OK, I analyzed your answer very carefully. There are some misunderstandings which I wanted to clear up so we are both on the same page here.
So my concern regarding what you had in mind when saying that the switch should be a gateway for some devices in the VLAN remains - a gateway is an L3 term, meaning that there should be an IP address in each VLAN already on the external switch,
It is. Starting from the beginning:
Here is a schema
This is a software VLAN configuration on MikroTik. By "software" I mean all VLANs are attached to the bond device, and the bond device of course has two interfaces attached in LACP mode.
Some of the vlans are set on MikroTik but some of them aren't. For example the user vlan 131 10.13.1.0/24
Both MikroTik and the switch are connected with a bond. This bond is for trunk capability and it pushes those VLANs which are created on the switch, and MikroTik is also participating in those VLANs with an IP address in each VLAN which ends with .1, as it is in the picture.
So when I said that about the gateway, I don't mean that the switch is a gateway. What I said was that the end user in the user VLAN 131 (10.13.1.0/24) has a DHCP server from the switch (the switch is a DHCP server) and also for that user the switch is a default gateway. So for 10.13.1.0/24 access to 0.0.0.0/0 is provided via 10.13.1.1 (switch DHCP server). On that switch there is a route entry which says 0.0.0.0/0 goes via 10.13.60.1 (which is the InterLink VLAN between the switch and MikroTik). On MikroTik there has to be a static route entry pointing to network 10.13.1.0/24 via 10.13.60.2 (switch IP on the Interlink VLAN). So this configuration works on software VLANs.
/interface bonding
add mode=802.3ad name="LACP to Core" slaves=ether3,ether4 transmit-hash-policy=layer-2-and-3
/interface vlan
add interface="LACP to Core" name=Azure vlan-id=1000
add interface="LACP to Core" name=CCTV vlan-id=1313
add interface="LACP to Core" name=DMZ vlan-id=1351
add interface="LACP to Core" name=Guest_Wifi vlan-id=1680
add interface="LACP to Core" name=Interlink-to-core vlan-id=1360
add interface="LACP to Core" name=Management vlan-id=254
add interface="LACP to Core" name=TV vlan-id=1322
add interface="LACP to Core" name=Voice vlan-id=1323
/interface vrrp
add interface=Interlink-to-core name=vrrp-core preemption-mode=no priority=254
/ip address pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 10.13.60.1/29 10.13.60.0 Interlink-to-core
1 10.13.13.1/27 10.13.13.0 CCTV
2 10.255.254.254/24 10.255.254.0 Management
3 10.13.22.1/28 10.13.22.0 TV
4 10.100.0.1/24 10.100.0.0 Azure
5 10.13.51.1/24 10.13.51.0 DMZ
6 10.13.22.1/28 10.13.22.0 Voice
7 192.168.50.1/23 192.168.50.0 Guest_Wifi
9 10.13.69.1/24 10.13.69.0 bridge
10 10.13.60.3/32 10.13.60.3 vrrp-core
/ip route
add distance=1 dst-address=10.13.1.0/24 gateway=10.13.60.2
So this is a trivial VLAN configuration.
This configuration works. So you see, about that VRRP: I've just added one VRRP and the VLAN itself is the carrier. That works. Tested.
Now back to that https://wiki.mikrotik.com/wiki/Manual:I ... Offloading
RB4011 is in the section described in "Other devices without a built-in switch chip". So this method suits RB4011 devices.
You said that in that case carrier needs to
or you make /interface vrrp, /interface ethernet, or /interface bonding a port of a bridge, but in that case, the carrier interface for /interface vlan must be the bridge.
And it was. I showed you that already
/interface bridge port
add bridge=BR_TRUNK hw=no interface=bond_core
Only that I had bond_core, which stands for "LACP to Core" in the current configuration
/interface vlan
add disabled=yes interface=BR_TRUNK name=Azure vlan-id=1000
add interface=BR_TRUNK name=CCTV_1313 vlan-id=1313
add interface=BR_TRUNK name=DMZ_1351 vlan-id=1351
add interface=BR_TRUNK name=Guest_1680 vlan-id=1680
add interface=BR_TRUNK name=MGMT_254 vlan-id=254
add interface=BR_TRUNK name=SRV_1350 vlan-id=1350
add interface=BR_TRUNK name=TV_1322 vlan-id=1322
add interface=BR_TRUNK name=Voice_1323 vlan-id=1323
/interface bridge vlan
add bridge=BR_TRUNK tagged=vrrp-lan,BR_TRUNK vlan-ids=\
So bond_core was a port of a bridge and the carrier for the VLANs was that BR_TRUNK, which is the bridge. Then that case with 10.13.1.0/24 didn't work. I could only ping 10.13.1.1 (switch), but a DHCP client with IP 10.13.1.11 had timeouts on MikroTik, and traceroute from the client to the internet didn't even go past the switch.
At the end about vrrp again
so you can use the /interface bonding as a carrier for the /interface vrrp, and in turn use the /interface vrrp as a carrier interface for all the /interface vlan, and the single instance of vrrp protocol will control the up/down state of the /interface vrrp and through it also of all the /interface vlan which use it as their underlying carrier
Yeah, that didn't work either when I had those VLANs on the bridge. Like we said above, I moved VRRP only to that interlink VLAN, so if the VLAN connectivity fails it means that everything fails, because user -> DHCP Switch -> 0.0.0.0/0 via 10.13.60.1 -> MikroTik -> Internet. If 10.13.60.0/29 goes off it needs to switch traffic to the backup MikroTik. Is it a bad configuration?
But having vlan-filtering=yes with VRRP in that case as you mention below will not work
if you'd want to use a single bridge for all VLANs (and this is the only scenario where use of vlan-filtering=yes makes sense), you'd have to make that bridge a carrier interface of all those /interface vlans, and in that case, they would be unable to track the up/down state of the /interface vrrp.
So it means I should resign from vlan-filtering=yes and stay with the configuration I showed.
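
Added example, not part of the original post and not the poster's code: a small audit of the `/ip address print` rows and the static route pasted above. It flags connected networks that appear on more than one VLAN interface and reports which interface the route's gateway 10.13.60.2 is reachable through; the function names are hypothetical.

```python
import ipaddress

# Rows copied from the `/ip address print` output in the post.
ADDRESS_TABLE = """\
0 10.13.60.1/29 10.13.60.0 Interlink-to-core
1 10.13.13.1/27 10.13.13.0 CCTV
2 10.255.254.254/24 10.255.254.0 Management
3 10.13.22.1/28 10.13.22.0 TV
4 10.100.0.1/24 10.100.0.0 Azure
5 10.13.51.1/24 10.13.51.0 DMZ
6 10.13.22.1/28 10.13.22.0 Voice
7 192.168.50.1/23 192.168.50.0 Guest_Wifi
9 10.13.69.1/24 10.13.69.0 bridge
10 10.13.60.3/32 10.13.60.3 vrrp-core
"""


def parse_addresses(text):
    """Return [(interface_name, IPv4Interface)] from the table rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit():
            rows.append((fields[3], ipaddress.ip_interface(fields[1])))
    return rows


def overlapping_networks(rows):
    """Pairs of interfaces whose connected networks overlap.

    /32 entries (here the VRRP virtual address) are skipped on purpose,
    because they always sit inside the network of their carrier VLAN.
    """
    nets = [(n, i.network) for n, i in rows if i.network.prefixlen < 32]
    return [(a, b, str(na)) for k, (a, na) in enumerate(nets)
            for b, nb in nets[k + 1:] if na.overlaps(nb)]


def interface_for_gateway(rows, gateway):
    """Interface whose connected network contains the given address."""
    gw = ipaddress.ip_address(gateway)
    for name, iface in rows:
        if iface.network.prefixlen < 32 and gw in iface.network:
            return name
    return None
```

Run over the pasted table, the overlap check reports TV and Voice, which both carry 10.13.22.1/28, and the gateway lookup resolves 10.13.60.2 to Interlink-to-core, while 10.13.1.11 matches no connected network and so depends on the static route.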