[VLAN] Set a port to untagged using switch chip

Hi everyone.
I’m trying to understand switch chip functions (https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features) and now I have:

RB3011 IP 172.16.10.1 as a CAP MANAGER with a “management bridge” and 4 VLANs (11,12,13,14) and DHCP Server
ETH10 is the uplink to an hAPac2

/interface bridge
add name="Bridge1 Management" vlan-filtering=yes
/interface bridge port
add bridge="Bridge1 Management" interface=ETH10

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/interface vlan
add interface="Bridge1 Management" name=VLAN11 vlan-id=11
add interface="Bridge1 Management" name=VLAN12 vlan-id=12
add interface="Bridge1 Management" name=VLAN13 vlan-id=13
add interface="Bridge1 Management" name=VLAN14 vlan-id=14

/interface bridge vlan
add bridge="Bridge1 Management" tagged="Bridge1 Management" vlan-ids=11
add bridge="Bridge1 Management" tagged="Bridge1 Management" vlan-ids=12
add bridge="Bridge1 Management" tagged="Bridge1 Management" vlan-ids=13
add bridge="Bridge1 Management" tagged="Bridge1 Management" vlan-ids=14

/ip address
add address=172.16.10.1/24 interface="Bridge1 Management" network=172.16.10.0
add address=172.16.11.1/24 interface=VLAN11 network=172.16.11.0
add address=172.16.12.1/24 interface=VLAN12 network=172.16.12.0
add address=172.16.13.1/24 interface=VLAN13 network=172.16.13.0
add address=172.16.14.1/24 interface=VLAN14 network=172.16.14.0

hAP ac2 IP 172.16.10.11 managed by RB3011 with 4 SSIDs attached to 4 VLANs (works well!)
hAPac2 ETH1 is the downlink to RB3011 ETH10 and it’s inside a bridge with the other 4 ETH ports

/interface bridge
add fast-forward=no name=Bridge1
/interface bridge port
add bridge=Bridge1 hw=no interface=ether1
add bridge=Bridge1 interface=ether2
add bridge=Bridge1 interface=ether3
add bridge=Bridge1 interface=ether4
add bridge=Bridge1 interface=ether5

/ip address
add address=172.16.10.11/24 interface=Bridge1 network=172.16.10.0

/interface ethernet switch port
set 0 vlan-mode=disabled
set 1 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=11

Now I’m trying to set up hAPac2 ETH2 as an “access port / untagged port” for VLAN 11 using the switch chip, but something goes wrong (it fails to get a valid IP address from the VLAN 11 DHCP server on the RB).
Another question: is it necessary to create and tag VLAN1 (default management) on the uplink?

I have some doubts about:

/interface ethernet switch port
set 0 vlan-mode=disabled

If I set vlan-mode=secure and vlan-header=add-if-missing on ETH1 (uplink port) I lose access to the hAPac2, because now it is filtering on the VLAN tag only!
What is going wrong?

Thank you very much. Feel free to ask for additional info or pieces of config!
Davide from Verona (Italy)

There’s another port on the switch “chip” (actually, the switch module within the SoC), called switch1-cpu (in case of hAP ac², on the 3011 you also have switch2-cpu). Since all the handling in the switch chip is done as the frame is processed on ingress, the switch forwards a frame which came from the wire to a port with vlan-mode=secure only to ports on which the VLAN of the frame is enabled. So the fact that vlan-mode=none on the CPU-facing port doesn’t matter for frames which have to egress via that port, and you have to add that port to the list of ports on which VLAN 11 is enabled as well.

To the second question - VLAN 1 is just an ordinary VLAN like any other, but many vendors (including Mikrotik) hide configuration items with default values. So it seems that frames in VLAN 1 are automatically tagless, but that’s not the case. Indeed, the switch (or bridge) also does the tagging/untagging on ingress, so if the ingress port with native VLAN A receives a frame tagged with VLAN B and the egress port is an access one to VLAN B (so the connected device expects frames of VLAN B to come tagless), the frame gets untagged already at the ingress port. So it is not a law that VLAN 1 must always be there, or must always be tagless. It’s just that the default value of pvid on the rows of /interface bridge port is 1, so it is not shown in /export unless you use the verbose modifier, and so is the pvid of the “CPU port” of the bridge (the parameters on the /interface bridge row actually relate to two distinct objects: to the bridge itself (a software model of a switch chip) and to its “CPU facing port” (a virtual L2 interface connecting the bridge to the upper layers of the networking kernel)). The pvid is a property of this virtual port.

Thanks for the reply.

If I haven’t misunderstood, must I only add switch1-cpu as a tagged port on the hAPac2?

/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=11

No need to set something for switch1-cpu in

/interface ethernet switch port

??
Something changed: the DHCP server “offers” the lease, but it doesn’t become “bound” for the client.

It seems I’ve completely misunderstood you yesterday, sorry for that.

  1. where is the DHCP server running, on the 3011 or on the hAP ac²? A “RB” may mean any of them, hAP ac²’s other name is RBD52-5HacD2HnD-TC. Only VLANs which need to be accessible by the hAP ac²’s CPU need to be permitted on the switch1-cpu port, so if the DHCP server is running on the 3011 and the client on some device connected to hAP ac²’s ether2..ether5, there is no need to permit VLAN11 on switch1-cpu on the hAP ac².

  2. in order not to lose the management access to the hAP ac² from the 3011, you do have to make the path from ether1 to switch1-cpu transparent for the tagless frames, which means their default-vlan-id must be the same, and they must be the same as the pvid of the bridge if their vlan-mode is set to secure. And that VLAN must be permitted on both ports:

/interface ethernet switch vlan add vlan-id=1 ports=ether1,switch1-cpu switch=switch1 (this one is harmless until you change the vlan-mode)
/interface ethernet switch port set ether1 vlan-mode=secure default-vlan-id=1 vlan-header=leave-as-is ; /interface ethernet switch port set switch1-cpu vlan-mode=secure default-vlan-id=1 vlan-header=leave-as-is (these two must be on a common line so that both are changed simultaneously, otherwise you’ll lock yourself out).

The above is true if the management IP address of the hAP ac² is attached to the “virtual L2 port named bridge, which is the implicit member port of the bridge named bridge” with pvid=1, and if ether1 is also a member port of the bridge named bridge.
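A small model of the switch-chip rules explained above (a port in secure mode only delivers a frame to ports on which that frame's VLAN is enabled, a tagless frame takes the ingress port's default-vlan-id, and switch1-cpu is just another port that needs VLAN membership), as an added example in Python; it is not RouterOS code and not from this thread. The Port/Switch classes, the hap_ac2() helper built from the hAP ac² exports posted above, and the "decision is taken at ingress" rule are assumptions of the model, not a statement of how the 8327 chip is implemented.

```python
"""Toy model of the MikroTik switch-chip VLAN rules as described in this thread.

Added example, not RouterOS code: it encodes the behaviour the replies above
describe so the two hAP ac2 switch configurations can be compared offline.
Port names follow the exports (ether1 = uplink, ether2..ether5 = VLAN 11 access).
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    vlan_mode: str = "disabled"       # "disabled" or "secure" (the only modes modelled)
    default_vlan_id: int = 1          # VLAN assigned to a tagless ingress frame
    vlan_header: str = "leave-as-is"  # egress: leave-as-is | always-strip | add-if-missing


@dataclass
class Switch:
    ports: dict                                # port name -> Port
    vlans: dict = field(default_factory=dict)  # vlan-id -> set of member port names

    def forward(self, ingress, tag=None):
        """Forward one frame; return {egress port: tag on the wire} (None = tagless).

        Assumption (as the thread describes it): the decision is taken at ingress.
        A secure ingress port delivers only to ports on which the VLAN is enabled,
        and drops the frame if the ingress port itself is not enabled for that VLAN.
        """
        src = self.ports[ingress]
        vid = src.default_vlan_id if tag is None else tag
        members = self.vlans.get(vid, set())
        if src.vlan_mode == "secure" and ingress not in members:
            return {}
        out = {}
        for name, dst in self.ports.items():
            if name == ingress or (src.vlan_mode == "secure" and name not in members):
                continue
            if dst.vlan_header == "always-strip":
                out[name] = None
            elif dst.vlan_header == "add-if-missing":
                out[name] = vid
            else:                  # leave-as-is: the frame keeps the tag it arrived with
                out[name] = tag
        return out

    def talks_both_ways(self, a, b):
        """True if a tagless frame from a reaches b and a tagless reply from b reaches a."""
        return b in self.forward(a) and a in self.forward(b)


def hap_ac2(cpu_in_vlan11, secure_uplink):
    """Constructed from the hAP ac2 exports in the thread: ether2..ether5 are
    VLAN 11 access ports; the two flags select the variants discussed above."""
    ports = {"ether1": Port(), "switch1-cpu": Port()}
    for n in range(2, 6):
        ports[f"ether{n}"] = Port("secure", 11, "always-strip")
    if secure_uplink:  # the "common line": ether1 and switch1-cpu changed together
        ports["ether1"] = Port("secure", 1, "leave-as-is")
        ports["switch1-cpu"] = Port("secure", 1, "leave-as-is")
    vlans = {11: {"ether1", "ether2", "ether3", "ether4", "ether5"}}
    if cpu_in_vlan11:
        vlans[11].add("switch1-cpu")
    if secure_uplink:
        vlans[1] = {"ether1", "switch1-cpu"}  # VLAN 1 permitted on both, as advised
    return Switch(ports, vlans)


if __name__ == "__main__":
    sw = hap_ac2(cpu_in_vlan11=False, secure_uplink=False)
    print("VLAN 11 frame from ether2 reaches:", sorted(sw.forward("ether2")))
    sw = hap_ac2(cpu_in_vlan11=True, secure_uplink=True)
    print("management path ether1 <-> CPU works:", sw.talks_both_ways("ether1", "switch1-cpu"))
    sw.ports["switch1-cpu"].default_vlan_id = 3   # mismatched default-vlan-id
    print("... with mismatched default-vlan-id:", sw.talks_both_ways("ether1", "switch1-cpu"))
```

Removing the VLAN 1 row after both ports are in secure mode reproduces the lockout the reply warns about: forward("ether1") then returns an empty delivery set.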

yes right, RB3011 works as DHCP server for all VLANs

  1. in order not to lose the management access to the hAP ac² from the 3011, you do have to make the path from ether1 to switch1-cpu transparent for the tagless frames, which means their default-vlan-id must be the same, and they must be the same as the pvid of the bridge if their vlan-mode is set to secure. And that VLAN must be permitted on both ports:

default-vlan-id and PVID are the same (1), but it is not clear where to make the changes you wrote: on the RB3011 switch and on the hAPac2 switch, right? Will the CAP manager for WiFi continue to work normally?

At this point, only do any changes on the hAP ac² one. And yes, the cAP on the hAP ac² will continue talking to the CAPsMAN on the 3011 like it did before.

Still working on it for hours.
With the setup of switch1-cpu in

/interface ethernet switch port

something goes wrong and every time I lose access to the AP, so I decided to follow this guide: https://www.youtube.com/watch?v=Rj9aPoyZOPo
Now it works, but:

  • no mention of switch1-cpu, but the DHCP server now binds a different IP on each VLAN
  • it works only if I attach VLANs to an ETH port on the RB3011, not to a bridge. Why? VLAN filtering is activated on the bridge because it is also used for the CAP Manager and all SSIDs are bound to the 4 VLANs
  • not able to reach the local IP of the AP, nor from the RB3011

If needed I will post both exports.
Many many thanks.

Please do. No way I’d be watching a 20-minute video explaining what should be done rather than seeing in 3 minutes what you’ve actually done.


But it’s normal that each VLAN is used to host another subnet, hence each DHCP server leases out from a different pool matching that subnet. What other behaviour do you expect and why do you need it?


Need to see the configuration of the 3011 to answer that. It sounds weird.


That may be linked to the previous point. From my past experience the handling of tagless packets was different than how it is described in the manual for vlan-mode=secure, but I may remember it wrong and right now I don’t have any spare device with the 8327 chip in my reach to re-check that.

Thanks for your patience, below is a summary.

Available devices:

1x RB3011 → it will have to do: cAP Manager for 4 VLANs (11,12,13,14) SSIDs + DHCP server for the same VLANs
4x hAPac2 → they will have to do: AP with multiple SSIDs + switch for local ethernet connectivity

Connections:

RB3011: ETH7 to ETH10 for the 4x hAPs (needs a bridge) + ETH1 for WAN
hAPs: ETH1 for the trunk port coming from the RB3011, ETH2 to ETH5 for local ethernet connectivity (first hAP VLAN11, second hAP VLAN11 and so on..)

RB3011


# Bridge creation + VLAN filtering active (PVID default = 1)
/interface bridge
add name="Bridge Management" vlan-filtering=yes

# VLAN creation under Bridge Management (VLAN1 is hidden, right?)
/interface vlan
add interface="Bridge Management" name=VLAN11 vlan-id=11
add interface="Bridge Management" name=VLAN12 vlan-id=12
add interface="Bridge Management" name=VLAN13 vlan-id=13
add interface="Bridge Management" name=VLAN14 vlan-id=14

# Adding 4 ports directly connected to hAPac2s ETH1
/interface bridge port
add bridge="Bridge Management" interface=ETH7
add bridge="Bridge Management" interface=ETH8
add bridge="Bridge Management" interface=ETH9
add bridge="Bridge Management" interface=ETH10

# Manual VLAN tag for Management
/interface bridge vlan
add bridge="Bridge Management" tagged="Bridge Management" vlan-ids=11
add bridge="Bridge Management" tagged="Bridge Management" vlan-ids=12
add bridge="Bridge Management" tagged="Bridge Management" vlan-ids=13
add bridge="Bridge Management" tagged="Bridge Management" vlan-ids=14

# WAN route
/ip route
add distance=1 gateway=192.168.1.1

# IP address on WAN, on Management and on 4x VLANs
/ip address
add address=192.168.1.254/24 interface="ETH1 Internet" network=192.168.1.0
add address=172.16.10.1/24 interface="Bridge Management" network=172.16.10.0
add address=172.16.11.1/24 interface=VLAN11 network=172.16.11.0
add address=172.16.12.1/24 interface=VLAN12 network=172.16.12.0
add address=172.16.13.1/24 interface=VLAN13 network=172.16.13.0
add address=172.16.14.1/24 interface=VLAN14 network=172.16.14.0

# Preparing DHCP pool
/ip pool
add name="POOL Management" ranges=172.16.10.100-172.16.10.200
add name="POOL VLAN11" ranges=172.16.11.100-172.16.11.200
add name="POOL VLAN12" ranges=172.16.12.100-172.16.12.200
add name="POOL VLAN13" ranges=172.16.13.100-172.16.13.200
add name="POOL VLAN14" ranges=172.16.14.100-172.16.14.200

# DHCP server settings for 4x VLANs (please let me know if I can set up a DHCP server for Bridge Management on VLAN1)
/ip dhcp-server
add address-pool="POOL Management" disabled=no interface="Bridge Management" lease-time=8h name="DHCP Management"
add address-pool="POOL VLAN11" disabled=no interface=VLAN11 lease-time=8h name="DHCP VLAN11"
add address-pool="POOL VLAN12" disabled=no interface=VLAN12 lease-time=8h name="DHCP VLAN12"
add address-pool="POOL VLAN13" disabled=no interface=VLAN13 lease-time=8h name="DHCP VLAN13"
add address-pool="POOL VLAN14" disabled=no interface=VLAN14 lease-time=8h name="DHCP VLAN14"

# DHCP networks
/ip dhcp-server network
add address=172.16.10.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=172.16.10.1
add address=172.16.11.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=172.16.11.1
add address=172.16.12.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=172.16.12.1
add address=172.16.13.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=172.16.13.1
add address=172.16.14.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=172.16.14.1

# Enable masquerading (masquerade is a NAT action, so it lives under /ip firewall nat, not filter)
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ETH1 Internet"

# -------> Starting to configure CAPsMAN: now this is working fine!
/caps-man manager
set enabled=yes

# Discovery interface
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface="Bridge Management"

# Setting up datapaths for 4x VLANs
/caps-man datapath
add bridge="Bridge Management" client-to-client-forwarding=yes local-forwarding=no name="Datapath VLAN11" vlan-id=11 vlan-mode=use-tag
add bridge="Bridge Management" client-to-client-forwarding=yes local-forwarding=no name="Datapath VLAN12" vlan-id=12 vlan-mode=use-tag
add bridge="Bridge Management" client-to-client-forwarding=yes local-forwarding=no name="Datapath VLAN13" vlan-id=13 vlan-mode=use-tag
add bridge="Bridge Management" client-to-client-forwarding=yes local-forwarding=no name="Datapath VLAN14" vlan-id=14 vlan-mode=use-tag

# SSIDs security
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name="Key VLAN11"
add authentication-types=wpa2-psk encryption=aes-ccm name="Key VLAN12"
add authentication-types=wpa2-psk encryption=aes-ccm name="Key VLAN14"
add authentication-types=wpa2-psk encryption=aes-ccm name="Key VLAN13"

# And configurations, different for the 2.4GHz and 5GHz bands
/caps-man configuration
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz country=italy datapath="Datapath VLAN11" mode=ap name="Config VLAN11 2.4GHz" security="Key VLAN11" ssid="SSID VLAN11 2.4GHz"
add channel.band=5ghz-a/n/ac country=italy datapath="Datapath VLAN11" mode=ap name="Config VLAN11 5GHz" security="Key VLAN11" ssid="SSID VLAN11 5GHz"

add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz country=italy datapath="Datapath VLAN12" mode=ap name="Config VLAN12 2.4GHz" security="Key VLAN12" ssid="SSID VLAN12 2.4GHz"
add channel.band=5ghz-a/n/ac country=italy datapath="Datapath VLAN12" mode=ap name="Config VLAN12 5GHz" security="Key VLAN12" ssid="SSID VLAN12 5GHz"

add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz country=italy datapath="Datapath VLAN13" mode=ap name="Config VLAN13 2.4GHz" security="Key VLAN13" ssid="SSID VLAN13 2.4GHz"
add channel.band=5ghz-a/n/ac country=italy datapath="Datapath VLAN13" mode=ap name="Config VLAN13 5GHz" security="Key VLAN13" ssid="SSID VLAN13 5GHz"

add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz country=italy datapath="Datapath VLAN14" mode=ap name="Config VLAN14 2.4GHz" security="Key VLAN14" ssid="SSID VLAN14 2.4GHz"
add channel.band=5ghz-a/n/ac country=italy datapath="Datapath VLAN14" mode=ap name="Config VLAN14 5GHz" security="Key VLAN14" ssid="SSID VLAN14 5GHz"

# Setting up provisioning
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,g,gn identity-regexp=VLAN11 master-configuration="Config VLAN11 2.4GHz" name-format=prefix-identity name-prefix=2.4G
add action=create-dynamic-enabled hw-supported-modes=a,an,ac identity-regexp=VLAN11 master-configuration="Config VLAN11 5GHz" name-format=prefix-identity name-prefix=5G

add action=create-dynamic-enabled hw-supported-modes=b,g,gn identity-regexp=VLAN12 master-configuration="Config VLAN12 2.4GHz" name-format=prefix-identity name-prefix=2.4G
add action=create-dynamic-enabled hw-supported-modes=a,an,ac identity-regexp=VLAN12 master-configuration="Config VLAN12 5GHz" name-format=prefix-identity name-prefix=5G

add action=create-dynamic-enabled hw-supported-modes=b,g,gn identity-regexp=VLAN13 master-configuration="Config VLAN13 2.4GHz" name-format=prefix-identity name-prefix=2.4G
add action=create-dynamic-enabled hw-supported-modes=a,an,ac identity-regexp=VLAN13 master-configuration="Config VLAN13 5GHz" name-format=prefix-identity name-prefix=5G

add action=create-dynamic-enabled hw-supported-modes=b,g,gn identity-regexp=VLAN14 master-configuration="Config VLAN14 2.4GHz" name-format=prefix-identity name-prefix=2.4G
add action=create-dynamic-enabled hw-supported-modes=a,an,ac identity-regexp=VLAN14 master-configuration="Config VLAN14 5GHz" name-format=prefix-identity name-prefix=5G

First hAPac2 designated for switching VLAN11


# Preparing bridge
/interface bridge
add fast-forward=no name=Bridge1

# Adding all ports to the bridge, right?
/interface bridge port
add bridge=Bridge1 hw=no interface=ether1
add bridge=Bridge1 interface=ether2 pvid=11
add bridge=Bridge1 interface=ether3 pvid=11
add bridge=Bridge1 interface=ether4 pvid=11
add bridge=Bridge1 interface=ether5 pvid=11

# Set up the IP address so the RB3011 can reach this AP on the Management network
/ip address
add address=172.16.10.11/24 interface=Bridge1 network=172.16.10.0
/ip dns
set servers=8.8.8.8
/ip route
add distance=1 gateway=172.16.10.1

# Default wireless conf.,
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(20dBm), SSID: SSID VLAN11 2.4GHz, CAPsMAN forwarding
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=no_country_set frequency-mode=manual-txpower rx-chains=0 ssid=MikroTik tx-chains=0 wireless-protocol=nv2-nstreme-802.11
# managed by CAPsMAN
# channel: 5560/20-eeCe/ac/DP(24dBm), SSID: SSID VLAN11 5GHz, CAPsMAN, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik

# Set up discovery
/interface wireless cap
set discovery-interfaces=Bridge1 enabled=yes interfaces=wlan1,wlan2

# ----------> NOW it's time to prepare the switching for VLAN11

# this one is harmless until I change the vlan-mode, as you described
/interface ethernet switch vlan
# VLAN 1 on management and CPU
add vlan-id=1 ports=ether1,switch1-cpu switch=switch1
# VLAN 11 on the other 4 ports
add vlan-id=11 ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1

# Setting up VLAN IDs for ETH2, ETH3, ETH4, ETH5 (not for ETH1 as trunk port)
/interface ethernet switch port
set 1 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=11 vlan-header=always-strip vlan-mode=secure

# Most important and PROBLEMATIC common line!
/interface ethernet switch port set 0 vlan-mode=secure default-vlan-id=1 vlan-header=leave-as-is ; /interface ethernet switch port set 5 vlan-mode=secure default-vlan-id=1 vlan-header=leave-as-is

Now I’m still stuck here: lost connection from the RB3011 and no DHCP for VLAN11 on hAPac2 ETH2-ETH5.
Thank you very much.

VLANs creations under Bridge Management (VLAN1 is hidden, right?)

Sort of. A bridge has two roles, one switch-like connecting interfaces together, the other an interface-like one to access services within the Mikrotik (routing, DHCP, etc.). Whilst VLAN ID 1 is used within the switch-like part, it is removed on egress from / added on ingress to the interface-like part due to
/interface bridge add name="Bridge Management" vlan-filtering=yes pvid=1


DHCP server settings for 4x VLANs (please let me know if i can setup a DHCP for Bridge Man on VLAN1)

The DHCP setup appears fine, however you have not enabled VLAN11/12/13/14 to be available tagged on any ports, so wired connections accessing these VLANs will not work. Wireless connections will work as you have used CAPsMAN forwarding, which encapsulates the traffic and passes it over the CAPsMAN management connection - this uses CPU resources on both the APs and the controller.
To make the VLANs available you probably want
/interface bridge vlan
add bridge="Bridge Management" tagged="Bridge Management",ETH7,ETH8,ETH9,ETH10 vlan-ids=11
add bridge="Bridge Management" tagged="Bridge Management",ETH7,ETH8,ETH9,ETH10 vlan-ids=12
add bridge="Bridge Management" tagged="Bridge Management",ETH7,ETH8,ETH9,ETH10 vlan-ids=13
add bridge="Bridge Management" tagged="Bridge Management",ETH7,ETH8,ETH9,ETH10 vlan-ids=14

On the hAP, not enabling hardware acceleration of ether1 could well be breaking things when the switch chip VLAN filtering is enabled
/interface bridge port
add bridge=Bridge1 hw=yes interface=ether1

I don’t get the difference.

On my hAP ac², I’ve got the following:

/interface bridge
add name=bridge … vlan-filtering=yes pvid=3 …

/interface bridge port
add bridge=bridge interface=ether1 pvid=3 hw=no

/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=3


/interface ethernet switch port
set ether1 default-vlan-id=3 vlan-mode=secure
set switch1-cpu default-vlan-id=3 vlan-mode=secure

And with these settings, the hAP ac² can normally talk to devices that are connected tagless to ether1. So vlan-mode=secure does not block delivery of tagless frames between ports if default-vlan-id on both the ingress and egress ports matches a vlan-id which is permitted at both of them (so the wording on the manual wiki is confusing).

I’m running 6.45.9, but it should not make such a difference.

Leaving aside that hw=no on the /interface bridge port row breaks hardware forwarding between ether1 and the other ports as @tdw has properly stated, the thing which I don’t get is why in your case, setting vlan-mode=secure at both switch ports (ether1 and switch1-cpu) cuts your management access to the hAP ac² when it doesn’t in my case. Yes, I do have
/interface bridge vlan

add vlan-ids=3 bridge=bridge untagged=ether1,bridge tagged=ether4

But if not for the tagged ether4, this row would not be necessary as untagged member ports are being added automatically.

So do you use safe mode when entering the last command, and the device becomes inaccessible after that, and the safe mode restores the previous configuration?

In my hAPac2 I did not enable vlan-filtering (for PVID=1), as you can see. Is it necessary?


So do you use safe mode when entering the last command, and the device becomes inaccessible after that, and the safe mode restores the previous configuration?

yes, exactly

Let me do some other tests, because I did not add tags in

/interface bridge vlan

as @tdw described.
Thanks for now.

I got slightly lost in this thread, so I’ll just emphasize two things:

  1. don’t mix VLAN configs in /interface bridge and /interface ethernet switch. Setting things in both sections messes things up; they might cancel each other out or bite your pet. In short: both sections are exclusive even if ROS doesn’t make that clear.
    If you want HW offloaded operations, use the bridge as a dumb switch without any relation to VLANs.
  2. after you change things under /interface ethernet switch (and especially if things seem to work funny), cold boot the device (after having it powered off for a few minutes). If you’re 100% sure config and behaviour don’t correspond, export the config (to a text file), reset the device (to no config) and re-apply the exported config.
    There have been cases where some piece of old config somehow stuck while it was not shown in export, and the described procedure cleared it.

Hi guys, finally resolved, but with VLANs on bridges, not with the switch chip.

Now I have another problem: the APs, and clients connected to their WiFi, cannot ping hosts wired directly to the RB3011, nor hosts on the same WiFi!
Remember that the APs are managed by the RB3011.

RB3011 bridging:

/interface vlan
add interface="Bridge1 Management" name=VLAN11 vlan-id=11
add interface="Bridge1 Management" name=VLAN12 vlan-id=12
add interface="Bridge1 Management" name=VLAN13 vlan-id=13
add interface="Bridge1 Management" name=VLAN14 vlan-id=14

/interface bridge port
add bridge="Bridge1 Management" interface="ETH6" pvid=11
add bridge="Bridge1 Management" interface="ETH7"
add bridge="Bridge1 Management" interface="ETH8"
add bridge="Bridge1 Management" interface="ETH9"
add bridge="Bridge1 Management" interface="ETH10"

/interface bridge vlan
add bridge="Bridge1 Management" tagged="Bridge1 Management,ETH10" untagged="ETH6" vlan-ids=11
add bridge="Bridge1 Management" tagged="Bridge1 Management,ETH7" vlan-ids=12
add bridge="Bridge1 Management" tagged="Bridge1 Management,ETH8" vlan-ids=13
add bridge="Bridge1 Management" tagged="Bridge1 Management,ETH9" vlan-ids=14

hAPac2 bridging:

/interface vlan
# empty, not configured, must I?

/interface bridge port
add bridge="Bridge Trunk" hw=no interface=ether1
add bridge="Bridge Trunk" interface=ether2 pvid=11
add bridge="Bridge Trunk" interface=ether3 pvid=11
add bridge="Bridge Trunk" interface=ether4 pvid=11
add bridge="Bridge Trunk" interface=ether5 pvid=11

/interface bridge vlan
add bridge="Bridge Trunk" tagged="Bridge Trunk,ether1" untagged=ether2,ether3,ether4,ether5 vlan-ids=11

RB3011 ETH6 is connected to a NAS with IP 172.16.11.2 (untagged VLAN 11) with the firewall disabled.
If I access the first hAPac2 via Winbox, launch a terminal and:

  • ping 172.16.11.1 is reachable (IP address of VLAN11 on RB3011)
  • ping 172.16.11.2 is not reachable (NAS on RB3011 ETH6)
  • ping 172.16.11.3 is not reachable (Raspberry on same WiFi SSID - VLAN11)

No firewall rules configured.
What is happening?

Thank you very much.

To clarify, the CAPsMAN datapaths are NOT in local-forwarding, so the routing is managed by the RB3011.
A traceroute from the hAPac2 to the NAS on RB3011 ETH6 replies as:

 /tool traceroute 
address: 172.16.11.2
 # ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST
 1 172.16.10.1                        0%    1   0.3ms     0.3     0.3     0.3
 2                                  100%    1 timeout
 3                                  100%    1 timeout
 4                                  100%    1 timeout
 5                                  100%    1 timeout
 6                                    0%    1     0ms

This is the route on hAPac2:

 /ip route> print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          172.16.10.1               1
 1 ADC  172.16.10.0/24     172.16.10.11    Bridge Trunk              0

The subnets assigned and IP route config are missing in the posts.

But it seems that you want to have a connection from 172.16.10.11/24 to 172.16.11.2/24. In the forward direction, then 172.16.10.1 is the gateway. (RB3011 as router)
Did you define 172.16.11.1 as gateway in the NAS 172.16.11.2 ??

Just guessing what might be wrong/forgotten.

" lauch terminal and:" … your start point is hApac2. hApac2 cannot use VLAN11 as it is not defined there. (No IP address, no connected subnet)

yes

I’m not sure I understand how CAPsMAN on the RB3011 works: it’s working fine with multiple SSIDs and VLANs defined only on the RB3011, but clients connected to the hAPac2 cannot reach each other (even if client-to-client forwarding is checked in the datapath) and cannot reach the NAS on RB3011 ETH6.

I think I should open a new post; the original title is not the actual problem.