Bridge VLAN Filtering
TL;DR (Quick Start)
Create a VLAN-aware bridge with one trunk port (ether1) and two access ports (ether2=VLAN10, ether3=VLAN20):
```
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
/interface bridge set bridge1 vlan-filtering=yes
```
Always configure VLAN table entries BEFORE enabling vlan-filtering=yes. Enabling filtering without proper configuration will block all traffic and may lock you out. Note that the quick start above does not list bridge1 itself as a tagged member of any VLAN, so the router CPU is not reachable through ether2 or ether3 once filtering is on; if you manage the router through a bridge port, add a management VLAN (Scenario 1) before the final step.
Overview
Bridge VLAN Filtering provides IEEE 802.1Q-compliant VLAN-aware Layer 2 forwarding within RouterOS bridges. When enabled, the bridge operates like a managed Ethernet switch, enforcing VLAN membership at both ingress and egress.
What this does:
- Segments network traffic into isolated VLANs at Layer 2
- Controls which VLANs are allowed on each port (tagged or untagged)
- Provides trunk ports (carry multiple VLANs tagged) and access ports (single VLAN untagged)
- Enables inter-VLAN routing when combined with VLAN interfaces
When to use Bridge VLAN Filtering:
- Network segmentation requiring STP/RSTP/MSTP compliance
- Connecting wireless or tunnel interfaces to VLANs (switch chip method doesn’t support these)
- Security-conscious environments requiring strict VLAN isolation
- When you need the router to route between VLANs (inter-VLAN routing)
When NOT to use it:
- Simple switching without VLANs (use basic bridge)
- Maximum performance on non-CRS3xx devices (use switch chip VLAN configuration instead)
Prerequisites
- A MikroTik router running RouterOS 6.41 or later (7.x recommended)
- Multiple Ethernet interfaces available for bridging
- Understanding of VLAN concepts (tagged/trunk vs untagged/access ports)
- Access to the router via SSH, WinBox, or WebFig
Hardware Offload Support:
- Full support: CRS3xx, CRS5xx series, CCR2116, CCR2216
- Limited support (v7+): RTL8367, MT7621, MT7531, EN7523 chips
- No hardware offload: CRS1xx/2xx, non-CRS RouterBOARDs (CPU processed)
Configuration Steps
Step 1: Create the Bridge
Create a bridge with VLAN filtering initially disabled. This allows you to configure everything safely before enabling filtering.
```
/interface bridge add name=bridge1 protocol-mode=rstp vlan-filtering=no
```
- protocol-mode=rstp enables Rapid Spanning Tree Protocol for loop prevention
- vlan-filtering=no keeps filtering disabled during setup
Step 2: Add Ports to the Bridge
Add ports to the bridge with PVID (Port VLAN ID) settings for access ports:
```
/interface bridge port add bridge=bridge1 interface=ether1 comment="Trunk to switch"
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10 comment="VLAN10 access"
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20 comment="VLAN20 access"
```
- ether1: Trunk port (will carry tagged traffic for multiple VLANs)
- ether2: Access port for VLAN 10 (PVID tags untagged ingress with VLAN 10)
- ether3: Access port for VLAN 20 (PVID tags untagged ingress with VLAN 20)
Step 3: Configure the VLAN Table
Define which ports are tagged (trunk) and untagged (access) for each VLAN:
```
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
```
Critical: Separate VLAN Entries
Create separate entries for each VLAN. Do NOT combine VLANs like vlan-ids=10,20 with multiple untagged ports - this causes VLAN leakage where broadcast traffic from one VLAN reaches the other.
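The mistakes this page warns about (a combined vlan-ids entry with several untagged ports, a VLAN interface whose VLAN does not list the bridge as tagged, an access port whose PVID has no untagged entry) are all visible in the configuration text before vlan-filtering=yes is switched on. The following Python linter is an added example, not part of this page and not MikroTik code: it reads /interface bridge port, /interface bridge vlan and /interface vlan lines in either the one-line form used on this page or the multi-line /export form, and reports those three problems. The sample configuration inside it is constructed for the demonstration and deliberately contains each mistake once.

```python
"""Pre-flight linter for a RouterOS bridge VLAN configuration (added example)."""
import shlex
from typing import Dict, List, Set, Tuple


def parse_export(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (menu path, {attribute: value}) for every 'add' command in the text."""
    entries, path = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)            # keeps comment="VLAN10 access" as one token
        if tokens[0].startswith("/"):
            if "add" in tokens:               # one-line form: /interface bridge vlan add k=v ...
                idx = tokens.index("add")
                path, tokens = " ".join(tokens[:idx]), tokens[idx:]
            else:                             # /export form: the menu path on its own line
                path = " ".join(tokens)
                continue
        if tokens[0] != "add":                # set/print/etc. are not inspected
            continue
        attrs = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append((path, attrs))
    return entries


def expand_vlan_ids(spec: str) -> Set[int]:
    """'10,20,30-32' -> {10, 20, 30, 31, 32}; RouterOS accepts both lists and ranges."""
    ids: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def split_ports(spec: str) -> Set[str]:
    return {p for p in spec.split(",") if p} if spec else set()


def preflight_check(export_text: str) -> List[str]:
    """Return sorted findings; an empty list means the three checks passed."""
    entries = parse_export(export_text)
    findings: List[str] = []
    bridge_vlans = [a for p, a in entries if p == "/interface bridge vlan"]
    bridge_ports = [a for p, a in entries if p == "/interface bridge port"]
    vlan_ifaces = [a for p, a in entries if p == "/interface vlan"]

    # Membership index built from the VLAN table: (bridge, vid) -> tagged/untagged port sets.
    members: Dict[Tuple[str, int], Dict[str, Set[str]]] = {}
    for a in bridge_vlans:
        vids = expand_vlan_ids(a.get("vlan-ids", ""))
        tagged, untagged = split_ports(a.get("tagged", "")), split_ports(a.get("untagged", ""))
        # Check 1: several VLAN IDs sharing several untagged ports leaks broadcasts between them.
        if len(vids) > 1 and len(untagged) > 1:
            findings.append(f"LEAK: vlan-ids={a['vlan-ids']} shares untagged ports "
                            f"{sorted(untagged)}; split into one entry per VLAN")
        for vid in vids:
            m = members.setdefault((a.get("bridge", ""), vid), {"tagged": set(), "untagged": set()})
            m["tagged"] |= tagged
            m["untagged"] |= untagged

    # Check 2: a VLAN interface on the bridge only works if the bridge is a tagged member.
    for a in vlan_ifaces:
        br, vid = a.get("interface", ""), int(a.get("vlan-id", 0))
        m = members.get((br, vid))
        if m is None or br not in m["tagged"]:
            findings.append(f"LOCKOUT: {a.get('name')} (vlan-id={vid}) needs tagged={br} "
                            f"in the VLAN table entry for VLAN {vid}")

    # Check 3: an access port's PVID must appear as an untagged membership in the VLAN table.
    for a in bridge_ports:
        pvid = int(a.get("pvid", 1))
        if pvid == 1:
            continue                          # default PVID, nothing configured to verify
        m = members.get((a.get("bridge", ""), pvid))
        if m is None or a.get("interface") not in m["untagged"]:
            findings.append(f"ACCESS: {a.get('interface')} has pvid={pvid} "
                            f"but is not untagged in VLAN {pvid}")
    return sorted(findings)


# Constructed sample: VLAN 10 is correct; VLAN 20 lacks bridge1 as tagged; VLAN 99 has no
# table entry at all; the 30,40 entry leaks; ether5 has a PVID with no matching VLAN entry.
SAMPLE_EXPORT = """\
/interface bridge add name=bridge1 protocol-mode=rstp vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether1 comment="Trunk to switch"
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10 comment="VLAN10 access"
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20 comment="VLAN20 access"
/interface bridge port add bridge=bridge1 interface=ether4 pvid=30
/interface bridge port add bridge=bridge1 interface=ether5 pvid=50
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether4,ether5 vlan-ids=30,40
/interface vlan add interface=bridge1 name=vlan10 vlan-id=10
/interface vlan add interface=bridge1 name=vlan20 vlan-id=20
/interface vlan add interface=bridge1 name=vlan-mgmt vlan-id=99
"""

if __name__ == "__main__":
    for finding in preflight_check(SAMPLE_EXPORT) or ["OK: safe to enable vlan-filtering"]:
        print(finding)
```

Run it against the output of /export before Step 4; anything it prints should be fixed first, because once vlan-filtering=yes is set the same mistakes show up as the lock-out and leakage problems in the Troubleshooting section.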
Step 4: Enable VLAN Filtering
Use Safe Mode before this step (Ctrl+X in terminal). If you lose access, safe mode will revert the changes after timeout.
```
/interface bridge set bridge1 vlan-filtering=yes
```
Common Scenarios
Scenario 1: Add Management VLAN
To maintain router access after enabling VLAN filtering, configure a management VLAN. The bridge interface must be added to the tagged list.
```
# Add bridge to tagged ports for management VLAN
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
# Create VLAN interface on bridge
/interface vlan add interface=bridge1 name=vlan-mgmt vlan-id=99
# Assign IP to VLAN interface
/ip address add address=192.168.99.1/24 interface=vlan-mgmt
```
The key point: tagged=bridge1 allows the router CPU to participate in VLAN 99.
Scenario 2: Inter-VLAN Routing
Enable routing between VLANs by creating VLAN interfaces and assigning IP addresses:
```
# Ensure bridge is tagged for all VLANs needing L3 connectivity
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether1 untagged=ether3 vlan-ids=20
# Create VLAN interfaces
/interface vlan add interface=bridge1 name=vlan10 vlan-id=10
/interface vlan add interface=bridge1 name=vlan20 vlan-id=20
# Assign gateway IPs
/ip address add address=192.168.10.1/24 interface=vlan10
/ip address add address=192.168.20.1/24 interface=vlan20
# Enable VLAN filtering
/interface bridge set bridge1 vlan-filtering=yes
```
Clients on VLAN 10 use 192.168.10.1 as their gateway; VLAN 20 clients use 192.168.20.1.
Scenario 3: Strict Trunk and Access Ports
For enhanced security, configure strict port types:
Trunk port (tagged only):
```
/interface bridge port set [find interface=ether1] \
    frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes
```
Access port (untagged only):
```
/interface bridge port set [find interface=ether2] \
    pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes
```
Scenario 4: DHCP with VLAN Filtering
If DHCP stops working after enabling VLAN filtering (common with hardware offloading), enable DHCP snooping:
```
/interface bridge set bridge1 dhcp-snooping=yes
/interface bridge port set [find interface=ether1] trusted=yes
```
Set trusted=yes on the port where your DHCP server connects.
Verification
Check 1: Verify VLAN Filtering is Enabled
```
/interface bridge print where vlan-filtering=yes
```
Expected Output:
```
 #  NAME     VLAN-FILTERING
 0  bridge1  yes
```
Check 2: Check Hardware Offload Status
```
/interface bridge port print
```
Expected Output:
```
Flags: H - hw-offload
 #    INTERFACE  BRIDGE   HW   PVID
 0 H  ether1     bridge1  yes  1
 1 H  ether2     bridge1  yes  10
 2 H  ether3     bridge1  yes  20
```
The “H” flag indicates hardware offloading is active. If missing, traffic is CPU-processed.
Check 3: Verify VLAN Table Configuration
```
/interface bridge vlan print
```
Expected Output:
```
 #  BRIDGE   VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
 0  bridge1  10        ether1          ether2
 1  bridge1  20        ether1          ether3
```
Check 4: Test Connectivity
From a device on VLAN 10 (connected to ether2):
```
/ping 192.168.10.1 count=3
```
Expected: Successful replies from the gateway.
Troubleshooting
Problem: Lost management access after enabling VLAN filtering
Cause: Bridge interface not added to tagged ports for management VLAN.
Solution:
- Connect via MAC-Telnet or serial console
- Add bridge to tagged list:
```
/interface bridge vlan set [find vlan-ids=99] tagged=bridge1,ether1
```
- Or disable filtering temporarily:
```
/interface bridge set bridge1 vlan-filtering=no
```
Problem: Traffic stops when VLAN filtering is enabled
Cause: Bridge interface missing from tagged ports list for VLANs needing L3 connectivity.
Solution: Include bridge1 in the tagged list for every VLAN where the router participates:
```
/interface bridge vlan set [find vlan-ids=10] tagged=bridge1,ether1
```
Problem: VLAN leakage - broadcast traffic appears on wrong ports
Cause: Using combined VLAN IDs with multiple untagged ports in a single entry.
Solution: Create separate VLAN table entries:
```
# Wrong:
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=10,20
# Correct:
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=20
```
Problem: Hardware offload lost (“H” flag missing)
Cause: Device doesn’t support VLAN filtering with hardware offload.
Solution: Only CRS3xx/5xx, CCR2116/2216, and specific switch chips support this. For other devices, use switch chip VLAN configuration or accept CPU processing.
Problem: DHCP not working across VLANs
Cause: Hardware offload bypasses CPU for DHCP offer frames.
Solution: Enable DHCP snooping:
```
/interface bridge set bridge1 dhcp-snooping=yes
/interface bridge port set [find interface=<dhcp-server-port>] trusted=yes
```
Problem: PVID setting has no effect
Cause: Port configured with frame-types=admit-only-vlan-tagged ignores PVID.
Solution: Use frame-types=admit-all or admit-only-untagged-and-priority-tagged for PVID to apply.
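Why the PVID is ignored on an admit-only-vlan-tagged port, and how the frame-types and ingress-filtering settings from Scenario 3 interact with the VLAN table, is easiest to see in a small model of the 802.1Q ingress and egress rules. The following Python is an added example, not part of this page and not RouterOS code; its port table and VLAN table are constructed from this page's Step 3 and Scenario 3 configuration (ether1 and ether2 hardened, ether3 left at defaults), and priority-tagged frames (a tag with VID 0) are treated as untagged for classification, as 802.1Q specifies.

```python
"""Model of 802.1Q ingress and egress on a VLAN-aware bridge port (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ADMIT_ALL = "admit-all"
ADMIT_TAGGED = "admit-only-vlan-tagged"
ADMIT_UNTAGGED = "admit-only-untagged-and-priority-tagged"


@dataclass
class Port:
    name: str
    pvid: int = 1
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = False


@dataclass
class Frame:
    # None = no 802.1Q tag; 0 = priority-tagged (tag present, VID 0); otherwise the VID
    vid: Optional[int]


# VLAN table constructed from Step 3: per VLAN, the tagged and untagged member ports.
TABLE: Dict[int, Dict[str, Set[str]]] = {
    10: {"tagged": {"ether1"}, "untagged": {"ether2"}},
    20: {"tagged": {"ether1"}, "untagged": {"ether3"}},
}

# Port table: ether1 and ether2 as configured in Scenario 3, ether3 as in Step 2.
PORTS: Dict[str, Port] = {
    "ether1": Port("ether1", frame_types=ADMIT_TAGGED, ingress_filtering=True),
    "ether2": Port("ether2", pvid=10, frame_types=ADMIT_UNTAGGED, ingress_filtering=True),
    "ether3": Port("ether3", pvid=20),
}


def members(vid: int) -> Set[str]:
    """All ports (tagged or untagged) that belong to a VLAN."""
    entry = TABLE.get(vid, {})
    return entry.get("tagged", set()) | entry.get("untagged", set())


def ingress(port: Port, frame: Frame) -> Tuple[bool, Optional[int], str]:
    """Admit and classify a frame arriving on `port`; returns (accepted, vid, reason)."""
    untagged = frame.vid is None or frame.vid == 0      # priority-tagged counts as untagged
    if untagged and port.frame_types == ADMIT_TAGGED:
        return False, None, "dropped by frame-types: tagged frames only, so PVID never applies"
    if not untagged and port.frame_types == ADMIT_UNTAGGED:
        return False, None, "dropped by frame-types: untagged/priority-tagged only"
    vid = port.pvid if untagged else frame.vid          # the PVID classifies untagged frames
    if port.ingress_filtering and port.name not in members(vid):
        return False, None, f"dropped by ingress-filtering: {port.name} is not a member of VLAN {vid}"
    return True, vid, f"accepted into VLAN {vid}"


def egress(vid: int, in_port: str) -> Dict[str, str]:
    """Where a flooded frame in VLAN `vid` leaves (excluding its ingress port) and how."""
    entry = TABLE.get(vid, {"tagged": set(), "untagged": set()})
    out = {p: "tagged" for p in entry["tagged"] if p != in_port}
    out.update({p: "untagged" for p in entry["untagged"] if p != in_port})
    return out


def trace(port_name: str, frame: Frame) -> Tuple[str, Dict[str, str]]:
    """Full path of one frame: the ingress decision, then the egress map if it was accepted."""
    accepted, vid, reason = ingress(PORTS[port_name], frame)
    return reason, (egress(vid, port_name) if accepted else {})


if __name__ == "__main__":
    for name, frame in [("ether1", Frame(None)), ("ether1", Frame(10)), ("ether1", Frame(30)),
                        ("ether2", Frame(None)), ("ether2", Frame(0)), ("ether2", Frame(20)),
                        ("ether3", Frame(10))]:
        print(f"{name} <- {frame}: {trace(name, frame)}")
```

The ether3 case is the one worth noticing: with frame-types=admit-all and ingress-filtering=no, a tagged VLAN 10 frame arriving on the VLAN 20 access port is still admitted into VLAN 10, which is why Scenario 3 sets both frame-types and ingress-filtering on every port rather than relying on the PVID alone.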
Problem: RSTP interoperability issues with other switches
Cause: Bridge protocol-mode=none forwards BPDUs instead of processing them.
Solution: Use protocol-mode=rstp with VLAN filtering enabled:
```
/interface bridge set bridge1 protocol-mode=rstp vlan-filtering=yes
```
Related Topics
Prerequisites
- Bridge Configuration - basic bridge setup
- VLAN Configuration - VLAN interface fundamentals
Next Steps
- IP Address Configuration - assign IPs to VLAN interfaces
- DHCP Server - per-VLAN DHCP distribution
- DHCP Relay - centralized DHCP for multiple VLANs
- Firewall Basics - inter-VLAN access control
Wireless VLANs
- CAPsMAN - multi-SSID with VLAN tagging
- WiFi Basic Setup - VLAN-tagged wireless
Related Topics
- Bonding/LACP - VLANs on bonded interfaces
- Switch Ports - hardware switch VLAN configuration