kolbyr
just joined
Topic Author
Posts: 11
Joined: Thu Oct 27, 2022 10:57 pm

Recommended Config for 3 Ports and 2 VLANs (1 Native) Within 1 Bridge

Thu Oct 27, 2022 11:19 pm

Hello there,

I'm new to RouterOS, but I'm a Junos OS / Cisco IOS engineer, so feel free to talk tech to me. :D

I'm attempting to design a simple way to provide an IP gateway to clients that connect to Ubiquiti APs off of several RB4011's while also separating ('separate' as in at a layer 2 perspective, I'll worry about layer 3 isolation later) them from the management subnet of those same APs. The setup I have is attached in this post.

Effectively, I have a router that has three physical connections to 3 access points. Those APs have several clients naturally sending untagged frames. I want those clients to have a default gateway that lives on the router, and I want just 1 subnet for all clients across 3 APs. Also, each AP has a management IP that I want in a separate subnet, separate from the client gateway. I figure I ought to tag the frames, so I can do that at the AP level (the router would receive a tag of, say, VLAN100 ingress on each port).

I would like to know how to configure a MikroTik RB4011 for this scenario so that:

- All three physical interfaces are bridged so they act as layer 2 ports.
- A layer 3 IP gateway for client connections exists (untagged on ingress and egress from the router perspective).
- A layer 3 IP gateway for the AP management exists (tagged for VLAN100 on ingress and egress from the router perspective).

From searching and trying things out, I sense that I need... 1 bridge that binds the physical interfaces together, 2 vlan interfaces that act as the IP gateways, and a merging of those VLANs into the bridge. Is there an ideal way to configure this, or better yet, is there a smarter design from a RouterOS perspective to do this? This design is simple to me in a Junos OS and IOS world, but this is the MikroTik world, so I'm open to new designs. :)

Thanks in advance, folks!
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Recommended Config for 3 Ports and 2 VLANs (1 Native) Within 1 Bridge

Fri Oct 28, 2022 2:19 pm

If you want to use vlans, then go all vlans and learn how to use them. Allows for future growth.
Thus one bridge, all subnets as vlans. And don't touch the default vlan1 on the bridge; leave it as is. Use other vlans for all your subnets carrying actual data.
This is a good starter: viewtopic.php?t=143620
 
kolbyr
just joined
Topic Author
Posts: 11
Joined: Thu Oct 27, 2022 10:57 pm

Re: Recommended Config for 3 Ports and 2 VLANs (1 Native) Within 1 Bridge

Fri Oct 28, 2022 3:44 pm

Thank you for the link and the response! I'm not sure I understand some of your suggestions. Can you clarify these for me?

"then go all vlans"
- Are you saying to effectively turn the connections to trunks that allow all VLANs?

"Use other vlans for all your subnets carrying actual data."
- Are you saying to VLAN tag all traffic (in my scenario, that'd be VLAN100 for AP management tagged at the AP level, and, for example, tag VLAN200 for customer traffic at the router level)?

In either case, I'm wondering how to accomplish that in the RouterOS CLI itself; the separation of bridging and VLAN forwarding, in the style RouterOS does it, is a bit novel to me, so that's a point of my ignorance I'm trying to seek help on. :)
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Recommended Config for 3 Ports and 2 VLANs (1 Native) Within 1 Bridge  [SOLVED]

Fri Oct 28, 2022 4:20 pm

Basically one defines the vlans, with the bridge as the parent interface.
Each vlan gets an ip pool, dhcp server, dhcp server network and IP address.

Assign interface bridge ports
Assign interface bridge vlans

adjust default rules as necessary
adjust routes as necessary
turn bridge vlan filtering on

bridge ports can be:
trunk ports ( format: add bridge=bridgename interface=etherport(or wlan) ingress-filtering=yes frame-types=admit-only-vlan-tagged )
access ports ( format: add bridge=bridgename interface=etherport(or wlan) ingress-filtering=yes frame-types=admit-priority-and-untagged pvid=XX )
hybrid ports ( format: add bridge=bridgename interface=etherport(or wlan) pvid=YY )

An access or hybrid port can only have ONE untagged vlan.
A trunk port can have one or more tagged vlans
A hybrid port can have one or more tagged vlans

untagged ports are used for dumb devices that cannot read vlans
tagged ports are for smart devices that can read vlans

Read para C. viewtopic.php?t=182373

Also suggest doing the configuring off bridge if you have a spare port see para A.
 
kolbyr
just joined
Topic Author
Posts: 11
Joined: Thu Oct 27, 2022 10:57 pm

Re: Recommended Config for 3 Ports and 2 VLANs (1 Native) Within 1 Bridge

Fri Nov 04, 2022 12:03 am

Thank you. :) That was very informative.

I got my particular setup to work in a weird way... this is what I did:
/interface bridge
add name=bridge80 vlan-filtering=yes

/interface bridge port
add bridge=bridge80 interface=ether1
add bridge=bridge80 interface=ether2
add bridge=bridge80 interface=ether3

/interface vlan
add interface=bridge80 name=vlan80 vlan-id=80

/interface bridge vlan
add bridge=bridge80 tagged=ether1,bridge80 vlan-ids=80

/ip address
add address=10.0.80.1/24 interface=vlan80 network=10.0.80.0
add address=10.0.0.1/24 interface=bridge80 network=10.0.0.0
Testing through a Cisco switch, I've been able to observe that I get the desired outcome of having an IP gateway [bridge80] that's only responding to untagged traffic from those three ports (and able to pop the VLAN on egress), and an IP gateway [vlan80] for the tagged management traffic from the Ubiquiti sectors (and able to push the VLAN on egress). CAM and ARP tables on all sides seem to portray the desired output.

I do have a concern about using bridge interfaces as IP gateways with MikroTik, as I hear that traffic is or may be CPU processed. I will ask about that for the RB4011 in a separate article. Thank you very much for the help and resources!
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Recommended Config for 3 Ports and 2 VLANs (1 Native) Within 1 Bridge

Fri Nov 04, 2022 5:48 am

/interface bridge
add name=braidge80 vlan-filtering=yes
Was this typo introduced when editing for posting?
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Recommended Config for 3 Ports and 2 VLANs (1 Native) Within 1 Bridge

Fri Nov 04, 2022 6:15 am

Your config (with typo fixed) and comments in blue. I would expect ether1 to have untagged on the default vlan 1 (with RB4100 bridge ip 10.0.0.1/24 in 10.0.0.0/24), and vlan80 (i.e. ether1.80) tagged with vlan 80 with ip 10.0.80.1/24 in 10.0.80.0/24. ether2 and ether3 would be vlan 1 access ports in subnet 10.0.0.0/24.

/interface bridge
add name=bridge80 vlan-filtering=yes (implicit pvid=1)

/interface bridge port
add bridge=bridge80 interface=ether1 (implicit pvid=1)
add bridge=bridge80 interface=ether2 (implicit pvid=1)
add bridge=bridge80 interface=ether3 (implicit pvid=1)

/interface vlan
add interface=bridge80 name=vlan80 vlan-id=80 (this creates the CPU's VLAN subinterface "shim" and the CPU's end of the "CPU to Switch ASIC" end of the trunk link for vlan 80)

/interface bridge vlan
add bridge=bridge80 tagged=ether1,bridge80 vlan-ids=80 (what about ether2 and ether3? The tagged bridge80 is the switch chip's end of the "CPU to Switch ASIC" end of the trunk link for vlan 80)

/ip address
add address=10.0.80.1/24 interface=vlan80 network=10.0.80.0 (this will be tagged vlan 80)
add address=10.0.0.1/24 interface=bridge80 network=10.0.0.0 (this is the native vlan i.e. pvid 1)

If my comments are incorrect, hopefully someone will correct me.
 
kolbyr
just joined
Topic Author
Posts: 11
Joined: Thu Oct 27, 2022 10:57 pm

Re: Recommended Config for 3 Ports and 2 VLANs (1 Native) Within 1 Bridge

Fri Nov 04, 2022 9:38 pm

/interface bridge
add name=braidge80 vlan-filtering=yes
Was this typo introduced when editing for posting?
It's just a typo in the post, not in my lab environment. My apologies; it's corrected now.
 
kolbyr
just joined
Topic Author
Posts: 11
Joined: Thu Oct 27, 2022 10:57 pm

Re: Recommended Config for 3 Ports and 2 VLANs (1 Native) Within 1 Bridge

Fri Nov 04, 2022 9:42 pm

Thank you for this breakdown! Yes, I did eventually include the other ethernet interfaces to that list in 'interface bridge vlan'.

In your opinion, is there a better way to accomplish my goal (if I've communicated that clearly enough) of having a single IP gateway for untagged traffic from these three ports within bridge80, and simultaneously having a single IP gateway for tagged traffic (VLAN 80) from the same three ports?
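One way to lay out this exact scenario following anav's "go all vlans" steps and Buckeye's note that ether2 and ether3 belong in the bridge VLAN table, written as an added example rather than config taken from the thread. It assumes RouterOS v7, the ether1-ether3 port names and the 10.0.0.0/24 and 10.0.80.0/24 ranges from the thread, and picks VLAN 200 (an assumption) for the untagged client subnet so the default VLAN 1 stays untouched.

```routeros
# Added example, not from the thread. Assumes RouterOS v7, ports ether1-ether3,
# VLAN 200 for the client subnet (assumed id) and VLAN 80 for AP management.
/interface bridge
add name=bridge80 vlan-filtering=no comment="filtering is enabled as the last step"

# Hybrid ports: untagged client frames from the APs land in VLAN 200 (pvid),
# tagged VLAN 80 management frames are accepted as well.
# ingress-filtering=yes drops tagged frames whose VLAN is not in the bridge
# VLAN table, so a misconfigured AP cannot leak traffic into another VLAN.
/interface bridge port
add bridge=bridge80 interface=ether1 pvid=200 ingress-filtering=yes frame-types=admit-all
add bridge=bridge80 interface=ether2 pvid=200 ingress-filtering=yes frame-types=admit-all
add bridge=bridge80 interface=ether3 pvid=200 ingress-filtering=yes frame-types=admit-all

# Bridge VLAN table: all three ports are members of both VLANs. bridge80 is
# listed tagged so the CPU has a trunk into each VLAN (the "CPU to switch
# ASIC" link Buckeye describes); without it the IP gateways never see frames.
/interface bridge vlan
add bridge=bridge80 vlan-ids=200 untagged=ether1,ether2,ether3 tagged=bridge80
add bridge=bridge80 vlan-ids=80 tagged=ether1,ether2,ether3,bridge80

# Layer 3 gateways live on VLAN interfaces rather than on the bridge itself.
/interface vlan
add interface=bridge80 name=vlan200 vlan-id=200
add interface=bridge80 name=vlan80 vlan-id=80
/ip address
add address=10.0.0.1/24 interface=vlan200
add address=10.0.80.1/24 interface=vlan80

# DHCP only for the client VLAN; AP management addresses are assumed static.
/ip pool
add name=pool-clients ranges=10.0.0.10-10.0.0.250
/ip dhcp-server
add name=dhcp-clients interface=vlan200 address-pool=pool-clients
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1

# Turn filtering on only once the table is complete (anav's last step), ideally
# while connected through a port outside the bridge so a mistake cannot lock you out.
/interface bridge
set [find name=bridge80] vlan-filtering=yes
```

With this layout the clients get 10.0.0.1 as their gateway via untagged frames on any of the three ports, the APs reach 10.0.80.1 only with VLAN 80 tags, and VLAN 1 carries nothing.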
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Recommended Config for 3 Ports and 2 VLANs (1 Native) Within 1 Bridge

Fri Nov 04, 2022 11:18 pm

I do have a concern about using bridge interfaces as IP gateways with MikroTik, as I hear that traffic is or may be CPU processed. I will ask about that for the RB4011 in a separate article.
In your case the only time that the CPU could be avoided is if you have wifi clients connected to the same SSID to be communicating directly with each other (and you are not using the UniFi guest profile to provide client isolation/access control). Everything else is going to need to be routed, and that is done by the CPU. So if the clients are connecting to some host upstream of the RB4011, or even to a wifi client connected to a different SSID, the CPU is still going to be in the path.

See the RB4011 block diagram.

And if you haven't at least skimmed the ROS documentation for Bridging and Switching, it is well worth your time.

Since the RB4011 uses the RTL8367, and that has Bridge HW vlan-filtering since RouterOS 7.1rc1, as long as all the ports in the bridge are on the same switch chip (RTL8367), then the heavy lifting (vlan awareness, tagging/untagging) will all be handled on the switch ASIC without any CPU intervention (other than setup). Because I am learning ROS (got my first MikroTik router in Mar 2022, an RB760iGS), the first thing I did was upgrade to the latest testing version since I was only using it in a lab situation, and I wanted to use vlans. I would recommend upgrading to a stable version of v7 if you plan to have a lot of intra-vlan communication, and in fact if you don't have a good reason to run v6, it would probably be easiest to just start learning on v7.
