The Bridge Wiki doesn’t mention anything one way or the other with VLAN filtering and using more than one bridge.
Can a router have some tagged and untagged ports on one bridge and some other tagged and untagged ports on the other?
You can decide yourself if you want to use:
1 - one bridge with VLAN filtering in the bridge and VLAN subinterfaces on top of the bridge
2 - VLAN subinterfaces on the ethernet ports where you want them and putting the VLAN subinterfaces in several bridges
3 - using switch configuration menu to configure VLAN handling of the ports, and using a single bridge without VLAN filtering
Each of them has different advantages and disadvantages, and what you select depends on your requirements.
When you want spanning tree support, you probably need 1.
When you want maximum flexibility (including having different VLAN tags for the same VLAN on different ports) you need 2.
When you want maximum performance on traffic between the ports (hardware switching), you need 3.
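Options 1 and 2 from the list above, written out as RouterOS configuration. This is an added example, not part of the original posts; the port roles (ether1 and ether4 as trunks, ether2 and ether3 as access ports), the VLAN IDs 10, 20 and 110, and all bridge and interface names are assumptions. The two variants are alternatives, not meant to be applied together.

```routeros
# Constructed example. Port roles, VLAN IDs and names are assumptions.

# --- Option 1: one bridge, VLAN filtering in the bridge,
# --- VLAN subinterfaces on top of the bridge
/interface bridge add name=bridge1 vlan-filtering=no
# Trunk port: accept tagged frames only
/interface bridge port add bridge=bridge1 interface=ether1 \
    frame-types=admit-only-vlan-tagged
# Access ports: untagged frames only, assigned to a VLAN by PVID
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged
# The bridge itself is a tagged member so the router's VLAN
# subinterfaces below receive the traffic
/interface bridge vlan add bridge=bridge1 vlan-ids=10 \
    tagged=bridge1,ether1 untagged=ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=20 \
    tagged=bridge1,ether1 untagged=ether3
/interface vlan add name=vlan10 interface=bridge1 vlan-id=10
/interface vlan add name=vlan20 interface=bridge1 vlan-id=20
# Turn filtering on last, once the VLAN table is complete, so the
# management path is not cut off halfway through
/interface bridge set bridge1 vlan-filtering=yes

# --- Option 2 (alternative): VLAN subinterfaces on the ethernet ports,
# --- one plain bridge per VLAN, no VLAN filtering
/interface vlan add name=ether1.10 interface=ether1 vlan-id=10
/interface vlan add name=ether1.20 interface=ether1 vlan-id=20
# The same VLAN can carry a different tag on another port
/interface vlan add name=ether4.110 interface=ether4 vlan-id=110
/interface bridge add name=br-vlan10
/interface bridge add name=br-vlan20
/interface bridge port add bridge=br-vlan10 interface=ether1.10
/interface bridge port add bridge=br-vlan10 interface=ether4.110
/interface bridge port add bridge=br-vlan10 interface=ether2
/interface bridge port add bridge=br-vlan20 interface=ether1.20
/interface bridge port add bridge=br-vlan20 interface=ether3
```

In option 2 the router's addresses for each VLAN go on br-vlan10 and br-vlan20 directly; in option 1 they go on vlan10 and vlan20.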
pe1chl, I was looking for exactly this answer, so thank you. But what if I also want to run a DHCP server on ALL (two) VLANs? Does it disqualify some of the options, or can I use any of 1-3?
Right. I figure that apart from the CRS3xx switches that can do VLAN filtering in hardware mode every other device has to do it in software (unless you can manually configure the switch chip in the Switch menu) - so you can set up VLANs any way you like - to use or not use the VLAN filtering either way is going to use the CPU for all the work.
I had tried VLAN filtering with the RB4011 - I had a main bridge the tagged VLANs and VLAN interfaces connected to via the SFP+ port and two other bridges with VLAN ports on them that the CAPSMan sent encapsulated Wifi traffic to. This did work but I noticed the VLAN interface only seemed to register RX packets, not TX packets even though the Wifi was working and data was flowing through that VLAN. I opted to go back to a non-VLAN-filtered way and I could then see all the traffic flowing on the VLAN interface. More bugs?
So I think where there is no advantage in hardware offloading for VLAN filtering you can probably take or leave it.
As I wrote above, each solution has its pros and cons.
The bridge VLAN filtering was added because this was the only possible solution to get STP (and in particular MSTP) working correctly.
People are asking for that in mixed manufacturer networks where they need a compatible MSTP.
When you have no such requirement, you can just as well use the hardware switch configuration.
That used to be more clear when the ethernet devices had a “master port” config item where you could tie a number of switchports together, configure the VLANs on the master port, and configure the tagging details in the switch menu.
This still works, although now you need to have a bridge on top of the whole thing, and instead of master port you add the ports to the switch with hw accel.
Aside from the overhead of the bridge (only in the path between the group of ports and the router) there is no change.
In this config you can do wirespeed traffic between ports even on low-end routers, even with VLAN.
(but not all routers support this, e.g. not the RB750Gr3)