Modernize Your MikroTik VLAN Bridging Configuration with Interface Lists
RouterOS 7.17 added a very useful manageability feature: interface lists can now be used in bridge port and bridge VLAN definitions. Between this and the automatic VLAN entries that RouterOS creates from PVIDs, you can greatly simplify configurations from the pre-7.17 world.
About Interface Lists
Interface lists are exactly what they sound like – a list of interfaces. However, in addition to manually adding interfaces to lists, you can also define list members based on other lists. For example, you can make a list that contains all of the members of multiple lists, or a list that contains the members of another list minus the members of a third list.
For example, let’s say you want most of your ports to be untagged (access) ports for VLAN 10 (we’ll call this “LAN”), but you want a few ports to be untagged on VLAN 20 (call it “DMZ”), and the rest to be tagged on both 10 and 20. You would start by creating an interface list (let’s call it allswitchports) and manually adding all of the ports you want to bridge. Then create dmzports and manually add the ports that should be untagged on VLAN 20, and create trunkports and manually add the ports that should be tagged on both VLANs. Finally, create lanports with no manually added members at all: it includes allswitchports and excludes both dmzports and trunkports, so any port you have not explicitly placed elsewhere lands in LAN.
You may have noticed that RouterOS also gives you some built-in interface lists – such as the static list, which contains every statically configured interface. This can be used in lieu of manually adding all of the bridge ports, but you need to be careful that it doesn’t contain any unwanted ports. For example, if your switch has a dedicated management port, static will contain that too, and you don’t want it to be part of your bridge. You can, however, make another list which includes static and excludes yet another list where you manually add the unwanted ports. Check what static actually contains on your device before relying on it.
Now you can add the interface lists as bridge ports. DO NOT remove any individual ports yet – you don’t want to lock yourself out. Add lanports first, with PVID 10, frame types “admit only untagged and priority tagged”, and ingress filtering enabled. Do the same for dmzports with PVID 20. For trunkports, use “admit only VLAN tagged” as the frame types and enable ingress filtering there as well; the PVID does not matter on a trunk, because untagged frames are dropped before the PVID would ever be applied. (VLAN filtering itself is a setting on the bridge, not on the port, and must be enabled on the bridge for any of this to take effect – it already will be if you are migrating an existing VLAN configuration.)
Over on the VLANs tab, you should see that both VLANs 10 and 20 have already been “added by pvid”, as indicated by a comment on each entry. These entries are automatic – you cannot edit them – and the untagged ports are filled in automatically (though a port may not show up until it is actually active). You only need to create entries for tagged ports, so go ahead and add a VLAN item with VLAN IDs 10 and 20 and trunkports as tagged.
Finally – and this would be a good opportunity to enable safe mode in Winbox (Ctrl-X at the terminal) if you haven’t already – remove the leftover per-port “Ports” and “VLANs” entries that the list-based entries now replace. Also, don’t forget to double check the VLAN configuration of the “bridge” interface itself: it is a VLAN member like any other port, and it needs to be tagged (or untagged via its own PVID) on your management VLAN, or you will lose access to the device the moment the old entries go away.
The end result should look something like this. Note that I am using VLANs 1 and 99 here, rather than 10 and 20, and I have trunkports on the entire 1-400 VLAN range so that they can pass traffic on VLANs other than 1 and 99.
Here are the relevant configuration excerpts:
# Create interface lists
/interface list
add name=trunkports
add name=mgmtports
add name=gigports
add exclude=mgmtports,trunkports include=gigports name=lanports
# Add members to interface lists
# Note that you can also use a loop to do this instead of adding everything manually
/interface list member
add interface=ether1 list=gigports
add interface=ether2 list=gigports
add interface=ether3 list=gigports
add interface=ether4 list=gigports
add interface=ether5 list=gigports
add interface=ether6 list=gigports
add interface=ether7 list=gigports
add interface=ether8 list=gigports
add interface=ether9 list=gigports
add interface=ether10 list=gigports
add interface=ether11 list=gigports
add interface=ether12 list=gigports
add interface=ether13 list=gigports
add interface=ether14 list=gigports
add interface=ether15 list=gigports
add interface=ether16 list=gigports
add interface=ether17 list=gigports
add interface=ether18 list=gigports
add interface=ether19 list=gigports
add interface=ether20 list=gigports
add interface=ether21 list=gigports
add interface=ether22 list=gigports
add interface=ether23 list=gigports
add interface=ether24 list=gigports
# Pick specific ports out of this list - everything else defaults to the lanports list
add interface=ether1 list=trunkports
add interface=ether2 list=trunkports
add interface=ether3 list=mgmtports
add interface=ether4 list=mgmtports
add interface=ether5 list=mgmtports
add interface=ether6 list=mgmtports
add interface=ether7 list=mgmtports
add interface=ether8 list=mgmtports
# Configure PVIDs
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=mgmtports pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=trunkports
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=lanports pvid=1
# Configure tagged ports
/interface bridge vlan
add bridge=bridge tagged=trunkports vlan-ids=1-400
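The excerpt above stops at the bridge port and VLAN entries. What follows is an added example, not part of the original post, that fills in the pieces a working switch still needs under this design: the loop mentioned in the comment above in place of the 24 individual member entries, the per-port and bridge-level settings that an export omits when they sit at their defaults, and the VLAN configuration of the bridge interface itself. It assumes the interface lists and bridge port entries from the excerpt already exist, that VLAN 99 is the management VLAN, and that the device is managed over a VLAN interface on the bridge; the name vlan99-mgmt and the address 10.99.0.2/24 are placeholders of my own, not from the post.

```routeros
# Added example (not from the original post). Assumes the interface lists and
# bridge port entries from the excerpt already exist, VLAN 99 is the
# management VLAN, and vlan99-mgmt / 10.99.0.2/24 are placeholders.

# --- 1. Populate gigports with a loop instead of 24 separate "add" lines ---
:for i from=1 to=24 do={
    /interface list member add interface=("ether" . $i) list=gigports
}

# --- 2. Be explicit about the per-port setting the export left out ---
# ingress-filtering=yes is the RouterOS 7 default, which is why the excerpt
# does not show it; setting it explicitly makes a later change to "no" stand
# out in a diff of exports. No pvid on trunkports: admit-only-vlan-tagged
# drops untagged frames before a PVID would be applied.
/interface bridge port
set [find interface=lanports]   ingress-filtering=yes
set [find interface=mgmtports]  ingress-filtering=yes
set [find interface=trunkports] ingress-filtering=yes

# --- 3. The bridge interface itself ---
# The bridge is a VLAN member like any port. Tag it only on the management
# VLAN so the CPU is not a layer-2 member of every VLAN the trunks carry.
# If the excerpt's single "vlan-ids=1-400" entry is already present, edit it
# to 1-98,100-400 before adding the entry for 99; overlapping entries are
# not what you want here.
/interface bridge vlan
add bridge=bridge tagged=trunkports vlan-ids=1-98,100-400
add bridge=bridge tagged=bridge,trunkports vlan-ids=99

# Management reaches the CPU through a VLAN interface on the bridge.
/interface vlan
add name=vlan99-mgmt interface=bridge vlan-id=99
/ip address
add address=10.99.0.2/24 interface=vlan99-mgmt

# Optional hardening, only after management over vlan99-mgmt is confirmed:
# accept only tagged frames on the bridge interface, so the management
# plane is reachable solely through VLAN interfaces, never untagged via
# the bridge's own PVID.
/interface bridge
set bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes

# --- 4. Turn VLAN filtering on last (a no-op when migrating an existing
#        VLAN-filtered bridge), then inspect the result ---
/interface bridge
set bridge vlan-filtering=yes
/interface bridge port print
/interface bridge vlan print
```

Do all of this inside safe mode (Ctrl-X at the terminal, the Safe Mode button in Winbox) so that a mistake in the VLAN table rolls back when the session drops. The alternative design, putting the IP address directly on the bridge and setting the bridge's pvid to 99, also works; the point either way is that the bridge interface must appear in the management VLAN in the VLANs table before the old per-port entries are removed.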
Notice how reconfiguring a port to be on a different VLAN, or switching a port between untagged and trunk, requires only adding or removing it from interface lists.
There are other options as well – for example, you don’t need to have a “default” list like I’ve done with gigports in my example. If you want a more secure default, where a port carries nothing until you deliberately assign it, build each list up from zero rather than subtracting from a larger list.
