roel
newbie
Topic Author
Posts: 26
Joined: Thu Jul 21, 2016 5:04 am

Vlan interface placement

Thu May 18, 2017 5:28 am

Hi,

I need some input regarding where to place your vlan interfaces. What is best:

1. bridge all interfaces and create vlan interfaces under the bridge

bridge
- vlan 1
- vlan 2

or

2. don't create a bridge and create vlan interfaces under the physical interface

ether1
- vlan 1
- vlan 2
 
borisk
Frequent Visitor
Posts: 97
Joined: Mon Jul 04, 2016 10:02 pm
Location: Nizhniy Tagil, Russia

Re: Vlan interface placement

Thu May 18, 2017 7:58 am

Would you please give us more information about your task?
In most cases, imho, bridge is a bad idea.

Regards,
Boris
 
roel
newbie
Topic Author
Posts: 26
Joined: Thu Jul 21, 2016 5:04 am

Re: Vlan interface placement

Thu May 18, 2017 8:56 am

My goal is to create multiple vlans for my multiple hotspot and pppoe clients, meaning I will be having a lot of vlans.
 
borisk
Frequent Visitor
Posts: 97
Joined: Mon Jul 04, 2016 10:02 pm
Location: Nizhniy Tagil, Russia

Re: Vlan interface placement

Thu May 18, 2017 9:14 pm

As usual there are many ways... and it depends on your L2 equipment.
I prefer LACP (bonding) and Q-in-Q. Maybe Q-in-Q will not be suitable for you, and even LACP too.
To advise you on something, please be more specific. For example:
1) I have Mikrotik model XXX
2) It will be used as router / bras / hotspot or all-in-one?
3) How many vlans do you want to terminate?
and so on... for someone 20 vlans are a lot, and for others - 8k

Regards,
Boris
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Vlan interface placement

Thu May 18, 2017 9:43 pm

To possibly answer your question with simplicity: a VLAN interface is generally used to send traffic tagged down an interface. You wouldn't want to add multiple VLAN interfaces to the same bridge interface. For example, the VLAN interface would tell it to send traffic directed to it out a particular interface, let's say for the sake of argument ether5. You also assign the VLAN ID to be used. Great, for those Cisco folks this sounds like a way to trunk a VLAN to another device. Awesome. You have bridges. Simply put, it is a mechanism to send traffic to all ports assigned to it. So let's say you have 2 VLAN interfaces, ether5-vlan11 and ether5-vlan21; they do what they sound like, apply the VLAN tags 11 and 21 respectively out interface ether5. If you add both VLAN interfaces to the same bridge, all traffic that hits that bridge gets sent out ether5 encapsulated in VLANs 11 and 21. Generally not desirable.

So to keep things simple, if you want to create a "trunk" port, you create a VLAN interface for each VLAN and assign each of these VLAN interfaces to the appropriate real interface. You can use bridges to make that VLAN available in multiple places for example, maybe 2 trunk links or 1 link where that VLAN is the native "access" VLAN and one that is the "trunk" VLAN.

I'm not aware of a way to allow all VLANs or by range like we can do in Cisco equipment. The CCR or other hardware that supports hardware Ethernet switches and VLANs may have more efficient ways to do it.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Vlan interface placement

Thu May 18, 2017 9:56 pm

Here's the difference between your examples:

In the first example, the vlan interfaces being on the bridge means that the Mikrotik will place tagged frames onto the bridge, which will forward them as tagged ethernet to any ports (interfaces) connected to the bridge. For example, say that you put IP address 192.168.50.1/24 onto interface vlan50 and put interface vlan50 onto bridge1. Bridge1 has interfaces ether1 - ether5 connected to it as ports. What this means is that whenever you try to ping something in the 50.x network, the ping will go out interface vlan50, which puts on an 802.1q vlan header with tag = 50. This tagged ethernet frame will be able to go to any device connected to any of the 5 physical interfaces. NOTE: The devices attached to these interfaces must be able to understand the vlan tag.

Then there's your other case:
If you put interface vlan50 directly on ether1, then this means that the tagged frames will be sent directly out on ether1, and none of the other bridge ports will be able to access vlan 50. In fact, I'd say that it's bad practice to put vlan interfaces onto physical etherX interfaces which are also connected to bridges. This second method is more like a standard router, basically. So if you have a single vlan-aware switch, you would just put the vlanXX interfaces directly onto ether1, and connect ether1 to the switch. The switch's port which is connected to the router must be configured to accept tagged traffic (Cisco switches refer to these as "trunks" - i.e. "switchport mode trunk").

If you have multiple vlan-aware switches, and wish to use the Mikrotik as your root switch, this is the scenario where you would bridge the ports and put the vlan interfaces onto the bridge.

A third, more complicated but flexible method is to create one bridge per VLAN in the Mikrotik. So suppose you want vlan50 to be on ports ether1 and ether2, but you want vlan60 to be on ports ether2 and ether3 - you would make some vlan interfaces: e1v50, e2v50, e2v60, and e3v60. Then you would make two bridges "bridge50" and "bridge60" - for the ports on this bridge, you would not connect the physical interfaces ether1, etc - you would connect the vlan interfaces instead. So you would then add e1v50 and e2v50 to bridge50, and you would add e2v60 and e3v60 to bridge60.

When you just put the vlan interfaces onto a single bridge and connect the physical ports to the bridge, this means that all interfaces will carry all vlans. You can then limit vlans to certain ports using bridge firewall rules, but I think this would be much less efficient than the above method of bridging the vlan interfaces directly.
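
The per-VLAN bridge layout described in the post above, written out as RouterOS commands. This is an added example, not part of the original post: the names e1v50, e2v50, e2v60, e3v60, bridge50 and bridge60 are the ones the post uses, and putting the post's sample address 192.168.50.1/24 on bridge50 is an assumption for illustration.

```routeros
# Added example (not from the thread): one bridge per VLAN.
# Result: VLAN 50 exists only on ether1 and ether2, VLAN 60 only on
# ether2 and ether3. ether2 carries both tags, and frames tagged 50
# never leave ether3, without any bridge firewall rules.

# 1. One VLAN sub-interface per (physical port, VLAN ID) pair.
#    ether1-ether3 themselves are NOT added to any bridge here.
/interface vlan
add name=e1v50 interface=ether1 vlan-id=50
add name=e2v50 interface=ether2 vlan-id=50
add name=e2v60 interface=ether2 vlan-id=60
add name=e3v60 interface=ether3 vlan-id=60

# 2. One bridge per VLAN.
/interface bridge
add name=bridge50
add name=bridge60

# 3. The bridge ports are the VLAN sub-interfaces, not the physical ports.
#    Every port of a given bridge sits on a different physical interface.
/interface bridge port
add bridge=bridge50 interface=e1v50
add bridge=bridge50 interface=e2v50
add bridge=bridge60 interface=e2v60
add bridge=bridge60 interface=e3v60

# 4. Layer 3 for a VLAN goes on that VLAN's bridge
#    (assumed placement of the address used earlier in the post).
/ip address
add address=192.168.50.1/24 interface=bridge50

# 5. Check the result: each bridge should list exactly two ports.
/interface bridge port print
```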
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Vlan interface placement

Thu May 18, 2017 10:16 pm

Nice, lots of good insight Zero. Honestly I've never thought of adding the VLAN interface directly to a bridge. It makes perfect sense that it would result in the bridge transmitting frames as tagged packets.

My translation of how I do VLANs comes just from my logic. Likely as a Cisco guy first. I create a bridge for each VLAN, say br11 for VLAN11. I then create VLAN interfaces for VLAN ID 11 for Ethernet interfaces I need to tag the VLAN on (trunks). I then turn around and add that newly created VLAN interface as a bridge port to br11. This keeps all the ports that are using VLAN11 in sync. I can also just add an interface like ether2 as a bridge port and it will transmit frames for VLAN11 untagged out that port. Just the way I processed how to use VLANs when I started buying MikroTik gear. The knock-on effect is that to create a "trunk" port I have to add a VLAN interface for each VLAN I want to send down that link.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Vlan interface placement

Thu May 18, 2017 11:26 pm

I'm a Cisco guy too, Idlemind, and it took me a while to really wrap my head around the possibilities / behaviors of MT's bridging/vlan infrastructure.

The way I ended up thinking about the vlan interfaces which made it all click for me is that they're like interfaces with a "front" and a "back".
Traffic that goes in the back comes out the front with a tag on it.
Traffic that comes in the front with the matching tag will be picked up, and the (outermost) tag gets stripped and sent out the back.

The back leads to either the CPU, or else a bridge (if the vlan is added to the bridge as a port).
Associating the vlan virtual interface with any other interface is connecting the "front" of the vlan interface to the "back" of the other interface, be it a physical ethernet interface, wlan interface, or even another vlan interface.

And if you want to get really crazy with it, you can put your vlans onto a bridge and have a set of trunks. You can then create a second bridge which you connect to one of the vlans and some other interface. That's how you drop out an "access" port for that particular VLAN if you're primarily bridging trunks. Of course if the Mikrotik needs to have layer3 in that vlan, then you need to put the IP/DHCP/whatever onto the "access vlan" bridge.

At the end of the day, I don't find either method to be "better" than the other - it just depends on what you're doing with the box. If more vlans and trunking with consistent ports, I put the vlans on the bridge, and if just a few that I want more control over, then I bridge the vlan subinterfaces individually.

One thing that tends to jump up and bite our junior techs with all of this is if they bridge two vlan subinterfaces together, but the subIf's are on the same physical port - this has ... interesting ... results.
 
roel
newbie
Topic Author
Posts: 26
Joined: Thu Jul 21, 2016 5:04 am

Re: Vlan interface placement

Fri May 19, 2017 4:52 am

Hi all, thanks for the inputs. I guess I will stick to my current setup that my multiple vlans will be on a single bridge. I'm just thinking, since I know that bridges use CPU, that's why I'm planning to move my vlans directly onto physical interfaces.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Vlan interface placement

Mon May 22, 2017 4:49 pm

> Hi all, thanks for the inputs. I guess I will stick to my current setup that my multiple vlans will be on a single bridge. I'm just thinking, since I know that bridges use CPU, that's why I'm planning to move my vlans directly onto physical interfaces.

It sounds like you're using the Mikrotik strictly for routing and no switching - in which case I agree with your decision.
