 
gerryho
just joined
Topic Author
Posts: 7
Joined: Mon Dec 05, 2022 3:53 pm

Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 10:17 am

Hi all,

I am using a CRS326 as my switch with VLAN filtering, and it works okay. However, by accident, I misconfigured the bridge VLAN settings by selecting "admit only VLAN tagged" in the Frame Types selector. After that, I cannot connect to the switch via Winbox.

Can anyone help me out to reconnect to the switch? Thanks very much in advance.
 
gerryho
just joined
Topic Author
Posts: 7
Joined: Mon Dec 05, 2022 3:53 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 10:27 am

截屏2024-04-26 15.15.07.png
 
gigabyte091
Forum Guru
Posts: 1227
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 10:36 am

That's why you should always have one port off the bridge, so you can access the device in case of misconfiguration. Do you see your device MAC address in neighbors in Winbox?
 
CGGXANNX
Member Candidate
Posts: 122
Joined: Thu Dec 21, 2023 6:45 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 11:25 am

On your PC, you can configure your network adapter to use tagged vlan, instead of untagged. Here is a guide for Windows https://woshub.com/configure-multiple-vlan-on-windows/ and one for Linux https://ostechnix.com/configure-vlan-tagging-in-linux/
 
robertkjonesjr
Frequent Visitor
Posts: 75
Joined: Tue Jul 03, 2012 1:39 am

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 11:31 am

An option: if you have a serial port, use that as out-of-band management and adjust the config that way.
 
pe1chl
Forum Guru
Posts: 10282
Joined: Mon Jun 08, 2015 12:09 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 12:05 pm

Just reset the switch to factory defaults (button press during powerup) and load your latest configuration backup.
 
gerryho
just joined
Topic Author
Posts: 7
Joined: Mon Dec 05, 2022 3:53 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 4:49 pm

> That's why you should always have one port off the bridge, so you can access the device in case of misconfiguration. Do you see your device MAC address in neighbors in Winbox?

Yes, I saw the MAC address in Winbox, but cannot log in, whether via MAC address or IP address...
 
gerryho
just joined
Topic Author
Posts: 7
Joined: Mon Dec 05, 2022 3:53 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 4:53 pm

> On your PC, you can configure your network adapter to use tagged vlan, instead of untagged. Here is a guide for Windows https://woshub.com/configure-multiple-vlan-on-windows/ and one for Linux https://ostechnix.com/configure-vlan-tagging-in-linux/

Thanks for the guides. I tried to set the VLAN ID in Windows. As the PVID is 1 by default and only tagged packets can be admitted, I set the VLAN ID to 1, but still couldn't log in...

Did I choose the wrong VLAN ID?
 
gerryho
just joined
Topic Author
Posts: 7
Joined: Mon Dec 05, 2022 3:53 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 4:54 pm

> Just reset the switch to factory defaults (button press during powerup) and load your latest configuration backup.

Thanks for the suggestion, but the switch is about 100 miles away from me and I hope I can work it out remotely...
 
pe1chl
Forum Guru
Posts: 10282
Joined: Mon Jun 08, 2015 12:09 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 5:09 pm

Ok then the possibilities seem to be to use the console port (assuming you can find someone nearby to plug a cable).
And lesson for next time: when you do that kind of config, always first click the "safe mode" button and click it again when you are done.
When making mistakes like this, it will roll back the configuration to how it was when you first clicked safe mode.

Also, on devices with enough storage, always make 2 partitions and copy the active to the second partition regularly.
When something like this happens, you can ask the local people to unplug the power cord, plug it back in, wait 10-15 seconds, and unplug/replug it again.
The device will then boot from the second partition where the config (and RouterOS version) is as you last copied it.
Also useful when an upgrade does not turn out to be an improvement.
 
anav
Forum Guru
Posts: 19674
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 5:58 pm

So no wireguard connectivity to the switch??
 
CGGXANNX
Member Candidate
Posts: 122
Joined: Thu Dec 21, 2023 6:45 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Fri Apr 26, 2024 6:30 pm

> Thanks for the guides. I tried to set the VLAN ID in Windows. As the PVID is 1 by default and only tagged packets can be admitted, I set the VLAN ID to 1, but still couldn't log in...
>
> Did I choose the wrong VLAN ID?

From your screenshot it should be 1. Is the PC on the same Layer 2 network as the switch (you mentioned that you are far away from the switch)? Did you set the VLAN ID in the driver setting? Driver support varies, I think. Can you try the "Hyper-V" way from the guide above instead (section Create Multiple VLANs with Windows Hyper-V Role)? It should be more consistent. I always use the Hyper-V virtual switch feature and then create virtual Hyper-V adapters to use different tagged VLAN networks at the same time and it works well (the port on my PC acts as a hybrid port).
 
gerryho
just joined
Topic Author
Posts: 7
Joined: Mon Dec 05, 2022 3:53 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Sat Apr 27, 2024 8:23 am

> > Thanks for the guides. I tried to set the VLAN ID in Windows. As the PVID is 1 by default and only tagged packets can be admitted, I set the VLAN ID to 1, but still couldn't log in...
> >
> > Did I choose the wrong VLAN ID?
>
> From your screenshot it should be 1. Is the PC on the same Layer 2 network as the switch (you mentioned that you are far away from the switch)? Did you set the VLAN ID in the driver setting? Driver support varies, I think. Can you try the "Hyper-V" way from the guide above instead (section Create Multiple VLANs with Windows Hyper-V Role)? It should be more consistent. I always use the Hyper-V virtual switch feature and then create virtual Hyper-V adapters to use different tagged VLAN networks at the same time and it works well (the port on my PC acts as a hybrid port).

Thanks very much for the guidance. Actually, I am using ESXi, and I use a distributed switch to get a similar setting to the Hyper-V virtual switch. I tried a VLAN Distributed Port Group with VLAN 1, as well as setting the VLAN ID to 1 in the driver settings while setting my Distributed Port Group to VLAN trunking (of course VLAN1 is included). The virtual machine, which is on the same Layer 2 network as the switch, still could not find the switch in Winbox... Actually, I think this is weird...
 
vingjfg
Member
Member
Posts: 344
Joined: Fri Oct 20, 2023 1:45 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Sat Apr 27, 2024 11:01 am

Do you have a way to capture some traffic on that port on your host?
 
Buckeye
Forum Veteran
Posts: 896
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Sat Apr 27, 2024 12:00 pm

Assuming the only interface defined on the CRS using ethernet was the bridge, then I don't think there is any recovery without a serial connection, or a factory reset (and losing the previous config).

The bridge interface is connected to the switch ASIC via untagged traffic over the internal trunk link. You blocked that by changing frame type to "admit only VLAN tagged".

If you had a vlan interface defined for vlan x, and a switch port with vlan x membership, and if there were no firewall rules blocking access, then you may be able to connect using that vlan interface.

But @anav brings up a valid point. If the switch was 100 miles away, how were you managing it before? Ideally you would have a VPN connection. If you had a VPN interface (like wireguard) on the CRS, then you should still be able to connect via that method. If you don't, then you are going to need to make a trip, or get someone at the remote location to be your assistant.

I can't think of a way that using tagged traffic will work to the bridge interface that is expecting untagged traffic (over the switch ASIC to CPU internal "trunk link"). See CRS326-24G-2S+IN block diagram which shows all ethernet connections are via the 98DS3236 switch ASIC. The only other access is via the RJ45 serial port.
Last edited by Buckeye on Sun Apr 28, 2024 8:43 am, edited 1 time in total.
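
Added example (not part of any post in this thread, and not MikroTik code): a pre-change check over a RouterOS `/export`, following the reasoning in the post above, that flags a bridge set to "admit only VLAN tagged" when the management IP sits on the untagged bridge interface, no addressed VLAN interface provides a tagged path, and no Ethernet port is kept off the bridge. The function names, the sample export and its interface names and addresses are constructed; the parser assumes one-line `add` entries and a single ID per `vlan-ids`.

```python
import re

# Constructed sample: a RouterOS "/export" excerpt in the state the thread describes.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge1 vlan-filtering=yes frame-types=admit-only-vlan-tagged
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ip address
add address=192.168.88.2/24 interface=bridge1
"""

def parse_export(text):
    """Map each menu path to its list of 'add' entries (one-line entries only)."""
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            menus.setdefault(path, []).append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def lockout_findings(text, ethernet_ports):
    """Hypothetical pre-change check: list reasons management access could be lost."""
    cfg = parse_export(text)
    bridged = {p["interface"] for p in cfg.get("/interface bridge port", [])}
    addressed = {a["interface"] for a in cfg.get("/ip address", [])}
    findings = []
    for br in cfg.get("/interface bridge", []):
        name = br["name"]
        if (br.get("vlan-filtering"), br.get("frame-types")) != ("yes", "admit-only-vlan-tagged"):
            continue  # bridge CPU port still admits untagged frames
        if name in addressed:
            findings.append(f"{name}: IP address is on the untagged bridge interface")
        # A tagged management path needs an addressed VLAN interface on the bridge
        # and the bridge itself listed as a tagged member of that VLAN.
        ok = any(
            v.get("interface") == name and v["name"] in addressed
            and any(t.get("bridge") == name and t.get("vlan-ids") == v.get("vlan-id")
                    and name in t.get("tagged", "").split(",")
                    for t in cfg.get("/interface bridge vlan", []))
            for v in cfg.get("/interface vlan", []))
        if not ok:
            findings.append(f"{name}: no tagged management VLAN interface")
    if not set(ethernet_ports) - bridged:
        findings.append("no Ethernet port kept off the bridge")
    return findings

if __name__ == "__main__":
    print("\n".join(lockout_findings(SAMPLE_EXPORT, ["ether1", "ether2"])))
```

Run against an export taken before applying the frame-type change, an empty result means a tagged management path and a spare port both exist.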
 
mkx
Forum Guru
Posts: 11763
Joined: Thu Mar 03, 2016 10:23 pm

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Sat Apr 27, 2024 12:11 pm

> But @anav brings up a valid point. If the switch was 100 miles away, how were you managing it before?

It doesn't really matter. If L2 configuration gets screwed, then no amount of L3/L4/L6 connectivity helps. Because all of it depends on working L2.
 
anav
Forum Guru
Posts: 19674
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Any solution for admit-only-VLAN-tagged misconfiguration

Sat Apr 27, 2024 5:17 pm

Disagree because it's mkx of course. If the Wireguard has access to the input chain, and is not connected to the bridge in any way (the main culprit in these things), perhaps Wireguard would not be affected.
