Hello there. I'm clearly fighting my own blind spot, however I am not able to make L2/L3 running on my pair of CCR2216.
The desired setup:
CCR2216 - thor as primary border router and switch for Proxmox server pve1
CCR2216 - freya as secondary border router and switch for Proxmox server pve1
pve1 - bonded client with tagging to distribute future VMs to different zones

I've folowed this guide with some minor modifications: https://help.mikrotik.com/docs/display/ ... tion+Group

## Thor's config:
/interface bridge
add name=bridge1 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment="Installation uplink"
set [ find default-name=sfp28-1 ] comment=pve1_1
set [ find default-name=sfp28-11 ] comment="Router crosslink"
set [ find default-name=sfp28-12 ] comment="Router crosslink"

/interface vlan
add comment=management interface=bridge1 name=vlan1254 vlan-id=1254
add comment="PtP VLAN" interface=ether1 name=vlan3125 vlan-id=3125

/interface bonding
add mode=802.3ad name=crosslink slaves=sfp28-11,sfp28-12 transmit-hash-policy=layer-3-and-4
add mlag-id=101 mode=802.3ad name=pve1_1 slaves=sfp28-1 transmit-hash-policy=layer-3-and-4

/interface vrrp
add interface=vlan1254 name=vrrp1254 priority=200 sync-connection-tracking=yes vrid=254

/interface bridge mlag
set bridge=bridge1 peer-port=crosslink

/interface bridge port
add bridge=bridge1 interface=crosslink pvid=99
add bridge=bridge1 interface=pve1_1

/interface bridge vlan
add bridge=bridge1 tagged=pve1_1,crosslink,bridge1 vlan-ids=1000-1254

/ip address
add address=171.25.220.177 comment="peer uplink" interface=vlan3125 network=171.25.220.176
add address=10.64.254.252/24 comment="management thor" interface=vlan1254 network=10.64.254.0
add address=10.64.254.254 interface=vrrp1254 network=10.64.254.254

/ip dns
set servers=8.8.8.8

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=171.25.220.176 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=yes target-scope=10

/system identity
set name=thor


## Freya's config
/interface bridge
add name=bridge1 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] comment="Installation uplink"
set [ find default-name=sfp28-1 ] comment=pve1_1
set [ find default-name=sfp28-11 ] comment="Router crosslink"
set [ find default-name=sfp28-12 ] comment="Router crosslink"

/interface vlan
add comment=management interface=bridge1 name=vlan1254 vlan-id=1254
add comment="PtP VLAN" interface=ether1 name=vlan3126 vlan-id=3126

/interface bonding
add mode=802.3ad name=crosslink slaves=sfp28-11,sfp28-12 transmit-hash-policy=layer-3-and-4
add mlag-id=101 mode=802.3ad name=pve1_1 slaves=sfp28-1 transmit-hash-policy=layer-3-and-4

/interface vrrp
add interface=vlan1254 name=vrrp1254 priority=110 sync-connection-tracking=yes vrid=254

/interface bridge mlag
set bridge=bridge1 peer-port=crosslink

/interface bridge port
add bridge=bridge1 interface=crosslink pvid=99
add bridge=bridge1 interface=pve1_1

/interface bridge vlan
add bridge=bridge1 tagged=pve1_1,crosslink,bridge1 vlan-ids=1000-1254

/ip address
add address=171.25.220.179 comment="peer uplink" interface=vlan3126 network=171.25.220.178
add address=10.64.254.253/24 comment="management freya" interface=vlan1254 network=10.64.254.0
add address=10.64.254.254 interface=vrrp1254 network=10.64.254.254

/ip dns
set servers=8.8.8.8

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=171.25.220.178 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=yes target-scope=10

/system identity
set name=freya

## pve1 network config:
iface enp129s0f0 inet manual
iface enp129s0f1 inet manual

auto bond0
iface bond0 inet manual
bond-slaves enp129s0f0 enp129s0f1
bond-miimon 100
mond-mode 802.3ad
bond-xmit-hash-policy layer3+4

auto vmbr0
iface vmbr0 inet manual
bridge-ports bond0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 1000-1254

auto vlan1254
iface vlan1254 inet static
address 10.64.254.1/24
gateway 10.64.254.254
vlan-raw-device vmbr0

Please, what am I missing? The Routers can ping each other, on all devices the bonding is verified working. brctl on Linux shows correct tagging, however I cannot ping from pve1 any Mikrotik's IP no matter what.

First thing that jumps out to me is this typo:

I know it's confusing, but it really was a typo when writing here as I was re-typing it from KVM. The host had it right.