Hello..
My setup is "working" and have access to my wireless ap, and all designated vlans seem to work on tagged and untagged ports, tho only have access through LAN.

The setup Qotom 1U --> CRS328 --> GS7665

I want to setup a mgmt vlan on network. I have a opnsense on the qotom with 4 vlans and 1 mgmt vlan 99. I had problems getting the opnsense to use the just 1 sfp+, and i bricked my opnsense on the qotom several times now. So now Lan and vlan99 is on igc2 (2.5gbe)/ether 23 and the 4 vlans on sfp+/sfp1plus. I've setup ip and and routes "correctly", but can't access vlan99 on untagged ether 8. How do i troubleshoot this? Do i have to keep LAN, or have to let Lan and vlan99 run side by side or smth else needed?

This article may be of your interest

Bridging and Switching
Management access configuration
https://help.mikrotik.com/docs/spaces/R ... figuration

Find the appropriate switch example: viewtopic.php?t=143620
Decent video: https://www.youtube.com/watch?v=YLtGQAQ8iS0

This article may be of your interest

Bridging and Switching
Management access configuration
https://help.mikrotik.com/docs/spaces/R ... figuration

Thx i need to find another way to access mgnt as it's not working now. I have tagged and vlan filtering on now..

Find the appropriate switch example: viewtopic.php?t=143620
Decent video: https://www.youtube.com/watch?v=YLtGQAQ8iS0

I'll try the link and get more comfortable with it.

I have used the exact guide in link 2, worked a charm except vlan99..

Without seeing any config, no facts, no evidence, impossible to advise further.

Without seeing any config, no facts, no evidence, impossible to advise further.

Do i show the config in text form - or do screenshots of different configs in winbox?

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

model = CRS328-24P-4S+
# serial number =
/interface bridge
add ingress-filtering=no name=Bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether16 ] disabled=yes
set [ find default-name=ether17 ] disabled=yes
set [ find default-name=ether18 ] disabled=yes
set [ find default-name=ether19 ] disabled=yes
set [ find default-name=ether20 ] disabled=yes
set [ find default-name=ether21 ] disabled=yes
set [ find default-name=ether22 ] disabled=yes
set [ find default-name=ether24 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface vlan
add comment="\"MGMT\"" interface=Bridge name=vlan0.5.99 vlan-id=99
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool1 ranges=192.168.1.2-192.168.1.100
/port
set 0 name=serial0
/interface bridge port
add bridge=Bridge comment=AP-99-10-20-30 interface=ether1
add bridge=Bridge comment=iot ingress-filtering=no interface=ether2 pvid=20
add bridge=Bridge ingress-filtering=no interface=ether3 pvid=10
add bridge=Bridge comment=Trusted ingress-filtering=no interface=ether4 pvid=10
add bridge=Bridge comment=Trusted ingress-filtering=no interface=ether5 pvid=10
add bridge=Bridge comment=Trusted ingress-filtering=no interface=ether6 pvid=10
add bridge=Bridge comment=DMZ ingress-filtering=no interface=ether7 pvid=40
add bridge=Bridge interface=ether8
add bridge=Bridge interface=ether23
add bridge=Bridge interface=sfp-sfpplus1 unknown-unicast-flood=no
add bridge=Bridge comment=DMZ interface=sfp-sfpplus2 pvid=40 \
unknown-unicast-flood=no
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=Bridge comment=MGMT tagged=ether23,Bridge,ether1 untagged=ether8 \
vlan-ids=99
add bridge=Bridge comment=Trusted tagged=sfp-sfpplus1,ether1,Bridge vlan-ids=10
add bridge=Bridge comment=DMZ tagged=sfp-sfpplus1 untagged=ether7,sfp-sfpplus2 \
vlan-ids=40
add bridge=Bridge comment=iot tagged=Bridge,ether1,sfp-sfpplus1 untagged=ether2 \
vlan-ids=20
add bridge=Bridge comment=Guest tagged=Bridge,ether1,sfp-sfpplus1 vlan-ids=30
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.99.2/24 comment=defconf interface=ether2 network=\
192.168.99.0
add address=192.168.99.2/24 comment="\"MGMT\"" interface=vlan0.5.99 network=\
192.168.99.0
/ip dhcp-client
add disabled=yes interface=Bridge
/ip dns
set servers=9.9.9.9,1.1.1.1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.9.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=MGMT disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
192.168.99.1 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=
/system note

You have to set pvid=99 on ether8 ... currently these are not correctly related:

/interface bridge port
add bridge=Bridge interface=ether8

/interface bridge vlan
add bridge=Bridge comment=MGMT tagged=ether23,Bridge,ether1 untagged=ether8 \
vlan-ids=99

Default pvid setting (and thus not shown in export) is pvid=1 ...

You have to set pvid=99 on ether8 ... currently these are not correctly related:

/interface bridge port
add bridge=Bridge interface=ether8

/interface bridge vlan
add bridge=Bridge comment=MGMT tagged=ether23,Bridge,ether1 untagged=ether8 \
vlan-ids=99

Default pvid setting (and thus not shown in export) is pvid=1 ...

Yeah both my opnsense and the 328 moved to Vlan99, maybe need to static map the GS7665, as it did not move to 99..

Anything else i missed?

bridge=Bridge interface=ether8 pvid=99

Only management vlan has bridge tagged in /interface bridge vlan.
....

model = CRS328-24P-4S+
# serial number =
/interface bridge
add ingress-filtering=no name=Bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether24 ] name=OffBridge24
/interface vlan
add comment="\"MGMT\"" interface=Bridge name=vlan0.5.99 vlan-id=99
/interface list
add name=TRUSTED
/interface bridge port
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether1 comment=AP-99-10-20-30
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether2 pvid=20 comment="iot-accessport"
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether3 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether4 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether5 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether6 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether7 pvid=40 comment=DMZ
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether8 pvid=99 comment="management pc"
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether23
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=sfp-sfpplus1 unknown-unicast-flood=no
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=sfp-sfpplus2 pvid=40 comment=DMZ unknown-unicast-flood=no
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=Bridge comment=Trusted tagged=ether1,sfp-sfpplus1 untagged=ether3,ether4,ether5,ether6 vlan-ids=10
add bridge=Bridge comment=iot tagged=ether1,sfp-sfpplus1 untagged=ether2 vlan-ids=20
add bridge=Bridge comment=DMZ tagged=ether1,sfp-sfpplus1 untagged=ether7,sfp-sfpplus2 vlan-ids=40
add bridge=Bridge comment=MGMT tagged=Bridge,ether1,sfpplus1,ether23 untagged=ether8 vlan-ids=99
/interface list member
add interface=vlan0.5.99 list=TRUSTED
add interface=OffBridge24 list=TRUSTED
/ip address
add address=192.168.99.2/24 comment="\"MGMT\"" interface=vlan0.5.99 network=192.168.99.0
add address=192.167.77.1/30 interface=OffBridge24 network=192.168.77.0
/ip dns
set servers=192.168.99.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1 routing-table=main
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.99.1

I personally would not use ether8 as management port as any tom dick and harry can plug a device into ether 8 and be automatically in the management network.
At least with off bridge 24, you have to know to put 192.168.77.2 into the IPV4 settings to gain access.

Only management vlan has bridge tagged in /interface bridge vlan.
....

model = CRS328-24P-4S+
# serial number =
/interface bridge
add ingress-filtering=no name=Bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether24 ] name=OffBridge24
/interface vlan
add comment="\"MGMT\"" interface=Bridge name=vlan0.5.99 vlan-id=99
/interface list
add name=TRUSTED
/interface bridge port
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether1 comment=AP-99-10-20-30
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether2 pvid=20 comment="iot-accessport"
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether3 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether4 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether5 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether6 pvid=10
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether7 pvid=40 comment=DMZ
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether8 pvid=99 comment="management pc"
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=ether23
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=sfp-sfpplus1 unknown-unicast-flood=no
add bridge=Bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=sfp-sfpplus2 pvid=40 comment=DMZ unknown-unicast-flood=no
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=Bridge comment=Trusted tagged=ether1,sfp-sfpplus1 untagged=ether3,ether4,ether5,ether6 vlan-ids=10
add bridge=Bridge comment=iot tagged=ether1,sfp-sfpplus1 untagged=ether2 vlan-ids=20
add bridge=Bridge comment=DMZ tagged=ether1,sfp-sfpplus1 untagged=ether7,sfp-sfpplus2 vlan-ids=40
add bridge=Bridge comment=MGMT tagged=Bridge,ether1,sfpplus1,ether23 untagged=ether8 vlan-ids=99
/interface list member
add interface=vlan0.5.99 list=TRUSTED
add interface=OffBridge24 list=TRUSTED
/ip address
add address=192.168.99.2/24 comment="\"MGMT\"" interface=vlan0.5.99 network=192.168.99.0
add address=192.167.77.1/30 interface=OffBridge24 network=192.168.77.0
/ip dns
set servers=192.168.99.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1 routing-table=main
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.99.1

I personally would not use ether8 as management port as any tom dick and harry can plug a device into ether 8 and be automatically in the management network.
At least with off bridge 24, you have to know to put 192.168.77.2 into the IPV4 settings to gain access.

"/ip address
add address=192.168.99.2/24 comment="\"MGMT\"" interface=vlan0.5.99 network=192.168.99.0
add address=192.167.77.1/30 interface=OffBridge24 network=192.168.77.0"

This would still be smth like 192.168.99.x/30 right, i dont understand how the addition of 192.167.77.1/30 works i must admit?

Thx for the guided help in the config - tho i have a hard time understanding all the settings. I have made the offbridge24 and will get this done, mgmt network should be hidden or no point..

the idea is that 192.168.77.1/30 means only two usable IP addresses 192.168.77.1 and 192.167.77.2
hence plug in your laptop to ether24 and ensure 192.168.77.2 is set manually on the laptops IPV4 settings.

This creates a safe spot to do vlan configs on any mikrotik device.
You can disable the port after if you dont want to keep it.

the idea is that 192.168.77.1/30 means only two usable IP addresses 192.168.77.1 and 192.167.77.2
hence plug in your laptop to ether24 and ensure 192.168.77.2 is set manually on the laptops IPV4 settings.

This creates a safe spot to do vlan configs on any mikrotik device.
You can disable the port after if you dont want to keep it.

I'm stuck here, how do i add the list member - both of these?

/interface list member
add interface=vlan0.5.99 list=TRUSTED
add interface=OffBridge24 list=TRUSTED

/ip address
add address=192.168.99.2/24 comment="\"MGMT\"" interface=vlan0.5.99 network=192.168.99.0
add address=192.167.77.1/30 interface=OffBridge24 network=192.168.77.0
/ip dns
set servers=192.168.99.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1 routing-table=main
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.99.1