Due to physical constraints I can have only one cable going from my Mikrotik RB to where most of the office equipment is. I have this plugged into ether2 configured with several VLANs. One of the VLANs (VLAN11) is on 192.168.1.x. I'd like to have either3 on the same subnet, with devices on VLAN11 talking to devices on ether3.

What's the correct way to configure this? I created a bridge called "office," assigned it two ports (ether3 and VLAN11), and gave IP address 192.168.1.1 to the bridge "office" with a corresponding DHCP pool and server. When I connect to ether3 I get a valid 1.x IP address from DHCP, but cannot ping the RB or access the web admin panel. Am I missing a step?

I created a bridge called "office," assigned it two ports (ether3 and VLAN11)

That is not the correct way.
Bridging VLAN interfaces with physical ports is a misconfiguration.

You should add both ethernet ports to the same bridge and then setup a proper vlan filtering.
Depending on the RB model, it can be either using bridge vlan filtering or switch chip vlan filtering.

That is not the correct way.
Bridging VLAN interfaces with physical ports is a misconfiguration.

You should add both ethernet ports to the same bridge and then setup a proper vlan filtering.
Depending on the RB model, it can be either using bridge vlan filtering or switch chip vlan filtering.

Thanks. This is the man page, then? https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

Is there another way to have VLAN11 and ether3 on the same subnet? Or is it better to just put them on separate subnets and use NAT/firewall rules?

Thanks. This is the man page, then? https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

Yes, that's it.
But keep in mind that, despite the fact, that all mikrotik devices can be configured this way, in high-load scenarios this approach it the best option only for CRS3XX switches (that can benefit from HW-offloading when configured this way), or devices with no switch chip, or a switch chip, that can't do vlans in hardware at all (for them it is the only way).
For all other devices that have a vlan-capable switch chip, the recommended way is to configure vlans in switch menu.
Because with "bridge vlan filtering" their performance will be significantly reduced in comparison with "switch chip vlan filtering".

Is there another way to have VLAN11 and ether3 on the same subnet? Or is it better to just put them on separate subnets and use NAT/firewall rules?

Well, one can possibly invent some workarounds, but that is not the situation that has to be worked around in the first place.
If you need them in one subnet - do it properly. If not really: ok, separate subnets are also fine. It's an easier approach, but not performance-wise.

If you need them in one subnet - do it properly.
If not really: ok, separate subnets are also fine. It's an easier approach, but not performance-wise.

Thank you. By "do it properly" you mean bridge vlan filtering, correct?
And are you saying that to have them on separate subnets will be a performance loss? Or that finding a workaround is not a good idea?

Thank you. By "do it properly" you mean bridge vlan filtering, correct?

Depending on what exact Mikrotik device we are talking about.

And are you saying that to have them on separate subnets will be a performance loss? Or that finding a workaround is not a good idea?

Traffic between subnets will be handled by CPU.
Traffic inside one subnet won't, in most of the cases (and if configured right).
And yes, some workaround will most likely end up using CPU too.

However, all this can be negligible, if the amount of traffic is relatively low.

Traffic between subnets will be handled by CPU.
Traffic inside one subnet won't, in most of the cases (and if configured right).
And yes, some workaround will most likely end up using CPU too.

However, all this can be negligible, if the amount of traffic is relatively low.

Thank you so much!

Do you know if it's possible to have the VLAN's interface set to 192.168.1.1, and the ethernet port's interface set to 192.168.1.2? Same subnet, same IP pool, but different IP addresses?

Do you know if it's possible to have the VLAN's interface set to 192.168.1.1, and the ethernet port's interface set to 192.168.1.2? Same subnet, same IP pool, but different IP addresses?

Assigning an address to a slave interface (and ethernet interface will be a slave to a bridge in your config) is not something you would want to have - can lead to unexpected behaviour.
But you can assign as much addresses as you need to a VLAN interface, that will be on top of the bridge.

Assigning an address to a slave interface (and ethernet interface will be a slave to a bridge in your config) is not something you would want to have - can lead to unexpected behaviour.
But you can assign as much addresses as you need to a VLAN interface, that will be on top of the bridge.

Per your advice earlier, I got rid of the bridge. Now that there is no bridge, can I go ahead and assign same-subnet different-IPs to the VLAN and ethernet interface?

Per your advice earlier, I got rid of the bridge. Now that there is no bridge, can I go ahead and assign same-subnet different-IPs to the VLAN and ethernet interface?

That is not, what I meant: two ethernet ports should be bridged, not ethernet port and vlan.

But if you don't want to go that way: you can now assign different IPs from one subnet (you can even assign the same IP), but there will be no connection between hosts on your VLAN and ethernet interface this way.
To make them able to connect to each other you need to change arp mode to proxy-arp on both ethernet and vlan interface (that would be one of the possible workarounds mentioned earlier).

That makes sense. Thanks so much for your help! большое спасибо!

That makes sense. Thanks so much for your help! большое спасибо!

You are welcome! :)

viewtopic.php?f=13&t=143620

Is your best reference, there should be no issues with
what you desire using the above information unless xvo, I missed something in translation??

viewtopic.php?f=13&t=143620
Is your best reference, there should be no issues with
what you desire using the above information

Thanks. That's a very useful explanation of VLANs. That doc also confirms what XVO said. The interfaces must be on separate subnets.

Thanks. That's a very useful explanation of VLANs. That doc also confirms what XVO said. The interfaces must be on separate subnets.

I'm still not 100% sure that you got me right: both approaches are possible.
If you want them to be in one subnet - then you need to bridge two ethernet interfaces together and add vlan filtering configuration (either on the bridge itself or on the switch chip).
If you are ok on different subnets - no need for all that, you can have one ethernet port with all vlan-interfaces on top of it (like you have it now), and additionaly a separate subnet on the second ethernet port.

I'm still not 100% sure that you got me right: both approaches are possible.
If you want them to be in one subnet - then you need to bridge two ethernet interfaces together and add vlan filtering configuration (either on the bridge itself or on the switch chip).
If you are ok on different subnets - no need for all that, you can have one ethernet port with all vlan-interfaces on top of it (like you have it now), and additionaly a separate subnet on the second ethernet port.

Yes, I think I understood. I'm okay with separate subnets.

Yes, I think I understood. I'm okay with separate subnets.

Ok! :)