Hi, I have a question regarding bridged mode for the Mikrotik ATL LTE18 but I have a question regarding VLANs when in bridged mode.

I have a second firewall as my primary gateway, this in in a different area on a different switch, on a separate VLAN.

My question is will this setup work when in bridged mode? Will the device in bridged mode work over VLAN?

Thanks.

Sure. A few options depending on what you mean by "bridge mode".

By default, ATL comes with router network of 192.168.188.0/24 to LTE. So you just tag the port going to the ATL as an access port VLAN 301, and the other switch using 301 will get an routed IP from the default DHCP of ATL and be routed to LTE via ATL's router. If that works for you, you're done. You should just need to make the ATL an access port & perhaps set the APN for your carrier on the ATL.

All other options involve setting up vlan-filtering=yes in /interface/bridge. Docs explain it, but kinda complex if this is your first rodeo with Mikrotik. Basically you'd can easily lose access to ATL in middle of config, unless using Layer2/MAC in winbox to configure – why I say this get's tricky to setup the VLANs. It's not a lot of config - just error prone.
see Bridge VLAN config: https://help.mikrotik.com/docs/display/ ... VLAN+Table

Anyway, with a vlan-filtering=yes, you can use tag Mikrotik same default network (192.168.188.0/24) on the ATL, and then be trunk port to first switch... You can do this by just setting pvid=301 on the bridge interface and on all the port in /interface/bridge/port's set pvid=301 and frame-types=allow-untagged-and-priority-tagged-only on those ports. But if you setting an "access port" on your switch be a lot easier if you just want the ATL's network to flow through your switches.

Last option is "passthrough LTE" - this bridges the actually LTE IP from modem someplace else, like another router. The ATL no longer be a router to LTE since the IP address directly from LTE modem goes out an another interface when using "passthough". In /interface/lte/apn profile's there is a passthrough-interface= that can be /interface/vlan for 301 (and add to /interface/bridge/vlan, see note above bridging). Or, you just remove the etherX ethernet port from the /interface/bridge/port, and assign it directly to the passthrough-interface= in LTE.
See LTE docs on passthrough: https://help.mikrotik.com/docs/display/ ... ughExample
Mikrotik also has some videos on passthrough LTE if you search YouTube.

If by "bridge" you mean "pass-through" then yes, you can do it. Please remember that in pass-through mode the Mikrotik LTE device won't be reachable by an IP address on the interface used as pass-through target. One easy way to make it work is to use the non-tagged ethernet interface of the Mikrotik LTE device for management and create another VLAN for LTE pass-through. You can then make the untagged management traffic tagged on the switch to which the Mikrotik LTE device is connected. Or even disregard the untagged ethernet and make tagged VLANs both for management and LTE pass-through.

None of this is really Mikrotik-specific. It's just a device or a server with 2 VLANs, with all the proper subnets, maybe some static routing (to reach back to other subnets of your LAN), static or DHCP (static seems more reliable in this case, but you can make it dynamic if you wish) and so on being configured just one one of those VLANs.

Yes, just to confirm I mean FULL transparent bridged mode.

I should be fine with the VLAN configuration,

Its more how to setup the transparent bridge

So, something like this,

2 bridge ports,
one with the LTE and the eth1 port with a VLAN tag or vlanx, no ip address?

1 bridge port, with eth1
also with a vlan assigned say vlanxx, and with a IP address.

Switchport setup as a trunk with both vlans allowed on trunk.

Something like that?

What makes it a "transparent" bridge or passthrough?

Thanks

I should be fine with the VLAN configuration,

That makes this easier - explaining vlan-filtering=yes is not easy in a forum post.

This is central question:

What makes it a "transparent" bridge or passthrough?

There are two operational mode of LTE on RouterOS.
1. One, is that's it's a local interface, and the LTE carrier-assigned IP address from their network get's assigned to the ATL. And the ATL acts like any home router with LAN+DHCP+NAT, except instead of ether1 it's lte1 that's the WAN. This is the default mode.
2. The other is LTE Passthrough, where the IP address from LTE gets assigned to another device. Since the LTE IP is "passthrough" the router, the ATL no longer has internet via LTE – since its interface is going somewhere else (i.e. as 2nd WAN on a main router). ATL still has it's LAN IP etc., but it need a new default gateway to the route where the LTE is going.

2 bridge ports,
one with the LTE and the eth1 port with a VLAN tag or vlanx, no ip address?

You cannot NOT bridge /interface/lte via the /interface/bridge/port, directly. So that's not how it's done.

If you want to "bridge" the LTE interface (option 2 above) you need to set the passthrough interface in APN Profile for the LTE interface. You'd want to do this only if there is some single main router that you want to get the LTE network-assigned IP address (i.e. LTE is a 2nd WAN on it). Instead of /interface/bridge/port, you assign a VLAN (or VXLAN/EoIP/etc) via /interface/lte/apn's passthrough-interface= to "bridge LTE". Something like (just example from head): Since the VLAN301 has the real LTE IP address on it, the router cannot have the LTE IP. You also need some management subnet to be able to access the router for configuration. So the native VLAN on the bridge, in defaults, have 192.168.188.1/24 address & be untagged on bridge.

How you'd want to deal with the management network is up to you. But likely re-assigning 192.168.188.0/24 stuff on ATL to some existing management network is what's you want. For simplicity, if we assume the untagged ether1 as management to the device (i.e. first switch in a hybrid port, with 301 for LTE passthrough, and untagged ether1 is management. You can undo the defaults with something like: It could be a VXLAN or 2nd VLAN on ATL with more config.

There should NO IP address on the LTE interface nor whatever passthrough-interface= used on ATL (in example "vlan301"). Only one, and only one (i.e. the first, or the MAC address configured in /interface/lte/apn) & it will can DHCP to get it directly from LTE network.

1 bridge port, with eth1
also with a vlan assigned say vlanxx, and with a IP address.

If you want IP address and routing, whole different story. But another mode is can just leave the ATL as router, and add static routes (or use OSPF/BGP/RIP/etc) to your network. So your VLAN 301 is the 192.168.188.0/24 (or whatever LAN is assigned to ATL), and your other routes just send traffic to 192.168.188.1. You have to be careful no additional NAT's get in the way.

Basically it whether you want Layer2 bridge to LTE, or you want a routable subnet to LTE. Kinda your choices. The underlying VLANs can be used for either.

I kinda forget but Mikrotik has YouTube videos, if that's your thing:

LTE passthrough: PART 2, advanced - https://www.youtube.com/watch?v=IZFAeLbujso
LTE passthrough - empowering rural internet!: https://www.youtube.com/watch?v=8cD1cGH0e3Y