is my current config:
# 2025-02-23 03:35:42 by RouterOS 7.17.2
/interface bridge
add admin-mac=D4:01:C3:E5:2A:A4 auto-mac=no comment=defconf name=bridgeLocal \
    protocol-mode=none vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes \
    user=ppp_srabbiosi1
/interface vlan
add interface=bridgeLocal name=vlan10 vlan-id=10
add interface=bridgeLocal name=vlan20 vlan-id=20
add interface=bridgeLocal name=vlan178 vlan-id=178
add interface=bridgeLocal name=vlan1000 vlan-id=1000
/caps-man datapath
add bridge=bridgeLocal client-to-client-forwarding=yes name=Office20 vlan-id=\
    20 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=der-space
add authentication-types=wpa2-psk encryption=aes-ccm name=GreenMountain
/caps-man configuration
add country=germany datapath=Office20 installation=any mode=ap name=Office \
    rx-chains=0,1,2,3 security=GreenMountain ssid=test tx-chains=0,1,2,3
add country=germany datapath=Office20 installation=any mode=ap name=cfg1 \
    rx-chains=0,1,2,3 security=der-space ssid=der-space tx-chains=0,1,2,3
/caps-man interface
add configuration=Office disabled=no l2mtu=1600 mac-address=48:8F:5A:57:E3:85 \
    master-interface=none name=Keller-1 radio-mac=48:8F:5A:57:E3:85 \
    radio-name=488F5A57E385
add configuration=Office disabled=no l2mtu=1600 mac-address=48:8F:5A:57:E3:84 \
    master-interface=none name=Keller-2 radio-mac=48:8F:5A:57:E3:84 \
    radio-name=488F5A57E384
/interface list
add name=WAN
add name=LAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms="aes-256-c\
    bc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc\
    ,aes-128-ctr,aes-128-gcm,3des" lifetime=0s
/ip pool
add name=dhcp20 ranges=192.168.20.100-192.168.20.254
add name=dhcp10 ranges=192.168.10.100-192.168.10.254
add name=dhcp178 ranges=192.168.178.100-192.168.178.254
add name=dhcp1000 ranges=192.168.0.100-192.168.0.254
add name=ovpn ranges=192.168.178.92-192.168.178.99
/ip dhcp-server
add address-pool=dhcp20 comment="Office Wifi" interface=vlan20 name=dhcp20
add address-pool=dhcp10 comment="Guest Wifi" interface=vlan10 name=dhcp10
add address-pool=dhcp178 comment=Server interface=vlan178 name=dhcp178
add address-pool=dhcp1000 comment=filip interface=vlan1000 name=dhcp1000
/ppp profile
set *0 use-upnp=yes
add bridge=bridgeLocal change-tcp-mss=yes dns-server=\
    192.168.178.251,192.168.178.252 local-address=192.168.178.91 name=ovpn \
    remote-address=ovpn use-encryption=required use-ipv6=no
set *FFFFFFFE use-ipv6=no
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    4C:75:25:30:E9:ED ssid-regexp="^der-space\$"
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    DC:97:BA:D3:1E:F9 ssid-regexp="^der-space\$"
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    B4:CE:40:A4:68:7E signal-range=-120..120 ssid-regexp="^der-space\$" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    34:60:F9:0F:9E:15 mac-address-mask=00:00:00:00:00:00 signal-range=\
    -120..120 ssid-regexp="^der-space\$" time=\
    0s-1d,sun,mon,tue,wed,thu,fri,sat
add action=reject allow-signal-out-of-range=10s disabled=no ssid-regexp=\
    "^der-space\$"
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
    suggest-same-version
/caps-man provisioning
add action=create-enabled master-configuration=Office name-format=identity
/interface bridge port
add bridge=bridgeLocal comment=defconf disabled=yes ingress-filtering=no \
    interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5 pvid=20
add bridge=bridgeLocal comment=defconf interface=ether6 pvid=20
add bridge=bridgeLocal comment=defconf interface=ether7 pvid=20
add bridge=bridgeLocal comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 pvid=20
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridgeLocal tagged=sfp-sfpplus1,ether4 vlan-ids=10
add bridge=bridgeLocal tagged=sfp-sfpplus1,ether4 vlan-ids=20
add bridge=bridgeLocal tagged=sfp-sfpplus1,ether4 vlan-ids=178
add bridge=bridgeLocal tagged=sfp-sfpplus1,ether4 vlan-ids=1000
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=ovpn enabled=\
    yes one-session-per-host=yes use-ipsec=required
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
add interface=vlan20 list=VLAN
add interface=vlan10 list=VLAN
add interface=vlan178 list=VLAN
add interface=vlan1000 list=VLAN
/interface ovpn-server server
add mac-address=FE:A3:93:79:5D:2D name=ovpn-server1
/ip address
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.178.1/24 interface=vlan178 network=192.168.178.0
add address=192.168.0.1/24 interface=vlan1000 network=192.168.0.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.178.179 client-id=1:74:ac:b9:41:23:bc mac-address=\
    74:AC:B9:41:23:BC server=dhcp178
add address=192.168.178.178 client-id=1:48:8f:5a:39:cf:e4 mac-address=\
    48:8F:5A:39:CF:E4 server=dhcp178
add address=192.168.178.177 client-id=1:48:8f:5a:3a:4f:f1 mac-address=\
    48:8F:5A:3A:4F:F1 server=dhcp178
add address=192.168.178.169 client-id=1:48:8f:5a:57:d7:a7 mac-address=\
    48:8F:5A:57:D7:A7 server=dhcp178
add address=192.168.178.168 client-id=1:3c:ec:ef:71:1d:df comment=\
    "IPMI - node1.der-space.prod" mac-address=3C:EC:EF:71:1D:DF server=\
    dhcp178
add address=192.168.178.167 client-id=1:48:8f:5a:57:e3:83 mac-address=\
    48:8F:5A:57:E3:83 server=dhcp178
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 \
    netmask=24
/ip dns
set servers=192.168.178.251,192.168.178.252
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from VLAN" \
    in-interface-list=!VLAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.178.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5 \
    enc-algorithm=aes-256,aes-192,aes-128
/ip service
set www-ssl certificate=webfig disabled=no
/ppp secret
add name=antrobotics profile=ovpn
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RB5009UPr
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=192.53.103.108 comment=ptbtime1.ptb.de
add address=192.53.103.104 comment=ptbtime2.ptb.de
Last edited by liszca on Sun Mar 02, 2025 2:18 am, edited 1 time in total.
 
johnson73
Member Candidate
Posts: 249
Joined: Wed Feb 05, 2020 10:07 am

Re: VLAN vs. bridge VLAN

Sun Feb 23, 2025 11:49 am

To make the traffic flow more correct and make it easier for you to orient yourself, we divide the firewall rules: first the ''Input'' and then the ''forward'' chain. The firewall rule policy is executed from top to bottom, and if, for example, you have arranged the FW entries incorrectly, then the traffic flow will not be correct, and this will affect not only Internet access and speed but also security.
For example, using 2 VLANs with such a configuration will be OK. You can correct your config because you are missing entries in the "forward" chain.
INPUT CHAIN --> To the Router or to Router Services. Directional flow is WAN to Router, and LAN to Router.
FORWARD CHAIN --> Through the Router. Direction flow is LAN to LAN, LAN to WAN, WAN to LAN.

Specify your IP addresses in the address list, add more if necessary, etc. In the forward section, if necessary, create additional rules, and you can specify which VLAN will go to which, etc.
I hope this solution will help you.
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=VLAN10 list=LAN
add interface=VLAN20 list=LAN
add interface=VLAN20 list=TRUSTED
/ip firewall address-list
add address=192.168.1.0/24 list=Admin
add address=10.10.10.0/24 list=VLAN10
add address=10.10.20.1/24 list=VLAN20
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.10.10.1/24 interface=vlan10 network=10.10.10.0
add address=10.10.20.1/24 interface=vlan20 network=10.10.20.0

/ip firewall filter
add action=accept chain=input comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=L2TP disabled=yes dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" disabled=yes \
    in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=TRUSTED \
    src-address-list=Admin
# add this rule as the last rule entered, so you don't lock yourself out
add action=drop chain=input comment="Drop all else"

add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
    connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=VLAN-Access dst-address-list=Admin \
    src-address-list=VLAN20
add action=accept chain=forward comment=VLAN-Access dst-address-list=VLAN20 \
    src-address-list=VLAN10
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=VLAN out-interface-list=WAN \
    src-address=10.10.10.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    10.10.20.0/24
 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

Re: VLAN vs. bridge VLAN

Sun Feb 23, 2025 10:05 pm

Hey Johnson, looking at your configuration example I noticed you are using "/ip firewall address-list" in places where I tried to use "/interface list member"; my assumption is I cannot use the interface list in the firewall rules, right!?

In the firewall filter your rules look sorted input, forward, srcnat. Does this mean the input chain is set before the other chains?

Also you have some rules with "disabled=yes"; if I wanted them to be enabled, is it just about removing the "disabled=yes" option?
 
sindy
Forum Guru
Posts: 11559
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN vs. bridge VLAN

Sun Feb 23, 2025 10:19 pm

You can use both (in|out)-interface(-list) and (src|dst)-address(-list) in firewall filter rules, but until recently you could not use in-interface or in-interface-list in the srcnat chain of firewall nat for unclear reasons, and you cannot use out-interface(-list) in dstnat and prerouting for obvious reasons (at these stages of packet processing, the out interface is not known yet).

For operation of the router itself, only the mutual order of rules in the same chain is relevant. For easy readability for the human administrator, it is useful to put all the rules that belong to the same chain together, preserving their order.

Also the order of chains in tables in the configuration does not affect the order of their actual processing - dstnat always goes before forward, which in turn always goes before srcnat, whereas in the configuration export, nat always goes after filter. There is much more to it, but until you start fiddling with mangle, raw, and possibly ipsec, this should be enough.

And yes, setting disabled to no enables the rule.
 
johnson73
Member Candidate
Posts: 249
Joined: Wed Feb 05, 2020 10:07 am

Re: VLAN vs. bridge VLAN

Sun Feb 23, 2025 10:44 pm

Hey Johnson, looking at your configuration example I noticed you are using "/ip firewall address-list" in places where I tried to use "/interface list member"; my assumption is I cannot use the interface list in the firewall rules, right!?

In the firewall filter your rules look sorted input, forward, srcnat. Does this mean the input chain is set before the other chains?

Also you have some rules with "disabled=yes"; if I wanted them to be enabled, is it just about removing the "disabled=yes" option?
Why can't you use an address list? That's exactly what is recommended. We define an address list with all the addresses we need, and then the firewall rules will specify the flow: from -> to. Looking at your firewall configuration, it is clear that the outgoing traffic is not specified correctly, so you also have no internet. There are no rules - LAN->WAN....
Mikrotik traffic flow always starts with the ''Input'' chain. This chain defines everything related to incoming traffic.
Then follows the ''forward'' chain, which means the traffic flow that goes through the router. This is correct. More about packet Flow - https://help.mikrotik.com/docs/spaces/R ... n+RouterOS
If in my example there was a disabled rule, OK, you can enable it and the rule will start working. See for yourself what you need. Your configuration needs to be corrected because the rules must be specified correctly... what goes out, what comes in.
SrcNat is not meant to be sorted; it is the IP-Firewall-NAT section.... Masquerade (the specific subnet's exit to the internet).
 
sindy
Forum Guru
Posts: 11559
Joined: Mon Dec 04, 2017 9:19 pm

Re: VLAN vs. bridge VLAN

Sun Feb 23, 2025 10:50 pm

Mikrotik traffic flow always starts with the ''Input'' chain. This chain defines everything related to incoming traffic.
Then follows the ''forward'' chain, which means the traffic flow that goes through the router.
This wording is a bit misleading. In reality, it is an exclusive or: a received packet may either go through the input chain (if its destination address is one of router's own ones) or through the forward chain (otherwise). And whether you place the input rules before or after the forward ones in configuration has no importance for the router.
 
anav
Forum Guru
Posts: 23580
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN vs. bridge VLAN

Sun Feb 23, 2025 11:41 pm

As sindy noted, these are two distinct paths for traffic; it's not about one following the other.
However, take an interesting case to illustrate!
A person wants to connect to a server on the LAN, via port XXX from the WWW,
and does the following (adds rules to both the input chain and forward chain, creating a possible conflict):

/ip firewall filter
# input chain rule
add chain=input action=accept dst-port=XXX protocol=tcp
# forward chain rule
add chain=forward action=accept connection-nat-state=dstnat
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=XXX protocol=tcp to-addresses=LAN-Server-IP


What will happen?
Some routing decision needs to be made eventually; does the router choose input or forward?

The key is to understand the chain hierarchy, and that is, at least for incoming traffic, only one path, and that is through prerouting.
From prerouting, traffic gets funneled off as matches are made, and the last match in prerouting is dstnat.
Does the fact that dst-nat exists in the prerouting chain tell us that in fact the traffic will never touch the input chain and will reach the LAN server?

Yes, and thus this traffic, although accounted for in input chain rules, never reaches the input chain.
The only way to get that traffic to a different path would be to mangle in prerouting.
Last edited by anav on Wed Feb 26, 2025 5:25 pm, edited 1 time in total.
 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

Re: VLAN vs. bridge VLAN

Mon Feb 24, 2025 3:38 pm

For example, using 2 Vlans with such a configuration will be ok. You can correct your config because you are missing entries in the "forward" chain.
INPUT CHAIN --> To the Router or to Router Services. Directional flow is WAN to Router, and LAN to Router.
FORWARD CHAIN --> Through the Router. Direction flow is LAN to LAN, LAN to WAN, WAN to LAN.
Removed: They didn't lead me anywhere
Last edited by liszca on Wed Feb 26, 2025 4:32 pm, edited 1 time in total.
 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

Re: VLAN vs. bridge VLAN

Tue Feb 25, 2025 6:07 pm

I figured out following issues with my config, after that it worked:
Interface-list WAN had ether1 instead of ppp-out
and I forgot to Tag also the bridge in all the VLANs.

One super convenient thing I figured out:

It's easily possible to ping from one network to another:
/tool/ping src-address=192.168.10.1 192.168.20.1
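The two fixes in this post (WAN list pointing at the PPPoE interface, bridge tagged in every VLAN), together with the inter-VLAN isolation the thread left open, as one complete RB5009-side configuration. This is an added example, not the original poster's export and not MikroTik's router.rsc: it reuses the VLAN IDs, subnets, port roles and the pppoe-out1 client from the export earlier in the thread, while the TRUSTED list, the office-to-server rule and the DNS/DHCP input rule are illustrative choices.

```routeros
# Added example, not the original poster's export: minimal RB5009 side of the setup
# discussed in this thread, with both fixes applied and the VLANs isolated from each other.
# Assumed: pppoe-out1 already exists (as in the export above); the TRUSTED list and the
# office-to-server rule are illustrative choices, not something the thread prescribes.

/interface bridge
add name=bridgeLocal protocol-mode=none vlan-filtering=no
# vlan-filtering stays off until the bridge vlan table is complete (enabled at the end)

/interface bridge port
# trunks: uplink to the CRS326 and the tagged link towards the CAPsMAN APs
add bridge=bridgeLocal interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged
add bridge=bridgeLocal interface=ether4 frame-types=admit-only-vlan-tagged
# access port: untagged frames entering ether8 become VLAN 20
add bridge=bridgeLocal interface=ether8 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# fix 2 from the post above: the bridge itself is a tagged member of every VLAN,
# otherwise the router's own vlanNN interfaces never see the frames
add bridge=bridgeLocal vlan-ids=10 tagged=bridgeLocal,sfp-sfpplus1,ether4
add bridge=bridgeLocal vlan-ids=20 tagged=bridgeLocal,sfp-sfpplus1,ether4 untagged=ether8
add bridge=bridgeLocal vlan-ids=178 tagged=bridgeLocal,sfp-sfpplus1,ether4
add bridge=bridgeLocal vlan-ids=1000 tagged=bridgeLocal,sfp-sfpplus1,ether4

/interface vlan
add interface=bridgeLocal name=vlan10 vlan-id=10
add interface=bridgeLocal name=vlan20 vlan-id=20
add interface=bridgeLocal name=vlan178 vlan-id=178
add interface=bridgeLocal name=vlan1000 vlan-id=1000

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.178.1/24 interface=vlan178
add address=192.168.0.1/24 interface=vlan1000

/ip pool
add name=dhcp10 ranges=192.168.10.100-192.168.10.254
add name=dhcp20 ranges=192.168.20.100-192.168.20.254
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=dhcp10
add name=dhcp20 interface=vlan20 address-pool=dhcp20
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
# (repeat pool, server and network for vlan178 and vlan1000 in the same way)

/interface list
add name=WAN
add name=VLAN
add name=TRUSTED
/interface list member
# fix 1 from the post above: routed traffic leaves via the PPPoE interface, not ether1
add list=WAN interface=pppoe-out1
add list=VLAN interface=vlan10
add list=VLAN interface=vlan20
add list=VLAN interface=vlan178
add list=VLAN interface=vlan1000
add list=TRUSTED interface=vlan20
add list=TRUSTED interface=vlan178

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53,67 \
    comment="DNS and DHCP from every VLAN, guest included"
add chain=input action=accept in-interface-list=TRUSTED \
    comment="management access only from trusted VLANs"
add chain=input action=drop comment="everything else, including guest VLAN 10 and WAN"
# forward chain: traffic passing through the router
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=VLAN out-interface-list=WAN \
    comment="every VLAN may reach the Internet"
add chain=forward action=accept in-interface=vlan20 out-interface=vlan178 \
    comment="office may open connections to the servers"
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat \
    comment="inbound only where an explicit dst-nat rule exists"
add chain=forward action=drop comment="isolates guest, servers and the rest from each other"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

/interface bridge
set bridgeLocal vlan-filtering=yes
```

The rules are grouped by chain as sindy and johnson73 suggest, and the final forward drop is what actually isolates the VLANs: anything not matched by an explicit accept (Internet access, office to servers, dst-nat'd inbound) is discarded, so the guest VLAN can reach the router only for DNS and DHCP and cannot reach the other VLANs at all. Enable vlan-filtering last, from a port that is a member of a TRUSTED VLAN, so a mistake in the bridge vlan table does not cut off the management session.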
 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

Re: VLAN vs. bridge VLAN

Wed Feb 26, 2025 4:57 pm

Somehow I struggle with adding the CRS326 via trunk port.

Here is the question, is adding BASE_VLAN or MGMT VLAN mandatory for it to work or is that just a convenience feature for the Admin?


the router Trunk port is set like this:
/interface bridge vlan
add bridge=bridgeLocal tagged=sfp-sfpplus1,ether4,bridgeLocal vlan-ids=10
add bridge=bridgeLocal tagged=sfp-sfpplus1,bridgeLocal,ether4 vlan-ids=20
add bridge=bridgeLocal tagged=sfp-sfpplus1,bridgeLocal,ether4 vlan-ids=178
add bridge=bridgeLocal tagged=sfp-sfpplus1,bridgeLocal,ether4 vlan-ids=1000
I do expect the configuration of the CRS is causing the problem, because on the router, ether4 gave me the expected IP from vlan178 when vlan178 was activated on the laptop's network interface.


Switch Trunk port:
/interface bridge
add admin-mac=D4:01:C3:3A:FE:D9 auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=20
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=178
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=1000
Then I went for a ping:
/tool/ping 192.168.178.1 interface=sfp-sfpplus1
And I got a timeout message.
 
anav
Forum Guru
Posts: 23580
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN vs. bridge VLAN

Wed Feb 26, 2025 5:30 pm


My Draft:
ether2 is a trunk port, VLAN 178 & 100 (which then is connected to the CRS326)

comment: Ensure you also send the TRUSTED or BASE VLAN to any smart device as that is the subnet it gets its IP address from!

............
ether5-8 goes directly to the APs, but what to do for the Guest WiFi? In my understanding it will got tagged when the user connects to the guest wifi, but where to remove VLAN Tags so guests have internet access.
Comment: If they are smart APs, then you send them the vlans they need for users plus the trusted or BASE VLAN in a trunk port.
If they are dumb APs, then one untags the single vlan to that device for which it will provide a WLAN.

Note: WLAN traffic from the smart AP, is tagged upon entry to the device and goes to where that VLAN is allowed, traffic coming out of the AP towards users is untagged for that vlan as user devices cannot read tags.
 
anav
Forum Guru
Posts: 23580
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN vs. bridge VLAN

Wed Feb 26, 2025 5:33 pm

Somehow I struggle with adding the CRS326 via trunk port.

Here is the question, is adding BASE_VLAN or MGMT VLAN mandatory for it to work or is that just a convenience feature for the Admin?
The BASE VLAN is not mandatory. If you have a TRUSTED VLAN, where kids and their friends are not playing or a spouse who is trigger happy and clicks on any link is not using etc............
and is not connected to spouse work or your work, then you don't need a BASE or management vlan. This means all smart devices would get an IP on the TRUSTED VLAN etc.....
Personal decision. Remember this is the way you will reach all the smart devices for config purposes.
 
anav
Forum Guru
Posts: 23580
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN vs. bridge VLAN

Wed Feb 26, 2025 5:43 pm

What is disturbing to me is being only shown snippets, do not comment on a config without context of the whole as configs are interrelated.............
and also, the fact that in the first post you stated port 2 trunk to CRS326
and ports 5-8 are APs.

However your latest 5009 snippet seems to indicate NO SUCH THING ???
there is no ether2 or 5-8 shown.
In other words, if you don't show complete latest configs, and there is no consistency, I won't waste my time.

Two points I can pass on:

1. if there is no untagging involved in ports with all the same tagging, one can do this.
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,sfp-sfpplus1,ether4 vlan-ids=10,20,178,1000


2. On the Switch, you have to include the bridge being tagged on the Trusted or Base VLAN............ Let's say it was vlan 20 for example................
From:
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=20
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=178
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=1000

To:
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=10,178,1000
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2 vlan-ids=20
 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

Re: VLAN vs. bridge VLAN

Wed Feb 26, 2025 7:43 pm

So it's working, but I didn't get how to prove that it's working with the MikroTik tools.
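anav's two points from the previous page of the thread (one bridge-vlan entry for VLANs with identical tagging, and the bridge itself tagged in the management VLAN) as a complete CRS326-side configuration, followed by the RouterOS commands that show whether the trunk actually carries what was configured, which is what this post asks for. This is an added example, not code from either poster: VLAN 20 is the management VLAN anav picked "for example", and the switch address 192.168.20.2 and the ether1/ether2 server access ports are constructed for illustration.

```routeros
# Added example, not the posters' configuration: CRS326 side of the trunk in this thread,
# with the bridge tagged in the management VLAN (20, anav's "for example" choice) so the
# switch has an address of its own. 192.168.20.2 and the ether1/ether2 server ports are
# constructed values; the SFP port roles follow the snippet posted earlier.

/interface bridge
add name=bridge protocol-mode=none vlan-filtering=no

/interface bridge port
# sfp-sfpplus1: uplink to the RB5009; sfp-sfpplus2: second trunk; both tagged only
add bridge=bridge interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged
add bridge=bridge interface=sfp-sfpplus2 frame-types=admit-only-vlan-tagged
# server access ports: untagged frames entering here become VLAN 178
add bridge=bridge interface=ether1 pvid=178 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether2 pvid=178 frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# point 1: VLANs with identical tagging share one entry
add bridge=bridge vlan-ids=10,1000 tagged=sfp-sfpplus1,sfp-sfpplus2
add bridge=bridge vlan-ids=178 tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=ether1,ether2
# point 2: the management VLAN carries the bridge itself as a tagged member
add bridge=bridge vlan-ids=20 tagged=bridge,sfp-sfpplus1,sfp-sfpplus2

# the switch's own management address lives on a VLAN interface on top of the bridge
/interface vlan
add interface=bridge name=vlan20 vlan-id=20
/ip address
add address=192.168.20.2/24 interface=vlan20
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.20.1
/ip dns
set servers=192.168.20.1

/interface bridge
set bridge vlan-filtering=yes

# --- checks: what the bridge actually applies versus what was typed ---
# each entry shows the configured TAGGED/UNTAGGED ports beside CURRENT-TAGGED/CURRENT-UNTAGGED;
# VLAN 20 must list "bridge" in CURRENT-TAGGED, or the management address is unreachable
/interface bridge vlan print
# learned MAC addresses together with the VLAN (VID) they were seen on; the router's bridge MAC
# (D4:01:C3:E5:2A:A4 in the export earlier in the thread) should appear on sfp-sfpplus1 in VLAN 20
/interface bridge host print
# end-to-end reachability from the switch's own VLAN address to the router's VLAN 20 gateway
/tool ping 192.168.20.1 src-address=192.168.20.2 count=4
```

The ping is sourced from the switch's vlan20 address rather than with interface=sfp-sfpplus1, as in the earlier attempt: a ping bound to a bridge slave port leaves that port outside the VLAN interface, so a timeout there says nothing about whether the trunk carries VLAN 20. The three print/ping commands are the ones to repeat after any change to the bridge vlan table.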
 
liszca
just joined
Topic Author
Posts: 14
Joined: Wed Nov 13, 2024 4:36 pm

Re: VLAN vs. bridge VLAN

Wed Feb 26, 2025 7:47 pm

The BASE VLAN is not mandatory. If you have a TRUSTED VLAN, where kids and their friends are not playing or a spouse who is trigger happy and clicks on any link is not using etc............
and is not connected to spouse work or your work, then you don't need a BASE or management vlan. This means all smart devices would get an IP on the TRUSTED VLAN etc.....
Personal decision. Remember this is the way you will reach all the smart devices for config purposes.

Yeah, I think it's a good idea doing that.

By the way, thank you guys for helping me out; I learned a lot which otherwise I wouldn't have. Maybe I would have given up on doing it myself.