I am currently trying to change the vlan setup in our Network to the new way.
But how would you do the inter-vlan firewall rules, if there is only 1 Bridge with all vlans inside?
Example which is currently used:
add action=accept chain=forward in-interface=bridge-vlan10 out-interface=bridge-vlan20
add action=drop chain=forward
Bridge with all vlans inside will isolate those vlans from each other if things are set correctly. The only path between vlans lead via IP:
host10 <-> vlan10 <-> router's IP interface on vlan10 <---------+
firewall | routing
host20 <-> vlan20 <-> router's IP interface on vlan20 <---------+
Using in-interface in firewall rules is only an aid, it won’t work if there’s not something like
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
/ip address
add interface=vlan10 address=x.y.10.a/bb
add interface=vlan20 address=x.y.20.c/dd
In plain english, there is no layer 2 connectivity between vlans so only need forward firewall flter rules.
Just add what IP routing you want to permit at L3
Allow LAN to WAN
allow VLAN (some or all) to WAN
Allow VLANx to VLANy (subnet to subnet)
Allow VLAN (some or all or one vlanip) to LAN (for shared device like a printer).