Hello there,

Iam currently in fight with internal switch of named device at RouterOS v6.45.6. For a lot of nights Iam trying to get working configuration involving VLANs. But result is still the same, no matter which way of configuration I choose. After switching ON VLAN ability of the Bridge, HW acceleration of all ports vanish. Even with the default config (with change vlan-mode).

Is this device even able to switch VLANs?

Is this device even able to switch VLANs?

It is (see this page in the wiki). However the Bridge VLAN Filtering is currently only supported on CRS3xx series devices, and on hAP ac you are limited to Basic VLAN switching.

However the Bridge VLAN Filtering is currently only supported on CRS3xx series devices ...

Small correction: above mentioned bridge VLAN filtering is supported across whole Routerboard device range ... but on all, except CRS3xx, functionality is implemented in software. Meaning that it's expected that HW acceleration gets lost in this use case and performance, consequentially, drops.
On hAP ac even SW-implemented bridging should allow throughputs a few hundred Mbps before CPU usage hits 100%. If that doesn't suffice, you'll have to go the switch-chip way as instructed by @andrys above.
Note that due to HW implementation, SFP1 port can not be switched in hardware in any kind of configuration (it is attached directly to device's CPU).

However the Bridge VLAN Filtering is currently only supported on CRS3xx series devices ...

Small correction: above mentioned bridge VLAN filtering is supported across whole Routerboard device range ... but on all, except CRS3xx, functionality is implemented in software. Meaning that it's expected that HW acceleration gets lost in this use case and performance, consequentially, drops.
On hAP ac even SW-implemented bridging should allow throughputs a few hundred Mbps before CPU usage hits 100%. If that doesn't suffice, you'll have to go the switch-chip way as instructed by @andrys above.
Note that due to HW implementation, SFP1 port can not be switched in hardware in any kind of configuration (it is attached directly to device's CPU).

Thank for those informations. Nowhere is written so explicitly.

Lets say the ethernet part is configurred correctly (I must found another ethernet connected device to verify) using Basic VLAN switching.
WiFi part remaining. It seems, all VLAN config under bridge port or WLAN device itself is ignored because of NO VLAN filtering on the bridge. As I understood, all VLAN settings done on bridgeports are ignored.

I have VLAN ID 201 interface on the top of bridge device with address asigned.
I have some physical ports with Native VLAN 201.
I have WLAN device as a bridge port and set to VLAN 201.
I have DHCP server at VLAN 201.

Wireless device is corectly connected and recieve an address. Can ping address on VLAN interface. Can even ping device default address od bridge itself (routed).

But on trunked ports (hybrid actually) containing VLAN 201, packets from those devices can be captured without VLAN tag.

Have anyone face situation like this?

But on trunked ports (hybrid actually) containing VLAN 201, packets from those devices can be captured without VLAN tag.

Please elaborate thos further ... how are you capturing packets and how in particular is the trunk configured?

Please elaborate thos further ... how are you capturing packets and how in particular is the trunk configured?

Configuration (I am not currently at the device):

Switch - switch all interfaces
VLAN 1 - port Eth1, Eth4, Eth5, SwitchCPU
VLAN 201 - port Eth1, Eth2, Eth3, SwitchCPU
VLAN 100 - port Eth1, Eth5
VLAN 101 - port Eth1, Eth5

Port Eth1 - PVID 1 - vlan secure, leave-as-is
Port Eth2 - PVID 201 - vlan secure, always-strip
Port Eth3 - PVID 201 - vlan secure, always-strip
Port Eth4 - PVID 1 - vlan secure, always-strip
Port Eth5 - PVID 1 - vlan secure, leave-as-is
SwichCPU - NO PVID - vlan secure, leave-as-is

interface Bridge - ip address 10.100.5.3/16. Containing all Eth interfaces + WLAN1 and WLAN2 interfaces.
Interface VLAN 201 (on the top of Bridge interface) - ip address 192.168.201.1/24 with DHCP active
WLAN1 and WLAN2 set to VLAN 201

I can connect with my cellphone via WiFi, I recieve address, can ping DHCP server address. This works flawlessly.
When I connect computer to Eth1 and start capturing (using wireshark) I can recieve packets from network 192.168.201.0/24, broadcasts, arps etc.. But frames not containing VLAN tag.
Packets from WiFi device from network 192.168.201.0/24 I can recieve also at interface Eth5, which is excluded from the VLAN 201 at all.

Today, Iam planning to connect another ethernet device to port Eth2 or Eth3 to check, if packets from the same network (192.168.201.0/24) as WiFi clients are leaving port Eth1 with Tags or not.

It is known that many windows NIC drivers strip off VLAN tags before processing packets. Hence sniffing using windows machine can not proove VLAN-related problems ...

It is known that many windows NIC drivers strip off VLAN tags before processing packets. Hence sniffing using windows machine can not proove VLAN-related problems ...

Maybe, but very wierd are those packets from VLAN 201 on Eth5, which is not at VLAN 201 at all.

Maybe, but very wierd are those packets from VLAN 201 on Eth5, which is not at VLAN 201 at all.

All right, I just had switched ON Independent Learning on VLANs in the switch and packets from VLAN 201 stops appear on Eth5. But are still capturable on interface Eth1 without VLAN header :-/.

I'll wait until you post output of command /export hide-sensitive (redact public IP address if there's one).

Yesterday, I have tested output of hybrid interfaces with Linux computer and when using detailed log with t-shark (command line wireshark utility), I can see 802.1q TAG ID 201 in packet. So it seems to be working. This evening I will connect it to the network, so I let you inform, if it is doing what it is configured to. And eventually will post related config for future searchers.

Thanks for your advices.