You have no information about switch2.
Are ports 1-12 currently working for 10.0.0.0/24? This assumes it will accept traffic for 10.0.0.0/24 as untagged into some vlan on the switch. Ideally you would use the same vlan on the CCR2216 bridge as the pvid on the external switch, this will avoid confusion. See https://www.practicalnetworking.net/stand-alone/vlans/#challenge for why you want to avoid mismatched vlans when connecting switches over the native untagged vlan.
If that's working, then you can turn on vlan-filtering on the bridge, and it should change nothing visible to you as long as a single vlan is in use.
To add vlan 10 you will need a vlan interface for it and provide a name, ip address, and add an /interface/bridge/vlan entry for vlan 10 containing at least the hybrid trunk port connecting to the external switch2 as a tagged member. ROS will already have vlan1 untagged dynamically (for all ports in the bridge that don't explicitly set a pvid, pvid=1 will be used and this dynamically adds an untagged connection to the vlan specified by the pvid), and vlan10 tagged dynamically (when you add the vlan10 interface).
If you enter the command /interface/bridge/vlan/print you will see the vlans and ports for which they are tagged and untagged. For example on my RB760iGS
[demo@MikroTik] > /interface/bridge/vlan/print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridge
;;; added by pvid
1 D bridge  1                         bridge
                                      ether5
;;; added by vlan on bridge
2 D bridge  199-200   bridge
            210
            999
;;; added by pvid
3 D bridge  200                       ether2
[demo@MikroTik] >
Create vlan 10 interface under bridge1 (give it a name, like vlan10)
Add ip address 10.0.10.1/24 to vlan10 interface.
Add dhcp server for vlan10 ( ip dhcp-server add address-pool... , ip dhcp-server network...)
Add vlan10 to address list LAN
Add new lists named LAN1 for vlan1 and LAN10 for vlan10 so they can be used in firewall.
See this for the one-way firewall, which uses firewall state to allow return traffic (in forward chain, accept established,related)
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
@anav will probably chime in with the rest, it is outlined in the referenced thread.
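
The steps listed in the post above, written out as one RouterOS configuration. This is an added example, not part of the original post or the referenced thread. Assumptions: `sfp28-1` stands in for the trunk port to switch2, the 10.0.0.0/24 address sits on `bridge1` itself, the interface list `LAN` already exists, the pool range and object names are constructed, and "one-way" is taken to mean that vlan1 may open connections to vlan10 but not the reverse.

```routeros
# VLAN 10 interface on the bridge, with its gateway address
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge1
/ip address
add address=10.0.10.1/24 interface=vlan10

# Carry VLAN 10 tagged on the trunk to switch2 (sfp28-1 is a placeholder port).
# The bridge itself is a tagged member so the vlan10 interface receives the frames.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp28-1

# DHCP for VLAN 10 (pool range is a constructed sample)
/ip pool
add name=pool-vlan10 ranges=10.0.10.100-10.0.10.200
/ip dhcp-server
add name=dhcp-vlan10 interface=vlan10 address-pool=pool-vlan10 disabled=no
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1

# Interface lists: LAN covers both networks, LAN1/LAN10 identify each one
/interface list
add name=LAN1
add name=LAN10
/interface list member
add list=LAN interface=vlan10
add list=LAN1 interface=bridge1
add list=LAN10 interface=vlan10

# One-way forwarding. Return traffic for connections opened from LAN1 is
# accepted by the existing established,related rule, so only new connections
# need a decision here. These rules belong after that rule in the forward chain.
/ip firewall filter
add chain=forward action=accept connection-state=new \
    in-interface-list=LAN1 out-interface-list=LAN10 \
    comment="LAN1 may open connections to LAN10"
add chain=forward action=drop \
    in-interface-list=LAN10 out-interface-list=LAN1 \
    comment="LAN10 may not open connections to LAN1"
```

After applying, `/interface/bridge/vlan/print` should list VLAN 10 with the bridge and the trunk port under CURRENT-TAGGED, and the counters on the drop rule show any attempts from vlan10 toward vlan1.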