All physical interfaces (except WAN) are contained within one bridge, why?

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

ex1: I have this working setup

WAN
…|5.x.x.x
--+--
WAN_Router
--+--
|192.168.10.1/24
+
|
p1|192.168.10.5/24
--+--
MT Router
--+--
||||
p2..p5 4xTrunk

All my VLANs are located on one bridge, just as in the forum:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

But MT p1 serves as VLAN_10 and WAN at the same time! MT p1 is an untagged port to VLAN_10
-DefaultRoute & DNS: 192.168.10.1

In my firewall I use this (!ProtectedAddr is the 192.168.10.0/24 net) to prevent other VLANs from accessing VLAN_10 when they want WAN access.
/ip firewall filter add action=accept chain=forward comment="no custom dns & no protectedIP" \
    dst-address-list=!ProtectedAddr dst-port=!53 in-interface-list=GuestLAN out-interface-list=BASE_WAN protocol=tcp


ex2: I am considering changing the above to this

Then it will follow "All physical interfaces (except WAN) are contained within one bridge".
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
But will it work?

WAN
|5.x.x.x
--+--
WAN_Router
--+--
|192.168.1.1/30 (only 2 real ip)
+
|
p1|192.168.1.2/30 (only 2 real ip)
--+--
MT Router
--+--
||||
p2..p5 4xTrunk

-DefaultRoute & DNS: 192.168.1.1

Then VLAN_10 is now like all the other VLANs, and I put a new IP/segment on MT p1 and the other router.
I have also removed MT p1 from the bridge, and assigned port p1 the IP 192.168.1.2/30 (only 2 real ip).
To protect the WAN_Router & MT p1 in segment 192.168.1.1 & 192.168.1.2, I think I still need the same firewall item?


Now to my question: what is the difference between the two setups? And which is the preferred one?
(Don't suggest I remove the WAN_Router, I won't)

Network diagram
Complete config /export

Don't really care about the unreadable attempt to explain anything.
Express yourself in terms of requirements.
Identify users/devices and groups of users/devices (including the admin) and express

  • what they should be able to do
  • what they should NOT be able to do

Then a rational config can be prescribed.

All physical interfaces (except WAN) are contained within one bridge, why?

A bridge is a virtual interface used to switch traffic between hosts.
So all member ports of a bridge are capable of communicating with each other in Layer 2…

http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1

That is a complicated explanation for otherwise a simple answer…

Yes, I have read the link posted, but I still don't see any problem in doing as I do in the first setup I am running. In the next setup I isolated the WAN port in the MT as p1.
Still, I don't see any main difference when using the firewall rule as I show in ex1 and want to reuse in ex2.
-Now to my question: what is the difference between the two setups? And which is the preferred one?

You will have to take that up with the author as I don’t think he was answering the same angle of question but I am supposing the ‘article’ could be expanded to be more encompassing.
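Added example, not written by any poster in this thread: a small Python model of the accept rule quoted in the first post, run over constructed packets, to check what the rule lets through in ex1 and in ex2. Assumptions: interface lists are treated as plain labels, p1 is a member of BASE_WAN, the ex2 link network is 192.168.1.0/30, and any packet the rule does not match is dropped by a later rule.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_list: str    # interface list of the ingress interface
    out_list: str   # interface list of the egress interface
    protocol: str
    dst: str
    dst_port: int

def rule_accepts(pkt, protected_addr):
    """True if the thread's forward/accept rule matches the packet.
    A non-match falls through to later rules (assumed to end in a drop)."""
    dst = ipaddress.ip_address(pkt.dst)
    protected = any(dst in ipaddress.ip_network(n) for n in protected_addr)
    return (pkt.in_list == "GuestLAN"
            and pkt.out_list == "BASE_WAN"
            and pkt.protocol == "tcp"      # protocol=tcp
            and pkt.dst_port != 53         # dst-port=!53
            and not protected)             # dst-address-list=!ProtectedAddr

# Constructed sample packets (203.0.113.0/24 is a documentation range).
SAMPLES = {
    "internet https":   Packet("GuestLAN", "BASE_WAN", "tcp", "203.0.113.10", 443),
    "WAN_Router admin": Packet("GuestLAN", "BASE_WAN", "tcp", "192.168.1.1", 80),
    "custom DNS tcp":   Packet("GuestLAN", "BASE_WAN", "tcp", "203.0.113.53", 53),
    "internet udp/443": Packet("GuestLAN", "BASE_WAN", "udp", "203.0.113.10", 443),
}

EX1_PROTECTED = ["192.168.10.0/24"]   # ProtectedAddr as described for ex1
EX2_PROTECTED = ["192.168.1.0/30"]    # assumed update covering the new p1 link

def evaluate(protected_addr):
    """Map each sample name to whether the rule accepts it."""
    return {name: rule_accepts(p, protected_addr) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for label, plist in (("ex1 list", EX1_PROTECTED), ("ex2 list", EX2_PROTECTED)):
        print(label, evaluate(plist))
```

With the ex1 address list left unchanged, the rule accepts guest traffic to 192.168.1.1, so reusing it in ex2 only protects the WAN_Router link if ProtectedAddr is changed to the new segment. The model also shows that the rule, being protocol=tcp, accepts no UDP at all.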