Apologies for implementing bad BB etiquette. My post got ignored under General, so I figured I may have posted in the wrong forum and am placing it here. I thow myself at the mercy of the moderators of course. Should they wish to rather move my other post to the beginner basics forum and squash this one, or have me delete the other I'd be happy to oblige. Below a copypasta of my original post:

Hi all.
I have a CRS125 with 6.42.3 on it.
Below is an image that shows a simplification of my setup with the important bits relevant to this post.


Extra info

LAN BRIDGE => Has DHCP server x.x.12.x/24 - Works as expected. Plug in cable, get address.
VLAN 20 => HAS DHCP SERVER - Works as Expected. Associate with WiFi, get VLAN 20 address. (VLAN 20 is an interface on LAN BRIDGE)
ISOLATE BRIDGE => NO DHCP SERVER. (Want the ETH ports on it to be tagged with VLAN 100)
VLAN 100 => HAS DHCP SERVER x.x.11.x/24 - Works as Expected. Associate with WiFi, get VLAN 100 address. (VLAN 100 is an interface on ISOLATE BRIDGE)
VLAN 200 => HAS DHCP SERVER - Works as x.x.10.x/24 Expected. Associate with WiFi, get VLAN 200 address.(VLAN 200 is an interface on ISOLATE BRIDGE)

On the UNIFI AP and UNIFI Switch I have all the relevant WiFi set up, there is one untagged wifi that works as expected, and then three tagged wifi's that works as expected. On port 1 on the Unifi switch I have the untagged and VLAN20 network going to a port on the LAN BRIDGE, and that works fine.

On port 2 on the Unifi switch I have ONLY VLAN 100 and VLAN 200 configured, and when I associate with the WiFi SSID that has those VLAN tags I get routher through port 23 and out to the Internet.
(I am planning to isolate ISOLATE BRIDGE from the rest of the LAN, probably through some firewall rules denying access to between the various subnets, unless there is a way to just keep ISOLATE BRIDGE traffic away from LAN BRIDGE. But that is a later problem.)
My challenge is when I plug a PC into any of the ports on ISOLATE BRIDGE. Now I understand that if ISOLATE BRIDGE does not have a DHCP server, then I won't get an address, that is expected behavior. My question is, how do I avoid having to add another DHCP server using the pool of VLAN 100? VLAN 200 will be WiFi only, but on VLAN 100 I will have wifi as well as Ether net devices. I could simply add another DHCP server to ISOLATE BRIDGE and use the VLAN 100 pool, but that is putting a bandaid on what I actually want. I want ports 17, 19 and 21 to be a part of VLAN 100 like any WiFi client that associates with the VLAN 100 SSID is.

I have used port 19 as my test subject, and have tried the following:

- Remove port 19 from ISOLATE BRIDGE > "Cannot remove dynamic port"
- Fine, REMOVE ISOLATE BRIDGE > OK, but I have INTERFACE LISTS! Ether 17, 19, 21, 23 are part of ISOLATE LIST (allowing for easy firewall rules yay) and now I cannot change port 19 because it is still seen as a dynamic port.
- Fine, REMOVE ISOLATE LIST > Nope, port 19 still dynamic.
(restore config, start again)
- Change PVID of ISOLATE BRIDGE TO 100 > No effect, Interface still fails connection.
- CHANGE PVID of Port 19? > Cannot change dynamic port.
- What about changing the PVID of Isolate list? > "Couldn't change bridge port <isolate list> interface list already added as bridge"
- MOVE DHCP SERVER TO ISOLATE BRIDGE > OK now Interface 19 gets DHCP, but VLAN 100 does not.
- Change port 19 under /interface/ethernet/switch and do various VLAN-y things based on various Mikrotik guides > No joy, the port still does not hand out DHCP.
(restore config, start again)
- Add a VLAN to the Bridge with ID 100 and tag port 19 > no effect. (remove that bridge VLAN)
- Change PVID of ISOLATE BRIDGE to 100 and tick "VLAN FILTERING" > Now two dynamic VLANs appear under bridges, one with VLAN 100, and one with VLAN 1, on vlan 100 there are two entries for "ISOLATE BRIDGE" under "current untagged", and two entries on VLAN 1 with port 23 and port 19 as "current untagged". The DHCP client behavior of port 19 remains dead.
- OK, NOW move the DHCP server to ISOLATE BRIDGE? > Welp, now port 19 isn't getting DHCP under this config either, but the wifi clients on VLAN 100 still does, so at least I have my VLAN getting DHCP when the bridge is PVID 100. That's a step forward, but VLAN 100 now has no Internet access, so a step back there. A bonus is that I can also not see my onsite webserver which is on LAN BRIDGE, so isolation achieved, how to give them Internet Access though? I am happy to figure out that problem if I can get port 19 to behave as expected. Unfortunately VLAN 200 ALSO does not have Internet access when I set ISOLATE BRIDGE PVID to 100, but they do get addresses in the VLAN 200 pool still.
- Set the PVID of ISOLATE BRIDGE to 1, but enable VLAN tagging > OK, now I can also manually tag the VLAN on port 19 on ../bridge/vlans, and also get DHCP from the VLAN 100 SSID, as well as the VLAN 200 SSID, but NOT port 19, and none of the VLANs have access to Internet.
- under /interface/ethernet/switch/vlan do:
- ingress-vlan-translation add ports=ether19 customer-vid=0 new-customer-vid=100 sa-learning=yes
- vlan add ports=ether19 vlan-id=100 learn=yes
(Neither of the above allow me to plug a PC into port 19 and get any form of DHCP.)
At this point I reset my CRS to the last working config because keeping track of what I did gets hard and rolling back to where I get Internet + addresses on the VLAN 100 and 200 SSID's is more effort than just hitting restore && reboot.

So that is what I tried, and I cannot get my VLAN setup to work like I want it. In short, without changing anything else that works as expected, I want:

ISOLATE BRIDGE - (VLAN 100 DHCP server)
- VLAN 100 - (Get VLAN 100 DHCP from ISOLATE BRIDGE)
- VLAN 200 - (VLAN 200 DHCP Server)
- ethernet17 (vlan 100) - (Client PC Get VLAN 100 DHCP from ISOLATE BRIDGE )
- ethernet19 (vlan 100) - (Client PC Get VLAN 100 DHCP from ISOLATE BRIDGE )
- ethernet21 (vlan 100) - (Client PC Get VLAN 100 DHCP from ISOLATE BRIDGE )
- ethernet23 (vlan 100 + vlan 200) - (WiFi SSID for VLAN 100 and VLAN 200 hand out DHCP on the espective VLANs as per the DHCP servers associated with those networks.)

I am unsure why interface lists are shown as bridges, but they are, and I cannot modify them, nor their client physical interfaces. I can also not remove client interfaces from a bridge once added, and once added to an interface list I cannot do anything with a physical interface, even if I delete the interface list. It's like the physical interfaces are "locked down" and nothing short of a complete reset to default with no bridges and lists will allow me to meddle with them.

Making changes in /interface/ethernet/switch doesn't seem to have any effect. Why there still isn't a GUI for the switch port on 6.43 is unclear, it would be nice to have an interface to peer through and see if there are any problems.

Any advice will be appreciated.

Hi,

I've read this a number of times and I think I understand what you are trying to do, although I may still not have it right in my head.

I actually do something similar on the CRS125 in that I have 3 VLAN's running on it (all isolated from each other in groups of ports) and a seperate router with 4 nics in it, one for WAN and the other 3 for the vlans that each have different IP address ranges etc. The CRS does no routing itself and there is no interchange between the VLAN's on the CRS, that is all done in the router.

The way I do it, I only have the one bridge, covering every port and I deal with the VLAN's on the switch chip, so that I get wirespeed switching. The difference for me though and why I'm not really going to be able to help is that I do all of my DHCP etc in the seperate router, away from the CRS. It may be that you have to use more bridges to supply the DHCP from the CRS125.

Happy to post some config of the way I do it if you think it would help, but because I don't do the DHCP on the CRS, I suspect my config won't work for your needs.

Sorry I couldn't be more help.

Happy to post some config of the way I do it if you think it would help, but because I don't do the DHCP on the CRS, I suspect my config won't work for your needs.

I would really appreciate it if you would.

If only to give me some insight into that switching setup which I want to get into.

Thanks in advance.

Hi,

The usual caveats apply. This is what is working for me, I'm a long way from being a Mikrotik expert and am happy to be corrected by someone who is.

The config for running with the single bridge and the VLAN's managed by the switch chip is actually really simple. I did rip out a load of CAPsMAN config, but hopefully I didn't take anything important with it.

Hopefully the config is self evident, but ports 21 and 22 are for VLAN 200, one to the router and one that I can patch to for testing VLAN 200 functionallity. The same for ports 23 and 24 although for VLAN 300. Ports 17 through to 20 are trunk ports off to other switches etc, all carrying VLAN 100, 200 & 300 traffic. Port 1 is the link to the router for VLAN 100 and ports 2 through to 16 are VLAN 100 access ports. Hopefully that makes sense.

The main router that ports 1, 21 & 23 are connected to handles DHCP, DNS etc. for the 3 VLANs and routes between them and a 4th NIC to the Internet as allowed by the firewall on that router. Switching is all HW offload at wirespeed on the CRS125 within the one bridge.

Hopefully this is of some small help

EDIT: I did a: /system reset-configuration no-defaults=yes then loaded the config in by hand again and this time it worked.
I updated the device from 6.38.x to 6.42.3, it is possible the upgrade that enforces the change from the master-port syntax to bridges might have been the source of the issue. I think this is posible because the dynamic vlans for 4090 and 4094 that could not be removed are now gone. 4090 and 4094 were not in use in my config, so i think they are an artifact left over from the upgrade script.

Have you verified that egress traffic on ether19 is not tagged?

I am struggling with the same issue, however i have narrowed the first issue down to a problem regarding access ports. Here is a super simple example of a switch with one trunk port and one access port.

First the cisco IOS equivalent is very straight forward:
According to the documentation the equivalent for RouterOS > 6.41 is:
Traffic enters the trunk just fine, however it is switched out ether11 with vlan 35 tag intact.
I have tried a few things that intuitively made sense to me:
Nothing seems to work.I am however hesitant to call it a bug just yet, because Mikrotik has made major syntax changes to the switch configuration the documentation does not keep up. The vast majority of tutorials reference the pre-6.41 "Master port" syntax.

Hi man.

Had the week from hell so only back to fiddling with the CRS over this weekend.

I really appreciate that you posted your config, I apologise for not responding sooner.

Will let you know how it goes!