V7.20.7 [long-term] is released!

Internally, other vendors add a port called "CPU" to the bridge. And this "CPU" port can have as many tagged VLANs as needed.

I don't know exactly how things work under the hood in RouterOS, but I assume that the VLAN interfaces are directly linked to the Bridge in Linux.

I'm not an expert, but I'm sure that replicating this model exactly for Hardware Offload, or even for containers, must go against what is a de facto standard when talking about SwitchChips SDKs.

Perhaps this is a point that should be given primary attention by the MikroTik team.

P.S.: I'm not a programmer and I'm not a SwitchChips expert either, just a curious guy who follows the issues and pushes on the SOniC GitHub and, to a lesser extent, OpenWRT as well.

Back in the days we used to only have switch menu where one of the port per switch was named CPU where you could define as many VLANs (depending on the chip) as you wished because it actually is an Ethernet port connecting switch chip to CPU and then VLAN processing would be HW offloaded.
In V7 you still have the switch menu but for some (other) chips VLANs (and STP, RSTP, MSTP, Bonding...) HW offloading is supported in the bridge menu but the working is more or less analogue to what we used to have with a bridge actually representing CPU Ethernet port where for example bridge PVID would be untagged traffic going to CPU, and to access tagged VLANs from CPU (whether you define them in switch or bridge menu) you must define software VLAN interface...

They work exactly as you describe. The only difference is that the "cpu" port is called "the bridge". (In the switch menu it's coincidentally called "cpu".)

So there is no difference. And, as you can readily see, you can assign as many vlans to this "bridge" port as you want. When you add a vlan interface, the system does this for you automatically, and you can see the result in the vlan table.

Yep I understand…
But, guessing from outside, I bet under the hood this “Bridge” on L3-aspects overlaps the “Bridge” on L2-Aspects.
And(guessing again) that is obstacle to transcribe this to hardware off–load in SDKs of switch chips.

Other vendors deal with this having “switchport mode” and “routed mode” of ports.

• Switchport Mode operating on Bridges inside the SwitchChips.
  • And using “VlanIF” as a mapping point to CPU..
• Routed Mode operating with Interfaces and sub-interfaces.
  • And, if needed, using bridge-domain to link tagged sub-if to vlans o other ifs and sub-ifs.

If I understood correctly…
Historically, not having this distinction between portswitch and routed mode, is onde of the biggest motives MikroTik RouterOS+WinBox has become popular with network operators.

But I don’t see a way of using merchant silicon(Marvell, Broadcom, or even the more recent Intels.) and not separating this two concepts.

Looking from the outside, and again in the realm of speculation, it is precisely by insisting on maintaining this abstraction that attempts to make everything "magically simple" that:

• It is not possible to bring things like VRF to Hardware Off-Load.

• Or that it is not possible to perform hardware-offload in MPLS, whether L2VPN or L3VPN.

Again, the distinction is only in nomenclature. Much of it is historical (on both sides btw.), Mikrotik and Linux come from a traditionally pure software past, while many other manufacturers come from the hardware forwarding plane aspect. Let me attempt to clarify.

They don't. The bridge is a pure L2 construct. What is a bit confusing for people who are not intimately familiar with the respective parts of the networking stack is that the bridge (the L2 entity) and, the internal CPU port and a routed interface that connects to the "native" VLAN (that is, again a bit confusingly, specified as the bridge's PVID) is called the same. They are only called the same - they are different entities and there is no co-mingling.

On the contrary, what makes this name overloading possible is that it is always clear from the context which meaning we are referring to, because in each context only one makes sense. Whether it was a good idea to name things so... that's a valid question.

For the above reason, it isn't. The port setting (pvid, ingress filtering) and the vlan table directly 1:1 correspond to hardware functionlity.

In the world that Mikrotik chose to implement, it is also very simple. Your case 1: the port is part of a bridge. Case 2: the port is not part of a bridge.

In the first case the port is "consumed" by the bridge, in the second, it can be used as a routed interface.

I think you're onto something here. I don't really think the lack of distinction is the key. Rather, the fact that when you're dealing with a software implementation, you can create arbitrarily complex setups and implement advanced features, and it only costs you a few hundred KB of software. Having all that in silicon is expensive. Of course, speed and efficiency suffer.

One of the areas where I routinely deploy Mikrotiks is in industrial automation networks where bandwidth doesn't really matter, however flexibility and advanced features are necessary.

Again, Mikrotik uses the Marvell implementation natively. (The while modern vlan filtering approach to bridges and its offloading were developed hand-in-hand and funded by Marvell.)

I think it's coming. Really slowly... I think the issue is that VRFs must fit in with the rest of the routing system. And that's a lot of work, of which we're seeing pieces of with each release.

Again, you can see work being done around it.

Most manufacturers push out what the manufacturer SDKs are natively capable of. (And often a product lines will have exactly the feature set of the underlying SDK, with some features or modes of configuration never to be seen again.) Mikrotik's philosophy seems to be to integrate it into their system. This has the benefit that new features can be integrated with the previously established capabilities. Of course this is slow.

It also has to be admitted that the Marvell chips that Mikrotik uses (they're absolutely not top of the line) are infinitely more primitive than e.g. Broadcom's designs, which, again, are dwarfed by the capabilities of Juniper's custom chips.

Where you're absolutely spot on is here:

It should be normalized to have all ports that are connected to the switch chip be configured as part of a single bridge. It is not only possible but very easy to do, and I start out my configurations is this way. It's a way more natural way to look at the hardware as it actually is.

I think here he big obstacle is that people have a hard time getting used to this sort of configuration after seeing the other one for years and it seems unfamiliar. Also, there's a mistaken assumption that "fewer lines" of configuration means simpler, which is clearly very far from being true.

While i partly agree that ideally the software abstractions (and by consequence the "idealized internal network topology ") should track the hardware implementation,
we currently lack some functionality to make "both forms" of configuration trully functionally equivalent.

let's take a RB5009 for example (SoHo device where all ports are equally (hardware)-routed trough the "switch-chip"

typically, one would have one or more ports designated as "WAN" , and a "vlan-aware-bridge" with the rest

in this scenario, if one WAN interface goes physically down, all associated L3 /ip and /route entities go down with them.

if we abstract that with an all-port-bridge, and pvid="$wan-vlan" on the "WAN" ports, the L3 entities will be always UP, causing problems in some scenarios
(BFD for route-checking is still not fully implemented as of 7.22, and the local-address would still be present even on "down" interfaces)

we lack some form of "/bridge/vlan/set 1 track-physical-layer=ether123" functionality to make the typical config "portable" between both configuration "schools of tought"

Another issue with the 7.20.7 upgrade but it’s a very particular scenario.

I have a bunch of IP Phones (Polycom SoundPoint IP 320 and Grandstream GXP1400) behind NAT that connect to an external public IP SIP server. Everything works just fine on 6.49.19 with only one modifcation

/ip firewall service-port set sip sip-direct-media=no

After the upgrade I’ve found out that any two GrandStream GXP1400 phones could not initiate calls between them, but any other calls work just fine. When a call is initiated between GS phones, the phone rings but the call cannot be picked, the phone rings and gets stuck and cannot be used until the other caller drops the call. It doesn’t matter if I set the phones to be NAT aware or not, but if I disable the helper the calls can be picked but there is no voice. I had to rollback to 6.49.19 and the issue is gone. I’ll open a ticket and did a packet capture when the issue happened and let’s hope it gets fixed.

PS: All phones have the latest firmware and are pretty close to their default config, no fancy stuff on the sip and networking side.

Wow, now the conversation has gotten deep!

Thanks, @lurker888 and @guipoletto .

I still believe that the problems with Hardware-Offload with VRF, MPLS Encapsulation, and QinQ all stem from the same cause:

How the RouterOS Packet Flow decides how many times the packet has to go through the Offload Engine.

One of the characteristics that is somewhat horizontal to almost all SwitchChips is that in any situation the packet should only go through the SwitchChip processing once (in specific cases twice, but consuming twice the resources).

And the RouterOS packet flow design can cause the packet to take several turns to be able to do everything it needs to.

But we are clearly owning the topic.
I believe we could discuss issues like this in another specific topic.
P.S.: The sad part is that this conversation, if held elsewhere, will likely result in an /ignore from the MikroTik team.

thank you I’m so happy that RouterOS v7 has long-term channel too

Version 7.20.8 has been released:

What's new in 7.20.8 (2026-Jan-30 11:17)

What's new in 7.20.7 (2026-Jan-08 11:40):

22 days.

A very short-lived long-term release.

Poor little thing.

Yep. Poor little bugs, gone too soon. I will miss them.

I agree with you! 7.20.7 was not mature enough to go to LTS.

ㅤ

But on the level “long-term”, there is no alternative to correct the things beyond a newer LTS release.

If they already knew the bugs or issues, it was the right choice!

Obs.: Unless MikroTik start to add patches+hotfix numbering, like: 7.20.7.001.

ㅤ

Better a newer LTS release in less than 22 days than a RC that goes to stable with less then 10 Business Hours.
ㅤ

P.S.: Just highlighting an interesting fact that I think we should pay some attention to:

• V7.20.7 [long-term] is released! - Thursday - Jan 8, 11:18 AM (Latvia)

• Newsletter #131 | January 2026 - Tuesday - Jan 13 11:31 AM (Latvia)