Have you already referenced the official resources? If so, what specifically do you need help with?
Yes, I looked at those. In the meantime I somehow managed to separate ports into VLANs in Bridge - VLAN, so that ether1 and SFP2 are uplink ports, and then VLAN90 for ether24,23, VLAN80 for ether22,21 etc... Then I added PVID to each port in Bridge - Ports and enabled VLAN filtering on Bridge. I think that this is all I need to set up on the switch (running RouterOS); if I'm wrong, please correct me.
/interface bridge
add admin-mac=18:FD:74:9C:AE:C8 auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 pvid=20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12 pvid=30
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13 pvid=40
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14 pvid=40
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15 pvid=50
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16 pvid=50
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17 pvid=60
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18 pvid=60
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19 pvid=70
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20 pvid=70
add bridge=bridge comment=defconf ingress-filtering=no interface=ether21 pvid=80
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22 pvid=80
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23 pvid=90
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24 pvid=90
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2
and
/interface bridge vlan
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether24,ether23 vlan-ids=90
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether22,ether21 vlan-ids=80
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether20,ether19 vlan-ids=70
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether18,ether17 vlan-ids=60
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether16,ether15 vlan-ids=50
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether14,ether13 vlan-ids=40
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether12,ether11 vlan-ids=30
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether10,ether9 vlan-ids=20
Then I added VLANs on the ether4 port on the router, set IP addresses and DHCP server on VLANs. Added VLANs to LAN list, so that internet started working, and blocked access to my main bridge in Firewall. Now I must find a way to separate those VLANs between themselves, without adding a Firewall rule for each VLAN against the others, because that would make a lot of rules.
Also, is it normal that even if I drop traffic to the main bridge, I can still access my router on its main IP address, but not any other device behind my home bridge? I'm guessing this is normal behaviour.
Queues on VLANs (set on main router) work without problems when I disable Fasttrack.
So this now works in direct connection. In reality the main router will be in one location, then internet and VLANs must pass two wireless bridges (SXTsq 5 ac) with a dumb switch in between to get to the CRS326-24G-2S+IN. I'm hoping that no additional configuration is needed on the wireless bridges for VLANs.
EDIT: So I added this to firewall rules:
/ip firewall filter
add action=drop chain=forward comment="Drop traffic between VLANs and Bridge" in-interface-list=VLANs_Firewall_drop \
out-interface=bridge
add action=drop chain=forward comment="Drop traffic between VLANs" in-interface-list=VLANs_Firewall_drop out-interface-list=\
VLANs_Firewall_drop
and this to Interface list:
/interface list member
add interface=vlan30 list=VLANs_Firewall_drop
add interface=vlan40 list=VLANs_Firewall_drop
add interface=vlan50 list=VLANs_Firewall_drop
add interface=vlan60 list=VLANs_Firewall_drop
add interface=vlan70 list=VLANs_Firewall_drop
add interface=vlan80 list=VLANs_Firewall_drop
add interface=vlan90 list=VLANs_Firewall_drop
Will this be OK?
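
An added example, not part of the original post and not MikroTik tooling: a Python check that parses RouterOS export lines like those above and reports access ports whose PVID does not match their untagged VLAN membership, ports with ingress-filtering=no, and VLANs that have no member in the firewall drop list. The sample input is constructed from a few of the posted lines, and the vlan<ID> interface naming is an assumption taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the export lines posted above.
SAMPLE = """\
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1
add bridge=bridge ingress-filtering=no interface=ether9 pvid=20
add bridge=bridge ingress-filtering=no interface=ether11 pvid=30
/interface bridge vlan
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether12,ether11 vlan-ids=30
add bridge=bridge tagged=ether1,sfp-sfpplus2 untagged=ether10,ether9 vlan-ids=20
/interface list member
add interface=vlan30 list=VLANs_Firewall_drop
"""

def parse_export(text):
    """Group 'add k=v ...' lines under the '/menu path' header preceding them."""
    sections, menu = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            sections[menu].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return sections

def audit(text, drop_list="VLANs_Firewall_drop"):
    """Return a list of human-readable findings for review."""
    s, findings = parse_export(text), []
    untagged = {}  # port -> VLAN ID it is an untagged member of
    for row in s["/interface bridge vlan"]:
        for port in row.get("untagged", "").split(","):
            if port:
                untagged[port] = row["vlan-ids"]
    for row in s["/interface bridge port"]:
        port, pvid = row["interface"], row.get("pvid", "1")  # RouterOS default PVID is 1
        if pvid != "1" and untagged.get(port) != pvid:
            findings.append(f"{port}: pvid={pvid} but untagged in VLAN {untagged.get(port, 'none')}")
        if row.get("ingress-filtering") == "no":
            findings.append(f"{port}: ingress-filtering=no")
    listed = {r["interface"] for r in s["/interface list member"] if r.get("list") == drop_list}
    # Assumption: router VLAN interfaces are named vlan<ID>, as in the post.
    for vid in sorted(set(untagged.values()), key=int):
        if f"vlan{vid}" not in listed:
            findings.append(f"vlan{vid}: not in interface list {drop_list}")
    return findings
```

Calling `audit()` on the combined switch and router export text returns the findings as strings; an empty list means none of the three conditions was met.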