I’m still unable to have any IP traffic pass due to the VLAN 0 tagging. Nothing has changed for me, must be a configuration that is regional or something.
That said, since I was able to get it working in two phases, this time I automated it. The idea is to have a script monitor things and automatically take the interface in and out of the bridge based on the 802.1x status.
On my CCR1009-7G-1C-1S+ (passively cooled, 1200MHz), I barely break 6% overall CPU with quite a few rules (optimized though), fast path, etc. at 1Gbps.
The entire setup is as follows:
Replace the following with your values:
- bridge-ont - the bridge that strips VLAN 0 tags, has one interface on it that connects to the ONT
- ether3-ont - the interface connected directly to the ONT
- 00:00:00:00:00:00 - the MAC address that matches the 802.1x cert bundle that you’ve uploaded
- name_of_cert - upload your cert bundle and select this in the dot1x settings
Set up the interfaces, bridge and dot1x:
/interface ethernet set [find name=ether3-ont] mac-address=00:00:00:00:00:00
/interface bridge add admin-mac=00:00:00:00:00:00 auto-mac=no name=bridge-ont protocol-mode=none vlan-filtering=yes
/interface bridge port add bridge=bridge-ont interface=ether3-ont
/interface dot1x client add anon-identity=00:00:00:00:00:00 certificate=name_of_cert eap-methods=eap-tls identity=00:00:00:00:00:00 interface=ether3-ont
/certificate settings set crl-use=no
This is the script that I run every 5 seconds, which is probably overkill, but it doesn’t write any config changes or log anything unless something changes, so it should be fine in terms of NAND wear, etc. I’ll probably tune it down to every minute later.
:local interfaceOnt "ether3-ont"
:local bridgeOnt "bridge-ont"
:local scriptName "CheckDot1x"

# current supplicant state, and whether the ONT port is currently pulled out of the bridge
:local dot1xStatus [/interface dot1x client get [find interface=$interfaceOnt] status]
:local portDisabled [/interface bridge port get [find bridge=$bridgeOnt interface=$interfaceOnt] disabled]

#:log info "$scriptName: Checking, dot1xStatus=$dot1xStatus, portDisabled=$portDisabled"

:if ($dot1xStatus = "authenticated") do={
    # authenticated: put the port back into the bridge, but only write config if it is not already there
    :if ($portDisabled) do={
        :log warn "$scriptName: authenticated, enabling bridge"
        /interface bridge port enable [find bridge=$bridgeOnt interface=$interfaceOnt]
    }
} else={
    # anything other than authenticated: take the port out of the bridge until the client authenticates again
    :if (!$portDisabled) do={
        :log warn "$scriptName: not authenticated ($dot1xStatus), disabling bridge"
        /interface bridge port disable [find bridge=$bridgeOnt interface=$interfaceOnt]
    }
}
For easy adding:
/system script add dont-require-permissions=no name=CheckDot1x owner=admin policy=read,write,policy,test source=":local interfaceOnt \
\"ether3-ont\"\
\n:local bridgeOnt \"bridge-ont\"\
\n\
\n:local scriptName \"CheckDot1x\"\
\n:local dot1xStatus [/interface dot1x client get [find interface=\$interfaceOnt] status]\
\n:local portDisabled [/interface bridge port get [find bridge=\$bridgeOnt interface=\$interfaceOnt] disabled]\
\n\
\n#:log info \"\$scriptName: Checking, dot1xStatus=\$dot1xStatus, portDisabled=\$portDisabled\"\
\n\
\n:if (\$dot1xStatus = \"authenticated\") do={\
\n :if (\$portDisabled) do={\
\n :log warn \"\$scriptName: authenticated, enabling bridge\"\
\n /interface bridge port enable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
\n }\
\n} else={\
\n :if (!\$portDisabled) do={\
\n :log warn \"\$scriptName: not authenticated (\$dot1xStatus), disabling bridge\"\
\n /interface bridge port disable [find bridge=\$bridgeOnt interface=\$interfaceOnt]\
\n }\
\n}"
/system scheduler add interval=5s name=CheckDot1x on-event=CheckDot1x policy=read,write,policy,test start-time=startup
Finally, place your DHCP on the “bridge-ont” interface. I’m able to pull both IPv4 and a /60 of IPv6, which I’ve split up into three /64 subnets for my private network, IoT and guest networks.
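As an added check (these commands are not part of the original post): once the script and scheduler are in place, the following RouterOS commands run the check once by hand, show what it logged, and confirm the three things it depends on: the supplicant status, the bridge-port state the script toggles, and the DHCP leases that should only appear once the port is back in bridge-ont. The last two lines trim the script and scheduler policies to read,write; that they are sufficient for enabling and disabling a bridge port is my assumption (the post grants read,write,policy,test on both objects).

```routeros
# Added verification and hardening commands, not from the original post.
# Assumes the names used in the post: ether3-ont, bridge-ont, CheckDot1x.

# Run the check once by hand and see whether it enabled or disabled the port
/system script run CheckDot1x
/log print where message~"CheckDot1x"

# Supplicant state: status should read "authenticated" once the cert bundle is accepted
/interface dot1x client print detail where interface=ether3-ont

# Bridge port state: disabled=no means the ONT port is currently in bridge-ont
/interface bridge port print detail where bridge=bridge-ont

# WAN addressing is only expected while the port is in the bridge
/ip dhcp-client print detail where interface=bridge-ont
/ipv6 dhcp-client print detail where interface=bridge-ont

# Least privilege (assumption: bridge port enable/disable needs only read,write;
# the post grants read,write,policy,test on both the script and the scheduler)
/system script set [find name=CheckDot1x] policy=read,write
/system scheduler set [find name=CheckDot1x] policy=read,write
```

If the two `set` lines leave the scheduler failing to run the script, put `policy` back on both objects, since with dont-require-permissions=no the scheduler must hold every policy the script lists.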