issue with dhcp-server and vlans and console access

I am trying to set up an RB5009UG+S+ to have the following:

  • 4 VLANs, each with a dedicated subnet, and dhcp-server pool etc.
  • ether1 is WAN
  • ether2,ether3,ether6 are trunks (wireless AP with ssid-per-vlan, switches, etc.)
  • ether4,ether5,ether7 are fixed on vlan 110
  • ether7 is for now in the initial bridge, so I can still get access back to the console

What I have managed so far:

  • 4 VLANs with an IP on each vlan interface, and dhcp-servers on each, all in a new bridge (bridge1)
  • bridge is the original setup of the mikrotik, which I am keeping until I can safely access the console through the wanted lans
  • I can get a dhcp client IP from wireless, internet access OK, but I cannot access the router web ui (either through 192.168.xx.1 or 192.168.88.1); all I get is a timeout
  • the fixed vlan ether ports don’t get any IP or anything
  • from an ethernet connection of port 7, access to web ui (192.168.88.1) is fine

Any ideas what I might have done wrong?

# mar/05/2022 12:47:43 by RouterOS 7.2rc4
# software id = 4729-SAKB
#
# model = RB5009UG+S+
# serial number = EC190F8A276C
/interface bridge
add admin-mac=DC:2C:6E:43:C2:3B auto-mac=no comment=defconf name=bridge                                                                                                
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN                                                                                                                           
set [ find default-name=ether2 ] comment="Trunk cabane"
set [ find default-name=ether3 ] comment="Trunk Wifi"                                                                                                                  
set [ find default-name=ether4 ] comment="vlan 110 sds1104xe"                                                                                                          
set [ find default-name=ether5 ] comment="vlan 110 dect"                                                                                                               
set [ find default-name=ether6 ] comment="Trunk chambre"                                                                                                               
set [ find default-name=ether7 ] comment="Vlan 110 PC"                                                                                                                 
/interface vlan                                                                                                                                                        
add interface=bridge1 name=vlan-guest vlan-id=120                                                                                                                      
add interface=bridge1 name=vlan-iot vlan-id=130
add interface=bridge1 name=vlan-lan vlan-id=110
add interface=bridge1 name=vlan-mgmt vlan-id=140
/interface list
add comment=defconf name=WAN                                                                                                                                           
add comment=defconf name=LAN
add name=LAN1
add include=LAN,LAN1 name="All LAN"
/interface wireless security-profiles                                                                                                                                  
set [ find default=yes ] supplicant-identity=MikroTik                                                                                                                  
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254                                                                                                                      
add name=dhcp_pool_lan ranges=192.168.10.50-192.168.10.254
add name=dhcp_pool_guest ranges=192.168.20.50-192.168.20.254
add name=dhcp_pool_iot ranges=192.168.30.50-192.168.30.254
add name=dhcp_pool_mgmt ranges=192.168.40.50-192.168.40.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf                                                                                                                    
add address-pool=dhcp_pool_lan interface=vlan-lan lease-time=1d name=dhcp-lan
add address-pool=dhcp_pool_guest interface=vlan-guest lease-time=1d name=dhcp-guest
add address-pool=dhcp_pool_iot interface=vlan-iot lease-time=1d name=dhcp-iot
add address-pool=dhcp_pool_mgmt interface=vlan-mgmt lease-time=1d name=dhcp-mgmt
/interface bridge port
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether2                                                                                               
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether4 pvid=110
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether5 pvid=110
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge1 comment=defconf ingress-filtering=no interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list="All LAN"                                                                                                                                  
/ip settings                                                                                                                                                           
set max-neighbor-entries=8192                                                                                                                                          
/ipv6 settings
set max-neighbor-entries=8192                                                                                                                                          
/interface bridge vlan
add bridge=bridge1 tagged=ether2,ether3,ether6,sfp-sfpplus1 untagged=ether5,ether4 vlan-ids=110                                                                        
add bridge=bridge1 tagged=ether2,ether3,ether6 vlan-ids=120
add bridge=bridge1 tagged=ether2,ether3,ether6 vlan-ids=130
add bridge=bridge1 tagged=ether2,ether3,ether6 vlan-ids=140
/interface list member
add comment=defconf interface=bridge list=LAN                                                                                                                          
add comment=defconf interface=ether1 list=WAN
add interface=bridge1 list=LAN1
/interface ovpn-server server
set auth=sha1,md5                                                                                                                                                      
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0                                                                                      
add address=192.168.40.1/24 interface=vlan-mgmt network=192.168.40.0
add address=192.168.10.1/24 interface=vlan-lan network=192.168.10.0
add address=192.168.30.1/24 interface=vlan-iot network=192.168.30.0
add address=192.168.20.1/24 interface=vlan-guest network=192.168.20.0
/ip dhcp-client
add comment=defconf interface=ether1                                                                                                                                   
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.10.1                                                                                            
add address=192.168.20.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.40.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1                                                                                                                  
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan                                                                                                               
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked                                   
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list="!All LAN"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec                                                                        
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN                                                          
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.30.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.40.0/24
/ip service
set ftp disabled=yes                                                                                                                                                   
set ssh disabled=yes
/ip upnp
set enabled=yes                                                                                                                                                        
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6                                                                                                
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked                                   
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Paris                                                                                                                                        
/system identity
set name=rt-home-01                                                                                                                                                    
/tool mac-server
set allowed-interface-list="All LAN"                                                                                                                                   
/tool mac-server mac-winbox                                                                                                                                            
set allowed-interface-list="All LAN"

I’ve not checked the entire configuration but the obvious omission is the bridge-to-CPU interface in the bridge VLAN settings:
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether6,sfp-sfpplus1 untagged=ether5,ether4 vlan-ids=110
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether6 vlan-ids=120
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether6 vlan-ids=130
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether6 vlan-ids=140

Just tagged bridge1 into the three VLANs, but the issue remains.

Three? There are four VLANs.

Also
/interface bridge

add name=bridge1

should be
/interface bridge

add name=bridge1 vlan-filtering=yes

Without that the bridge behaves like an unmanaged switch, passing any untagged or tagged traffic between all ports, which explains the “fixed vlan ether ports don’t get any IP or anything” issue you have.

Neither of the config errors explains not being able to access the MikroTik itself; check that the LAN, LAN1 and “All LAN” interface lists have been populated as expected.
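An offline check for the three points raised in the reply above (bridge tagged on every VLAN it terminates, `vlan-filtering=yes`, VLAN interfaces present in an interface list), added here as an example and not part of the original thread. The two exports are constructed and abridged from the configs posted in this thread; the function names and finding labels are made up for this illustration, and it assumes bridges are created with `add` lines as in those exports.

```python
import shlex

def parse_export(text):
    """Parse a RouterOS export into {section: [ {key: value}, ... ]}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # export wraps long lines with a backslash
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # section header, e.g. /interface bridge vlan
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)         # honours quoted values such as comment="a b"
        if current and tokens[0] in ("add", "set"):
            sections[current].append(
                dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections

def expand_vids(spec):
    """Expand a vlan-ids value such as '110,120-122' into a set of ID strings."""
    vids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vids.update(str(v) for v in range(int(lo), int(hi or lo) + 1))
    return vids

def lint(text):
    """Return sorted (object, finding) pairs for VLAN interfaces on a bridge."""
    cfg = parse_export(text)
    bridges = {b["name"]: b for b in cfg.get("/interface bridge", []) if "name" in b}
    tagged = {}                            # (bridge, vlan-id) -> tagged members
    for row in cfg.get("/interface bridge vlan", []):
        members = set(filter(None, row.get("tagged", "").split(",")))
        for vid in expand_vids(row.get("vlan-ids", "")):
            tagged.setdefault((row.get("bridge"), vid), set()).update(members)
    listed = {m.get("interface") for m in cfg.get("/interface list member", [])}
    addressed = {a.get("interface") for a in cfg.get("/ip address", [])}
    findings = set()
    for v in cfg.get("/interface vlan", []):
        name, parent, vid = v.get("name"), v.get("interface"), v.get("vlan-id")
        if parent not in bridges:
            continue
        if bridges[parent].get("vlan-filtering") != "yes":
            findings.add((parent, "vlan-filtering-off"))
        if parent not in tagged.get((parent, vid), set()):
            findings.add((name, "bridge-not-tagged"))   # CPU port never joins the VLAN
        # Heuristic: in-interface-list rules match the VLAN interface, not its parent.
        if name in addressed and name not in listed:
            findings.add((name, "not-in-any-interface-list"))
    return sorted(findings)

# Constructed sample, abridged from the first export in this thread.
BROKEN = """
/interface bridge
add name=bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=vlan-lan vlan-id=110
add interface=bridge1 name=vlan-mgmt vlan-id=140
/interface bridge vlan
add bridge=bridge1 tagged=ether2,ether3,ether6 untagged=ether5,ether4 vlan-ids=110
add bridge=bridge1 tagged=ether2,ether3,ether6 vlan-ids=140
/interface list member
add interface=bridge list=LAN
add interface=bridge1 list=LAN1
/ip address
add address=192.168.10.1/24 interface=vlan-lan network=192.168.10.0
add address=192.168.40.1/24 interface=vlan-mgmt network=192.168.40.0
"""

# Constructed sample, abridged from the corrected export later in this thread.
FIXED = """
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan-lan vlan-id=110
add interface=bridge1 name=vlan-mgmt vlan-id=140
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether6 untagged=ether4,ether5 vlan-ids=110
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether6 vlan-ids=140
/interface list member
add interface=vlan-lan list=LAN
add interface=vlan-mgmt list=MANAGE
/ip address
add address=192.168.10.1/24 interface=vlan-lan network=192.168.10.0
add address=192.168.40.1/24 interface=vlan-mgmt network=192.168.40.0
"""

if __name__ == "__main__":
    for label, export in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(export))
```
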

Yes, sorry, four VLANs; I made a typo.

Thanks, adding vlan-filtering indeed fixed the DHCP issue.

From the ‘old bridge’ (ether7) I can only access 192.168.88.1, but not, for example, 192.168.10.1.

From Ethernet in VLAN 110 I cannot access either 192.168.88.1 or 192.168.10.1.

In Interfaces > Interfaces List I do see LAN/bridge and LAN1/bridge1; however, the top-right selector only lists anything when using “all”; any other choice, even “WAN”, makes the list empty.

Tdw should have referenced this article for you…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Better than the extra bridge solution is what I call OFF BRIDGE ACCESS, very easy to do, and you could use etherport 8 for example
See the first item A here - https://forum.mikrotik.com/viewtopic.php?t=182373

Fixed below, and this assumes you have installed off bridge access on ether8 and ether7 is now another 110 Access port. (aka ONLY ONE BRIDGE)
Please read all comments added to the config at various parts…
Feel free to ask questions… but do read the links above, the questions should be informed ones!!


# model = RB5009UG+S+
/interface bridge                                                                                            
# once your config is like below, then as the last step change vlan-filtering to yes, BUT ONLY AFTER you confirm your off bridge access works!
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN                                                                                                                           
set [ find default-name=ether2 ] comment="Trunk cabane"
set [ find default-name=ether3 ] comment="Trunk Wifi"                                                                                                                  
set [ find default-name=ether4 ] comment="vlan 110 sds1104xe"                                                                                                          
set [ find default-name=ether5 ] comment="vlan 110 dect"                                                                                                               
set [ find default-name=ether6 ] comment="Trunk chambre"                                                                                                               
set [ find default-name=ether7 ] comment="Vlan 110 PC"  
set [ find default-name=ether8 ] name=ether8-offbridge comment="emergency access"                                                                                                           
/interface vlan                                                                                                                                                        
add interface=bridge1 name=vlan-guest vlan-id=120                                                                                                                      
add interface=bridge1 name=vlan-iot vlan-id=130
add interface=bridge1 name=vlan-lan vlan-id=110
add interface=bridge1 name=vlan-mgmt vlan-id=140
/interface list
add comment=defconf name=WAN                                                                                                                                           
add comment=defconf name=LAN
# need to identify admin devices or network for these three items: neighbors discovery, router input chain access, and winmac server access
add name=MANAGE
/ip pool                                                                                                                      
add name=dhcp_pool_lan ranges=192.168.10.50-192.168.10.254
add name=dhcp_pool_guest ranges=192.168.20.50-192.168.20.254
add name=dhcp_pool_iot ranges=192.168.30.50-192.168.30.254
add name=dhcp_pool_mgmt ranges=192.168.40.50-192.168.40.254
/ip dhcp-server                                                                                                                  
add address-pool=dhcp_pool_lan interface=vlan-lan lease-time=1d name=dhcp-lan
add address-pool=dhcp_pool_guest interface=vlan-guest lease-time=1d name=dhcp-guest
add address-pool=dhcp_pool_iot interface=vlan-iot lease-time=1d name=dhcp-iot
add address-pool=dhcp_pool_mgmt interface=vlan-mgmt lease-time=1d name=dhcp-mgmt
/interface bridge port
# all trunk and access ports should have ingress filtering enabled and the proper frame types identified
add bridge=bridge1 comment=defconf ingress-filtering=yes interface=ether2  frame-types=admit-only-vlan-tagged                                                                                            
add bridge=bridge1 comment=defconf ingress-filtering=yes interface=ether3   frame-types=admit-only-vlan-tagged
add bridge=bridge1 comment=defconf ingress-filtering=yes interface=ether4 pvid=110  frame-types=admit-only-priority-and-untagged
add bridge=bridge1 comment=defconf ingress-filtering=yes interface=ether5 pvid=110  frame-types=admit-only-priority-and-untagged
add bridge=bridge1 comment=defconf ingress-filtering=yes interface=ether6   frame-types=admit-only-vlan-tagged
add bridge=bridge1 comment=defconf ingress-filtering=yes interface=ether7 pvid=110 frame-types=admit-only-priority-and-untagged
add bridge=bridge1 comment=defconf ingress-filtering=yes interface=sfp-sfpplus1  frame-types=admit-only-vlan-tagged
/ip neighbor discovery-settings
# allows admin to find all the smart devices
set discover-interface-list=MANAGE
/ip settings                                                                                                                                                           
set max-neighbor-entries=8192                                                                                                                                          
/ipv6 settings
set max-neighbor-entries=8192                                                                                                                                          
/interface bridge vlan   
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether6,sfp-sfpplus1 untagged=ether4,ether5,ether7 vlan-ids=110                                                                        
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether6 vlan-ids=120
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether6 vlan-ids=130
# all smart devices (any trunk ports) must get their IP from the Management VLAN
add bridge=bridge1 tagged=bridge1,ether2,ether3,ether6,sfp-sfpplus1 vlan-ids=140
/interface list member                                                                                                                        
add comment=defconf interface=ether1 list=WAN
add interface=vlan-lan list=LAN 
add interface=vlan-guest list=LAN 
add interface=vlan-iot list=LAN 
add interface=vlan-mgmt list=LAN 
add interface=vlan-mgmt list=MANAGE
add interface=ether8-offbridge list=MANAGE
/interface ovpn-server server
set auth=sha1,md5                                                                                                                                                      
/ip address
# now any laptop plugged into ether8 with ipv4 address 192.168.5.5 can enter and config router
add address=192.168.5.1/24 comment=defconf interface=ether8-offbridge network=192.168.5.0
add address=192.168.40.1/24 interface=vlan-mgmt network=192.168.40.0
add address=192.168.10.1/24 interface=vlan-lan network=192.168.10.0
add address=192.168.30.1/24 interface=vlan-iot network=192.168.30.0
add address=192.168.20.1/24 interface=vlan-guest network=192.168.20.0
/ip dhcp-client
add comment=defconf interface=ether1                                                                                                                                   
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1                                                                                                                                                                                                                                 
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked                                   
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
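# if you don't use capsman then remove the loopback rule below
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# put in the actual winbox port in place of <winbox-port>, and put this rule in here before the drop all rule
add action=accept chain=input comment="admin access to router" in-interface-list=MANAGE protocol=tcp dst-port=<winbox-port>
# dst-port needs a protocol, so DNS is allowed with one rule for UDP and one for TCP
add action=accept chain=input comment="LAN traffic for DNS (UDP)" in-interface-list=LAN protocol=udp dst-port=53
add action=accept chain=input comment="LAN traffic for DNS (TCP)" in-interface-list=LAN protocol=tcp dst-port=53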
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec                                                                        
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# disable if not required
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# only need the single source nat rule!
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set ftp disabled=yes                                                                                                                                                   
set ssh disabled=yes
/ip upnp
# WHY DO YOU NEED THIS ??
set enabled=yes                                                                                                                                                        
/system clock
set time-zone-name=Europe/Paris                                                                                                                                        
/system identity
set name=rt-home-01                                                                                                                                                    
/tool mac-server
# mac server UNLIKE mac-winbox is not encrypted and should be set to none
set allowed-interface-list=none
/tool mac-server mac-winbox
# only MANAGE interface should access winbox
set allowed-interface-list=MANAGE

Thanks 404Network, I wasn’t aware of the off-bridge access for recovery.

I will try that tomorrow, that will at least clean the bridge config.

Just ensure you understand all the lines in the config before proceeding…

I did reset the router and first made the off-bridge setup; that was OK. Then I re-applied the rest of the config with minor adjustments and everything works.

As for my last issue, not being able to access the router UI, I was missing a firewall rule for that.

Everything is now working as wanted.

Don’t tell me it was this one! ;)
add action=accept chain=input comment="admin access to router" in-interface-list=MANAGE dst-port=winbox port { put in actual winbox port and put this rule in here before the drop all rule}

For an overview of how the vlan-aware (vlan-filtering=yes) bridge works, there are two threads to start with:
  • RouterOS bridge mysteries explained: this shows the logical equivalent (router and switch connected with a hybrid link)
  • Using RouterOS to VLAN your network: this is the same as what 404Network posted as the “reference link”
These are both good, but you have to read many posts, but there are some extract .rsc files for specific applications.

If you really want to know how the vlan-aware bridge works, I recently found the official documentation, and I was quite impressed by the depth this topic is covered. I highly recommend reading these if you really want to understand what is happening. Kudos to the tech writer.

  • Bridge VLAN Filtering: good overview
  • Bridge VLAN Table: very detailed information, although there are some places where they don’t specify whether the bridge vlan or bridge port command should be used, but you can determine this by trying and using tab completion to see possible completions.

But I think it is very good documentation, with multiple example cases, including using non-default management vlan with tagged access.

Make no mistake buckeye, all the good information in that Router OS site, on this topic, is based upon the authors gleaning information from existing threads and for a large part the user articles that relate. Before this new site, which is getting much better, the older WIKI was bare bones and from my perspective not all that useful for the untrained.

I didn’t mean to diminish anything in the forum, but as with all forums, some posts are more useful than others, and an uninitiated reader has to know enough to be able to tell which posts are correct, and which posts are diversions, or not correct. And this forum at least no longer has any indicators of trustworthiness (no voting or kudos). And I do understand that votes are not a very accurate indication of anything, just like Amazon reviews.

I also wouldn’t consider the help article to be a tutorial about what vlans are, and when they should be used. For that there are other web resources. For beginners, I like Ed Harmoush’s Practical Networking site, and his YouTube videos. He has several videos on vlans that I recommend often. VLANs — Index

Too many people don’t really understand the fundamentals of networking, and without a good foundation, intelligent troubleshooting is impossible. I don’t consider making random changes to see if it solves the problem to be a good method; it’s what I call the Edison method.

The help articles do read more like a book or tutorial. I don’t know the source, maybe a lot was originally from the forum, but I found it was more organized than a bunch of individual posts by multiple authors, each responding to different parts of different posts in a thread. Each has its place, but I just wanted to let MikroTik know that I did find the help articles to be a useful resource, and to thank them for updating the documentation with some new v7 information.

I was just noting that I found it reasonably easy to understand, and that I was able to map my previous knowledge about vlans to the way that MikroTik does vlans with the “new” Bridge method. But I had already read multiple posts in the forums, and had already formed most of my new mental model, so when I found the help articles, they were primarily reinforcement, and confirmation.

The other advantage of the help article is that they apparently are being updated to cover v7, and right now, there are not many other sources other than the forum.

Well stated, thanks for the additional links!