Community discussions

MikroTik App
  4. RouterOS
  5. General

Interface list for multiple bridges?  [SOLVED]

Post Reply
 
diasdm
newbie
Topic Author
Posts: 30
Joined: Fri Sep 22, 2023 4:48 pm

Interface list for multiple bridges?

Fri Mar 15, 2024 4:53 am

* HAP AX3

I've added a new bridge for WiFi ports.
Code: Select all
[@MikroTik] > interface/bridge/export
/interface bridge
add comment=defconf name=bridge_LAN port-cost-mode=short
add comment=defconf name=bridge_WiFi port-cost-mode=short

/interface bridge port
add bridge=bridge_LAN comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge_LAN comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge_WiFi comment=defconf interface=wifi_5GHz internal-path-cost=10 path-cost=10
add bridge=bridge_WiFi comment=defconf interface=wifi_2GHz internal-path-cost=10 path-cost=10
add bridge=bridge_LAN interface=veth1

Then I've set up a network address for the WiFi bridge.
Code: Select all
[@MikroTik] > ip address/export
/ip address
add address=192.168.8.1/24 comment="defconf - LAN Bridge" interface=bridge_LAN network=192.168.8.0
add address=192.168.9.1/24 comment="WiFi Bridge" interface=bridge_WiFi network=192.168.9.0

I also added an interface list for the WiFi bridge.
Code: Select all
[@MikroTik] > interface/list/export
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Interface list for WiFi bridge" name=LAN_WiFi
/interface list member
add comment="defconf - LAN interface list for LAN bridge" interface=bridge_LAN list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add comment="WiFi interface list for WiFi bridge" interface=bridge_WiFi list=LAN_WiFi

Finally, some DHCP configurations and I thought I was done.
Code: Select all
[@MikroTik] > ip dhcp-server/export
/ip dhcp-server
add address-pool=dhcp_LAN interface=bridge_LAN lease-time=1d name=defconf_LAN
add address-pool=dhcp_WiFi interface=bridge_WiFi lease-time=1d name=WiFi_DHCP
/ip dhcp-server network
add address=192.168.8.0/24 comment="defconf - LAN DHCP Configuration" dns-server=192.168.8.1 gateway=192.168.8.1 netmask=24
add address=192.168.9.0/24 comment="WiFi DHCP configuration" dns-server=192.168.8.1 gateway=192.168.9.1 netmask=24

As it happens, there's a firewall rule that blocks all traffic that does not come from the LAN interface list.
Code: Select all
[@MikroTik] > ip firewall/filter/export
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

Unless I disable this rule, clients from the WiFi network cannot reach the Internet.
I could change the "not LAN" to "WAN", I guess...

Creating an interface list that includes both "bridge_LAN" and "bridge_WiFi" was my first idea.
However, even though it is called an interface "list", I could only set one interface.

So, is there a way to create such an interface list that includes both "bridge_LAN" and "bridge_WiFi", or "LAN" and "LAN_WiFi" lists?
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Interface list for multiple bridges?

Fri Mar 15, 2024 9:22 am

Creating an interface list that includes both "bridge_LAN" and "bridge_WiFi" was my first idea.
However, even though it is called an interface "list", I could only set one interface.


Something like this:
Code: Select all
/interface list
add name=list1
add name=list2
add name=list3
/interface list member
add interface=ether1 list=list1
add interface=ether2 list=list2
add interface=ether3 list=list3

/interface list
add comment="aggregate list" name=list-agg include=list1,list3

So you add multiple lists to aggregation list by adding single line and the individual lists are coma-separated.
Top
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: Interface list for multiple bridges?  [SOLVED]

Fri Mar 15, 2024 11:56 am

More a question/doubt than anything else.
Isn't "philosophically" (or topologically) the WiFi bridge part of the Lan? (or a subset of it if you prefer)

I.e., would something *like*:
Code: Select all
[@MikroTik] > interface/list/export
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Interface list for WiFi bridge" name=LAN_WiFi
add comment="Interface list for cabled and wireless LAN" name=meta_LAN
/interface list member
add comment="defconf - LAN interface list for LAN bridge" interface=bridge_LAN list=LAN
add comment=defconf interface=ether1_WAN list=WAN
add comment="WiFi interface list for WiFi bridge" interface=bridge_WiFi list=LAN_WiFi
add comment="Interface list for cabled and wireless LAN" interface=bridge_LAN name=meta_LAN
add comment="Interface list for cabled and wireless LAN" interface=bridge_WiFi name=meta_LAN
And then change the firewall rule:
Code: Select all
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN disabled=yes
add action=drop chain=input comment="usermod: drop all not coming from meta_LAN" in-interface-list=!meta_LAN
Work?
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19395
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Interface list for multiple bridges?

Fri Mar 15, 2024 12:44 pm

More efficient to use vlans and one bridge in most cases but concur with jaclaz's approach to fw rules, if sticking with two bridges......
KISS.
Top
 
diasdm
newbie
Topic Author
Posts: 30
Joined: Fri Sep 22, 2023 4:48 pm

Re: Interface list for multiple bridges?

Sat Mar 16, 2024 2:14 am

I get it now.
I didn't realize I could repeat the same interface list name.
It's works great now.
Code: Select all
[@MikroTik] /interface/list/member> print detail
 0   ;;; defconf - LAN interface list for LAN bridge
     list=LAN interface=bridge_LAN dynamic=no

 1   ;;; defconf - WAN interface list for WAN on ether1
     list=WAN interface=ether1_WAN dynamic=no

 2   ;;; WiFi interface list for WiFi bridge
     list=LAN_WiFi interface=bridge_WiFi dynamic=no

 3   ;;; Interface list for cabled and wireless LAN
     list=meta_LAN interface=bridge_LAN dynamic=no

 4   ;;; Interface list for cabled and wireless LAN
     list=meta_LAN interface=bridge_WiFi dynamic=no

[@MikroTik] /ip/firewall/filter> print detail
 8    ;;; defconf: drop all not coming from meta_LAN
      chain=input action=drop in-interface-list=!meta_LAN log=no log-prefix=""
---

More efficient to use vlans and one bridge in most cases but concur with jaclaz's approach to fw rules, if sticking with two bridges......
I'm mostly just experimenting and trying different approaches.
I'll get to VLANs later.

Appreciate all the valuable advice.
Top
Post Reply

Who is online

Users browsing this forum: Amazon [Bot], Google [Bot], johnson73 and 32 guests
  4. RouterOS
  5. General