Hi all, I've got some experience with Microtik but this is the first time I have played with a Microtik switch (CRS326-24g-2S+).

It currently has routerOS on it and it is working fine as a generic router - I'm using it now to post this.

Where i'm struggling is with the VLANS. I have:
VLAN 1 - Main Network
VLAN 20 - IP Cameras
VLAN 99 - Guest Wifi

VLAN 20 was easy - I created a new bridge for just the cameras, untagged 20, added an IP, some firewall rules, DHCP etc. That works fine.

What I can't seem to configure the AP ports as trunks for VLAN 99.

Initially I had:
Bridge1 = Ports 2-20
Bridge1 vlans 99 Tagged 2-6 (where the AP can be plugged in)

Works fine for anything on vlan 1 over wifi but not vlan 99

I don't need a real port to be active (untagged) for this VLAN as it is only used by wifi which is tagged at the ap (Unifi) but obviously I need an IP bound to it. I created a vlan interface and assigned an IP to it. I'm just completely confused on how best to get this to work and the Microtik way of doing things is not yet logical to me.

Just now, I thought perhaps I create a new bridge just for the trunk ports, Untagged 1, tagged 99 etc but that does not seem to work either. My logic says it should because the VLANS match, despite being on a different 'bridge' since it's still just layer 2 but It's doing my head in!

Please can someone explain this to me. I thought this would be just like a normal switch that I can set tagged/untagged/allowed/excluded but i'm confused by having to create bridge interfaces etc.

Thanks mkx, I'll review the configs - That was not something I came across when determining how to do the initial config.

I must say - I started out with a single bridge but the vlans did not seem to work at all, hence I split off the cameras to a separate bridge. Hopefully with that I should be able to understand it and get it to work. Perhaps deceptively the VLANs aren't working at all still, since the bridge is providing the isolation rather than VLAN.

So I've reviewed my current settings vs the 'switch' config and I've basically already at that config.

VLAN 1 being the default network VLAN for general network access.
VLAN 99 - Guest Wifi

If we ignore the camera bridge for the moment, I have: So that seems right.

I then have: So I think I was pretty on the mark for how it should be but I can't seem to get it to work.

Answering my own question:
Adding BR1 to the tagged statement

It's not overly logical to me why I need to add the bridge but it solved the issue

That actually really does clear it up. Completely makes sense when you consider it as two separate devices.

My initial internal logic was the opposite, in that the bridge was somehow overriding the port, but effectively the port is a child of the bridge so it needs to be included as well.