Hello.
I tried also to search but did not find an answer to my specific issue.
I am configuring RB1100AHx4 (ROS 7.8 ) for home usage and I am trying to replace my ISP's router.
I have configured Ethernet1 port as WAN and bridged ports Ethernet2-12 for LAN usage. Port 13 is reserved for management only.

There are 2 different types of data coming in to WAN port:
1) internet- RB will get address with DHCP and then does masquerading/NAT between WAN and LAN bridge (no problem here)
2) DigitalTV service on VLAN4 that would need to passthrough (and remain tagged) to Ethernet2 port that is attached to LAN Bridge

Ethernet2 would need to have normal untagged LAN traffic + VLAN4 digitalTV signal passed through, tagged. This is my problem, how to achieve that.
Any instruction or link to the solution would be appreciated. Thanks.

(Later VLAN4 will be routed to appropriate port in another switch (RB260, SwOS 1.17) and untagged but this I have under control.)

I dug into Mikrotik Support site's documentation and the ROS packet flow diagram tells me that what I need to do cannot be done in L2.
Decapsulation-routing decisions-encapsulation seems to be the way and this brings it to the L3.
To keep it on L2 I could of course make a bridge also on WAN side with 2 ports and then use a cable to transfer VLAN4 from WAN bridge to the bridge on LAN side. Have done this before also but this solution seems silly. As I read on a few forum posts- connecting VLANs between two bridges is not possible. Am I wrong here?

Luckily 1100 has 13-port switch and I have 4 ports unused so with bridge vlan filtering and cable between appropriate ports would still do the trick on L2. DigitalTV tv signal is low bandwith so it is nowhere near saturating the 1Gbps cable connection.
On the other hand- I have also more than enough CPU overhead on RB1100AHx4 for home usage so the routing option is also ok.

I dug into Mikrotik Support site's documentation and the ROS packet flow diagram tells me that what I need to do cannot be done in L2.
Decapsulation-routing decisions-encapsulation seems to be the way and this brings it to the L3.
To keep it on L2 I could of course make a bridge also on WAN side with 2 ports and then use a cable to transfer VLAN4 from WAN bridge to the bridge on LAN side. Have done this before also but this solution seems silly. As I read on a few forum posts- connecting VLANs between two bridges is not possible. Am I wrong here?

Luckily 1100 has 13-port switch and I have 4 ports unused so with bridge vlan filtering and cable between appropriate ports would still do the trick on L2. DigitalTV tv signal is low bandwith so it is nowhere near saturating the 1Gbps cable connection.
On the other hand- I have also more than enough CPU overhead on RB1100AHx4 for home usage so the routing option is also ok.

I am not sure what you read, but to do what you want to do should be possible by using a bridge port for the WAN connection. v7.8 claims to support the RTL8367
switch chip for hardware bridge offloading. See https://help.mikrotik.com/docs/display/ ... p+Features footnote 3.

3 Bridge HW vlan-filtering was added in the RouterOS 7.1rc1 (for RTL8367) and 7.1rc5 (for MT7621) versions. The switch does not support other ether-type 0x88a8 or 0x9100 (only 0x8100 is supported) and no tag-stacking. Using these features will disable HW offload.

My question to you is why does ethernet port two, need to have the tagged vlan traffic for TV (understood as perhaps a set top box requirement) BUT WHY does it also need the normal LAN traffic...............

I am not sure if the RB1100 supports HW bridging when you are bridging multiple switch chips all in the same bridge. It would seem the CPU would be required for bridging any traffic between the switch chips.

I have only the RB760iGS and RB5009, and both of those have only a single switch ASIC.

@anav has a good question about why you need both the "trusted" LAN and the "unfiltered" TV vlan on the same port.

Its a good question because, whenever an OP says "I need to this on the config", I really dont care!
What is important is the why, the use case, what does the user or device need for traffic flow, that will eventually point to a config entry or more likely entries as many items are related and need to have an integrated approach. Many times yes, the config wont change but more often the OP has made an incorrect assumption of what he needs to do on the config. Our job is to extract truth based on requirements and not work from assumptions...................... no fun!!

Thanks for answering and my apologies for not being clear enough.
I try to leave all assumptions behind and just try to describe what I try to achieve.
1) my ISP sends out untagged internet traffic and encapsulated digital tv signal (VLAN4)
2) RB1100AHx4 would need to do the normal internet routing and also bridging VLAN4 signal from ISP between TV Digibox and ISP.
3) TV Signal needs to get to another part of the building in the same cable with internet signal. RB260GS IS st that end and will assign internet and tv Signal to appropriate ports.

I also read "Layer 2 misconfiguration" chapter from MT help and found out that 3 switch chips will provide an additional challenge with bridge VLAN filtering. Found that out the hard way and read later of course...
My main trouble is/was how to make RB1100Ahx4 to route the internet traffic and bridge VLAN4 at the same time.
I wrote WAS because I also did find out that the issue is also solvable another way- buying a Chromecast dongle and installing my ISP's app. The result would be the same.
But the question still stands is bridging VLAN doable in that case.

Do you have a preference on having to use your ISP App to control the Chromecast or would you rather use the set top box?

How much do you want to learn about configuring vlans on the RB1100? If that is a goal then it may be worth pursuing, but if you don't want to learn (it will take a while, in all likelyhood well over 1 hour unless you are already proficient with ROS, and even then if you have never used vlans the vlan-aware bridge (vlan-filtering bridge), and your time is valuable, it may be easier to get an additional RB260GS to put between the ISP and the ether1 interface (to split out tagged vlan 4 and untagged WAN and then combine tagged vlan 4 and untagged LAN on the "hybrid" link going to the second RB260GS where you would split out into two ports (one access for Internet, one with only vlan 4 tagged) for the set top box. But this assumes you already know how to configure the RB260 vlans (but you will need to learn to do this either way, if that is how you plan to split the vlans in the TV room).

If you want to pursue the RB1000 + ROS solution, read this thread for some ideas. Of course that thread has no multiple switch chips to complicate things.

In either case if you use a bridge or switch for the WAN connection, be sure you take steps to protect the management to trusted devices (I would not allow access from either vlan you are connecting to the WAN port).

I would also use a vlan that you would not normally use for the WAN untagged vlan (e.g. vlan 666)

Thank you for answering.
Learning is always a good thing, that is why I try not to ask / blindly follow detailed instuctions and copy-paste terminal commans. That is a dead end.

I am interested in the principle/scheme, how to bridge VLANs that should not enter the routing process.

So my initial idea is:
1) create a bridge also for WAN interface and attach WAN ethernet port to it. (HW offloading should be disabled for that bridge to allow another ports of the same switch chip to be added to LAN bridge with HW offloading)
2) create 2 VLAN4 interfaces. One interface on LAN bridge and one on WAN bridge
3) create a 3rd bridge and bind those two VLAN interfaces with that bridge

Then apply correct VLAN filtering to bridges.

Am I totally going to wrong direction with my thoughts here?

Why not single VLAN aware bridge with VLANs properly configured?

Why not single VLAN aware bridge with VLANs properly configured?

That would be indeed nicer but I fail to understand how can I bridge VLAN4 that comes in from ISP on WAN side to LAN with one bridge and have all untagged traffic routed at the same time.

The way I would approach is one bridge. No vlan 4 interface, you don't want the connection to the "routing engine" for the TV vlan.

Something like (not tested) (this is "internal wiring" only, firewall, interface lists, etc. not covered here). You will need to add ip addresses to the LAN_vlan213 (and WAN_vlan666 will get its ip via DHCP from the ISP)

vlan 4 IPTV (connected tagged to ether1 and ether2, no connection to bridge (CPU/routing_engine) - note: there is no vlan interace associated with vlan 4, it is only configured for the bridge ports ether1 and ether2
vlan 666 internet (connected Untagged to ether1, tagged to bridge (CPU/routing_engine) There is also a vlan interface WAN_vlan666 associated with this vlan, it's the "connection" to the routing engine.
vlan 213 LAN (connected Untagged to ether2, tagged to bridge (CPU/routing_engine) There is also a vlan interface LAN_vlan213 associated with this vlan, it's the "connection" to the routing engine.

---------

Thank you, Buckeye!
This is a very nice solution and logically thinking I should have also gotten to this (maybe in year or so :8 ) but I am just at the beginning of the path of trying to understand a bit how RouterOS works. I can even understand how your solution could work and that is a good start.

If you haven't started work, and possibly locked yourself out, I would suggest configuring one of the ether ports on a different switch chip to do your configuration from. At a minimum the port you are working on should not be a member of the bridge that is associated with the RTL8367 that ether1-ether5 are connected to.

I also don't know how the default config configures multi-switch devices, e.g. whether all ports except the WAN are configured into on bridge (and a single broadcast domain in a single 192.168.88.0/24 subnet) or it if does something different.

The important point is to do the configuration from an ether port that is not configured as part of the bridge you are working on, especially if you are not intimately familiar with how the device works, and have the ability to use tagged interfaces from a vlan-aware device.

Here's a post that explains how to remove a port from the bridge using WinBox. It can also be done with the command line, but it requires you know what the port is called (I recommend using tab completion when using the command line interface, as it can give you a list of what your valid options are, and fill in the rest once you have typed enough to make it unique among the choices).
/interface bridge port remove [ find interface=ether5 ]

Here's a good "starting point" for learning about configuring ROS New User Pathway To Config Success

Locking oneself out- been there, done that. This happened when I was not aware of specific Layer 2 misconfiguration issue connected to bridges and multiple switch chips specifically. The issue was sneaky because the port I connected to had proper leds on as if it was working. All I needed to do was after restart pull the plug out and put it in again. With that Layer 2 misconfigure issue when the cable was already in and device restarted- no connection.

I have already isolated one port that is dedicated to management only, that port is not on a brige, has individual ip-address range and address assigned and also input rule configured in firewall. In addition- make frequent backups.

I am not totally new with MT, been using them since RB750GL was fairly new on the market, my first device. Somehow now I got interested in learning RouterOS beyond a simple initial configuration so I started with trying to understan packet flow as a basis. Thanks for assistance!

I forgot that the RB1100AHx4 has a serial console build in. That's the ultimate "get out of jail free" card, as long as you have an old school DB9 RS232 connector. The picture of the RB100AHx4 appears to have a old "PC" compatible DB9 with male pins, probably configured as DTE. Those are not as easy to find as the "USB to Cisco RJ45 rollover console cables".

A console port is one thing I really wish the RB5009 had.

Must search here, if anyone has tested the serial connection to Mikrotik with Apple Silicon Mac and new OS.
The Serial > USB adapter cables are available and cheap but I wonder if there will be any driver issues.

Must search here, if anyone has tested the serial connection to Mikrotik with Apple Silicon Mac and new OS.
The Serial > USB adapter cables are available and cheap but I wonder if there will be any driver issues.

It looks like @normis uses an Apple laptop. Maybe he could tell you.