Bridge VLAN Filtering: Preserving Management Access
Bridge VLAN Filtering: Preserving Management Access
Section titled “Bridge VLAN Filtering: Preserving Management Access”Overview
Section titled “Overview”Enabling vlan-filtering=yes on a RouterOS bridge immediately enforces VLAN membership rules on all bridge ports. If the management path is not registered in the bridge VLAN table before filtering is enabled, the router drops management traffic and you lose WinBox, SSH, and WebFig access.
This happens because the router CPU is reached through the bridge interface itself — a logical “CPU port” inside the bridge. For management traffic to reach the CPU over a specific VLAN, the bridge interface must be explicitly listed as a tagged member in that VLAN’s /interface bridge vlan entry. Without this entry, the CPU port has no membership in the management VLAN and all management packets are silently discarded.
The fix is a deliberate sequence: build the complete bridge VLAN table and management VLAN interface before enabling vlan-filtering=yes.
Prerequisites
Section titled “Prerequisites”- RouterOS 7.x (bridge VLAN filtering is the recommended path for RouterOS 7)
- A bridge already created or being created from scratch
- Physical console access (serial or local keyboard) during initial configuration, or an out-of-band path such as a second management interface not part of the bridge
Configuration
Section titled “Configuration”Determine your management VLAN
Section titled “Determine your management VLAN”Assign a dedicated VLAN ID for management traffic. This example uses VLAN 99 on the 192.168.99.0/24 network. The management workstation connects via a trunk port (ether1) or an access port (ether2).
Step 1: Create the bridge with filtering disabled
Section titled “Step 1: Create the bridge with filtering disabled”Create the bridge with vlan-filtering=no (the default). This allows you to configure ports and VLAN entries without disrupting access.
/interface bridgeadd name=br1 vlan-filtering=noStep 2: Add ports to the bridge
Section titled “Step 2: Add ports to the bridge”Add all ports that will participate in VLAN switching. Designate one or more trunk ports for tagged frames and access ports for untagged devices.
/interface bridge port# Trunk port — carries tagged frames for multiple VLANsadd bridge=br1 interface=ether1 \ frame-types=admit-only-vlan-tagged \ ingress-filtering=yes
# Access port for management workstation — VLAN 99 untaggedadd bridge=br1 interface=ether2 \ pvid=99 \ frame-types=admit-only-untagged-and-priority-tagged \ ingress-filtering=yesStep 3: Populate the bridge VLAN table, including the bridge as tagged
Section titled “Step 3: Populate the bridge VLAN table, including the bridge as tagged”Add VLAN table entries for every VLAN that must pass through the bridge. For the management VLAN, the bridge interface (br1) must appear in the tagged list. This registers the CPU port as a member of that VLAN and allows management traffic to reach the router.
/interface bridge vlan
# Management VLAN 99# - ether1 carries it tagged (trunk)# - ether2 carries it untagged (access)# - br1 is tagged so the CPU can send/receive management trafficadd bridge=br1 vlan-ids=99 tagged=br1,ether1 untagged=ether2
# Data VLAN 10 — no CPU membership needed (no management on this VLAN)add bridge=br1 vlan-ids=10 tagged=br1,ether1 untagged=ether3Step 4: Create the management VLAN interface and assign an IP
Section titled “Step 4: Create the management VLAN interface and assign an IP”Create a VLAN sub-interface on top of the bridge (not on a physical port) for L3 termination of the management VLAN:
/interface vlanadd name=mgmt interface=br1 vlan-id=99
/ip addressadd address=192.168.99.1/24 interface=mgmtStep 5: Enable VLAN filtering
Section titled “Step 5: Enable VLAN filtering”Once the VLAN table is complete and the management interface has an IP, enable filtering:
/interface bridge set br1 vlan-filtering=yesManagement access via the mgmt VLAN interface at 192.168.99.1 should remain uninterrupted.
Complete example
Section titled “Complete example”# 1. Create bridge (filtering disabled)/interface bridgeadd name=br1 vlan-filtering=no
# 2. Bridge ports/interface bridge portadd bridge=br1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yesadd bridge=br1 interface=ether2 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yesadd bridge=br1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# 3. VLAN table — br1 tagged in management VLAN 99/interface bridge vlanadd bridge=br1 vlan-ids=99 tagged=br1,ether1 untagged=ether2add bridge=br1 vlan-ids=10 tagged=br1,ether1 untagged=ether3
# 4. Management VLAN interface and IP/interface vlanadd name=mgmt interface=br1 vlan-id=99
/ip addressadd address=192.168.99.1/24 interface=mgmt
# 5. Enable filtering — management access preserved/interface bridge set br1 vlan-filtering=yesVerification
Section titled “Verification”After enabling filtering, confirm that management access and VLAN membership are correct:
# Confirm br1 is in the tagged list for VLAN 99/interface bridge vlan print detail
# Check the management VLAN interface exists and has an IP/interface vlan print/ip address print
# Verify the bridge port PVID and frame-types settings/interface bridge port print detail
# Confirm you can reach the router at the management IP/ping 192.168.99.1The VLAN print output should show br1 under TAGGED for VLAN 99. If br1 is absent, the CPU port is not a member and management access on that VLAN will not work.
Troubleshooting
Section titled “Troubleshooting”Management access lost after enabling vlan-filtering
Section titled “Management access lost after enabling vlan-filtering”Symptom: WinBox, SSH, or WebFig no longer respond after running /interface bridge set br1 vlan-filtering=yes.
Cause: The bridge interface (br1) was not listed in tagged= for the management VLAN, so the CPU port has no membership and management traffic is dropped.
Fix using console or serial access:
# Disable filtering to restore access immediately/interface bridge set br1 vlan-filtering=no
# Add br1 to the tagged list for the management VLAN/interface bridge vlan set [find vlan-ids=99] tagged=br1,ether1
# Verify br1 now appears in tagged/interface bridge vlan print detail
# Re-enable filtering/interface bridge set br1 vlan-filtering=yesFix from Netinstall or reset: If console access is unavailable, use Netinstall to recover the device, or hold the reset button to return to defaults, then reconfigure from scratch following the safe sequence above.
Management works before vlan-filtering but not after
Section titled “Management works before vlan-filtering but not after”The IP address is on the bridge (br1) rather than on a VLAN sub-interface. When filtering is enabled, the bridge interface no longer forwards untagged frames to the CPU unless you configure the management access port as a tagged port for the bridge interface itself.
Fix: Move the management IP from the bridge to a VLAN sub-interface:
# Remove IP from bridge/ip address remove [find interface=br1]
# Create VLAN interface if it does not exist/interface vlan add name=mgmt interface=br1 vlan-id=99
# Add IP to VLAN interface/ip address add address=192.168.99.1/24 interface=mgmtEnsure the management port’s PVID matches the management VLAN ID (99 in this example).
Traffic passes between access ports but management is still unreachable
Section titled “Traffic passes between access ports but management is still unreachable”The PVID on the management port does not match the management VLAN ID, or ingress-filtering=yes is dropping frames before they reach the VLAN table.
Check the port’s PVID:
/interface bridge port print detail where interface=ether2The pvid field must match the management VLAN ID. If it does not:
/interface bridge port set [find interface=ether2] pvid=99After using safe-mode, config reverted but management is gone
Section titled “After using safe-mode, config reverted but management is gone”If you enabled vlan-filtering=yes inside a safe-mode session and the session timed out before you confirmed, RouterOS reverted the change. Verify the current state:
/interface bridge print detail where name=br1The vlan-filtering field should show no after a safe-mode rollback. Re-enable following the safe sequence above.
See Also
Section titled “See Also”- Bridge VLAN Filtering — VLAN table, port types, hardware offloading
- RouterOS VLAN: 802.1Q Trunk and Access Port Configuration — full trunk/access setup
- Inter-VLAN Routing — L3 routing between VLANs
- CRS3xx, CRS5xx, CCR2116, CCR2216 Switch Chip Features — hardware offloading for VLAN-aware bridging