mattbiegner22
just joined
Topic Author
Posts: 17
Joined: Tue Mar 25, 2025 6:15 am

Beginner VLAN questions

Tue Mar 25, 2025 6:36 am

Hello,

I'm relatively new to MikroTik [and networking in general] and am trying to set up a few VLANs for my home network. Specifically, right now I'm trying to set up a management VLAN (99) as a confidence booster for myself to prove I can do this. Right now, I'm just trying to get an RB3011UiAS, CRS326-24G-2S+ and 2 Synology DiskStations to talk to each other on the same VLAN. See the diagram below:
[attached diagram: vlan99-2.jpg]
Anyway, so right now after following a YouTube tutorial, I'm able to get the CRS326 to talk to the 2 Synology NAS units, but can't ping out to the router. Similarly, I can't ping the CRS326 from the router either. In a weird turn of events, I tried rebooting the router and could momentarily ping 10.10.99.1 from the CRS326 (and could ping everything from the router), but then the CRS326 session timed out and when I re-logged in I lost the ability to ping 10.10.99.1. I'm assuming I have a routing problem but I can't for the life of me figure out where the problem is.

See the following router and switch configs:

RB3011UiAS config:
# 2025-03-24 19:05:02 by RouterOS 7.18.2
# software id = PT7B-Q7JZ
#
# model = RB3011UiAS
# serial number = E7E70FD05ECE
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bonding
add mode=802.3ad name="lacp_src=rb3011UiAS_dst=crs326-24g-2s+" slaves=\
    ether3,ether6
/interface vlan
add interface="lacp_src=rb3011UiAS_dst=crs326-24g-2s+" name=vlan99 vlan-id=99
/interface list
add name=WAN
add name=LAN
/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=sec1
/interface wifi configuration
add channel.band=5ghz-ac .skip-dfs-channels=all .width=20/40mhz country=\
    "United States" datapath=datapath1 disabled=no name=cfg1 security=sec1 \
    ssid="Nakatomi Plaza Wifi 5G"
add channel.band=2ghz-ax .width=20/40mhz country="United States" datapath=\
    datapath1 disabled=no name=cfg2 security=sec1 ssid=\
    "Nakatomi Plaza Wifi 2G"
/interface wifi
# operated by CAP 10.10.1.7, traffic processing on CAP
add channel.frequency=2300-7000 configuration=cfg1 configuration.mode=ap \
    disabled=no name=cap-wifi1 radio-mac=78:9A:18:72:17:9C
# operated by CAP 10.10.1.7, traffic processing on CAP
add configuration=cfg2 configuration.mode=ap disabled=no name=cap-wifi2 \
    radio-mac=78:9A:18:72:17:9D
/ip pool
add name=dhcp ranges=10.10.1.80-10.10.1.126
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface="lacp_src=rb3011UiAS_dst=crs326-24g-2s+"
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether10
/interface bridge vlan
add bridge=bridge1 tagged="lacp_src=rb3011UiAS_dst=crs326-24g-2s+" vlan-ids=\
    99
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface ovpn-server server
add mac-address=FE:89:40:16:89:80 name=ovpn-server1
/interface wifi cap
set caps-man-addresses=127.0.0.1 discovery-interfaces=bridge1 enabled=yes
/interface wifi capsman
set enabled=yes interfaces=bridge1 package-path="" require-peer-certificate=\
    no upgrade-policy=none
/ip address
add address=10.10.1.1/25 interface=bridge1 network=10.10.1.0
add address=10.10.99.1/28 interface=vlan99 network=10.10.99.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.1.0/25 dns-server=10.10.1.11,10.10.1.12 domain=HOME.local \
    gateway=10.10.1.1 netmask=25
/ip firewall address-list
add address=10.10.1.0/25 comment=General list=LANs
add address=e7e70fd05ece.sn.mynetname.net list=WANs
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connections for hairpin NAT" dst-address-list=WANs \
    new-connection-mark="Hairpin NAT" src-address-list=LANs
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Required Rule for all outbound WAN traffic" out-interface=ether1
add action=masquerade chain=srcnat comment=\
    "Hairpin NAT allows routing of LAN resources using WAN hostnames" \
    connection-mark="Hairpin NAT"
add action=dst-nat chain=dstnat comment="Port forward: HTTPS" \
    dst-address-list=WANs dst-port=443 protocol=tcp to-addresses=10.10.1.10 \
    to-ports=443
add action=dst-nat chain=dstnat comment=\
    "Port forward: HTTP (for certificate renewal only)" dst-address-list=WANs \
    dst-port=80 protocol=tcp to-addresses=10.10.1.10 to-ports=80
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=RB3011UiAS
/system note
set show-at-login=no
/tool romon
set enabled=yes
CRS326-24G-2S+ config:

# 2025-03-24 21:11:19 by RouterOS 7.18.2
# software id = VCMN-0DTR
#
# model = CRS326-24G-2S+
# serial number = HGC09X36BN2
/interface bridge
add admin-mac=D4:01:C3:83:C0:CF auto-mac=no name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
/interface bonding
add mode=802.3ad name="lacp_src=crs326-24g-2s+_dst=dc1.home.local" slaves=\
ether6,ether8
add mode=802.3ad name="lacp_src=crs326-24g-2s+_to_crs309-1g-8s+" slaves=\
sfp-sfpplus1,sfp-sfpplus2
add mode=802.3ad name="lacp_src=rb3011uias_to_crs326-24g-2s+" slaves=\
ether3,ether5
/interface list
add name=WAN
add name=LAN
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether7
add bridge=bridge1 comment=defconf interface=ether9
add bridge=bridge1 comment=defconf interface=ether10 pvid=99
add bridge=bridge1 comment=defconf interface=ether11
add bridge=bridge1 comment=defconf interface=ether12
add bridge=bridge1 comment=defconf interface=ether13
add bridge=bridge1 comment=defconf interface=ether14
add bridge=bridge1 comment=defconf interface=ether15
add bridge=bridge1 comment=defconf interface=ether16
add bridge=bridge1 comment=defconf interface=ether17
add bridge=bridge1 comment=defconf interface=ether18 pvid=99
add bridge=bridge1 comment=defconf interface=ether19
add bridge=bridge1 comment=defconf interface=ether20
add bridge=bridge1 comment=defconf interface=ether21
add bridge=bridge1 comment=defconf interface=ether22
add bridge=bridge1 comment=defconf interface=ether23
add bridge=bridge1 comment=defconf interface=ether24
add bridge=bridge1 interface="lacp_src=rb3011uias_to_crs326-24g-2s+"
add bridge=bridge1 interface="lacp_src=crs326-24g-2s+_to_crs309-1g-8s+"
add bridge=bridge1 interface="lacp_src=crs326-24g-2s+_dst=dc1.home.local"
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=bridge1 tagged="lacp_src=rb3011uias_to_crs326-24g-2s+,bridge1" \
untagged=ether18,ether10 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
/interface ovpn-server server
add mac-address=FE:F4:EB:25:D5:B4 name=ovpn-server1
/ip address
add address=10.10.99.2/28 interface=vlan99 network=10.10.99.0
add address=10.10.1.2/25 interface="lacp_src=rb3011uias_to_crs326-24g-2s+" \
network=10.10.1.0
/ip dhcp-client
add disabled=yes interface=bridge1
/ip dns
set servers=10.10.1.11
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.99.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=CRS326-24G-2S+
/system logging
add topics=debug
add topics=info
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool romon
set enabled=yes
 
erlinden
Forum Guru
Posts: 2996
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Beginner VLAN questions

Tue Mar 25, 2025 2:42 pm

For (nearly) any VLAN question please read this great topic:
viewtopic.php?t=143620
 
mattbiegner22
just joined
Topic Author
Posts: 17
Joined: Tue Mar 25, 2025 6:15 am

Re: Beginner VLAN questions

Tue Mar 25, 2025 8:00 pm

Thanks, but I've already tried that tutorial, as well as this one:

https://www.youtube.com/watch?v=YLtGQAQ8iS0

I'm still unable to ping from the switch to the router on my management VLAN IPs.
 
CGGXANNX
Long time Member
Posts: 510
Joined: Thu Dec 21, 2023 6:45 pm

Re: Beginner VLAN questions

Tue Mar 25, 2025 8:48 pm

On your RB3011UiAS you are missing the bridge1 port as tagged port of the VLAN entry. This line:

/interface bridge vlan
add bridge=bridge1 tagged="lacp_src=rb3011UiAS_dst=crs326-24g-2s+" vlan-ids=\
    99

should become:

/interface bridge vlan
add bridge=bridge1 tagged="lacp_src=rb3011UiAS_dst=crs326-24g-2s+,bridge1" vlan-ids=99

On the switch you have it correct.
 
mattbiegner22
just joined
Topic Author
Posts: 17
Joined: Tue Mar 25, 2025 6:15 am

Re: Beginner VLAN questions

Tue Mar 25, 2025 9:53 pm

Ok, on the router this is what my VLAN config looks like now (I renamed the interfaces to bonding1 and bonding3 for simplicity).

And I'm still only able to ping locally on each device:

[admin@CRS326-24G-2S+] > ping 10.10.99.1
SEQ HOST SIZE TTL TIME STATUS
0 10.10.99.1 timeout
1 10.10.99.1 timeout
2 10.10.99.1 timeout
3 10.10.99.2 84 64 124ms219us host unreachable
sent=4 received=0 packet-loss=100%

[admin@CRS326-24G-2S+] > ping 10.10.99.2
SEQ HOST SIZE TTL TIME STATUS
0 10.10.99.2 56 64 331us
1 10.10.99.2 56 64 253us
2 10.10.99.2 56 64 251us
sent=3 received=3 packet-loss=0% min-rtt=251us avg-rtt=278us max-rtt=331us

[admin@CRS326-24G-2S+] > ping 10.10.99.4
SEQ HOST SIZE TTL TIME STATUS
0 10.10.99.4 56 64 343us
1 10.10.99.4 56 64 421us
sent=2 received=2 packet-loss=0% min-rtt=343us avg-rtt=382us max-rtt=421us

[admin@CRS326-24G-2S+] > ping 10.10.99.5
SEQ HOST SIZE TTL TIME STATUS
0 10.10.99.5 56 64 448us
1 10.10.99.5 56 64 351us
2 10.10.99.5 56 64 356us
sent=3 received=3 packet-loss=0% min-rtt=351us avg-rtt=385us max-rtt=448us

[admin@RB3011UiAS] /interface/bridge/vlan> print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE   VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridge1        99  bridge1                         
                       bonding1                        
;;; added by pvid
1 D bridge1         1                  bridge1         
                                       ether4          
                                       ether8          
                                       bonding1        
                                       ether9          
                                       ether10  
                                       
[admin@CRS326-24G-2S+] /interface/bridge/vlan> print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE   VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridge1        99  bridge1         ether10         
                       bonding3        ether18         
;;; added by pvid
1 D bridge1         1                  bridge1         
                                       bonding1        
                                       ether7          
                                       ether9          
                                       ether11         
                                       ether12         
                                       ether22         
                                       ether24         
                                       bonding2        
                                       ether1          
                                       bonding3        
;;; added by pvid
2 D bridge1        20                  bonding4  

[admin@RB3011UiAS] /interface/bonding> print 
Flags: X - disabled; R - running 
 0  R ;;; LACP 802.23ad b/w RB3011UiAS and CRS326-24g-2s+
      name="bonding1" mtu=1500 mac-address=DC:2C:6E:A4:89:44 arp=enabled arp-timeout=auto 
      slaves=ether3,ether6 mode=802.3ad primary=none link-monitoring=mii arp-interval=100ms 
      arp-ip-targets="" mii-interval=100ms down-delay=0ms up-delay=0ms lacp-rate=30secs 
      transmit-hash-policy=layer-2 min-links=0 

[admin@CRS326-24G-2S+] /interface/bonding> print
Flags: X - disabled; R - running 
 0  R ;;; LACP 802.23ad b/w CRS326-24G-2S+ and DC1.home.local
      name="bonding1" mtu=1500 mac-address=D4:01:C3:83:C0:D4 arp=enabled arp-timeout=auto slaves=ether6,ether8 mode=802.3ad primary=none 
      link-monitoring=mii arp-interval=100ms arp-ip-targets="" mii-interval=100ms down-delay=0ms up-delay=0ms lacp-rate=30secs 
      transmit-hash-policy=layer-2 min-links=0 

 1  R ;;; LACP 802.23ad b/w CRS326-24g-2s+ and CRS309-1g-8s+ 
      name="bonding2" mtu=1500 mac-address=D4:01:C3:83:C0:E7 arp=enabled arp-timeout=auto slaves=sfp-sfpplus1,sfp-sfpplus2 mode=802.3ad 
      primary=none link-monitoring=mii arp-interval=100ms arp-ip-targets="" mii-interval=100ms down-delay=0ms up-delay=0ms lacp-rate=30secs 
      transmit-hash-policy=layer-2 min-links=0 

 2  R ;;; LACP 802.23ad b/w RB3011UiAS and CRS326-24g-2s+
      name="bonding3" mtu=1500 mac-address=D4:01:C3:83:C0:D1 arp=enabled arp-timeout=auto slaves=ether3,ether5 mode=802.3ad primary=none 
      link-monitoring=mii arp-interval=100ms arp-ip-targets="" mii-interval=100ms down-delay=0ms up-delay=0ms lacp-rate=30secs 
      transmit-hash-policy=layer-2 min-links=0 

 3  R ;;; LACP 802.23ad b/ww CRS326-24g-2s+ and DS3622xs+
      name="bonding4" mtu=1500 mac-address=D4:01:C3:83:C0:D0 arp=enabled arp-timeout=auto slaves=ether2,ether4 mode=802.3ad primary=none 
      link-monitoring=mii arp-interval=100ms arp-ip-targets="" mii-interval=100ms down-delay=0ms up-delay=0ms lacp-rate=30secs 
      transmit-hash-policy=layer-2 min-links=0 
                                       
 
CGGXANNX
Long time Member
Posts: 510
Joined: Thu Dec 21, 2023 6:45 pm

Re: Beginner VLAN questions

Tue Mar 25, 2025 9:57 pm

Oh, and this (on RB3011)

/interface vlan
add interface="lacp_src=rb3011UiAS_dst=crs326-24g-2s+" name=vlan99 vlan-id=99

should be

/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
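The two corrections above (the VLAN interface must sit on bridge1 rather than on the bonding, and bridge1 must itself be a tagged member of the bridge VLAN entry) can be checked mechanically from an `/export` before anything is applied. The linter below is an added example, not code from this thread or from MikroTik: it parses export text, applies both checks to every VLAN interface that ends up on a VLAN-filtering bridge, and also flags tagged/untagged member names that are not the bridge or one of its ports (a generalization that catches typos in trunk names). The three sample configs are constructed, abridged from the router and switch exports posted in the thread; `parse_export` and `lint_bridge_vlans` are this example's own names.

```python
"""Added example (not MikroTik's code): lint RouterOS '/export' text for the
bridge-VLAN mistakes discussed in this thread. It reads text only."""
import re
import shlex


def parse_export(text):
    """Return (menu, command, params) triples from export text; joins
    backslash-continued lines, skips '#' comments and keeps quoted values whole."""
    joined = re.sub(r"\\\n\s*", "", text)
    entries, menu = [], None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line                      # e.g. "/interface bridge vlan"
            continue
        parts = shlex.split(line)
        params = {}
        for part in parts[1:]:
            if "=" in part:
                key, value = part.split("=", 1)
                params[key] = value
        entries.append((menu, parts[0], params))
    return entries


def lint_bridge_vlans(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_export(text)
    adds = lambda menu: [p for m, c, p in entries if m == menu and c == "add"]
    bridges = {p["name"] for p in adds("/interface bridge")
               if p.get("vlan-filtering") == "yes"}
    port_bridge = {p["interface"]: p["bridge"] for p in adds("/interface bridge port")}
    bridge_vlans = adds("/interface bridge vlan")
    findings = []
    for v in adds("/interface vlan"):
        parent, vid = v["interface"], v["vlan-id"]
        bridge = parent if parent in bridges else port_bridge.get(parent)
        if bridge not in bridges:
            continue                         # VLAN on a standalone interface: out of scope
        # Check 1: with vlan-filtering the VLAN interface belongs on the bridge, not a port
        if parent != bridge:
            findings.append(f"{v['name']}: attached to bridge port {parent!r}; "
                            f"create it on {bridge} instead")
        # Check 2: the bridge itself (the CPU side) must be a tagged member of that VLAN
        tagged = set()
        for bv in bridge_vlans:
            if bv.get("bridge") == bridge and vid in bv.get("vlan-ids", "").split(","):
                tagged.update(bv.get("tagged", "").split(","))
        if bridge not in tagged:
            findings.append(f"{v['name']}: {bridge} is not a tagged member of "
                            f"vlan-ids={vid}, so its own address on this VLAN is unreachable")
    # Check 3: every tagged/untagged member must be the bridge or one of its ports
    for bv in bridge_vlans:
        known = {bv.get("bridge")} | {i for i, b in port_bridge.items() if b == bv.get("bridge")}
        for field in ("tagged", "untagged"):
            for name in filter(None, bv.get(field, "").split(",")):
                if name not in known:
                    findings.append(f"vlan-ids={bv.get('vlan-ids')}: {field} member "
                                    f"{name!r} is not {bv.get('bridge')} or one of its ports")
    return findings


# Constructed samples, abridged from the two configs posted in this thread.
ROUTER_POSTED = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface="lacp_src=rb3011UiAS_dst=crs326-24g-2s+" name=vlan99 vlan-id=99
/interface bridge port
add bridge=bridge1 interface="lacp_src=rb3011UiAS_dst=crs326-24g-2s+"
/interface bridge vlan
add bridge=bridge1 tagged="lacp_src=rb3011UiAS_dst=crs326-24g-2s+" vlan-ids=\\
    99
"""
# The same export with both corrections from this thread applied.
ROUTER_FIXED = ROUTER_POSTED.replace(
    'interface="lacp_src=rb3011UiAS_dst=crs326-24g-2s+" name=vlan99', "interface=bridge1 name=vlan99"
).replace('2s+" vlan-ids=', '2s+,bridge1" vlan-ids=')
SWITCH = """\
/interface bridge
add admin-mac=D4:01:C3:83:C0:CF auto-mac=no name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether10 pvid=99
add bridge=bridge1 interface="lacp_src=rb3011uias_to_crs326-24g-2s+"
/interface bridge vlan
add bridge=bridge1 tagged="lacp_src=rb3011uias_to_crs326-24g-2s+,bridge1" \\
    untagged=ether10 vlan-ids=99
"""

if __name__ == "__main__":
    for label, cfg in (("router as posted", ROUTER_POSTED),
                       ("router fixed", ROUTER_FIXED), ("switch", SWITCH)):
        print(f"{label}: {lint_bridge_vlans(cfg) or 'ok'}")
```

Run as a script, the router export as posted produces the two findings that match the advice in this thread, while the corrected router and the switch produce none. The parser deliberately accepts any menu path and ignores `set` lines, so a full `/export` can be pasted in unchanged; checks that depend on a VLAN interface attached to a plain ethernet port (no VLAN-filtering bridge involved) are skipped rather than reported.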
 
mattbiegner22
just joined
Topic Author
Posts: 17
Joined: Tue Mar 25, 2025 6:15 am

Re: Beginner VLAN questions

Tue Mar 25, 2025 10:06 pm

That's what I thought I had and it's still not working...
[admin@RB3011UiAS] > /interface/vlan print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
#   NAME              MTU  ARP      VLAN-ID  INTERFACE
0 R management_vlan  1500  enabled       99  bridge1 
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner VLAN questions

Wed Mar 26, 2025 4:22 pm

Repost both configs for review and use code tags for both.
 
mattbiegner22
just joined
Topic Author
Posts: 17
Joined: Tue Mar 25, 2025 6:15 am

Re: Beginner VLAN questions

Wed Mar 26, 2025 10:56 pm

I did try to start from a clean slate, so the config is more complete than what I originally posted (it has NAT and firewall rules added).

Here's the router:
# 2025-03-26 13:51:17 by RouterOS 7.18.2
# software id = PT7B-Q7JZ
#
# model = RB3011UiAS
# serial number = E7E70FD05ECE
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="WAN ethernet port"
set [ find default-name=ether2 ] comment="LACP Port 1: CRS326-24G-2S+"
set [ find default-name=ether4 ] comment=\
    "Alternate Management Port for CRS326-24G-2S+"
set [ find default-name=ether6 ] comment="LACP Port 2: CRS326-24G-2S+"
set [ find default-name=ether9 ] comment="Raspberry Pi POE Switch"
set [ find default-name=ether10 ] comment="WAP POE ethernet"
set [ find default-name=sfp1 ] comment="DISABLED FOR SECURITY" disabled=yes
/interface vlan
add interface=bridge1 name=mgmt_vlan vlan-id=99
/interface bonding
add comment="LACP: CRS326-24G-2S+" mode=802.3ad name=bonding1 slaves=\
    ether2,ether6
/interface list
add name=WAN
add name=LAN
/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no encryption="" name=sec1
/interface wifi
# operated by CAP 10.10.1.7, traffic processing on CAP
add channel.band=5ghz-ax .width=20/40/80mhz comment="Wireless - 5GHz" \
    configuration.country="United States" .mode=ap .ssid=\
    "Nakatomi Plaza WiFi 5G" datapath=datapath1 disabled=no name=cap-wifi1 \
    radio-mac=78:9A:18:72:17:9C security=sec1 security.wps=disable
# operated by CAP 10.10.1.7, traffic processing on CAP
add channel.band=2ghz-ax .width=20/40mhz comment="Wireless - 2.4GHz" \
    configuration.country="United States" .mode=ap .ssid=\
    "Nakatomi Plaza WiFi 2G" datapath=datapath1 disabled=no name=cap-wifi2 \
    radio-mac=78:9A:18:72:17:9D security=sec1 security.wps=disable
/ip pool
add name=dhcp ranges=10.10.1.80-10.10.1.126
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/snmp community
set [ find default=yes ] disabled=yes
add addresses=10.10.1.0/25 authentication-protocol=SHA1 encryption-protocol=\
    AES name=private security=private
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 comment="Alternate Access Port for CRS326-24G-2S+" \
    interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 comment="Raspberry Pi POE Switch" interface=ether9
add bridge=bridge1 comment="WAP POE ethernet" interface=ether10
add bridge=bridge1 comment="DISABLED FOR SECURITY" disabled=yes interface=\
    sfp1
add bridge=bridge1 comment="LACP: CRS326-24G-8S+" interface=bonding1
/ipv6 settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=bonding1,bridge1 vlan-ids=99
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wifi cap
set caps-man-addresses=127.0.0.1
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
    none
/ip address
add address=10.10.1.1/25 interface=bridge1 network=10.10.1.0
add address=10.10.99.1/28 interface=mgmt_vlan network=10.10.99.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.1.0/25 dns-server=10.10.1.11,10.10.1.12 domain=HOME.local \
    gateway=10.10.1.1 netmask=25
/ip dns
set allow-remote-requests=yes servers=10.10.1.11,10.10.1.12
/ip firewall address-list
add address=10.10.1.0/25 comment=General list=LAN
add address=e7e70fd05ece.sn.mynetname.net list=WAN
add address=10.10.1.1 list=router
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connections for hairpin NAT" dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: hairpin nat" \
    connection-mark="Hairpin NAT" ipsec-policy=out,none
add action=dst-nat chain=dstnat comment=\
    "port forward: https connections to synbad.home.local" dst-address-list=\
    !router dst-address-type=local dst-port=443 protocol=tcp to-addresses=\
    10.10.1.10 to-ports=443
add action=dst-nat chain=dstnat comment=\
    "port forward: ovpn server to synbad.home.local" dst-address-list=!router \
    dst-address-type=local dst-port=1194 protocol=udp to-addresses=10.10.1.10 \
    to-ports=1194
add action=dst-nat chain=dstnat comment="port forward: http connections to syn\
    bad.home.local (for lets encrypt certificate renewals only - normally disa\
    bled)" disabled=yes dst-address-list=!router dst-address-type=local \
    dst-port=80 protocol=tcp to-addresses=10.10.1.10 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "port forward: DS3622XS+ ILOM to synbad.home.local" dst-address-list=\
    !router dst-address-type=local dst-port=57 protocol=tcp to-addresses=\
    10.10.1.10 to-ports=57
add action=dst-nat chain=dstnat comment=\
    "port forward: Mongo Database to synbad.home.local (Docker)" \
    dst-address-list=!router dst-address-type=local dst-port=27017 protocol=\
    tcp to-addresses=10.10.1.10 to-ports=27017
add action=dst-nat chain=dstnat comment=\
    "port forward: Postgres Database to synbad.home.local (Docker)" \
    dst-address-list=!router dst-address-type=local dst-port=2665 protocol=\
    tcp to-addresses=10.10.1.10 to-ports=2665
add action=dst-nat chain=dstnat comment=\
    "port forward: Maria Database to synbad.home.local (Docker)" \
    dst-address-list=!router dst-address-type=local dst-port=3306 protocol=\
    tcp to-addresses=10.10.1.10 to-ports=3306
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.10.1.0/25
set www-ssl address=10.10.1.0/25 certificate=https-cert disabled=no
set api disabled=yes
set winbox address=10.10.1.0/25
set api-ssl address=10.10.1.0/25
/snmp
set contact="Matthew Biegner" enabled=yes location=HOME trap-community=\
    private trap-interfaces=all
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=RB3011UiAS-RM
/system note
set show-at-login=no
/system package update
set channel=testing
/tool graphing interface
add allow-address=10.10.1.0/25
Last edited by mattbiegner22 on Wed Mar 26, 2025 11:32 pm, edited 1 time in total.
 
mattbiegner22
just joined
Topic Author
Posts: 17
Joined: Tue Mar 25, 2025 6:15 am

Re: Beginner VLAN questions

Wed Mar 26, 2025 10:56 pm

And here's the switch (sorry, it wasn't letting me post 2 consecutive code tags):
# 2025-03-26 13:53:33 by RouterOS 7.18.2
# software id = VCMN-0DTR
#
# model = CRS326-24G-2S+
# serial number = HGC09X36BN2
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=mgmt_vlan vlan-id=99
/interface bonding
add comment="LACP: CRS309-1G-8S+" mode=802.3ad name=bonding1 slaves=\
    sfp-sfpplus1,sfp-sfpplus2
add comment="LACP: dc1.home.local" mode=802.3ad name=bonding2 slaves=\
    ether6,ether8
add comment="LACP: RB3011UiAS" mode=802.3ad name=bonding3 slaves=\
    ether3,ether5
add comment="LACP: NUC11PAHI7 media vlan" mode=802.3ad name=bonding4 slaves=\
    ether19,ether21
add comment="LACP: DS3622XS+ media vlan" mode=802.3ad name=bonding5 slaves=\
    ether2,ether4
/interface list
add name=WAN
add name=LAN
/port
set 0 name=serial0
/snmp community
set [ find default=yes ] disabled=yes
add addresses=10.10.1.0/25 authentication-protocol=SHA1 encryption-protocol=\
    AES name=private security=private
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 comment="Hue Bridge" interface=ether7
add bridge=bridge1 comment=NUC11PAHI7 interface=ether9
add bridge=bridge1 comment="DS423 Management" interface=ether10 pvid=99
add bridge=bridge1 comment="NUC11PAHI7 Management" interface=ether11
add bridge=bridge1 comment="Proxmox Management" interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 comment="DS3622XS+ Management" interface=ether18 pvid=99
add bridge=bridge1 interface=ether20
add bridge=bridge1 comment="Sonos Play 1" interface=ether22
add bridge=bridge1 comment="Apple TV" interface=ether23
add bridge=bridge1 comment="Sonos Play 1" interface=ether24
add bridge=bridge1 comment="LACP: CRS309-1G-8S+" interface=bonding1
add bridge=bridge1 comment="LACP: dc1.home.local" interface=bonding2
add bridge=bridge1 comment="LACP: RB3011UiAS" interface=bonding3
add bridge=bridge1 comment="LACP: NUC11PAHI7 media vlan" interface=bonding4
add bridge=bridge1 comment="LACP: DS3622XS+ media vlan" interface=bonding5
/ipv6 settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,bonding3 untagged=ether10,ether18 vlan-ids=\
    99
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=*24 list=LAN
/ip address
add address=10.10.1.2/25 interface=ether2 network=10.10.1.0
add address=10.10.99.2/28 interface=mgmt_vlan network=10.10.99.0
/ip dns
set servers=10.10.1.11,10.10.1.12
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.1.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.10.1.0/25
set www-ssl address=10.10.1.0/25 disabled=no
set api disabled=yes
set winbox address=10.10.1.0/25
set api-ssl address=10.10.1.0/25
/snmp
set contact="Matthew Biegner" enabled=yes location=HOME trap-community=\
    private trap-version=3
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=CRS326-24G-2S+
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner VLAN questions

Thu Mar 27, 2025 1:30 am

Can't help you since you're using CAPsMAN. Don't know how that interacts with bridges and VLANs, sorry.
 
mattbiegner22
just joined
Topic Author
Posts: 17
Joined: Tue Mar 25, 2025 6:15 am

Re: Beginner VLAN questions

Thu Mar 27, 2025 1:35 am

Is CAPsMAN known to interfere with bridges/VLANs? If that's a problem I'm happy to remove it.
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner VLAN questions

Thu Mar 27, 2025 1:43 am

Looking at it more closely I don't see any VLANs assigned in your CAP, so maybe 'tis okay...
Just didn't want to put my foot in it, so to speak.

Happy to take a look and pretend its not there LOL.

The first problem is that there is only one VLAN, the management vlan.
Where is the VLAN for the WiFi? Assuming both are guest WiFis and there would not be a different WiFi for anyone else???

So take your bridge DHCP and turn it into a vlan 11 for example.

What subnets (VLANs) are going to ports 3, 5, 7, 8, 9, 10? 2 and 6 are going to the switch; not sure why you have another port going to the switch??

Also recommending taking a non-used port and making an Offbridge access to safely make bridge vlan changes and also as an emerg local access.
 
mattbiegner22
just joined
Topic Author
Posts: 17
Joined: Tue Mar 25, 2025 6:15 am

Re: Beginner VLAN questions

Thu Mar 27, 2025 1:54 am

The alternate access interface between the RB3011 and CRS326 was supposed to be my off-VLAN access so I didn't keep kicking myself out, just poorly named.

Currently I'm just trying to get the management VLAN (10.10.99.0/28) set up; everything else should be on VLAN 1 (10.10.1.0/25). It was my understanding that everything defaults (maybe that's a poor choice of words) to pvid=1.
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner VLAN questions

Thu Mar 27, 2025 2:49 am

Okay, how to create an offbridge port: REMOVE ether4 from /interface bridge ports.

/interface ethernet
set [ find default-name=ether4 ] comment=OffBridge4 name=OffBridge4

/interface list
add list=TRUSTED

/interface list member
add interface=OffBridge4 list=TRUSTED
add interface=mgmt_vlan list=TRUSTED
add interface=mgmt_vlan list=LAN
add interface=OffBridge4 list=LAN
add interface=public_vlan list=LAN


/ip address
add address=192.168.77.1/30 interface=OffBridge4 network=192.168.77.0
add address=10.10.99.1/28 interface=mgmt_vlan network=10.10.99.0
add address=10.10.1.1/25 interface=public_vlan network=10.10.1.0


Now simply plug a laptop into ether4 on the router, change the IPv4 settings on the laptop to 192.168.77.2, and you should be in!!
Repeat for any mikrotik device when doing vlans and bridge.
++++++++++++++++++++++++++++++++++++++++
Additions/Mods

/interface vlan
add interface=bridge1 name=mgmt_vlan vlan-id=99
add interface=bridge1 name=public_vlan vlan-id=11


/ip pool
add name=dhcp ranges=10.10.1.80-10.10.1.126
add name=dhcp-manage ranges=10.10.99.2-10.10.99.14


/ip dhcp-server
add address-pool=dhcp interface=public_vlan name=dhcp1
add address-pool=dhcp-manage interface=mgmt_vlan name=dhcpMGMT


/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged comment="TRUNK 2+6 LACP: CRS326-24G-8S+" interface=bonding1
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether3 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether5 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether7 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether8 pvid=11
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether9 pvid=11 comment="R PI POE"
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether10 pvid=11 comment="WAP POE"


/interface bridge vlan
add bridge=bridge1 tagged=bridge1,bonding1 untagged=ether3,ether5,ether7,ether8,ether9,ether10 vlan-ids=11
add bridge=bridge1 tagged=bridge1,bonding1 vlan-ids=99


set this to NONE, known to cause problems!!!
/interface detect-internet
set detect-interface-list=none


/ip dhcp-server network
add address=10.10.1.0/25 dns-server=10.10.1.11,10.10.1.12 domain=HOME.local \
gateway=10.10.1.1 netmask=25
/ip dhcp-server network
add address=10.10.99.0/28 dns-server=10.10.99.1 gateway=10.10.99.1 netmask=28


/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input in-interface-list=TRUSTED
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp comment="users to services"
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp comment="users to services"
add action=drop chain=input comment="drop all else" { insert this rule here last of all rules to avoid getting locked out }
add action=accept chain=forward comment=" accept in ipsec " ipsec-policy=in,ipsec
add action=accept chain=forward comment=" accept out ipsec" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="access to all LAN" in-interface-list=TRUSTED out-interface-list=LAN
add action=drop chain=forward comment="drop all else"


See how far the above gets you.................
I am not sure of your mangle or nat rules....seems overly complex.

Missing:
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED


/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
 
anav
Forum Guru

Re: Beginner VLAN questions

Thu Mar 27, 2025 2:56 am

On the switch, are all ports used? If not, don't include them in the config.
Why is ether2 part of an LACP and yet you have an address assigned to it.....

More to the point, are all these other ports using 10.10.1.X addresses?
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13662
Joined: Thu Mar 03, 2016 10:23 pm

Re: Beginner VLAN questions

Thu Mar 27, 2025 9:58 am

is capsman known to interfere with bridges/vlans? If that's a problem I'm happy to remove it.
It's not. WiFi only attaches to bridge (on CAP device), when it comes to VLANs there might be a complication if CAP is running wifi-qcom-ac driver. Running CAPsMAN definitely doesn't affect the way wired ports/devices handle bridge/vlan. Due to this additional complication it's a must to figure out VLAN configuration fully (by using wired ports, they are somehow easier to set up) and only later tackle the WiFi (with or without CAPsMAN).
 
mattbiegner22
Topic Author

Re: Beginner VLAN questions

Sat Mar 29, 2025 6:02 am

Hi guys!

Sorry for the late response, but thanks for all the replies! I've been having all sorts of issues with the router. It seems to lose its brains after even simple changes that shouldn't affect it, like adding a VLAN interface and assigning an IP when VLAN filtering is still disabled on the bridge.

I added the off-bridge port and even connecting my laptop shows the router is resetting its IP to 0.0.0.0 and I can't log in to WinBox by MAC or IP. I have to pull the power cord to get it back to normal.

Anyway, I've removed all the VLANs and need to take a hard look at this router. I'm also wondering if adding bonded links is maybe complicating things with implementing VLANs? I wouldn't think so since it's a port in the bridge and I wouldn't think the VLAN would really see a difference at a high level. I'm going to try to model this in software first and then go from there. Thanks!
 
anav
Forum Guru

Re: Beginner VLAN questions

Sat Mar 29, 2025 4:44 pm

That is weird behaviour, perhaps the power cord or supply is wonky? Cables wonky? or maybe the router is toasted??
Suggest trying netinstall as well.
 
mattbiegner22
Topic Author

Re: Beginner VLAN questions

Fri Apr 04, 2025 8:11 pm

So I've been using GNS3 and the CHR version of ROS to try and simulate what I want to accomplish without having my working network down for an extended period of time.

With that being said, I've taken the guidance from the previous posts here (mainly staying away from the default pvid=1) and I've been having much better success. So far, about 95% of the devices are pingable across the various VLANs (10=general, 20=media and 99=management).

The other thing I forgot to mention is that I did have to drop the MTU by 4 bytes on the VLAN interfaces in the virtual environment. That doesn't seem to be too huge of an issue.

Here's an overall topology of the bigger items on the network (black is VLAN10, orange is VLAN20 and red is VLAN99):
network_topology_250404.PNG
DC1 is setup as an independent LAG in Server 2022, which is why it shows 2 connections to both the router and the switch with 1 IP. Only 1 of the adapters is actually active. It was the best I could do without having MLAG on CHR.

With that being said, I am currently having 2 issues:
  • The Plex Media Server RHEL 9.3 server can ping across all the VLANs, but it's not responding to any ICMP echos from other devices. I'm suspecting this might be a RHEL issue and not related to the routing -- EDIT: Just figured it out....f****ing SElinux strikes again! :lol:
  • The routing has been performing somewhat slow. Additionally, it seems that every now and then the network times out and then it sort of "catches up". If I start a ping, the latency will be 300-500ms and then finally drop to <1ms after a little bit. This might be related to the virtualized environment but I'm not sure. See images below.
intermittent_slow_ping_performance_1_250404.PNG
intermittent_slow_ping_performance_2_250404.PNG
And here are the configs:
Router:
# apr/04/2025 16:36:21 by RouterOS 7.8
# software id =
#
/interface bridge
add comment=defconf name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="WAN interface" disable-running-check=no
set [ find default-name=ether2 ] comment="to primary ethernet switch lacp link 1 (switch1)" disable-running-check=no
set [ find default-name=ether3 ] comment="domain controller 1 alternate link" disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] comment="to primary ethernet switch lacp link 2 (switch2)" disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
set [ find default-name=ether9 ] disable-running-check=no
set [ find default-name=ether10 ] comment="WAP POE interface" disable-running-check=no
set [ find default-name=ether11 ] comment="sfp interface disabled for security" disable-running-check=no disabled=yes
/interface vlan
add interface=bridge1 mtu=1496 name=general_vlan vlan-id=10
add interface=bridge1 mtu=1496 name=management_vlan vlan-id=99
add interface=bridge1 mtu=1496 name=media_vlan vlan-id=20
/interface bonding
add comment="to primary ethernet switch" mode=802.3ad name=bonding1 slaves=ether2,ether6
/disk
set slot1 slot=slot1
set slot2 slot=slot2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=general_vlan_pool ranges=10.0.10.1-10.0.10.199
add name=media_vlan_pool ranges=10.0.20.1-10.0.20.199
add name=management_vlan_pool ranges=10.0.99.1-10.0.99.199
/ip dhcp-server
add address-pool=general_vlan_pool interface=general_vlan lease-time=1h name=general_vlan_dhcp
add address-pool=media_vlan_pool interface=media_vlan lease-time=1h name=media_vlan_dhcp
add address-pool=management_vlan_pool interface=management_vlan lease-time=1h name=management_vlan_dhcp
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 comment="to ethernet switch lacp" interface=bonding1
add bridge=bridge1 comment="domain controller 1 alternate link" interface=ether3 pvid=10
add bridge=bridge1 comment="hAPax^2 Wireless Access Point" interface=ether10
/interface bridge vlan
add bridge=bridge1 comment="General VLAN" tagged=bridge1,bonding1 vlan-ids=10
add bridge=bridge1 comment="Media VLAN" tagged=bridge1,bonding1 vlan-ids=20
add bridge=bridge1 comment="Management VLAN" tagged=bridge1,bonding1 vlan-ids=99
/ip address
add address=10.0.10.254/24 comment="General VLAN" interface=general_vlan network=10.0.10.0
add address=10.0.20.254/24 comment="Media VLAN" interface=media_vlan network=10.0.20.0
add address=10.0.99.254/24 comment="Management VLAN" interface=management_vlan network=10.0.99.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.0.10.0/24 comment="General VLAN" dns-server=10.0.10.250,10.0.10.251,10.0.10.1 gateway=10.0.10.254
add address=10.0.20.0/24 comment="Media VLAN" dns-server=10.0.10.250,10.0.10.251,10.0.10.1 gateway=10.0.20.254
add address=10.0.99.0/24 comment="Management VLAN" dns-server=10.0.10.250,10.0.10.251,10.0.10.1 gateway=10.0.99.254
/ip dns
set allow-remote-requests=yes servers=10.0.10.250,10.0.10.249
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward dst-address=10.0.10.0/24 src-address=10.0.99.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/system identity
set name=RB3011UiAS
Last edited by mattbiegner22 on Fri Apr 04, 2025 8:25 pm, edited 3 times in total.
 
mattbiegner22
Topic Author

Re: Beginner VLAN questions

Fri Apr 04, 2025 8:12 pm

Sorry, this forum still won't let me post multiple code tags together.

Here's the CRS326:
# apr/04/2025 16:37:14 by RouterOS 7.8
# software id =
#
/interface bridge
add comment=defconf name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="to router lacp link 1" disable-running-check=no
set [ find default-name=ether2 ] comment="to router lacp link 2" disable-running-check=no
set [ find default-name=ether3 ] comment="domain controller 1 primary link" disable-running-check=no
set [ find default-name=ether4 ] comment="plex media server general vlan" disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
set [ find default-name=ether9 ] disable-running-check=no
set [ find default-name=ether10 ] disable-running-check=no
set [ find default-name=ether11 ] disable-running-check=no
set [ find default-name=ether12 ] disable-running-check=no
set [ find default-name=ether13 ] comment="plex media server media lacp port 1" disable-running-check=no
set [ find default-name=ether14 ] comment="plex media server media lacp port 2" disable-running-check=no
set [ find default-name=ether15 ] comment="DS3622xs+ media lacp port 1" disable-running-check=no
set [ find default-name=ether16 ] comment="DS3622xs+ media lacp port 2" disable-running-check=no
set [ find default-name=ether17 ] comment="proxmox ve management port" disable-running-check=no
set [ find default-name=ether18 ] comment="Plex Media Server Management Port" disable-running-check=no
set [ find default-name=ether19 ] disable-running-check=no
set [ find default-name=ether20 ] disable-running-check=no
set [ find default-name=ether21 ] comment="DS3622xs+ management port" disable-running-check=no
set [ find default-name=ether22 ] comment="DS423 management port" disable-running-check=no
set [ find default-name=ether23 ] disable-running-check=no
set [ find default-name=ether24 ] disable-running-check=no
set [ find default-name=ether25 ] comment="to fiber switch lacp link 1" disable-running-check=no
set [ find default-name=ether26 ] comment="to fiber switch lacp link 2" disable-running-check=no
/interface vlan
add interface=bridge1 mtu=1496 name=management_vlan vlan-id=99
/interface bonding
add comment="to router" mode=802.3ad name=bonding1 slaves=ether1,ether2
add comment="DS36223xs+ media vlan" mode=802.3ad name=bonding2 slaves=ether15,ether16
add comment="to fiber switch lacp" mode=802.3ad name=bonding3 slaves=ether25,ether26
add comment="plex media server media vlan" mode=802.3ad name=bonding4 slaves=ether13,ether14
/disk
set slot1 slot=slot1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 comment="to router lacp" interface=bonding1
add bridge=bridge1 comment="domain controller 1 primary link" interface=ether3 pvid=10
add bridge=bridge1 comment="DS3622XS+ Management VLAN" interface=ether21 pvid=99
add bridge=bridge1 comment="DS423 Management VLAN" interface=ether22 pvid=99
add bridge=bridge1 comment="DS3622XS+ Media VLAN" interface=bonding2 pvid=20
add bridge=bridge1 comment="to fiber switch lacp" interface=bonding3
add bridge=bridge1 comment="proxmox ve management vlan" interface=ether17 pvid=99
add bridge=bridge1 comment="plex media server management vlan" interface=ether18 pvid=99
add bridge=bridge1 comment="plex media server general vlan" interface=ether4 pvid=10
add bridge=bridge1 comment="plex media server media vlan" interface=bonding4 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bonding1,bonding3 vlan-ids=10
add bridge=bridge1 tagged=bonding1,bonding3 untagged=bonding2,bonding4 vlan-ids=20
add bridge=bridge1 tagged=bridge1,bonding1,bonding3 untagged=ether17,ether21,ether22,ether18 vlan-ids=99
/ip address
add address=10.0.99.253/24 interface=management_vlan network=10.0.99.0
/ip route
add distance=1 gateway=10.0.99.254
/system identity
set name=CRS326-24G-2S+
 
mattbiegner22
Topic Author

Re: Beginner VLAN questions

Fri Apr 04, 2025 8:13 pm

And the CRS309:
# apr/04/2025 16:41:03 by RouterOS 7.8
# software id =
#
/interface bridge
add comment=defconf name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="to ethernet switch lacp link 1" disable-running-check=no
set [ find default-name=ether2 ] comment="to ethernet switch lacp link 2" disable-running-check=no
set [ find default-name=ether3 ] comment="ds3622xs+ general lacp link 1" disable-running-check=no
set [ find default-name=ether4 ] comment="ds3622xs+ general lacp link 2" disable-running-check=no
set [ find default-name=ether5 ] comment="proxmox ve general lacp link 1" disable-running-check=no
set [ find default-name=ether6 ] comment="proxmox ve general lacp link 2" disable-running-check=no
set [ find default-name=ether7 ] comment="to office fiber switch lacp link 1" disable-running-check=no
set [ find default-name=ether8 ] comment="to office fiber switch lacp link 2" disable-running-check=no
set [ find default-name=ether9 ] disable-running-check=no
/interface vlan
add interface=bridge1 mtu=1496 name=management_vlan vlan-id=99
/interface bonding
add comment="to ethernet switch lacp" mode=802.3ad name=bonding1 slaves=ether1,ether2
add comment="ds3622xs+ media vlan" mode=802.3ad name=bonding2 slaves=ether3,ether4
add comment="proxmox ve general vlan" mode=802.3ad name=bonding3 slaves=ether5,ether6
add comment="to office fiber switch lacp" mode=802.3ad name=bonding4 slaves=ether7,ether8
/disk
set slot1 slot=slot1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 comment="to ethernet switch lacp" interface=bonding1
add bridge=bridge1 comment="proxmox ve general lacp" interface=bonding3 pvid=10
add bridge=bridge1 comment="ds3622xs+ general lcap" interface=bonding2 pvid=10
add bridge=bridge1 comment="to office fiber switch lacp" interface=bonding4
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,bonding1,bonding4 vlan-ids=99
add bridge=bridge1 tagged=bonding1,bonding4 untagged=*D,bonding3 vlan-ids=10
add bridge=bridge1 tagged=bonding1,bonding4 vlan-ids=20
/ip address
add address=10.0.99.252/24 interface=management_vlan network=10.0.99.0
/ip route
add distance=1 gateway=10.0.99.254
/system identity
set name=CRS309-1G-8S+
 
anav
Forum Guru

Re: Beginner VLAN questions

Fri Apr 04, 2025 8:38 pm

Router. Summary ( incomplete, not ready for deployment )

1. Not necessary, as the router dynamically untags the port, but it shows you understand the vlan filtering.
/interface bridge vlan
add bridge=bridge1 comment="General VLAN" tagged=bridge1,bonding1 untagged=ether3 vlan-ids=10


2. Firewall rules are not useful to protect the network, but assuming you know that...... any assessment of this config is moot.
Missing ip neighbours discovery, interface lists etc.......

CRS326 Switch

3. Same comments for /interface bridge vlan and to add to be consistent in approach!! Not wrong but as stated, understanding is confirmed and also consistent story.
/interface bridge vlan
add bridge=bridge1 tagged=bonding1,bonding3 untagged=ether3,ether4 vlan-ids=10


4. Do not understand why your BONDs have pvid settings; is it a hybrid bond???
 
mattbiegner22
Topic Author

Re: Beginner VLAN questions

Fri Apr 04, 2025 9:05 pm

bonding1 and bonding2 are trunks and don't have a specific pvid defined.

bonding3 and bonding4 are access ports going to a synology NAS and a linux media server, respectively, hence why they're marked as untagged. If there's an alternate way to do this I'm all ears but those 2 bonds are basically the interfaces to the physical servers.

Yes, I did specifically forget to mark ether3 and ether4 on the /interface/bridge/vlan for vlan-id=10, but it appears once I set the pvid=10 on the port in the /interface/bridge/port area, ROS is listing those ports as current-untagged if I do a print. Is that ROS automatically adding those ports to the vlan on the bridge?

I'm not really interested in the firewall rules to protect vlans at this point. I would just like all the devices across the different vlans/subnets to talk first and save the config before I start trying fancy(er) stuff.

I still need to work on the neighbors and interface lists. Doesn't that just limit the discovery of neighbors to the management vlan interface (10.0.99.0)?
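To see what the bridge VLAN table looks like once the dynamic pvid entries are counted, here is an added Python check (not code from the thread or from RouterOS) that parses a constructed export modelled on the CRS326 config above and flags member names that are not bridge ports and pvids that have no VLAN entry. The sample export, its "bonding" typo and the ether22 pvid=30 line are constructed for the demonstration; the parser assumes single-value vlan-ids as used in this thread.

```python
"""Effective bridge VLAN membership from a RouterOS export.

Added example, not code from the thread. With vlan-filtering=yes a bridge port
whose pvid is N is a dynamic untagged member of VLAN N (it shows up as
current-untagged in /interface bridge vlan print), so a missing untagged= entry
is harmless. What does break things is a member name that is not a bridge port
(a typo such as 'bonding' for 'bonding1') or an access port whose pvid has no
VLAN entry at all. The checks below catch both.
"""
import re

# Constructed sample shaped like the CRS326 export in the thread, with two
# deliberate defects: 'bonding' instead of 'bonding1' on VLAN 99, and ether22
# on a pvid that has no VLAN entry.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge1 comment="to router lacp" interface=bonding1
add bridge=bridge1 comment="domain controller 1 primary link" interface=ether3 pvid=10
add bridge=bridge1 comment="DS3622XS+ Management VLAN" interface=ether21 pvid=99
add bridge=bridge1 comment="DS423 Management VLAN" interface=ether22 pvid=30
add bridge=bridge1 comment="DS3622XS+ Media VLAN" interface=bonding2 pvid=20
add bridge=bridge1 comment="to fiber switch lacp" interface=bonding3
/interface bridge vlan
add bridge=bridge1 tagged=bonding1,bonding3 vlan-ids=10
add bridge=bridge1 tagged=bonding1,bonding3 untagged=bonding2 vlan-ids=20
add bridge=bridge1 tagged=bridge1,bonding,bonding3 untagged=ether21 vlan-ids=99
"""

# key=value pairs; a quoted value (comment="...") may contain spaces.
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return (bridges, {port: pvid}, [(vlan_id, tagged, untagged)]) from an export."""
    bridges, ports, vlans, section = set(), {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):            # section header such as /interface bridge vlan
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = dict(KV_RE.findall(line))
        if section == "/interface bridge port":
            bridges.add(kv["bridge"])
            ports[kv["interface"]] = int(kv.get("pvid", "1"))   # RouterOS default pvid is 1
        elif section == "/interface bridge vlan":
            tagged = set(filter(None, kv.get("tagged", "").split(",")))
            untagged = set(filter(None, kv.get("untagged", "").split(",")))
            vlans.append((int(kv["vlan-ids"]), tagged, untagged))   # single IDs only
    return bridges, ports, vlans


def effective_membership(ports, vlans):
    """Per VLAN: configured tagged set, and untagged set including dynamic pvid entries."""
    members = {}
    for vid, tagged, untagged in vlans:
        dynamic = {p for p, pvid in ports.items() if pvid == vid}
        members[vid] = {"tagged": set(tagged), "untagged": set(untagged) | dynamic}
    return members


def check(bridges, ports, vlans):
    """Return human-readable findings; an empty list means the tables are consistent."""
    findings = []
    known = set(ports) | bridges           # the bridge itself is a valid tagged member (CPU port)
    defined = {vid for vid, _, _ in vlans}
    tagged_on = {p: {vid for vid, t, _ in vlans if p in t} for p in ports}
    for vid, tagged, untagged in vlans:
        for name in sorted((tagged | untagged) - known):
            findings.append(f"vlan {vid}: member '{name}' is not a bridge port")
        for name in sorted(tagged & untagged):
            findings.append(f"vlan {vid}: '{name}' is both tagged and untagged")
    for port, pvid in ports.items():
        if pvid in tagged_on[port]:
            findings.append(f"port {port}: pvid {pvid} but also tagged for vlan {pvid}")
        elif pvid != 1 and pvid not in defined:
            findings.append(f"port {port}: pvid {pvid} has no /interface bridge vlan entry")
        elif pvid == 1 and not tagged_on[port]:
            findings.append(f"port {port}: access port left on default pvid 1")
    return findings


if __name__ == "__main__":
    bridges, ports, vlans = parse_export(SAMPLE_EXPORT)
    for vid, m in sorted(effective_membership(ports, vlans).items()):
        print(f"vlan {vid}: tagged={sorted(m['tagged'])} untagged={sorted(m['untagged'])}")
    for finding in check(bridges, ports, vlans):
        print("WARNING:", finding)
```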
 
mattbiegner22
Topic Author

Re: Beginner VLAN questions

Fri Apr 04, 2025 10:29 pm

So....I think I got everything resolved. But I am having a problem with very slow inter-VLAN routing...like on the order of 1500-3000ms and occasionally timing out. But it is being routed to the other VLANs...

EDIT: Ok, I think it's a CPU problem or potentially just a virtualization problem. Even though my CPU usage on the RB3011 is <1%, adjusting the router CPU to using 4 vCPUs (like an RB4011) instead of 2 vCPUs drastically speeds up routing.
 
anav
Forum Guru

Re: Beginner VLAN questions

Fri Apr 04, 2025 11:11 pm

Okay matt that clears up that perspective.
Firewall rules will speed things up actually, especially with use of fasttrack etc.. I mean on the router; the switch requires no firewall rules.
Also, turn OFF ipv6 if not using it.

Going back to the configs... then
switch 326

1. modify the first line for consistency
/interface bridge vlan
add bridge=bridge1 tagged=bonding1,bonding3 untagged=ether3 vlan-ids=10
add bridge=bridge1 tagged=bonding1,bonding3 untagged=bonding2,bonding4 vlan-ids=20
add bridge=bridge1 tagged=bridge1,bonding1,bonding3 untagged=ether17,ether21,ether22,ether18 vlan-ids=99


2. Interface lists......
/interface list
add name=TRUSTED
/interface list member
add interface=management_vlan list=TRUSTED
add interface=OffBridge24 list=TRUSTED

3. /interface ethernet
set [ find default-name=ether24 ] name=OffBridge24

/ip address
add address=192.168.24.1/30 interface=OffBridge24 network=192.168.24.0


Access the router via port 24 by changing the IPv4 settings on the laptop to 192.168.24.2

4. /tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

5. /ip neighbor discovery-settings
set discover-interface-list=TRUSTED
 
anav
Forum Guru

Re: Beginner VLAN questions

Fri Apr 04, 2025 11:31 pm

Basic firewall for Router
BUT FIRST YOU NEED to add missing pieces!!

/interface list
add name=WAN
add name=LAN
add name=TRUSTED

/interface list member
add interface=ether1 list=WAN
add interface=general_vlan list=LAN
add interface=media_vlan list=LAN
add interface=management_vlan list=LAN
add interface=management_vlan list=TRUSTED

/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
( admin rules )
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else" { insert this rule here last to avoid getting locked out }
++++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to vlans" in-interface-list=TRUSTED out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable if required or remove }
add action=drop chain=forward comment="Drop all else"

AND of COURSE
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED

and
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
 
mattbiegner22
Topic Author

Re: Beginner VLAN questions

Fri Apr 04, 2025 11:54 pm

thanks anav.

I've added the TRUSTED list and am working on the LAN list. I think those firewall rules make sense.

What purpose does limiting the IP discovery to the management VLAN (TRUSTED list) provide?
 
anav
Forum Guru

Re: Beginner VLAN questions

Sat Apr 05, 2025 12:52 am

Why, security of course! If you don't want any security,
then simply have two firewall rules:

add chain=input action=accept comment="eviscerate me"
add chain=forward action=accept comment="bugger me"
 
mattbiegner22
Topic Author

Re: Beginner VLAN questions

Sat Apr 05, 2025 6:30 am

Ok, cool, thanks anav.

I think I've got everything sorted now. The only thing left is that when I set tool/mac-server/mac-winbox allowed-interface-list=TRUSTED and tool/mac-server allowed-interface-list=none, I can still log in to WinBox using a non-management VLAN IP (i.e. 10.0.10.254 and 10.0.20.254). I'm not sure if there's an additional filter rule I need to block it.

I didn't add the drop all else rule yet because I'm trying not to get myself locked out now that I'm so close to done.
 
anav
Forum Guru

Re: Beginner VLAN questions

Sat Apr 05, 2025 1:55 pm

Well, the drop all rule will certainly cut out non-trusted VLAN access to WinBox, since the interface list allows only trusted VLANs, but without the drop all rule, nothing is really blocked.
mac-server mac-winbox is used in conjunction with neighbours discovery to make all smart MT devices show up with MAC address in WinBox.
So one merely has to click on the device and then enter username and password. This does not stop any VLAN user from accessing the router via WinBox using the IPaddress:Winboxport.

The two blockers or limiters are /ip services and input chain rules. WRT IP services, WinBox (where the default of no entry allows all, but one can limit by IP address, so subnets or individuals).
Typically a good idea is to limit at least by subnets here and use the input chain for any added granularity and for clarity at least same subnets blocked...
Most admins limit access to the router by both trusted subnets and then further by src-address-list of admin IPs, static dhcp leases or vpn Ips etc... depends on what practice you want to follow.
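An added Python model (not code from the thread or from RouterOS) of the input chain posted earlier together with the /ip service winbox address= restriction, showing why the mac-server limits alone leave WinBox over IP reachable from any VLAN until the final drop rule or a service address restriction is in place. Interface lists and addresses follow the thread; the connections and the 192.168.77.0/30 off-bridge subnet are sample values.

```python
"""Why mac-server limits alone do not block WinBox: a model of the input chain.

Added example, not code from the thread. It models the rule set posted above
plus the /ip service winbox address= restriction, and shows that without a
final 'drop all else' rule a WinBox connection from the general VLAN to
10.0.10.254:8291 falls through to the chain's default accept.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Interface lists as built up in the thread (management VLAN is the only TRUSTED one).
INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"general_vlan", "media_vlan", "management_vlan"},
    "TRUSTED": {"management_vlan"},
}


@dataclass
class Conn:
    in_interface: str
    src: str
    dst: str
    dst_port: int
    protocol: str = "tcp"
    state: str = "new"                 # connection-tracking state of the first packet


@dataclass
class Rule:
    action: str                        # accept | drop
    in_list: Optional[str] = None      # in-interface-list=
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    state: set = field(default_factory=set)   # connection-state=
    dst_address: Optional[str] = None
    comment: str = ""

    def matches(self, c):
        """Every matcher that is set must hold, as in a RouterOS filter rule."""
        return ((not self.in_list or c.in_interface in INTERFACE_LISTS[self.in_list])
                and (not self.protocol or c.protocol == self.protocol)
                and (self.dst_port is None or c.dst_port == self.dst_port)
                and (not self.state or c.state in self.state)
                and (not self.dst_address or c.dst == self.dst_address))


# The input chain from the post above, minus the final drop rule.
INPUT_CHAIN = [
    Rule("accept", state={"established", "related", "untracked"}),
    Rule("drop", state={"invalid"}),
    Rule("accept", protocol="icmp"),
    Rule("accept", dst_address="127.0.0.1"),
    Rule("accept", in_list="TRUSTED", comment="admin access"),
    Rule("accept", in_list="LAN", protocol="udp", dst_port=53, comment="users to services"),
    Rule("accept", in_list="LAN", protocol="tcp", dst_port=53, comment="users to services"),
]
DROP_ALL = Rule("drop", comment="Drop all else")


def input_chain_verdict(conn, rules):
    """First matching rule wins; a packet no rule matches is accepted (the chain default)."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return "accept"


def winbox_allowed(conn, rules, service_address=()):
    """Firewall first, then /ip service winbox address= (empty means any source)."""
    if input_chain_verdict(conn, rules) != "accept":
        return False
    if service_address:
        return any(ip_address(conn.src) in ip_network(net) for net in service_address)
    return True


def demo():
    """Verdicts for a WinBox attempt from the general VLAN versus the management VLAN."""
    from_general = Conn("general_vlan", "10.0.10.5", "10.0.10.254", 8291)   # constructed
    from_mgmt = Conn("management_vlan", "10.0.99.20", "10.0.99.254", 8291)  # constructed
    hardened = INPUT_CHAIN + [DROP_ALL]
    trusted_nets = ["10.0.99.0/24", "192.168.77.0/30"]   # management VLAN + off-bridge port
    return {
        "general, no drop-all": winbox_allowed(from_general, INPUT_CHAIN),
        "general, drop-all": winbox_allowed(from_general, hardened),
        "general, ip service only": winbox_allowed(from_general, INPUT_CHAIN, trusted_nets),
        "mgmt, drop-all + ip service": winbox_allowed(from_mgmt, hardened, trusted_nets),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:30} -> {'ALLOWED' if allowed else 'blocked'}")
```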
 
mattbiegner22
Topic Author

Re: Beginner VLAN questions

Sat Apr 05, 2025 7:49 pm

Cool. So this is what I came up with to basically block all IP services on non management and off bridge IPs and interfaces:
/ip firewall address-list
add address=10.0.99.0/24 comment="management ip" list=allowed_router_access_ips
add address=192.168.0.0/30 comment="off bridge access ip" list=allowed_router_access_ips
/ip firewall filter
add action=drop chain=input comment="block router access on non management IPs and Interfaces" dst-address-list=!allowed_router_access_ips dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=!TRUSTED protocol=tcp
add action=accept chain=input comment="allow router access on management IP and Interfaces" dst-address-list=allowed_router_access_ips dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=TRUSTED protocol=tcp
 
anav
Forum Guru

Re: Beginner VLAN questions

Sat Apr 05, 2025 8:44 pm

All a waste of time.
Simply input chain last rule drop all else
Simply forward chain last rule drop all else

WinBox services: include all subnets that are TRUSTED, management VLAN, off-bridge port, and any other subnet where you may be coming from to access WinBox and the router (like a wireguard subnet).
Keep the ip neighbours and mac-server mac-winbox to TRUSTED interface list for ease of admin access.
Use INPUT CHAIN to reinforce the IP services entry and if needed one can drill down to only admin IPs with a firewall address list
( for example a trusted VLAN might be a home VLAN and not a separate management VLAN, and thus an address list will ensure ONLY the admin's devices have access OR......
you may have multiple wireguard peers but only one of them is the admin, so the firewall address list lets you drill down to that single user )