sb4820
just joined
Topic Author
Posts: 5
Joined: Sun Apr 21, 2019 9:15 pm

Understanding VLAN Interfaces, Bridge VLAN Filtering etc.

Sun Oct 11, 2020 2:16 pm

Hi there,

I'm still trying to figure out how to correctly set up VLANs in RouterOS. I did a project last year where I basically followed this tutorial (https://administrator.de/tutorial/mikro ... 67186.html), but with a less detailed configuration, as routing and administration from every VLAN wasn't necessary.

I started from the standard configuration of the two CRS328-24P-4S+RM in the setup. Goal was to have Ports 1-16 in the native VLAN 1 (untagged on my trunk ports SFP1 + SFP2) and ports 17-24 in VLAN 100 (tagged on trunks).

So the only thing I did was to set up the PVIDs of the ethernet interfaces in bridge port settings, assigned the SFP ports as "tagged" to the VLAN 100 under Bridge -> VLANs and enabled Bridge VLAN filtering. Management IP still assigned to the bridge. Bridge itself was an untagged member of VLAN 1. That's it. This worked as expected. Web interface was reachable only from VLAN 1, also as expected.

I didn't create any VLANs under "Interfaces".

Now, we have a new project where a colleague of mine started to set up VLANs, also following the tutorial more strictly, including setting up the VLAN interfaces, but ended up locking himself out from WebFig (IPs not reachable anymore).

So I took a deeper look at what's the idea behind the method of the tutorial, tried some things out and it got more and more confusing for me. Seems I had a bit of luck that my setup in the other project even worked correctly.

At the moment I have a CRS112-8G-4S-IN in my test setup.
What I tried to achieve: Ports 1-4 VLAN1, Ports 5-6 VLAN2, Ports 7-8 Trunk with VLAN1 untagged and VLAN2 tagged BUT management interface reachable from both VLANs.

So here comes the first thing which confuses me: What exactly is the purpose of the interfaces "vlan1" and "vlan2" that I have to create? Does this really have something to do with the actual terminus "VLAN" as a virtual network consisting of logical ports, or is this just a virtual internal interface (like a virtual ethernet port) that I create to be able to assign a management IP to it and add it to a bridge? I believe the latter, but what confused me here is that the interface itself already gets set a VLAN ID on creation. Other ports get the PVID set up when added as a bridge port, which seems absolutely logical to me. Also, why is there a drop down menu where I assign the "vlan" to an interface, when it is handled as an interface itself and added to a bridge in a later step, like the ethernet ports? What exactly do I set with this? Maybe VLAN ID has not the same purpose as PVID?

I assigned one management IP to vlan1 and another to vlan2. That's the next point where I get lost. Do I need to add everything as tagged under "Bridge -> VLANs"? Shouldn't it also work if I assign vlan1 and the bridge itself as untagged members of VLAN 1? In my understanding, this is the obvious way to handle it as the native VLAN.
Does the vlan-adapter itself add a vlan tag, even if it is an untagged member (I hope you understand what confuses me here)?

I tried several constellations and never was able to reach the switch from every port under the expected IPs corresponding to the VLANs. But I will try this another time from scratch.

As it didn't work as expected with the management IPs bound to vlan1 and vlan2, I tried to recreate the configuration from my other project, but with a second IP that was assigned directly to ethernet5 which has the PVID 100. Again I didn't create any vlan interfaces. Bridge has PVID 1 and is an untagged member of VLAN1. As expected, the management IP assigned to the bridge wasn't reachable from ethernet5. But neither was the address assigned directly to ethernet5. Both were reachable from the ports that had the same PVID as the bridge! How is this possible? Because ethernet5 is also a member of the bridge? So the PVID is ignored here when the management IP is bound to any port that is a bridge member?

I know by myself that I have massive problems of understanding how all of this is handled in RouterOS, but still looking for the best tutorial which explains the background to get rid of them...
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Understanding VLAN Interfaces, Bridge VLAN Filtering etc.

Sun Oct 11, 2020 3:26 pm

I think the main source of confusion is that there are two different layers mixed together. You have vlans in bridge config and they are used to configure hardware switch or bridge as software variant. It's low level stuff, like on a regular managed switch. If you have only these vlans, they are not enough to access any service on router from them (and also anything in them from router). Then you have vlan interfaces and they are like other interfaces (e.g. ethernet) that you can use for routing, give them IP addresses, etc. And to make it even more confusing for beginners, bridge interface itself can also work as such interface.

I personally like examples in manual, they are simple and IMHO easy to understand (at least first four, before they get to combining more tags). Or there's this popular thread with examples and explanations.
 
sb4820
just joined
Topic Author
Posts: 5
Joined: Sun Apr 21, 2019 9:15 pm

Re: Understanding VLAN Interfaces, Bridge VLAN Filtering etc.

Sun Oct 11, 2020 6:19 pm

I just read through the Interface/VLAN manual again. As assumed, sending traffic to the "vlan" interfaces adds a VLAN-tag to the packet.

This clears things up a bit. Another very helpful post was this one:
viewtopic.php?t=143620#p707067

I played around with the settings and now I think that I understand most of it. The key was to see the bridge interface vs. the bridge acting as the actual switch for processing the traffic as mentioned in that post.

I created two scenarios: First was IP 192.168.88.1/24 bound to interface vlan1 (now I also understand why this vlan-interface has to be assigned to another interface and why it hasn't to be a bridge member itself then) and vlan2 bound to 192.168.89.1/24. By accessing them through vlan-adapters, they get a vlan tag, so the bridge interface (again important to understand that we talk about an interface now!) has to be added as tagged to both VLANs as the packets come in tagged.

Then I edited the scenario and set the interface of IP 192.168.88.1/24 directly to bridge. Now packets from this management IP have no VLAN tag, so I have to set the bridge interface on VLAN1 as untagged to match this. Although the packets on the actual bridge which does the processing still run "internally" with VLAN-Tag "1" as the PVID of the bridge interface is set to 1, right? My ports ether1-ether4 also run "externally" untagged but "internally" with vlan-tag 1, so that is how we get connected here.

Other things I found out:
1. Not every time changing those settings a reboot is necessary, but sometimes I wondered "Shouldn't this work now?" and the reboot did the game then.
2. You should avoid setting two addresses in the same network (my first experiments were with 192.168.88.1/24 and 192.168.88.2/24), at least in this constellation with VLANs...
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Understanding VLAN Interfaces, Bridge VLAN Filtering etc.

Sun Oct 11, 2020 6:57 pm

1) Reboot shouldn't be necessary. The only thing in RouterOS which I'm sure has problems with online changes is RP filter in IP setting. On the other hand, I haven't tried everything, so it's not impossible that something with vlans could get stuck too.
2) If you mean on different interfaces, you should avoid that in any case, not only with vlans.
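
The second scenario from sb4820's post above (192.168.88.1/24 on the bridge interface as an untagged member of VLAN 1, 192.168.89.1/24 on a vlan2 interface with the bridge tagged in VLAN 2), written out as RouterOS commands. This is an added example, not part of the original thread; it assumes an empty starting configuration, a bridge named `bridge`, ports named ether1 to ether8, and adds `frame-types`/`ingress-filtering` on the access ports as an optional hardening step.

```routeros
# Added example (not from the thread). Names below are assumptions.
# Layer 1: the bridge acting as the switch. Filtering stays off until the end
# so the management session is not cut while the VLAN table is incomplete.
/interface bridge
add name=bridge pvid=1 vlan-filtering=no

# Access ports: untagged frames entering a port get that port's PVID "internally".
/interface bridge port
add bridge=bridge interface=ether1 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether2 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether3 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether4 pvid=1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether5 pvid=2 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge interface=ether6 pvid=2 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk ports: VLAN 1 untagged (native), VLAN 2 tagged, so both frame types are admitted.
add bridge=bridge interface=ether7 pvid=1 frame-types=admit-all ingress-filtering=yes
add bridge=bridge interface=ether8 pvid=1 frame-types=admit-all ingress-filtering=yes

# VLAN table. The bridge interface itself is listed like any other port:
#  - untagged in VLAN 1, because the IP on "bridge" sends and receives untagged frames
#  - tagged in VLAN 2, because the vlan2 interface sends and receives frames tagged with ID 2
/interface bridge vlan
add bridge=bridge vlan-ids=1 untagged=bridge,ether1,ether2,ether3,ether4,ether7,ether8
add bridge=bridge vlan-ids=2 tagged=bridge,ether7,ether8 untagged=ether5,ether6

# Layer 2: interfaces the router's own services use.
# vlan2 sits on top of the bridge interface and is not a bridge port itself.
/interface vlan
add name=vlan2 interface=bridge vlan-id=2

/ip address
add address=192.168.88.1/24 interface=bridge
add address=192.168.89.1/24 interface=vlan2

# Enable filtering last, once ports, VLAN table and addresses are in place.
/interface bridge
set bridge vlan-filtering=yes
```

With this layout the router's services answer in both VLANs, so any restriction on which VLAN may reach WebFig or other management services has to be applied separately (for example in the firewall input chain).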
