Josephny
Forum Guru
Topic Author
Posts: 1207
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 6:23 pm

I have an RB5009 (ether7) connected to a CRS326 (ether1) with vlan-id=32 setup.

I think the VLAN is working nicely regardless of the frame-types setting for ether7. But, when I change ether7 from frame-types=admit-all to frame-types=admit-only-vlan-tagged I lose the ability to connect to the CRS via ROMON from the 5009.

CRS326 config:
# 2025-04-10 11:20:26 by RouterOS 7.18.2
# software id = 4RSG-G05N
#
# model = CRS326-24G-2S+
# serial number = HGC09QKCXFY
/interface bridge
add admin-mac=D4:01:C3:83:B5:2F auto-mac=no comment=defconf frame-types=\
    admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface vlan
add comment=vlan32 interface=bridge name=vlan32 vlan-id=32
/interface list
add name=LAN
add name=TRUSTED
/ip pool
add comment=OffiBridge name=OffBridge ranges=192.168.55.100-192.168.55.200
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,sfp-sfpplus1 vlan-ids=32
/interface list member
add interface=bridge list=LAN
add interface=vlan32 list=TRUSTED
add interface=bridge list=TRUSTED
/interface ovpn-server server
add mac-address=FE:31:7F:F7:44:46 name=ovpn-server1
/ip address
add address=192.168.2.7/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.21.32.2/24 interface=vlan32 network=10.21.32.0
add address=192.168.55.1 comment=OffBridge interface=ether24 network=\
    192.168.55.1
/ip dhcp-server
add address-pool=OffBridge comment=OffBridge interface=ether24 name=Offbridge
/ip dns
set servers=1.1.1.1,10.21.32.1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.21.32.1 routing-table=main \
    suppress-hw-offload=no
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/system clock
set time-zone-name=America/New_York
/system identity
set name=CRS326
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool romon
set enabled=yes
/tool sniffer
set filter-interface=vlan32 filter-ip-protocol=icmp
This is the RB5009 config:
# 2025-04-10 11:20:57 by RouterOS 7.18.2
# software id = 7RPI-TTI6
#
# model = RB5009UG+S+
# serial number = HJ30
/interface bridge
add admin-mac=F4:1E:57:C3:6E:8A auto-mac=no comment=defconf frame-types=\
    admit-only-vlan-tagged name=bridge port-cost-mode=short vlan-filtering=\
    yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=\
    "Server1 -- Blue Iris vlan62 access port"
set [ find default-name=ether3 ] comment=\
    "Server2 -- Proxmox/HA vlan62 access port"
set [ find default-name=ether4 ] comment=\
    "hAPax3-downstairs trunk vlans 2, 12, 32, 42"
set [ find default-name=ether5 ] comment=\
    "hAPax3-upstairs trunk vlans 2, 12, 32, 42"
set [ find default-name=ether6 ] comment="Joseph PC access port vlan32"
set [ find default-name=ether7 ] comment="MGMT access port vlan32"
set [ find default-name=ether8 ] comment=OffBridge
set [ find default-name=sfp-sfpplus1 ] comment=CSS326
/interface wireguard
add comment=Wireguard disabled=yes listen-port=53212 mtu=1420 name=wireguard1
/interface vlan
add comment="TV VLAN42" interface=bridge name=vlan-TV vlan-id=42
add comment="Guest WiFi VLAN2" interface=bridge name=vlan-guest vlan-id=2
add comment="IoT  VLAN12" interface=bridge name=vlan-iot vlan-id=12
add comment="Management VLAN32" interface=bridge name=vlan-mgmt vlan-id=32
add comment="MOCA VLAN52" interface=bridge name=vlan-moca vlan-id=52
add interface=bridge name=vlan-printers vlan-id=82
add comment="Servers VLAN62" interface=bridge name=vlan-server vlan-id=62
add comment="VONAGE VLAN72" interface=bridge name=vlan-vonage vlan-id=72
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
add name=Iot-Cameras
/ip pool
add comment=offbridge-dhcp-server name=offbridge-dhcp-server ranges=\
    192.168.55.2-192.168.55.200
add name=guest-pool ranges=10.21.2.100-10.21.2.252
add name=iot-pool ranges=10.21.12.100-10.21.12.252
add name=cameras-pool ranges=10.21.22.100-10.21.22.252
add name=mgmt-pool ranges=10.21.32.100-10.21.32.252
add name=TV-pool ranges=10.21.42.100-10.21.42.252
add name=MOCA-pool ranges=10.21.52.100-10.21.52.252
add name=servers-pool ranges=10.21.62.100-10.21.62.252
add name=vonage-pool ranges=10.21.72.100-10.21.72.252
/ip dhcp-server
add address-pool=guest-pool interface=vlan-guest name=dhcp-guest
add address-pool=iot-pool interface=vlan-iot name=dhcp-iot
add address-pool=mgmt-pool interface=vlan-mgmt name=dhcp-mgmt
add address-pool=offbridge-dhcp-server comment=offbridge-dhcp-server \
    interface=ether8 name=offbridge-dhcp-server
add address-pool=MOCA-pool interface=vlan-moca name=dhcp-moca
add address-pool=servers-pool interface=vlan-server name=dhcp-servers
add address-pool=TV-pool interface=vlan-TV name=dhcp-TV
add address-pool=vonage-pool interface=vlan-vonage name=dhcp-vonage
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment="hAPax3-upstairs trunk vlan1" interface=ether5
add bridge=bridge comment="JRS PC; assign vlan32; access port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=32
add bridge=bridge comment=\
    "MGMT; assign vlan32; access port -- temp trunk for CRS" interface=ether7
add bridge=bridge comment="CSS326; trunk vlan1" frame-types=\
    admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge comment=\
    "Server1 -- Blue Iris; assign vlan62 tag; access port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 \
    internal-path-cost=10 path-cost=10 pvid=62
add bridge=bridge comment=\
    "Server2 -- Proxmox/HA; assign vlan62 tag; access port" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=62
add bridge=bridge comment="hAPax3-downstairs; trunk vlan1" frame-types=\
    admit-only-vlan-tagged interface=ether4 internal-path-cost=10 path-cost=\
    10
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment=\
    "ports bridge,4,5,sfp to carry vlan2 tagged frames out of 5009" tagged=\
    bridge,ether4,ether5,sfp-sfpplus1 vlan-ids=2
add bridge=bridge comment=\
    "port bridge,4,5,sfp to carry vlan12 tagged frames out of 5009" tagged=\
    bridge,ether4,ether5,sfp-sfpplus1 vlan-ids=12
add bridge=bridge comment="ports bridge,4,5,sfp to carry vlan32 out of 5009 AN\
    D assign vlan32 to frames arriving on ports 6,7 -- temp moved 7 to tagged \
    from untagged" tagged=bridge,sfp-sfpplus1,ether4,ether5,ether7 untagged=\
    ether6 vlan-ids=32
add bridge=bridge comment=\
    "ports bridge,4,5,sfp to carry vlan42 frames out of 5009" tagged=\
    bridge,ether4,ether5,sfp-sfpplus1 vlan-ids=42
add bridge=bridge comment="ports bridge,sfp to carry vlan52 out of 5009" \
    tagged=bridge,sfp-sfpplus1 vlan-ids=52
add bridge=bridge comment="ports bridge,sfp to carry vlan62 frames out of 5009\
    \_AND assign vlan62 to frames arriving ports 2,3" tagged=\
    bridge,sfp-sfpplus1 untagged=ether2,ether3 vlan-ids=62
add bridge=bridge comment=\
    "ports bridge,sfp to carry vlan72 frames out of 5009" tagged=\
    bridge,sfp-sfpplus1 vlan-ids=72
add bridge=bridge comment=\
    "ports bridge,sfp to carry vlan 82 frames out of 5009" tagged=\
    bridge,sfp-sfpplus1 vlan-ids=82
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=TRUSTED
add interface=ether8 list=TRUSTED
add interface=wireguard1 list=LAN
add comment="LAN OffBridge" interface=ether5 list=LAN
add comment="TRUSTED OffBridge" interface=ether5 list=TRUSTED
add comment="LAN VLAN2" interface=vlan-guest list=LAN
add comment="LAN VLAN22" interface=*D list=LAN
add comment="LAN VLAN12" interface=vlan-iot list=LAN
add comment="LAN VLAN32" interface=vlan-mgmt list=LAN
add comment="TRUSTED VLAN32" interface=vlan-mgmt list=TRUSTED
add interface=vlan-iot list=Iot-Cameras
add interface=*D list=Iot-Cameras
add comment="TEMP " interface=ether1 list=TRUSTED
add comment="LAN VLAN62" interface=vlan-server list=LAN
add comment="LAN VLAN52" interface=vlan-moca list=LAN
add comment="LAN VLAN42" interface=vlan-TV list=LAN
add interface=ether7 list=TRUSTED
/interface ovpn-server server
add mac-address=FE:4D:49:0E:82:FA name=ovpn-server1
/ip address
add address=192.168.55.1/24 interface=ether8 network=192.168.55.0
add address=10.10.100.212/24 interface=wireguard1 network=10.10.100.0
add address=10.21.2.1/24 interface=vlan-guest network=10.21.2.0
add address=10.21.12.1/24 interface=vlan-iot network=10.21.12.0
add address=10.21.32.1/24 interface=vlan-mgmt network=10.21.32.0
add address=10.21.42.1/24 interface=vlan-TV network=10.21.42.0
add address=10.21.52.1/24 interface=vlan-moca network=10.21.52.0
add address=10.21.62.1/24 interface=vlan-server network=10.21.62.0
add address=10.21.72.1/24 interface=vlan-vonage network=10.21.72.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server
add address-pool=cameras-pool interface=*D name=dhcp-cameras
/ip dhcp-server alert
add alert-timeout=1d disabled=no interface=bridge
/ip dhcp-server network
add address=10.21.2.0/24 dns-server=10.21.2.1 gateway=10.21.2.1
add address=10.21.12.0/24 dns-server=10.21.12.1 gateway=10.21.12.1
add address=10.21.22.0/24 dns-server=10.21.22.1 gateway=10.21.22.1
add address=10.21.32.0/24 dns-server=1.1.1.1 gateway=10.21.32.1
add address=10.21.42.0/24 dns-server=10.21.42.1 gateway=10.21.42.1
add address=10.21.52.0/24 dns-server=10.21.52.1 gateway=10.21.52.1
add address=10.21.62.0/24 dns-server=10.21.62.1 gateway=10.21.62.1
add address=10.21.72.0/24 dns-server=10.21.72.1 gateway=10.21.72.1
add address=192.168.55.0/24 dns-server=1.1.1.1 gateway=192.168.55.1 netmask=\
    24
/ip dns
set allow-remote-requests=yes cache-size=10000KiB servers=1.1.1.1,9.9.9.9
/ip dns static
add address=10.21.32.1 name=212-rb5009-new.212.internal type=A
add address=10.21.32.1 name=RB5009-new.212.internal ttl=9w6d10h40m type=A
add address=10.21.32.1 name=212.10.10.100.212.internal ttl=9w6d10h40m type=A
add address=10.21.32.22 name=JRS-PC.212.internal type=A
add address=192.168.2.2 comment=212router.internal name=212router.internal \
    type=A
add address=10.21.32.2 comment=212router.internal name=212router.internal \
    type=A
add address=10.10.100.80 comment=729router.internal name=729router.internal \
    type=A
/ip firewall address-list
add address=XXXXX.dyndns.org list=dynamic-WANIP
add address=192.168.0.103 comment="Home Assistant" list=\
    ALLOWED-REMOTE-SERVERS
add address=192.168.55.0/24 list=admin
add address=10.0.0.0/8 list=admin
add address=192.168.2.168 comment="Blue Iris 2" list=ALLOWED-REMOTE-SERVERS
add address=192.168.0.101 comment="Blue Iris" list=ALLOWED-REMOTE-SERVERS
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow INPUT users to services" \
    dst-port=53 in-interface-list=LAN log-prefix=users-to-services protocol=\
    udp
add action=accept chain=input comment="Allow INPUT users to services" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow INPUT from TRUSTED" \
    in-interface-list=TRUSTED
add action=accept chain=input comment="Allow INPUT WG Handshake" dst-port=\
    51880 log-prefix=Allow-WG-Handshake protocol=udp
add action=accept chain=input comment="NTP to Devices" in-interface=vlan-mgmt \
    protocol=udp src-port=123
add action=drop chain=input comment="Drop all INPUT" log-prefix=DROP-ALL
add action=fasttrack-connection chain=forward comment=\
    "defconf: fasttrack established related" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow FORWARD LAN to WAN" \
    in-interface-list=LAN log-prefix=Allow-LAN-WAN out-interface-list=WAN
add action=accept chain=forward comment="Allow FORWARD TRUSTED" \
    in-interface-list=TRUSTED log-prefix=Allow-TRUSTED out-interface-list=LAN
add action=accept chain=forward comment=\
    "Allow FORWARD Admin & remote wg admin to wireguard" in-interface-list=\
    TRUSTED out-interface=wireguard1 src-address-list=admin
add action=accept chain=forward comment=\
    "Allow FORWARD IOT-CAMERAS iface to ALLOWED-REMOTE-SERVER" \
    dst-address-list=ALLOWED-REMOTE-SERVERS in-interface-list=Iot-Cameras \
    out-interface=wireguard1
add action=accept chain=forward comment="Allow WG relay" in-interface=\
    wireguard1 out-interface=wireguard1
add action=drop chain=forward comment="Drop all FORWARD" log-prefix=DROP-ALL
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355-Cameras disabled=no distance=1 dst-address=192.168.5.0/24 \
    gateway=wireguard1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=629 disabled=no distance=1 dst-address=192.168.20.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=76 disabled=no distance=1 dst-address=192.168.30.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=371 disabled=no distance=1 dst-address=192.168.40.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=125 disabled=no distance=1 dst-address=192.168.70.0/24 gateway=\
    wireguard1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.4.0/24 gateway=10.10.100.80 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.0.0/8 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=America/New_York
/system identity
set name=212-RB5009-New
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=216.239.35.4
add address=104.16.132.229
/system script
add dont-require-permissions=yes name=export-download owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n\
    \n/system\
    \n:local cdate [clock get date] \
    \n:local yyyy  [:pick \$cdate 0  4]\
    \n:local MM    [:pick \$cdate 5  7]\
    \n:local dd    [:pick \$cdate 8 10]\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\
    \n/export show-sensitive file=\"\$identitydate\"\
    \n\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"/\$[\$identitydate].\
    rsc\" dst-path=\"/mikrotik-backups/\$[\$identitydate].rsc\" address=192.16\
    8.2.22 port=21 user=mikrotik password=XXXXX\
    \n\
    \n/file remove \"\$[\$identitydate].rsc\"\
    \n\
    \n:log info (\"Uploaded rsc backup to 192.168.2.22 as \".\$identitydate)"
add dont-require-permissions=yes name=Netwatch owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    ###################################\
    \n# Netwatch script\
    \n#\
    \n# Used as both up and down script\
    \n# Created Jotne 2021 v1.5\
    \n#\
    \n####################################\
    \n:local Host \$host\
    \n/tool netwatch\
    \n:local Status [get [find where host=\"\$Host\"] status]\
    \n:local Comment [get [find where host=\"\$Host\"] comment]\
    \n:local Interval [get [find where host=\"\$Host\"] interval]\
    \n:local Since [get [find where host=\"\$Host\"] since]\
    \n:log info \"script=netwatch watch_host=\$Host comment=\\\"\$Comment\\\" \
    status=\$Status interval=\$Interval since=\\\"\$Since\\\"\"\
    \n\
    \n:local thisBox [/system identity get name];\
    \n\
    \n:tool e-mail send to=jXXXXX@domain.com subject=\"\$thisBox \$Status\
    \_to \$Host\" body=( [ :system clock get date ] . \" \" . [ :system clock \
    get time ] . \"\$thisBox \$Status to \$Host\" )\
    \n"
/tool e-mail
set from=jXXXXX@domain.com port=587 server=smtp.gmail.com tls=starttls \
    user=jXXXXX@domain.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool netwatch
add comment=Netwatch-8.8.4.4 disabled=no down-script=Netwatch host=8.8.4.4 \
    http-codes="" interval=5m name=Netwatch-8.8.4.4 test-script="" type=\
    simple up-script=Netwatch
add disabled=no down-script=Netwatch host=192.168.0.11 http-codes="" \
    interval=1m name=Netwatch-192.168.0.11 test-script="" type=simple \
    up-script=Netwatch
/tool romon
set enabled=yes
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 6:50 pm

SWITCH
Why are you treating the switch like a router?
The only address on the switch is the one given to the switch over the management vlan32?
Bridge is not involved... reminder to look at the switch example: viewtopic.php?t=143620
There is only need of ONE interface list entry, aka TRUSTED, which the bridge has nothing to do with...

/interface list member
add interface=vlan32 list=TRUSTED
add interface=ether24 list=TRUSTED
 
Josephny
Forum Guru
Topic Author
Posts: 1207
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 7:10 pm

SWITCH
Why are you treating the switch like a router?
The only address on the switch is the one given to the switch over the management vlan32?
Bridge is not involved... reminder to look at the switch example: viewtopic.php?t=143620
There is only need of ONE interface list entry, aka TRUSTED, which the bridge has nothing to do with...

/interface list member
add interface=vlan32 list=TRUSTED
add interface=ether24 list=TRUSTED

Removing:
/ip address
add address=192.168.2.7/24 comment=defconf interface=bridge network=\
    192.168.2.0
And making the only interface list "TRUSTED" with vlan32 and ether24 did not fix the problem.
 
Amm0
Forum Guru
Posts: 4697
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 7:40 pm

Edit: I'd originally thought it was RoMON getting dropped; @sindy confirms the bridge's frame-types= are passed.

See @sindy's post : viewtopic.php?p=1137826#p1137981
Last edited by Amm0 on Fri Apr 11, 2025 8:31 pm, edited 2 times in total.
 
Josephny
Forum Guru
Topic Author
Posts: 1207
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 8:02 pm

Logically, RoMON is not a tagged packet, so the bridge is dropping it. This gets into the topic of Layer 2 EtherTypes... See https://en.wikipedia.org/wiki/EtherType#Values

While not explicitly shown... by setting frame-types=admit-only-vlan-tagged you're saying you only want "VLAN" EtherTypes. RoMON uses its own EtherType, 0x88BF — so it is neither an IP nor a VLAN+IP packet — so RoMON won't pass.

And RoMON works even in FUBAR IP routing because it's not an IP or VLAN packet, so the custom EtherType is how it's able to connect everywhere transparently.
Wow, great understanding and explanation.

So what is the recommended configuration? To use admit-only-vlan-tagged or not? If yes, how would I access the CRS with Winbox?
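As an added illustration of the EtherType point made in the quoted explanation above (example code written for this edit, not code from the thread, from MikroTik or from RouterOS): the block builds a few constructed Ethernet frames, classifies each by the first EtherType after the MAC addresses, and applies the three RouterOS frame-types policy names to them. The filter is modelled exactly as the quoted text describes it, an admit decision taken on the outer EtherType alone; Amm0's edit earlier in the thread notes that sindy revisited whether the real bridge drops RoMON, so read this as a model of frame classification, not as a statement of what a RouterOS bridge does with RoMON. The MAC addresses and payload bytes are constructed placeholders.

```python
import struct

# EtherType values (IEEE registry); 0x88BF is the RoMON value quoted in the thread.
ETH_P_IPV4   = 0x0800
ETH_P_ARP    = 0x0806
ETH_P_8021Q  = 0x8100   # customer VLAN tag (C-TAG)
ETH_P_8021AD = 0x88A8   # service VLAN tag (S-TAG, QinQ)
ETH_P_ROMON  = 0x88BF   # MikroTik RoMON

# Constructed, locally administered MACs for the sample frames (not from any real device).
SRC_MAC = "02:00:00:00:00:01"
DST_MAC = "02:00:00:00:00:02"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given.
    vlan_id=0 produces a priority-tagged frame (tag present, VID 0)."""
    hdr = mac_bytes(DST_MAC) + mac_bytes(SRC_MAC)
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        hdr += struct.pack("!HH", ETH_P_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def classify(frame):
    """Return (tag_kind, vid, inner_ethertype).

    tag_kind is 'untagged', 'priority-tagged' (802.1Q tag with VID 0) or
    'vlan-tagged'. Only the first EtherType after the MAC addresses decides:
    0x8100/0x88A8 mean a tag is present; anything else (IPv4, ARP, RoMON)
    is an untagged frame no matter what the payload carries."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, inner = struct.unpack_from("!HH", frame, 14)
        vid = tci & 0x0FFF
        return ("priority-tagged" if vid == 0 else "vlan-tagged", vid, inner)
    return ("untagged", None, ethertype)


def admitted(frame, frame_types):
    """Apply a bridge-port frame-types policy (same value names as RouterOS uses)."""
    kind, _, _ = classify(frame)
    if frame_types == "admit-all":
        return True
    if frame_types == "admit-only-vlan-tagged":
        return kind == "vlan-tagged"
    if frame_types == "admit-only-untagged-and-priority-tagged":
        return kind in ("untagged", "priority-tagged")
    raise ValueError(f"unknown frame-types value: {frame_types}")


# Constructed sample frames: the payloads are placeholder bytes, not real packets.
SAMPLE_FRAMES = {
    "romon-untagged":      build_frame(ETH_P_ROMON, b"\x00" * 32),
    "ipv4-vlan32":         build_frame(ETH_P_IPV4, b"\x45" + b"\x00" * 31, vlan_id=32),
    "ipv4-untagged":       build_frame(ETH_P_IPV4, b"\x45" + b"\x00" * 31),
    "arp-priority-tagged": build_frame(ETH_P_ARP, b"\x00" * 28, vlan_id=0, pcp=5),
}


def evaluate(frame_types):
    """Map each sample frame name to whether the given policy admits it."""
    return {name: admitted(f, frame_types) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for policy in ("admit-all", "admit-only-vlan-tagged",
                   "admit-only-untagged-and-priority-tagged"):
        print(policy, evaluate(policy))
```

Under admit-only-vlan-tagged only the VLAN 32 frame survives: the RoMON frame has no 802.1Q tag, so it is indistinguishable from any other untagged frame at the point where this policy is applied, which is the whole of the argument quoted above.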
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 8:03 pm

ROUTER

You have a disconnect and duplication: I noted on your TRUSTED list you had three ports (vice just one trusted offbridge port) identified.
The fallout of that is:

1. a. In ethernet interface settings you identify ether5 as the hAPax upstairs, and on /interface bridge port (although missing frame-types of tagged only).
b. In interface list you have --> both wrong and should be removed!
add comment="LAN OffBridge" interface=ether5 list=LAN
add comment="TRUSTED OffBridge" interface=ether5 list=TRUSTED

2. It would appear that ether8 is actually your Offbridge port (as per ethernet interface identification, and it is a member of the TRUSTED list already).
NEED to then add:
add interface=ether8 list=LAN

3. REMOVE ether7 from the interface list TRUSTED.
Why do you have it here? The access port is for vlan32 (management vlan) and thus the PC already has access to the LAN/TRUSTED via the vlan32 interface entries???

4. You have other interface errors indicated by the *D entries in the config...
add comment="LAN VLAN22" interface=*D list=LAN
add interface=*D list=Iot-Cameras

5. Not sure of the purpose here... but it feels like a security risk!
add comment="TEMP " interface=ether1 list=TRUSTED

6. This has no place on the interface list. Should be removed.
add comment=defconf interface=bridge list=LAN

7. Besides the normal 8 dhcp server config entries you have an additional entry further below.
/ip dhcp-server
add address-pool=cameras-pool interface=*D name=dhcp-cameras


8. Assigning ether7, tagged here
add bridge=bridge comment="ports bridge,4,5,sfp to carry vlan32 out of 5009 AN\
D assign vlan32 to frames arriving on ports 6,7 -- temp moved 7 to tagged \
from untagged" tagged=bridge,sfp-sfpplus1,ether4,ether5,ether7 untagged=\
ether6 vlan-ids=32

Conflicts with ethernet interface identification: -->set [ find default-name=ether6 ] comment="Joseph PC access port vlan32"

So what is now on ether7??
Last edited by anav on Thu Apr 10, 2025 11:03 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 8:05 pm

What are you using ROMON for... that is not available through neighbour discovery?
 
Josephny
Forum Guru
Topic Author
Posts: 1207
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 8:13 pm

What are you using ROMON for... that is not available through neighbour discovery?
I need Romon to access the CRS.

Do your corrections allow me to do this?
 
Josephny
Forum Guru
Topic Author
Posts: 1207
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 8:20 pm


8. Assigning ether7, tagged here
add bridge=bridge comment="ports bridge,4,5,sfp to carry vlan32 out of 5009 AN\
D assign vlan32 to frames arriving on ports 6,7 -- temp moved 7 to tagged \
from untagged" tagged=bridge,sfp-sfpplus1,ether4,ether5,ether7 untagged=\
ether6 vlan-ids=32

Conflicts with ethernet interface identification: -->set [ find default-name=ether6 ] comment="Joseph PC access port vlan32"

So what is now on ether7??
What is the conflict?

I am having difficulty identifying the conflict.

ether7 is the CRS.
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 8:51 pm

I access all my downstream devices, ax3 ap, hex switch, etc via neighbours discovery not ROMON (via winbox)
 
Amm0
Forum Guru
Posts: 4697
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 10:00 pm

(deleted)
Last edited by Amm0 on Fri Apr 11, 2025 8:31 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 11:08 pm

So what is now on ether7??
What is the conflict?

I am having difficulty identifying the conflict.

ether7 is the CRS.
The config paints a conflicted story?
set [ find default-name=sfp-sfpplus1 ] comment=CSS326

Hard to find ether7 tagged for any vlans going to CRS326 ???
/interface bridge vlan
add bridge=bridge comment=\
"ports bridge,4,5,sfp to carry vlan2 tagged frames out of 5009" tagged=\
bridge,ether4,ether5,sfp-sfpplus1 vlan-ids=2
add bridge=bridge comment=\
"port bridge,4,5,sfp to carry vlan12 tagged frames out of 5009" tagged=\
bridge,ether4,ether5,sfp-sfpplus1 vlan-ids=12
add bridge=bridge comment=\
"ports bridge,4,5,sfp to carry vlan42 frames out of 5009" tagged=\
bridge,ether4,ether5,sfp-sfpplus1 vlan-ids=42
add bridge=bridge comment="ports bridge,sfp to carry vlan52 out of 5009" \
tagged=bridge,sfp-sfpplus1 vlan-ids=52
add bridge=bridge comment="ports bridge,sfp to carry vlan62 frames out of 5009\
\_AND assign vlan62 to frames arriving ports 2,3" tagged=\
bridge,sfp-sfpplus1 untagged=ether2,ether3 vlan-ids=62
add bridge=bridge comment=\
"ports bridge,sfp to carry vlan72 frames out of 5009" tagged=\
bridge,sfp-sfpplus1 vlan-ids=72
add bridge=bridge comment=\
"ports bridge,sfp to carry vlan 82 frames out of 5009" tagged=\
bridge,sfp-sfpplus1 vlan-ids=82
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 11:12 pm

Who told you this... ??
I need Romon to access the CRS

It's clear that even though ROMON should not be affected by vlan tag settings on the bridge itself, they are, so my advice is to avoid its use.
 
Josephny
Forum Guru
Topic Author
Posts: 1207
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 11:53 pm



What is the conflict?

I am having difficulty identifying the conflict.

ether7 is the CRS.
The config paints a conflicted story?
set [ find default-name=sfp-sfpplus1 ] comment=CSS326

Hard to find ether7 tagged for any vlans going to CRS326 ???
/interface bridge vlan
add bridge=bridge comment=\
"ports bridge,4,5,sfp to carry vlan2 tagged frames out of 5009" tagged=\
bridge,ether4,ether5,sfp-sfpplus1 vlan-ids=2
add bridge=bridge comment=\
"port bridge,4,5,sfp to carry vlan12 tagged frames out of 5009" tagged=\
bridge,ether4,ether5,sfp-sfpplus1 vlan-ids=12
add bridge=bridge comment=\
"ports bridge,4,5,sfp to carry vlan42 frames out of 5009" tagged=\
bridge,ether4,ether5,sfp-sfpplus1 vlan-ids=42
add bridge=bridge comment="ports bridge,sfp to carry vlan52 out of 5009" \
tagged=bridge,sfp-sfpplus1 vlan-ids=52
add bridge=bridge comment="ports bridge,sfp to carry vlan62 frames out of 5009\
\_AND assign vlan62 to frames arriving ports 2,3" tagged=\
bridge,sfp-sfpplus1 untagged=ether2,ether3 vlan-ids=62
add bridge=bridge comment=\
"ports bridge,sfp to carry vlan72 frames out of 5009" tagged=\
bridge,sfp-sfpplus1 vlan-ids=72
add bridge=bridge comment=\
"ports bridge,sfp to carry vlan 82 frames out of 5009" tagged=\
bridge,sfp-sfpplus1 vlan-ids=82
Okay, I understand.

I am waiting for delivery of an SFP cable. Until then I wanted to use ether7 temporarily. So, I had it all set up to use SFP between the 5009 and the CRS.

I do have vlan32 carried over ether7 -- just to get a basic level of functioning.
 
Josephny
Forum Guru
Topic Author
Posts: 1207
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Thu Apr 10, 2025 11:59 pm

Who told you this... ??
I need Romon to access the CRS

It's clear that even though ROMON should not be affected by vlan tag settings on the bridge itself, they are, so my advice is to avoid its use.
So this test bed (5009-lab and CRS) is set up as such:

5009-lab is connected to an operational 5009 (aka 5009-operational), which is my home network (flat, single /24 LAN).

Hence, the PCs I use to run Winbox can see the main network's 5009-lab, but cannot see the CRS connected to it.

With admit-only-vlan-tagged NOT set, I can RoMON into the 5009-lab and the 5009-lab will let me connect to the CRS.

If admit-only-vlan-tagged IS set, ROMON does not work.

My only way in to the CRS is to MAC-TELNET from 5009-lab to the CRS. This leaves me with only the CLI, which I am learning, but I still need Winbox somewhat.
 
Josephny
Forum Guru
Topic Author
Posts: 1207
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 12:14 am

And bridge will drop RoMON if it's admit-only-vlan-tagged, period — RoMON is not "VLAN tagged"
Got it -- RoMON is not carried across vlan-tagged frames because RoMON frames are neither IP nor IP+VLAN type frames. (Is this an accurate way of describing it?).
 
anav
Forum Guru
Posts: 23358
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 12:16 am

According to CGX, there were no shortcomings to using bridge itself vlan tagged, so I hesitate to completely swallow the information provided by AMMO and maybe in-between is a more accurate answer????

It would appear to me that any data from a PC trying to talk ROMON that is assumed to be on the management VLAN would get tagged on entry (regardless of whether it was ethernet with embedded ROMON information). So logically it should work. From the documentation, ROMON is not a VLAN entity and thus should not even be seen. I gather then that you have a physical cable attached between master5009 and Lab5009?? Where is that indicated on the LAB 5009 config??
If that traffic is coming over a trunk port, router to router, on vlan32, my guess is that it will work.
Last edited by anav on Fri Apr 11, 2025 12:24 am, edited 1 time in total.
 
Josephny
Topic Author

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 12:19 am

I gather then you have a physical cable attached between master5009 and Lab5009 then??
where is that indicated on the LAB 5009 config??
ether1 (WAN)
 
anav

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 12:34 am

Only stating there was a second 5009 at play at such a late stage, and that the Romon issue stemmed from the first one to the Switch was a criminal omission. Consider yourself flogged ;-)
Your punishment is having to eat the entire plate of smoked meat served at Katz's.
 
Josephny
Topic Author

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 12:41 am

Only stating there was a second 5009 at play at such a late stage, and that the Romon issue stemmed from the first one to the Switch was a criminal omission. Consider yourself flogged ;-)
Your punishment is having to eat the entire plate of smoked meat served at Katz's.
LOL!!!!

Just trying to keep you all on your game.

But, speaking of high crimes, pastrami is cured first, then smoked for flavor! Such an omission!
 
anav

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 12:56 am

We are going to connect the PC on the master router to the lab router directly on vlan32.

So ensure vlan32 is associated with ether1 as well, on the lab router. To facilitate the idea, let's say on the master 5009 it's ether port YY that you have connected to the lab 5009.
Further, you have your PC on master router port X, which you require to be able to ROMON to both lab devices.

Assuming you have VLANs set up already on the master router, it should be easy; I will assume the LAN subnet feeding the WAN IP to the lab 5009 is vlan11.
Just create two entries to connect vlan32 to the PC. No need to add any addresses or anything else; this is a reverse-to-switch scenario.
The master router knows nothing about this subnet etc.

ADD
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=etherX pvid=32 comment="access port for PC on master router on vlan32"
add bridge=bridge frame-types=admit-only-vlan-tagged interface=etherYY comment="trunk port to lab 5009"
/interface bridge vlan
add bridge=bridge tagged=bridge,etherYY untagged=etherX vlan-ids=32
add bridge=bridge tagged=bridge,etherYY untagged=???? vlan-ids=11
(imagine there are other ports on the same LAN as the lab 5009; if not, no extra entries are required)

Note: Over this connection the lab 5009 will give an IP address to the PC connected to the port on the master router, through the vlan32 connection.

So on the LAB router
/interface vlan
add interface=bridge name=vlanWAN11 vlan-id=11
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from master 5009"

/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether4,ether5,ether7,ether1 untagged=ether6 vlan-ids=32

/ip dhcp-client
add add-default-route=yes default-route-distance=1 interface=vlanWAN11

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
We carry the DHCP from the master router LAN (the lab 5009 WAN IP) in vlan 11.
We create a transparent tunnel on vlan32 to reach the PC on the master 5009 from the lab 5009 vlan32 subnet.

The goal is that the PC should be able to ROMON into the lab 5009 and the CRS326.
 
Josephny
Topic Author

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 1:18 am

I do like the goal, but the 5009-master is not set up for vlan.

I bought a second 5009 (5009-lab) and the CRS (to replace the CSS) to set these up independently, learn, test, make sure they work before swapping them in for the 5009-master and css.

It looks like without VLANs on the 5009-master, the solution above won't work, right?
 
Josephny
Topic Author

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 1:31 am

You inspired and guided me to another solution!

The Windows PC I'm sitting at is wired to 5009-master with a (locally) statically assigned ip of 192.168.2.22

But, it also has a built in wifi adapter.

And (another thing I hadn't mentioned is that) I have an ax3 also plugged into 5009-lab.

So, I enabled the wifi adapter on the desktop, connected to the SSID on the ax3 configured for the management VLAN (32), and sure enough, Winbox now shows the CRS as a neighbor!

I'm assuming this works because the desktop PC now has an ip (on the wifi interface) of 10.21.32.252/24 and the CRS has an ip of 10.21.32.2/24

That is to say, they are passing ethernet frames on the same broadcast domain without having to traverse vlans.

(Yes, I'm sure all you people with far deeper understanding than me are cringing at my phraseology -- sorry!)
 
sindy
Forum Guru
Posts: 11490
Joined: Mon Dec 04, 2017 9:19 pm

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 6:12 pm

Logically, RoMON is not a tagged packet, so bridge is dropping it.
I've made some tests, and although it sounds perfectly logical, the behavior is actually totally different.

Most ROMON frames have destination MAC address 01:80:C2:00:88:BF, which fits into the "link local" MAC address range. So 802.1D compliant bridges never forward them. RouterOS processes ROMON frames as soon as it receives them on an L2 interface. Whether that interface is a member port of any bridge and if yes, what is the frame-types setting, is irrelevant.

But each RouterOS device acts as a ROMON router/forwarder so it facilitates ROMON communication between its neighbors.
 
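To make the bridge-port side of this thread concrete, here is an added example (written for this page, not code from the thread or from MikroTik) that models what the settings in the configs above do to an incoming frame: frame-types, pvid and ingress-filtering on the port, plus the /interface bridge vlan membership table. It parses a small export in RouterOS syntax, builds raw Ethernet frames (untagged, priority-tagged and 802.1Q-tagged), runs each through the admission model, and separately flags port/VLAN-table combinations that silently break forwarding, such as a port listed untagged in a VLAN whose pvid is something else. The export text, MAC addresses and function names (SAMPLE_EXPORT, parse_export, build_frame, tag_of, admit, check) are all constructed here; treating the pvid as an implicit VLAN membership under ingress-filtering is an assumption that approximates RouterOS 7's dynamic entries. As sindy's post explains, RoMON frames are handled by RouterOS on the L2 interface before any bridge processing, so this model describes ordinary bridged traffic, not RoMON itself.

```python
"""Added example (not from the thread, not MikroTik code): a model of RouterOS
bridge-port ingress admission (frame-types, pvid, ingress-filtering) plus a
consistency check of an /interface bridge vlan table against the port table.
SAMPLE_EXPORT is constructed for the demo; pvid-implies-membership is an
assumption that approximates RouterOS 7's dynamic VLAN entries."""
import re
from dataclasses import dataclass

# Constructed sample: trunk (ether1), access port on VLAN 32 (ether6), a port
# at defaults (ether7), and one deliberately wrong entry (ether1 untagged in 62).
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk"
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=32
add bridge=bridge interface=ether7
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether7 untagged=ether6 vlan-ids=32
add bridge=bridge tagged=bridge,ether7 untagged=ether1 vlan-ids=62
"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value or key="quoted value"

@dataclass
class Port:
    name: str
    frame_types: str = "admit-all"          # RouterOS default
    pvid: int = 1
    ingress_filtering: bool = True          # RouterOS 7 default

def parse_export(text):
    """Return ({port name: Port}, {vid: (tagged set, untagged set)})."""
    ports, vlans, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
        elif line.startswith("add "):
            kv = {k: v.strip('"') for k, v in KV.findall(line)}
            if section == "/interface bridge port":
                ports[kv["interface"]] = Port(
                    kv["interface"], kv.get("frame-types", "admit-all"),
                    int(kv.get("pvid", 1)), kv.get("ingress-filtering", "yes") == "yes")
            elif section == "/interface bridge vlan":
                members = lambda key: set(filter(None, kv.get(key, "").split(",")))
                for part in kv["vlan-ids"].split(","):     # "32" or "10-20"
                    lo, _, hi = part.partition("-")
                    for vid in range(int(lo), int(hi or lo) + 1):
                        vlans[vid] = (members("tagged"), members("untagged"))
    return ports, vlans

def build_frame(dst, src, vid=None, prio=0, ethertype=0x0800):
    """Ethernet II header: vid=None -> untagged, vid=0 -> priority-tagged."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += (0x8100).to_bytes(2, "big") + ((prio << 13) | vid).to_bytes(2, "big")
    return hdr + ethertype.to_bytes(2, "big") + bytes(46)

def tag_of(frame):
    """None if no 802.1Q tag, else the 12-bit VID (0 means priority-tagged)."""
    if int.from_bytes(frame[12:14], "big") != 0x8100:
        return None
    return int.from_bytes(frame[14:16], "big") & 0x0FFF

def admit(port, vlans, frame):
    """Ingress decision on one bridge port: (accepted, effective VID, reason)."""
    vid = tag_of(frame)
    untagged_like = vid is None or vid == 0
    if port.frame_types == "admit-only-vlan-tagged" and untagged_like:
        return False, None, "frame-types drops untagged/priority-tagged frames"
    if port.frame_types == "admit-only-untagged-and-priority-tagged" and not untagged_like:
        return False, None, "frame-types drops VLAN-tagged frames"
    eff = port.pvid if untagged_like else vid
    tagged, untagged = vlans.get(eff, (set(), set()))
    member = port.name in tagged | untagged or eff == port.pvid   # pvid: assumed implicit
    if port.ingress_filtering and not member:
        return False, None, f"ingress-filtering: {port.name} not in VLAN {eff}"
    return True, eff, "ok"

def check(ports, vlans):
    """Flag port/VLAN-table combinations that silently break forwarding."""
    issues = []
    for vid, (tagged, untagged) in vlans.items():
        for name in (tagged | untagged) - {"bridge"} - set(ports):
            issues.append(f"vlan {vid}: {name} is not a bridge port")
        for name in untagged & set(ports):
            p = ports[name]
            if p.pvid != vid:
                issues.append(f"vlan {vid}: {name} untagged but pvid={p.pvid}; "
                              "inbound untagged frames land in the pvid VLAN")
            if p.frame_types == "admit-only-vlan-tagged":
                issues.append(f"vlan {vid}: {name} untagged but admits only "
                              "tagged frames; untagged ingress is dropped")
        for name in tagged & set(ports):
            if ports[name].frame_types == "admit-only-untagged-and-priority-tagged":
                issues.append(f"vlan {vid}: {name} tagged member but drops tagged ingress")
    return issues

if __name__ == "__main__":
    ports, vlans = parse_export(SAMPLE_EXPORT)
    for issue in check(ports, vlans):
        print("WARN", issue)
    dst, src = "02:00:00:00:00:02", "02:00:00:00:00:01"      # constructed MACs
    for pname, vid in [("ether1", 32), ("ether1", None), ("ether6", None),
                       ("ether6", 32), ("ether7", 32), ("ether7", 99)]:
        ok, eff, why = admit(ports[pname], vlans, build_frame(dst, src, vid))
        print(f"{pname} tag={vid} -> {'accept' if ok else 'drop'} vid={eff} ({why})")
```

Running it shows the two points the thread circles around: an untagged frame arriving on a port set to admit-only-vlan-tagged is dropped by the port before the VLAN table is ever consulted, while a frame tagged 32 on the same port is accepted, and the check() pass reports the sample's deliberately wrong ether1-untagged-in-62 entry twice (pvid mismatch and frame-types contradiction), which is the kind of mistake that looks fine in Winbox until traffic goes missing.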
anav

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 7:47 pm

Hi Sindy, I don't think the OP has a problem using ROMON when behind the LAB 5009 to reach the connected CRS326, also part of the lab network.
The OP, although he didn't provide the pertinent information or the pertinent config, only disclosed the fact that he was actually behind another 5009, which provided the WAN IP (ip dhcp client from a flat network), far down the conversation.

But your insight is still valuable and means that in general, for connected devices, ROMON should work. It won't work coming from a subnet that is not a VLAN and has no relation to any VLAN, expecting to reach other devices on VLANs.
 
sindy

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 8:05 pm

My post intentionally refers to @Amm0's one in particular, just for the case that someone comes searching and gets mislead by it. But unless @Amm0 edits his, few people will probably notice mine.
Last edited by sindy on Fri Apr 11, 2025 9:52 pm, edited 1 time in total.
 
Amm0
Forum Guru
Posts: 4697
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 8:32 pm

My post intentionally refers to @Ammo's one in particular, just for the case that someone comes searching and gets mislead by it. But unless @Ammo edits his, few people will probably notice mine.
Fixed. I swear I'd seen that cause RoMON not to work in the past. But I re-tested it, and you're right.
 
anav

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 11:20 pm

Well based on the avatar, I guess that post could be considered a dud! ;-))
 
Amm0

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 11:23 pm

Well based on the avatar, I guess that post could be considered a dud! ;-))
So what is the summary on why RoMON does not work here? I lost track of the conversation.
 
anav

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 11:40 pm

Well based on the avatar, I guess that post could be considered a dud! ;-))
So what is the summary on why RoMON does not work here? I lost track of the conversation.
The OP was trying to use ROMON from a PC behind a second RB5009 (the one giving the lab 5009 a WAN IP on its flat LAN) to reach the CRS326 that was behind the lab 5009.
The OP initially gave the impression that he was unable to reach the CRS326 from a PC also behind the lab 5009, and provided the two configs as relevant (both lab 5009 and CRS).
Sindy verified that between two connected devices, both with the bridge itself set to vlan-tagged-only frames, there was NO impediment to ROMON.
 
Josephny
Topic Author

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Fri Apr 11, 2025 11:50 pm



So what is the summary on why RoMON does not work here? I lost track of the conversation.
The OP was trying to use ROMON from a PC behind a second RB5009 (the one giving the lab 5009 a WAN IP on its flat LAN) to reach the CRS326 that was behind the lab 5009.
The OP initially gave the impression that he was unable to reach the CRS326 from a PC also behind the lab 5009, and provided the two configs as relevant (both lab 5009 and CRS).
Sindy verified that between two connected devices, both with the bridge itself set to vlan-tagged-only frames, there was NO impediment to ROMON.
I'm probably misunderstanding, but I was RoMON-connected to the 5009-lab, which was wired to the CRS. The 5009-lab saw the CRS when frame-types=admit-all but did not see the CRS when frame-types=admit-only-vlan-tagged. My understanding is that RoMON was simply not carried across the VLAN-tagged frames between the two.
 
anav

Re: ROMON fails with frame-types=admit-only-vlan-tagged

Sat Apr 12, 2025 12:59 am

Hi Ammo, I'm assuming the distinction was solely at the lab RB5009 regarding changing the bridge settings (and not the CRS326, which I am assuming is set to vlan-tagged only on the bridge itself).
....
[attachment: romon.jpg]
The admin's workaround was to ignore the ethernet connection and connect to an AP behind the lab RB5009 on the management vlan32.