Xaesar
just joined
Topic Author
Posts: 10
Joined: Mon Feb 06, 2023 12:44 am

Bridge VLAN prerouting

Mon Mar 04, 2024 2:05 am

I have set up some prerouting rules one of which matches the VLAN interface attached to my bridge.
It matches the packets as expected. However, if I use the bridge associated with the VLAN interface, it does not match.
How come?
Shouldn't all traffic passing the VLAN interface also pass the VLAN interface, or am I missing some layer magic here?
 
mkx
Forum Guru
Posts: 11647
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN prerouting

Mon Mar 04, 2024 8:38 am

The way I read your description ... are you using multiple bridges? The issue you're having may have to do with HW offload. But I'm really guessing here, as you didn't show your configuration (so we can only guess as to what you actually have), nor did you mention the exact device model (HW offload is used on some devices and not on others). Nor did you mention the ROS version (things are changing, and knowing the exact ROS version is important as well).

So ... try again, harder this time :wink:
 
anav
Forum Guru
Posts: 19409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN prerouting

Mon Mar 04, 2024 10:44 pm

No mkx, I demand that new posters continue to baffle us with minimalist approaches and lack of information. Why do you want to take the pain out of reading posts?
Remember, this is Normis' personal torture chamber for supporters !!!

/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys etc.)
 
mkx
Forum Guru
Posts: 11647
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN prerouting

Mon Mar 04, 2024 10:52 pm

No mkx, I demand that new posters continue to baffle us with minimalist approaches and lack of information.

Oh my, Mr. Hyde is back :lol:
 
anav
Forum Guru
Posts: 19409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN prerouting

Mon Mar 04, 2024 10:57 pm

It's open season on orange tabbies :-)
 
Xaesar
just joined
Topic Author
Posts: 10
Joined: Mon Feb 06, 2023 12:44 am

Re: Bridge VLAN prerouting

Wed Mar 06, 2024 2:46 pm

Sorry for the minimalist approach, it is not really a question with regard to my own config, although I reference it.

It was more a question with regard to how VLAN interfaces attached to bridges work.
As I was experimenting with switching from the VLAN interface to the bridge attached to it in my RAW rules, it broke my config.

So I am wondering how the bridges and VLAN interfaces relate to each other.


If you believe it not to be that but rather something else, I'll gladly pay the config tax so as not to be disrespectful of your time and support:
# 2024-03-03 17:24:23 by RouterOS 7.14
# software id = 1P1E-2RD2
#
# model = RB952Ui-5ac2nD
# serial number = <obfuscated>
/interface bridge
add ingress-filtering=no name=MBR port-cost-mode=short pvid=24 \
    vlan-filtering=yes
/interface wireless
set [ find default-name=wlan2 ] country=sweden disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=Iovis
/interface vlan
add interface=MBR name=MVLAN vlan-id=24
/interface list
add name=LAN
add name=WLAN
add name=Master
add name=Upstream
add comment="Bridge/All Ports" name=APAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=IoTsec \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] country=sweden disabled=no frequency=auto \
    installation=indoor mode=ap-bridge security-profile=IoTsec ssid=Vesta
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=MBR frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan2 internal-path-cost=10 path-cost=10 pvid=48
add bridge=MBR frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan1 internal-path-cost=10 path-cost=10 pvid=66
add bridge=MBR frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 internal-path-cost=10 path-cost=10 pvid=69
add bridge=MBR frame-types=admit-only-vlan-tagged interface=ether1 \
    internal-path-cost=10 path-cost=10 pvid=24
add bridge=MBR frame-types=admit-only-untagged-and-priority-tagged interface=\
    LAN internal-path-cost=10 path-cost=10 pvid=69
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict
/interface bridge vlan
add bridge=MBR tagged=MBR,ether1 vlan-ids=24
add bridge=MBR tagged=ether1 untagged=wlan2 vlan-ids=48
add bridge=MBR tagged=ether1 untagged=wlan1 vlan-ids=66
add bridge=MBR tagged=ether1 untagged=ether2,ether3,ether4,ether5 vlan-ids=69
/interface list member
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=WLAN
add interface=wlan1 list=WLAN
add interface=MVLAN list=Master
add interface=MBR list=APAN
add interface=ether1 list=Upstream
/ip address
add address=192.168.7.13/24 interface=MVLAN network=192.168.7.0
/ip cloud
set update-time=no
/ip dns
set servers=10.0.69.10
/ip firewall address-list
add address=192.168.7.10-192.168.7.254 list=MAddrList
add address=192.168.7.0/24 list=LANAddrList
add address=10.0.48.0/24 list=LANAddrList
add address=10.0.66.0/24 list=LANAddrList
add address=10.0.69.0/24 list=LANAddrList
add address=192.168.7.10-192.168.7.254 list=VLAddrList
add address=10.0.48.10-10.0.48.254 list=VLAddrList
add address=10.0.66.10-10.0.66.254 list=VLAddrList
add address=10.0.69.10-10.0.69.254 list=VLAddrList
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "Default Config::Established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment=Invalid connection-state=invalid log=yes \
    log-prefix=Invalid
add action=drop chain=input comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=APAN \
    log=yes log-prefix=LAN!LAN src-address-list=!LANAddrList
add action=accept chain=input comment="Allow VLAN" in-interface-list=APAN \
    src-address-list=LANAddrList
add action=accept chain=input in-interface=MVLAN src-address-list=MAddrList
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=APAN \
    log=yes log-prefix=LAN!LAN src-address-list=!LANAddrList
add action=accept chain=forward comment="Allow All from MVLAN" in-interface=\
    MVLAN src-address-list=MAddrList
add action=accept chain=forward comment="Allow Upstream" in-interface-list=\
    APAN out-interface-list=Upstream src-address-list=VLAddrList
add action=drop chain=forward
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from Upstream" dst-address-list=\
    !LANAddrList in-interface-list=Upstream
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=APAN \
    src-address-list=!LANAddrList
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from VLAN" in-interface-list=Master
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.7.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet address=192.168.7.0/24 disabled=yes
set ftp disabled=yes
set www address=192.168.7.0/24 disabled=yes
set ssh address=192.168.7.0/24
set api disabled=yes
set winbox address=192.168.7.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::1/128 comment="defconf: Io" list=bad_ipv6
add address=fec0::/10 comment="::defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="::defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="::defconf: ipv4 compat" list=bad_ipv6
add address=2001:db8::/32 comment="::defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="::defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="::defconf: 6bone" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "::defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="::drop invalid" connection-state=invalid \
    log=yes log-prefix=ipv6,invalid
add action=drop chain=input log-prefix=IPV6
add action=accept chain=forward comment=\
    "::defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=drop chain=forward
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=APAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
    hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
    icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
    2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
    3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
    4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
    icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
    icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
    icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
    icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
    icmpv6
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=Helios
/system leds settings
set all-leds-off=after-1min
/system note
set note="A note for the mikrotik forums."
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Last edited by holvoetn on Wed Mar 06, 2024 2:48 pm, edited 1 time in total.
Reason: Removed serial
 
mkx
Forum Guru
Posts: 11647
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge VLAN prerouting

Wed Mar 06, 2024 5:17 pm

It was more a question with regard to how VLAN interfaces attached to bridges work.
They don't relate directly. Did you happen to read this explanation of different bridge personalities?

VLAN interfaces relate to the bridge interface (one of the personalities), but only as much as any other (off-bridge) interface they might be anchored to.
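A way to observe the distinction mkx describes on the configuration posted above, as an added example that is not part of the thread. It reuses the OP's names MBR (the VLAN-filtering bridge, with VLAN 24 tagged towards the bridge itself) and MVLAN (the VLAN interface with vlan-id=24 on top of MBR); the interface list name VLANS and the log prefixes are assumptions. Two temporary log-only rules at the top of the raw prerouting chain record which interface the IP layer reports for traffic arriving on VLAN 24:

```routeros
# Added diagnostic, not from the thread. Assumes bridge MBR with vlan-filtering=yes,
# VLAN 24 tagged towards MBR, and VLAN interface MVLAN (vlan-id=24) attached to MBR.
# Both rules are placed at the top of raw/prerouting so nothing drops the traffic first.

# 1) Match on the VLAN interface. Tagged VLAN-24 frames that reach the CPU port are
#    handed to MVLAN before the packet enters the IP stack, so MVLAN is the
#    in-interface the firewall sees.
/ip firewall raw add chain=prerouting in-interface=MVLAN action=log \
    log-prefix="raw-on-MVLAN" place-before=0

# 2) Match on the bridge itself. The bridge would only be the in-interface for frames
#    delivered untagged to the CPU port (bridge pvid); with VLAN 24 tagged towards
#    MBR there are none, so this rule does not see VLAN-24 traffic.
/ip firewall raw add chain=prerouting in-interface=MBR action=log \
    log-prefix="raw-on-MBR" place-before=1

# After generating traffic from a host in VLAN 24, inspect the log:
/log print where message~"raw-on-"

# For rules meant to cover every routed VLAN on the bridge, match on an interface
# list of the VLAN interfaces rather than on the bridge (VLANS is an assumed name):
/interface list add name=VLANS
/interface list member add interface=MVLAN list=VLANS
/ip firewall raw add chain=prerouting in-interface-list=VLANS action=accept \
    comment="accept from all routed VLAN interfaces"

# Remove the diagnostic rules once done:
/ip firewall raw remove [find log-prefix~"raw-on-"]
```

With the posted configuration only the raw-on-MVLAN prefix should appear in the log for VLAN-24 traffic, which is the mismatch the first post describes: the bridge is a layer-2 object, and the firewall's in-interface for tagged traffic is whatever layer-3 interface the tag is popped into. The interface-list approach also keeps rules working if further VLAN interfaces are added later, instead of relying on the bridge name.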
 
Xaesar
just joined
Topic Author
Posts: 10
Joined: Mon Feb 06, 2023 12:44 am

Re: Bridge VLAN prerouting

Sun Mar 10, 2024 6:20 pm

I have not, thank you!
 
anav
Forum Guru
Posts: 19409
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Bridge VLAN prerouting

Sun Mar 10, 2024 6:27 pm
