Move traffic between interfaces 1&3 and between 2&4

DouglasWolf · January 27, 2026, 9:22pm

I have what I hope is a simple question.

I have a Mikrotik CRS504-4XQ-IN. I have a very simple need:

I need to connect all traffic between interfaces qsfp28-1-1 and qsfp28-3-1
I need to connect all traffic between interfaces qsfp28-2-1 and qsfp28-4-1

That’s it. I need interfaces 1 and 3 connected and interfaces 2 and 4 connected. I need all traffic to be “on the hardware” and not offloaded to the CPU. I can not add VLAN tags to the packets (the FPGA on the receiving end won’t understand them and will barf)

I tried setting up two bridges, but WinBox wouldn’t let me do that.

Is there some straight-forward way to accomplish this, or do I have to buy two switches?

– Doug

ghostinthenet · January 27, 2026, 10:22pm

Single bridge with two VLANs, 100 and 200 for example. Configure qsfp28-1-1 and qsfp28-3-1 with the first VLAN as the PVID (it will automatically set that VLAN to untagged, assuming you're running a current RouterOS) and then qsfp28-2-1 and qsfp28-4-1 with the second VLAN as the PVID. The connected devices won't see VLAN tags because everything is running untagged, but they'll still be separated on the bridge and will hardware offload.

Something like this:

/bridge
  add name=switch1 vlan-filtering=yes
/bridge port
  add bridge=switch1 interface=qsfp28-1-1 \
    frame-types=admit-only-untagged-and-priority-tagged pvid=100
  add bridge=switch1 interface=qsfp28-3-1 \
    frame-types=admit-only-untagged-and-priority-tagged pvid=100
  add bridge=switch1 interface=qsfp28-2-1 \
    frame-types=admit-only-untagged-and-priority-tagged pvid=200
  add bridge=switch1 interface=qsfp28-4-1 \
    frame-types=admit-only-untagged-and-priority-tagged pvid=200

DouglasWolf · January 28, 2026, 1:55am

Friend,

I tried to do as you suggested, and it doesn’t work. My bridge consists of four interfaces (qsfp28-1-1 through qsfp28-4-1)

I’ve created two VLANs:

qsfp28-1-1 and qsfp28-3-1 have a PVID of 1.
qsfp28-2-1 and qsfp28-4-1 have a PVID of 2.

Broadcast traffic arriving on qsfp-1-1 is being broadcast to both qsfp28-3-1 and qsfp28-4-1.

Any thoughts on how to arrange it so that the two VLANs are completely isolated from each other?

CGGXANNX · January 28, 2026, 2:16am

You apparently did not do as @ghostinthenet suggested:

He didn't tell you to "create" any VLAN. Do not create anything under /interface vlan or /interface bridge vlan. Only set the pvid value of the ports under /interface bridge port.
He didn't tell you to use VLAN ID 1! Please give your ports pvid other than 1.
Are you sure you've turned on vlan-filtering=yes on the bridge interface?

DuctView · January 28, 2026, 6:01am

Just to add to what @CGGXANNX said: pvid 1 is the internal vLAN id for all traffic on the default untagged LAN. It takes this id for consistent handling of traffic within the switch Traffic on vLAN 1 will go everywhere by default. Don't ever do anything with vLAN 1 unless you know what you are doing and you actually want to mess with the default LAN.

DouglasWolf · January 29, 2026, 1:12am

CGGXANNX,

Just wanted to express my appreciation for the help… that worked!

I’m an FPGA engineer by trade, and this is exactly the first Ethernet switch I’ve ever had to configure. It’s been a learning curve.

I really appreciate both yourself and ghostinthenet for taking the time to help out and make this project successful!

— Doug