USE ONE BRIDGE ALL VLANS
VLAN10 for first group of ports
VLAN20 for second group of ports
/interface bridge port
add bridge=bridge interface=ether1 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
......
add bridge=bridge interface=ether15 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=bridge interface=ether16 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=20
add bridge=bridge interface=ether17 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=20
......
add bridge=bridge interface=ether24 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=20
...............
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2,ether3,........ether15 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether16,ether17,........ether24 vlan-ids=20
where the bridge does NO DHCP
Define vlans
/interface vlan
add name=vlan10 interface=bridge vlan-id=10
add name=vlan20 interface=bridge vlan-id=20
Give vlan IP address, ip pool, dhcp server, dhcp server network.
/interface list members
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
Firewall rules.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
DONE, vlan10 and vlan20 cannot see each other at L2 and the router will not route traffic between them at L3.
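The L2 separation above only holds if the bridge port table, the bridge vlan table and the bridge's vlan-filtering setting agree with each other: a port whose pvid has no matching untagged entry gets its traffic dropped at the bridge, and with vlan-filtering off the whole vlan table is ignored. In the port list above, ether1 is added with pvid=10 while the vlan 10 untagged list starts at ether2. The following checker, added here as an example and not code from the original post or from MikroTik, parses an /export-style dump of the three bridge sections and reports that kind of mismatch. The CONFIG_* strings are constructed for this example (the "......" ranges shortened to a few ports); the export line format it assumes is the plain `add key=value ...` form that `/export` produces.

```python
# Added example (not from the original post): offline consistency check over a
# RouterOS /export-style bridge VLAN configuration. Parses /interface bridge,
# /interface bridge port and /interface bridge vlan and reports the mistakes that
# silently break VLAN separation.
import re


def _kv(line):
    """Return the key=value tokens of one RouterOS command line as a dict."""
    return dict(re.findall(r'([\w-]+)=(\S+)', line))


def _vlan_ids(spec):
    """Expand a vlan-ids value ('10', '10,20' or '30-32') into a set of ints."""
    ids = set()
    for part in spec.split(','):
        if '-' in part:
            lo, hi = part.split('-', 1)
            ids.update(range(int(lo), int(hi) + 1))
        elif part:
            ids.add(int(part))
    return ids


def check_bridge_vlans(export_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    section = None
    filtering = {}   # bridge name -> vlan-filtering value
    ports = []       # (interface, bridge, pvid, ingress-filtering)
    vlans = []       # (bridge, set of vlan ids, set of untagged ports)
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            section = line          # menu path such as '/interface bridge port'
            continue
        tokens = line.split()
        kv = _kv(line)
        if section == '/interface bridge':
            if tokens[0] == 'add':
                filtering[kv['name']] = kv.get('vlan-filtering', 'no')
            elif tokens[0] == 'set' and len(tokens) > 1 and not tokens[1].startswith('['):
                name = tokens[1]    # e.g. 'set bridge vlan-filtering=yes'
                filtering[name] = kv.get('vlan-filtering', filtering.get(name, 'no'))
        elif section == '/interface bridge port' and tokens[0] == 'add':
            ports.append((kv['interface'], kv['bridge'],
                          int(kv.get('pvid', '1')), kv.get('ingress-filtering', 'unset')))
        elif section == '/interface bridge vlan' and tokens[0] == 'add':
            untagged = {p for p in kv.get('untagged', '').split(',') if p}
            vlans.append((kv['bridge'], _vlan_ids(kv['vlan-ids']), untagged))

    findings = []
    # 1. Without vlan-filtering=yes the vlan table is ignored and every port
    #    shares one broadcast domain no matter what the table says.
    for bridge in sorted({p[1] for p in ports}):
        if filtering.get(bridge) != 'yes':
            findings.append(f"{bridge}: vlan-filtering is not yes, the bridge vlan table is ignored")
    for iface, bridge, pvid, ingress in ports:
        # 2. ingress-filtering=yes drops tagged frames for VLANs the port is not
        #    a member of; anything else should be checked on the RouterOS version in use.
        if ingress != 'yes':
            findings.append(f"{iface}: ingress-filtering is {ingress}, expected yes")
        # 3. Untagged ingress is classified into the pvid; if no vlan entry lists
        #    the port as untagged for that VLAN, its traffic is dropped at the bridge.
        members = [v for v in vlans if v[0] == bridge and pvid in v[1] and iface in v[2]]
        if not members:
            findings.append(f"{iface}: pvid={pvid} but no vlan entry lists it as untagged for VLAN {pvid}")
        # 4. A port untagged in two VLANs merges them on that port.
        untagged_in = sorted(vid for v in vlans if v[0] == bridge and iface in v[2] for vid in v[1])
        if len(untagged_in) > 1:
            findings.append(f"{iface}: untagged member of more than one VLAN {untagged_in}")
    return findings


# Constructed input mirroring the post: ether1 is added with pvid=10 but the
# vlan 10 untagged list starts at ether2.
CONFIG_AS_POSTED = """
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=bridge interface=ether2 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=10
add bridge=bridge interface=ether16 ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether16 vlan-ids=20
"""

# Same layout with ether1 listed as untagged in VLAN 10 (constructed).
CONFIG_FIXED = CONFIG_AS_POSTED.replace("untagged=ether2 ", "untagged=ether1,ether2 ")

if __name__ == '__main__':
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        print(label, check_bridge_vlans(cfg) or ["ok"])
```

Run it against a real `/export` by pasting the three bridge sections into `check_bridge_vlans`; a clean result plus the forward-chain drop rule is what the "cannot see each other" claim depends on.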