I am trying to figure out when multiple VLAN’s coming out of Mikrotik router (RouterBOARD M11G) and connecting to a D-Link DGS-1210-28 Managed Layer 2 Switch port,
are the VLAN’s tagged or untagged !
It depends on how you configure the interfaces on the devices. You can have all VLANs tagged only (sometimes referred to as a trunk interface or port), or one untagged and the remainder tagged (sometimes referred to as a hybrid interface or port).
Attach your configuration, and we can tell you.
Export with hide-sensitive, remove manually any more sensitive info and post that configuration inside code tags…
Here is a few vlan’s on the RBM11G which I create a bridge for each Ether + Wlan interfaces?
[admin@M11G] > interface vlan print
Flags: X - disabled, R - running
NAME MTU ARP VLAN-ID INTERFACE
0 R ;;; PPPoE_AP01
VLAN3500_Ether1 1500 enabled 3500 ether1
1 R ;;; PPPoE_AP01
VLAN3500_Wlan1 1500 enabled 3500 wlan1
2 R ;;; MGT_AP01
VLAN3508_Ether1 1500 enabled 3508 ether1
3 R ;;; MGT_AP01
VLAN3508_Wlan1 1500 enabled 3508 wlan1
4 R ;;; PPPoE_AP02
VLAN3510_Wlan1 1500 enabled 3510 wlan1
5 R ;;; PPPoE_AP02
VLAN3510_Ether1 1500 enabled 3510 ether1
6 R ;;; MGT_AP02
VLAN3518_Wlan1 1500 enabled 3518 wlan1
7 R ;;; MGT_AP02
VLAN3518_Ether1 1500 enabled 3518 ether1
That provides no useful information.
As other have said post the output of /export hide-sensitive (RouterOS 6) or /export (RouterOS 7) after redacting any other potentially sensitive information (serial number, public IP addresses, scripts containing credentials)
What egresses the above ports will have a Tag applied…
Hopefully this will provide more info on my VLAN config !
/interface bridge
add comment=“PPPoE_AP01” name=VLAN3500-Br protocol-mode=none
add comment=“MGT_AP01” name=VLAN3508_Br protocol-mode=none
add comment=“PPPoE_AP02” name=VLAN3510-Br protocol-mode=none
add comment=“MGT_AP02” name=VLAN3518_Br protocol-mode=none
add comment=“PPPoE_AP03” name=VLAN3520-Br protocol-mode=none
add comment=“MGT_AP03” name=VLAN3528_Br protocol-mode=none
/interface vlan
add comment=PPPoE_AP01 interface=ether1 name=VLAN3500_Ether1 vlan-id=3500
add comment=PPPoE_AP01 interface=wlan1 name=VLAN3500_Wlan1 vlan-id=3500
add comment=MGT_AP01 interface=ether1 name=VLAN3508_Ether1 vlan-id=3508
add comment=MGT_AP01 interface=wlan1 name=VLAN3508_Wlan1 vlan-id=3508
add comment=PPPoE_AP02 interface=ether1 name=VLAN3510_Ether1 vlan-id=3510
add comment=PPPoE_AP02 interface=wlan1 name=VLAN3510_Wlan1 vlan-id=3510
add comment=MGT_AP02 interface=ether1 name=VLAN3518_Ether1 vlan-id=3518
add comment=MGT_AP02 interface=wlan1 name=VLAN3518_Wlan1 vlan-id=3518
add comment=PPPoE_AP03 interface=ether1 name=VLAN3520_Ether1 vlan-id=3520
add comment=PPPoE_AP03 interface=wlan1 name=VLAN3520_Wlan1 vlan-id=3520
add comment=MGT_AP03 interface=ether1 name=VLAN3528_Ether1 vlan-id=3528
add comment=MGT_AP03 interface=wlan1 name=VLAN3528_Wlan1 vlan-id=3528
/interface bridge port
add bridge=VLAN3500_Br comment=PPPoE_AP01 interface=VLAN3508_Wlan1
add bridge=VLAN3500_Br comment=PPPoE_AP01 interface=VLAN3508_Ether1
add bridge=VLAN3508_Br comment=MGT_AP01 interface=VLAN3508_Wlan1
add bridge=VLAN3508_Br comment=MGT_AP01 interface=VLAN3508_Ether1
add bridge=VLAN3510-Br comment=PPPoE_AP02 interface=VLAN3510_Ether1
add bridge=VLAN3510-Br comment=PPPoE_AP02 interface=VLAN3510_Wlan1
add bridge=VLAN3518_Br comment=MGT_VLAN3508 interface=VLAN3518_Ether1
add bridge=VLAN3518_Br comment=MGT_VLAN3508 interface=VLAN3518_Wlan1
add bridge=VLAN3520-Br comment=PPPoE_AP03 interface=VLAN3520_Ether1
add bridge=VLAN3520-Br comment=PPPoE_AP03 interface=VLAN3520_Wlan1
add bridge=VLAN3528_Br comment=MGT_VLAN3508 interface=VLAN3528_Ether1
add bridge=VLAN3528_Br comment=MGT_VLAN3508 interface=VLAN3528_Wlan1
All of those VLANs (3500, 3508, 3510, 3518, 3520, 2528) will be tagged on egress/ingress on the physical interfaces. There are a number of issues with using multiple bridges with VLANs, see https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration, a single VLAN-aware bridge is the preferred setup.
as TDW says you must use bridge vlan filtering on a single bridge
if you are used to other vendor switch configuration, bridge vlan filtering will be easy to understand
https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching
follow only CRS3xx, CRS5xx guides, on CRS 1xx/2xx and other switch chips the info can refer to other ways specific for this devices
I must do some more reading and convert over to a single VLAN-aware bridge, strangely I have no issue when the RBM11G is connected to a TP-Link T2600G-28TS switch but
the D-Link DGS-1510-28X switch just does not accept my current Vlan configuration?
Many thanks to you both for this very helpful advice !
…for devices with switch chips. For the OP’s device, it looks like everything devolves to software bridging, so I’m not sure reconfiguring for a single bridge will provide any useful improvement. (Block diagram)
Performance wise single bridge will indeed be same as current config. Configuration readability wise it’ll be much cleaner setup. Bonus of converting config to single bridge wozld be knowledge, useful when configuring devices that support L2 HW offload.
This is the first time I have seen a mention of the RBM11G. But it is based on the same SoC MediaTek MT7621A as the RB750Gr3 and RB760iGS, but evidently no use of the switch ASIC that the MT7621A has built in.
I wonder why the MT7621A was chosen for the board, if they didn’t intend to use the switch?
I guess they used the SoC because they developed other devices around same SoC at the same time. Making design phase faster, possibly making production cheaper (if they selected different SoC, it might even be more expensive due to low volume purchases).
And switch chip is there, but it’s configuration interface is hidden because it’s useless: with only two ports (ether1 and switch1-cpu), frame ingressing through one of ports can only egress through other port. No switch chip logic is needed … so nothing to configure.
It’s possible the diagram is misleading, and the device really does have a 2-port hardware switch. The output of “/interface bridge port print” will tell.
No, there can be an number of issues when using switch chips or not. In this case the Bridged VLAN on physical interfaces scenario is likely to cause problems.
I suspect that’s a problem of RSTP not moving between hardware and software bridges properly.
If that’s what’s happening, it’ll show up in “/interface bridge port monitor [find]” output.
@Gombeen666, I’ve asked you now for two additional sets of output. We’ll remain stuck speculating like this until you provide the hard data for us to chew on. 
The Development release notes for 7.1rc5 has the following:
*) bridge - added HW offload support for vlan-filtering on MT7621 switch chip (hEX, hEX S, RBM33G, RBM11G, LtAP);
But is still seems unlikely (to me) that the miniPCIe slot is connected to the switch.
So my guess is that that reference in the release notes if basically that support was added for the MT7621 SOC, and they then listed the products that used that SOC.
The “switch ASIC” that is part of the MT7621A evidently behaves like the MT7530 switch chip (source: [PATCHv4,0/3] : net: dsa: mt7530: support MT7530 in the MT7621 SoC)
dlink switch logging does not show any useful?
did you verified dlink switch mac adress database for updates on interface connected to MikroTik Router?