Landed here because I too was surprise SwOS doesn't have HTTPS support. Using a CRS-328. Also surprising to read some of the views that hand-wave away the security implications. I wouldn't expect anyone serious about security to take such a position, and as a vendor of networking equipment I would i...

I have tried connecting the trunk ports directly from the HEXs > cAP ac and traffic is passed normally. It works fine.

So it looks to be an issue with the switch and some subtle combination of how the HEXs is passing traffic to it versus the cAP ac.

Thanks,
t04s

I haven't tried connecting them directly and bypassing the switch. I assume that will work but I can try and report back.

Thanks,
t04s

It's odd isn't it? I have seen many examples showing trunk defined as 'any' but in what seems like a newer doc here it defines a trunk as 'only untagged' . It does say though; CSS106 devices running SwOS version 2.12 can filter RSTP BPDU packets when enabling VLAN filtering on ports (VLAN Mode enabl...

Sorry, a bit more information. Omitted some obvious stuff. I'm trying to access via an access port on the switch CSS106 on VLAN10 which is the management VLAN. But there are no restrictions in the firewall or anything so it could easily be VLAN 12, 13 or 14 that I was testing. I'm just connecting in...

Hi, Hopefully someone can shed some light on this issue. I have a small setup consisting of a HEXs (RB760iGS), CSS106 (RB260GSP) and a cAP ac (RBcAPGi-5acD2ND). There is a trunk uplink carrying four VLANs from the HEXs > CSS106. This is implemented using bridge VLAN filtering and specific VLAN inter...

Changed all VHIDs and VRIDs so they are distinct and all is well again. Hopefully this helps someone else. The behavior experienced was odd because the VIPs worked and were accessible on the network to access both the Mikrotik and pfSense, but all outbound routes from Mikrotik > pfSense became disab...

Through further testing it appears there is possibly some conflict between CARP and VRRP. The vrid/vhid I'm using are the same on the Mikrotik (VRRP) and pfSense (CARP). Changing one of the vhid's on the pfSense gets the relevant route working. I've found possibly related issues here and here . Does...

Hi, thanks for taking a look. I've replaced the diagram on the post above with much more detail. To answer your question directly, no, the /24 subnets are used for each VLAN on both the trunk uplink and trunk links to the lower switches into the rest of the network. See below for further information...

Sure. EDIT: with a better image... https://i.ibb.co/gj35JMS/TM-Network-Failover.jpg This only shows the fully redundant part of the network, excluding any infrastructure none critical. Each have redundant links fully interconnected. Pfsenses provide WAN/NAT and Internet firewall. Uplinks are trunks ...

Hi everyone, Have been trying to add a second redundant Mikrotik router into an existing setup but following the VRRP configuration as per the Mikrotik docs doesn't work for me. I have several VLAN trunk uplinks from switches to the Mikrotik, and an onwards trunk to a firewall/WAN device. Mangle rul...

Which other parts do you want me to post? Here is the detailed and updated config since the OP; /interface Flags: D - dynamic; X - disabled, R - running; S - slave; P - passthrough 0 RS name="eth01-lan" default-name="ether1" type="ether" mtu=1500 actual-mtu=1500 l2mtu=1...

Sadly this didn't resolve it. I'd thought this had cracked it. The network had seemed more responsive but about four days later both uplinks to the Mikrotik from the 10G Netgears went into the D-Disable state, which was a worse case than before and brings down the network as one of those operates as...

Hi, When reviewing this, I'm not sure what specific configuration you would like me to provide? I don't think I explained fully, but both sides are not Mikrotik devices for the IPSec VPN connection. On the side in question the Mikrotik is uplinked to a firewall that provides WAN, NAT, Internet firew...

You would, but the full configuration wasn't provided so any other use if interfaces was unknown. Of course, was merely pointing out I remembered I needed to do that. Not really relevant. The reason for the rules is this isn't the NAT device, that's the uplinked firewall. The trunk uplink is to hav...

This is working a treat! Appreciate the help. Had to also update DHCP relay to use the new VLAN interfaces. So far so good. There is one final thing however; I use routing marks in the mangle table to mark outbound (public IPs) per VLAN so I can pick it up in the routing rules and send to the correc...

Understood. Will try reconfiguring the bridge VLAN setup as per best practice.

Thanks,
t04s

Thanks for the pointers. What's odd is that RSTP is already enabled on the bridges and bridge ports are set to auto which are being dynamically detected as edge=yes . But yes, it seems like a reconfiguration to a single bridge is needed. I did try this and had some issue but will give it another go....

Hi Larsa,

Thanks for the reply. Unfortunately the local side is a Draytek 3910 but I can certainly get that from the remote side.

No problem, I'll come back on that.

Thanks,
t04s

I'm not sure what business or organisation you are referring to.

There already is a better solution in place so it's not an issue. This was a question purely for understanding. If you don't want to contribute, discuss and/or help then I don't understand what the purpose of you responding is.

I'm sorry, I thought this was a forum to post questions and ask for help... otherwise what's the point of it?

Thanks,
t04s

RouterOS: v7.2.2 Router: CCR1036-12G-4S --- Hi, Hopefully someone can help. We've recently been having RSTP problems with one of our switches, where a failover link has been getting disabled. From what I read it looks like the problem could be that we don't have VLAN filtering on our bridges which s...

Does anyone have any ideas about the best way to achieve this?

Thanks,
t04s

RouterOS: v6.48.4 Router: CCR1036-12G-4S --- Hi, We have a remote site with four VLANs configured such as; Management VLAN - 172.22.20.0/24 VLAN 1 - 172.22.21.0/24 VLAN 2 - 172.22.22.0/24 VLAN 3 - 172.22.23.0/24 Inter-VLAN routing is enabled and we restrict back VLAN traffic using the built-in firew...