Bridge VLANs on RB4011iGS+RM

Hi,

I have my RB4011iGS+RM currently set up with three bridges for three subnets (management, LAN, IoT), each bridge has two physical ethernet ports. I need to have all three subnets on a Wi-Fi AP that will be connected on ether10 (the only PoE port), so I figured I’d create 3 VLANs corresponding to the subnets via /interface vlan, add them to their respective bridges and use ether10 as a trunk port with all three, but while reading through the wiki, I’ve found that this is one of the common misconfigurations and probably won’t work - https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_in_bridge_with_a_physical_interface

Apparently the new way is to use Bridge VLAN Filtering, which if I understand correctly turns the bridge into a VLAN-aware virtual switch, creating something like a virtual router-on-a-stick setup.

I think I understand most of the principles of this setup from reading the wiki, but I still have a few questions:

  • A physical interface (ether10 in my case) cannot be added to multiple bridges. Is the best practice to create one big bridge with all the VLANs and then separate the ports using PVIDs (set them as access ports), or can I keep the three separate bridges (I noticed you can add a tagged port under /interface bridge vlan even if the port wasn’t added to the bridge using /interface bridge ports)?

  • If I will have to create one big bridge for all the subnets, I will be left with only one L3 interface (the new bridge). How do I set up firewall between the subnets? The PVID field on the bridge itself can be used to allow all VLANs to the CPU for routing, but what would be the settings in /ip addresses and /ip firewall?

  • Are there any extra performance or security settings that I should be aware of?

I hope the description isn’t too confusing :)

If going to use bridge vlans, this is the reference guide you will need!
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

The guide mentioned by @anav and the wiki/help pages are a good start; in general, random blogs/videos found on the web tend to use methods that are obsolete, less than optimal, or wrong.


Yes


> or can I keep the three separate bridges (I noticed you can add a tagged port under /interface bridge vlan even if the port wasn’t added to the bridge using /interface bridge ports)?

The /interface bridge vlan settings only apply to members added under /interface bridge port. It would be nice if Winbox/CLI added a warning comment if VLAN settings are applied to ports which are not bridge members, but they don’t.


> If I will have to create one big bridge for all the subnets, I will be left with only one L3 interface (the new bridge). How do I set up firewall between the subnets? The PVID field on the bridge itself can be used to allow all VLANs to the CPU for routing, but what would be the settings in /ip addresses and /ip firewall?

The bridge itself has an interface to the CPU for access to services such as an IP address, DHCP server, etc. This interface, which has the same name as the bridge, is automatically a member of the bridge - it doesn’t appear under /interface bridge port. Other than that it is like any other member and can be included in the /interface bridge vlan settings, but is often overlooked and the cause of lack of connectivity.

Just as with your ether10 interface you would configure the bridge interface to have the VLANs tagged, but in the case of the bridge interface you then use /interface vlan objects to provide the VLAN encapsulation/decapsulation for each VLAN you wish the CPU to have access to. If you previously had three bridges, e.g. bridge10, bridge20 & bridge30, you would instead use three VLAN interfaces, e.g. bridge-vlan10, bridge-vlan20 & bridge-vlan30, attached to the single bridge.
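The layout described in this reply, written out as a complete RouterOS configuration. This is an added example, not the poster's own config or MikroTik documentation: the bridge name bridge1, the port-to-subnet assignment, the 192.168.x.0/24 subnets and ether1 as the WAN uplink are all assumptions to adapt.

```routeros
# Added example: migrating three bridges to one VLAN-aware bridge on a RB4011.
# Names, port assignments and subnets are assumptions; adjust to your layout.

# 1. One bridge for everything; leave vlan-filtering off until the very end.
/interface bridge
add name=bridge1 vlan-filtering=no comment="single VLAN-aware bridge"

# 2. Access ports get a PVID; their untagged membership is added dynamically.
#    ether10 (the PoE port, to the AP) is the trunk and gets no PVID.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 comment=management
add bridge=bridge1 interface=ether3 pvid=10 comment=management
add bridge=bridge1 interface=ether4 pvid=20 comment=LAN
add bridge=bridge1 interface=ether5 pvid=20 comment=LAN
add bridge=bridge1 interface=ether6 pvid=30 comment=IoT
add bridge=bridge1 interface=ether7 pvid=30 comment=IoT
add bridge=bridge1 interface=ether10 comment="trunk to AP"

# 3. VLAN table, one entry per VLAN ID. "bridge1" in tagged= is the implicit
#    bridge-to-CPU port; leave it out and the router never sees that VLAN.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether10 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether10 untagged=ether4,ether5
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether10 untagged=ether6,ether7

# 4. One /interface vlan per subnet replaces the three old bridges as the
#    L3 interfaces that /ip address and the firewall refer to.
/interface vlan
add name=bridge-vlan10 interface=bridge1 vlan-id=10
add name=bridge-vlan20 interface=bridge1 vlan-id=20
add name=bridge-vlan30 interface=bridge1 vlan-id=30

/ip address
add address=192.168.10.1/24 interface=bridge-vlan10 comment=management
add address=192.168.20.1/24 interface=bridge-vlan20 comment=LAN
add address=192.168.30.1/24 interface=bridge-vlan30 comment=IoT

# 5. Firewall keyed on the VLAN interfaces, not on the bridge.
#    ether1 is assumed to be the WAN uplink.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=bridge-vlan10 comment="management may reach the router"
add chain=input action=accept in-interface=bridge-vlan20 protocol=udp dst-port=53,67 comment="LAN: DNS/DHCP only"
add chain=input action=accept in-interface=bridge-vlan30 protocol=udp dst-port=53,67 comment="IoT: DNS/DHCP only"
add chain=input action=drop comment="everything else aimed at the router"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=bridge-vlan10 comment="management reaches everything"
add chain=forward action=accept in-interface=bridge-vlan20 out-interface=ether1 comment="LAN to internet"
add chain=forward action=accept in-interface=bridge-vlan30 out-interface=ether1 comment="IoT to internet"
add chain=forward action=drop comment="no IoT<->LAN, nothing into management"

# 6. Enable filtering last (under Safe Mode when working remotely). From
#    this point the CPU only receives frames for VLANs tagged towards bridge1.
/interface bridge
set bridge1 vlan-filtering=yes
```

The order matters on a device you reach over the network: the VLAN table, the /interface vlan objects and their addresses must all exist before vlan-filtering is switched on, otherwise the management session is cut off when the bridge starts dropping untagged traffic to the CPU.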

Thanks to both of you, while the settings are not very intuitive, they make perfect sense and work like a charm once understood. This was the main thing I was missing (for some reason I thought the /interface vlan menu was deprecated):

My setup now works as expected, but I’m still curious about this:

  • Once I enable Bridge VLAN filtering, the IP address set on the bridge is ignored? So far it seems like it is, but it’s not marked as invalid in /ip address

  • Is there a way to restrict which VLANs are sent to which trunk port? For example if I would like to send VLANs 10, 20 and 30 via ether10, but only 10 and 20 via ether9 (with both ethernet interfaces in the same bridge)

The implicit bridge-to-CPU port can be configured as an access, trunk or hybrid port, just as with any other bridge port. An IP address on the bridge itself relates to untagged bridge-to-CPU traffic. The untagged membership for access or hybrid ports is dynamically added; the /interface bridge vlan table shows the actual memberships.

To convert a hybrid port to a trunk port, i.e. tagged only, add frame-types=admit-only-vlan-tagged ingress-filtering=yes to the bridge definition for the bridge-to-CPU port, or to the interface ports under /interface bridge port for the other ports.


> Is there a way to restrict which VLANs are sent to which trunk port? For example if I would like to send VLANs 10, 20 and 30 via ether10, but only 10 and 20 via ether9 (with both ethernet interfaces in the same bridge)

That is configured by the interface ports added to tagged= under /interface bridge vlan, so tagged=bridge,ether9,ether10 for both VLAN IDs 10 & 20, but tagged=bridge,ether10 for VLAN ID 30.

> To convert a hybrid port to a trunk port, i.e. tagged only, add frame-types=admit-only-vlan-tagged ingress-filtering=yes to the bridge definition for the bridge-to-CPU port, or to the interface ports under /interface bridge port for the other ports.

Good to know.


> That is configured by the interface ports added to tagged= under /interface bridge vlan, so tagged=bridge,ether9,ether10 for both VLAN IDs 10 & 20, but tagged=bridge,ether10 for VLAN ID 30.

Oh, I had everything under one entry in /interface bridge vlan (-‸ლ). I got confused by the fact that you can add multiple VLAN IDs under one entry. It makes much more sense now.

Thanks a lot for all the info, this is all I needed to know.

You can, and it is fine if you have a large collection of the same VLANs on several tagged interfaces. However, if you wish to have differing sets of VLANs on the interfaces you should create separate /interface bridge vlan entries as any VLAN ID can only exist in one entry.

There is also a warning in the documentation regarding having multiple VLAN IDs with trunk and access ports - “The vlan-ids parameter can be used to specify a set or range of VLANs, but specifying multiple VLANs in a single bridge VLAN table entry should only be used for ports that are trunk ports. In case multiple VLANs are specified for access ports, then tagged packets might get sent out as untagged packets through the wrong access port, regardless of the PVID value.”
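The per-trunk VLAN sets from the earlier reply (VLANs 10, 20 and 30 on ether10, only 10 and 20 on ether9) and the single-entry pitfall quoted above, shown side by side as an added example; it is not the poster's config or MikroTik documentation. bridge1, ether9/ether10 as the trunks, ether2 to ether7 as access ports and the 100-110 guest range are assumptions, and the hybrid-to-trunk conversion with frame-types is included at the end.

```routeros
# Added example: two trunk ports in one bridge with different VLAN sets.
# bridge1, the trunk and access port numbers and VLAN 100-110 are assumptions.

# The mistake described in the thread: one entry carrying every VLAN ID.
# Besides being unable to express "VLAN 30 on ether10 only", it mixes
# access ports into a multi-VLAN entry, which the documentation warns can
# send tagged frames out of the wrong access port untagged.
#/interface bridge vlan
#add bridge=bridge1 vlan-ids=10,20,30 tagged=bridge1,ether9,ether10 untagged=ether2,ether4,ether6

# Correct layout: one entry per VLAN ID (an ID can exist in only one
# entry), so the tagged= list can differ per VLAN.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether9,ether10 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether9,ether10 untagged=ether4,ether5
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether10 untagged=ether6,ether7

# Grouping several IDs in one entry is acceptable only when every member
# is a trunk, e.g. a range of VLANs that has no access port anywhere.
add bridge=bridge1 vlan-ids=100-110 tagged=bridge1,ether9,ether10 comment="trunk-only range (assumed)"

# Hybrid -> trunk: the trunks accept tagged frames only, and frames for
# VLANs missing from the table are dropped at ingress.
/interface bridge port
set [find interface=ether9] frame-types=admit-only-vlan-tagged ingress-filtering=yes
set [find interface=ether10] frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access ports the other way round: untagged frames in, PVID assigned.
set [find interface=ether2] frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# The same on the bridge itself makes the bridge-to-CPU port tagged-only;
# an IP address set directly on bridge1 stops receiving traffic after this.
/interface bridge
set bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Check the result: dynamic untagged memberships from the PVIDs show up
# next to the static entries, and a port absent from every entry carries
# no VLAN at all.
/interface bridge vlan print
```

After the change, the print output is the quickest way to confirm that ether9 appears in the VLAN 10 and 20 entries but not in the VLAN 30 entry, and that bridge1 is tagged in every VLAN the router is expected to route.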