My recent VLAN fiasco

I attempted to add VLANs to a perfectly working network centered on an RB5009 router. My goal is to add two additional “zones”: a DMZ and one for testing non-trusted devices (cheap wifi IoT gadgets).

I tried following the guides and reading the MikroTik docs and produced the config below. If I set vlan_filtering=yes the network becomes unreliable AND I am not able to access the internet. If I set vlan_filtering=no, the network is just unreliable but the outside world works well. By unreliable I mean: weird time-outs, connections fail randomly, some certificates are no longer accessible, etc.

Here is the config (expunged of static DHCP leases and static DNS entries):

# 2025-03-19 11:39:56 by RouterOS 7.17.2
# software id = THI6-PU2R
#
# model = RB5009UPr+S+
# serial number = HG909SZ149B
/interface bridge
add admin-mac=D4:01:C3:5E:BC:A3 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] l2mtu=1500 poe-out=off
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge mtu=1496 name=BASE vlan-id=10
add interface=bridge mtu=1496 name=DMZ vlan-id=42
add interface=bridge mtu=1496 name=JAIL vlan-id=66
/interface list
add name=WAN
add name=LAN
/ip pool
add name=BASE_POOL ranges=10.9.9.100-10.9.9.254
add name=DMZ_POOL ranges=10.9.42.2-10.9.42.254
add name=JAIL_POOL ranges=10.9.66.2-10.9.66.254
/ip dhcp-server
add address-pool=BASE_POOL interface=BASE lease-time=1d name=BASE_DHCP
add address-pool=DMZ_POOL interface=DMZ name=DMZ_DHCP
add address-pool=JAIL_POOL interface=JAIL name=JAIL_DHCP
/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 internal-path-cost=10 path-cost=10 pvid=42
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 internal-path-cost=10 path-cost=10 pvid=42
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=Base tagged=bridge,ether1,ether6 untagged=\
    ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge comment=DMZ tagged=bridge,ether1,ether6 untagged=\
    ether7,ether8 vlan-ids=42
add bridge=bridge comment=Jail tagged=bridge,ether1 vlan-ids=66
/interface list member
add interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add interface=wireguard1 list=LAN
add interface=BASE list=LAN
/interface wireguard peers
add allowed-address=10.10.10.2/32 comment="XYZ" interface=\
    wireguard1 name=XYZ public-key=\
    "XYZ"
/ip address
add address=10.9.8.1/22 interface=bridge network=10.9.8.0
add address=10.10.10.1/24 comment=VPN interface=wireguard1 network=10.10.10.0
add address=10.9.8.1/22 interface=BASE network=10.9.8.0
add address=10.9.40.1/22 interface=DMZ network=10.9.40.0
add address=10.9.64.1/22 interface=JAIL network=10.9.64.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server network
add address=10.9.8.0/22 dns-server=10.9.8.1 gateway=10.9.8.1
add address=10.9.40.0/22 dns-server=10.9.40.1 gateway=10.9.40.1
add address=10.9.64.0/22 dns-server=10.9.64.1 gateway=10.9.64.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB
/ip dns adlist
add ssl-verify=no url=\
    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Accept incoming wireguard" dst-port=\
    13231 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "Accept all wireguard incoming traffic" disabled=yes in-interface=\
    wireguard1 src-address=10.9.8.224/27
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 in-interface-list=\
    WAN protocol=tcp to-addresses=10.9.11.3 to-ports=5060
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 address
add address=::1 from-pool=general-pool6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=sfp-sfpplus1 pool-name=general-pool6 \
    request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] interface=bridge ra-interval=20s-1m
/system clock
set time-zone-name=Europe/Zurich
/system leds
set 0 leds=user-led type=off
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

What did I do wrong? What could I improve? Still new at RouterOS, so any criticism/help would be welcome. Thanks

You’ve got the right idea, and are very close.

  1. Don’t manually set “untagged” ports on your bridge VLANs. When you set a bridge port member PVID, it automatically/dynamically gets added as “untagged”. Manually setting “untagged” just lets you force a VLAN to egress a port without tags even if it isn’t the PVID for that port, and 99% of the time is the wrong choice for the majority of people and use-cases.
  2. Definitely don’t set a bridge port PVID to also be the same as one of the tagged VLANs you want to trunk on that port! I’m sure this would result in undefined (and likely very bad) behavior. You did this twice: ether1 and ether6 are trunk ports, and you included VLAN 10 in the “tagged” list, but ALSO set VLAN 10 as the PVID for ports 1 and 6. Don’t! Just leave PVID at 1, or at the VERY least make it an ID that you are NOT trying to trunk through that same port (use a junk VLAN-ID, though if you do that then you should also tag that junk/throwaway VLAN on ‘bridge’ as well, so that you can actually talk to the CPU/RouterOS/management over a port that has that set as PVID).

In short / in summary, the basic rule of thumb is: for any given port, a tagged VLAN should only be set by adding that port as “tagged” under Bridge > VLANs, but the one and only UNtagged VLAN for any given port should only be set by manipulating the PVID for that port under Bridge > Ports.

Also as an aside, there is absolutely no reason to set the MTU of your VLANs to 1496. Don’t do that, either. The L2MTU of the ethernet interfaces can more than handle the additional 4 bytes for the VLAN tag / ethertype prefixed to each tagged frame.


Thanks for your quick and clear answer! I will correct my config and give it a try as soon as possible.


I am pretty sure I did not manually set those MTUs. Is it possible that the value was adapted by RouterOS? Should I explicitly set an MTU of 1500?

This is the source of your problem:

/interface ethernet
set [ find default-name=ether2 ] > l2mtu=1500 > poe-out=off

Unless there are very specific needs, it should never be necessary to change l2mtu settings on any of the ports/interfaces.


Well either you did monkey with the MTUs, and have forgotten OR someone else configured the router.

Indeed, I did some experiments on changing an MTU value and I forgot to remove the setting. I was not suspecting it could have such an influence on other ports and other settings. Thank you for spotting it.

The chain of dependencies goes like this: L3MTU has to be lower than L2MTU, with the maximum possible size being (L2MTU - additional L2 overhead). With plain ethernet there’s no additional L2 overhead, and with the standard IP MTU of 1500 bytes (which includes L3 headers), setting L2MTU to 1500 works.
If you add VLANs, which introduce an additional L2 overhead of 4 bytes (802.1Q header), things change. If you want to maintain L3MTU at 1500 bytes, then L2MTU has to increase by at least 4 bytes to 1504. If it’s not increased, then L3MTU gets decreased to the maximum possible value, in your (flawed) case that’s 1500-4=1496 bytes.

Next: in a bridged/switched environment all collaborating devices have to use the same L3 MTU … so that the largest packets can be received by any device. If your bridged port is only capable of supporting an L3MTU of 1496, then the bridge interface (the interface which allows ROS to communicate with devices in the same IP subnet) can only have an L3MTU that big. And ROS does set it automatically (as it should).

As I wrote in my previous post: one should not mess with MTU values unless the need for it is clear and obvious. And that’s true for both L2MTU and L3MTU. Furthermore, switch chips use available memory (most often part of the ASIC itself, so it’s not expandable) in certain optimally-sized chunks, and the size of those chunks differs between different switch chips. So it’s generally best to leave the setting at factory default as long as it’s large enough to support the required L3MTU (even if it seems too big, like 1598 for plain VLANs with an L3MTU of 1500).

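NathanA's two rules (PVID-only for the untagged VLAN, no hand-set untagged lists, and never a PVID that is also tagged on the same port) and mkx's MTU chain can be checked mechanically against an export instead of by eye. The following linter is an added example, not code from the thread or from MikroTik: it joins RouterOS backslash line continuations, collects the key=value pairs of each add/set command per section, and reports a port whose pvid is also in a VLAN's tagged list for that port, any explicit untagged= list, an explicit l2mtu on an Ethernet port or a VLAN interface whose MTU has dropped below 1500, and the same IP address configured on two interfaces (the bridge/BASE overlap the OP asks about further down). The embedded export is a constructed, cut-down version of the first config, not the full one.

```python
import re
from collections import defaultdict

# key=value tokens: the value is either a "quoted string" or a run of non-space characters
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_export(text):
    """Parse a RouterOS export into {section: [entry, ...]}.

    Continuation lines (trailing backslash) are joined first; each add/set
    command becomes a dict of its key=value pairs. A 'set [ find default-name=X ]'
    command contributes default-name=X, which is enough to identify the interface.
    """
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()   # glue continuation onto the previous line
        else:
            lines.append(raw.rstrip())
    sections = defaultdict(list)
    section = None
    for line in lines:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()                      # e.g. "/interface bridge vlan"
            continue
        verb, _, rest = line.partition(" ")
        if verb in ("add", "set"):
            sections[section].append({k: q or u for k, q, u in KV_RE.findall(rest)})
    return sections


def check_pvid_vs_tagged(cfg):
    """A port's pvid must not also be a VLAN that is tagged on that same port."""
    findings = []
    vlans = cfg.get("/interface bridge vlan", [])
    for port in cfg.get("/interface bridge port", []):
        name, pvid = port.get("interface"), port.get("pvid", "1")   # ROS default pvid is 1
        for v in vlans:
            if pvid in v.get("vlan-ids", "").split(",") and name in v.get("tagged", "").split(","):
                findings.append(f"{name}: pvid {pvid} is also tagged on that port")
    return findings


def check_manual_untagged(cfg):
    """Untagged membership should come from the port pvid, not an untagged= list."""
    return [f"VLAN {v.get('vlan-ids')}: untagged={v['untagged']} set by hand"
            for v in cfg.get("/interface bridge vlan", []) if v.get("untagged")]


def check_mtu_settings(cfg):
    """Explicit l2mtu on a port, or a VLAN interface squeezed below 1500 by it."""
    findings = []
    for e in cfg.get("/interface ethernet", []):
        if "l2mtu" in e:
            findings.append(f"{e.get('default-name', e.get('name'))}: l2mtu={e['l2mtu']} set explicitly")
    for v in cfg.get("/interface vlan", []):
        if int(v.get("mtu", "1500")) < 1500:
            findings.append(f"{v['name']}: mtu={v['mtu']} (no room for the 4-byte 802.1Q tag)")
    return findings


def check_duplicate_addresses(cfg):
    """The same address on two router interfaces (bridge and a VLAN, for instance)."""
    seen = defaultdict(list)
    for a in cfg.get("/ip address", []):
        seen[a["address"]].append(a["interface"])
    return [f"{addr} configured on {', '.join(ifs)}" for addr, ifs in seen.items() if len(ifs) > 1]


def lint(text):
    cfg = parse_export(text)
    return {
        "pvid_vs_tagged": check_pvid_vs_tagged(cfg),
        "manual_untagged": check_manual_untagged(cfg),
        "mtu": check_mtu_settings(cfg),
        "duplicate_addresses": check_duplicate_addresses(cfg),
    }


# Constructed sample modelled on the thread's first export (trimmed, not the OP's full config).
SAMPLE_EXPORT = r"""# constructed sample
/interface ethernet
set [ find default-name=ether2 ] l2mtu=1500 poe-out=off
/interface vlan
add interface=bridge mtu=1496 name=BASE vlan-id=10
add interface=bridge mtu=1496 name=DMZ vlan-id=42
/interface bridge port
add bridge=bridge interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=42
/interface bridge vlan
add bridge=bridge comment=Base tagged=bridge,ether1,ether6 untagged=\
    ether2 vlan-ids=10
add bridge=bridge comment=DMZ tagged=bridge,ether1,ether6 untagged=ether7 \
    vlan-ids=42
/ip address
add address=10.9.8.1/22 interface=bridge network=10.9.8.0
add address=10.9.8.1/22 interface=BASE network=10.9.8.0
add address=10.9.40.1/22 interface=DMZ network=10.9.40.0
"""

if __name__ == "__main__":
    for check, findings in lint(SAMPLE_EXPORT).items():
        for f in findings:
            print(f"[{check}] {f}")
```

Run it against your own export (`/export` output pasted into a file) by calling `lint(open(path).read())`; an empty list for every check is what a config following the advice above should produce.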

I corrected my config as suggested by NathanA and mkx (copied below), but I am still experiencing a lot of issues: some internet addresses are not reachable anymore. The effect seems to be random. For example google search is still accessible, but not the MikroTik forum.

I don’t think it is a DNS issue. When pinging around, the DNS resolution is correct but all packets are lost. When forcing IPv6 the issues are worse.

I tried using a machine directly connected to a trunk port (since I still admit untagged packets) and most issues did not appear. Could it be a firewall problem?

In the config I noticed something weird (at least for a beginner such as myself). The bridge and the VLAN BASE have the same IP. Is this expected?

What steps should I take to isolate the cause of the problem (instead of just whining in this nice forum)?

# 2025-03-24 12:28:51 by RouterOS 7.17.2
#
# model = RB5009UPr+S+
/interface bridge
add admin-mac=D4:01:C3:5E:BC:A3 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
/interface wireguard
add comment="Roadwarrior VPN to LAN" listen-port=13231 mtu=1420 name=\
    wireguard1
/interface vlan
add interface=bridge name=BASE vlan-id=10
add interface=bridge name=DMZ vlan-id=42
add interface=bridge name=JAIL vlan-id=66
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=BASE_POOL ranges=10.9.9.100-10.9.9.254
add name=DMZ_POOL ranges=10.9.42.2-10.9.42.254
add name=JAIL_POOL ranges=10.9.66.2-10.9.66.254
/ip dhcp-server
add address-pool=BASE_POOL interface=BASE lease-time=1d name=LAN_DHCP
add address-pool=DMZ_POOL interface=DMZ name=DMZ_DHCP
add address-pool=JAIL_POOL interface=JAIL name=JAIL_DHCP
/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether7 internal-path-cost=10 path-cost=10 pvid=42
add bridge=bridge interface=ether8 internal-path-cost=10 path-cost=10 pvid=42
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether6 vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether6 vlan-ids=42
add bridge=bridge tagged=bridge,ether1 vlan-ids=66
/interface list member
add interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add interface=wireguard1 list=LAN
add interface=BASE list=LAN
/interface ovpn-server server
add mac-address=FE:78:80:A8:78:03 name=ovpn-server1
/interface wireguard peers
add allowed-address=10.10.10.2/32  interface=\
    wireguard1 name=XYZ public-key=XYZ
/ip address
add address=10.9.8.1/22 interface=bridge network=10.9.8.0
add address=10.10.10.1/24 comment=VPN interface=wireguard1 network=10.10.10.0
add address=10.9.8.1/22 interface=BASE network=10.9.8.0
add address=10.9.40.1/22 interface=DMZ network=10.9.40.0
add address=10.9.64.1/22 interface=JAIL network=10.9.64.0
/ip dhcp-client
add interface=sfp-sfpplus1
/ip dhcp-server lease
add address=10.9.8.2 comment=WifiAP mac-address=XYZ server=LAN_DHCP
# Other static leases removed
/ip dhcp-server network
add address=10.9.8.0/22 dns-server=10.9.8.1 gateway=10.9.8.1
add address=10.9.40.0/22 dns-server=10.9.40.1 gateway=10.9.40.1
add address=10.9.64.0/22 dns-server=10.9.64.1 gateway=10.9.64.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB
/ip dns adlist
add ssl-verify=no url=\
    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Accept incoming wireguard" dst-port=\
    13231 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "Accept all wireguard incoming traffic" disabled=yes in-interface=\
    wireguard1 src-address=10.9.8.224/27
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 in-interface-list=\
    WAN protocol=tcp to-addresses=10.9.11.3 to-ports=5060
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 address
add address=::1 from-pool=general-pool6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=sfp-sfpplus1 pool-name=general-pool6 \
    request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] interface=bridge ra-interval=20s-1m
/system clock
set time-zone-name=Europe/Zurich
/system leds
set 0 leds=user-led type=off
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

In a VLAN world your bridge shouldn’t have an IP Address.

Also, bridge shouldn’t be part of an interface list:

/interface list member
add interface=bridge list=LAN

You use both IPv4 and IPv6, so you might want to check how non-working (as well as working) websites resolve.

Update:
Thanks for clarifying my statement, @sindy! I tried to be as @anav as possible :laughing:

Since there are /interface/bridge/port rows with the default value of pvid (1) and bridge-the-port also has pvid set to the default value 1, there is nothing wrong about having an IP address attached to bridge-the-router-interface directly. If you wanted to use bridge (the port) as a 100% trunk one (i.e. not a hybrid one), you would have to set ingress-filtering to yes (the default in ROS 7.x) and frame-types to admit-only-vlan-tagged (the default is admit-all), and attach an /interface/vlan for VLAN 1 to bridge-the-router-interface. Or instead replace VLAN ID 1 by some other one everywhere except bridge-the-port's pvid and attach an /interface/vlan for that other VLAN ID to bridge-the-router-interface.


@sindy @erlinden I thought I was starting to understand, but I am lost again :confused:

I am not sure about the difference between a purely trunk bridge-the-port and a hybrid bridge-the-port. Why would I choose one configuration over the other?

In my case, I am willing to remove the bridge IP address and keep only the VLAN one. But I am not sure about the order of config modifications I should perform to avoid locking myself out… (again)

What is the simplest action I could take to get something working?

I am not sindy or erlinden but…

You should realize that the switching/bridging and the routing parts of the configuration are done separately. The bridge as an interface is simply the CPU facing port of the switch/bridge. Other than that the Linux guys decided to overload the name of the bridge with this port (which you just have to learn to accept), there is no additional magic going on. (Ok, there are some edge cases, but probably those will not bite you just yet.)

Therefore it is totally fine to configure the bridge interface (as a bridge port itself) to be either an access port, a trunk port or hybrid.

I usually configure it as purely trunk. That is, set ingress filtering to yes, allow-only-vlan-tagged and add vlans to the bridge interface. And this is what I will suggest to you as well. (This is actually the config that most managed switches with easier to use config interfaces do implicitly.)

The usual suggestion is to remove a port from the bridge and enable whatever access you need from that port. This allows you to configure all things bridge-related without locking yourself out, even if you mess up any part of your configuration. After you have configured everything to your liking - and verified it -, what you do with that port (leave it as-is, or use it as part of your bridge) is totally up to you.

I think that having a well understood and later easily extendable configuration is more important than doing it as quickly as possible :slight_smile:

Bridges and the associated VLAN behavior are not that complicated, and once it “clicks” it will seem quite natural going forward. However, to gain such understanding you have to suffer a bit.


Sorry for blurring the picture for you, my response was mainly triggered by @erlinden as I am kind of tired of everyone treating VLAN 1 as black magic that has to be avoided by all means, hence that approach spreads as a meme (in the meaning of a “human software” virus, not the funny picture with a caption), becoming a self-fulfilling prophecy. There is no magic - it’s just that many vendors think it is a good idea not to show default values in the configuration export unless you explicitly ask for them to be shown, so VLAN ID 1, being the default value for pvid on all switch ports probably for all vendors, stays out of the mind map until you start thinking about VLANs as a whole. And once you start, “hidden” easily transforms into “missing”.

Otherwise, @lurker888 has said it all.


Many thanks to all. I managed to get every VLAN and the IPv4 stack running. The instability came from the fact that I started with a working config and tried to modify it, introducing contradictions (and several nodes with the same IP address). I finished by implementing all your advice on a freshly reset router. Still struggling to get the IPv6 stack running, but that will be my next challenge.

If you don’t mind me hijacking the thread a bit about vlan 1. I fully agree with @sindy, that “don’t use vlan 1” has become somewhat of a meme on this forum, and I also agree that memes in and of themselves are often not very useful.

However this does have some basis in reality. In most switches that are VLAN aware all packets are internally VLAN tagged, and in fact this is exactly how bridges with VLAN filtering enabled work in Mikrotiks as well. That means that if you want to handle bridging between untagged ports, you have to assign a VLAN to them internally (possibly with only access ports attached). It is customary to reserve vlan 1 for this purpose. (I believe this comes from the first Catalyst switches, which basically defined what we mean by managed switches today.)

On Mikrotiks any vlan id can be used for this purpose, but on many switches, especially the so-called smart (or easy smart, etc.) switches vlan 1 is sort of hard coded, so if you have to interoperate with these, vlan 1 should be handled with care. As a bonus, many of them do not differentiate vlan 1 tagged and untagged traffic correctly.


Something like this:

/interface/bridge
add name=bridge vlan-filtering=yes frame-types=admit-all  pvid=1 
/interface/bridge/port
add bridge=bridge interface=ether1 frame-types=admit-all pvid=1
add bridge=bridge interface=ether2 frame-types=admit-all pvid=1
/interface/bridge/vlan
add bridge=bridge untagged=bridge,ether1,ether2 vlan-ids=1

So when a frame, tagged with VID=1, ingresses through a bridge port (e.g. ether1), it’s admitted due to frame-types setting (and setting of ingress filtering doesn’t matter because ether1 is member of VLAN 1). And on egress (e.g. through ether2) VLAN header gets stripped because ether2 is set as untagged member of VLAN 1 … making the frame untagged.
And same happens in the opposite direction.

Oh wait … apart from the vlan-filtering=yes setting on the bridge, that’s actually the default setup of ROS devices. So while an, e.g., CRS with default config won’t mess with VID 1 (because it won’t process VLAN headers), it’ll mess with VID 1 if vlan-filtering is enabled and the rest of the configuration is not adjusted to care about tagged frames with VID 1.

Don’t get me wrong, VLAN ID 1 is as valid a VID as any other (in the range 2-4094) … but as explained many times before, there’s just too much (hidden) default config floating around that has big potential to screw the unsuspecting one. So it’s better to avoid VID 1 … because there are 4093 other VIDs to choose from.

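lurker888's pure-trunk bridge-the-port (ingress filtering on, admit-only-vlan-tagged, VLANs tagged on the bridge interface) and mkx's VID 1 walk-through above describe the same ingress/egress decisions a vlan-filtering bridge makes for every frame. The model below is an added example in Python, not RouterOS code and not from the thread: a port's pvid is treated as a dynamic untagged membership (NathanA's point 1), frame-types and ingress-filtering are applied on ingress, and on egress the 802.1Q tag is stripped, kept, or the frame dropped according to membership. The two layouts it builds are constructed for the example: mkx's default-like VID 1 setup, and a pure-trunk bridge port with access ports on VID 10/42 and a tagged-only VID 66 in the spirit of the OP's corrected config.

```python
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class Port:
    name: str
    pvid: int = 1                       # RouterOS default pvid
    frame_types: str = "admit-all"      # or admit-only-vlan-tagged / admit-only-untagged-and-priority-tagged
    ingress_filtering: bool = True      # ROS 7 default


class VlanBridge:
    """Model of /interface bridge vlan membership with vlan-filtering=yes.

    vlans maps a VID to {"tagged": {...}, "untagged": {...}} as configured under
    /interface bridge vlan; a port's pvid adds it as an untagged member dynamically,
    which is why explicit untagged= lists are normally unnecessary.
    """

    def __init__(self, ports, vlans):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.vlans: Dict[int, Dict[str, Set[str]]] = vlans

    def members(self, vid):
        entry = self.vlans.get(vid, {})
        tagged = set(entry.get("tagged", ()))
        untagged = set(entry.get("untagged", ()))
        untagged |= {p.name for p in self.ports.values() if p.pvid == vid}
        return tagged, untagged

    def ingress(self, port_name, vid):
        """Return ('admit', effective_vid) or ('drop:<reason>', None)."""
        port = self.ports[port_name]
        if vid in (None, 0):            # untagged or priority-tagged (VID 0) frame
            if port.frame_types == "admit-only-vlan-tagged":
                return "drop:frame-types", None
            vid = port.pvid             # classified into the port's pvid
        elif port.frame_types == "admit-only-untagged-and-priority-tagged":
            return "drop:frame-types", None
        tagged, untagged = self.members(vid)
        if port.ingress_filtering and port_name not in tagged | untagged:
            return "drop:ingress-filtering", None
        return "admit", vid

    def egress(self, port_name, vid):
        tagged, untagged = self.members(vid)
        if port_name in untagged:
            return "forward:untagged"   # 802.1Q header stripped on the way out
        if port_name in tagged:
            return "forward:tagged"     # header kept (or added for a pvid-classified frame)
        return "drop:not-member"

    def forward(self, in_port, vid, out_port):
        decision, eff_vid = self.ingress(in_port, vid)
        if decision != "admit":
            return decision
        return self.egress(out_port, eff_vid)


def mkx_vid1_bridge():
    """mkx's snippet: every port pvid 1, admit-all, VID 1 untagged on bridge, ether1, ether2."""
    ports = [Port("bridge"), Port("ether1"), Port("ether2")]
    return VlanBridge(ports, {1: {"untagged": {"bridge", "ether1", "ether2"}}})


def pure_trunk_bridge():
    """Constructed layout: tagged-only bridge port, ether1 trunk (pvid left at 1), access ports."""
    ports = [
        Port("bridge", frame_types="admit-only-vlan-tagged"),
        Port("ether1"),
        Port("ether2", pvid=10),
        Port("ether7", pvid=42),
    ]
    vlans = {
        10: {"tagged": {"bridge", "ether1"}},
        42: {"tagged": {"bridge", "ether1"}},
        66: {"tagged": {"bridge", "ether1"}},   # tagged-only VLAN, no access port
    }
    return VlanBridge(ports, vlans)


if __name__ == "__main__":
    b = mkx_vid1_bridge()
    print("VID 1 tagged in ether1 -> ether2:", b.forward("ether1", 1, "ether2"))
    t = pure_trunk_bridge()
    print("untagged in ether2 -> CPU:", t.forward("ether2", None, "bridge"))
    print("untagged frame from CPU:", t.forward("bridge", None, "ether2"))
    print("VID 42 tagged in on access port ether2:", t.forward("ether2", 42, "ether1"))
    print("VID 66 from trunk to access port:", t.forward("ether1", 66, "ether2"))
```

The model deliberately does not define what happens when a port's pvid is also in that VLAN's tagged list, since the thread calls that behaviour undefined; with both memberships present the untagged branch simply wins here, which is one more reason not to configure it.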

Perhaps this is what you are getting at, but most of these aforementioned switches will reserve VID 1 as an “untagged” VLAN, and likely will either not accept (or egress) tags on a trunk port with VID=1 (because it won’t allow you to configure that as a valid trunk tagged ID to begin with), and/or receiving a packet tagged with VID=1 on a trunk port may result in undefined (possibly bad) behavior. The only real “interoperational” consideration you should need to make, therefore, is simply don’t utilize VID of 1 in any of your switches for anything other than the common untagged VLAN that exists between trunk ports.

And on MTs specifically, because VID 1 is by default attached (untagged) to the CPU-facing switch port, best practice is to leave it as PVID for any trunk port, if only so that when you %#@#$ something up and forgot to set Safe Mode, you don’t have to worry about whether you happened to remember to trunk whatever your trunk port(s)’ PVIDs are to the CPU or not, allowing you to MAC-Winbox back in to fix your mistake. :slightly_smiling_face:

You have stated exactly the interoperability concern I was talking about :slight_smile:

How is it “reserved”? Or, how is “bridging between access ports to VLAN XYZ” different from “bridging between untagged ports”? What would be the purpose of a managed switch if you could not make an “untagged port” (= access one) a member of whatever VLAN you want?

I was a little confused by the wording, too, because of course you can set any access port to be a member of whatever VLAN-ID you want. But I think all he was possibly trying to communicate was that on not a few managed switches, it’s simply impossible to get it to tag anything from VLAN-ID 1 on egress, or to accept any packets tagged with VLAN-ID 1 on ingress. So VID 1 is effectively only able to be used on such switches either as the default access port VLAN, or as the untagged VLAN on a trunk port. That being the case, if you are going to include such switches in your mix, you might as well just treat VLAN 1 across all of your switches as “THE untagged VLAN on trunk ports”, for the sake of consistency.