Using RouterOS to VLAN your network

First of all, thank you for this awesome topic, it helped me a lot when trying to set up my Mikrotik router and APs.

I have a question about security or probably best practices when it comes to VLANs with WIFI:

In your examples, you set up the wireless interfaces without setting “vlan-id” and “vlan-mode” to “use-tag” but you set the PVID on the bridge port. Thus you can handle the wifi interfaces as access ports and set “admit-only-untagged-and-priority-tagged” as for the ethernet ports.

It took me quite a while to figure out why this didn’t work for me. It was because I used “vlan-mode=use-tag” in my CAPsMAN Datapath configuration (you can do it also on the wireless interface, without using CAPsMAN). In that case, the packets seem to enter the bridge already tagged, so I had to set “admit-only-vlan-tagged” on the bridge port, which makes it look more like a trunk port.

Both configurations work, but I was wondering if there is a difference in how secure these two options are. Just from a readability point of view, I guess setting all access ports to “admit-only-untagged-and-priority-tagged” is clearer, but is there an actual impact on network security here, or are those just two ways to do the same thing?

Security is a topic I don’t feel qualified to speak on. Nevertheless, the way you handle frames, tagged or not, matters a great deal. The security mindset thinks about the packet flow and where the packets can all get to. In the VLAN mindset, a lot of the thinking is about the source of packets: where did they come from? So, it is not the same thing. Access ports (this is just terminology) are what the industry calls a port on which packets arrive without a tag present. Trunk ports are therefore classified as the source of packets in which tags are expected, indeed required.

Using the settings admit-only-untagged-and-priority-tagged or admit-only-vlan-tagged ensures the port acts as you expect and thus drops packets that don’t comply. If you don’t enforce VLAN, then the security benefits, however small they may be, are removed altogether.

This is NOT a wifi thread, nor a capsman thread, it’s a vlan thread, and vlan security is covered in terms of best security practices, which are the same as for any other vendor!
For WIFI, the standard is WPA2 (or whatever comes next); if you want, you can add a radius server for additional security and finally do wifi over a VPN, for example.

Noob alert…
Re the FirewallCustom.rsc file in Post#5

Lines 22 and 23 create new ‘list’ names of ‘WAN’ and ‘VLAN’
/interface list add name=WAN
/interface list add name=VLAN

I see these used in the next group under ‘/interface list member’ - makes sense so far.

However the last line (31) in this group shows:
add interface=BASE_VLAN list=BASE (my underlining)

Can you tell me where/when the ‘list’ item of ‘BASE’ was created?

Many thanks for your excellent tutorial material.

Interface list VLAN simply replaces interface list LAN; he could have kept it at LAN, which is usually used to describe all subnets behind the router.
I have used VLAN and LAN separately to separate subnets out on a config; similarly, I have used VLANW1 and VLANW0 to distinguish subnets with internet access and those without.
So let’s ignore the VLAN one.

The BASE interface list is normally used (could be any name) to identify the trusted subnet, could be the home LAN or the management LAN etc.
It’s just a way of identifying the trusted subnets, although usually one, in the interface list set.
Why? Because we can then use that easily for multiple reasons, such as for firewall rules, but also in tools mac-server mac-winbox to identify which interface list has access to winbox via mac address!

By the way, in the input chain rule for access to the router via the base interface list, I typically add a firewall address list to narrow down the trusted interfaces to trusted IPs…
source-address-list=adminaccess

where
add IPofadminDesktop list=adminaccess
add IPofadmingLaptop list=adminaccess
add IPofadminIpad list=adminaccess
add IPofadminSmartphone list=adminaccess

Am I missing something, or why does the following in the switch.rsc file from the first post do nothing:

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
set bridge=BR1 tagged=sfp1,sfp2 [find vlan-ids=10]
set bridge=BR1 tagged=sfp1,sfp2 [find vlan-ids=20]
set bridge=BR1 tagged=sfp1,sfp2 [find vlan-ids=30]

also

/interface/bridge/vlan
:put [find vlan-ids=10]

outputs nothing.

Only the following line

add bridge=BR1 tagged=BR1,sfp1,sfp2 vlan-ids=99

adds a single entry under Bridge/VLANs tab.

I saw @DragonQ’s answer 6 posts above, which makes sense; however, I have a feeling that example scripts shall work “out of the box”. What is the expected effect of these 3 lines in the very first switch.rsc?

Additionally, the file switch_hybrid.rsc from the same post contains the following:

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
add bridge=BR1 tagged=sfp1,sfp2 vlan-ids=10
add bridge=BR1 tagged=sfp1,sfp2 vlan-ids=20
add bridge=BR1 tagged=sfp1,sfp2 vlan-ids=30
add bridge=BR1 tagged=BR1,sfp1,sfp2 vlan-ids=99

which makes more sense.

Thank you

Hi @pcunite! Thanks for this comprehensive guide. It really helped me a lot to understand vlans and also to correctly configure my MT.

I have a question regarding VLAN security: There is also an ingress filtering/frame-type setting on the bridge itself, however it seems you did not configure this but only for the individual bridge ports. In my understanding the VLAN interface 99 for the router is bound to the bridge port (can you confirm?). If that is the case don’t we also need to set ingress filtering/admit frame-types for the bridge, which seems to act as a trunk port (since we had to add the bridge as tagged member for VLAN99 for the router)?

PS: I really wish Mikrotik wouldn’t have chosen the name bridge for the switch-like grouping of ports AND for the Layer 3 (CPU-Port) capabilities. It is very confusing. A different name in order to make things more clear would solve so many comprehension issues, especially for beginners.

Thank you all for your responses.

Thanks for the excellent guide.

I’ve posted a new topic about a problem I have but an admin didn’t get to approve it yet. I hope posting here doesn’t have the same restrictions.

Anything connected to the switch does not get an IP address from the router. I have looked at the leases and while the other networks (all connected through wifi) work fine, the devices connected to the switch are not.

Connecting to the wifi access point associated with the same VLAN as the ports on the switch works fine.

Router ether1 is connected to the modem, ether2 connected to switch
Switch ether1 connected to the router, with clients on ether2 and ether4.

Scripts below.

Thank you!

Router (hap ac2):

###############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Switch with a separate router (RoaS)
# Web:			http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
# RouterOS:		6.43.12
# Date:			Mar 28, 2019
# Notes:		Start with a reset (/system reset-configuration no-defaults=yes skip-backup=yes run-after-reset=flash/router.rsc)
# Thanks:		mkx, sindy
###############################################################################

:delay 30s

#######################################
# Housekeeping
#######################################

# name the device being configured
/system identity set name="MainRouterSwitch"

/system clock set time-zone-name=Asia/Jerusalem


#######################################
# VLAN Overview
#######################################

# 60 = GUEST (GREEN)
# 70 = RED
# 80 = BLUE
# 99 = BASE (MGMT) VLAN


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################
#
# WIFI Setup
#
#######################################

# BASE SSID, admin level access to Winbox the device. Use a local ethernet port if preferred.
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""
/interface wireless set [ find default-name=wlan1 ] ssid=Home frequency=auto mode=ap-bridge disabled=no distance=indoors band=2ghz-b/g/n channel-width=20/40mhz-XX wireless-protocol=802.11
/interface wireless set [ find default-name=wlan2 ] ssid=Home frequency=auto mode=ap-bridge disabled=no distance=indoors band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX wireless-protocol=802.11

# GUEST SSID
/interface wireless security-profiles add name=HomeGuest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""
/interface wireless add name=wlan3 ssid=HomeGuest master-interface=wlan1 security-profile=HomeGuest disabled=no
/interface wireless add name=wlan4 ssid=HomeGuest master-interface=wlan2 security-profile=HomeGuest disabled=no

# RED SSID
/interface wireless security-profiles add name=HomeUntrusted authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""
/interface wireless add name=wlan5 ssid=HomeUntrusted master-interface=wlan1 security-profile=HomeUntrusted disabled=no
/interface wireless add name=wlan6 ssid=HomeUntrusted master-interface=wlan2 security-profile=HomeUntrusted disabled=no

# BLUE SSID
/interface wireless security-profiles add name=HomeSafe authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=""
/interface wireless add name=wlan7 ssid=HomeSafe hide-ssid=yes master-interface=wlan1 security-profile=HomeSafe disabled=no
/interface wireless add name=wlan8 ssid=HomeSafe hide-ssid=yes master-interface=wlan2 security-profile=HomeSafe disabled=no

#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# BASE VLAN
add bridge=BR1 interface=wlan1 pvid=99
add bridge=BR1 interface=wlan2 pvid=99

# GUEST
add bridge=BR1 interface=wlan3 pvid=60
add bridge=BR1 interface=wlan4 pvid=60

# RED
add bridge=BR1 interface=wlan5 pvid=70
add bridge=BR1 interface=wlan6 pvid=70

# BLUE
add bridge=BR1 interface=wlan7 pvid=80
add bridge=BR1 interface=wlan8 pvid=80

# egress behavior, handled automatically

#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether2
add bridge=BR1 interface=ether3
add bridge=BR1 interface=ether4
add bridge=BR1 interface=ether5

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=60
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=70
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=80
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="1.1.1.1,1.0.0.1"

# PPPoE used instead of the config below
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=... use-peer-dns=no user=...

# WAN facing port with IP Address provided by ISP
# /ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0

# router's gateway provided by ISP
# /ip route add distance=1 gateway=b.b.b.b


#######################################
# IP Services
#######################################

# GUEST VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=GUEST_VLAN vlan-id=60
/ip address add interface=GUEST_VLAN address=10.0.60.1/24
/ip pool add name=GUEST_POOL ranges=10.0.60.2-10.0.60.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=10.0.60.0/24 dns-server=192.168.0.1 gateway=10.0.60.1

# RED VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=RED_VLAN vlan-id=70
/ip address add interface=RED_VLAN address=10.0.70.1/24
/ip pool add name=RED_POOL ranges=10.0.70.2-10.0.70.254
/ip dhcp-server add address-pool=RED_POOL interface=RED_VLAN name=RED_DHCP disabled=no
/ip dhcp-server network add address=10.0.70.0/24 dns-server=192.168.0.1 gateway=10.0.70.1

# BLUE VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=80
/ip address add interface=BLUE_VLAN address=10.0.80.1/24
/ip pool add name=BLUE_POOL ranges=10.0.80.2-10.0.80.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.80.0/24 dns-server=192.168.0.1 gateway=10.0.80.1
/ip dhcp-server lease add address=10.0.80.2 mac-address=... server=BLUE_DHCP

# Optional: Create a DHCP instance for BASE_VLAN. Convenience feature for an admin.
/ip pool add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=RED
/interface list add name=BLUE
/interface list add name=BASE

/interface list member
# WAN/internet (was ether1, but ISP uses pppoe)
add interface=pppoe-out1    list=WAN

# Access internet, RED from each other
add interface=BASE_VLAN     list=RED
add interface=GUEST_VLAN    list=RED
add interface=RED_VLAN  list=RED

# BLUE is REDd and has no internet access
add interface=BLUE_VLAN     list=BLUE

# Base can access everything
add interface=BASE_VLAN     list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow VLANs to access router services like DNS, Winbox.
add chain=input action=accept in-interface-list=RED comment="Allow VLAN"

# Allow BASE_VLAN full access to the device for Winbox, etc.
add chain=input action=accept in-interface=BASE_VLAN comment="Allow Base_Vlan Full Access"

# Allow server to access router services like DNS, Winbox.
add chain=input action=accept src-address=10.0.80.2 src-mac-address=... comment="Allow Server"

# Allow router services for BLUE
add chain=input action=accept in-interface-list=BLUE comment="Allow VLAN"

add chain=input action=drop comment="Drop"


##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"

# Allow RED VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=RED out-interface-list=WAN comment="VLAN Internet Access only"

# Allow BASE VLAN to access everything
add chain=forward action=accept connection-state=new in-interface=BASE_VLAN comment="BASE VLAN all access"

# Allow server to access the Internet only, NOT other VLANs
add chain=forward action=accept connection-state=new src-address=10.0.80.2 src-mac-address=... out-interface-list=WAN comment="Allow Server"

add chain=forward action=drop comment="Drop"


##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"


#######################################
# VLAN Security
#######################################

# Only allow packets with tags over the Trunk Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

Switch (CRS112-8P-4S-IN):

###############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Switch with a separate router (RoaS)
# Web:			http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
# RouterOS:		6.43.13
# Date:			April 15, 2021
# Notes:		Start with a reset (/system reset-configuration no-defaults=yes skip-backup=yes run-after-reset=flash/switch.rsc)
# Thanks:		mkx, sindy
###############################################################################

:delay 30s

#######################################
# Naming
#######################################

# name the device being configured
/system identity set name="CameraSwitch"

/system clock set time-zone-name=Asia/Jerusalem

#######################################
# VLAN Overview
#######################################

# 80 = BLUE
# 99 = BASE (MGMT) VLAN

# Other VLANS, not used here, may be defined elsewhere


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior
/interface bridge port

# BLUE VLAN
add bridge=BR1 interface=ether2 pvid=80
add bridge=BR1 interface=ether3 pvid=80
add bridge=BR1 interface=ether4 pvid=80
add bridge=BR1 interface=ether5 pvid=80
add bridge=BR1 interface=ether6 pvid=80
add bridge=BR1 interface=ether7 pvid=80
add bridge=BR1 interface=ether8 pvid=80

# egress behavior, handled automatically


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1
add bridge=BR1 interface=ether1
add bridge=BR1 interface=sfp9
add bridge=BR1 interface=sfp10
add bridge=BR1 interface=sfp11
add bridge=BR1 interface=sfp12

# egress behavior
/interface bridge vlan

# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN)
# NOTE: the original 'set bridge=BR1 tagged=... [find vlan-ids=80]' matched nothing,
# because no VLAN 80 entry exists yet (dynamic entries only appear once vlan-filtering=yes).
# VLAN 80 was therefore never tagged on the trunk, so access-port clients could not reach
# the router. Add the entry explicitly instead.
add bridge=BR1 tagged=ether1,sfp9,sfp10,sfp11,sfp12 vlan-ids=80
add bridge=BR1 tagged=BR1,ether1,sfp9,sfp10,sfp11,sfp12 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing Switch's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.2/24 interface=BASE_VLAN

# The Router's IP this switch will use
/ip route add distance=1 gateway=192.168.0.1


#######################################
# IP Services
#######################################
# We have a router that will handle this. Nothing to set here.


#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether6]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether7]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether8]

# Only allow ingress packets WITH tags on Trunk Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp9]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp10]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp11]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=sfp12]


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/interface list add name=BASE
/interface list member add interface=BASE_VLAN list=BASE
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
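To make the ingress and egress decisions concrete, here is an added example (my own Python model, not RouterOS code and not from the guide) that encodes the bridge VLAN rules the thread keeps coming back to: frame-types admission, pvid classification of untagged and priority-tagged frames, the ingress-filtering membership check, and tagged/untagged egress. It replays the CRS112 switch script from this post, first with the `set ... [find vlan-ids=80]` form questioned earlier in the thread (which matches no entry while VLAN filtering is still off) and then with an explicit `add`, and it contrasts admit-only-untagged-and-priority-tagged against admit-only-vlan-tagged as asked in the first post. Port and VLAN names come from the script; the frames are constructed, and "BR1" in a tagged set stands for the bridge's own CPU-facing port.

```python
from dataclasses import dataclass, field

ADMIT_ALL = "admit-all"                                    # frame-types values as
ADMIT_TAGGED = "admit-only-vlan-tagged"                    # named in
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"  # /interface bridge port


@dataclass
class Port:
    name: str
    pvid: int = 1
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = False


@dataclass
class Bridge:
    ports: dict = field(default_factory=dict)
    vlans: dict = field(default_factory=dict)   # vid -> (tagged set, untagged set)

    def add_vlan(self, vid, tagged=(), untagged=()):
        """Static entry: 'add bridge=BR1 tagged=... vlan-ids=N'."""
        t, u = self.vlans.setdefault(vid, (set(), set()))
        t.update(tagged)
        u.update(untagged)

    def set_vlan_tagged(self, vid, tagged):
        """'set ... [find vlan-ids=N]': with no matching entry it is a no-op."""
        if vid not in self.vlans:
            return False
        self.vlans[vid][0].update(tagged)
        return True

    def enable_vlan_filtering(self):
        """vlan-filtering=yes adds dynamic entries: each port untagged in its pvid."""
        for p in self.ports.values():
            self.add_vlan(p.pvid, untagged=[p.name])

    def ingress(self, port_name, vid):
        """vid: None = untagged, 0 = priority-tagged, else the 802.1Q VID.
        Returns the VID the frame is classified into, or None if dropped."""
        p = self.ports[port_name]
        tagged = vid not in (None, 0)
        if p.frame_types == ADMIT_TAGGED and not tagged:
            return None
        if p.frame_types == ADMIT_UNTAGGED and tagged:
            return None
        cvid = vid if tagged else p.pvid          # untagged/priority-tagged -> pvid
        if p.ingress_filtering:                   # port must be a member of cvid
            t, u = self.vlans.get(cvid, (set(), set()))
            if port_name not in t and port_name not in u:
                return None
        return cvid

    def egress(self, cvid, in_port):
        """Ports a flooded frame in cvid leaves on, and whether it carries a tag."""
        t, u = self.vlans.get(cvid, (set(), set()))
        out = {n: "tagged" for n in t if n != in_port}
        out.update({n: "untagged" for n in u if n != in_port})
        return out

    def forward(self, in_port, vid):
        cvid = self.ingress(in_port, vid)
        return {} if cvid is None else self.egress(cvid, in_port)


TRUNKS = ["ether1", "sfp9", "sfp10", "sfp11", "sfp12"]


def camera_switch(use_add_for_vlan80):
    """The CRS112 script from this post: ether2-8 access ports with pvid 80, ether1 and
    the SFPs as trunks, VLAN 99 added statically, VLAN 80 via 'set [find]' or 'add'."""
    br = Bridge()
    for i in range(2, 9):
        br.ports[f"ether{i}"] = Port(f"ether{i}", 80, ADMIT_UNTAGGED, True)
    for n in TRUNKS:
        br.ports[n] = Port(n, 1, ADMIT_TAGGED, True)
    br.add_vlan(99, tagged=["BR1"] + TRUNKS)      # BR1 = the bridge's own CPU port
    if use_add_for_vlan80:
        br.add_vlan(80, tagged=TRUNKS)
    else:
        br.set_vlan_tagged(80, TRUNKS)            # as posted: silently changes nothing
    br.enable_vlan_filtering()
    return br


if __name__ == "__main__":
    # a DHCP discover from a camera on ether2: where does it go in each variant?
    print(camera_switch(False).forward("ether2", None))   # no trunk port at all
    print(camera_switch(True).forward("ether2", None))    # ether1 and SFPs, tagged
```

With the posted `set [find]` form the flooded frame never leaves on ether1, and a tagged VLAN 80 reply arriving on ether1 is dropped by ingress filtering because ether1 is not a member; with the explicit `add` both directions pass.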

Hi,

great guide to start understanding vlans!

My usual setup is:
routerOS (RoaS) ↔ unmanaged switch ↔ wifi access points (with vlan feature on every SSID)

How do I build my setup in RouterOS so that the devices behind the wifi access points get an IP address from the BASE_VLAN, and the wifi can have one SSID on BASE_VLAN and one SSID on GUESTS_VLAN? How do I use bridge vlan filtering for the above configuration? My purpose is that when I plug a device into the RouterOS ethernet ports it is connected to the BASE_VLAN and can manage all the access points connected to it, and at the same time the guests vlan is able to pass over its SSID.

Although I have understood how to create different access ports or trunk ports, I can’t completely understand how to make the setup I have just mentioned.

Kind Regards!

Please create a new topic for this, preferably in the General subforum.

Good question, I was told more than once, but one easily forgets things when older.
My understanding is as follows.
Setting ingress filtering on a bridge port is akin to saying, ONLY vlans assigned to this port are allowed to ingress this port.
Setting ingress filtering on the bridge is less powerful and basically states: allow only vlans that have been assigned to the router as a whole.

With that in mind, if you used ingress filtering on the bridge and not the ports, the result would be
a. any vlan that is identified on the bridge would be allowed to ingress on any bridge port.

b. You then can narrow down control of ports by stating the frame type…
So only tagged frames would be allowed to ingress the port or only untagged frames etc…

c. finally one can more surgically allow ONLY specific vlans to specific ports by using ingress filtering on the bridge port itself.

This is how I see it working, but I know that is not correct. I may even have it backwards.
Based on my less than stellar understanding of switches.

@iegg, please have a look at this post and tell me whether it helps remove some of that confusion.

Hello!
Think of the bridge itself as also a loopback interface.
You can assign an IP address to this loopback interface.

Thank you @sindy et al.. The bridge for myself is more or less clear now, however for beginners it is really hard to grasp the bridge concept.

@anav: I see the bridge also as a ‘connection’ between the vlan interface (not port) and the switch. So if i have a vlan interface i want to allow only tagged frames over the bridge ‘connection’ to the interface. Like that it would act as a trunk and in this case would disallow untagged frames to reach the vlan interface. Not sure if this is correct, but at least seems like a good idea;)

Does the Router-Switch-AP (all in one) example also exist for other devices with a built-in switch chip (e.g. RB2011), where the recommended configuration is using the switch chip instead of setting

vlan-filtering=yes

(ether5 and ether6 connected with cable)?

Can “Switch with Hybrid Ports” be used on the RB2011?
What about using ports from different switch chips together?
Maybe you can help answer at RB2011 How connect ports from differ HW switch ?

I’d like to also ask this question. I have an RB5009 running ROSv7 and have seen in comments that maybe having the bridge set in RSTP or MSTP is better? I am a beginner, could someone please explain how this affects things in layman’s terms, and if in my hardware situation that might be the case, whether to run it in RSTP or MSTP? Please let me know which is best. Happy to provide more info if required.

Thanks!

A couple of things to consider here. How many switches do you have in your topology, how many vlans. Do you employ a topology that could possibly form a loop?
I.E.:
[screenshot omitted: Screen Shot 2022-03-19 at 11.46.28 PM.png]
(@sindy, @pcunite @Chupaka @avnav @sob @mkx please feel free to interject here, but even with a topology like this you could in theory just disable a protocol-mode and suppress loops from forming by forcing ingress to tagged-only discarding any untagged frames and suppressing any outbound that do not match your bridge vlan policy, and only mapping vlans to traverse ports that are needed directly from one router to another through your switch-centric infrastructure, in essence point-to-point L2 pathways that aren’t freely flowing about your whole network, thus using some point to point IP space to configure a routing protocol, etc.) route all the time, switch when you have to.

If you are trying to integrate with Cisco in particular, PVST+ is not interoperable with ROS, and you will need to use the common protocol 802.1s (MST).

MST creates multiple instances of spanning tree and allows for multiple different topologies to inject where the break point is for loops in say a triangular or square network of bridges.
Here is a good link https://mum.mikrotik.com/presentations/FR19/presentation_6549_1557905587.pdf

RSTP is by default configured and should work fine in most cases. If you are trying to predict your traffic flow during failure or control it, I would suggest delving deeper into the fundamentals of the protocol. MST can be added complexity.

If not, and I would guess for most users here, they do not have a potential for forming a loop on their hub and spoke topologies, and it can safely be disabled, just don’t plug two ports between two bridges, unless you put them in a bond.
I.E.:
[screenshot omitted: Screen Shot 2022-03-19 at 11.32.34 PM.png]
Also, the 88639X chipset on the 5009 is one of the more impressive chips out there with few limitations, especially since the ROS7 updates.

See the first few tables here
https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features

And the hardware offloading guide here
https://help.mikrotik.com/docs/display/ROS/Bridge#Bridge-BridgeHardwareOffloading

In general, I recommend MSTP when a loop prevention protocol is needed because it is the most interoperable and scales much larger than RSTP.

I would also add that you want to understand the layer you’re adding loop prevention for.

When you’re connecting routers, you don’t want to also be running spanning tree as you’ve not got two convergence domains - one for L2 and one for L3 dynamic routing protocols. I’ve worked on a lot of networks built like this and it often ends badly. Build PTP VLANs so that STP can be disabled.

When connecting hosts or other switches at L2, spanning tree makes more sense to prevent loops.

Not an engineer or IT trained, but I like rules of thumb and I thought it was —> use RSTP for MT devices, & use MSTP when using mixed devices???