Bridge itself = always untagged

Guscht · March 8, 2021, 11:05am

Hi,

It seems the Bridge itself must be always untagged to obtain connectivity.

I think thats because I see no way to configure a VLAN-ID (egress) for the bridge itself?!
We can define a PVID (ingress), but no egress VLAN-ID, like for a normal VLAN-Interfaces.

Or do I miss something?

tdw · March 8, 2021, 12:27pm

A bridge has two roles - its is both like a switch connecting various ethernet ports together, and also like an ethernet port to pass traffic to services on the Mikrotik itself. Somewhat confusingly the settings for both of these roles are made under /interface bridge - the frame-types, ingress-filtering and pvid for the bridge port role are made here, whereas for all other ports attached to the bridge these are set under /interface bridge port

So, by default the bridge-to-CPU connection will be an access port, adding the bridge to the tagged= port list in the statements under /interface bridge portvlan makes it a hybrid port, if you wish it to be a trunk (tagged only) port include frame-types=admit-only-vlan-tagged ingress-filtering=yes in the bridge statement under /interface bridge

Edit: Fixed typo in configuration section name

Guscht · March 8, 2021, 4:35pm

Hi tdw,

thanks for your explanation!

I am unable to add the Bridge itself under /interface bridge port:

If I set the Bridge as tagged VID100 under /interface bridge vlans no DHCP-IP will be assigned:

Setting the Bridge tagged and “admit only VLAN tagged” + “Ingress Filtering”, same result. No connectivity:

If I set the Bridge as untagged, the IP will be assigned via DHCP:

I find no way to make the Bridge itself work if I put the Bridge under tagged (nevertheless VLAN100 will the transmitted tagged).

tdw · March 8, 2021, 4:58pm

A typo in my post, I should have said “adding the bridge to the tagged= port list in the statements under /interface bridge vlan” not …/interface bridge port

If I set the Bridge as tagged VID100 under > /interface bridge vlans > no DHCP-IP will be assigned:

If you configure the CPU-to-bridge port/interface to be tagged then you need to something to encapsulate/decapsulate the VLAN, e.g.
/interface vlan
add interface=bridge1 name=bridge-vlan-100 vlan-id=100
and attach the IP address, DHCP server, firewall rules, etc. to this - anything attached directly to the CPU-to-bridge port/interface will only handle the untagged traffic