Hi bought myself a CRS125-24G-1S2HnD-IN and would like to connect to my servers from my workstation. Servers have several tagged/untagged VLANs attached so i configure a hybrid port for them. For the workstation i have one untagged vlan (ingress 888) and one tagged vlan (678) . Currently I'm unable to ping the untagged vlan (888) interfaces of the servers and/or the switch from the workstation (interface 23) or from any other servers (interfaces 3-11). Though I can ping the tagged vlans. Did i do anything wrong with ingress/egress translation rules? Please let me know, i'm busy with this for 3 weeks now ... and i can tell ya, trunks/hybrid ports on a CRS aren't easy to config

[admin@MikroTik] > export
# jan/02/1970 07:18:40 by RouterOS 6.23
# software id = 09TT-8K3D
#

/interface wireless
set [ find default-name=wlan1 ] l2mtu=2290
/interface ethernet
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
set [ find default-name=ether6 ] master-port=ether2
set [ find default-name=ether7 ] master-port=ether2
set [ find default-name=ether8 ] master-port=ether2
set [ find default-name=ether9 ] master-port=ether2
set [ find default-name=ether10 ] master-port=ether2
set [ find default-name=ether11 ] master-port=ether2
set [ find default-name=ether23 ] master-port=ether2

/interface vlan
add interface=ether2 l2mtu=1584 name=vlan27 vlan-id=27
add interface=ether2 l2mtu=1584 name=vlan34 vlan-id=34
add interface=ether2 l2mtu=1584 name=vlan49 vlan-id=49
add interface=ether2 l2mtu=1584 name=vlan678 vlan-id=678
add interface=ether2 l2mtu=1584 name=vlan888 vlan-id=888

/port
set 0 name=serial0

/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2,ether5,ether8,switch1-cpu vlan-id=27
add tagged-ports=ether2,ether3,ether6,ether10,switch1-cpu vlan-id=34
add tagged-ports=ether2,ether7,ether9,ether11,switch1-cpu vlan-id=49
add tagged-ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ethe\
r10,ether11,ether23,switch1-cpu" vlan-id=678

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=888 ports=ether3 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether4 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether5 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether6 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether7 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether8 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether9 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether10 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether11 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether23 sa-learning=yes
add customer-vid=0 new-customer-vid=888 ports=ether2 sa-learning=yes

/interface ethernet switch vlan
add ports=ether2,ether5,ether8,switch1-cpu vlan-id=27
add ports=ether2,ether3,ether6,ether10,switch1-cpu vlan-id=34
add ports=ether2,ether7,ether9,ether11,switch1-cpu vlan-id=49
add ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,eth\
er11,ether23,switch1-cpu" vlan-id=678
add ports="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,eth\
er11,ether23,switch1-cpu" vlan-id=888

/ip address
add address=10.8.0.1/24 interface=vlan27 network=10.8.0.0
add address=10.9.0.1/24 interface=vlan34 network=10.9.0.0
add address=10.10.0.1/24 interface=vlan49 network=10.10.0.0
add address=10.11.0.1/24 interface=vlan678 network=10.11.0.0
add address=10.12.0.1/24 interface=vlan888 network=10.12.0.0

/ip firewall filter
add action=drop chain=input comment="default configuration" in-interface=\
ether1
add chain=forward comment="default configuration" connection-state=\
established,related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=ether1

Seems that you only need to add vlan888 tagging on CPU port to make it work:

Seems that your reply is correct because after entering the command, i can now ping all the machines on vlan888. How could i miss such simple fact ... thnx!

Edit: Ok, i understand that switch1-cpu port on the switch must be able to egress packets with vlanid888 to the CPU. But how knows the CPU that these packets should then be untagged and to be send to the switch? Is that information derived from the ingress option in some smart way? I'm just trying to understand how this works.

Below what i found in the wiki, thing is, i never specified the untagged format for vlanid888 in my config

Edit: Ok, i understand that switch1-cpu port on the switch must be able to egress packets with vlanid888 to the CPU. But how knows the CPU that these packets should then be untagged and to be send to the switch? Is that information derived from the ingress option in some smart way? I'm just trying to understand how this works.

CPU does not know anything about removing the tag, it sends tagged vlan888 through its vlan interface to switch-chip "switch1-cpu" port. The switch-chip then decides whether to remove the vlan tag if the traffic is further forwarded to port which had proper ingress translation rule for that vlan.

Below what i found in the wiki, thing is, i never specified the untagged format for vlanid888 in my config

That setting refers from "egress-vlan-tag" table to each switch port "egress-vlan-mode" which by default is "unmodified", it allows to override default egress action on specific ports.