I try to set up a network as follows:
There is a TP-Link AP with two vlan ssid-s. The AP talks to my Mikrotik RB2011UiAS-2HnD-IN router port ether5 (one of the GB ports on 8327 chip). The port is attached to the main bridge “bridge”. There are 3 VLAN type interfaces defined, all using bridge as their interface (VLAN 32, 64, 96). There are four DHCP servers (with all address, pool, etc. defined correctly). One is connected to the bridge (88) and the others one-by-one to the three VLAN-s (32, 64, 96).
The bridge has VLAN IDs set to 1-4094 set. The switch (switch1) also has VLAN IDs all set one-by-one to 32, 64, 96 to be included in port5.

Now the two ssid tagged traffic (64, 96) goes through normally from the EndDevice-AP-ether5-bridge-vlan64/96 and gets IP from 64/96. The problem is with the AP management traffic (the APs own IP request). I think it is coming in as untagged (asked on a TP-Link forum but got no answer yet), so normally it goes AP-ether5-bridge and gets IP from the DHCP server attached to the bridge (88). What I would like to convert the untagged traffic of the AP into a tagged VLAN traffic with VLAN ID 32 and hence go something like AP-ether5-bridge-VALN32. I tried many different settings with no success.

I tried to configure the port in the switch to VLAN mode disabled (actually tried other options too), Add if missing, Default VLAN 32. I would assume this should do what I want, i.e. to add the VLAN 32 tag to any untagged traffic, but it has no effect at all.
I also tried to set the bridge to VLAN filtering true (with default settings) and in ether5 port assignment to the bridge set PVID 32. It also seems to be what I want, but instead of changing the AP’s untagged traffic to 32, it even changed the tagged traffic of the ssid-s to untagged (I guess), so even the end device gets IP from the DHCP server 88 (the one attached to the bridge directly).

Can someone help, what do I do wrong and how to do it right?

Thanks,

/export hide-sensitive file=anynameyouwish

Thanks in advance if you look at it.

I tried many ways. This is the current set-up with both the switch port add-if-missing logic and trying to do it on the bridge level. My problem is on Port ether5 where the AP is connected to. I also use port 2 and 3 in this bridge. Other ports are used outside the bridge (and deleted from the config).

apr/14/2021 14:47:09 by RouterOS 6.47.4

software id = E0K7-FZPC

model = RB2011UiAS-2HnD

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan32backbone vlan-id=32
add interface=bridge name=vlan64private vlan-id=64
add interface=bridge name=vlan96guest vlan-id=96
/interface ethernet switch port
set 1 vlan-header=always-strip
set 2 default-vlan-id=64
set 3 default-vlan-id=96 vlan-header=add-if-missing
set 5 default-vlan-id=32 vlan-header=add-if-missing
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment="The pool for the Private VLAN"
name=pool64 ranges=192.168.64.240-192.168.64.254
add comment="The pool for the guest WiFi" name=pool96 ranges=
192.168.96.100-192.168.96.200
add comment="The pool for the backbone"
name=pool32 ranges=192.168.32.48-192.168.32.240
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=pool64 disabled=no interface=vlan64private name=dhcpPrivate
add address-pool=pool96 disabled=no interface=vlan96guest name=dhcpGuest
add address-pool=pool32 disabled=no interface=vlan32backbone name=
dhcpBackbone
/interface bridge port
add bridge=bridge interface=ether2 pvid=64
add bridge=bridge interface=ether3 pvid=96
add bridge=bridge interface=ether5 pvid=32
add bridge=bridge interface=vlan32backbone pvid=32
add bridge=bridge interface=vlan64private pvid=64
add bridge=bridge interface=vlan96guest pvid=96
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether5 untagged=vlan96guest vlan-ids=96
add bridge=bridge tagged=ether5 untagged=ether2,ether3,vlan64private
vlan-ids=64
add bridge=bridge untagged=vlan32backbone,ether5 vlan-ids=32
/interface ethernet switch vlan
add independent-learning=no ports=ether3,ether5,switch1-cpu switch=switch1
vlan-id=32
add independent-learning=no ports=ether2,ether3,ether5,switch1-cpu switch=
switch1 vlan-id=64
add independent-learning=no ports=ether3,ether5,switch1-cpu switch=switch1
vlan-id=96
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=vlan96guest list=LAN
add interface=vlan64private list=LAN
add interface=vlan32backbone list=LAN
/ip address
add address=192.168.88.1/24 comment=
"This is temporarily the default, to be deleted later" interface=bridge
network=192.168.88.0
add address=192.168.64.1/24 comment="The VLAN network for the family"
interface=vlan64private network=192.168.64.0
add address=192.168.96.1/24 comment="The VLAN network for guests" interface=
vlan96guest network=192.168.96.0
add address=192.168.32.1/24 comment=
"The VLAN network for the routing devices" interface=vlan32backbone
network=192.168.32.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.32.0/24 gateway=192.168.32.1
add address=192.168.64.0/24 gateway=192.168.64.1
add address=192.168.88.0/24 gateway=192.168.88.1
add address=192.168.96.0/24 gateway=192.168.96.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/lcd
set time-interval=weekly
/system clock
set time-zone-name=Europe/Budapest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

One more comment: When I downloaded the config, VLAN filtering was off (I am trying every combination, I can think of). It is the same when add name=bridge vlan-filtering=yes.

It should be, I dont work with vlan switch configuration so someone else will have to chime in.

You can deal with VLANs either using bridge vlan-filtering or using switch chip, not both. As long as you have vlan-filtering set to no, bridge setup does not do any harm.

However this part does does harm regardless of the way you’ll configure VLANs:

/interface bridge port
add bridge=bridge interface=vlan32backbone pvid=32
add bridge=bridge interface=vlan64private pvid=64
add bridge=bridge interface=vlan96guest pvid=96

Get rid of it. Never ever add VLAN interface, created off bridge (/interface vlan add interface=bridge …) back to same bridge, you’re creating kind of a shortcut.

And get rid of the rest of VLAN related config under /interface bridge if you’re going switch-chip way. Keep the /interface vlan stuff, it’s needed either way.


BTW: verify that these are set as needed.

/interface ethernet switch port
set 1 vlan-header=always-strip
set 2 default-vlan-id=64
set 3 default-vlan-id=96 vlan-header=add-if-missing
set 5 default-vlan-id=32 vlan-header=add-if-missing

AFAIK index 1 refers to ether2, … index 3 refers to ether4 and index 5 refers to switch1-cpu … check by running /interface ethernet switch port print. Also beware that AR8327 and QCA8337 largely ignore vlan-header setting and, if default-vlan-id is set, always untag frames for that VLAN on egress.

Dear mkx,

Thanks. I tried two things.

First the switch version. The relevant config parts:

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan32backbone vlan-id=32
add interface=bridge name=vlan64private vlan-id=64
add interface=bridge name=vlan96guest vlan-id=96
/interface ethernet switch port
set 1 vlan-header=always-strip
set 2 default-vlan-id=64
set 3 default-vlan-id=96
set 5 default-vlan-id=32 vlan-header=add-if-missing
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=pool96 disabled=no interface=vlan96guest name=dhcpGuest
add address-pool=pool32 disabled=no interface=vlan32backbone name=
dhcpBackbone
/interface bridge port
add bridge=bridge interface=ether2 pvid=64
add bridge=bridge interface=ether3 pvid=96
add bridge=bridge interface=ether5 pvid=32
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge disabled=yes tagged=ether5 untagged=vlan96guest vlan-ids=96
add bridge=bridge disabled=yes tagged=ether5 untagged=
ether2,ether3,vlan64private vlan-ids=64
add bridge=bridge disabled=yes untagged=vlan32backbone,ether5 vlan-ids=32
/interface ethernet switch vlan
add independent-learning=no ports=ether3,ether5,switch1-cpu switch=switch1
vlan-id=32
add independent-learning=no ports=ether2,ether3,ether5,switch1-cpu switch=
switch1 vlan-id=64
add independent-learning=no ports=ether3,ether5,switch1-cpu switch=switch1
vlan-id=96

As you see the bridge has no vlan filtering switched on, interface vlan kept as earlier, ether5 switch adds missing tag 32, interface bridge port has the three vlan related items removed and also the interface bridge lan items are disabled. So this should be the switch version. The only point you mention I did not understood was: " if default-vlan-id is set, always untag frames for that VLAN on egress." Where shall I set that vlan32 to port ether5 is stripped? I thought that can be set under interface bridge vlan, but that is disabled in this set-up.
The result is that the AP still gets its IP from the default pool (i.e. from the dhcp server attached to the bridge) and not from the vlan32 pool. What is even worse is that my mobile connected to the ssid96, gets an IP from the dhcp96 but only for 30 seconds (sort of temporary, not the normal 10 minutes). On the mobile I see an IP configuration error and the device cannot connect properly.

The other version is the bridge:

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge pvid=
32 vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan32backbone vlan-id=32
add interface=bridge name=vlan64private vlan-id=64
add interface=bridge name=vlan96guest vlan-id=96
/interface ethernet switch port
set 1 vlan-header=always-strip
set 2 default-vlan-id=64
set 3 default-vlan-id=96
set 5 default-vlan-id=32
/interface bridge port
add bridge=bridge interface=ether2 pvid=64
add bridge=bridge interface=ether3 pvid=96
add bridge=bridge interface=ether5 pvid=32
/interface bridge vlan
add bridge=bridge tagged=ether5 untagged=vlan96guest vlan-ids=96
add bridge=bridge tagged=ether5 untagged=ether2,ether3,vlan64private
vlan-ids=64
add bridge=bridge untagged=vlan32backbone,ether5 vlan-ids=32
/interface ethernet switch vlan
add independent-learning=no ports=ether3,ether5,switch1-cpu switch=switch1
vlan-id=32
add independent-learning=no ports=ether2,ether3,ether5,switch1-cpu switch=
switch1 vlan-id=64
add independent-learning=no ports=ether3,ether5,switch1-cpu switch=switch1
vlan-id=96

As you see, bridge vlan fitering is on, switch add-if-missing is not set. Now the result is even worse, the mobile is stuck at Obtaining IP address, but on the dhcp server I never see it getting an address at all.

The only configuration that works is when the switch leave-as-is (i.e. do nothing) and bridge vlan filtering is off. Then the two vlans do what they should, only the AP management does not go to the respective vlan (not surprising as noone sets it).

Regarding your last question (internet ethernet switch port) I am only concern re ether5 for the time being. The rest I think is OK, but before testing it, I want to fix ether 5.

If you are going to attempt the bridge vlan filtering method,
please use this reference. Every time I see the words “switch chip”, I want to barf!

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

The switch chip version: did you verify the section I emphasized? The switch1-cpu port should be all tagged, but (if I’m right) it’s set with default-vlan-id=32 meaning it will untag frames belonging to VLAN 32 when handing them over to CPU (bridge) and thus vlan interface vlan32backbone doesn’t see any of them.

I suggest you to read the tutorial @anav linked, it’ll help you understand things a bit better. Which will help you if you decide to go the switch chip way.

Thanks for your replies.

@anav: I came across this thread from almost every direction I tried to approach the vlan problem, so I read it multiple times. I think I understand the first part (sort-of tutorial) and found it a great resource. The second part sometimes confuses me (individual problems, contradicting opinions) so it can easily be that I still miss the obvious hidden in there.

@mkx: I checked the switch chip story. My numbering is different (0 is the sfp1, 5 is ether5 and switch1-cpu is 11), and the latter was set to disabled, leave-as-is.

But anyway, I came to the conclusion that my set-up was too complex for debugging. I decided to go for the vlan filtering option and drop the switch chip for the time being. So now I made a HW factory reset and a bare minimum config. Made ether3 the only port for the bridge, set its pvid to 33. Made one vlan (vlan33) with its interface to the bridge and a new dhcp server to work on vlan33 (and the necessary address, network). On "interface bridge lan" I made vlan33 as an untagged element, but did not add ether3 explicitly since as I noticed the system does it automatically, based on the bridge port value. Instead of using my hybrid trunk AP, I simply attached a PC to ether3 (on the AP the tagged traffic seemed to work, the problem was always with the untagged).

What I expected is that the PC communicates untagged, the pvid of ether3 adds a tag 33 and it gets into the bridge, the bridge sends to vlan33 (as untagged) and it gets an IP there, sends back to the bridge (with a tag) and from the bridge (again removing the tag based on the fact that ether3 is on the list of Current untagged) to ether3 and onto the PC. From this list I see everything explicitly set, except when vlan33 sends back an untagged packet who adds back the tag 33. I hope it is done because vlan33 is a vlan, so it should know, but it is not as explicit as on ether3 the PVID.

What I see in real life: under "bridge hosts" there is a dummy MAC (the bridge's MAC I guess) is on VID 33 and an empty VID (untagged I guess) and the real MAC of the PC is on VID 33 (i.e. it gets the 33 tag from ether3 ingress). I do not see vlan33 as a host (maybe I should not even do). I also see on the "interfaces interface" list that ether3 has many times data of about 400-500 bytes (guess the DHCP requests). Still the PC does not get an IP. I also checked the firewall stats and see nothing special (well, I am not sure what I should see anyway).

What I also tried is to change the bridge's PVID to a different number (111), but the only difference is that under "bridge hosts" the dummy MAC of the bridge is 3 times, under VID empty, 33 and also 111

Could you have a look at this minimal configuration and help me with some ideas what is wrong. That would probably solve the original problem as well.

Thanks again,

apr/15/2021 11:46:52 by RouterOS 6.47.4

software id = E0K7-FZPC

model = RB2011UiAS-2HnD

/interface bridge
add name=bridge pvid=33 vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan33 vlan-id=33
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool33 ranges=192.168.33.2-192.168.33.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool33 disabled=no interface=vlan33 name=dhcp33
/interface bridge port
add bridge=bridge interface=ether3 pvid=33
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=vlan33 vlan-ids=33
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=ether1 list=LAN
add interface=vlan33 list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.33.1/24 interface=vlan33 network=192.168.33.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.33.0/24 gateway=192.168.33.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN

No PVID! Interface bridge should be tagged for VLAN 33.


The next one is completely wrong:

should be like this:

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=33

(untagged setting is optional).

(1) Keep Bridge vlan to the default of pvid=1 (not 33)

(2) Create a second vlan for the other network (and dont give the bridge any duties other than bridge (not dhcp for example).

(3) This line means nothing and does nothing and has nothing to do with the reference ???
/interface bridge vlan
add bridge=bridge untagged=vlan33 vlan-ids=33

(4) This makes no sense to me.
add interface=ether1 list=WAN
add interface=ether1 list=LAN

(5) Add the DNs servers to this part (same as gateway entry)

Since there is no diagram its hard to understand what is going on or desired with any certainty.
So I will assume that you dont really need a separate management interface and that you will simply be the admin on the home LAN and the homelan will also be the managment interface.
Here is an example of 3 vlans, 88 32,64,. (88 is the mngmt and homeLAN)

/interface bridge
add name=bridge pvid=1 vlan-filtering=yes
/interface vlan
add interface=bridge name=Homevlan vlan-id=88
add interface=bridge name=Guests32 vlan-id=32
add interface=bridge name=Devices64 vlan-id=64
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/ip pool
add name=home_pool ranges=192.168.88.2-192.168.88.254
add name=guest_pool ranges=192.168.32.2-192.168.32.254
add name=devices_pool ranges=192.168.64.10-192.168.64.254
/ip dhcp-server
add address-pool=home_pool disabled=no interface=Homevlan name=server-home
add address-pool=guest_pool disabled=no interface=Guests32 name=server-guest
add address-pool=devices_pool disabled=no interface=bridge name=server-devices
/ip address
add address=192.168.88.1/24 interface=Homevlan network=192.168.88.0
add address=192.168.32.1/24 interface=Guests32 network=192.168.32.0
add address=192.168.64.1/24 interface=Devices64 network=192.168.64.0
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
add address=192.168.32.0/24 gateway=192.168.32.1 dns-server=192.168.32.1
add address=192.168.64.0/24 gateway=192.168.64.1 dns-server=192.168.64.1
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=Homevlan list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

You will note there are no bridge port assignment nor bridge vlan assignment because as again there is no clarity provided.
So will assume eth1 goes to wan, eth2 goes to TP link Access point (IM assuming it handles vlan tags), eth3, goes to your PC, eth4 goes to an iot-device hub, ether5 goes to another access point that cannot read vlan tags (and is for house wifi), and ether6 goes to a managed smart switch for future smart device uses…

/interface bridge port
add bridge=bridge interface=ether2 frame-type=allow only tagged frames ingres-filtering=yes
add bridge=bridge interface=ether3 frame-type=allow only priority and utagged frames ingress-filter=yes pvid=88
add bridge=bridge interface=ether4 frame-type=allow only priority and utagged frames ingress-filter=yes pvid=64
add bridge=bridge interface=ether5 frame-type=allow only priority and utagged frames ingress-filter=yes pvid=88
add bridge=bridge interface=ether6 frame-type=allow only tagged frames ingress-filtering=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether6 untagged=ether3,ether5 vlan-ids=88
add bridge=bridge tagged=bridge,ether2,ether6 untagged=ether4 vlan-ids=64
add bridge=bridge tagged=bridge,ether2  vlan-ids=32

mkx, anav,

Thanks a million. It works.

@anav

(2) indeed that was my original plan. The default dhcp was just kept for the time being to see if a dhcp request does not reach the vlan linked dhcp server but can be served on the bridge direclty. In my final set-up I exactly want as you say it below.

(3) mkx also criticized that I added the vlan to the bridge as an untagged interface. My logic was that the vlan works as a port and its “internal traffic” is untagged, so when the bridge communicates to the vlan, the vlanID should be removed. I see that it works regardless whether I explicitly add it or not, and actually vlan33 is not even shown in the “bridge VLANs” list (“means nothing” as you also say). Is it because the vlan is a special animal that knows to remove the tag it gets, or the other way round the bridge knows that it talks to a vlan so it removes the tag OR it is that the vlan internally still carries the vlanID?

(4) It was just a quick and dirty trick so I can manage the router from the WAN port (it is actually connected to my main router - the one to be replaced eventually). The firewall would not allow it unless ether1 is part of the LAN (or I start playing with the firewall). In the final version ether1 should definitely NOT be part of the LAN.

@mkx

• As you say (and also I mentioned) in “interace bridge vlan” I intentionally did not add untagged=ether3 as I see that once the bridge port has a PVID it is automatically considered an untagged port of the given vlan in the bridge (as can be seen in “bridge VLANs” list). Are there advantages of explicitely saying it (e.g. security, flexibility, etc.) or it really does not matter? I see that anav also lists them explicitely, so it should have some benefit, but I don’t know.

@anav, @mkx.

The big thing was the tagged=bridge and you both also mention not to set pvid=33 for the bridge. I also tried 111 (not 1, as it can be default in some devices). I am still about to fully understand this strange concept to add back the bridge itself as tagged element for the vlan33 inside the same bridge. I guess it is because of the dual nature of a bridge, being a bridge and an interface at the same time. I thought it over and tested and came up with the follwoing understanding. Can you confirm if it is right:

(Option 1) We DO SET tagged=bridge for vlan33 AND set the bridge’s PVID to something else (=111).
A packet arrives to ether3 untagged, ether3 adds its PVID 33 to it and forwards it to the bridge. Since it has a VlanID and this ID (=33) egress is tagged, the bridge gives it tagged to the right interface, i.e. to vlan33 (and maybe some others) and everything works smooth. This is the intented set-up you suggested.

The three other options are confusing, and I would like to understand what happens:

(Option 2) We DO NOT SET tagged=bridge for vlan33 AND set the bridge’s PVID to the same (=33). It implicitely means that we did untagged=bridge (or we can even do it explicitely). This was what I mainly tried (and failed).
A packet arrives to ether3 untagged, ether3 adds its PVID to it and forwards it to the bridge. Now comes the problem of the dual nature of the bridge.
If it were just an interface it should simply forward (egress) the packet with the vlanID in the packet to the right VLAN (and so the PVID of the bridge should not even matter).
On the other hand if the bridge behaves primarily as a bridge, then it forwards the packet (to the bridge as an interface) already untagged, because the bridge (interface) is listed as an untagged element of the bridge (as a bridge). Even in this case I would assume the bridge (as an interface) adds back its default PVID to the packet and still send it to the right VLAN.
What happens in reality (as I found) is that the ether3 adds the vlan tag (33) but the bridge (as a combination of being a bridge and an interface) forwards the packet untagged. The untagged message is processed by the dhcp server of the bridge (if it is the dhcp request). This is how my PC (or earlier the AP) got an 88 IP and drove me crazy.

(Option 3) We DO SET tagged=bridge for vlan33 AND set the bridge’s PVID also to the same (=33).
I expected that this is very similar to Option 1. It turned out that the behaviour is unpredictable. If I set FIRST tagged=bridge and SECOND PVID=33, then in the “bridge VLANs” list “bridge” remains as Current Tagged and it works as Option 1. If I set FIRST PVID=33 (and implicitely the “bridge” goes to Current Untagged), and SECOND I try to set (force) the “bridge” into the Tagged category, it does not work, it remains Untagged. In this case it works as Option 2.

(Option 4) We DO NOT SET tagged=bridge for vlan 33 AND set the bridge’s PVID to something else (=111). In this case bridge is neither Tagged (since not set explicitely) nor Untagged (as it is untagged to 111 and can only be untagged to one vlan).
A packet arrives to ether3 untagged, ether3 adds its PVID 33 to it and forwards it to the bridge. The bridge (as an interface) is not linked to this vlan (neither tagged, nor untagged) it drops/rejects it and nothing happens. The PC keeps trying to get a dhcp but bounces back. This is what I experienced for long.

@anav,

Thanks for the detailed configs. I will use the more specific set-ups from it (like ingress filtering, etc.).

In general, Tagged is for trunk ports and Untagged is for access ports.
PVID is set on a bridge port when the link is to a dumb device that cannot read tags and therefore the router has to know what tag to assign to incoming traffic on that port and later to strip the tags off.
The default pvid of every port and bridge is 1. The only time one changes a PVID is when one needs to "touch’ a dumb device.
ex. bridge port (etherport) going to a PC
ex bridge port (wlan port) going out on wifi from that device (this only occurs on MT wifi routers or MT wifi access points as other brands do not use this method).
Any bridge port that is carrying vlan traffic to a smart device should be tagged in the bridge vlan settings.
This includes a switch ether1 receiving vlan traffic (uplink).

The bridge itself should be tagged for any vlan-id that is going to smart devices!
The bridge itself should be tagged for the manangement vlan ID even if its only coming to the device over the trunk port (uplink) and not sent out anywhere (no access ports, trunk ports or wlan ports).

The reasons can be better explained by someone who better understands MT networking.

By the way to add confusion, in bridge vlan setting one does not have to explicitly state the untagged ports as the MT device will do this automatically however, to understand a config I think its far better to be explicit and one can then quickly visually confirm the setup is as desired.

To add even more confusion, we can discuss hybrid ports.
Two examples.
UNIFI controller requires the managment vlan to come in to the device untagged and the wlan vlans as per normal tagged.
VOIP phone which are constructed in such a way to expect the VOIP traffic to come in on a VLAN, and the attached PC to get the incoming untagged traffic.

In both cases one has to stick to the standard PVID type assignement in the bridge port (to clearly identify the ONE allowed untagged trafffic stream) but Importantly DO NOT LIMIT FRAMES.
In the bridge vlan assignments ALSO assign the tagged vlans you wish to shove through the hybrid port along with the untagged port.
In the case of the unifi controller it could be one or more vlans, and in the case of the VOIP phone normally one vlan.