Think I’ve got it.
I’ve had to add a vlan0 for the untagged vlan and had to add my “lan” ports to it. Then, the filtering works.
/interface bridge
add admin-mac=08:55:31:32:61:D3 auto-mac=no comment=defconf name=bridge
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=combo1,switch1-cpu,sfp4,sfp5
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=combo1
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=sfp2
add bridge=bridge comment=defconf interface=sfp3
add bridge=bridge comment=defconf interface=sfp4
add bridge=bridge comment=defconf interface=sfp5
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp4,sfp5 vlan-id=1337
/interface ethernet switch vlan
add ports=switch1-cpu,sfp4,sfp5 vlan-id=1337
add ports=switch1-cpu,combo1,sfp4,sfp5 vlan-id=0
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
But I can’t find out what the port “switch1-cpu” is for. When should I add it to a vlan, and when not?
Regards
Daniel
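
Added example, not part of the post above and not MikroTik code: a small Python check that parses the switch-related lines of the posted export and cross-checks the ports in the drop-if-invalid list against the switch VLAN table. The function names `parse` and `audit` are hypothetical, the sample is a constructed copy of the posted lines, and the parser assumes unquoted key=value pairs only.

```python
import re

# Constructed sample: the switch-related lines of the export posted above.
EXPORT = """\
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=combo1,switch1-cpu,sfp4,sfp5
/interface bridge port
add bridge=bridge comment=defconf interface=combo1
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=sfp2
add bridge=bridge comment=defconf interface=sfp3
add bridge=bridge comment=defconf interface=sfp4
add bridge=bridge comment=defconf interface=sfp5
/interface ethernet switch vlan
add ports=switch1-cpu,sfp4,sfp5 vlan-id=1337
add ports=switch1-cpu,combo1,sfp4,sfp5 vlan-id=0
"""
DROP_KEY = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"

def parse(export):
    """Return (enforced ports, bridge ports, {vlan-id: member ports})."""
    enforced, bridge_ports, vlans = set(), [], {}
    section = ""
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):          # a new menu path starts a section
            section = line
            continue
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))  # unquoted key=value only
        if section == "/interface ethernet switch" and DROP_KEY in kv:
            enforced.update(kv[DROP_KEY].split(","))
        elif section == "/interface bridge port" and "interface" in kv:
            bridge_ports.append(kv["interface"])
        elif section == "/interface ethernet switch vlan" and "ports" in kv:
            vlans.setdefault(int(kv["vlan-id"]), set()).update(kv["ports"].split(","))
    return enforced, bridge_ports, vlans

def audit(export):
    """Cross-check the enforcement list against the switch VLAN table."""
    enforced, bridge_ports, vlans = parse(export)
    members = set().union(*vlans.values())
    return {
        # bridge ports on which the drop rule is not enabled
        "unfiltered_bridge_ports": [p for p in bridge_ports if p not in enforced],
        # ports with the drop rule enabled but no VLAN table entry at all
        "enforced_without_vlan": sorted(enforced - members),
        "membership": {p: sorted(v for v, m in vlans.items() if p in m)
                       for p in sorted(enforced)},
    }

if __name__ == "__main__":
    for key, value in audit(EXPORT).items():
        print(key, value)
```

With the `vlan-id=0` line taken out of the sample, `combo1` shows up under `enforced_without_vlan`, which is the state the post describes before the vlan0 entry was added.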