Thanks @tdw.
If I understood you properly, I have to:
Modify my single bridge (unfortunately named bridge) so that:
- the WAN port be part of it (You: Instead of having a WAN port separate from the bridge and bridge ports, all of the ports have to be in a single bridge.),
- the VoIP interface port be tagging ingress packets w/o tags with VLAN ID 26 (You: ...the VoIP interface port with VLAN ID 26 untagged..., I: but this is only ingress part of port setup!)
- all other ports except the WAN port be tagging ingress packets w/o tags with VLAN ID 31 (You didn't mention it, but I suppose so).
Configure the single bridge's VLAN settings so that:
- the WAN port be tagged with VLAN IDs 26 & 31 (You: ...configure the uplink port with VLAN IDs 26 & 31 tagged...),
- the bridge port be tagged with VLAN 31 (You: ...the bridge-to-CPU port with VLAN 31 tagged..., and I am additionally thankful for emphasizing the bridge-to-CPU port of the bridge named bridge!!!).
- unmentioned ports in bridge's VLAN settings will be untagged ports on egress (Is this true?).
Create a vlan interface connected to the bridge. This will be my 'Internet WAN' connection holding static address AA.BB.CC.DD and will be the in-interface/out-interface in the ip firewall filters (You: ...This will be your 'Internet WAN' connection to which a DHCP client or PPPoE client can be attached...).
/interface bridge port
# next line added
add bridge=bridge interface=ether1-WAN
#in next line added: pvid=26
add bridge=bridge interface=ether2-VoIP pvid=26
#in next four lines added: pvid=31
add bridge=bridge interface=ether3-Inet pvid=31
add bridge=bridge interface=ether4-Inet pvid=31
add bridge=bridge interface=ether5-Inet pvid=31
add bridge=bridge interface=wlan-Inet pvid=31
#next three lines added:
/interface bridge vlan
add bridge=bridge tagged=ether1-WAN vlan-ids=26,31
add bridge=bridge tagged=bridge vlan-ids=31
#next two lines added:
/interface vlan
add interface=bridge name=Internet_WAN vlan-id=31 #
/ip address
#in next line modified: interface=ether1-WAN to interface=Internet_WAN
add address=AA.BB.CC.DD/30 interface=Internet_WAN network=AA.BB.CC.DD-2
/ip firewall filter
#in next line modified: in-interface=ether1-WAN to: in-interface=Internet_WAN
add action=drop chain=input comment="WAN drop all" in-interface=Internet_WAN
#in next line modified: in-interface=ether1-WAN to: in-interface=Internet_WAN
add action=accept chain=forward comment="Drop WAN !dstnated" connection-nat-state=!dstnat connection-state=new in-interface=Internet_WAN
#in next line modified: out-interface=ether1-WAN to: out-interface=Internet_WAN
add action=masquerade chain=srcnat dst-address-list=!LAN out-interface=Internet_WAN src-address=192.168.1.0/24
Is this OK?
Are the next settings necessary:
/interface bridge set bridge vlan-filtering=no
/interface bridge port
set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged ... (all access ports)
set bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged ... (trunk port)
/interface bridge set bridge vlan-filtering=yes
Thanks,
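
An added example, not part of the original post: a small Python check over the bridge sections of a RouterOS export like the one posted above, flagging where the settings asked about at the end (vlan-filtering, frame-types) are missing. It assumes the RouterOS defaults pvid=1 and frame-types=admit-all for unset values; the function names and the shortened sample input are constructed for illustration.

```python
import shlex

# Constructed input: the bridge sections from the post, in RouterOS export style.
POSTED = """\
/interface bridge port
add bridge=bridge interface=ether1-WAN
add bridge=bridge interface=ether2-VoIP pvid=26
add bridge=bridge interface=ether3-Inet pvid=31
/interface bridge vlan
add bridge=bridge tagged=ether1-WAN vlan-ids=26,31
add bridge=bridge tagged=bridge vlan-ids=31
"""

def parse(export):
    """Return (ports, trunks, filtering) read from export text."""
    ports, trunks, filtering, section = {}, set(), False, None
    for raw in export.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)
        kv = dict(w.split("=", 1) for w in words if "=" in w)
        if "vlan-filtering" in kv:            # last setting seen wins
            filtering = kv["vlan-filtering"] == "yes"
        if line.startswith("/"):
            section = line
        elif words[0] == "add" and section == "/interface bridge port":
            ports[kv["interface"]] = (int(kv.get("pvid", 1)),  # assumed defaults
                                      kv.get("frame-types", "admit-all"))
        elif words[0] == "add" and section == "/interface bridge vlan":
            trunks.update(p for p in kv.get("tagged", "").split(",") if p)
    return ports, trunks, filtering

def audit(export):
    """List settings that leave the VLAN separation unenforced."""
    ports, trunks, filtering = parse(export)
    findings = []
    if not filtering:
        findings.append("bridge: vlan-filtering is not yes, so pvid and the VLAN table have no effect")
    for name, (pvid, frame_types) in sorted(ports.items()):
        if name in trunks and frame_types != "admit-only-vlan-tagged":
            findings.append(f"{name}: trunk port admits untagged frames into VLAN {pvid}")
        elif name not in trunks and frame_types == "admit-all":
            findings.append(f"{name}: access port does not reject tagged frames by frame type")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(POSTED)))
```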