Hi,

if i sniff all packets from my hEX (with the internal packet sniffer) with this simple configuration i see that the Mikrotik sent out packet with and without VLAN header (ICMP and TCP traffic from winbox) from 192.168.10.2/24:

/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan-10 vlan-id=10
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether3,ether4,ether5,bridge1 untagged=ether2 vlan-ids=10
/ip address
add address=192.168.1.2/24 interface=bridge1 network=192.168.1.0
add address=192.168.10.2/24 interface=vlan-10 network=192.168.10.0

with wireshark i see huge amount of TCP Dup and Retrasmission becouse of this.
It is normal?

All ports except ether2 are configured as trunk ports... What goes out a trunk port will have a Tag applied, and what comes in must have a Tag...
Your ether2 is an access port, so what goes out an access port will have its Tag removed...

An exception of the above are the hybrid ports, but those do not apply in your example, where you can have both Tagged and Untagged frames flowing through...

So why its not normal to see tagged frames ?

I understand but i mean that, for example, i am 192.168.10.1 and i am connected to the eth2 port (the access port), i ping 192.168.10.2 and i recevice the response, but from the packer sniffer i see multiple packet from 192.168.10.2 with and without the VLAN tag (VLAN 10), i expect that all packets are without tag or at least with default vlan 1

All untagged packets entering port ether2 will get a Tag applied with VLAN id=10... So your computer becomes a member of Vlan 10.
All packets leaving port ether2 that match VID=10 will have the Tag stripped...

I know how VLAN works, i want to understand how packet sniffer work in this context, see the attached images, there is multiple responses for the SAME ICMP request (ICMP request sent by my PC on eth2), one packet has vlan and the other don't

If you run sniffer without setting filter-port property, then the very same packet will be captured multiple times, when ever it passes any of router's ports/interfaces: ether2, bridge1, vlan-10, ... sometimes it'll be tagged, sometimes not, depending on port/interface configuration. Vlan interfaces will always show packets untagged. Bridge interface in your case will show it tagged. I'm not entirely sure about ether2 as I don't know where sniffer captures frame, on the "wire side" of port (so frame will be untagged) or on the "bridge side" of port (so frame will be tagged).

Ok i see, i will start to use the filter-port