SFP on hEX PoE

Hello, a stupid beginner question:

I have hEX PoE (6.45.1) configured w/ three VLANs (3,4,9). Ports ether2 and ether5 are trunk ports (all VLANs tagged), while ports ether3 and ether4 are access ports (untagged VLAN 3 & VLAN 4 respectively).

Now I want to add a fiber SFP module to sfp1 and make it a trunk port as well.

How should I configure the device to achieve this?

I understand the SFP port is separate from the HW switch; does this affect the config somehow?

I have added sfp1 to my bridge (bridge1):

/int bri po pri
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload

INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON

0 I ;;; defconf
sfp1 bridge1 no 1 0x80 10 10 none
1 H ether3 bridge1 yes 1 0x80 10 10 none
2 H ether2-master bridge1 yes 1 0x80 10 10 none
3 H ether4 bridge1 yes 1 0x80 10 10 none
4 H ether5 bridge1 yes 1 0x80 10 10 none

Command
/int eth swi port pri
does not show the sfp1 at all.
Currently shows this:

Flags: I - invalid

NAME SWITCH VLAN-MODE VLAN-HEADER DEFAULT-VLAN-ID

0 ether1 switch1 disabled leave-as-is auto
1 ether3 switch1 secure always-strip 3
2 ether4 switch1 secure always-strip 4
3 ether5 switch1 secure add-if-missing auto
4 ether2-master switch1 secure add-if-missing auto
5 switch1-cpu switch1 secure leave-as-is auto

Also, I cannot add sfp1 to port lists on
/int ether swi vlan
Currently:

Flags: X - disabled, I - invalid

SWITCH VLAN-ID PORTS

0 switch1 3 ether2-master
ether3
ether5
switch1-cpu
1 switch1 4 ether2-master
ether4
ether5
switch1-cpu
2 switch1 9 ether2-master
ether5
switch1-cpu

So, in short, what am I doing wrong?

You can’t add the SFP to the switch as it is connected directly to the CPU, see https://i.mt.lv/cdn/rb_files/RB960PGS-161220141841.png

You appear to have the SFP in the bridge and the switch VLANs configured on the CPU port (/export hide-sensitive is generally more useful than printing settings), so it should work with the traffic passing via the CPU.

The problem is that with your current setup, the bridge is acting as a dumb switch. Any VLAN filtering should be done by other means. Those other means exist for ether ports and are performed by the switch chip. The other means don’t exist for the SFP port, attached directly to the bridge. If you simply join the SFP port to the bridge, then the SFP port will carry all VLANs available at the bridge (because switch1-cpu is a member of that VLAN), currently that’s VIDs 3, 4 and 9.

If it’s fine with you to have VID=9 tagged on the sfp1 interface as well, then just join interface sfp1 to bridge1 and you’re done. If you don’t want to have it like that, you’ll either have to give up wirespeed VLAN switching by reconfiguring everything to the bridge vlan-filtering concept (single VLAN-aware bridge which includes all ether ports as well as the SFP port), or you’ll have to go with additional bridges (one per VLAN) in a way similar to this:


# additional config
/interface bridge
add name=bridge-v3
add name=bridge-v4
/interface vlan
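# vlan-id must be set explicitly; without it RouterOS creates the interface with vlan-id=1
add name=vlan3_b1 interface=bridge1 vlan-id=3
add name=vlan4_b1 interface=bridge1 vlan-id=4
add name=vlan3_sfp interface=sfp1 vlan-id=3
add name=vlan4_sfp interface=sfp1 vlan-id=4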
/interface bridge port
add bridge=bridge-v3 interface=vlan3_b1
add bridge=bridge-v3 interface=vlan3_sfp
add bridge=bridge-v4 interface=vlan4_b1
add bridge=bridge-v4 interface=vlan4_sfp

If you are already running some IP setup on the RB on top of one of these two VLANs (and thus already have an appropriate vlan interface), you should move that IP config to the appropriate bridge.

Thanks, it works now. Currently there is no need for more fine-grained filtering, I am fine with all of the VLANs going to the fiber.
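The single VLAN-aware bridge alternative mentioned in the second reply, written out as an added example (not taken from any of the posts above) that keeps VLAN 9 off the fiber trunk. It assumes RouterOS v6 bridge VLAN filtering, the thread's bridge1 and port names, and that the router's own VLAN interfaces sit on bridge1, which is why bridge1 appears in the tagged lists. Apply it from a local console or in Safe Mode, because VLAN handling moves from the switch chip to the CPU partway through.

```routeros
# Added example: one VLAN-aware bridge, sfp1 restricted to VLANs 3 and 4.
# Assumption: VLAN interfaces for router access are attached to bridge1.

# 1. Build the VLAN table while filtering is still off.
/interface bridge
set bridge1 vlan-filtering=no

# 2. Access ports: untagged only, PVID selects the VLAN.
/interface bridge port
set [find interface=ether3] pvid=3 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
set [find interface=ether4] pvid=4 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# 3. Trunk ports: tagged frames only, dropped unless the port is a member
#    of the frame's VLAN (ingress-filtering).
set [find interface=ether2-master] ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
set [find interface=ether5] ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
set [find interface=sfp1] ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged

# 4. Per-VLAN membership. sfp1 is listed for 3 and 4 only, so VLAN 9
#    never leaves or enters through the fiber port.
/interface bridge vlan
add bridge=bridge1 vlan-ids=3 tagged=bridge1,ether2-master,ether5,sfp1 \
    untagged=ether3
add bridge=bridge1 vlan-ids=4 tagged=bridge1,ether2-master,ether5,sfp1 \
    untagged=ether4
add bridge=bridge1 vlan-ids=9 tagged=bridge1,ether2-master,ether5

# 5. Retire the switch-chip VLAN setup so it does not strip or drop tags
#    before the bridge sees them.
/interface ethernet switch vlan
remove [find]
/interface ethernet switch port
set [find] vlan-mode=disabled vlan-header=leave-as-is default-vlan-id=auto

# 6. Enable filtering last; from here the bridge enforces the table above.
/interface bridge
set bridge1 vlan-filtering=yes
```

Afterwards `/interface bridge vlan print` should list sfp1 under VLANs 3 and 4 but not 9.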