I just read through the Interface/VLAN manual again. As assumed, sending traffic to the “vlan” interfaces adds a VLAN-tag to the packet.
This clears things up a bit. Another very helpful post was this one:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
I played around with the settings and now I think that I understand most of it. The key was to see the bridge interface vs. the bridge acting as the actual switch for processing the traffic as mentioned in that post.
I created two scenarios: First was IP 192.168.88.1/24 bound to interface vlan1 (now I also understand why this vlan-interface has to be assigned to another interface and why it doesn’t have to be a bridge member itself then) and vlan2 bound to 192.168.89.1/24. By accessing them through vlan-adapters, they get a vlan tag, so the bridge interface (again important to understand that we talk about an interface now!) has to be added as tagged to both VLANs as the packets come in tagged.
Then I edited the scenario and set the interface of IP 192.168.88.1/24 directly to bridge. Now packets from this management IP have no VLAN tag, so I have to set the bridge interface on VLAN1 as untagged to match this. Although the packets on the actual bridge which does the processing still run “internally” with VLAN-Tag “1” as the PVID of the bridge interface is set to 1, right? My ports ether1-ether4 also run “externally” untagged but “internally” with vlan-tag 1, so that is how we get connected here.
Other things I found out:
- A reboot is not necessary every time you change those settings, but sometimes I wondered “Shouldn’t this work now?” and the reboot did the trick then.
- You should avoid setting two addresses in the same network (my first experiments were with 192.168.88.1/24 and 192.168.88.2/24), at least in this constellation with VLANs…