Hi,
I have my RB4011iGS+RM currently set up with three bridges for three subnets (management, LAN, IoT), each bridge has two physical ethernet ports. I need to have all three subnets on a Wi-Fi AP that will be connected on ether10 (the only PoE port), so I figured I'd create 3 VLANs corresponding to the subnets via /interface vlan, add them to their respective bridges and use ether10 as a trunk port with all three, but while reading through the wiki, I've found that this is one of the common misconfigurations and probably won't work - https://wiki.mikrotik.com/wiki/Manual:L ... _interface
Apparently the new way is to use Bridge VLAN Filtering, which if I understand correctly turns the bridge into a VLAN-aware virtual switch, creating something like a virtual router-on-a-stick setup.
I think I understand most of the principles of this setup from reading the wiki, but I still have a few questions:
- A physical interface (ether10 in my case) cannot be added to multiple bridges. Is the best practice to create one big bridge with all the VLANs and then separate the ports using PVIDs (set them as access ports), or can I keep the three separate bridges (I noticed you can add a tagged port under /interface bridge vlan even if the port wasn't added to the bridge using /interface bridge ports)?
- If I will have to create one big bridge for all the subnets, I will be left with only one L3 interface (the new bridge). How do I set up a firewall between the subnets? The PVID field on the bridge itself can be used to allow all VLANs to the CPU for routing, but what would be the settings in /ip addresses and /ip firewall?
- Are there any extra performance or security settings that I should be aware of?
I hope the description isn't too confusing :)
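The single-bridge layout the post describes, written out as a RouterOS configuration (an added example, not part of the original post or any MikroTik reference config). It assumes VLAN IDs 10/20/30, 192.168.x.0/24 addressing and a port layout chosen for illustration: ether10 carries all three VLANs tagged to the AP, each VLAN gets its own L3 interface on top of the bridge, and the forward chain drops traffic between VLANs unless a rule explicitly allows it.

```routeros
# Assumed layout (not from the post): ether2-3 = management (VLAN 10),
# ether4-5 = LAN (VLAN 20), ether6-7 = IoT (VLAN 30), ether10 = AP trunk.
/interface bridge
add name=bridge1 vlan-filtering=no comment="enable filtering last, once ports, VLANs and addresses exist"
/interface bridge port
# Access ports: untagged only; ingress-filtering drops frames for VLANs the port is not a member of
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether6 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether7 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk to the AP: tagged frames only, so untagged traffic from the AP cannot land in the bridge PVID
add bridge=bridge1 interface=ether10 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
# Listing bridge1 itself as tagged is what lets each VLAN reach the CPU for routing
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether10 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether10 untagged=ether4,ether5
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether10 untagged=ether6,ether7
/interface vlan
# One L3 interface per VLAN, all created on the bridge rather than on physical ports
add name=vlan10-mgmt interface=bridge1 vlan-id=10
add name=vlan20-lan interface=bridge1 vlan-id=20
add name=vlan30-iot interface=bridge1 vlan-id=30
/ip address
add address=192.168.10.1/24 interface=vlan10-mgmt
add address=192.168.20.1/24 interface=vlan20-lan
add address=192.168.30.1/24 interface=vlan30-iot
/interface list
add name=VLANS
/interface list member
add list=VLANS interface=vlan10-mgmt
add list=VLANS interface=vlan20-lan
add list=VLANS interface=vlan30-iot
/ip firewall filter
# Inter-VLAN policy lives in the forward chain; default is deny between VLANs
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=vlan20-lan out-interface=vlan30-iot comment="LAN may initiate to IoT"
add chain=forward action=drop in-interface-list=VLANS out-interface-list=VLANS comment="all other inter-VLAN traffic"
/interface bridge
set bridge1 vlan-filtering=yes
```

Traffic to the router itself (WinBox, SSH, DNS) is governed by the input chain, not by these forward rules, so keep a working management path on vlan10-mgmt before switching vlan-filtering on, or a mistake in the VLAN table locks you out.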