RouterOS bridge mysteries discussed - incl. diagrams

Like so many others I have struggled to make sense of the mysteries of setting up RouterOS with vlans for a SOHO. Mikrotik documentation is less than ideal. This post and the one by @pcunite Using RouterOS to VLAN your network have been very helpful. I think better with pictures so following the abstraction of @sindy I have diagrammed a vlan setup and noted the CLI commands that affect each element. My hope is that this will be useful to others. I think I have this right. Please correct me, if not.

Addendum: I've made a correction to the diagram. Adding a trunk between BR1 and the virtual switch block.

1. Create Bridge
   • Creates a virtual router interface with same name
   • That interface accepts frames with or without a vlan-id
   • vlan interface behaviors are turned on with 'vlan-filtering=yes'

   /interface bridge
   add name=BR1 vlan-filtering=yes

2. Create VLANs
   • Create a virtual switch vlan interface and a path to a virtual router interface

   /interface vlan
   add interface=BR1 name=VLAN10 vlan-id=10
   add interface=BR1 name=VLAN20 vlan-id=20

3. Create Physical Interface
   • Associates a pvid with a physical port
   • Specify ingress behavior (access vs trunk)
   • Trunk default: Reject on entry a frame without a vlan-id
      or with a vlan-id not associated with the trunk interface.
      Can explicitly set this with 'ingress-filtering=yes/no'

   /interface bridge port
   # access
   add bridge=BR1 interface=ether2 frame-types=admit-only-untagged-and-priority-tagged pvid=10
   
   add bridge=BR1 interface=ether4 frame-types=admit-only-untagged-and-priority-tagged pvid=20
   
   # trunk (defaults to pvid=1)
   add bridge=BR1 interface=sfp1 frame-types=admit-only-vlan-tagged

4. Trunk egress behavior
   • The tagged interfaces drop frames without a vlan-id
   • Frames with a vlan_id associated with the interface are allowed through
   • The BR1 interface combines features of trunk and access interfaces

   /interface bridge vlan
   add bridge=BR1 tagged=spf,BR1 vlan-ids=10
   add bridge=BR1 tagged=spf vlan-ids=20

5. Addresses
   • Add IP addresses to interfaces for IP routing (L3)

   /ip address
   add interface=VLAN10 address=10.10.0.1/24 network=10.10.0.0
   add interface=VLAN20 address=10.20.0.1/24 network=10.20.0.0
   add interface=BR1 address=192.168.88.1/24 network=192.168.88.0

@DocPneumo, the /interface vlan is misplaced on your diagram. It is a part of the virtual router - it is attached to the "switch-facing interface of the router", not to the "router-facing port of the bridge". Think about the case when there is no bridge and the /interface vlan is attached directly to an Ethernet or L2 tunnel interface.

Also, you are mixing multiple perspectives in a single drawing. As soon as you start thinking of a VLAN as of a collection of ports and visualise that using separate "bubbles" for VLAN 10 and VLAN 20, you have to extend those bubbles also to the router part as an overlay layer.

I'm confused. This is my visual representation of my understanding of your reply:

My intent was to build on your abstraction in the original post. To understand setting up vlans on my network, I need a visual map to understand what the RouterOS cli commands are doing. Let me walk through my thought process.

When a VLAN is not present the virtual switch block handles most communication between devices connected to the physical ports and passes frames it cannot handle to the virtual router block for L3 handling. The communication with the router is via the “router-facing port of the bridge” connected to the “switch-facing interface of the router”.

The intent of a VLAN is to provide useful segregation of elements of a LAN. But in principle handling of data between VLAN members and to the outside world is parallel to the handling of data for the LAN without VLANs.

With that in mind I think of VLANs as grouping the handling of frames based on physical interface characteristics:
• Access interfaces have an assigned pvid and set the incoming frame vid value to match and unset the vid when the frame exits in the opposite direction.
• Trunk interfaces require incoming frames to have the vid to be set to one of the vlan-ids associated with that interface. The vid is not changed as the frame is passed on to handling by the virtual switch body.
• A frame arriving via a trunk port is grouped with frames with the same vid for handling

Frames that cannot be forwarded to a destination within the vlan-id group are passed to the virtual router block. I visualize that path as provided by the bridge. A virtual router-facing switch port (connected logically with the vlan-id group to which the frame belongs) sends the frame to a virtual switch-facing interface on the router block.

On my diagram the upper and lower green bubbles simply represent the vlan-id groupings of frames. The central bubble represents the frames as they arrive via the trunk before being distributed to the vlan-id bubbles. But these bubbles are “contained” within the virtual switch block.

Creation of the bridge, BR1, also creates a virtual switch-facing interface that is, unfortunately, also named BR1. In this abstraction that interface needs to communicate with the vlan-id groups via ports associated with the groups. I have named these VLAN10 & VLAN20 in this diagram. They are part of the bridge but I think they should be associated with the appropriate vlan-id bubbles for the visual abstraction to work.

I understand that the code beneath the covers of this abstraction may be up to something quite different than the abstraction’s description. However, the point of an abstraction is to simplify the view of the particular world to allow us to function successfully within it the vast majority of the time. When the abstraction fails then it is time to look deeper.

While I admire and am grateful to sindy and DocPneumo and everyone else on this thread and elsewhere, this is just more evidence that these concepts are either unbearably incomprehensible or we are in desperate need of a new way to think about (conceptualize), explain, and discuss them.

I don't have the solution, and I can't say I fully understand the problem, but I know there is a (huge) problem.

Maybe skim this Question related to “RouterOS bridge mysteries explained”

I would respectfully disagree. There is a long history behind the Linux bridge concept, and it does deviate from most other vendors' similar constructs.

The concept itself however is not illogical or particularly complex.

I detect a huge amount of learned helplessness around the topic, which is more related to the sheer number of tutorials and amount of cautionary advice given to newcomers than to any inherent difficulty.

I am cautious in saying this, but in my estimation, even this forum - despite everyone's best intentions - seems to further perpetuate this.

Wow! "Learned helpnesses" is the (partial) explanation for so very many people, myself included, having an extremely difficult time learning a concept?

I know your intention is honorable (i.e., to clarify the situation and help people understand this), but now it's my time to respectfully disagree: I would love to understand the bridge concept and VLANs as well as you and some other here understand them, and I have indeed tried, and have deeply learned a tremendously broad array of things in my lifetime, so I wonder if that which you are perceiving as learned helplessness is actually an expected and reasonable level of confusion and frustration related to learning this (what I confidently believe is an) extremely difficult concept.

Hence my conclusion that we need another way to conceive of, think about, explain, and discuss these concepts.

And, yes, I have read so much and watched so many videos. And each author/presenter very confidently explains things in a way that sends the message that it is easy and simple to understand if the reader/viewer just pays attention. Well, the volume of articles, threads, and videos is solid proof that the previous body of articles, threads, and videos were not sufficient.

@sindy Does this correctly depict what you are describing?

That is much closer, nil meaning untagged. There is some multiplexing/demultiplexing done at the junction. Traditionally it would show BR1 as the parent of VLAN10 and VLAN20.

Note that this is showing what happens when vlan-filtering is active. vlan-filtering affects the "green" righthand side, and when not active, makes the switch part behave differently. It becomes vlan-transparent; when vlan-filtering=off the switch part just ignores the contents of the ethertype field; it doesn't process frames with ethertype 0x8100 any differently than it does frames with ethertype 0x0800. When vlan-filtering is inactive, the switch essentially treats every port identically, and does not modify any frames; if an ethernet frame is received tagged, the frame will egress from the switch-port tagged (on all ports).

Depending how detailed you want to get, it can get very messy. For example, this does not indicate the pvid of the two "Hybrid Interfaces", it shows it as if they are 1 (which is the default). It is probably best to start with less details and then let people grasp the main concept first (what Mikrotik uses for defaults). Then possibly cover what happens when frames-types, ingress-filtering, pvid, etc, are changed.

I think the key is understanding how vlans are processed in general, since that also applies to the "special" bridge interface (that also does more than a single ethernet port does). The vlan interfaces are there to "normalize" the traffic so the IP stack doesn't need to; the IP stack can treat VLAN10 just like it does ether5 (not in bridge) or BR1. I would have drawn it with BR1 closest to the "virtual trunk link" between the left "router" side and the right "switch" side. But I think that your diagram shows conceptually what things do, and it may be easier to understand because from the IP stack's point of view, BR1, VLAN10 and VLAN20 are all the same. The demultiplexing may not really be done by the switch-facing interface of the router personality of the BR1 device anyway. BR1 is tightly coupled to any of its subinterfaces, but I am not sure exactly how the flow works under the covers. Maybe @sindy does know.

https://developers.redhat.com/blog/2018/10/22/introduction-to-linux-interfaces-for-virtual-networking#vlan

The IP stack itself doesn't know about MAC addresses; it is at a higher layer that deals with ip addresses.

The google query what happens when an ethernet frame arrives at a device in linux? How does it demultiplex vlans

Following is what I got today (2025-09-18), and in my opinion, it is a reasonably good description. Some details are left out, but they aren't important for conceptual understanding; e.g. it leaves out details like the offloading done in most ethernet adapters. e.g. unless promiscuous mode is active, the ethernet adapter hardware usually discards received unicast frames that don't match its own MAC, so it never interrupts the CPU to process them. But the AI overview did a reasonably good job here in my opinion.

image672×728 52.1 KB

image677×670 44 KB

The above doesn't cover what happens when there is no tag. But the following example does.

Oddly, asking the same question multiple times doesn't get the same AI Overview.

image653×362 25.2 KB

So I would put VLAN10 and VLAN20 as "subinterfaces" to the BR1 device. The primary thing the subinterfaces do is add a tag on egress, and remove it on ingress. But there is extra "protocol demultiplexing" processing on ingress that looks at the ethertype on the frame. See above.

Thanks. That really helps. I will fiddle the diagram to shift the bridge interface but I agree this is reaching the limits of useful visual detail. I will post if it seems useful.

Convention:

1. Create Bridge

   • creates a virtual router interface with same name (BR1)
   • That interface accepts frames with or without a vlan-id
   • vlan interface behaviors are turned on with vlan-filtering=yes

   /interface bridge
   add name=BR1 vlan-filtering=yes

2. Create VLANs

   • Create ‘sub’ interface on the switch-facing router interface associated with a vlan-id
   • The switch-facing router interface becomes a ‘hybrid’ interface

   /interface vlan
   add interface=BR1 name=VLAN10 vlan-id=10
   add interface=BR1 name=VLAN20 vlan-id=20

3. Set Physical Port relationship to vlans

   • Access ports have an associated pvid
   • Specify ingress behavior (access vs trunk)
   • Trunk default behavior:
     • Reject on ingress a frame without a vlan-id
     • ingress-filtering defaults to yes. This rejects frames tagged with vlan-id
       not associated with a vlan sub-interface on the switch facing router interface.
   • Anonymous sub-ports are created on the router-facing switch port

   /interface bridge port
   # access
   add bridge=BR1 interface=ether2 frame-types=admit-only-untagged-and-priority-tagged pvid=10
   add bridge=BR1 interface=ether4 frame-types=admit-only-untagged-and-priority-tagged pvid=20
   #trunk (defaults to pvid=1)
   add bridge=BR1 interface=sfp1 frame-types=admit-only-vlan-tagged

4. Trunk egress behavior

   • The tagged interfaces drop frames without a vlan-id
   • Frames with a vlan_id associated with the interface are allowed through

   /interface bridge vlan
   add bridge=BR1 tagged=spf,BR1 vlan-ids=10
   add bridge=BR1 tagged=spf vlan-ids=20

5. Addresses

   • Add IP addresses to interfaces for IP routing (L3)

   /ip address
   add interface=VLAN10 address=10.10.0.1/24 network=10.10.0.0
   add interface=VLAN20 address=10.20.0.1/24 network=10.20.0.0
   add interface=BR1 address=192.168.88.1/24 network=192.168.88.0

Maybe it is time to create a discussion topic for vlan-aware bridge mysteries discussed (some may think "disgust" would be a better word than "discussed")

This topic is already quite long.

After things are discussed and there is some consensus, then we can put the final result here, or have @sindy add to an existing post near the top of this thread.

Few people will get through the whole thread. And there will probably be a lot of back and forth in the discussion before consensus is reached.

I can shift my last reply to a new topic if you think that would be a good start.

I would start with the post right after Josephny's post.

I don't know if it is possible for a moderator to move posts or not.

Otherwise, we can repost them in the other thread, then after we are sure they are there, we could delete from here.

Or start with the last diagram and a link to this thread and post where the discussion started.

e.g. RouterOS bridge mysteries explained - #95

I have copied my last reply to Vlan-aware bridge mysteries.

15 posts split coming from RouterOS bridge mysteries explained - #95

The diagram is much closer now, but let me repeat that an /interface vlan belongs to the router part of the configuration, not to the bridge one, and the diagram should reflect that.

An abstraction can be simplifying but it must not be misleading.

Elaboration: You can attach an /interface vlan not only to a "bridge-the-switch-facing-interface-of-a-router" but to any L2 interface, physical or virtual (tunnel, bond, ...), that is not a member of any bridge (and even must not be if you want to attach an /interface vlan to it). So even though the "bridge-the-switch-facing-interface-of-a-router" itself belongs to the bridge configuration, the eventual /interface vlan attached to it do not.

BTW:

• with the additional set of of configuration elements that RouterOS has recently started to add dynamically, this distinction became even more blurry because attaching an /interface vlan to a bridge interface in the router-related configuration now dynamically creates a row in /interface bridge vlan, so in the bridge-related configuration (but it only happens if a corresponding configuration hasn't been added manually). This is definitely both a simplification of routine configuration tasks as well as as a reduction of space for mistakes, since less manual settings are required to obtain a working configuration, but on the other hand it further hardens understanding the concept.
• I haven't mentioned more than the bare minimum of VLAN related stuff in the original post of the original topic on purpose - in my view it is an independent can of worms one should only open once they grasp the "bridgely trinity" thing completely.

I think we passed each other in the dark! I didn't see your post about splitting these into a new topic. I made my own: vlan-aware-bridge-mysteries.

The two new topics should be combined, but I am not certain how to do that other than a lot of cut and paste work followed by deletion of one of the two topics. Suggestions, guidance or help would be appreciated.

Not only I (still respectfully) disagree with your disagreement, but I can prove (remember the number of iterations, changes, refining and what not needed for the IP tables flowchart?:
The ultimate Mikrotik iptables flowchart ) that until clear, definite, simple visual maps are provided, these concepts will remain something that only a few members (like you, sindy, CGGXANNX, etc.) actually fully understand, for all other people it is either a "perceived understanding" (they think they have understood It but in reality they only can solve some specific problems) or a "suspended not-understanding" (my case, but I doubt I am alone).

So, this attempt by DocPneumo Is IMHO very useful and also "needed".

I actually (for a change) agree with your and @Josephny's observation in that more and importantly, much higher quality information is needed, because misunderstandings and misapplications are widespread - one only has to look at posts on this forum.

I maintain, however, that much of the confusion on the topic is due to some sort of misplaced fear or apprehension. I did not make this observation lightly. And as you put it well, much of this is due to a false "perceived understanding", that is, simply incorrect beliefs that are strongly maintained as certainties.

I would like to take the chance to give a bit of perspective around this. Make of it what you will; this is explicitly not intended as some sort of tutorial, but what I in turn strongly believe is that there are certain insights that have to be accepted (assimilated) in order to be able to gain a solid understanding.

The Mikrotik way. Every week there are posts that say that Mikrotik does vlans in some strange and incomprehensible way. This is true to the extent that Mikrotik does it differently than other major vendors. This is because they expose the way it is implemented and exposed by the Linux kernel. This is not at all surprising: they do the same with how addresses are assigned, routing is performed, firewalling is done - so basically with everything else. Sure there were (and will be) certain bugs in the implementation, but these are readily fixed. Also, there were a huge number of little attempts to make things easier to configure, such as automatic membership assignments or error messages given for common misconfigurations. The basic concept however is not broken, and from its first appearance works well. And so we come to...

The Linux way. Linux abstracts the internally implemented switch concept as bridges. For me this abstraction makes very much sense. It was, however, conceived of before managed switches (or in fact switched at all) were a common feature or networks everywhere. (Yes, I'm referring to the time when things like "thinnet" were in use.) The bridge concept dating back to this era basically denoted the software version of what we today call "dumb switches."

Next in line of the concepts is the vlan interface. These simply allow us to separate vlan tagged (with the specific tag) traffic from untagged (which appears directly on the interface) on ethernet type interfaces; also they take care of injecting them. Again, a fairly simple concept.

And now we arrive at the complication of...

VLAN-filtering. Through many years of development, industry decided on the concept of "managed switches" and formed a more-or-less universally accepted concept of what these devices so. The problem was that the Linux bridge concept didn't fit in very well with this. There were workarounds, such as attaching vlan interfaces to the ethernet ports and then bridging these. (This enabled a few features appropriately, such as independent vlan learning, but some issues were particularly nasty, such as the fact that if stp was then enabled on these bridges, stp frames actually went out tagged and per-vlan, which is not what "normal" managed switches did.) A need for a networking concept that would represent a virtual managed switch came was clear and several attempts were made to address this, such as OpenVSwitch, and many others.

The one that way the most Linuxy was the vlan-filtered bridge. Remember that Linux attempts to "never break userspace," that is: whatever came to be relied on by users (and software) should be backwards compatible. This was again kept in mind when introducing vlan filtering.

But it is very important to realize that vlan-filtered bridges bare little resemblance to the older (non-vlan-filtered) bridge concept. In fact, when it was originally introduced, almost no code was actually shared between the implementations. This makes "vlan filtering," in my eyes, one of the most misnamed features in software development, because it makes it seem like some additional feature is enabled by this setting; this is not the case, in fact an entirely different thing is brought into existence.

The concept of switch in a router. This is how it comes about that we must recognize something that we could somewhat ignore with the previous bridge concept: that there is actually a virtual switch living inside out router. There is not much to configure about a non-vlan-filtered bridge other than what ports we attach to it, but a managed switch has many more settings. In fact it is widely established that a managed switch not only can be configured, but in fact to do anything useful it must be configured.

This must lead to the recognition that in fact we have a different entity living inside the router that is separately configured and is only attached to the router proper by one of its ports (convenient called by the same name) that presents the traffic which is intended for the router itself on an interface, again conveniently called by the same name. (Together with the fact that the bridge entity is also referred to by the same name is what leads to what is commonly referred to on this forum as the "trinity of personality.")

This is what most of the colorful diagrams floating around try to capture. Usually in a slightly wrong way. This is why I think @jaclaz's reference of "perceived understanding" is spot on.

I actually plan on creating my own explanation and diagram. As usual, when I get around to it.

Hopefully this rant helps someone, even if only a bit. Sorry for the long rant.