I tested this on Cloud Hosted Router. It seems to work. VLANs are routed through the router, and I didn’t use a bridge. If this is the case, is there a need for a bridge for this case? Will this be hardware offloaded on the real device?
You only need a bridge if you need to forward L2 traffic between interfaces. In your setup, this is handled by the external switches, so you indeed do not need a bridge on the CHR.
In RouterOS 7, some of the physical MikroTik devices do support hardware routing, including VLAN tagging/untagging, and some don’t - it depends on the capabilities of the switch chips they are built with and on the development stage.
On CHR, firewall rules are applied without any additional change.
I have an RB5009. Will it be the same? Or will it require some extra “redirect to cpu” etc. to be able to apply rules to block some VLAN accessing another VLAN?
I’m no expert on this, but I doubt that there will be any significant difference thanks to HW offloading on RB5009, if any at all. It doesn’t have L3 Hardware Offloading, only HW offloaded vlan-filtering, i.e. if you had some VLAN on multiple ports, then L2 traffic between connected devices would be handled by the switch. But you have just VLANs on a single port, so any traffic passing through the router will use routing, i.e. software processing. Anyone, please correct me if I missed something.
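
The layout discussed in this thread, as an added example that is not from any of the posters: two VLAN interfaces directly on one trunk port with no bridge, so traffic between them is routed and passes the firewall `forward` chain. The port `ether2`, the VLAN IDs, the interface names and the subnets are assumptions chosen for illustration.

```routeros
# Added example; ether2, VLAN IDs 10/20, names and subnets are assumed values.
# VLAN interfaces sit directly on the trunk port, no bridge is created.
/interface vlan
add name=vlan10-lan interface=ether2 vlan-id=10
add name=vlan20-guest interface=ether2 vlan-id=20

# One gateway address per VLAN; the router routes between the two subnets.
/ip address
add address=192.168.10.1/24 interface=vlan10-lan
add address=192.168.20.1/24 interface=vlan20-guest

# Routed inter-VLAN traffic traverses chain=forward, so it can be filtered here.
/ip firewall filter
# Allow return traffic for connections that were permitted when they started.
add chain=forward connection-state=established,related action=accept comment="allow replies"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# Block new connections from the guest VLAN into the LAN VLAN.
add chain=forward in-interface=vlan20-guest out-interface=vlan10-lan action=drop comment="guest may not reach lan"
```

With these rules, hosts in `vlan10-lan` can still open connections to `vlan20-guest` and receive replies, while connections initiated from the guest VLAN toward the LAN are dropped.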