Bridging VLANs only (and not untagged traffic)

Hi,

I am trying to figure out how to bridge VLANs only between two interfaces, but not untagged traffic.

If I create a bridge with "VLAN Filtering" enabled, it automatically creates a PVID and bridges untagged traffic.
If I create a bridge without "VLAN Filtering" enabled, then the bridge neither cares about nor forwards tagged traffic (the Bridge → VLAN rules are inactive).

As I don't want to expose the VLANs on the bridge or on any interface (I just want to bridge them), I am not sure what to do now.

When adding a port to a vlan-enabled bridge, you can always set what types of frames are admitted. E.g. frame-types=admit-only-vlan-tagged ingress-filtering=yes will only admit tagged frames on ingress.

Hi subway, have a read through this article…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Fear not, the pvid default is 1, which does not get in the way of any config setup you wish to do in terms
of a mix of vlans and non-vlans.

It's actually easier IMHO to use all VLANs and not to use the bridge for any DHCP or non-bridge functions.
All the control is at your fingertips in the firewall rules.
The input chain is used to control traffic to/from the router (for config purposes or router services like DNS).
The forward chain is used to control traffic through the router (lan to lan, lan to wan, and wan to lan).

The best approach is to make the last rule in the forward chain
add chain=forward action=drop comment="drop all else"

With that as the last rule you are basically stating STOP all layer 3 traffic in all directions.
Then as the admin all you need to add above this rule is the traffic you wish to allow.

For example
The standard default forward chain rules you can keep.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

+++++++++++++++++++++++++++++++++++++++++++++++++++++++
add chain=forward action=drop comment="drop all else"

Now put all the traffic you wish to allow where the +++++++++++++ are located.
Examples:
a. Internet traffic
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
b. Port forwarding (external users reach an internal server).
add chain=forward action=accept comment="allow port forwarding" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN
c. Sharing a printer on one vlan
add chain=forward action=accept in-interface-list=LAN dst-address=IPofSharedPrinter

In summary, everything is blocked by the last rule, so all one needs to do is add any traffic you wish to allow!

---- In terms of vlans, one identifies through interface bridge ports (and interface vlan settings) whether or not traffic leaves a router port untagged or tagged, and whether traffic arriving at a port is tagged. As per the article above…

When vlan-filtering is set to yes on the bridge, you can set frame-types on the individual /interface bridge port rows to admit-only-vlan-tagged.

When vlan-filtering is set to no on the bridge, you can use /interface bridge filter rules to drop packets not matching mac-protocol=vlan.
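The two approaches above, written out as an added example (not posted by anyone in this thread): a pass-through bridge that carries VLANs 10 and 20 between ether2 and ether3 and nothing else, with no VLAN or IP address terminating on the router. The bridge name, port names and VLAN IDs are assumptions for illustration; pick approach A or approach B, not both.

```routeros
# Added example, not from the thread. Assumed names: bridge-vlans, ether2, ether3, VLANs 10 and 20.
# Create the bridge with filtering off first, so nothing is enforced until the rules below exist.
/interface bridge
add name=bridge-vlans vlan-filtering=no protocol-mode=none

# ---------- Approach A: vlan-filtering=yes, admit only tagged frames ----------
# Untagged frames are dropped at ingress, so the default pvid=1 never carries anything.
# ingress-filtering=yes additionally drops tagged frames whose VID is not in the VLAN table.
/interface bridge port
add bridge=bridge-vlans interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge-vlans interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# Both ports are tagged members of the allowed VIDs. The bridge interface itself is
# deliberately NOT listed as tagged, so the CPU never sees VLAN 10/20 traffic.
/interface bridge vlan
add bridge=bridge-vlans vlan-ids=10,20 tagged=ether2,ether3

# Turn filtering on last. Check with: /interface bridge vlan print  and  /interface bridge host print
/interface bridge set bridge-vlans vlan-filtering=yes

# ---------- Approach B: vlan-filtering=no, bridge filter rules ----------
# Same ports, default frame-types, no VLAN table; the bridge firewall does the work instead.
# /interface bridge port
# add bridge=bridge-vlans interface=ether2
# add bridge=bridge-vlans interface=ether3
# /interface bridge filter
# # Port-to-port: only 802.1Q frames may cross the bridge; everything else (untagged IP, ARP, ...) is dropped.
# add chain=forward in-bridge=bridge-vlans mac-protocol=vlan action=accept comment="tagged only"
# add chain=forward in-bridge=bridge-vlans action=drop comment="drop untagged between ports"
# # Nothing may reach the router itself through this bridge, and the router sends nothing onto it.
# add chain=input in-bridge=bridge-vlans action=drop comment="no traffic to CPU via bridge"
# add chain=output out-bridge=bridge-vlans action=drop comment="no traffic from CPU via bridge"
# # Verify hits with: /interface bridge filter print stats
```

Two practical points: with approach A, do not attach an /interface vlan or an /ip address to bridge-vlans, since that is exactly what would expose the VLANs on the router; with approach B, the forward rules only restrict port-to-port traffic, so the input and output drops are what keep the bridge from becoming a path to the router's own services. Approach B also disables hardware offloading on switch-chip ports, so on a device with a switch chip approach A is normally preferred.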