Disabling vLans not working as expected

I have a CRS125-24G-1S on 6.45.7 with RouterOS that I use as a Smart Switch and DHCP server.

This CRS has 5 bridges on it for separation of networks.

It is not a gateway. The main gateway is a 2011.

1 bridge is mostly untagged traffic for management of network devices, cameras, servers, and access control stuff.
1 bridge is just for VOIP, also untagged.
1 bridge is a mix of tagged and untagged interfaces.
The other 2 are strictly tagged interfaces for wireless only. Kids networks.

I have a toughswitch that passes the vlans to my unifi APs.

In the past, I have been able to disable the bridge and it would kill all traffic to the corresponding network. Wireless devices would still show that they were connected to the wireless AP, but the internet would stop for these devices. I would use the bridges as an easy way to disable the kids networks to either get their attention or if they were not doing stuff they were supposed to (chores, homework, etc) or just being an a-hole.

I have noticed lately that disabling those bridges has no effect on tagged interfaces, I would have to reboot for it to take effect and kill the traffic. It only does this for the interfaces that are tagged. If the bridge has untagged interfaces in it, the untagged devices will get kicked off right away, while the tagged ones still work just fine. I have also tried disabling the tagged interface itself going to the toughswitch, everything still works. If I disable the untagged (main) interface it drops both the untagged and tagged like I would expect.

All networks get to the main router via 1 cable with 1 network untagged and 4 networks tagged so there can’t be another path out. After the bridges and vlans are disabled, I can still ping the device IPs from the main router with 0 hops as long as the 2 interfaces they rely on are vlans, so it’s a layer 2 not a reroute somewhere. If 1 of the interfaces the connection relies on is not a vlan, it severs the connection right away.

I have even deleted a vlan interface and it still worked as if it was there until a reboot.

Enabling and disabling a bridge in RouterOS is way faster and easier than setting firewall rules or disabling the wireless networks in Unifi. It also lets me do it without breaking other networks while the change is happening. Especially since I normally do this with the app on my phone.

It used to work just fine. Now it seems like changes to vlan interfaces do not take effect instantly like everything else does in RouterOS.

Why the change? Was this intentional or a side product of another change in an update?

It’s not like you can easily lock yourself out of a local Mikrotik messing with vlans like you can do on other devices since you can usually fall back on MAC winbox or MAC telnet.

It is possible to configure CRS1xx for VLANs in two distinctly different ways: using vlan-aware bridge and switch chip commands. I would expect quite different behaviour between these two ways.

So if you don’t mind, post full CRS configuration (/export hide-sensitive) so that we get a better picture about how your CRS is configured and why it doesn’t behave the way you expect it to.

I created all the vlans by going to interfaces, add, vlan, select vlan id, select interface. I then can add these interfaces into any bridge like any other interface and have both real ports and vlans in same bridge.

# nov/21/2019 17:52:11 by RouterOS 6.45.7
# software id = D8QN-ADC5
#
# model = CRS125-24G-1S
# serial number = 524004ADFEFB
/interface bridge
add admin-mac=4C:5E:0C:A3:46:50 auto-mac=no fast-forward=no name=\
    "Autumn Network Bridge"
add admin-mac=4C:5E:0C:A3:46:50 auto-mac=no fast-forward=no name=\
    "LAN Network Bridge"
add admin-mac=4C:5E:0C:A3:46:4E auto-mac=no fast-forward=no name=\
    "Main Network Bridge"
add admin-mac=4C:5E:0C:A3:46:45 auto-mac=no fast-forward=no name=\
    "VOIP Network Bridge"
add admin-mac=4C:5E:0C:A3:46:50 auto-mac=no fast-forward=no name=\
    "Xander Network Bridge"
/interface ethernet
set [ find default-name=ether1 ] comment="Temp For 8-Port Rack mPower" l2mtu=\
    4064 speed=100Mbps
set [ find default-name=ether2 ] l2mtu=4064 speed=100Mbps
set [ find default-name=ether3 ] l2mtu=4064 speed=100Mbps
set [ find default-name=ether4 ] l2mtu=4064 speed=100Mbps
set [ find default-name=ether5 ] l2mtu=4064 speed=100Mbps
set [ find default-name=ether6 ] l2mtu=4064 speed=100Mbps
set [ find default-name=ether7 ] comment=HASS.IO l2mtu=4064 speed=100Mbps
set [ find default-name=ether8 ] comment="mFi Server" l2mtu=4064 speed=\
    100Mbps
set [ find default-name=ether9 ] comment="LAN Gig Switch Top" l2mtu=4064 \
    speed=100Mbps
set [ find default-name=ether10 ] comment="LAN Gig Switch Left" l2mtu=4064 \
    speed=100Mbps
set [ find default-name=ether11 ] comment="LAN Gig Switch Right" l2mtu=4064 \
    speed=100Mbps
set [ find default-name=ether12 ] comment=Plex/Desktop-PC l2mtu=4064 speed=\
    100Mbps
set [ find default-name=ether13 ] comment="Sara's Desk AP/Switch" l2mtu=4064 \
    speed=100Mbps
set [ find default-name=ether14 ] comment="MailServer/UNMS - Main Network" \
    l2mtu=4064 speed=100Mbps
set [ find default-name=ether15 ] comment=\
    "TS Right Cameras - Untagged Main Network" l2mtu=4064 speed=100Mbps
set [ find default-name=ether16 ] comment=\
    "TS Top Cameras and mFi - Untagged Main Netowrk" l2mtu=4064 speed=100Mbps
set [ find default-name=ether17 ] comment=\
    "TS Left Wireless Gear - Untagged Main Network" l2mtu=4064 speed=100Mbps
set [ find default-name=ether18 ] l2mtu=4064 speed=100Mbps
set [ find default-name=ether19 ] comment="Webserver Pi - Main Network" \
    l2mtu=4064 speed=100Mbps
set [ find default-name=ether20 ] comment=\
    "The Dude MT - Untagged Main Network" l2mtu=4064 speed=100Mbps
set [ find default-name=ether21 ] comment=\
    "RackMount Reboot Board - Main Network" l2mtu=4064 speed=100Mbps
set [ find default-name=ether22 ] comment=\
    "New Uplink - Untagged Main Network" l2mtu=4064 speed=100Mbps
set [ find default-name=ether23 ] comment=\
    "Main Router for vLans - Untagged Main Network - OLD" disabled=yes l2mtu=\
    4064 speed=100Mbps
set [ find default-name=ether24 ] comment=Bad disabled=yes l2mtu=4064 speed=\
    100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
    l2mtu=4064
/interface vlan
add interface=ether20 name="Autumn Dude" vlan-id=103
add interface=ether20 name=CameraDude vlan-id=11
add interface=ether7 name="Hass Autumn" vlan-id=103
add interface=ether7 name="Hass LAN" vlan-id=101
add interface=ether7 name="Hass Main New" vlan-id=100
add interface=ether7 name="Hass Xander" vlan-id=102
add interface=ether20 name=LANDude vlan-id=101
add interface=ether23 name="Main Autumn Network" vlan-id=103
add interface=ether23 name="Main LAN Network" vlan-id=101
add interface=ether23 name="Main Xander Network" vlan-id=102
add interface=ether13 name="Sara's Desk VOIP" vlan-id=10
add interface=ether17 name="TS Left Autumn" vlan-id=103
add interface=ether17 name="TS Left LAN" vlan-id=101
add interface=ether17 name="TS Left Xander" vlan-id=102
add interface=ether22 name="Uplink Autumn" vlan-id=103
add interface=ether22 name="Uplink LAN" vlan-id=101
add interface=ether22 name="Uplink VOIP Network" vlan-id=10
add interface=ether22 name="Uplink Xander" vlan-id=102
add interface=ether20 name=VOIPDude vlan-id=10
add interface=ether20 name=XanderDude vlan-id=102
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add hotspot-address=10.5.50.1 name=hsprof1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=10.10.10.100-10.10.10.200
add name=dhcp_pool11 ranges=10.103.0.100-10.103.0.200
add name=dhcp_pool12 ranges=10.101.0.100-10.101.0.200
add name=dhcp_pool13 ranges=10.100.0.100-10.100.0.200
add name=dhcp_pool14 ranges=10.102.0.100-10.102.0.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface="VOIP Network Bridge" \
    lease-time=1d name="VOIP Network DHCP"
add address-pool=dhcp_pool11 disabled=no interface="Autumn Network Bridge" \
    lease-time=1d10m name="Autumn Network DHCP"
add address-pool=dhcp_pool12 disabled=no interface="LAN Network Bridge" \
    lease-time=1d10m name="LAN Netowrk DHCP"
add address-pool=dhcp_pool13 disabled=no interface="Main Network Bridge" \
    lease-time=1d10m name="Main Network DHCP"
add address-pool=dhcp_pool14 disabled=no interface="Xander Network Bridge" \
    lease-time=1d10m name="Xander Network DHCP"
/queue type
set 0 kind=red red-burst=200 red-limit=600 red-max-threshold=500 \
    red-min-threshold=100
/queue simple
add comment=8 disabled=yes max-limit=64k/0 name=P2P packet-marks=P2P queue=\
    default/default target="" total-queue=default
add comment=1 disabled=yes name=mFi priority=1/1 queue=default/default \
    target=10.11.11.0/24 total-queue=default
add comment=2 disabled=yes name=VOIP priority=2/2 queue=default/default \
    target=10.10.10.4/32 total-queue=default
add comment=3 disabled=yes name="My Media Devices" priority=3/3 queue=\
    default/default target=\
    10.10.10.10/32,10.10.10.17/32,10.10.10.11/32,10.10.10.9/32,10.10.10.8/32 \
    total-queue=default
add comment=4 disabled=yes name="Dad's Media Devices" priority=4/4 queue=\
    default/default target=10.10.10.21/32,10.10.10.22/32 total-queue=default
add comment=7 disabled=yes name="All Other" priority=7/7 queue=\
    default/default target="" total-queue=default
/queue tree
add disabled=yes limit-at=35M max-limit=35M name=global-in packet-mark=\
    global-in parent=global queue=default
add disabled=yes limit-at=20M max-limit=20M name=global-out packet-mark=\
    global-out parent=global queue=default
add disabled=yes limit-at=3M max-limit=35M name=P2P-in packet-mark=P2P-In \
    parent=global-in queue=default
add disabled=yes limit-at=500k max-limit=500k name=P2P-out packet-mark=\
    "P2P out" parent=global-out queue=default
add disabled=yes limit-at=8M max-limit=35M name=mFi-In packet-mark=mFi-In \
    parent=global-in priority=1 queue=default
add disabled=yes limit-at=5M max-limit=20M name=mFi-out packet-mark=mFi-out \
    parent=global-out priority=1 queue=default
add disabled=yes limit-at=3M max-limit=35M name=VoIP-In packet-mark=VoIP-In \
    parent=global-in priority=2 queue=default
add disabled=yes limit-at=2M max-limit=20M name=VoIP-Out packet-mark=VoIP-Out \
    parent=global-out priority=2 queue=default
add disabled=yes limit-at=10M max-limit=35M name=My-Media-In packet-mark=\
    My-Media-In parent=global-in priority=3 queue=default
add disabled=yes limit-at=5M max-limit=20M name=My-Media-Out packet-mark=\
    My-Media-Out parent=global-out priority=3 queue=default
add disabled=yes limit-at=5M max-limit=35M name=Dads-Media-In packet-mark=\
    Dads-Media-In parent=global-in priority=4 queue=default
add disabled=yes limit-at=4M max-limit=20M name=Dads-Media-Out packet-mark=\
    Dads-Media-Out parent=global-out priority=4 queue=default
add disabled=yes limit-at=6M max-limit=35M name=Other-In packet-mark=Other-In \
    parent=global-in priority=6 queue=default
add disabled=yes limit-at=3500k max-limit=20M name=Other-Out packet-mark=\
    Other-Out parent=global-out priority=6 queue=default
/routing bgp instance
set default disabled=yes out-filter=bgpout redistribute-connected=yes \
    redistribute-static=yes router-id=10.10.10.1
/routing ospf instance
set [ find default=yes ] disabled=yes
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=SMBrrb
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge="Main Network Bridge" comment=\
    "Main Unifi/Hass/Bind/Mailserver Pi vLan" interface=*63
add bridge="Main Network Bridge" comment="Dude - Untagged Main" interface=\
    ether20
add bridge="Main Network Bridge" comment=\
    "RackMount Reboot Board - Untagged Main" interface=ether21
add bridge="Main Network Bridge" comment="Main Internet" interface=ether22
add bridge="Main Network Bridge" comment="Main Router - Untagged Main" \
    interface=ether23
add bridge="Autumn Network Bridge" comment="Autumn Internet" interface=\
    "Uplink Autumn"
add bridge="Autumn Network Bridge" comment="Autumn Main Router vLan" \
    interface="Main Autumn Network"
add bridge="LAN Network Bridge" comment="LAN Internet" interface="Uplink LAN"
add bridge="LAN Network Bridge" comment="LAN Main Router vLan" interface=\
    "Main LAN Network"
add bridge="Xander Network Bridge" comment="Xander Internet" interface=\
    "Uplink Xander"
add bridge="Xander Network Bridge" comment="Xander Main Router vLan" \
    interface="Main Xander Network"
add bridge="VOIP Network Bridge" comment="VOIP Main Router vLan" interface=\
    "Uplink VOIP Network"
add bridge="Autumn Network Bridge" comment="Autumn Dude vLan" interface=\
    "Autumn Dude"
add bridge="LAN Network Bridge" comment="LAN Dude vLan" interface=LANDude
add bridge="VOIP Network Bridge" comment="VOIP Dude vLan" interface=VOIPDude
add bridge="Xander Network Bridge" comment="Xander Dude vLan" interface=\
    XanderDude
add bridge="Main Network Bridge" comment="TS Rack Left - Untagged Main" \
    interface=ether17
add bridge="Autumn Network Bridge" comment="Autumn TS Left vLan" interface=\
    "TS Left Autumn"
add bridge="LAN Network Bridge" comment="LAN TS Left vLan" interface=\
    "TS Left LAN"
add bridge="Xander Network Bridge" comment="Xander TS Left vLan" interface=\
    "TS Left Xander"
add bridge="Main Network Bridge" comment="Webserver Pi - Untagged Main" \
    interface=ether19
add bridge="Autumn Network Bridge" comment="Autumn Hass vLan" interface=\
    "Hass Autumn"
add bridge="VOIP Network Bridge" comment="VOIP Hass vLan" interface=*68
add bridge="Xander Network Bridge" comment="Xander Hass vLan" interface=\
    "Hass Xander"
add bridge="LAN Network Bridge" comment="LAN Hass vLan" interface="Hass LAN"
add bridge="Main Network Bridge" comment="TS Top - Untagged Main" interface=\
    ether16
add bridge="Main Network Bridge" comment="TS Rack Right - Untagged Main" \
    interface=ether15
add bridge="Main Network Bridge" comment="Unifi Video/UNMS/mFi esxi" \
    interface=ether14
add bridge="LAN Network Bridge" comment="Sara's Desk Switch - Untagged LAN" \
    interface=ether13
add bridge="VOIP Network Bridge" comment="Sara's Desk VOIP vLan" interface=\
    "Sara's Desk VOIP"
add bridge="LAN Network Bridge" comment=Desktop-PC interface=ether12
add bridge="LAN Network Bridge" comment="LAN Gig Switch Right" interface=\
    ether11
add bridge="LAN Network Bridge" comment="LAN Gig Switch Left" interface=\
    ether10
add bridge="Main Network Bridge" comment="Hass Main New" interface=\
    "Hass Main New"
add bridge="LAN Network Bridge" comment="LAN Gig Switch Top" interface=ether9
add bridge="Main Network Bridge" comment="mFi Server" interface=ether8
add bridge="LAN Network Bridge" interface=*6E
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set accept-redirects=yes accept-source-route=yes
/ipv6 settings
set max-neighbor-entries=1024
/interface l2tp-server server
set enabled=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set enabled=yes port=5558
/ip address
add address=10.10.10.2/24 comment="DHCP Managemnt for VOIP Network" \
    interface="VOIP Network Bridge" network=10.10.10.0
add address=10.100.0.2/24 comment="DHCP Management for Main Network" \
    interface="Main Network Bridge" network=10.100.0.0
add address=10.103.0.2/24 comment="DHCP Management for Autumn Network" \
    interface="Autumn Network Bridge" network=10.103.0.0
add address=10.101.0.2/24 comment="DHCP Management for LAN Network" \
    interface="LAN Network Bridge" network=10.101.0.0
add address=10.102.0.2/24 comment="DHCP Management for Xander Network" \
    interface="Xander Network Bridge" network=10.102.0.0
/ip dhcp-server lease
add address=10.10.10.20 client-id=1:0:59:dc:bb:80:3a comment=VoIP \
    mac-address=00:59:DC:BB:80:3A server="VOIP Network DHCP"
add address=10.100.0.200 client-id=1:b8:27:eb:f0:61:ef comment="Webserver Pi" \
    mac-address=B8:27:EB:F0:61:EF server="Main Network DHCP"
add address=10.100.0.207 client-id=1:dc:9f:db:85:cc:3a comment=\
    "Basement Media 3-Port mPower" mac-address=DC:9F:DB:85:CC:3A server=\
    "Main Network DHCP"
add address=10.100.0.206 client-id=1:4:18:d6:91:d9:80 comment=\
    "Backyard Light mSwitch" mac-address=04:18:D6:91:D9:80 server=\
    "Main Network DHCP"
add address=10.100.0.205 client-id=1:24:a4:3c:e7:c2:18 comment=\
    "Porch Outlet 1-Port mPower" mac-address=24:A4:3C:E7:C2:18 server=\
    "Main Network DHCP"
add address=10.100.0.204 client-id=1:dc:9f:db:85:cd:37 comment=\
    "Garage Relay 3-Port mPower" mac-address=DC:9F:DB:85:CD:37 server=\
    "Main Network DHCP"
add address=10.100.0.203 client-id=1:dc:9f:db:85:cd:71 comment=\
    "Shane's Desk 3-Port mPower" mac-address=DC:9F:DB:85:CD:71 server=\
    "Main Network DHCP"
add address=10.100.0.202 client-id=1:24:a4:3c:d7:4c:92 comment=\
    "Sara's Desk 3-Port mPower" mac-address=24:A4:3C:D7:4C:92 server=\
    "Main Network DHCP"
add address=10.100.0.201 client-id=1:24:a4:3c:e7:c2:3a comment=\
    "Christmas Tree/Computer Room Light 1-Port mPower" mac-address=\
    24:A4:3C:E7:C2:3A server="Main Network DHCP"
add address=10.102.0.100 client-id=1:c4:61:8b:3a:c3:3b comment=\
    "Xander's iPhone SE" mac-address=C4:61:8B:3A:C3:3B server=\
    "Xander Network DHCP"
add address=10.100.0.100 comment="Rayne Google Home" mac-address=\
    38:8B:59:A0:6B:8A server="Main Network DHCP"
add address=10.103.0.100 client-id=1:98:10:e8:11:8c:99 comment=\
    "Autumn's Old iPhone" mac-address=98:10:E8:11:8C:99 server=\
    "Autumn Network DHCP"
add address=10.100.0.51 comment="MyQ Garage Door Opener" mac-address=\
    64:52:99:52:7C:1F server="Main Network DHCP"
add address=10.103.0.101 client-id=1:90:dd:5d:62:62:eb comment=\
    "Autumn's iPhone" mac-address=90:DD:5D:62:62:EB server=\
    "Autumn Network DHCP"
add address=10.103.0.102 client-id=1:f4:f:24:6c:6:e9 comment=\
    "Autumn's Apple Watch" mac-address=F4:0F:24:6C:06:E9 server=\
    "Autumn Network DHCP"
add address=10.102.0.101 client-id=1:88:78:73:4:73:dd comment=\
    "Xander's Chromebook" mac-address=88:78:73:04:73:DD server=\
    "Xander Network DHCP"
add address=10.100.0.20 client-id=1:dc:9f:db:16:6:82 comment=\
    "TS Rack Left - Wireless" mac-address=DC:9F:DB:16:06:82 server=\
    "Main Network DHCP"
add address=10.100.0.30 client-id=1:f0:9f:c2:e6:56:8 comment="Garage PTP AP" \
    mac-address=F0:9F:C2:E6:56:08 server="Main Network DHCP"
add address=10.100.0.31 client-id=1:78:8a:20:1c:55:22 comment=\
    "Garage PTP CPE" mac-address=78:8A:20:1C:55:22 server="Main Network DHCP"
add address=10.100.0.50 client-id=1:64:16:66:2c:19:72 comment=\
    "Home Nest Thermostat" mac-address=64:16:66:2C:19:72 server=\
    "Main Network DHCP"
add address=10.100.0.151 client-id=1:f0:9f:c2:af:95:dc comment=\
    "Unifi HD Living Room AP" mac-address=F0:9F:C2:AF:95:DC server=\
    "Main Network DHCP"
add address=10.100.0.152 client-id=1:80:2a:a8:10:52:6b comment=\
    "Unifi AC Lite 2nd Floor Outside AP" mac-address=80:2A:A8:10:52:6B \
    server="Main Network DHCP"
add address=10.100.0.101 client-id=1:24:e3:14:e0:d1:6a comment=\
    "Raynes iPhone" mac-address=24:E3:14:E0:D1:6A server="Main Network DHCP"
add address=10.100.0.153 client-id=1:80:2a:a8:10:52:fb comment=\
    "Unifi AC Lite Basement AP" mac-address=80:2A:A8:10:52:FB server=\
    "Main Network DHCP"
add address=10.101.0.107 client-id=1:4c:82:cf:de:de:ea mac-address=\
    4C:82:CF:DE:DE:EA server="LAN Netowrk DHCP"
add address=10.100.0.23 client-id=1:24:a4:3c:3d:a2:ea comment="TS Garage" \
    mac-address=24:A4:3C:3D:A2:EA server="Main Network DHCP"
add address=10.100.0.154 client-id=1:80:2a:a8:10:53:b1 comment=\
    "Unifi AC Lite Garage AP" mac-address=80:2A:A8:10:53:B1 server=\
    "Main Network DHCP"
add address=10.100.0.155 client-id=1:78:8a:20:70:c0:20 comment=\
    "Unifi Mesh Playground AP" mac-address=78:8A:20:70:C0:20 server=\
    "Main Network DHCP"
add address=10.102.0.102 comment="Xander's Google Home" mac-address=\
    E4:F0:42:2E:42:5A server="Xander Network DHCP"
add address=10.100.0.21 client-id=1:4:18:d6:7:42:f2 comment=\
    "TS Rack Top - Cameras and mFi" mac-address=04:18:D6:07:42:F2 server=\
    "Main Network DHCP"
add address=10.100.0.208 client-id=1:f0:9f:c2:b4:a1:1 comment="Breaker mPort" \
    mac-address=F0:9F:C2:B4:A1:01 server="Main Network DHCP"
add address=10.100.0.22 client-id=1:4:18:d6:7:43:1c comment=\
    "TS Rack Right - Cameras" mac-address=04:18:D6:07:43:1C server=\
    "Main Network DHCP"
add address=10.101.0.11 comment="Hue Bridge" mac-address=00:17:88:26:2A:5D \
    server="LAN Netowrk DHCP"
add address=10.101.0.10 client-id=1:94:de:80:9:39:97 comment=Desktop-PC \
    mac-address=94:DE:80:09:39:97 server="LAN Netowrk DHCP"
add address=10.100.0.102 client-id=1:84:85:6:d7:8d:be comment=\
    "Shane's Desk Camera Viewer" mac-address=84:85:06:D7:8D:BE server=\
    "Main Network DHCP"
add address=10.100.0.210 client-id=1:24:a4:3c:e7:be:9d comment=\
    "Pool Filter mPower" mac-address=24:A4:3C:E7:BE:9D server=\
    "Main Network DHCP"
add address=10.101.0.143 client-id=1:a4:31:35:b9:1a:5d mac-address=\
    A4:31:35:B9:1A:5D server="LAN Netowrk DHCP"
add address=10.100.0.209 client-id=1:24:a4:3c:e7:c2:9 comment=\
    "Dehumidifiers mPower" mac-address=24:A4:3C:E7:C2:09 server=\
    "Main Network DHCP"
add address=10.100.0.211 client-id=1:4:18:d6:9c:b0:91 comment=\
    "Dining Room Light mPort" mac-address=04:18:D6:9C:B0:91 server=\
    "Main Network DHCP"
add address=10.100.0.199 comment="mFi Server" mac-address=00:21:70:6C:0D:3B \
    server="Main Network DHCP"
add address=10.100.0.149 client-id=\
    ff:f9:ef:47:df:0:2:0:0:ab:11:4:ac:19:71:d1:7f:de:cb comment=\
    "CloudKey Gen2 - Static" mac-address=74:83:C2:71:B4:35 server=\
    "Main Network DHCP"
add address=10.100.0.148 client-id=1:f0:9f:c2:13:13:a9 comment=\
    "Protect Dog Cage" mac-address=F0:9F:C2:13:13:A9 server=\
    "Main Network DHCP"
add address=10.100.0.147 client-id=1:4:18:d6:50:a6:fe comment=\
    "Protect Front Porch" mac-address=04:18:D6:50:A6:FE server=\
    "Main Network DHCP"
add address=10.100.0.146 client-id=1:80:2a:a8:4e:a7:98 comment=\
    "Protect Front Stairway" mac-address=80:2A:A8:4E:A7:98 server=\
    "Main Network DHCP"
add address=10.100.0.145 client-id=1:80:2a:a8:4e:64:3 comment=\
    "Protect Computer Room" mac-address=80:2A:A8:4E:64:03 server=\
    "Main Network DHCP"
add address=10.100.0.144 client-id=1:4:18:d6:23:dd:d2 comment=\
    "Protect Backdoor" mac-address=04:18:D6:23:DD:D2 server=\
    "Main Network DHCP"
add address=10.100.0.143 client-id=1:4:18:d6:50:a7:4a comment=\
    "Protect Garage Yard" mac-address=04:18:D6:50:A7:4A server=\
    "Main Network DHCP"
add address=10.100.0.142 client-id=1:f0:9f:c2:2f:46:40 comment=\
    "Protect Front Yard" mac-address=F0:9F:C2:2F:46:40 server=\
    "Main Network DHCP"
add address=10.100.0.141 client-id=1:80:2a:a8:4e:bb:f8 comment=\
    "Protect Driveway" mac-address=80:2A:A8:4E:BB:F8 server=\
    "Main Network DHCP"
add address=10.100.0.140 client-id=1:4:18:d6:50:a9:b9 comment=\
    "Protect Garage Door" mac-address=04:18:D6:50:A9:B9 server=\
    "Main Network DHCP"
add address=10.100.0.139 client-id=1:f0:9f:c2:2f:41:d5 comment=\
    "Protect Playground" mac-address=F0:9F:C2:2F:41:D5 server=\
    "Main Network DHCP"
add address=10.100.0.251 comment=HASS.IO mac-address=B8:27:EB:74:22:9A \
    server="Main Network DHCP"
add address=10.100.0.250 comment="Mail Server/UNMS" mac-address=\
    00:1C:C0:38:C5:42 server="Main Network DHCP"
add address=10.100.0.52 client-id=1:0:62:6e:55:8d:dd comment=Foscam \
    mac-address=00:62:6E:55:8D:DD server="Main Network DHCP"
add address=10.100.0.53 client-id=1:0:40:8c:86:e6:7f comment=Axis \
    mac-address=00:40:8C:86:E6:7F server="Main Network DHCP"
add address=10.103.0.103 client-id=1:8c:45:0:99:41:cd comment="Zachs Phone" \
    mac-address=8C:45:00:99:41:CD server="Autumn Network DHCP"
add address=10.100.0.138 client-id=1:fc:ec:da:d9:6a:f1 comment=\
    "Protect DoorBell Camera" mac-address=FC:EC:DA:D9:6A:F1 server=\
    "Main Network DHCP"
add address=10.101.0.120 client-id=1:0:22:48:9b:d8:23 comment=PS4 \
    mac-address=00:22:48:9B:D8:23 server="LAN Netowrk DHCP"
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.100.0.0/24 gateway=10.100.0.1
add address=10.101.0.0/24 gateway=10.101.0.1
add address=10.102.0.0/24 gateway=10.102.0.1
add address=10.103.0.0/24 gateway=10.103.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=mark-packet chain=prerouting disabled=yes in-interface=ether1 \
    new-packet-mark=globalin passthrough=yes
add action=mark-packet chain=prerouting disabled=yes dst-port=80 \
    new-packet-mark=http passthrough=no protocol=tcp
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set enabled=yes port=8989
/ip proxy access
add action=deny dst-host=*.io redirect-to=10.11.11.245/gomc.html
/ip route
add check-gateway=ping distance=1 gateway=10.100.0.1
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface="VOIP Network Bridge" type=internal
add type=internal
add forced-ip=192.81.63.90 interface=ether3 type=external
add interface=ether4 type=internal
/mpls ldp
set enabled=yes lsr-id=10.105.0.1 transport-address=10.105.0.1
/routing bgp peer
add disabled=yes name=AP remote-address=10.10.10.3 remote-as=65530 ttl=\
    default
add disabled=yes name="Dads House" remote-address=10.10.10.2 remote-as=65530 \
    ttl=default
add disabled=yes name=Moms out-filter=mom-out remote-address=10.10.10.28 \
    remote-as=65530 ttl=default
add disabled=yes name=Matt out-filter=matt-out remote-address=10.10.10.40 \
    remote-as=65530 ttl=default
/snmp
set enabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name="Main MT Switch"
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set XanderDude disabled=yes display-time=5s
set VOIPDude disabled=yes display-time=5s
set "Uplink Xander" disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether6 disabled=yes display-time=5s
set ether7 disabled=yes display-time=5s
set ether8 disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set ether10 disabled=yes display-time=5s
set "Uplink LAN" disabled=yes display-time=5s
set ether11 disabled=yes display-time=5s
set ether12 disabled=yes display-time=5s
set ether13 disabled=yes display-time=5s
set ether14 disabled=yes display-time=5s
set ether15 disabled=yes display-time=5s
set ether16 disabled=yes display-time=5s
set ether17 disabled=yes display-time=5s
set ether18 disabled=yes display-time=5s
set ether19 disabled=yes display-time=5s
set ether20 disabled=yes display-time=5s
set "Uplink Autumn" disabled=yes display-time=5s
set ether21 disabled=yes display-time=5s
set ether22 disabled=yes display-time=5s
set ether23 disabled=yes display-time=5s
set ether24 disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set "TS Left Xander" disabled=yes display-time=5s
set "TS Left LAN" disabled=yes display-time=5s
set "TS Left Autumn" disabled=yes display-time=5s
set "Sara's Desk VOIP" disabled=yes display-time=5s
set "Main Xander Network" disabled=yes display-time=5s
set "Uplink VOIP Network" disabled=yes display-time=5s
set "Main LAN Network" disabled=yes display-time=5s
set "Main Autumn Network" disabled=yes display-time=5s
set LANDude disabled=yes display-time=5s
set "Hass Xander" disabled=yes display-time=5s
set "Hass Main New" disabled=yes display-time=5s
set "Hass LAN" disabled=yes display-time=5s
set "Hass Autumn" disabled=yes display-time=5s
set CameraDude disabled=yes display-time=5s
set "Autumn Dude" disabled=yes display-time=5s
set "VOIP Network Bridge" disabled=yes display-time=5s
set "Main Network Bridge" disabled=yes display-time=5s
set "Xander Network Bridge" disabled=yes display-time=5s
set "Autumn Network Bridge" disabled=yes display-time=5s
set "LAN Network Bridge" disabled=yes display-time=5s
/system ntp client
set enabled=yes primary-ntp=216.218.254.202 secondary-ntp=204.2.134.164
/tool user-manager database
set db-path=user-manager

Some of the settings are old like queues and tunnels from when this was a gateway router.

That is not the proper way to do it.
Not only is all vlan handling done by the CPU when configured this way, but it can also lead to erroneous behaviour:

https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_in_bridge_with_a_physical_interface

Thanks for the info. It’s always worked just fine this way. I’ll try it the other way when I have some time to reconfigure everything and see if that makes it work like it used to.

Following these instructions will also not work.

Most untagged ports are connected to the Main Bridge.

I selected vlan filtering. It created a dynamic instance in bridge, vlans for Main Network Bridge with an id of 1 with all the ports as untagged. So that seems to work so far.

For 1 of the Networks that uses tagged traffic, I removed all the vlan interfaces. I also on Bridge, vlans, created an instance:

bridge = Main Network Bridge (tried the other bridge, but no ports showed in current tagged or untagged since nothing is in the bridge)
vlan ids = 103
tagged = ports that should have the tagged traffic
untagged = none as there are none for this network

This lists the tagged ports under current except for the one that is not in the Main Bridge since that one only uses tagged traffic for all networks.

Now I think these vlans are working but I cannot say for sure because I can no longer figure out how to set a static on my phone after android 10 update and DHCP was managed by the CRS.

I now cannot have the CRS use an IP on this vlan bridge.

This is what I need:

Main Network Bridge - Mostly untagged, with a few tagged on a layer 2. An IP on Main Bridge for management and DHCP server.
LAN Bridge - Half untagged, half tagged on a layer 2. An IP on LAN Bridge. An IP on LAN Bridge for management and DHCP server.
Kid 1 Bridge - all tagged currently on a layer 2. An IP on Kid 1 Bridge for management and DHCP server.
Kid 2 Bridge - same as Kid 1.

Some ether ports need to have - untagged Main, tagged LAN, tagged Kid1, tagged Kid2.
1 ether port needs to have - untagged none, tagged all others.

This seems to be the most convoluted way of doing vlans I have ever seen and doesn’t seem to allow the CRS to actually be a part of the vlan networks, only pass them.
The way I did it before worked great up until stuff was changed in a recent update which I had to do because of exploits in RouterOS.

I’m afraid there is a bit of confusion here. When you talked about having both ports and VLANs on any bridge, you likely had in mind that you could make a bridge per each VLAN by making as many /interface vlan vlan-id=X as you needed trunk ports in that VLAN, create a bridge dedicated for that VLAN X, and make all those /interface vlan vlan-id=X, as well as possibly some ethernet interfaces directly, the member ports of that bridge. So VLAN X was present tagged on all ports to which those member /interface vlan vlan-id=X were attached, and untagged on all ethernet interfaces which were direct members of the bridge.

I think that the change which has made your approach stop working (temporarily!) is the one brought by 6.41, which is the replacement of “ethernet master port” (which you didn’t use) by another way of integrating the software bridge functionality with the one of the hardware switch. Because with this approach, one of the bridges is chosen (maybe it’s more than one on CRS1xx, you can check that) to have a “hardware-accelerated forwarding”, which merely means that traffic among the member ports of that bridge is forwarded by the switch chip directly, without bothering the CPU, and unless vlan filtering is activated on the bridge (or the switch chip itself), also without taking care about any VLAN tags. So if ports A and B are both members of an accelerated bridge, both tagless frames and frames with any VLAN tag are forwarded directly between them, so they bypass the path “vlan interface for vlan X attached to A, bridge for vlan X, vlan interface for vlan X attached to B”.

The “hardware acceleration” can be disabled by setting the hw parameter of each /interface bridge port row to no. This would have been enough to do while your original configuration was still in place.

As @xvo has pointed out, the new “single bridge with vlan-filtering for all VLANs” approach is less complex to configure and possibly also less CPU-consuming in operation (but that’s a speculation, you’d have to test that) than the “one bridge per VLAN” approach.

In this new approach, you need just a single /interface vlan per each VLAN to which you want to connect the IP stack of the device (e.g. to provide the DHCP server capability for the VLAN or to have management access to the device).

And in this new approach, instead of disabling bridges, you can disable the rows representing the VLANs in /interface bridge vlan table. But you still have to set hw=no on rows of interface bridge port.

You could also let the switch chip do all the job and disable the rows in /interface ethernet switch vlan, but on CRS1xx, the configuration of tagging and untagging on the switch chip itself is much more complex (because it’s much more flexible and powerful) than on simpler devices with a switch chip, so while this last option is less CPU-consuming, it may be quite nerve-consuming to grasp.
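
Added example, not part of the original thread and not MikroTik code: a Python check over `/export` text for the condition described above, where two or more parent ports of same-id `/interface vlan` entries are members of one bridge whose port rows lack `hw=no`, so tagged frames can be switched between them without passing through the per-VLAN bridge. It assumes any enabled bridge port row without `hw=no` may be hardware-forwarded (confirm on the device); the function names and the sample text are constructed for illustration.

```python
"""Audit a RouterOS /export for VLAN ids that hardware forwarding can carry
past their per-VLAN software bridge (added example, names are hypothetical)."""
import shlex
from collections import defaultdict

# Constructed excerpt in the style of the export posted in the thread.
SAMPLE_EXPORT = r'''
# constructed sample, not a full device export
/interface vlan
add interface=ether22 name="Uplink Autumn" vlan-id=103
add interface=ether17 name="TS Left Autumn" vlan-id=103
add interface=ether7 name="Hass Autumn" vlan-id=103
add interface=ether22 name="Uplink Xander" vlan-id=102
add interface=ether17 name="TS Left Xander" vlan-id=102
/interface bridge port
add bridge="Main Network Bridge" comment="Main Internet" interface=ether22
add bridge="Main Network Bridge" comment="TS Rack Left - Untagged Main" \
    interface=ether17
add bridge="Autumn Network Bridge" comment="Autumn Internet" interface=\
    "Uplink Autumn"
add bridge="Autumn Network Bridge" interface="TS Left Autumn"
add bridge="Xander Network Bridge" interface="Uplink Xander"
add bridge="Xander Network Bridge" interface="TS Left Xander"
'''


def parse_export(text):
    """Return {section: [row, ...]} for the 'add' rows of an export.

    Handles the export's backslash line continuations and quoted values.
    """
    logical, buf, continuing = [], "", False
    for raw in text.splitlines():
        line = raw.rstrip()
        if continuing:
            line = line.lstrip()          # continuation lines are indented
        if line.endswith("\\"):
            buf += line[:-1]
            continuing = True
            continue
        logical.append(buf + line)
        buf, continuing = "", False

    sections = defaultdict(list)
    current = None
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line                # e.g. "/interface bridge port"
            continue
        tokens = shlex.split(line)
        if current is None or tokens[0] != "add":
            continue
        row = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        sections[current].append(row)
    return sections


def find_hw_bypass(text):
    """Map (bridge, vlan-id) -> parent ports that can exchange that VLAN's
    tagged frames directly, bypassing the VLAN interfaces on top of them."""
    sections = parse_export(text)

    # Assumption: a port row is hardware-forwarded unless it says hw=no.
    offloaded = {}
    for row in sections["/interface bridge port"]:
        if row.get("hw", "yes") != "no" and row.get("disabled") != "yes":
            offloaded[row["interface"]] = row["bridge"]

    groups = defaultdict(set)
    for vlan in sections["/interface vlan"]:
        parent = vlan["interface"]
        if parent in offloaded:
            groups[(offloaded[parent], int(vlan["vlan-id"]))].add(parent)

    # A single port cannot bypass anything; two or more on one bridge can.
    return {key: sorted(ports) for key, ports in groups.items()
            if len(ports) >= 2}


if __name__ == "__main__":
    for (bridge, vid), ports in sorted(find_hw_bypass(SAMPLE_EXPORT).items()):
        print(f"VLAN {vid}: tagged frames can pass between "
              f"{', '.join(ports)} inside '{bridge}'")
```

An empty result after adding `hw=no` to the bridge port rows means every tagged frame has to traverse its VLAN interface and per-VLAN bridge again, which is the state in which disabling that bridge cuts the network off.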

I think I get what you are saying. I will try this more when I have time. Since kid2 moved out, I can leave that broken for now.

OK, so just one more bit which is often missed because it doesn’t sound logical until you realize that the name “bridge” actually refers to two objects which are tightly linked together but still distinct: the bridge itself (as in, software emulator of a switch) and its virtual member port to which the higher layers of the network stack are connected.

So when you want to access the VLAN from the device, rather than just forward its frames among its external ports, it is not enough to create an /interface vlan interface=bridge, but the “bridge” as a member port must be also added to the tagged list in the row of /interface bridge vlan referring to the “bridge” as the real bridge (software switch).

Similarly, the pvid parameter of the bridge configuration is related to the “bridge” as the member port, so that port becomes an access one for that VLAN on the bridge.

Disabling HW Offload on all ports gives me back what I had before.

I get that I am using the CPU, always have been since I never did it the Master-Slave way as you figured out. CPU sits around 25%. That’s the main reason for the 2011 being the main router and this one just being a managed switch, the firewall rules, vpns, etc. were creating too much CPU load and causing speed issues. Seems to work just fine this way though.

Maybe I will play around with the other way at a later date, but this gets me what I need right now.

Thanks for the help.