On the CRS326 loop-protection just doesnt do anything the moment a port is in a different PVID than 1 and VLAN filtering is enabled

The manual says it's recommended to use STP when the interfaces are added to a bridge but not that it wont work at all the moment VLANs come into play

I'm currently looking for loop protect in Mikrotik.
I'm using RouterOs v7.11.2 ; model RB1100AHx4

I have one bridge and 3 VLANs.
Loop protect in the /interface/vlan does not blocked or ...wrong blocked.
I plugged 1st LAN cable to switch and then 2nd to the same switch for VLAN 101. I have loop protect on for that VLAN but Mikrotik block all VLANs.
If I don't unplug it, I will not be able to access any website including here. Once unplugged, I can access sites but not Mikrotik.

It's look like there is no way to loop protect on VLAN like this (search but not found anything about this except this topic).
In that case, I have to use "Loopback Detection" on managed switch that is be able to block it perfectly.

So if you can make sure that you use the same pvid on all Ethernet ports belonging to the same bridge, you are fine to use loop-protect on those Ethernet ports. If you need to use the same VLAN tagged on some ports of a bridge and tagless on other ports of the same bridge, the loop-protect mechanism as currently implemented in RouterOS will not work properly.

Just bear in mind that the post you've quoted is more than 4 years old, so maybe RouterOS 7 has changed something about it. Not that I would give it too much chance.

Just bear in mind that the post you've quoted is more than 4 years old, so maybe RouterOS 7 has changed something about it. Not that I would give it too much chance.

:local loopMessage "probably a loop";
:local foundLogs [/log find message~"$loopMessage"];

# Loop through all found log entries
:foreach logId in=$foundLogs do={
    :local thisMessage [/log get $logId message];
    # Assume interface name follows immediately after "ether" and goes until the first space
    :local startIdx [:find $thisMessage "ether"];
    :local endIdx [:find $thisMessage " " startIdx];
    :local thisInterface "";

    # Check if "ether" is found and adjust endIdx if not found (i.e., end of message)
    if ($endIdx = -1) do={
        :set endIdx [:len $thisMessage];
    }
    :set thisInterface [:pick $thisMessage $startIdx $endIdx];

    # Check if the interface name is extracted correctly and exists
    :if ([:len [/interface find name=$thisInterface]] > 0) do={
        :log info ("Loop detected, shutting down interface: " . $thisInterface);
        /interface set [find name=$thisInterface] disabled=yes;
    }
}

Just bear in mind that the post you've quoted is more than 4 years old, so maybe RouterOS 7 has changed something about it. Not that I would give it too much chance.

Im still on 6.49 but we are going into an event right now so im nervous to make the change but my next event isnt until Mid march so maybe I can put in some bench time to try and get a few things understood..

Id like the CRS3X switches to..

Do loop-protect on ports on the bridge -- and storm control.. (because that doesnt seem to work either, because I figured it would stop the loop just the same way, and it doesnt)
Do a more accurate job of rate-limiting ports (especially on ingress.. the egress seems fine.. im talking about in the /interface/ethernet/switch/port section) I do not know how to do ingress ACLs so thats pretty much all I have right now to do that..
Id like to also see if there is a way to do port security similar to how the cisco switches do. limiting lets say 10 Macs per port..

Also this is more on me learning RSTP.. but I constantly give internet to areas when building out an event with a point to point but then move it to fiber, I want to be able to just leave the p2p up and connect the fiber and always select my root port as the fiber port.. ive been lucky and lately It just seems to pick it automatically but I read that, its not always the case..