Hi peoples,
So since my ISP requires now VLAN tagging (ID 10), I want to configure the switch RB260GS (which will sit behind the ISP modem and before the firewalls). The goal is, that on the wan port (port1) it accepts traffic with vlan ID 10 and adds the tag for egress. Port 2&3 (firewalls) should untag the traffic.
My test setup is a laptop configured with vlan id 10 connected to wan port and another laptop connected to port2.
With my current configuration, I can ping the untagged laptop with my tagged laptop, but not the other way around.
What do I need to change, so both laptops see each other?

I think that in VLANs tab it needs to be the other way around: WAN needs to be "leave as is" because ISP expects VLAN tags. And firewallX needs "add if missing" because it'll deal with untagged frames.

Similarly in VLAN tab: for WAN set VLAN header to "leave as is", firewallX needs "always strip". And set VLAN mode to "enabled" for firewallX.
After you get things running, you'll want to setn"VLAN receive" on WAN port to "only tagged" (whatever exact wording) and on firewallX to "only untagged and priority tagged". And I guess you don't need "force VLAN ID" enabled (but I'm not sure about this).

The reasoning: inside switch, all frames are tagged (or at least you can think this way). And then it's logical that all the settings are about frame headers on the outer side of switch port (on the cable).

Agree with mkx.
Here are the VLAN and VLANs tabs for one of my CSS106-5G-1S (RB260GS) switches. Note that I do not use Optional, but rather "Strict" on the VLAN mode and "Only tagged" or "Only Untagged" on the VLAN Receive mode - UNLESS it is a Hybrid port (as the two Open Mesh WiFi Access Points ports are). In my case, the SFP (Trunk to F.R.) is the VLAN tagged port.






Hope this helps.

Thanks for the replies.
I'm not sure I explained correctly. I guess my ISP now sends and wants to receive tagged traffic. Which in turn means I have to add a tag to all frames that leave port "WAN" (which in my mind means "Egress" = "add if missing") and since he sends me tagged frames and I don't want any vlan tags coming to my firewalls I put the Egress of "Firewall" to "always strip". With this config I could only ping the other laptop when I set the laptops vlan id to 10, which I think is almost successful? But I couldn't ping from my untagged laptop to my tagged one.
Sorry for my noob problems, it's my first mikrotik switch.

Make sure that the laptop that can't be pinged has it's Windows Firewall set to allow ICMP traffic. Default is to not allow ICMP traffic.