RouterOS VLAN trunk + access. The eternal problem?

1. The cheapest managed switch with the letter "D". (Looking ahead: I changed it to an HP, but that didn't help.)

2. Mikrotik 951Ui-2HnD, RouterOS 6.46.1, reset to defaults. In 3 minutes the VLANs were configured; the scheme is in the picture. The Internet comes in on ether1 via DHCP. VLAN10 and VLAN20 go on to computers via access ports on the switch, MGMT99 is management (also on access). These VLANs were put on the default bridge, and DHCP was hung on them. Firewall - default and other rules. Clients get the right IPs, the network works, the Internet is there, everything is gorgeous, packets flow.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 hw=yes
add bridge=bridge comment=defconf interface=ether2 hw=yes
add bridge=bridge comment=defconf interface=ether3 hw=yes
add bridge=bridge comment=defconf interface=ether4 hw=yes
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=mgmt99 vlan-id=99

What I want: the switches have run out of ports, so I need to use a pair of ports on the router, i.e. make 3 and 4 access ports in VLAN20. Once I configure it per the official manual, the network goes down: nothing goes out anywhere, nothing pings from the router, and the client doesn't see the router:
/interface ethernet switch vlan
add ports=ether2 switch=switch1 vlan-id=10
add ports=ether2 switch=switch1 vlan-id=99 
add ports=ether2,ether3,ether4 switch=switch1 vlan-id=20

/interface ethernet switch port
set ether2 vlan-header=add-if-missing vlan-mode=secure
set ether3 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
set ether4 default-vlan-id=20 vlan-header=always-strip vlan-mode=secure
April 3rd 20 at 18:38
1 answer
April 3rd 20 at 18:40
Simple. You need to make the VLANs bridge ports on the Mikrotik. And everything will fly.
@paxlo, they must not be in the default bridge, but only in the one you need. The easiest way to get an access port is to create a bridge containing the VLAN you need and the right port. That's all. - modesto_Feest commented on April 3rd 20 at 18:43
@modesto_Feest, okay, thank you. I don't quite understand the logic; configuring VLANs on Mikrotik is some kind of hell compared to other brands.

1. So each time I create an access/trunk port on the Mikrotik itself, I have to create one more extra entity in the form of a bridge (which in theory will put more load on the CPU). Right?

2. Where do I configure the default behavior of a bridge when working with the VLANs hung on it? I.e. where is it determined that the ports in a single bridge are all in the same trunk VLANs?

3. Why is bridge VLAN filtering needed? - connor51 commented on April 3rd 20 at 18:46
1. There won't be any load on the CPU from the bridges. It's just the simplest way to get an access port on a Mikrotik. Since you have only 4 ports, at best 5, nothing bad will come from a couple of "extra" bridges.

2. That is better asked of the RouterOS developers. I have not yet found a sane manual in Russian describing all these features.

3. Filtering is most likely there to cut off the VLANs that arrive on the physical eth1, so that they don't reach, tagged, the other devices that are part of this bridge. But this is not certain. - modesto_Feest commented on April 3rd 20 at 18:49
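
An added example, not part of the thread and not RouterOS code: a small Python model of strict 802.1Q port membership, applied to the switch-chip VLAN table from the question, to show what a VLAN filter decides for each frame and to audit which VLANs have a path to the router. The strict-membership rule, the treatment of a port with no default VLAN, and modelling the router's CPU as a port named switch1-cpu are assumptions of this model.

```python
# Added example: strict 802.1Q membership model (a simplification, not RouterOS code).
CPU = "switch1-cpu"  # assumed name for the router's own port on the switch chip

# VLAN table copied from the question's "/interface ethernet switch vlan" lines.
QUESTION_TABLE = {
    10: {"ether2"},
    99: {"ether2"},
    20: {"ether2", "ether3", "ether4"},
}
# default-vlan-id per port as in the question; None = not set there (trunk port).
DEFAULT_VLAN = {"ether2": None, "ether3": 20, "ether4": 20}


def classify(port, tag, default_vlan=DEFAULT_VLAN):
    """VLAN a frame belongs to on ingress: its tag, else the port's default VLAN."""
    return tag if tag is not None else default_vlan.get(port)


def egress_ports(table, port, tag=None):
    """Ports a frame may leave through under strict membership checks."""
    vlan = classify(port, tag)
    members = table.get(vlan, set())
    if vlan is None or port not in members:  # unknown VLAN or ingress not a member
        return set()
    return members - {port}


def audit(table):
    """Per VLAN: is the router's CPU port a member, and which ports share the VLAN."""
    return {vid: {"reaches_router": CPU in ports, "ports": sorted(ports - {CPU})}
            for vid, ports in table.items()}


def with_cpu(table, vlans):
    """Copy of the table with the CPU port added to the listed VLANs."""
    return {vid: ports | ({CPU} if vid in vlans else set())
            for vid, ports in table.items()}


if __name__ == "__main__":
    for vid, row in sorted(audit(QUESTION_TABLE).items()):
        print("as posted:", vid, row)
    fixed = with_cpu(QUESTION_TABLE, {10, 20, 99})
    print("ether3 untagged ->", sorted(egress_ports(fixed, "ether3")))
    print("ether3 tagged 10 ->", sorted(egress_ports(fixed, "ether3", 10)))
```

In this model the table as posted gives no VLAN a path to the router, and a frame tagged for VLAN 10 arriving on an access port of VLAN 20 is dropped in both versions of the table.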

