sterling
Member Candidate
Topic Author
Posts: 112
Joined: Tue Jan 18, 2011 8:55 am
Location: Utah

VLAN Help, or, why is mikrotik VLAN so weird!!

Tue Nov 04, 2014 6:03 am

I make a VLAN interface, I assign it to another interface/bridge.

What exactly is going on?

Is it tagging packets going in that interface/bridge? Coming out the VLAN/bridge?

I have a bunch of switches hooked up to my Mikrotik CCR and I want to 'trunk' management VLAN 10 to a specific/separate bridge.

How the hell is this done?

Specifically, I have a bunch of 260GS SWOS devices connected to switches which should pass through the VLAN tagged traffic.

But firstly, I am not exactly sure how to put the 260GS IP on management VLAN 10.
Is that just filling in the last page field under management IP that says VLAN and entering 10?
Or do I also have to change the VLAN page and the VLANs page as well?

Then when all that traffic gets aggregated to the bridge I created for all those devices, how do I create a VLAN 'access' in the CCR to get to the management?

It's all so easy using the standard switch syntax of VLAN tag/untagged/allow on my switches.

Mikrotik is like a whole other language when it comes to VLAN.

Please help!
 
SystemErrorMessage
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: VLAN Help, or, why is mikrotik VLAN so weird!!

Tue Nov 04, 2014 5:09 pm

It may help to read a bit about VLAN.

When you attach a vlan to an interface then that interface becomes a member of that vlan.
If you attach a vlan to a switch/bridge then all interfaces under that bridge become members of that vlan.
Tagging vlans are used for vlan communication between switches.

I'll translate mikrotik vlan from the usual switching. In switching if I want to make a port be a member of a vlan I just set it, in routerOS I attach a vlan interface to that port.

In switching if I want to attach a bunch of ports to a vlan, the equivalent in mikrotik is I create a bridge for those ports and attach a vlan to that bridge. For the reverse, 1 port with multiple vlans, you create multiple vlans in mikrotik and attach them to the same port. In mikrotik you can create multiple vlan interfaces with the same vlan.

Combining ports is easy really but I recommend you read the mikrotik wiki about it. I use balance rr with a managed switch. If you are combining ports then don't address the ports individually, rather use the bonding interface when configuring rather than individual ports.

If I want to have 2 separate switched vlans, i.e. a set of 5 ports and another set of 5 ports, but I want some of those ports to also be connected to the other switch/bridge, then I create another bridge interface and add the same physical port to both bridges. Anything that is applied to a bridge is applied to all ports under it. If I give the bridge a vlan then all ports under that bridge are part of that vlan. It may help if you had a network diagram of what you want to do.
 
sterling
Member Candidate
Topic Author
Posts: 112
Joined: Tue Jan 18, 2011 8:55 am
Location: Utah

Re: VLAN Help, or, why is mikrotik VLAN so weird!!

Tue Nov 04, 2014 8:21 pm

Thanks, but that's not really very helpful.

On a switch port you assign it to a VLAN to pass a tagged packet, or not.
That port can be untagged and it will tag ingress packets with the VLAN ID and strip it when it egresses the port.

I don't see any of this in routerOS.

All I see is the ability to create a VLAN interface with an ID and assign it to another interface.

So where exactly do I define an untagged port egress/ingress that will add/strip the ID?
Where do I tell it that the ingress/egress should only allow ID 10 and filter the rest, including ID 1, out?

That is what I need to know, and the documentation is very lacking.

I need to map my understanding of VLAN to their VLAN methodology.

I understand VLAN very well, it's pretty simple.

Implementations on switches vary a bit, but are generally the same, mapping ports to VLAN ID and filtering rules.

Mikrotik doesn't seem to have the filtering rules part?

I have a bridge of interfaces with regular/general VLAN 1 traffic flowing through it.
I need packets tagged with VLAN 10 also flowing on that bridge to be allowed to and from a separate bridge, and not the VLAN 1/general traffic.

How exactly is this done?

I prefer winbox to telnet coding.

If someone has a winbox interface screenshot of this I would like to see it.
I assume it would be of the bridge page/screen with VLAN interfaces on the bridges.
 
SystemErrorMessage
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: VLAN Help, or, why is mikrotik VLAN so weird!!

Tue Nov 04, 2014 9:51 pm

I've attached a screenshot of my config. I use tagged vlans with an ubuntu cluster to facilitate networking on the physical and virtual layer to accommodate VPN and other devices that I cannot physically connect to my ISP.
Vlan.png
I couldn't fully understand what you were asking but if you want tagged vlans then just tick use service tag. In your case if you have 2 different bridges and you want them to be able to communicate with each other and both have the same tagged VLANs then I would create 2 VLAN interfaces with the same VLAN ID and tagged and attach each of them to a bridge. I would then make sure that the physical ports are part of both bridges.

In the logic of routerOS you can't bridge 2 bridges, it makes no sense since you might as well just have 1 bridge with all those interfaces. A bridge is just like a switch but the ports still operate individually. If you want only some ports of a bridge to be in 1 vlan then you must make a vlan interface separately for each port. If you want all ports in a bridge to be in the same vlan you can use the same way or just add a vlan interface to the bridge.

It took some effort at first since there was no one who answered my question about vlan but I worked it out myself. It is worth tinkering around to learn. RouterOS lets you do quite a lot of stuff.
 
sterling
Member Candidate
Topic Author
Posts: 112
Joined: Tue Jan 18, 2011 8:55 am
Location: Utah

Re: VLAN Help, or, why is mikrotik VLAN so weird!!

Tue Nov 04, 2014 10:45 pm

That helps a little bit.

In the picture shown, I have a CCR router with customer traffic on the Customer bridge.
If you can imagine, I have lots of devices sitting behind interfaces connected to this bridge being routed out the internet.

However, these devices have management in band on VLAN 400.

I have another bridge named Devices with interfaces connected to stuff that don't use VLAN so they need to be tagged 400.

All of that 400 traffic needs to be accessible from my EoIP tunnel back to my cloud hosted servers.
So the EoIP tunnel needs to tag/untag VLAN ID 400 to talk to those units.

I have made a couple of VLAN interfaces with ID 400, but I'm at a loss of where to put them.

I'm guessing I need to select the Service Tag option in each one though...

Any ideas?
 
sterling
Member Candidate
Topic Author
Posts: 112
Joined: Tue Jan 18, 2011 8:55 am
Location: Utah

Re: VLAN Help, or, why is mikrotik VLAN so weird!!

Tue Nov 04, 2014 11:45 pm

Ok, I did get it working using exactly the parameters you set EXCEPT setting the service tag box.

On the VLAN page of the VLAN 400 I set the interface to Customers.
Then I added the VLAN 400 interface to the Devices bridge.

Done.

I'm still not entirely sure how mikrotik filtering works, so that worries me, but it does seem to only allow VLAN 400 tagged traffic through to the Devices bridge.

So at least in this scenario I know that it is acting as a tagged port for ID 400 and filtering on ingress in from Customers to allow only 400, and it's tagging egress to Customers with 400.

In this scenario it's treating its relation to Devices bridge interface as an untagged port VID 400.
 
pants6000
Frequent Visitor
Posts: 87
Joined: Fri Sep 26, 2014 5:30 am

Re: VLAN Help, or, why is mikrotik VLAN so weird!!

Wed Nov 05, 2014 8:20 am

"Use service tag" is for 802.1ad stacked vlans, and sets the outer tag ethertype to 0x88a8.
 
sterling
Member Candidate
Topic Author
Posts: 112
Joined: Tue Jan 18, 2011 8:55 am
Location: Utah

Re: VLAN Help, or, why is mikrotik VLAN so weird!!

Wed Nov 05, 2014 10:53 pm

"Use service tag" is for 802.1ad stacked vlans, and sets the outer tag ethertype to 0x88a8.
Wow, another case where they use the most vague term possible for something.

Why can't it say 802.1ad? Or Stacked/QinQ VLAN enable etc?

Don't get me wrong, I love using and learning Mikrotik OS, but sometimes I wish they would stick with industry terminology more.

Or at least realize that there is a whole other 'standard' way of looking at things that applies to their OS/Hardware
 
pants6000
Frequent Visitor
Posts: 87
Joined: Fri Sep 26, 2014 5:30 am

Re: VLAN Help, or, why is mikrotik VLAN so weird!!

Wed Nov 05, 2014 11:30 pm

Yeah, the web interface in particular is pretty starkly commented/annotated in a lot of places.

In this case (just to make it weirder?), if you want to do a qinq stack of VLANs with the outer ethertype of 0x8100, you don't use the "service tag" option--rather just add the inner VLAN as usual, specifying the outer vlan in the "interface" field.

Quirky, yes, but loveable.
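
The tagging behaviour discussed in this thread (a VLAN interface passing only frames tagged with its ID, and the 0x8100 versus 0x88a8 outer ethertype) can be checked at the frame level. The following is an added example, not code from any poster or from RouterOS: a simplified model of 802.1Q/802.1ad tag handling in which the function names and the sample frames are constructed for illustration.

```python
import struct

TPID_CTAG = 0x8100   # 802.1Q customer tag
TPID_STAG = 0x88A8   # 802.1ad service tag ("use service tag" in the thread)
TPIDS = (TPID_CTAG, TPID_STAG)

def build_frame(tags, ethertype=0x0800, payload=b"constructed-payload"):
    """Constructed Ethernet frame; tags is [(tpid, vid), ...], outermost first."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for tpid, vid in tags:
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return frame + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return ([(tpid, vid), ...], inner_ethertype, payload_offset)."""
    tags, off = [], 12                      # skip dst + src MAC
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TPIDS:
            return tags, etype, off + 2
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))  # low 12 bits of the TCI are the VID
        off += 4

def vlan_ingress(frame, vid, service_tag=False):
    """Model of a VLAN sub-interface on a parent: accept only frames whose
    outer tag matches (TPID and VID) and strip that tag; None means filtered."""
    want = TPID_STAG if service_tag else TPID_CTAG
    tags, _, _ = parse_tags(frame)
    if not tags or tags[0] != (want, vid):
        return None
    return frame[:12] + frame[16:]

def vlan_egress(frame, vid, service_tag=False):
    """Push the outer tag on the way out through the parent interface."""
    tpid = TPID_STAG if service_tag else TPID_CTAG
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]
```

Stacking two `vlan_ingress` calls (outer ID first, then inner ID) models the 0x8100 QinQ arrangement described in the last reply, where the inner VLAN names the outer VLAN as its interface.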
 
tania
newbie
Posts: 39
Joined: Fri Feb 07, 2014 10:15 am

Re: VLAN Help, or, why is mikrotik VLAN so weird!!

Sun Jan 11, 2015 10:41 am
