Bridge VLAN Filtering fails after reboot on x86 with Intel I210, but works after toggling vlan-filtering off/on

Hi,

I am seeing a strange Bridge VLAN Filtering issue on RouterOS x86.

Hardware:

  • RouterOS x86

  • Intel I210 NIC

  • Main router, PPPoE WAN

  • LAN bridge with VLAN Filtering

  • Tested on RouterOS 7.21.4 long-term

  • Also tested upgrade to 7.23.1 stable, same behavior

Network design:

  • bridge-lan with vlan-filtering=yes

  • Main LAN: 192.168.20.1/24

  • IoT VLAN: vlan30-iot, VLAN ID 30, 192.168.30.1/24

  • LAN ports are untagged for main LAN

  • AP trunk port carries main LAN untagged and VLAN30 tagged

  • Firewall/NAT/PCC are configured, but the issue also appears before normal routing works

Bridge/VLAN idea:

/interface bridge
add name=bridge-lan vlan-filtering=yes

/interface vlan
add interface=bridge-lan name=vlan30-iot vlan-id=30

/interface bridge vlan
add bridge=bridge-lan vlan-ids=1 untagged=bridge-lan,ether2-LAN,ether3-LAN,ether4-LAN
add bridge=bridge-lan vlan-ids=30 tagged=bridge-lan,ether4-LAN

/ip address
add address=192.168.20.1/24 interface=bridge-lan
add address=192.168.30.1/24 interface=vlan30-iot

Problem:
After reboot, clients on the main LAN can get DHCP normally, but they cannot ping or access the gateway 192.168.20.1, and cannot access the Internet.

The strange part is that the configuration looks correct after reboot:

  • Ethernet link is up

  • Bridge port is active

  • Bridge VLAN table looks correct

  • DHCP can work

  • But ARP / gateway access / normal traffic does not work

If I manually toggle Bridge VLAN Filtering after boot, the network immediately recovers:

/interface bridge set bridge-lan vlan-filtering=no
:delay 2s
/interface bridge set bridge-lan vlan-filtering=yes

After this, everything works normally until the next reboot.

I also noticed that unplugging/replugging the LAN/AP port can sometimes recover the network, which looks similar to forcing the bridge port / VLAN state to be reinitialized.

What I have tested:

  1. Normal bridge without vlan-filtering works fine after reboot.

  2. Bridge VLAN Filtering enabled causes the issue after reboot.

  3. Main LAN directly on bridge-lan reproduces the issue.

  4. Main LAN on an explicit vlan1-main interface also reproduced the issue.

  5. Directly connected client also reproduced it, so it is not only an AP/Wi-Fi issue.

  6. Upgrading from 7.21.4 long-term to 7.23.1 stable did not fix it.

  7. Toggling vlan-filtering off/on after boot always restores connectivity.

Current workaround:
I added a startup script to reinitialize Bridge VLAN Filtering after boot:

/system script
add name=fix-vlan-filtering-startup policy=read,write,test source={
    :delay 45s
    :log warning "Startup fix: restarting bridge vlan-filtering"
    /interface bridge set bridge-lan vlan-filtering=no
    :delay 2s
    /interface bridge set bridge-lan vlan-filtering=yes
    :log warning "Startup fix: bridge vlan-filtering restarted"
}

/system scheduler
add name=fix-vlan-filtering-startup start-time=startup \
    on-event="/system script run fix-vlan-filtering-startup" \
    policy=read,write,test

This workaround works, but it looks like the Bridge VLAN Filtering runtime state is not initialized correctly during boot.

Question:
Has anyone seen a similar issue on RouterOS x86 with Intel I210 NICs and Bridge VLAN Filtering?

Could this be related to bridge VLAN Filtering initialization, FDB/CPU port VLAN state, bridge fast-forward, or NIC driver/offload behavior?

I can provide supout.rif generated while the device is in the failed state before toggling vlan-filtering.

There is a topic full of things recommended to do...or not.
One of the "or not" is using vlan id 1, don't do that.

Change this:

/interface vlan
add interface=bridge-lan name=vlan30-iot vlan-id=30

/interface bridge vlan
add bridge=bridge-lan vlan-ids=1 untagged=bridge-lan,ether2-LAN,ether3-LAN,ether4-LAN
add bridge=bridge-lan vlan-ids=30 tagged=bridge-lan,ether4-LAN

/ip address
add address=192.168.20.1/24 interface=bridge-lan
add address=192.168.30.1/24 interface=vlan30-iot

To this:

/interface vlan
add interface=bridge-lan name=vlan20-home vlan-id=20
add interface=bridge-lan name=vlan30-iot vlan-id=30

/interface bridge vlan
add bridge=bridge-lan vlan-ids=20 tagged=bridge-lan untagged=ether2-LAN,ether3-LAN,ether4-LAN
add bridge=bridge-lan vlan-ids=30 tagged=bridge-lan,ether4-LAN

/ip address
add address=192.168.20.1/24 interface=vlan20-home
add address=192.168.30.1/24 interface=vlan30-iot

While you are at it...I'll search the topic I was referring to.
And...found it:
The twelve Rules of Mikrotik Club - RouterOS / Beginner Basics - MikroTik community forum

Also...more info on VLANs can be found in this great topic:
Using RouterOS to VLAN your network - RouterOS / Useful user articles - MikroTik community forum

Thanks for the help; I tried it, but the problem persists.

/system script
add name=switch-main-vlan1-to-vlan20 policy=read,write,test source={
/interface bridge vlan set [find where bridge=bridge-lan and vlan-ids=1] vlan-ids=20 comment="Main LAN VLAN 20"

/interface bridge set bridge-lan pvid=20

/interface bridge port set [find where interface=ether2-LAN] pvid=20
/interface bridge port set [find where interface=ether3-LAN] pvid=20
/interface bridge port set [find where interface=ether4-LAN] pvid=20

:log warning "Main LAN changed from VLAN 1 to VLAN 20"

}

/system script run switch-main-vlan1-to-vlan20

There must be a misunderstanding...that script won't bring you to the advised configuration. Therefore the problem persists.

No, the configuration is definitely fine.

bridge-lan pvid=20
ether2-LAN pvid=20
ether3-LAN pvid=20
ether4-LAN pvid=20

/interface bridge vlan:
Main LAN VLAN 20 untagged=bridge-lan,ether2-LAN,ether3-LAN,ether4-LAN
IoT VLAN 30 tagged=bridge-lan,ether4-LAN
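
Added example, not part of any post in this thread: a small Python comparison of the bridge VLAN table advised in the reply with the table reported in the post above. The REPORTED text is reconstructed from that post's listing, and the function names are this example's own.

```python
import re

# Constructed inputs: ADVISED is copied from the reply in this thread,
# REPORTED is written out from the state listed in the post above.
ADVISED = """\
/interface bridge vlan
add bridge=bridge-lan vlan-ids=20 tagged=bridge-lan untagged=ether2-LAN,ether3-LAN,ether4-LAN
add bridge=bridge-lan vlan-ids=30 tagged=bridge-lan,ether4-LAN
"""
REPORTED = """\
/interface bridge vlan
add bridge=bridge-lan vlan-ids=20 untagged=bridge-lan,ether2-LAN,ether3-LAN,ether4-LAN
add bridge=bridge-lan vlan-ids=30 tagged=bridge-lan,ether4-LAN
"""

def parse_bridge_vlans(export):
    """Return {vlan_id: {port: 'tagged'|'untagged'}} from '/interface bridge vlan' add lines."""
    table, in_section = {}, False
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/interface bridge vlan"
            continue
        if not (in_section and line.startswith("add ")):
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        for vid in kv.get("vlan-ids", "").split(","):
            if not vid.isdigit():  # ranges such as 10-20 are not handled here
                continue
            members = table.setdefault(int(vid), {})
            for mode in ("tagged", "untagged"):
                for port in filter(None, kv.get(mode, "").split(",")):
                    members[port] = mode
    return table

def membership_diff(a, b):
    """List (vlan_id, port, mode_in_a, mode_in_b) wherever the two tables disagree."""
    out = []
    for vid in sorted(set(a) | set(b)):
        pa, pb = a.get(vid, {}), b.get(vid, {})
        for port in sorted(set(pa) | set(pb)):
            if pa.get(port) != pb.get(port):
                out.append((vid, port, pa.get(port), pb.get(port)))
    return out

if __name__ == "__main__":
    for vid, port, want, have in membership_diff(parse_bridge_vlans(ADVISED), parse_bridge_vlans(REPORTED)):
        print(f"VLAN {vid}: {port} is {have} in the reported table, {want} in the advised one")
```

The only difference it reports is bridge-lan in VLAN 20: tagged in the advised table, untagged in the reported one.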

Good to hear, maybe I misunderstood...: