I'm trying to find a solution to this strange network setup I've inherited from a managed wireless provider that is on their way out the door.
I've gotten almost everything working, except one VLAN. I've attached an MS Paint mock-up of the network layout.
Basically I have a fiber "wan" with some vlans attached, coming into a hEX S running ROS 7.5 in the SFP port.
This "wan" is on this port, untagged.
It also has 5 VLANs tagged: 2, 36, 41, 200, 1061.
The outcome is that we want ports 1, 2, 3 to be untagged traffic for some of these vlans, and ports 5-6 to be the community network.
This is where it gets weird, and I know it's strange, but I don't really want to change it; it works. There's lots of crazy configuration that I barely can decipher which seems to talk to a Ruckus gateway and give out a specific subnet depending on the MAC address connecting to the WAP. Essentially there are about 888 VLANs passed through to the WAPs, all generated within the MikroTik on a bridge, with DHCP, NAT rules, firewall rules, scripts, etc., containing those two ports (4, 5) and the 888 VLANs.
I've achieved everything so far except getting one VLAN (1061) from the fiber onto the WAP, and routing access into the VoIP VLAN when a specific IP is attempted to be accessed from anywhere on the 888 VLANs on the community network side. I can actually ping everything from all VLANs from the MikroTik terminal; it's so tantalizingly close.
Here's what I've done so far:
The device was preconfigured with WAN on eth1 from a cable modem, ports 2, 3 inactive, and ports 4, 5 + the 888 local VLANs on a bridge.
I removed the WAN configuration for eth1, got rid of the modem, and connected the newly installed fiber to the SFP.
I created a bridge and put the SFP and copper ports 1, 2, 3 + the VLANs I want on this bridge. This is all working after VLAN filtering, tagging, untagging, changing rules to use the bridge, etc.
Here's what I have working:
VLAN 2 on the fiber comes out untagged on eth1.
I can manage the mtk remotely from a machine on VLAN 2 on the other side of the fiber.
VLAN 36 on the fiber comes out untagged on eth2.
VLAN 41 on the fiber comes out untagged on eth3.
I've left the existing bridge that was already configured for ports 4, 5, and the 888 internal VLANs.
I've adjusted the firewall rules and NAT rules to use the SFPwan bridge, and the WAP and its strange configuration is working and is online. All virtual SSIDs and MAC-address-registration-based routing are functional.
Here's where I'm stuck:
I want to ONLY pass through VLAN 1061 from the fiber into the bridge running the WAP ports (aka tagged on ports 4, 5). I don't want any of those other VLANs on this WAP bridge back-feeding.
I want to re-route traffic to a specific IP on VLAN 200 when a device on the internal VLANs 2-888 requests that IP (almost treating it like a transparent VPN; maybe mangle and a routing mark?).
I've recently discovered that you can't send a VLAN across two bridges, so I'm stumped. I don't have enough ports free to make a loop cable to physically bridge 1061 across the two; it was the only idea I had.
I cannot have all ports on one bridge; it needs to be separate to prevent conflicting VLANs from back-feeding into the fiber.
Maybe it can be done but all the strange internal config would need to be re-engineered.
Any suggestions? We're expecting very little traffic on 1061 and 200; it'd be idle most of the time. I'm OK with any dirty hacks that hurt performance on those VLANs.
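For readers following the description above, this is what the working part of that layout (SFP uplink with VLANs 2/36/41 untagged on ports 1-3, VLAN 2 used for management) looks like as a RouterOS 7 bridge VLAN-filtering config. It is an added illustration, not the poster's actual export; the interface names (sfp1, ether1-ether3), the bridge name SFPwan and the management address are assumptions.

```routeros
# Added illustration of the described SFP-side bridge; names and address are assumed, not from the poster's export.
/interface bridge
add name=SFPwan vlan-filtering=no comment="turn vlan-filtering on only after the vlan table exists"

/interface bridge port
# Uplink: carries VLANs 2, 36, 41, 200, 1061 tagged; untagged "wan" frames land in PVID 1.
add bridge=SFPwan interface=sfp1 ingress-filtering=yes frame-types=admit-all
# Access ports: one VLAN untagged per port via its PVID; tagged frames from clients are dropped.
add bridge=SFPwan interface=ether1 pvid=2  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=SFPwan interface=ether2 pvid=36 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=SFPwan interface=ether3 pvid=41 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
# Membership is per VLAN, per port: a VLAN only reaches the ports listed for it,
# so nothing on ether1-3 can back-feed into VLAN 200 or 1061 towards the fiber.
# VLAN 2 also lists the bridge itself so the router CPU can be managed on it.
add bridge=SFPwan vlan-ids=2  tagged=sfp1,SFPwan untagged=ether1
add bridge=SFPwan vlan-ids=36 tagged=sfp1 untagged=ether2
add bridge=SFPwan vlan-ids=41 tagged=sfp1 untagged=ether3
# 200 and 1061 arrive on the uplink but have no other member port on this bridge.
add bridge=SFPwan vlan-ids=200,1061 tagged=sfp1

# Management interface on VLAN 2 (the poster manages the router from VLAN 2 across the fiber).
/interface vlan
add name=vlan2-mgmt interface=SFPwan vlan-id=2
/ip address
add interface=vlan2-mgmt address=192.0.2.10/24 comment="placeholder management address"

/interface bridge set SFPwan vlan-filtering=yes

# Check: each VLAN should appear only on its intended ports, and learned hosts only where expected.
/interface bridge vlan print
/interface bridge host print
```

Enable vlan-filtering last, from a session that does not depend on the bridge, since a missing entry in the VLAN table silently drops that VLAN once filtering is on.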