Also my personal opinion, but with the current version of RouterOS 7, I don’t really see the appeal of moving a port out of the bridge for management anymore. It’s not more complicated or error prone to keep the management port in the bridge at all.
Let’s look at the starting point of the defconf configuration where most of the ports are in the default bridge bridge and some other ports are WAN ports. Instead of moving a port out of the bridge, my “guide” would be the following, based on your guide:
- Add a VLAN 999 interface as management interface:
  /interface vlan add interface=bridge name=vlan-mgmt vlan-id=999
- Configure stuff for vlan-mgmt similar to your guide (/ip address, optionally /ip pool, /ip dhcp-server, /ip dhcp-server network), add vlan-mgmt to LAN or MGMT (again, exactly like your guide)
- Now is the step that differs from yours: Set PVID of ether5 to 999 and make sure frame-types is the default admit-all (no need to change if starting from defconf) or admit-only-untagged-and-priority-tagged:
  /interface bridge port set [find interface=ether5] frame-types=admit-all pvid=999
  I prefer admit-all so that in the future I can use this management port as hybrid port and test multiple VLANs with my PC plugged to this port (Windows and Linux all support tagged VLANs).
Now you can do whatever other setups as you wish. As long as the bridge still has vlan-filtering=no as the starting value, the behavior of this port has not changed (still in the IP subnet of the original bridge interface). Once you turn on vlan-filtering=yes, this port behaves exactly the same as the port that you’ve taken out of the bridge from your guide. But with the following advantages:
- It’s in the bridge so can have hardware offload with most of MikroTik devices with support for Bridge VLAN Filtering HW offload.
- You don’t have to play DJ with your cable and ports while doing the configuration move, the PC used for configuration can be plugged to that same port from the beginning. If you use MAC WinBox to connect to the router then you don’t even have to do anything when switching from vlan-filtering=no to vlan-filtering=yes, WinBox will be shortly disconnected and will reconnect automatically. This is useful if your device is in a cabinet or in another room.
- You have also already created your management VLAN, ready to be moved to other ports / switches.
- You can use the port to test the other VLANs (or have quick access to other VLANs) in the future, as hybrid port. Also, in case you run out of ports in the future and no longer have the luxury of a dedicated port for management, then the config change is much easier. You don’t need to hunt your config and remove the added entries that directly reference ether5 at all.
Again, the difference in the steps required to be taken is instead of removing a port from the bridge, we add an entry under /interface vlan and change the pvid value of a port.
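
An added example, not part of the original post: a pre-flight check, run over the text of a RouterOS `/export`, that reports why the management port from the steps above would lose access once vlan-filtering=yes is set. The export sample is constructed, the function names are hypothetical, and the last check (the bridge itself being a tagged member of VLAN 999 under /interface bridge vlan) reflects how RouterOS bridge VLAN filtering delivers frames to a VLAN interface; the post does not state it.

```python
import shlex

# Constructed sample of `/export` output (not taken from the post).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=no
/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=999
/interface bridge port
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5 pvid=999
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=999
"""

def parse_export(text):
    """Map each menu path to the list of key=value dicts of its add/set lines."""
    menus, menu = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join continuation lines
        line = line.strip()
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
        elif menu and line.startswith(("add ", "set ")):
            menus[menu].append(dict(t.split("=", 1) for t in shlex.split(line) if "=" in t))
    return menus

def mgmt_lockout_risks(text, port="ether5", vid="999", bridge="bridge"):
    """List reasons the management port would lose access once vlan-filtering=yes."""
    m, risks = parse_export(text), []
    ports = [p for p in m.get("/interface bridge port", []) if p.get("interface") == port]
    if not ports:
        risks.append(f"{port} is not a port of a bridge")
    elif ports[0].get("pvid", "1") != vid:  # export omits the default pvid=1
        risks.append(f"{port} has pvid={ports[0].get('pvid', '1')}, expected {vid}")
    elif ports[0].get("frame-types") == "admit-only-vlan-tagged":
        risks.append(f"{port} drops untagged frames, so the PVID is never applied")
    if not any(v.get("interface") == bridge and v.get("vlan-id") == vid
               for v in m.get("/interface vlan", [])):
        risks.append(f"no VLAN {vid} interface on {bridge}")
    # Assumption: VLAN ids and tagged ports are comma-separated lists, not ranges.
    if not any(v.get("bridge") == bridge and vid in v.get("vlan-ids", "").split(",")
               and bridge in v.get("tagged", "").split(",")
               for v in m.get("/interface bridge vlan", [])):
        risks.append(f"{bridge} is not a tagged member of VLAN {vid}")
    return risks

if __name__ == "__main__":
    print(mgmt_lockout_risks(SAMPLE_EXPORT) or "no lockout risk found")
```

An empty list means the three prerequisites are in place; each string in a non-empty list names one to fix before flipping vlan-filtering.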