Hello,
My ISP is providing ethernet cable to me with /29 public ipv4 prefix to my ether1 port (wan).
Is there any standard or best practice, should I enable RSTP and send bpdu packages on RouterOS bridge1 for this ether1 which is added as interface bridge port?
If not, how to not send and ignore any incoming bpdu packages?
RouterOS 7.1.2 (stable) on CRS router
I think is good to not use bpdu guard on wan port since there is possibility to shutdown the port. I also think that bridge root port should not be anyhow on WAN interface.
So, what is best practice?
I need to put public WAN Layer2 into our local network switch and vlan, so other local servers can have direct public ip address in same layer2 domain and public ipv4 subnet.
First, RTSP and RSTP are different things 
Other than that, RSTP is a Layer 2 Protocol…
More information here https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol
Although i see no topology diagram, the ethernet cable from your ISP must be connected to one of the Ports of your CRS device ( model ? ).
That WAN Port, must not be in the same Layer2 Broadcast domain with your Local Network, in simple words, your WAN port must not be a member of your Local Network ( Bridge Interface ).
So the WAN port must not be a member of Bridge Interface ports…
RSTP runs on Bridge Interfaces and Bridge member ports… Since your WAN is not a member of the Bridge ( or is it ? ) no BPDUs exist there…
Hello,
Thank you, I am talking about RSTP (it was tipfeler). I have updated original post.
I need to have public ipv4 subnet and same layer2 domain passed to local switch / vlan, so some local servers can have direct public ipv4 address.
Therefore I do have only one “bridge1” and using “bridge ports” for configuration.
So the question about using and best practices about RSTP on that WAN remains..
Here is partial config
/interface list
add name=bridge1-lan1
add name=bridge1-wan1
add name=bridge1-trunk1
/interface list member
add interface=bonding-ToSwitch list=bridge1-trunk1
add interface=ether1 list=bridge1-wan1
add interface=ether13 list=bridge1-lan1
/interface bridge
add dhcp-snooping=yes frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=lan1 vlan-id=1000
add interface=bridge1 name=wan1 vlan-id=1002
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=bridge1-wan1 pvid=1002
add bridge=bridge1 bpdu-guard=yes edge=yes-discover frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=bridge1-lan1 pvid=1000
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bridge1-trunk1
/interface bridge vlan
add bridge=bridge1 comment=lan1 tagged=bridge1,bonding-ToSwitch vlan-ids=1000
add bridge=bridge1 comment=wan1 tagged=bridge1,bonding-ToSwitch vlan-ids=1002
Maybe I can somehow specify on /interface bridge port, to not send any BPDU out, how to achieve this?
Yes you can set a Bridge port as Edge port, thus it will not send any BPDUs and will ignore the received ones…
But again, we are talking about Bridge Ports, ports that are inside the Bridge Interface…
https://help.mikrotik.com/docs/display/ROS/Bridge#Bridge-Per-portSTP
Also depending on your hardware you can drop the received BPDUs on certain ports using switch ACL rules…
Ok, so you saying that specifying edge=yes, will not send out any RSTP ?
/interface bridge port
add bridge=bridge1 edge=yes frame-types=admit-only-untagged-and-priority-tagged interface=bridge1-wan1 pvid=1002
While still having the bpdu-guard=no ?
(In case, that ISP sends me RSTP and I also want to ignore?)
Will edge=yes, work even if there is possible switch with other hosts?
I do not want to implement layer2 filtering rules to avoid performance issues.
Thank you for reference link, now I am confused 
While still having the bpdu-guard=no ?
Yes.
BPDU Guard helps to prevent BPDU related attacks and will actually disable the port if it detects a BPDU.
An example of an edge port, is a port connecting an end station, e.g. a computer. If you set as Edge a port that connects to a switch, then BPDUs wont pass to that switch and so on…