Hi,
I have already Management Vlan placed on my ETH1 lan interface, now I need to have the same VLAN on ETH5 DMZ interface.
Vlans should talk to each other, but ETH1 and ETH5 should not. How to achieve this?
Now I have MGMT Vlan just put on ETH1 interface without using bridge.

Well since I magically can divine what device you have and what your configuration is, the answer is simple.
Hopefully you too are blessed with a crystal ball to figure out what the answer is.

ah sorry, CCR1009 on 6.44.6
I just have configured tagged MGMT Vlan on interface LAN and on firewall side I have rule to allow new and established connections from Ether1 to DMZ:
and this is working I have access to ether5 DMZ network, and DMZ network do not have access to my ether1 LAN.
But now I need to configure on DMZ ESXi host with IP from my MGMT network, this VLAN should be tagged like on ether1,
That's all.

Put the VLAN interface in a bridge together with ether5 and put the IP config you now have on ether5 on that bridge instead.
In fact I recommend to always put a bridge on each used port in the CCR1009, with only 1 port as a member, and put all config on those bridges.
That allows you the flexibility of later adding another port or VLAN into that bridge, or to move ports around without having to reconfig everything (e.g. when you want to move some port to the SFP), or to have bridge filtering when required, or to move the whole config to another type of router with different port layout, or... many other advantages.

If I put MGMT Vlan with Ether5 interface in the same bridge, will not the unsecure DMZ subnet get access to my MGMT Vlan?

Only when you have untrusted hosts in the DMZ that can tag their traffic with the MGMT Vlan tag.
When you want to guard against the possibility that someone hacks one of your DMZ hosts to get root access and is able to add VLAN interfaces, you should not do that config.
But that is a result of your "need" to access MGMT vlan from a host on the DMZ. Of course you should not want that, but you do.

Put the VLAN interface in a bridge together with ether5 and put the IP config you now have on ether5 on that bridge instead.

One should avoid bridging physical ports with vlan interfaces:
https://wiki.mikrotik.com/wiki/Manual:L ... _interface
Creating a proper vlan-aware bridge is not as complicated as it may seem, so there are no reasons not to do it.

Note that the vlan-aware bridge is less versatile than the general solution of putting vlan interfaces in a bridge.
For example, it is not possible to have different tags on different ports (tag translation). Of course it should not be used in environments with STP.
It also does not solve the issue that he is afraid of: that it would be possible to access the MGMT vlan from the DMZ.

I find it very confusing that for this vlan-aware bridge configuration you both need to specify which port(s) you want to be untagged on each VLAN, and ALSO which VLAN you want to be on those PORTS: That "pvid=99" parameter is just silly.
Just yesterday I configured a router temporarily as a VLAN switch (it replaced a switch, but is to become a router later) and I got bitten by this again...

Note that the vlan-aware bridge is less versatile than the general solution of putting vlan interfaces in a bridge.
For example, it is not possible to have different tags on different ports (tag translation).

True. But when talking about tag translation between two ports, the bridge will contain two vlan interfaces and no physical ports, so no questions in that case.
Of course it can be more ports and some mixture of physical and virtual interfaces, but when this become complicated enough one should begin to think about getting a proper switch. :)

I find it very confusing that for this vlan-aware bridge configuration you both need to specify which port(s) you want to be untagged on each VLAN, and ALSO which VLAN you want to be on those PORTS:

True again. That is overcomplicated indeed.

I find it very confusing that for this vlan-aware bridge configuration you both need to specify which port(s) you want to be untagged on each VLAN, and ALSO which VLAN you want to be on those PORTS:

Code: Select all

/interface bridge port
add bridge=bridge1 interface=ether1 pvid=99
/interface bridge vlan
add bridge=bridge1 untagged=ether1 vlan-ids=99

That "pvid=99" parameter is just silly.
Just yesterday I configured a router temporarily as a VLAN switch (it replaced a switch, but is to become a router later) and I got bitten by this again...

I don't know if it has always been the case with VLAN-aware bridges, or something which has been added since they were originally introduced, but it is only necessary to specify pvid= parameter under /interface bridge port, the untagged= under /interface bridge vlan is not required as the untagged memberships are created dynamically from the port PVID. Something was added to this effect in the wiki recently at the end of https://wiki.mikrotik.com/wiki/Manual:I ... d_Ports.29 section.

This seems a logical mechanism as a port can only have one PVID under /interface bridge port, but it could be accidentally specified as an untagged member of more than one VLAN under /interface bridge vlan.

Not sure what is being discussed here but
assigning vlans to a bridge and then assigning the bridge port settings and the bridge vlan settings properly is easy and it works.
Best reference is here....
viewtopic.php?f=13&t=143620

So if xvo-whiskey is stating this is what you do, then I roll with him, high five and give pikachu the cold shoulder
If pikachu. is stating this is what you should then he is my bested bud, and dont even look at xvo-whisky.
See I don't play favourtes (fair and just)

Only when you have untrusted hosts in the DMZ that can tag their traffic with the MGMT Vlan tag.
When you want to guard against the possibility that someone hacks one of your DMZ hosts to get root access and is able to add VLAN interfaces, you should not do that config.
But that is a result of your "need" to access MGMT vlan from a host on the DMZ. Of course you should not want that, but you do.

@pe1chl
so how you manage hosts in DMZ zone, do I have any other alternatives?

When you have an ESXi host that you want to manage, of course you can put the management on another ethernet port.
Or you could make both DMZ and MGMT a tagged VLAN, connect it to the virtual switch and make separate portgroups on each VLAN, connect the MGMT to the ESXi kernel and put all DMZ hosts on the DMZ portgroup.
When your DMZ hosts can break out of the virtual machine and access the ESXi host they could still access your MGMT network, but the chance of that happening is less than that your hosts itself are hacked (at least when ESXi is kept uptodate).

Unfortunately I don't have no more free ethernet ports on server, and I would like to divide network traffic on dmz side to another ethernet port as on my LAN I have already other VLANS and quite high network traffic. OK will try with creating bridge in your way.

I have problem accessing MGMT devices that are on my DMZ network.
First I added bridge: and disabled filtering at the end of my firewall rules, to be sure that nothing is filtered:
Now on TP-LINK switch connected to mikrotik ether5 DMZ port I configured vlan trunk with tagged MGMT VLAN15, and also did it the same on the port connected to ESXi host.
On ESXI host in management network I configured MGMT Vlan as 15, and configured corresponding ip address.

The results are that I cannot from ESXI host ping MGMT gateway, from my LAN side I cannot ping ESXI MGMT vlan IP.
Could anyone help me with that?