I currently have the following working topology:

- ONT with 10gbps output (unfortunatly no bridge mode)
-> CCR2004 (SFP28-1: WAN), SFP-plus1 to 12 are added to a LAN bridge
-> CSS610 (connected via trunk to CCR2004) in homeoffice room

Internet traffic flows like this:
ONT -> CCR2004 (untagged) -> trunk -> CSS610


Except the WAN interface, everything is put into VLANs.
I would like to move the "loud" CCR2004 to the homeoffice and put the switch at the other place.

Internet traffic would flow like this:
ONT -> CSS610 (untagged) -> trunk -> CCR2004 -> out of ports of back via other VLANs to the CSS610

Requirements:
-> CSS610 WAN port shall receive untagged traffic from ONT, add a VLAN tag (10)
-> CSS610 trunk port shall forward the following tagged VLANs to the CCR2004 router (10, 50, 90, 100, 200)
-> some CSS610 ports are used to connect devices that won't send vlan tagged traffic (untagged ports, assigned to VLANs 50 or others listed above)

The above is easy to configure, the question comes with how to best setup the CCR2004:

- add all ports to a single bridge? and then assign the VLANs?
or
- use the SFP28 as trunk and add a VLAN there for the WAN traffic, that comes in as VLAN50 traffic (get a DHCP IP from the ONT - tested and that works as well)
- keep the other ports in the "LAN" bridge

The second option does seem to come with some downsides, as through the port on the CCR2004 that is used for the WAN traffic, some of the internal VLANs should flow as well back to the CSS610. Where do I add the VLANs there in the CCR2004 config?

Single bridge with vlan-filtering enabled.

Performance wise all options are similar, CPU will have to deal with VLAN tags in any case.

But: configuration of single bridge is more compact, more elegant and (to me) easier to read ... all of it means lesser probability to make an error in config.

Best to listen to mkx the first time, will save you lots of grief LOL.

Single bridge with vlan-filtering enabled.

Performance wise all options are similar, CPU will have to deal with VLAN tags in any case.

But: configuration of single bridge is more compact, more elegant and (to me) easier to read ... all of it means lesser probability to make an error in config.

Thanks. Works flawless now!

Next step, doing advanced CapsMAN config similar to the VLAN example here: https://help.mikrotik.com/docs/display/ ... ionexample:

Difference: management interface is on a vlan as well.