Hello,
Router (RB4011) is handling two LAN subnets as bridges : Desired ports setup :

• 192.168.1.0/24 untagged on ports 1-4

• 192.168.33.0/24 on port 1 only, tagged as vlan-id=33

What I did :
And it seems to be working good so far, with no (apparent) side effects.
But after reading :
https://wiki.mikrotik.com/wiki/Manual:L ... figuration
I thought that may be i did it all wrong ?

If so, what would be the optimal config for this exact setup ?

Thanks in advance.

Yes, what you did is "all wrong", but it does work.
The correct way would be to have only one bridge, create the VLAN interface on the bridge and configure port1 to have vlan 33 tagged.
However what you have now is slightly more efficient as it allows hardware switching for the main network.
As soon as you configure the "preferred way" that will disappear and everything will be software switched...

Thank you for the prompt answer !
May i ask when you say :

The correct way would be to have only one bridge, create the VLAN interface on the bridge and configure port1 to have vlan 33 tagged.

how would i do this the preferred way ?

I'm a bit confused by /interface bridge vlan section, don't know which combination would be ok as i only want guest network tagged on port1 + not attached to any other port
(and also concerned as a wrong config could lock myself out...)

As soon as you configure the "preferred way" that will disappear and everything will be software switched...

ROS v7 brings HW accelerated VLAN bridge operations to RB4011 ... just wanted to mention it

I'm a bit confused by /interface bridge vlan section ...

Did you have a chance to study this fine tutorial?

Thank you for the link,
assuming there's only one bridge so : would do "by the rules" for my two subnets (main + guest)
however my guest network is now available on all ports (tagged vlan 33).

Would this do the restriction I need ? (guest tagged only on ether 1, nowhere else)

correct............
The other way to do it is create a vlan for all the other traffic call it vlan 20

/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1 pvid=20 ingress-filtering=yes
add bridge=bridge interface=ether2 pvid=20 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge interface=ether3 pvid=20 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge interface=ether4 pvid=20 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
/interface vlan
add interface=bridge name=bridge.33 vlan-id=33
add interface=bridge name=homelan vlan-id=20
/ip address
add address=192.168.1.1/24 interface=homevlan network=192.168.1.0
add address=192.168.33.1/24 interface=bridge.33 network=192.168.33.

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=33
add bridge=bridge untagged=ether1,ether2,ether3,ether4 vlan-ids=20

In this way the bridge just does bridging and not involved in DHCP etc.......
The question I have is, what is on the other end of ether1, that can read both tagged and untagged traffic???

Thank you for the explanation, things are becoming a bit clearer !
Plus, I now understand your solution is even more "logic" as soon as there are VLANs involved in the bridge.

To your end question, attached to ether1 there is a switch, and as non-expert configured that way :

• port 1 (attached to ether1) : VLAN1 untagged + VLAN 33 tagged (trunk with a native vlan, semitrunk ?)
• ports 23-24 VLAN1 untagged + VLAN 33 tagged (same as 1, for wireless APs configured with 2 SSIDs)
• all other ports, access to VLAN 1

i'd like to keep it that way instead of redesigning whole network as "tagged-only" except for access ports.
May be that's stupid, but i feel more comfortable for now by introducing "advanced things" aside of simple things remaining simple (main network).

Yes it is non-standard.
There is no reason to carry untagged traffic to a managed switch.

It should be like so.
Router
interface bridge port
add bridge=bridge interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether2 pvid=20 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge interface=ether3 pvid=20 ingress-filtering=yes frame-types=admit-only-priority-and-untagged
add bridge=bridge interface=ether4 pvid=20 ingress-filtering=yes frame-types=admit-only-priority-and-untagged

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=33
add bridge=bridge tagged=bridge,ether1 untagged=ether2,ether3,ether4 vlan-ids=20

On the switch, for 99% of brands.
Basically ALL port that are trunk ports the default pvid of 1 is not changed.
All ports that are access ports, the PVID is changed to the tagged traffic that will be stripped when leaving that port and tags added for incoming traffic to that port.
Thus typically the trunk port is
a. the incoming port from the router
b. to any Access point that can read tags (and will have one or more vlans sent to it)
c. to any other managed switch

so in your case,
PORT 1, TRUNK PORT - default pvid of 1 remains.
Tagged vlans associated with ether 1 are 20 and 33

PORT 23-24 , TRUNK Ports, default pvid of 1 remains
Tagged vlans associated with ether 23, 24 are 20 and 33 (assuming to an AP that can read vlans, 20 for home wifi, 33 for guest wifi)

Ports 2-22 are Access ports, with pVID changed to 20 (assuming homelan devices)
Untagged for vlan 20

i'd like to keep it that way instead of redesigning whole network as "tagged-only" except for access ports.
May be that's stupid, but i feel more comfortable for now by introducing "advanced things" aside of simple things remaining simple (main network).

Yes it is perfectly possible to keep using vlan1 as untagged and on the default bridge, the use of a specific vlan and untagged config for
that vlan is only to solve some specific issues that you probably will not run in to.
When you have an external switch it could be an advantage to use a clean trunk, but only when you can easily (and comfortably for you) change the
management network from "untagged vlan 1" to "tagged vlan X" without locking yourself out.

Also be aware that you should never connect Windows machines that are configured without VLAN to an interface that has the expected network untagged and some other network tagged on the port where the Windows PC is connected.
Windows cannot handle that! It will strip the VLAN tag from all incoming traffic and mix everything together, until you configure VLAN on the network interface.
(which is only possible when the network card manufacturer has declared in its driver that its card provides VLAN support, which almost never is done in stock Windows drivers, only in "enterprise-grade" drivers you can download from the manufacturer site)

So make sure you do not connect a PC to that port 1.

Thank you for all helpful answers.
Now I clearly understand how : has to be used the "right way".

Will eventually redesign our configuration when chance comes!