Hi.
I'm trying to set up a small Mikrotik network with some VLANS. The hardware is two HAP AC's, linked with a trunk from ETH5 to ETH1.

On Main HAP AC i get VLAN 101 (IPTV) and 102 (WAN) in on the SFP interface from ISP.
I also need an internal VLAN (250) for NATing to internet.
VLAN101 (IPTV) should be accessed directly on one port on each router, while 102 is WAN and will only be used for a WAN-interface on HAPAC1.
The WAN part is not a problem, since VLAN102 should only be used for WAN.

Since HAP AC doesn't have the SFP port in the same switch group as the Ethernet ports I have to do both both Software and hardware VLAN.

One solution is ofcourse to do software only VLAN on HAPAC1 - make a bridge-trunk with SFP and ETH5 in this, and then set up all VLAN (101+102+250) on this bridge.
The problem with this is
1 - I also expose internal vlan (250) to the ISP. (That might be bridge-firewalled through). and
2 - internal traffic on VLAN250 will be software-VLAN, therefore more CPU usage then necessary.

But there should be a way to do Software bridge on SFP (for getting vlan 101+102 from isp), and then get VLAN101 "forwarded" to hardware VLAN through switch chip?

What about making a VLAN101 interface on SFP, and then a VLAN101 against switch chip (ether1) , and then "bridge" those two - may this be the correct way to do it?

Don't try too hard to go for the ideal scenario you have in your head, approach the problem from a usefulness point of view. E.g. I don't think there is any real benefit from a performance point of view from having true wirespeed for anything else but vlan250.