What I am trying to accomplish is to take one of my old RB750r2 routers and make it function as a simple VLAN switch, with 1 trunk port carrying 4 VLANs, and the other four ports each having one of the VLANs (untagged) - sometimes referred to as a "Router on a Stick". If I were doing this on a SwitchOS device, I would be done in 30 seconds (or less). This is being done only to avoid having to run four Cat-5 cables to a rack shelf with four Raspberry Pis on it.
I followed pcunite's nice tutorial in: viewtopic.php?t=143620
using the switch example, and could not make it work. I poked at it for a while and it still does not work. So clearly I don't know what I'm doing.
If the image does not work, here is a direct link to it: http://extraphotos.info/mikrotik/Router-3.png
I have eliminated most of the firewall simply to make sure that was not causing me any problems. Once I get the bridge working the way it should, I can put the security back. This is all on my home LANs behind my RB4011 main router.
BTW, if I should be doing this completely different, let me know...
# jan/02/1970 01:36:13 by RouterOS 6.49.6
# software id = <redacted>
#
# model = RouterBOARD 750 r2
# serial number = <redacted>
# Bridge and VLAN section: one bridge (BR-1) with ether1 as the tagged trunk
# and ether2-ether5 as untagged access ports for VLANs 6, 5, 201 and 101.
#
# NOTE(review): the bridge line below carries no vlan-filtering=yes. Exports
# omit default values and the default is "no", so filtering is presumably off.
# While it is off, the pvid / frame-types / ingress-filtering settings under
# "/interface bridge port" and the table under "/interface bridge vlan" are
# not enforced: all five ports form one flat layer-2 segment and there is no
# isolation between the four VLANs.
# NOTE(review): switching vlan-filtering on can cut off management access to
# the router itself; make that change in Safe Mode.
# protocol-mode=none: no STP/RSTP runs on this bridge.
/interface bridge
add admin-mac=4C:5E:0C:04:3E:2D auto-mac=no comment=defconf name=BR-1 \
protocol-mode=none
# VLAN interfaces on the bridge are how the router's own CPU gets an IP
# presence in a VLAN. None of these four has an IP address in this export.
# NOTE(review): plain layer-2 switching does not need them; keeping only the
# one used for management limits the router's exposure to a single VLAN. For
# any that is kept, BR-1 itself must be listed as tagged for that VLAN ID
# under "/interface bridge vlan".
# NOTE(review): "VALN_006" looks like a typo for "VLAN_006" (name only).
/interface vlan
add interface=BR-1 name=VALN_006 vlan-id=6
add interface=BR-1 name=VLAN_005 vlan-id=5
add interface=BR-1 name=VLAN_101 vlan-id=101
add interface=BR-1 name=VLAN_201 vlan-id=201
# Default-configuration interface lists; they are referenced by the firewall,
# neighbor discovery and MAC server settings.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Access ports: accept only untagged/priority-tagged frames and place them in
# the VLAN given by pvid (ether2=6, ether3=5, ether4=201, ether5=101).
/interface bridge port
add bridge=BR-1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether2 pvid=6
add bridge=BR-1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether3 pvid=5
add bridge=BR-1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether4 pvid=201
add bridge=BR-1 comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether5 pvid=101
# Trunk port: accepts VLAN-tagged frames only.
add bridge=BR-1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1
# Neighbor discovery is limited to interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN membership table: each VLAN is tagged on ether1 and untagged on exactly
# one access port, matching the pvid values above.
# NOTE(review): BR-1 is not listed as tagged in any row, so with VLAN
# filtering enabled the CPU (and the VLAN interfaces above) would not be a
# member of any of these VLANs.
/interface bridge vlan
add bridge=BR-1 tagged=ether1 untagged=ether3 vlan-ids=5
add bridge=BR-1 tagged=ether1 untagged=ether2 vlan-ids=6
add bridge=BR-1 tagged=ether1 untagged=ether5 vlan-ids=101
add bridge=BR-1 tagged=ether1 untagged=ether4 vlan-ids=201
# LAN contains only the bridge. The ether1 WAN membership is disabled, so the
# WAN list is effectively empty.
/interface list member
add comment=defconf interface=BR-1 list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
# NOTE(review): ether4 and ether5 are bridge (slave) ports of BR-1, so these
# addresses sit on interfaces that do not handle layer-3 traffic themselves.
# If the router needs an address at all, it belongs on a VLAN interface of the
# bridge. Each extra address also exposes the router's services to that VLAN;
# a single management address is enough for a switch.
/ip address
add address=192.168.201.253/24 interface=ether4 network=192.168.201.0
add address=192.168.101.253/24 interface=ether5 network=192.168.101.0
# ether1 is a bridge port, which is why the export flags this client below.
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
# Leftover from the default configuration: no DHCP server or 192.168.88.1
# address appears elsewhere in this export.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
# allow-remote-requests=yes makes the router answer DNS queries from any
# client that can reach it.
# NOTE(review): a pure switch does not need this; consider turning it off, or
# make sure the input chain restricts who can query it.
/ip dns
set allow-remote-requests=yes
# Default-configuration name pointing at the unused 192.168.88.1 address.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Input chain: traffic addressed to the router itself.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): this temporary rule has an empty connection-state and no other
# matcher, so it appears to accept every packet sent to the router. The input
# rules after it, including the final drop, never get a chance to match.
# Remove it once the bridge works.
add action=accept chain=input comment=Temp connection-state=""
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Drops input from any interface that is not in the LAN list.
# NOTE(review): the LAN list holds only BR-1. Traffic arriving through a VLAN
# interface is presumably matched by that VLAN interface, not BR-1, so the
# management VLAN interface would need to be added to the LAN list -- confirm
# before removing the Temp rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain: applies to routed (layer-3) traffic. Frames switched between
# bridge ports do not pass through these rules unless use-ip-firewall is
# enabled under /interface bridge settings, which this export does not show.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Disabled, and the WAN list has no active member in this export.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
# Device name shown in WinBox and neighbor discovery.
/system identity
set name=RasPi-switch
# MAC-Telnet and MAC-WinBox are accepted only on interfaces in the LAN list,
# which contains BR-1.
# NOTE(review): while VLAN filtering is off, BR-1 is presumably reachable at
# layer 2 from every bridge port, so these management services would be
# offered on the trunk and on all four access ports -- confirm, and narrow the
# list to a management interface once the VLANs are enforced.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN