Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Good day everyone!

I have an existing CCR1009-7G-1C-1S+ running for my 50 plus PPPoE subscribers and 1 hotspot server.

Objective: to establish multiple hotspot servers with different customized login pages, to be able to segregate different hotspots per area.

Initial Solution that failed: I created multiple VLANs and created hotspot server on each VLAN with different hotspot login page. The multiple hotspot with individual VLAN assignment worked but when I enabled the VLAN-Filtering at bridge, all my PPPoE accounts as well as the old existing hotspot without VLAN were lost and network traffic was gone.

Question: can VLANs not be added to an existing non-VLAN set-up? What is the best solution to be able to establish multiple hotspot servers in a single MT with existing non-VLAN PPPoE subscribers?
It is very hard to migrate my 50+ PPPoE subscribers to VLAN because they are located in different remote sites/areas in which I have to physically visit each customer site to enable VLAN on their CPE ONT/modem to be able to sync with the CCR1009-7G-1C-1S+.

Thank you in advance for your help. Will be highly appreciated.

A gentle follow-up on this query, please. I badly need a solution on how to activate multiple VLANs for the different hotspots without losing my existing non-VLAN PPPoE subscribers. Thank you.

The default config on SOHO class devices (not sure if CCRs are similar in this respect) is that all bridge ports, including bridge interface, have pvid set to 1 and all ports allow any frame types on ingress (untagged and tagged). At the same time ingress-filtering is not enabled. So in theory, if everything is left at default, enabling vlan-filtering on bridge should allow everything untagged to work just as it does when vlan filtering is disabled. Tagged traffic will probably break at this point without proper config in /interface bridge vlan section.

After one enables vlan filtering (and things still work), it’s time for gentle changes in the direction wanted. Every time take care not to break running config with VLAN ID 1.
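A pre-flight check along the lines of the reply above, added here as an example (it is not part of the original thread and not MikroTik tooling): it parses a RouterOS export and lists bridge ports that deviate from the defaults the reply names, plus VLAN interfaces on the bridge whose VLAN ID is missing from /interface bridge vlan or lacks the bridge itself as a tagged member. The sample export and its names are constructed, the defaults are assumed to be those the reply describes, and the tagged-member check reflects RouterOS bridge VLAN table behaviour rather than anything stated in the thread.

```python
import re
import shlex

# Constructed sample in RouterOS export syntax. Names are placeholders,
# not the configuration posted in this thread.
SAMPLE_EXPORT = r'''
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether5 \
    pvid=20
/interface vlan
add interface=bridge1 name=vlan2221 vlan-id=2221
add interface=bridge1 name=vlan2222 vlan-id=2222
/interface bridge vlan
add bridge=bridge1 tagged=ether4,ether5 vlan-ids=2221
'''

# Per-port defaults as described in the reply above (assumed to match the device).
PORT_DEFAULTS = {"pvid": "1", "frame-types": "admit-all", "ingress-filtering": "no"}


def parse_export(text):
    """Map each menu path to the list of key=value dicts from its 'add' lines."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # rejoin '\' continuation lines
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif line.startswith("add ") and path:
            tokens = shlex.split(line[4:])  # honours "quoted names"
            menus[path].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def preflight(text, bridge):
    """List what should be reviewed before setting vlan-filtering=yes on bridge."""
    menus, findings = parse_export(text), []

    # 1. Ports that no longer have the defaults that keep untagged traffic in VLAN 1.
    for port in menus.get("/interface bridge port", []):
        if port.get("bridge") != bridge:
            continue
        for key, default in PORT_DEFAULTS.items():
            if port.get(key, default) != default:
                findings.append(f"port {port['interface']}: {key}={port[key]}, default is {default}")

    # 2. Tagged members per VLAN ID from /interface bridge vlan (comma lists only).
    tagged = {}
    for row in menus.get("/interface bridge vlan", []):
        if row.get("bridge") == bridge:
            names = {n for n in row.get("tagged", "").split(",") if n}
            for vid in row.get("vlan-ids", "").split(","):
                tagged.setdefault(vid, set()).update(names)

    # 3. VLAN interfaces stacked on the bridge need a table entry, and the bridge
    #    itself as a tagged member, to see their frames once filtering is on.
    for vlan in menus.get("/interface vlan", []):
        if vlan.get("interface") != bridge:
            continue
        vid = vlan["vlan-id"]
        if vid not in tagged:
            findings.append(f"{vlan['name']}: no /interface bridge vlan entry for VLAN {vid}")
        elif bridge not in tagged[vid]:
            findings.append(f"{vlan['name']}: bridge {bridge} is not a tagged member of VLAN {vid}")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_EXPORT, "bridge1"):
        print(finding)
```

An empty result only means the export matches the assumptions above; the change itself is still best made in small steps under Safe Mode.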

Thank you very much for your reply. I already tried enabling vlan-filtering in bridge after I configured the desired multiple VLANs for the hotspot servers but unfortunately all existing PPPoE configurations as well as the old hotspot (without VLAN) were gone, hence, I was forced to do MT config restoration using my backup file.


Now, I am thinking of including VLAN 1 in all ports/interfaces config where my non-VLAN PPPoE and Hotspot traffic is passing through (though you already said VLAN 1 is the default ID).

By the way, can Safe Mode easily revert to my old MT configuration should the new config not work?

Yes, provided the number of changes you make is limited to < 100 in between toggling Safe Mode (each deactivation of Safe Mode clears the buffer of changes to revert).
You can prepare almost everything without activating VLAN filtering on bridge so take small steps.

Using a separate ROS device to get the configuration correct might be easier? A simple mAP could suffice?
Doing this on a production device is not ideal. Getting the concept of the config and the process to move on a separate environment might be less disruptive for your users.

The problem with changing L2 setup (VLAN falls into this category) is that if things are not exactly right, everything falls apart big time (unlike L3 setup which mostly doesn’t break just everything at the same time). That’s why I mentioned gentle changes. With your “already prepared everything” we can’t say which of those gazillion changes actually break things. That’s why I mentioned going from existing running non-VLAN setup by first enabling VLAN filtering (again, I’m not entirely sure it’s that simple) and only later building additional stuff.

And yes, “safe mode” is your friend. In case your best friend “lab setup” isn’t available.

Hello Everyone!

I just tried putting VLAN ID 1 on all ports/interfaces where non-VLAN PPPoE traffic is passing but to no avail. When I enabled VLAN-Filtering at bridge, all PPPoE accounts were gone.

Below is my current interface/bridge config prior to activating vlan-filtering:


[admin@WISP] > interface bridge export

# jun/05/2022 11:24:44 by RouterOS 6.48.3

# model = CCR1009-7G-1C-1S+

/interface bridge
add name=bridge-PPPOE
/interface bridge port
add bridge=bridge-PPPOE comment="olt area-2" interface="ether4 OLT AREA-2 "
add bridge=bridge-PPPOE interface="ether5-OLT AREA-1"
add bridge=bridge-PPPOE interface=ether6
add interface="ether7 "
add bridge=bridge-PPPOE interface=combo1
/interface bridge vlan
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2221
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2222
add bridge=bridge-PPPOE untagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=1
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2223
[admin@WISP] > interface export
/interface bridge
add name=bridge-PPPOE
/interface ethernet
set [ find default-name=combo1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether1-PTT-DIA \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether2-PTT-DSL \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether3-PLDT-DSL \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name="ether4 OLT SMT " \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether5-OLT \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
    loop-protect=on name="ether7 " rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,2500M-full,5000M-full,10000M-full
/interface vlan
add interface=bridge-PPPOE name=MGMT-Admin vlan-id=1
add interface=bridge-PPPOE name=VLAN-2221 vlan-id=2221
add interface=bridge-PPPOE name=VLAN-2222 vlan-id=2222
add interface=bridge-PPPOE name=VLAN-2223 vlan-id=2223
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-PPPOE comment="olt area-2" interface="ether4 OLT AREA-2 "
add bridge=bridge-PPPOE interface="ether5-OLT AREA-1"
add bridge=bridge-PPPOE interface=ether6
add interface="ether7 "
add bridge=bridge-PPPOE interface=combo1
/interface bridge vlan
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2221
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2222
add bridge=bridge-PPPOE untagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=1
add bridge=bridge-PPPOE tagged="ether4 OLT AREA-2 ,ether5-OLT AREA-1" vlan-ids=2223
/interface detect-internet
set detect-interface-list=all
/interface pppoe-server server
add disabled=no interface=bridge-PPPOE service-name=WISP
[admin@WISP] >

Hope someone can help. Thank you.

There are (at least) two problems which make your “smooth” transition from untagged to tagged not possible:

  1. you only have PPPoE server configured on bridge-PPPOE interface which works for untagged ports. You have to configure PPPoE server on all VLAN interfaces where clients will eventually land (e.g. VLAN-2221, etc.)
  2. even if you get the previous bullet right, clients connected to ports with PVID other than 1 set after you enable VLAN filtering. The reason is that they will start talking to different PPPoE server (the one configured on corresponding VLAN interface instead of bridge interface).

While you can avoid problems mentioned in bullet #1, you can’t get away from bullet #2.

To make everything right I highly recommend you to set up lab installation in order to make transition with only single drop (due to second bullet). Without it you will possibly have to “try and fail” many more times.

Not tried it on Mikrotik but it’s common to do that on ubiquiti dream machines … what you need is a hybrid port

The port contains a PVID (untagged) and any number of VID’s (tagged)
Most switches can also do it.

If you can do it on a Mikrotik it would be done the same way … so I tried it on a CCR1009-8G-1S-1S+ just using winbox
I created a bridge for each VID and one for the PVID
Create each VID VLAN on the ethernet port on the interfaces screen
Now go back to the bridge and on the port settings connect each VLAN on the port to its bridge “admit only VLAN tagged” and set the VLAN ID with ingress filtering on
Now finally for the PVID on the bridge port connect it to the ethernet port itself with “admit only untagged and priority tagged” with ingress filtering on

As expected you now have a hybrid port with a PVID bridge and a number of VLAN bridges which you can connect the PPPOE to each one

Thank you for the response. Just to avoid any confusion, I have only one bridge created and it was named bridge-PPPOE because the only traffic passing on that bridge back then was the non-VLAN PPPoE accounts. The Hotspot traffic was just added to this bridge-PPPOE later on; hence, currently the PPPoE traffic is not the only traffic passing through that bridge, but also the non-VLAN Hotspot traffic.

If I am going to configure additional PPPoE servers on each VLAN, then I also need to reconfigure and enable VLAN on each remote customer’s modem/router (ONT CPE) to be able to sync with the MikroTik. Hence, I would just prefer to retain the PPPoE configuration using non-VLAN interfaces.

What I really need to accomplish now is to create multiple hotspot servers using VLAN-2221, VLAN-2222, VLAN-2223 and leave all PPPoE accounts to the non-VLAN interface.

Thank you for your response.
Sorry, but I am a little bit confused: can a physical interface (e.g. Ethernet 4, Ethernet 5) be assigned to multiple bridges? My current and only bridge right now is the one I named “bridge-PPPOE”, through which all traffic from the PPPoE and Hotspot clients is passing.

When you say “created bridge for each VID”, are you saying I need to create a separate bridge for each of my VIDs (e.g. VLAN-2221, VLAN-2222, VLAN-2223 and VLAN-1)? Therefore, aside from my existing bridge named “bridge-PPPOE”, do I also need to create separate bridges for each VID?

For your clearer understanding, I renamed the bridge and interfaces. As you can see both PPPoE (non-VLAN) and Hotspot (non-VLAN) are passing through the same bridge and sent to the two OLTs.



/interface bridge
add name="bridge-PPPoE & Hotspot"
/interface vlan
add interface="bridge-PPPoE & Hotspot" name=MGMT-Admin vlan-id=1
add interface="bridge-PPPoE & Hotspot" name=VLAN-2221 vlan-id=2221
add interface="bridge-PPPoE & Hotspot" name=VLAN-2222 vlan-id=2222
add interface="bridge-PPPoE & Hotspot" name=VLAN-2223 vlan-id=2223
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge="bridge-PPPoE & Hotspot" comment="olt 1" interface="ether4 OLT 1 "
add bridge="bridge-PPPoE & Hotspot" interface="ether5-OLT 2"
add bridge="bridge-PPPoE & Hotspot" interface=ether6
add interface="ether7 "
add bridge="bridge-PPPoE & Hotspot" interface=combo1
/interface bridge vlan
add bridge="bridge-PPPoE & Hotspot" tagged="ether4 OLT 1 ,ether5-OLT 2" \
    vlan-ids=2221
add bridge="bridge-PPPoE & Hotspot" tagged="ether4 OLT 1 ,ether5-OLT 2" \
    vlan-ids=2222
add bridge="bridge-PPPoE & Hotspot" untagged="ether4 OLT 1 ,ether5-OLT 2" \
    vlan-ids=1
add bridge="bridge-PPPoE & Hotspot" tagged="ether4 OLT 1 ,ether5-OLT 2" \
    vlan-ids=2223
/interface detect-internet
set detect-interface-list=all
/interface pppoe-server server
add disabled=no interface="bridge-PPPoE & Hotspot" service-name=MyWISP



Your further help will be much appreciated. Thank you.

This bit is correct … with question/proviso … “bridge-PPPoE & Hotspot” is not a valid interface name on my router and OS
Hence I am going to replace it with a standard name … lets say “PPPoE-Ether” and you don’t need pvid 1 that will be the raw port

So your ether?? port interface name I am assuming is “PPPoE-Ether”

/interface vlan
add interface="PPPoE-Ether" name=VLAN-2221 vlan-id=2221
add interface="PPPoE-Ether" name=VLAN-2222 vlan-id=2222
add interface="PPPoE-Ether" name=VLAN-2223 vlan-id=2223

But now each VLAN needs a Bridge because you are going to ingress filter that ONE VLAN PER BRIDGE
So you need 4 bridges one for old customers (untagged) and 3 for new vlans
again slight name change on that illegal name for me

/interface bridge
add name="bridge-PPPoE-Ether"
add name="bridge_vlan2221"
add name="bridge_vlan2222"
add name="bridge_vlan2223"

Now you need to connect the bridges to the vlan interfaces on port and for the PVID to the eth port raw

/interface bridge port
add bridge=bridge_vlan2221 pvid=2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2221
add bridge=bridge_vlan2222 pvid=2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2222
add bridge=bridge_vlan2223 pvid=2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2223
add bridge=bridge-PPPoE-Ether pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=PPPoE-Ether

So you now have 4 bridges … 3 connected to the eth port vlan sub interfaces you created and one connected to the eth port interface itself

You now have yourself a hybrid port .. untagged goes to “bridge-PPPoE-Ether” and the tagged go to their respective bridges.

Now all you do is connect the 4 PPPOE servers to each bridge and each PPPOE server can only see the filtered traffic to that particular bridge.
Each bridge is really about a point to apply a filter to only allow certain traffic in and onto that bridge
From an outbound (egress perspective) they all mingle on the one ethernet cable.

I’m sorry but I’m now lost as to what exactly you’re trying to achieve.

At a guess is trying to make a multi access hotspot via a multi SSID access point .. he sort of describes that in the OP

Each VLAN becomes its own SSID on those AP’s and the untagged is the management

So in his case it probably goes something like this
untagged = AP management
2221 = Guest Wifi
2222 = 25/5Mb paying customer
2223 = 50/10Mb paying customers

Ubiquiti, Dlink and Cisco have them but I am sure there are more vendors out there
Here is the dlink setup
https://kb.netgear.com/30611/How-do-I-create-multiple-SSID-s-to-operate-on-multiple-VLAN-s
Key part that is a hybrid port (3 tagged and 1 untagged)

On ubiquiti I know the untagged management is a server that “adopts the multi SSID access points” and they call it “adopting”; you then assign what SSID networks then appear on the device and name it etc.

Whatever the case the guts of it is you need a hybrid port .. a port with 1 PVID and any number of VIDS
I just built one manually using bridges.

Basically, I just want to establish 3 different hotspot servers with individual hotspot log-in page. My current MT set-up is 1 bridge without VLAN carrying both 50 plus PPPoE customers and 1 Hotspot. The only possible way to have 3 different hotspot servers is to assign VLAN for each hotspot server. Let’s say for example: VLAN 2221 for Hotspot Server 1, VLAN 2222 for Hotspot Server 2 and VLAN 2223 for Hotspot Server 3. Then leave all PPPoE traffic to the default “no-VLAN” port.

Thank you very much for the help. I just have one question before I implement this set-up, do I need to enable “VLAN-Filtering” on all bridges including the Bridge-PPP0E-Ether?

You don’t need “vlan filtering” (as in the tick box on a bridge) on any of the bridges the ingress filter makes sure each bridge can only see one set of traffic … if you tick it probably still works but it will be doing nothing. All the bridge is doing is giving you a place to connect an ethernet sub-interface to a DHCP or PPPOE server.



I tried your recommended config but to no avail. Luckily the PPPoE traffic was not lost after implementing the ingress filtering but all the hotspot login pages did not appear when connecting to each assigned AP via VLAN.

Did I miss something? Please see below my config.

/interface bridge
add name="bridge-PPPoE - Ether"
add name=bridge-VLAN-2221
add name=bridge-VLAN-2222
add name=bridge-VLAN-2223
/interface vlan
add interface="bridge-PPPoE - Ether" name=MGMT-Admin vlan-id=1
add interface="bridge-PPPoE - Ether" name=VLAN-2221 vlan-id=2221
add interface="bridge-PPPoE - Ether" name=VLAN-2222 vlan-id=2222
add interface="bridge-PPPoE - Ether" name=VLAN-2223 vlan-id=2223
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge="bridge-PPPoE - Ether" interface="ether4 OLT 1"
add bridge="bridge-PPPoE - Ether" interface="ether5-OLT 2"
add bridge=bridge-VLAN-2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=\
    VLAN-2221 pvid=2221
add bridge=bridge-VLAN-2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=\
    VLAN-2222 pvid=2222
add bridge=bridge-VLAN-2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=\
    VLAN-2223 pvid=2223
add bridge="bridge-PPPoE - Ether" frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=MGMT-Admin
/interface bridge vlan
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2221
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2222
add bridge="bridge-PPPoE - Ether" untagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=1
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2223
/interface detect-internet
set detect-interface-list=all
/interface pppoe-server server
add disabled=no interface="bridge-PPPoE - Ether" service-name=MyWISP

Thank you in advance for your help.

Sigh … I am going to dispense with the stupid names and just leave it as “Ether?”; as an example, this is what you require for a hybrid port:

Ether? <==========UNTAGGED FILTER=========> Bridge_VLAN1 <=========> Some Tik service
VLAN 2221 <==== 2221 TAGGED FILTER =======> Bridge_VLAN2221 <=========> Some Tik service
VLAN 2222 <==== 2222 TAGGED FILTER =======> Bridge_VLAN2222 <=========> Some Tik service
VLAN 2223 <==== 2223 TAGGED FILTER =======> Bridge_VLAN2223 <=========> Some Tik service

If you don’t need to inject Tik services into each bridge you can do it with 1 bridge which is what the following junk is for

/interface bridge vlan
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2221
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2222
add bridge="bridge-PPPoE - Ether" untagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=1
add bridge="bridge-PPPoE - Ether" tagged="ether4 OLT 1 - ,ether5-OLT 2" vlan-ids=2223

That didn’t come from me so you have merged two totally different concepts in your head <<<<

A bridge allows you to inject IP’s, services etc from the Tik but at other times the Tik just needs to pass the vlans thru which is when you would use that latter case.
So there are many ways of setting up the bridge use with VLAN depending what you are doing.

Now lets go to you!!!
Clearly you have two ports you are setting up for OLT’s on ether4 and ether5 and you need two HYBRID ports
So how about I just connect them for you to the bridges for you and please don’t add or change anything

First create the bridges

/interface bridge
add name="bridge-PPPoE-Ether"
add name=bridge_vlan2221
add name=bridge_vlan2222
add name=bridge_vlan2223

Now create 3 VLAN subinterface VID’s on each ether port we will use the ether interface itself for the untagged

/interface vlan
add interface="ether4" name=VLAN-2221_eth4 vlan-id=2221
add interface="ether4" name=VLAN-2222_eth4 vlan-id=2222
add interface="ether4" name=VLAN-2223_eth4 vlan-id=2223
/interface vlan
add interface="ether5" name=VLAN-2221_eth5 vlan-id=2221
add interface="ether5" name=VLAN-2222_eth5 vlan-id=2222
add interface="ether5" name=VLAN-2223_eth5 vlan-id=2223

Now lets connect those two ports to the 4 bridges … 3 VLANS and 1 Ether Port Interface

/interface bridge port
add bridge=bridge_vlan2221 pvid=2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2221_eth4
add bridge=bridge_vlan2222 pvid=2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2222_eth4
add bridge=bridge_vlan2223 pvid=2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2223_eth4
add bridge=bridge-PPPoE-Ether pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4
/interface bridge port
add bridge=bridge_vlan2221 pvid=2221 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2221_eth5
add bridge=bridge_vlan2222 pvid=2222 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2222_eth5
add bridge=bridge_vlan2223 pvid=2223 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=VLAN-2223_eth5
add bridge=bridge-PPPoE-Ether pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5

We now have 2 HYBRID ports Ether4 and Ether5 connected to the bridges.

Lets draw it at this point so you get what that all does

                         ether4 ======= untagged ======  bridge-PPPoE-Ether (VLAN 1) ======= untagged ===== ether 5
                  VLAN-2221_eth4 ====== tagged 2221 ========== bridge_vlan2221 ============tagged 2221 ====VLAN-2221_eth5
                  VLAN-2222_eth4 ====== tagged 2222 ========== bridge_vlan2222 ============tagged 2222 ====VLAN-2222_eth5
                  VLAN-2223_eth4 ====== tagged 2223 ========== bridge_vlan2223 ============tagged 2223 ====VLAN-2223_eth5

So now you can inject tik services (DHCP/PPPOE) or put Ip’s and route thru any of those individual bridges.

Now you obviously have a PPPOE server that needs to go into bridge-PPPoE-Ether.
What service needs to inject into vlan2221, vlan2222 and vlan2223 ??? I am guessing it is DHCP’s