Help out a VLAN noobie

Hi guys,

I am new to VLANs, and I am trying to set one up. I am trying to set one up on eth 5. I got DHCP running, and I do get a DHCP address on the machine. However, I am not able to browse the web. I tried disabling some firewall rules, but I am a bit stumped. I am able to ping from the VLAN computer to the bridge and the router.

Could someone point me in the right direction?

Thanks

/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
port-cost-mode=short
add comment="vlan10 bridge" name=bridge10
/interface ethernet
set [ find default-name=ether2 ] advertise=
100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full
/interface vlan
add interface=bridge10 name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2462 name="2.4 AX GHz Channel" width=
20mhz
add band=5ghz-ax disabled=no frequency=5260-5320,5745-5825 name=
"5GHz AX Channel" width=20/40/80mhz
/interface wifi security
add authentication-types=wpa3-psk disabled=no encryption=ccmp ft=yes
ft-over-ds=yes name=Security-Normal wps=disable
add authentication-types=wpa3-psk disabled=no encryption=ccmp ft=yes
ft-over-ds=yes name="Security-Guest " wps=disable
/interface wifi steering
add disabled=no name=steering1 rrm=yes wnm=yes
/interface wifi configuration
add channel="2.4 AX GHz Channel" country=Bolivia disabled=no mode=ap name=
"Configuration 2.4GHz AX" security=Security-Normal security.wps=disable
ssid="Mikrotik 2.4 GHz AX" steering=steering1
add channel="5GHz AX Channel" country=Bolivia disabled=no installation=indoor
mode=ap name="Configuration 5 GHz AX" security=Security-Normal ssid=
"Mikrotik 5 GHz AX" steering=steering1
add channel="5GHz AX Channel" country=Bolivia disabled=no hide-ssid=yes
installation=indoor mode=ap name="Configuration 5 GHz AX only" security=
Security-Normal ssid="agitame la marioneta 5G" steering=steering1
add channel="2.4 AX GHz Channel" country=Bolivia disabled=no mode=ap name=
"Configuration 2.4 GHz Agitame" security=Security-Normal security.wps=
disable ssid="agitame la marioneta" steering=steering1
add channel="5GHz AX Channel" country=Bolivia disabled=no installation=indoor
mode=ap name="Configuration 5 GHz Agitame" security=Security-Normal ssid=
"agitame la marioneta" steering=steering1
/ip firewall layer7-protocol
add name=Facebook regexp="^.+(facebook.com).$"
add name=Youtube regexp="^.+(youtube.com).$"
/ip pool
add name=dhcp ranges=10.20.30.201-10.20.30.254
add name=dhcp_pool3 ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool3 interface=bridge10 name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add local-address=172.20.1.1 name=OVPN remote-address=dhcp_pool2
use-encryption=required
/queue simple
add comment="P30Lite Netflix throttle" disabled=yes max-limit=0/5M name=
"PLite Ntflx" packet-marks=Netflix target=10.20.30.204/32
add comment="ALL Youtube Throttle" disabled=yes max-limit=0/4M name=
"Throttle YT All" packet-marks=Youtube target=bridge
add comment="P30Lite All throttle" disabled=yes max-limit=0/10M name=
"PLite ALL" target=10.20.30.204/32,10.20.30.102/32
add comment="laptop ale All throttle" disabled=yes max-limit=0/64k name=
"Laptop ale" target=10.20.30.203/32
add comment="ALL Netflix Youtube Throttle" disabled=yes max-limit=0/15M name=
"Throttle alll ntfx/YT" packet-marks=Youtube,Netflix target=bridge
add disabled=yes max-limit=64k/64k name="Youtube WiiU" target=10.20.30.206/32
/queue tree
add name=Descarga parent=bridge queue=pcq-upload-default
add name=Subida parent=ether1 queue=pcq-download-default
add name="Prioridad1 Descarga" packet-mark="PRIO 1" parent=Descarga priority=
1 queue=pcq-upload-default
add disabled=yes name="Prioridad2 Descarga" packet-mark="PRIO 2" parent=
Descarga priority=2 queue=pcq-upload-default
add name="Prioridad3 Descarga" packet-mark="PRIO 3" parent=Descarga priority=
3 queue=pcq-upload-default
add name="Prioridad4 Descarga" packet-mark="PRIO 4" parent=Descarga priority=
4 queue=pcq-upload-default
add name="Prioridad6 Descarga" packet-mark="PRIO 6" parent=Descarga priority=
6 queue=pcq-upload-default
add name="Prioridad1 Subida" packet-mark="PRIO 1" parent=Subida priority=1
queue=pcq-download-default
add disabled=yes name="Prioridad2 Subida" packet-mark="PRIO 2" parent=Subida
priority=2 queue=pcq-download-default
add name="Prioridad3 Subida" packet-mark="PRIO 3" parent=Subida priority=3
queue=pcq-download-default
add name="Prioridad4 Subida" packet-mark="PRIO 4" parent=Subida priority=4
queue=pcq-download-default
add name="Prioridad5 Subida" packet-mark="PRIO 5" parent=Subida priority=5
queue=pcq-download-default
add name="Prioridad5 Descarga" packet-mark="PRIO 5" parent=Descarga priority=
5 queue=pcq-upload-default
add name="Prioridad6 Subida" packet-mark="PRIO 6" parent=Subida priority=6
queue=pcq-download-default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/zerotier
set zt1 disabled=no disabled=no
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=
zt1 name=zerotier1 network=abfd31bd47a7d060
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
internal-path-cost=10 path-cost=10
add bridge=bridge10 comment=defconf ingress-filtering=no interface=ether6
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
internal-path-cost=10 path-cost=10
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
add auth=sha1 certificate=Servidor cipher=aes256-cbc default-profile=OVPN
mac-address=FE:1A:C4:52:FA:13 name=ovpn-server1
require-client-certificate=yes
/interface wifi capsman
set enabled=yes interfaces=bridge package-path=/packages
require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment="5 GHz AX capable radio" disabled=
no master-configuration="Configuration 5 GHz Agitame" name-format=
"5 GHZ AX - %I" radio-mac=48:A9:8A:91:CF:6C slave-configurations=
"Configuration 5 GHz AX,Configuration 5 GHz AX only" slave-name-format=""
supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="2.4 GHz AX capable radio"
disabled=no master-configuration="Configuration 2.4 GHz Agitame"
name-format="2.4 GHz AX - %I" radio-mac=48:A9:8A:91:CF:6D
slave-configurations="Configuration 2.4GHz AX" supported-bands=2ghz-ax
/ip address
add address=10.20.30.1/24 comment=defconf interface=bridge network=10.20.30.0
add address=10.10.0.1/24 comment="VLAN 10" interface=bridge10 network=
10.10.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease

/ip dhcp-server network
add address=10.10.0.0/24 comment=VLAN10 dns-server=10.10.0.1 gateway=
10.10.0.1
add address=10.20.30.0/24 comment=defconf dns-server=
10.20.30.200,10.20.30.200 gateway=10.20.30.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=10.20.30.1 comment=defconf name=router.lan type=A
add address=10.20.30.160 name=un.raid type=A
add address=10.20.30.200 name=pi.hole type=A
add address=10.20.30.199 name=uni.fi type=A
/ip firewall address-list
add address=10.20.30.160 list="Excempt from Pihole"
add address=10.20.30.200 list="Excempt from Pihole"
add address=10.20.30.204 list="Excempt from Pihole"
add address=10.20.30.202 list="Excempt from Pihole"
add address=10.20.30.203 list="Excempt from Pihole"
/ip firewall filter
add action=accept chain=forward comment=
"Accept incoming zerotier one connections" in-interface=zerotier1
add action=accept chain=input comment=
"Accept incoming zero tier one connections" in-interface=zerotier1
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here"
add action=drop chain=input src-address-list="Brute Force"
add action=add-src-to-address-list address-list="Brute Force"
address-list-timeout=10m chain=input connection-state=new dst-port=8299
limit=!1/1m,5:packet protocol=tcp
add action=accept chain=input comment="Echo request - Evitar Ping Flood"
icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=input comment="Echo reply" icmp-options=0:0 protocol=
icmp
add action=drop chain=input comment="Drop ICMP" protocol=icmp
add action=drop chain=input comment="Drop escaneadores de puertos"
src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=3d chain=input comment=
"------Escaneadores de puertos" protocol=tcp psd=10,3s,3,1
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=3d chain=input comment="------NMAP FIN Stealth scan"
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=3d chain=input comment="------SYN/FIN scan"
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=3d chain=input comment="------SYN/RST scan"
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=3d chain=input comment="------FIN/PSH/URG scan"
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=3d chain=input comment="------ALL/ALL scan"
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=3d chain=input comment="------NMAP NULL scan"
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input dst-port=1194 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting comment="PRIORIDAD 1"
new-connection-mark="PRIO 1" protocol=icmp
add action=mark-connection chain=output dst-port=53 new-connection-mark=
"PRIO 1" protocol=udp
add action=mark-connection chain=prerouting dst-port=53 new-connection-mark=
"PRIO 1" protocol=udp
add action=add-dst-to-address-list address-list=StarCraft
address-list-timeout=none-dynamic chain=prerouting content=
add action=mark-packet chain=prerouting connection-mark="PRIO 1"
new-packet-mark="PRIO 1" passthrough=no
add action=mark-connection chain=prerouting comment="PRIORIDAD 2 VOIP"
disabled=yes new-connection-mark="PRIO 2" port=5060-5061 protocol=tcp
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=
"PRIO 2" port=10000-20000 protocol=udp
add action=mark-packet chain=prerouting connection-mark="PRIO 2" disabled=yes
new-packet-mark="PRIO 2" passthrough=no
add action=mark-connection chain=prerouting comment=
"PRIORIDAD 5 NETFLIX YOUTUBE" content=youtube.com dst-port=80,443
new-connection-mark="PRIO 5" protocol=tcp
add action=mark-connection chain=prerouting content=googlevideo.com dst-port=
80,443 new-connection-mark="PRIO 5" protocol=tcp
add action=mark-connection chain=prerouting content=nflxvideo.net dst-port=
80,443 new-connection-mark="PRIO 5" protocol=tcp
add action=mark-packet chain=prerouting connection-mark="PRIO 5"
new-packet-mark="PRIO 5" passthrough=no
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=
30m chain=prerouting content=youtube.com
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=
30m chain=prerouting content=youtu.be
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=
30m chain=prerouting content=googlevideo.com
add action=mark-packet chain=forward new-packet-mark="PRIO 5" passthrough=no
src-address-list=Youtube
add action=add-dst-to-address-list address-list=Netflix address-list-timeout=
30m chain=prerouting content=nflxvideo.net
add action=mark-packet chain=forward new-packet-mark="PRIO 5" passthrough=no
src-address-list=Netflix
add action=mark-connection chain=prerouting comment="PRIORIDAD 3 NAVEGACION"
dst-port=80,443 new-connection-mark="PRIO 3" protocol=tcp
add action=mark-packet chain=prerouting connection-mark="PRIO 3"
new-packet-mark="PRIO 3" passthrough=no
add action=mark-connection chain=prerouting comment=
"PRIORIDAD 4 PUERTOS LABORALES" dst-port=
25,110,587,465,143,3389,1723,21-23,3306 new-connection-mark="PRIO 4"
protocol=tcp
add action=mark-packet chain=prerouting connection-mark="PRIO 4"
new-packet-mark="PRIO 4" passthrough=no
add action=mark-connection chain=prerouting comment="PRIORIDAD 6 RESTO"
new-connection-mark="PRIO 6"
add action=mark-packet chain=prerouting connection-mark="PRIO 6"
new-packet-mark="PRIO 6" passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=dst-nat chain=dstnat comment=
"Pihole Redirect bridge except pi hole" dst-address=!10.20.30.200
dst-port=53 in-interface=bridge protocol=udp src-address-list=
"!Excempt from Pihole" to-addresses=10.20.30.200
add action=dst-nat chain=dstnat dst-address=!10.20.30.200 dst-port=53
in-interface=bridge protocol=tcp src-address-list="!Excempt from Pihole"
to-addresses=10.20.30.200
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set rtsp disabled=no
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set www-ssl disabled=no
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/ppp secret
add name=Cliente-OVPN profile=OVPN service=ovpn
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=America/La_Paz
/system identity
set name="MikroTik Rack1"
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=216.239.35.0
/system routerboard settings
set auto-upgrade=yes

If you are able to get a DHCP address on the right subnet, that suggests you have a working VLAN. If you are able to ping the bridge, it suggests you have a routing issue.

Things to look at [in WinBox or Webfig]

  1. Is your VLAN [Interfaces -> VLANs] correctly located on your bridge?
  2. Have you defined the network on the VLAN correctly in [IP -> DHCP Server -> Networks]? RouterOS generally sorts out a routing table for you, but does need this network defined.

You can check your routes under [IP -> Routes]

What is connected to ether5? Is it VLAN aware? In other words, is it expecting the traffic to be tagged with IEEE 802.1Q tags?

It appears you are configuring 2 bridges, bridge and bridge10. Using more than one bridge usually isn't the best approach. If you can't explain why you need two bridges, you probably don't.

When you say "I am able to ping from the vlan computer to the bridge and the router." what exactly do you mean? What IP addresses are you pinging from and what IP addresses are you pinging?

Eth 5 has a MacBook. The MacBook on eth 5 gets a 10.10.0.x address, and from this Mac I am able to ping basically anywhere: I can ping the 10.10.0.1 bridge and the 10.20.30.1 bridge and my NAS on the 10.20.30 network.
I assumed adding a second bridge would make it easier to make inter-VLAN rules.

After some playing around, if I disable the "drop all not incoming from LAN" firewall rule, I can access the internet. But obviously this is not the right move.

This is just a first dab of mine into VLANs. I eventually want to set up a trunk port on eth5 connected to a switch with some IoT devices.

It appears you have ether5 as a member of bridge, not bridge10 (but that is a good thing). It appears the only thing in bridge10 is ether6 (not ether5 as your second sentence states).

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
internal-path-cost=10 path-cost=10
add bridge=bridge10 comment=defconf ingress-filtering=no interface=ether6
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
internal-path-cost=10 path-cost=10

So I am not sure how you are connecting to bridge10.

It appears to me that everything other than ether1 and ether6 is in a "flat" network that is your "LAN".

What is the purpose of vlan 10? Do you want to keep things separated?

You don't have bridge10 in any interface list; that's my guess as to why you can't access the internet from ether6 (vlan 10). If you add interface=bridge10 to the LAN list, e.g. /interface list member add comment="add vlan 10 to LAN" interface=bridge10 list=LAN, then you would probably be able to access the internet from bridge10.

Before changing anything, make backup and export and save off your router as a way back in case something doesn't work as planned.

But the better way would be to connect to the bridge from a bridge port (not ether1 or ether6 and not ether5 if you plan to add ether5 to vlan10) and then turn on vlan filtering. This shouldn't disconnect you, since everything by default will be in vlan 1 and without tagging. Then move the vlan10 interface from bridge10 to bridge, and move ether6 from bridge10 to bridge, and finally set pvid of ether6 to 10. That will make ether6 an "access port" for vlan 10 (as long as you are using a recent version of ROS).

BTW what device and ROS version are you using?

Thanks for the feedback, you were right, adding the VLAN to the LAN interface list did the trick. Yes, vlan10 will be used to separate a DVR recorder. I will try your second suggestion, and delete the second bridge I have.

By doing this, I assume the entire bridge would work as a "trunked bridge", and by setting only the pvid of ether6 I would make that an access port, correct?

Also, would this allow me to set up a VLAN interface on my Mac on the bridge and still access the VLAN?

I'm running an RB4011 with ROS 7.21.2.

Thanks again for taking the time to teach me something new.

Is there a reason to have the DVR on a separate vlan than the cameras? If the cameras are on the same vlan, then no routing is needed. Do you have a PoE switch that the cameras are connected to? Then all you would need is a single port from the 4011 to the PoE switch with all cameras and the DVR connected. Then if you want to review recordings, you would connect to the DVR, and you could limit access via the firewall.

When the bridge has vlan-filtering enabled, it behaves like a vlan-aware switch, so tagging/untagging on individual bridge ports can be done by the integrated switch chip(s). When vlan-filtering is off, then the bridge just forwards ethernet frames as is. If they were received by the integrated switch with a tag, they will leave with a tag; the ethernet frame is not modified. The only untagged frames will be coming from the bridge interface, i.e. the interface named bridge in your posted config. All traffic from vlan interfaces (attached to the bridge) will have tags (that were inserted by the linux kernel driver). Turning on vlan-filtering doesn't change that, but it does allow frames that were sent from a vlan interface to exit the bridge ports untagged if the port is configured to send a specified vlan as untagged (using the /interface bridge vlan section). When vlan-filtering is enabled, the bridge ports are much more flexible.

I want a separate VLAN for the cameras and DVR mainly because it is a no-name brand DVR.

The final setup will be: a trunk port from the router to a managed switch, managed switch to a PoE switch, all cameras and DVR will be on this PoE switch. The cameras and DVR will be on the same VLAN.

The managed switch will only tag vlan10 on this access port.

On the remaining ports of the managed switch I will have some access points and computers.

Since the managed switch would be in charge of adding and removing the VLAN tags, would I need filtering off?

No. Having vlan-filtering enabled on the RB4011 just gives you the flexibility to have the members of the bridge to be configured individually, just like your external managed switch. You can configure some ports of the RB4011 as access ports (each for a specific vlan). Then you could for example configure one of the ports on the RB4011 to be a member of vlan 10, and a device that had no concept of vlans could then connect to that vlan 10 access port on the RB4011, and it would have access to the devices in vlan 10 on the external switch.

If you want to understand this in more detail, I recommend reading RouterOS bridge mysteries explained and Vlan-aware bridge mysteries and at least a skim through MikroTik's documentation Bridging and Switching - RouterOS - MikroTik Documentation with emphasis on the following parts:
Switch Chip Features - RouterOS - MikroTik Documentation
VLAN - RouterOS - MikroTik Documentation
Basic VLAN switching - RouterOS - MikroTik Documentation
Bridge VLAN Table - RouterOS - MikroTik Documentation
Layer2 misconfiguration - RouterOS - MikroTik Documentation


Vlans are free and easy to use, once you opt for vlan bridge filtering. In this case, it is always best to not use the bridge to provide any subnet; just create another vlan, modify the associated IP dhcp server stuff as required, and also the appropriate /interface bridge & vlan settings.

I always recommend when doing vlan bridge filtering to use one port to access the router for config purposes and emergency access purposes, so that if anything untoward happens while frigging with vlans, access will not be interrupted. Really nasty to have to start from scratch.

Steps

  • Take a port, let's say ether5, off the bridge ports!!

/interface bridge port
remove [ find interface=ether5 ]
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5

  • Give the interface an IP address and add the interface to the LAN, and if existing, any trusted/base/management interface.

/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0
/interface list member
add interface=OffBridge5 list=LAN
add interface=OffBridge5 list=MGMT

Action: Plug your PC into ether5, change the IPv4 settings on the PC to 192.168.77.2 and with username and password (in WinBox) you should be able to gain access.

Thanks @anav and @Buckeye. The resources you sent were really useful. I used a small hAP mini as a lab and test bed. VLANs do have a learning curve, and after quite a few misses, it finally clicked! All VLANs on bridge, VLANs with proper IP address, ports with correct IDs on bridge, and the trickiest part, the bridge-vlans table.

It all now works. I got so carried away I made 4 VLANs, 1 trunk port and 1 access port. I went VLANs all the way on my network, and disabled vlan1 access. Inter-VLAN rules for isolating and routing are a piece of cake with lists and VLANs.

At first this seemed daunting. Once you get the hang of it, it's a walk in the park.

Thanks again.


Not sure what you mean about disabling??
There should not be a need to disable anything.
Just ensure on the bridge ports ingress filtering is enabled for trunk ports and access ports.
Just ensure on the bridge ports frame-types are set appropriately, access=priority and untagged,
and trunk=only vlan tagged, hybrid=admit all.
++++++++++++++++++++++++++++++++++
Once done and all working you can take the bridge and make that vlan tagged only.

Would have to see full LATEST config to comment further:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists)
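Putting Buckeye's migration from earlier in the thread (vlan10 onto the main bridge, ether6 as an access port, bridge10 retired) together with the ingress-filtering and frame-types settings recommended just above, as one added RouterOS script that is not part of any post in this thread. It assumes the OP's exported config (bridge, bridge10, vlan10 with vlan-id 10, ether6 in bridge10, DHCP server dhcp1 on 10.10.0.0/24) and uses ether5 with 192.168.77.1/30 as the off-bridge management port from anav's steps.

```routeros
# Added example: move vlan 10 from the separate bridge10 onto the vlan-aware main
# bridge. Assumes the RB4011 config posted above. Run it from the off-bridge port
# (step 0) so a mistake in the vlan table cannot lock you out of the router.

# 0. Emergency access port first (anav's advice): take ether5 off the bridge and
#    give it its own /30. Keep the Mac plugged in here while the rest is applied.
/interface bridge port remove [find interface=ether5]
/ip address add address=192.168.77.1/30 interface=ether5 comment="off-bridge mgmt"
/interface list member add interface=ether5 list=LAN comment="off-bridge mgmt"

# 1. Move the DVR port from bridge10 to bridge as a vlan 10 access port.
#    pvid=10 puts untagged frames from the DVR into vlan 10;
#    frame-types=admit-only-untagged-and-priority-tagged refuses any tagged frame
#    the untrusted device might send, and ingress-filtering drops frames for vlans
#    the port is not a member of.
/interface bridge port remove [find interface=ether6]
/interface bridge port add bridge=bridge interface=ether6 pvid=10 \
    ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged \
    comment="vlan 10 access port (DVR)"

# 2. Re-parent the L3 vlan interface onto the main bridge, and tell the bridge vlan
#    table that vlan 10 leaves ether6 untagged and reaches the router (the bridge
#    interface itself, where vlan10 / DHCP / gateway 10.10.0.1 live) tagged.
/interface vlan set [find name=vlan10] interface=bridge
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether6

# 3. The firewall cause of "DHCP works but no web": the input rule
#    "defconf: drop all not coming from LAN" matched in-interface-list=!LAN, and
#    bridge10 was in no list, so DNS queries to the router at 10.10.0.1 were dropped.
#    The vlan10 interface must therefore be a LAN member.
/interface list member add interface=vlan10 list=LAN comment="vlan 10 is LAN"

# 4. Point the existing DHCP server and address at vlan10 instead of bridge10,
#    then retire the second bridge (it no longer has ports or addresses).
/ip dhcp-server set [find name=dhcp1] interface=vlan10
/ip address set [find interface=bridge10] interface=vlan10
/interface bridge remove bridge10

# 5. Only now switch the bridge to vlan-aware mode. The other ports keep the
#    default pvid=1, so the untagged 10.20.30.0/24 LAN keeps working as before.
/interface bridge set bridge vlan-filtering=yes
```

Verify with /interface bridge vlan print (ether6 should appear under untagged for vlan 10) and a DHCP renew on the DVR port before removing the off-bridge address from ether5.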

To anyone reading this who is just starting on vLANs, just do a single vLAN to start with!


To anyone reading this, starting out in vlans, config the router from an offbridge port. :)
