Hi
I want to configure a RB951G to separate the “Native VLAN” and VLAN101, which both arrive at Ether1, and bridge VLAN101 with Ether5 and the Native VLAN with Ether4.

My config looks like this:
/interface bridge
add l2mtu=1598 name=bridge-1 protocol-mode=none
add l2mtu=1594 name=bridge-2 protocol-mode=none
/interface vlan
add interface=ether1-slave-local l2mtu=1594 name=vlan101 vlan-id=101
/interface bridge port
add bridge=bridge-2 interface=ether5-slave-local
add bridge=bridge-2 interface=vlan101
add bridge=bridge-1 interface=ether1-slave-local
add bridge=bridge-1 interface=ether4-slave-local
Now my question:
Since this config doesn’t work on 5.25 but does work on 6.10, I’m not 100% sure if this is the right way to do this. Maybe it’s a bug in 5.25 so it didn’t work then, or maybe it’s a bug in 6.10 so it works now, even if it shouldn’t.
Does someone have an idea how this is configured the right way?
Many thanks!
I think that you would be better to do this on the switch chip.
Add VLANs 0 and 101 in the switch menu.
Make port “A” a member of both VLANs.
Make port “B” a member of VLAN 0.
Make port “C” a member of VLAN 101.
Set the VLAN mode for these three ports to “secure”.
Set the VLAN Header to “leave as is” for ports “A” & “B”.
Set the VLAN Header to “always strip” for port “C”.
Port “A” is the combined port.
Port “B” is the untagged traffic from port “A” - still untagged.
Port “C” is the VLAN 101 traffic from port “A” - now untagged.
If you want the CPU to be able to access the untagged or tagged VLAN 101 traffic you will need to make the CPU port a member of the relevant VLANs too.
Thank you for the reply. You’re right. In general that would be better.
The problem is that I need to use the firewall to filter some connections. So, it’s not possible to use the switch chip.
OK - try this then. You probably need two bridges. With reference to your diagram:
- Make a bridge between ether1 & ether4.
- Make a VLAN interface for VLAN 101 on the first bridge.
- Make a second bridge between the VLAN 101 interface and ether5.
- Apply a bridge filter to filter the bridge traffic between ether1 and ether4 to non-VLAN traffic.
The filter should be something like:
/interface bridge filter
add chain=forward in-interface=ether1 mac-protocol=!vlan out-interface=ether4
add chain=forward in-interface=ether4 mac-protocol=!vlan out-interface=ether1
add action=drop chain=forward in-interface=ether1 out-interface=ether4
add action=drop chain=forward in-interface=ether4 out-interface=ether1
Maybe you can take care of your other filtering on the bridge filters too.
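The four steps from the last reply written out as one RouterOS configuration. This is an added example, not part of any post in the thread. It reuses the interface and bridge names from the first post, and assumes that no port has a master-port set and that "the firewall" means `/ip firewall filter`.

```routeros
# Added example. Names come from the first post's config.
# Assumption: ether1, ether4 and ether5 have no master-port (switch chip not used).

/interface bridge
add name=bridge-1 protocol-mode=none
add name=bridge-2 protocol-mode=none

# VLAN 101 is attached to the first bridge, not to ether1 directly,
# because ether1 is itself a port of bridge-1.
/interface vlan
add interface=bridge-1 name=vlan101 vlan-id=101

/interface bridge port
# bridge-1: combined port and the native (untagged) port
add bridge=bridge-1 interface=ether1-slave-local
add bridge=bridge-1 interface=ether4-slave-local
# bridge-2: VLAN 101 (untagged on this side) and ether5
add bridge=bridge-2 interface=vlan101
add bridge=bridge-2 interface=ether5-slave-local

# Rules are evaluated top to bottom and the first match wins:
# untagged frames between ether1 and ether4 are accepted,
# anything else (including frames tagged 101) is dropped,
# so VLAN 101 never leaks onto ether4.
/interface bridge filter
add chain=forward action=accept mac-protocol=!vlan \
    in-interface=ether1-slave-local out-interface=ether4-slave-local
add chain=forward action=accept mac-protocol=!vlan \
    in-interface=ether4-slave-local out-interface=ether1-slave-local
add chain=forward action=drop \
    in-interface=ether1-slave-local out-interface=ether4-slave-local
add chain=forward action=drop \
    in-interface=ether4-slave-local out-interface=ether1-slave-local

# Assumption: connection filtering is done in /ip firewall filter.
# Bridged traffic only reaches the IP firewall when this is enabled.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
```

After applying it, `/interface bridge filter print stats` shows whether the drop rules are counting tagged frames on the ether1/ether4 path.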