VLANs can be slightly confusing, because it's both a way to have tagged packets (to carry multiple separate networks over the same link) and a way to configure a switch (or have switch-like behaviour using a software bridge). It should help to understand which is which.
The first one is simple:
/interface vlan
add name=vlan10 vlan-id=10 interface=ether1
add name=vlan11 vlan-id=11 interface=ether1
It will give you two ethernet-like interfaces on top of ether1. You can connect e.g. a managed switch and use it to connect devices to these two networks. The router should have IP addresses assigned to vlan10 and vlan11 to be able to communicate with devices in those networks.
Then there's the other one, when you want the same vlans on multiple physical interfaces. For a start, assume that the router is going to behave only as an L2 switch and won't be communicating with devices in vlans. There will be an uplink on ether1 with two tagged vlans and then one untagged port for each vlan. The config is still relatively simple:
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=11
add bridge=bridge1 interface=ether3 pvid=12
/interface bridge vlan
add bridge=bridge1 vlan-ids=11 tagged=ether1 untagged=ether2
add bridge=bridge1 vlan-ids=12 tagged=ether1 untagged=ether3
For this, no "/interface vlan" is needed. Neither is the bridge itself (bridge1) listed as tagged or untagged in "/interface bridge vlan".
Often you want to combine both, and that's where people get lost. But it's still not difficult, just remember a few things:
- when router should participate in given vlan, it needs "/interface vlan" for it (*)
- once you have bridge, you no longer work with individual physical interfaces included in bridge, so vlan interface should use interface=bridge1 (and not interface=etherX, as you have in one config)
- because bridge itself now serves as switch port (sort of), for each such vlan interface you need tagged=bridge1 in "/interface bridge vlan" for given vlan id
(*) It's not entirely true, which can cause extra confusion. If you need the router to be part of only one vlan, you can add IP address directly to bridge1 and add untagged=bridge1 in "/interface bridge vlan". So you have two ways to get same result. Of course you can always add vlan interface anyway (on top of bridge1) and list it as tagged, and just forget about adding address directly to bridge1.
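The combined case from the three points above, written out as an added example that is not part of the original post: the same bridge as in the L2-only config, with the router also taking part in vlans 11 and 12. The interface names and vlan ids follow the post; the IP addresses are constructed sample values.

```routeros
# Added example, not from the original post.
# ether1 = tagged uplink, ether2 = untagged port in vlan 11, ether3 = untagged port in vlan 12.
/interface bridge
add name=bridge1 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=11
add bridge=bridge1 interface=ether3 pvid=12

/interface bridge vlan
# bridge1 is listed as tagged for each vlan the router takes part in,
# because the bridge itself acts as the switch port facing the router's CPU.
add bridge=bridge1 vlan-ids=11 tagged=bridge1,ether1 untagged=ether2
add bridge=bridge1 vlan-ids=12 tagged=bridge1,ether1 untagged=ether3

/interface vlan
# vlan interfaces sit on top of bridge1, not on etherX.
add name=vlan11 vlan-id=11 interface=bridge1
add name=vlan12 vlan-id=12 interface=bridge1

/ip address
# Constructed sample addresses; replace with the real subnets.
add address=192.168.11.1/24 interface=vlan11
add address=192.168.12.1/24 interface=vlan12
```

A vlan that the router only switches and does not take part in keeps the earlier form, without bridge1 in its tagged list and without a vlan interface.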