78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Bridge VLAN Filtering

Wed Jan 17, 2024 11:34 pm

Would anyone be kind enough to advise whether the VLAN Bridge feature supported by Mikrotik is proprietarily designed to function solely across Tik devices? I have discovered a multitude of threads, configurations and instructional videos highlighting the bridge features, but cannot seem to confirm cases where the acting router is not a mikrotik, but the acting switch is.

Example 1: Mikrotik Router <Trunk Tagged VLAN20/VLAN30> Mikrotik Switch (VLAN Bridge Enabled)

vs

Example 2: Non Mikrotik Router <Trunk Tagged VLAN20/VLAN30> Mikrotik Switch (VLAN Bridge Enabled)
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering

Thu Jan 18, 2024 12:42 am

To put it simply, MT devices accept trunk ports, access ports and hybrid ports without issues, regardless of vendor.
Internally, this is the best guide for at least routers... viewtopic.php?t=143620
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: Bridge VLAN Filtering

Thu Jan 18, 2024 1:48 am

Anav,

Thank you for confirming my sanity on this one, although in my particular case I cannot seem to procure a bridged VLAN configuration that seems to operate as intended. I have bridged and bridged and bridged a multitude of ways, following multiple threads, videos, and instructional guides including the WIKI to no resolve.

Long story short, I fall under example two where my Router is a Non Mikrotik Router and my switch (which was the router at one point and is now a simplified L2 acting switch - Mikrotik). Once VLANs were configured and thrown into the mix with the bridge at the Tik, the device seems not to function as intended, period. The acting "switch" at the moment is a CCR1009-7G-1C-PC which does not have a switch chip, but rather each interface is independently pegged to the CPU. I wonder if this is where I am failing to account for parts of the configuration or if this has any relevance.

In essence, the objective is to configure the CCR1009 as a bridged VLAN switch, where the combo (ETH port) accepts the VLAN trunk from the router. Interface ETH1 would be reserved for passing through the trunk to another switch, ETH2-7 would be reserved for LAN devices that are tagged/untagged as needed.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering

Thu Jan 18, 2024 2:04 am

Without seeing the config, it's hard to know where you went wrong.
In general, MT device gets IP from the trusted VLAN,
This is the only vlan that will have the bridge tagged in /interface bridge vlans
The rest of the vlans are tagged on the incoming trunk port and either tagged out another trunk port or untagged out an access port, as required.
Only the trusted vlan needs to be created or identified as belonging to the bridge.
To make it clear, DNS servers should be allowed, and the one identified as the gateway of the trusted vlan.
To make it clear, the IP route should point to the gateway of the trusted vlan.
Firewall rules in general are not required.
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: Bridge VLAN Filtering

Thu Jan 18, 2024 5:40 am

Apologies for the delay Anav. I've provided the last configuration that seemed to operate to an extent, but truly not as intended. Personally, I have a feeling there may be a much more efficient configuration path.

Router eth4 <Trunk> Mikrotik combo1
172.20.30.1/25 (Network 1/VID1) Untagged
172.20.40.1/25 (Network 2/VID20) Tagged

Mikrotik
ETH2 is passing along the correct Vlan20/IP related information, but I am unable to ping the associated gateway from that port (172.20.40.1)
ETH1 seems to be passing along both Vlans
Ports 3-7 are out of the question just for the sake of testing and management purposes.

[admin@MikroTik] > export show-sensitive 
/interface bridge
add name=bridge-VLAN20
add name=bridge1-Trunk
/interface vlan
add interface=combo1 name=vlan20 vlan-id=20
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1-Trunk interface=combo1
add bridge=bridge1-Trunk interface=ether1
add bridge=bridge-VLAN20 interface=ether2
add bridge=bridge-VLAN20 interface=vlan20
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN Filtering

Thu Jan 18, 2024 9:40 am

You're configuring VLANs in an awkward way (essentially you're not using the bridge as a VLAN-aware entity). Consequently you cannot use a hybrid port (which your ether1 is: passing tagged VLAN20 and an untagged one ... where it doesn't matter how the other end treats it (untagged VID1 ... if it's untagged, then the VID is assigned/removed on the port itself) as a port member ... it'll carry all VLANs to the governing bridge(s) if the physical interface is made a member of the bridge. This is different from the bridge for VLAN 20, where you have to put the vlan interface between the physical interface and the bridge, and that interface does the frame selection. And there's no similar filter which would pass only untagged frames.

As @anav suggested: study the tutorial linked in @anav's post and use single vlan-aware bridge.
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: Bridge VLAN Filtering

Sat Jan 20, 2024 9:41 am

mkx/anav,

Thank you. While I considered your suggestion and applied the necessary adjustments for a "vlan-aware bridge", I am uncertain of how to approach the configuration for passing through trunk related data ingressing at COMBO1 out of ETH1 which is intended to uplink to another switch. Are we to assume that the port would be configured with default pvid such as the Combo1 port?
/interface bridge
add name=bridge1 vlan-filtering=yes
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=20
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=combo1
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=combo1 vlan-ids=10
add bridge=bridge1 tagged=combo1 vlan-ids=20
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
[admin@MikroTik] > 
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN Filtering

Sat Jan 20, 2024 11:28 am

PVID settings on different bridge ports are independent. The only criterion when deciding if a port needs PVID (and which VID) is config of the device connecting to that port. If the other device is configured to send and receive untagged frames (IMO a bad idea for trunk ports), then port on this side has to be configured with PVID, and value should be set so that untagged frames from remote device end up in correct VLAN. PVID on remote device, sometimes called "native VLAN", technically doesn't matter, but from "state of admin's mind" point of view it's usually preferable to set same value on both ends.

And, since PVIDs are independent, different hybrid (trunk with native vlan) ports can have different PVID set.

But again, as this exercise proves: use of hybrid ports is best to be avoided if device on other end permits.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering

Sat Jan 20, 2024 3:24 pm

In simple terms, if passing vlans from one smart device to another, this is done normally via a TRUNK PORT at both ends.
There should be no PVID assigned, which basically tells the router to untag the traffic leaving the port and tag the traffic entering the port with this vlan.
Not relevant between two smart devices carrying many vlans for distribution, at least at one side. Whenever the tagged traffic goes to a dumb device that cannot read vlans, such as a PC, dumb switch, dumb AP etc, that is an access port...

For example I look at this...........note the slight modification I made...
Most of your ports are access ports leading to dumb devices. Everything seems correct!
Bridge ports 2-5 are part of the vlan10 subnet and Bridge port 6 is part of the vlan20 subnet.

/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10 {access port}
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10 {access port}
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10 {access port}
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10 {access port}
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=20 {access port}
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=combo1 {trunk port}

Hybrid ports tend to be rare, but one can only have one untagged vlan at any port regardless of type ( can only strip or add back in one vlan) and the rest are one or more tagged vlans that flow through like a trunk port.
The key is that both devices at either side are capable of dealing with hybrid ports.

Where you didn't manage to follow the linked document is the /bridge vlan settings. Think of these as detailing each VLAN separately.
1. In general, the bridge should be tagged along with any ports requiring tagging for all vlans.

2. Each line shall accurately depict what traffic is flowing at each port for that VLAN.

3. Ports that require untagging NEED NOT BE entered for a vlan but the bridge still needs to be tagged.
The reason is that with PVID set on the bridge port, the router at traffic flow time will automatically add the untagged port to the config (dynamically).
HOWEVER, I prefer and recommend that folks manually put in the untaggings so that they can cross-check the config against /interface bridge ports to make sure everything makes sense visually.

4. In your case below, it may seem right, but what you have missed is the bridge tagging. I would also manually insert the untaggings.

From:
/interface bridge vlan
add bridge=bridge1 tagged=combo1 vlan-ids=10
add bridge=bridge1 tagged=combo1 vlan-ids=20


TO:
/interface bridge vlan
add bridge=bridge1 tagged=bridge,combo1 untagged=ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge1 tagged=bridge,combo1 untagged=ether6 vlan-ids=20
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: Bridge VLAN Filtering

Sat Jan 20, 2024 8:24 pm

Thank you mkx/anav.

Duly noted. I truly appreciate both of your inputs on all of this and have manually added those interfaces as suggested.

1) Additionally, is it best practice to add the default native vlan1 versus allowing this to configure itself dynamically?

EX: add bridge=bridge1 untagged=bridge1 vlan-ids=1

2) The trunk established at the router by default sends native vlan1 untagged, followed by the addition of vlan10 tagged, vlan20 tagged. I opted to transition my primary block (default vlan1) over to a newly configured network supporting vlan10 (to do away with untagged default vlan1).
"Hybrid ports tend to be rare, but one can only have one untagged vlan at any port regardless of type ( can only strip or add back in one vlan) and the rest are one or more tagged vlans that flow through like a trunk port.
The key is that both devices at either side are capable of dealing with hybrid ports."
As for the trunk, I've opted to configure another spare Tik similarly to handle a secondary dedicated trunk directly from the Router, versus attempting to pass-through, which does not seem feasible via the conventional bridging method. If I may ask, what makes this any different than, let's say, plugging in an AP capable of accessing these vlans? For example, if I were to plug an AP into ETH1 with the current configuration below, I presume leaving the default values on that port would pass along all vlans through that port on to what is plugged into the interface (in this case the AP), where the AP can be assigned either or both networks relative to their respective VLANs (network 1 vlan10, network 2 vlan20).

Would this need to be explicitly called out below?

/interface bridge
add name=bridge1 vlan-filtering=yes
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10 {access port}
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10 {access port}
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10 {access port}
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10 {access port}
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=20 {access port}
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=combo1 {trunk port}
add bridge=bridge1 interface=ether1 {hybrid port? uplink to AP accessing both VLAN10/20}
/interface bridge vlan
add bridge=bridge1 tagged=combo1 untagged=ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge1 tagged=combo1 untagged=ether6 vlan-ids=20
add bridge=bridge1 untagged=bridge1 vlan-ids=1
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering

Sat Jan 20, 2024 8:42 pm

Hi there,
No you do not need to make any configuration for vlan1, the router handles that transparently and dynamically in the background.
The admin focus should be on the data vlans! :-)
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering

Sat Jan 20, 2024 8:48 pm

Hi there,
No you do not need to make any configuration for vlan1, the router handles that transparently and dynamically in the background.
The admin focus should be on the data vlans! :-)

Thus I have no clue why you would wish to use or pass VLAN1 carrying data to any device???
For example I connect via trunk port my main router to ( and no need for vlan1 identification etc...)
a. another hex router set up as a switch
b. another MT router Natted.
c. two TP smart APs
d. Netgear and TP link managed switches
+++++++++++++++++++++++++++++++++
Access ports to
e. dumb switches
f. dumb access points
g. computers
h. media players

++++++++++++++++++++++++++++++++++++

The mistake you're making is starting off with attempting to use a subnet that has not been identified as a vlan.
Make all subnets into vlans, and it's quick and easy.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering

Sat Jan 20, 2024 9:03 pm

Now let's say on ether5 for example you have a legitimate requirement to pass a hybrid vlan (be it a voip device or a unifi vlan with controller and APs etc..)
Then it's simple.
FROM smart device to hybrid device, create a hybrid port at both ends.

ON MT
/interface bridge port ---> PVID the SINGLE vlan that needs to arrive at the unifi controller without tags, (what it uses for admin purposes as default and NOT vlan1 but the vlan you pick to untag)
/interface bridge vlan ---> the rest of the tagged vlans that need to go through this port one or more etc... most likely your wifi vlans, home, guest, iot etc.......

/interface bridge port
add bridge=br1 interface=ether5 pvid=xx

/interface bridge vlan
add bridge=br1 tagged=br1,etherX,etherY untagged=ether5,ether8 vlan-ids=xx

add bridge=br1 tagged=br1,etherX,ether5 vlan-ids=xy
add bridge=br1 tagged=br1,etherX,etherY vlan-ids=zz
add bridge=br1 tagged=br1,ether5 vlan-ids=ab

Where for example etherX and etherY are smart switches which need the trusted or management vlan xx (where they get their IP address), and ether5 goes to the unifi controller and thus it gets its IP address from this vlan as well from the untagged traffic, and ether8 is an admin PC, which is on the trusted subnet as well and gets vlan traffic untagged when it leaves the MT port and tagged when incoming on the port. A work vlan xy needs to go to the switch at etherX and to ether5 to reach the smart AP for work wifi.
Another network zz, needs to go to switches at etherX and etherY
Finally, a guest vlan only needs to go through ether5 to the smart APs.
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: Bridge VLAN Filtering

Sat Jan 20, 2024 9:11 pm

Anav, (Did not see your latest response, this is not a reply to the most recent update, Reading as we speak)

Apologies if I caused any confusion here.

Router:
VLAN1 Supports Network 1 172.20.30.1/25 (No longer utilizing this network, but is enabled by default for maintaining mgmt access to the router)
VLAN10 Supports Network 2 172.20.40.1/25 (all devices)
VLAN20 Supports Network 3 172.20.50.1/25 (other devices)

ETH1's configuration as it pertains to a (Smart AP) that would require access to both VLANS 10/20, If I am following, am I to assume the adjustments below to allow for this?

/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=20
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=combo1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=combo1 untagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=10
add bridge=bridge1 tagged=combo1 untagged=ether1,ether6 vlan-ids=20
add bridge=bridge1 untagged=bridge1 vlan-ids=1
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN Filtering

Sat Jan 20, 2024 10:17 pm

Get rid of the idea of using vlan1 for a vlan, turn it into vlan11 for example, and carry on.
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: Bridge VLAN Filtering

Thu Feb 15, 2024 6:03 pm

Get rid of the idea of using vlan1 for a vlan, turn it into vlan11 for example, and carry on.
Thank you anav, and apologies for the delayed response. I am sure as you can imagine, life gets in the way at times. Since our last discussion, I was able to play around with the configs as instructed and yielded great results.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Bridge VLAN Filtering

Fri Feb 16, 2024 12:09 am

Please post your latest complete config and I will be happy to review.
Reading through the posts again, you should not need to use another device (bypass this acting switch) to pass vlans to another switch!!
It's trunk in (all vlans); the rest of the ports are either trunk out to a smart device, or access port out to dumb devices.
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: Bridge VLAN Filtering

Sun Feb 18, 2024 1:51 am

Please post your latest complete config and I will be happy to review.
Reading through the posts again, you should not need to use another device (bypass this acting switch) to pass vlans to another switch!!
It's trunk in (all vlans); the rest of the ports are either trunk out to a smart device, or access port out to dumb devices.
Mesquite,

Thank you! I'd very much appreciate your input.

Please note the following:

Combo1 - Vlan Trunk - Uplink to RTR Interface.

Ether 1 - UAP1 - Supports a single Ubiquiti AP (requires access to all vlans 10,20,99)
Ether 6 - SWR1 - Supports a terminal L3 switch (requires access to all vlans 10,20,99)

All other interfaces are strictly vlan 10 supported access/dummy ports.

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] name="combo1 - Vlan TRNK"
set [ find default-name=ether1 ] name="ether1 - UAP1"
set [ find default-name=ether6 ] name="ether6 - SWR1"
/interface vlan
add interface=bridge1 name=BASE_VLAN vlan-id=99
/interface list
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge1 interface="ether6 - SWR1" pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="combo1 - Vlan TRNK"
add bridge=bridge1 interface="ether1 - UAP1" pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" untagged=ether2,ether3,ether4,ether5,ether7 vlan-ids=10
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=20
add bridge=bridge1 tagged="bridge1,combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=99
/interface list member
add interface=BASE_VLAN list=BASE
/ip address
add address=172.20.60.2/28 interface=BASE_VLAN network=172.20.60.0
/ip cloud
set update-time=no
/ip cloud advanced
set use-local-address=yes
/ip dns
set servers=172.20.60.1
/ip route
add distance=1 gateway=172.20.60.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=CCR-SW101
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Bridge VLAN Filtering

Sun Feb 18, 2024 5:33 am

Trunk ports do not require pvid so at first blush I would do this............
From this:
add bridge=bridge1 interface="ether6 - SWR1" pvid=10
add bridge=bridge1 interface="ether1 - UAP1" pvid=10


TO:
add bridge=bridge1 interface="ether6 - SWR1" ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface="ether1 - UAP1" ingress-filtering=yes frame-types=admit-only-vlan-tagged


However if the Unifi is expecting the management traffic to come in UNTAGGED (the subnet the UAP1 gets its IP address from, as does the SWITCH), then at least ether1 "UAP1" but not the switch is actually correct as a HYBRID PORT, but not for vlan10 !!!!

add bridge=bridge1 interface="ether1 - UAP1" pvid=99

Similarly looking at /interface bridge vlan settings, you have the UAP port tagged for every VLANID, which is contrary to you setting pvid10.
We have established 10 is wrong anyway it should be 99, if it has to be a trunk port ---> UAP1 expects management subnet untagged.

from this:
/interface bridge vlan
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" untagged=ether2,ether3,ether4,ether5,ether7 vlan-ids=10
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=20
add bridge=bridge1 tagged="bridge1,combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=99


TO TWO POSSIBLE CASES:
UAP is set up like any other normal smart device and gets all vlans to it tagged. (and yours is correctly set up for this as is)
/interface bridge vlan
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" untagged=ether2,ether3,ether4,ether5,ether7 vlan-ids=10
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=20
add bridge=bridge1 tagged="bridge1,combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=99


UAP expects management subnet to come in untagged.
/interface bridge vlan
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" untagged=ether2,ether3,ether4,ether5,ether7 vlan-ids=10
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=20
add bridge=bridge1 tagged="bridge1,combo1 - Vlan TRNK,ether6 - SWR1" untagged="ether1 - UAP1" vlan-ids=99


While reviewing these I also saw another error, a problem I see often when people use quotes for names of ports.......... RUN ON PORTS
You cannot use a single set of quotes around two or even three entries. Each one is SEPARATE

"combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1"

Should be
"combo1 - Vlan TRNK","ether1 - UAP1","ether6 - SWR1"

+++++++++++++++++++++++++++++++++++++++

In summary /Interface Bridge Ports and /Interface Bridge Vlans have to match up, in terms of whether you need trunk ports, access ports and any hybrid ports.
When an MT is acting not as a router but as a switch or AP/switch, only the management vlan needs to be tagged on the bridge (as you have done).
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: Bridge VLAN Filtering

Sun Feb 18, 2024 9:45 pm

Mesquite,

Duly noted. I've updated the configuration and can confirm that we are still operational with both the UAP and SWR PVID at 99 with frame type set to VLAN-Tagged-Only.

As for the quotations, I cannot speak for why mikrotik exports the interface labeling this way, but I can confirm that my interfaces have no quotations whatsoever.

/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="ether6 - SWR1" pvid=99
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="combo1 - Vlan TRNK"
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="ether1 - UAP1" pvid=99
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" untagged=ether2,ether3,ether4,ether5,ether7 vlan-ids=10
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=20
add bridge=bridge1 tagged="bridge1,combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=99
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Bridge VLAN Filtering

Sun Feb 18, 2024 10:45 pm

Hi there, if it's adding quotes it's because you are not, and in the case of bridge vlan interfaces who knows what the result is ????
YOU CANNOT put in interface names with spaces !! If you want to, you have to put quotes around the name.
So either
a. create interface names without any spaces
OR
b. create interface names with spaces and quote symbols!

My-interface-name
OR
"My interface name"
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Bridge VLAN Filtering

Sun Feb 18, 2024 10:50 pm

This is a contradictory statement.
Duly noted. I've updated the configuration and can confirm that we are still operational with both the UAP and SWR PVID at 99 with frame type set to VLAN-Tagged-Only.

/interface bridge ports:
a. Either the bridge ports are identified as TRUNK PORTS ( vlan-tags only) and NO pvid
OR
b. the bridge port is identified as an ACCESS port (vlan tags priority and untagged ) and WITH pvid
OR
c. the bridge port is identified as a HYBRID port ( accept all ) and WITH pvid.

/interface bridge vlans
a. any ports associated with trunk in bridge ports are Tagged in these rules for the given vlanID
b. any ports associated with access in bridge ports are UNTagged in these rules for the given vlanID
c. any ports associated with Hybrid in bridge ports are UNtagged for the the given vlanID and any other vlans are tagged for this port.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Bridge VLAN Filtering

Sun Feb 18, 2024 10:55 pm

To be clear, I would never use these rules, IF the intent is to have TRUNK ports, you are not, you are actually ATTEMPTING to set up hybrid ports.
IF its a unifi switch and unifi AP, they very well may be setup to accept the management vlan untagged ( which is their default setting ) in which case your setup is STILL not quite correct.
I would burn unifi equipment before using it for this reason alone. :-) Plus I can't afford their products!

add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="ether6 - SWR1" pvid=99
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="ether1 - UAP1" pvid=99

Here is the contradiction: you are stating the port is only carrying tagged vlans......... yet you also put a PVID.
SO
either it's a hybrid port and you need not limit the frame type (accept all) and keep the PVID
OR
it's a trunk port: you keep the admit only vlan tagged and remove the PVID.
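As an added example (my own Python, not from the thread or from MikroTik), a checker that applies the rules Mesquite and anav spell out above to an export: it parses the /interface bridge port and /interface bridge vlan sections and reports trunk ports that also carry a pvid, access ports listed as tagged, pvid values that disagree with the untagged entries, missing explicit untagged entries, and a bridge that is tagged for no management VLAN. The sample export is constructed from the contradictory config posted in the thread; the `check_export` function and the wording of the findings are mine.

```python
# Added example: cross-check /interface bridge port against /interface bridge vlan
# in a RouterOS export. Not from the thread or MikroTik; rules follow the posts above.
import re

# key=value tokens; a double-quoted value may contain spaces and commas
_KV = re.compile(r'([\w-]+)=("([^"]*)"|\S+)')
PORT_SECTION, VLAN_SECTION = "/interface bridge port", "/interface bridge vlan"


def _vlan_ids(spec):
    """Expand '10', '10,20' or '30-32' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_export(text):
    """Return (ports, vlans) from the two bridge sections; all other sections are skipped."""
    ports, vlans, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section in (PORT_SECTION, VLAN_SECTION):
            attrs = {k: (q if v.startswith('"') else v) for k, v, q in _KV.findall(line[4:])}
            if section == PORT_SECTION:
                ports[attrs["interface"]] = {
                    "frame-types": attrs.get("frame-types", "admit-all"),  # RouterOS default
                    "pvid": int(attrs["pvid"]) if "pvid" in attrs else None}  # None = left at default
            else:
                vlans.append({
                    "bridge": attrs.get("bridge"),
                    "vlan-ids": _vlan_ids(attrs["vlan-ids"]),
                    "tagged": set(filter(None, attrs.get("tagged", "").split(","))),
                    "untagged": set(filter(None, attrs.get("untagged", "").split(",")))})
    return ports, vlans


def port_role(port):
    """trunk = tagged-only, no pvid; access = untagged-only + pvid; hybrid = admit-all + pvid."""
    if port["frame-types"] == "admit-only-vlan-tagged":
        return "trunk" if port["pvid"] is None else "contradiction"
    if port["frame-types"] == "admit-only-untagged-and-priority-tagged":
        return "access"
    return "hybrid"


def check_export(text):
    """Return a list of findings; an empty list means the two tables agree."""
    ports, vlans = parse_export(text)
    findings, roles = [], {name: port_role(p) for name, p in ports.items()}
    for name, p in ports.items():
        if roles[name] == "contradiction":
            findings.append(f"{name}: admit-only-vlan-tagged together with pvid={p['pvid']}; "
                            "drop the pvid for a trunk port or use admit-all for a hybrid port")
        elif roles[name] != "trunk" and p["pvid"] is None:
            findings.append(f"{name}: {roles[name]} port without an explicit pvid falls back to VLAN 1")
    untagged_for = {}  # port -> VLAN ids it is explicitly untagged for
    for v in vlans:
        for vid in v["vlan-ids"]:
            if vid == 1:
                findings.append("VLAN 1: no explicit entry is needed; RouterOS handles it dynamically")
            for name in v["tagged"] - {v["bridge"]}:
                if name not in ports or roles[name] == "access":
                    findings.append(f"VLAN {vid}: {name} is listed as tagged but is not a trunk or hybrid port")
                elif ports[name]["pvid"] == vid:
                    findings.append(f"VLAN {vid}: {name} has pvid {vid} yet is listed as tagged, not untagged")
            for name in v["untagged"] - {v["bridge"]}:
                if name not in ports or ports[name]["pvid"] != vid:
                    findings.append(f"VLAN {vid}: {name} is untagged here but is not a bridge port with pvid {vid}")
                else:
                    untagged_for.setdefault(name, set()).add(vid)
    for name, p in ports.items():
        if p["pvid"] is not None and p["pvid"] not in untagged_for.get(name, set()):
            findings.append(f"{name}: pvid {p['pvid']} has no untagged entry in /interface bridge vlan "
                            "(RouterOS adds one dynamically; declare it so the two tables can be compared)")
    if not any(v["bridge"] in v["tagged"] for v in vlans):
        findings.append("no VLAN tags the bridge itself, so the switch has no management VLAN for its own IP")
    return findings


# Constructed sample, trimmed from the export in the thread: tagged-only uplinks that also carry pvid=99.
CONTRADICTORY_EXPORT = """
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="ether6 - SWR1" pvid=99
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="combo1 - Vlan TRNK"
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface="ether1 - UAP1" pvid=99
/interface bridge vlan
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged="combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=20
add bridge=bridge1 tagged="bridge1,combo1 - Vlan TRNK,ether1 - UAP1,ether6 - SWR1" vlan-ids=99
"""
# Same switch with the uplinks as clean trunk ports (pvid removed), as recommended in the thread.
TRUNK_EXPORT = CONTRADICTORY_EXPORT.replace(" pvid=99", "")
```

Running `check_export(CONTRADICTORY_EXPORT)` yields six findings (the two pvid-on-trunk contradictions, the two ports tagged for their own pvid VLAN, and the two missing untagged entries), while `check_export(TRUNK_EXPORT)` returns an empty list.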
 
78151920
just joined
Topic Author
Posts: 15
Joined: Tue Nov 16, 2021 12:17 am

Re: Bridge VLAN Filtering

Mon Feb 19, 2024 12:47 am

Apologies for my ignorance, but now I am confused. My understanding is that the UAP is expecting everything other than (default vlan 1 untagged) as tagged. In this case vlans 10,20,99 would be expected as tagged.

When a UAP first initiates, it assigns pvid1 by default and this cannot be changed. Once all vlans (10,20,99) have been added and configured, you then have an option per each AP to enable what is called "network override." This allows you to dictate the management vlan (in my case, 99).

According to UI,
"By default, a UniFi device’s Management Network will be assigned according to the Native VLAN configured on the switch port it is connected to. To change a device's Management Network, follow these steps:

1) Determine what network (VLAN) you would like to assign as the device's Management Network.

- Ensure that the desired VLAN is tagged on all relevant switch ports between the UniFi device and your network’s gateway.

Note: Do not assign this VLAN as the Native VLAN for the switch port the UniFi device is directly connected to. This will break connectivity."

Additionally, the smart switch connected to Ether6 assumes pvid1 untagged by default, but its management can be decided (in my case vlan 99) just as the UAP.

With all that said, and assuming I am understanding this all correctly, I presume I would be requiring hybrid ports, unless you think otherwise. I have attached two approaches below.

Admit all, with PVID set to default 1, while tagging all other vlans (10,20,99) for both Ether1, Ether6.

/interface bridge port
add bridge=bridge1 interface=ether6-SWR1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=combo1-Vlan-TRNK
add bridge=bridge1 interface=ether1-UAP1

/interface bridge vlan
add bridge=bridge1 tagged=combo1-Vlan-TRNK,ether1-UAP1,ether6-SWR1 untagged=ether2,ether3,ether4,ether5,ether7 vlan-ids=10
add bridge=bridge1 tagged=combo1-Vlan-TRNK,ether1-UAP1,ether6-SWR1 vlan-ids=20
add bridge=bridge1 tagged=bridge1,combo1-Vlan-TRNK,ether1-UAP1,ether6-SWR1 vlan-ids=99

OR

Admit only vlan tagged, with PVID set to default 1, while tagging all other vlans (10,20,99) for both Ether1, Ether6.

/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether6-SWR1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=combo1-Vlan-TRNK
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1-UAP1

/interface bridge vlan
add bridge=bridge1 tagged=combo1-Vlan-TRNK,ether1-UAP1,ether6-SWR1 untagged=ether2,ether3,ether4,ether5,ether7 vlan-ids=10
add bridge=bridge1 tagged=combo1-Vlan-TRNK,ether1-UAP1,ether6-SWR1 vlan-ids=20
add bridge=bridge1 tagged=bridge1,combo1-Vlan-TRNK,ether1-UAP1,ether6-SWR1 vlan-ids=99


Please do correct me if I am wrong.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Bridge VLAN Filtering

Mon Feb 19, 2024 4:04 am

It's up to you to figure out how the UNIFI can work or the managed switch you have.
All I know is that, at least for the Mikrotik device:

/interface bridge port
An access port or hybrid port requires the PVID of the single subnet (vlan) traversing the port and leaving the port untagged, and return traffic entering the port is then tagged with that vlan.
A trunk port has NO PVID set, as the traffic flows both ways in and out of the port as tagged traffic to that vlan.
The hybrid port also has vlans traversing the port tagged in both directions....

Both examples, above, are almost identical, the only difference between them is on the second example you are more restrictive in frame types. Both will work assuming no hybrid ports and both unifi and switch properly accept management vlan coming in as tagged.
