I have an issue where LDP adjacency connects fine (port 646), but VPLS won’t come up unless I disable my drop rule in the firewall. Does VPLS use different ports? Any help would be appreciated.
You might need to allow input of ether-frames 0x8847 (mpls-unicast) somehow.
I see you can do a bridge filter for mac-protocol for mpls-unicast. Tried that, no change. I find it strange that LDP works, but VPLS doesn’t. It seems that I could add a /ip firewall rule to allow this somehow, since disabling the drop rule allows the VPLS to come up.
The output below allows VPLS to come up.
/ip firewall filter
add action=accept chain=input src-address=10.0.0.0/24 protocol=udp
add action=accept chain=input src-address=10.0.0.0/24 protocol=tcp
So there must be some port being blocked or a protocol that I’m unaware of.
LDP works with the below output. But VPLS does not come up unless I basically open up the whole subnet to anything tcp/udp as above.
/ip firewall filter
add action=accept chain=input protocol=udp dst-port=646
add action=accept chain=input protocol=tcp dst-port=646
add action=accept chain=output protocol=udp dst-port=646
add action=accept chain=output protocol=tcp dst-port=646
Interestingly enough, I added the same input chain rule but added the source port 646 and destination port 646, and VPLS came up. So solved, I guess…