Observations:
5009
1. One bridge as per --> viewtopic.php?t=143620
If you do not want to use the single bridge for vlans and just have the vlan on the port, then simply assign the vlan to the port as you have done and remove the bridge and also the bridge port you created for the vlan, as well as the /interface bridge vlan.
2. Suggest you should also add the vlan to the LAN interface list
3. There should be nothing stopping bridge users and vlan users from reaching each other, as the firewall rules as set up do not block LAN to LAN traffic.
4. If not using IPv6 then disable it and remove all the address lists and firewall rules for IPv6, leaving just two.
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
5. Set mac server by itself (not secure) to NONE
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
viewtopic.php?t=182276
CRS310
6. The only connection between the CRS310 and the RB5009 is via the vlan and the CRS310 gets its IP from this vlan thus
ASSIGN the VLAN to the bridge, not the port.
7. You have assigned vlan225 as access ports for ether1-2, which is fine, but no traffic on the rest, if that is what is desired. The sfpplus port is correctly set in basic form for a trunk port carrying vlans.
8. Not sure what you're doing with neighbours discovery, but only one interface is required in this setup.
/interface list
add name=MANAGE
/interface list member
add interface=vlan2225 list=MANAGE
/ip neighbor discovery-settings
set discover-interface-list=MANAGE
9. NO IP DHCP Client required (remove), the address is assigned to the CRS310 via the vlan.
10. Further additions/modifications
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.225.1
/ip dns
set allow-remote-requests=yes servers=192.168.225.1
Statistics: Posted by anav — Sun Jan 14, 2024 6:12 pm
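An added example, not part of anav's post: a small offline check that reads a RouterOS text export and reports where the management-plane settings differ from the values recommended above (mac-server NONE, mac-winbox LAN, neighbor discovery MANAGE, and an unconditional IPv6 drop in both input and forward). The function names and the sample export are constructed for illustration, and the menu path `/ip neighbor discovery-settings` is the spelling RouterOS uses.

```python
import re
import shlex

# Expected values are the ones the post recommends; keys are (menu, parameter).
EXPECTED = {
    ("/tool mac-server", "allowed-interface-list"): "NONE",
    ("/tool mac-server mac-winbox", "allowed-interface-list"): "LAN",
    ("/ip neighbor discovery-settings", "discover-interface-list"): "MANAGE",
}

def parse_export(text):
    """Yield (menu, verb, params) for each command in a RouterOS-style export."""
    menu = ""
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join continuations
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            verb, *rest = shlex.split(line)
            yield menu, verb, dict(t.split("=", 1) for t in rest if "=" in t)

def audit(text):
    """Return sorted findings; an empty list means the export matches the advice."""
    seen, drops = {}, set()
    for menu, verb, p in parse_export(text):
        if verb == "set":
            seen.update({(menu, k): v for k, v in p.items()})
        elif menu == "/ipv6 firewall filter" and verb == "add":
            # unconditional drop: nothing besides chain/action/comment
            if p.get("action") == "drop" and set(p) <= {"chain", "action", "comment"}:
                drops.add(p.get("chain"))
    findings = []
    for (menu, key), want in EXPECTED.items():
        got = seen.get((menu, key))
        if got is None or got.lower() != want.lower():
            findings.append(f"{menu}: {key}={got or 'unset'}, expected {want}")
    findings += [f"/ipv6 firewall filter: no unconditional drop in chain={c}"
                 for c in ("input", "forward") if c not in drops]
    return sorted(findings)

# Constructed sample export, not taken from the thread.
SAMPLE = """/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/ipv6 firewall filter
add chain=input action=drop comment="drop all"
"""
print("\n".join(audit(SAMPLE)))
```

A setting reported as `unset` is simply absent from the export, so the device is running whatever its default is for that parameter and it is worth checking by hand.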