Bridge filter rules : set-priority for VLAN non functional

Hello Mikrotik,

Consider following setup to set VLAN 802.1Q priority (PCP) = 6 for DHCP outbound packets.

/interface vlan add interface=ether1 name=ether1.832 vlan-id=832
/interface bridge add fast-forward=no name=orange-832 protocol-mode=none
/interface bridge filter add action=set-priority chain=output dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-interface=ether1.832 src-port=68
/interface bridge filter add action=set-priority chain=output dst-port=547 ip-protocol=udp mac-protocol=ipv6 new-priority=6 out-interface=ether1.832 src-port=546
/interface bridge port add bridge=orange-832 interface=ether1.832

/ip dhcp-client add disabled=no interface=orange-832
/ipv6 dhcp-client add add-default-route=yes interface=orange-832 pool-name=pool_orange6 request=prefix

It doesn’t work using v7.1beta2 but works fine using v.6.47.4

Even simpler setup to force VLAN PCP at 6 for all traffic :

/interface vlan add interface=ether1 name=ether1.832 vlan-id=832
/interface bridge add fast-forward=no name=orange-832 protocol-mode=none
/interface bridge filter add action=set-priority chain=output new-priority=6 out-interface=ether1.832
/interface bridge port add bridge=orange-832 interface=ether1.832

doesn’t work any better under v7.1beta2

Thanks in advance for investigation !
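
A way to check the result of the rules above on a captured frame, as an added example that is not part of the original post: it reads the 802.1Q tag and reports whether a DHCPv4 (UDP 68 to 67) or DHCPv6 (UDP 546 to 547) client packet on VLAN 832 carries PCP 6. The function names and the sample frame builder are constructed for illustration; IPv6 extension headers are not handled.

```python
import struct

def build_frame(pcp, vid, sport, dport):
    """Constructed sample: Ethernet + 802.1Q tag + bare IPv4/UDP headers, no payload."""
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    tag = struct.pack("!HH", 0x8100, (pcp << 13) | vid)   # TPID, then TCI
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return eth + tag + struct.pack("!H", 0x0800) + ip + udp

def inspect(frame):
    """Return {vid, pcp, dhcp_client} for a tagged frame, None if untagged or too short."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != 0x8100:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VLAN ID
    info = {"vid": tci & 0x0FFF, "pcp": tci >> 13, "dhcp_client": False}
    l3 = frame[18:]
    if ethertype == 0x0800 and len(l3) >= 20 and l3[9] == 17:
        l4, ports = l3[(l3[0] & 0x0F) * 4:], (68, 67)      # DHCPv4 client -> server
    elif ethertype == 0x86DD and len(l3) >= 40 and l3[6] == 17:
        l4, ports = l3[40:], (546, 547)                    # DHCPv6 client -> server
    else:
        return info
    if len(l4) >= 4:
        info["dhcp_client"] = struct.unpack("!HH", l4[:4]) == ports
    return info

def rule_applied(frame, vid=832, want_pcp=6):
    """True only if the frame is a DHCP client packet on the VLAN with the wanted PCP."""
    info = inspect(frame)
    return bool(info and info["vid"] == vid and info["dhcp_client"]
                and info["pcp"] == want_pcp)

if __name__ == "__main__":
    for pcp in (6, 0):   # 6 = rule applied, 0 = rule silently ignored
        f = build_frame(pcp, 832, 68, 67)
        print(inspect(f), "rule applied:", rule_applied(f))
```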

Same on v7.1beta5. See above.

With some interesting fact,
Configuration similar to above defined under ROSv6 stays functional after upgrade to ROSv7.
However, after /system reset-configuration, identical configuration (typed or restored from a working /export) is non functional.

Might be related to this one ?
http://forum.mikrotik.com/t/v7-1beta2-bridge-vlan-filtering-unable-to-get-ip-via-dhcp-on-vlan/142394/1

Seems fixed in v7.1beta6.
After multiple restores from /export output, bridge filter rules are correctly applied.

Despite being fixed for RB4011 (arm),

That very issue is still occurring using 7.1.1 on RB5009 (arm64).
VLAN PCP/802.1p is not properly set through bridge filter rule.

Same problem on CCR2004-16G-2S+

In my experience, bridge filter rules do not work on RB5009 for bridges with L2 hw offload enabled.
But adding PCP/802.1p priorities works for me on RB5009 using interface/ethernet/switch/rule with action new-vlan-priority.
Special attention has to be paid to keep switch rules and bridge config in sync in case of member port changes.

While ROS 7.1.1 translates bridge VLAN filters into 88E6393X HW VLAN configs, it seems not to do it for bridge filters (yet?).

L2 hw offload is not currently enabled on any bridge interface as :

  • there’s only one member interface (ether8) under WAN bridge (the one we want to set PCP/802.1p prio)
  • all ports (ether1-7) under LAN bridge are actively set to horizon=1 (port isolation)

Besides, in any circumstances I’m getting

new-vlan-priority not supported for this switch

while trying to apply switch-rules on Marvell-88E6393X

Am I missing something ?


[admin@RB5009] /interface/ethernet/switch> rule add switch=switch1 ports=ether2,ether8 vlan-id=100 new-vlan-id=101
[admin@RB5009] /interface/ethernet/switch> rule add switch=switch1 ports=ether2,ether8 vlan-id=100 new-vlan-priority=6
failure: new-vlan-priority not supported for this switch

Hmm.. you're right. On RB5009 only new-vlan-id is supported so far, new-vlan-priority is not. Although the 88E6393X would support it.
Sorry, I mixed that up with the CRS Models where this works fine.

In my experience, on RB5009 bridge rules only work reliably if using L2 HW offload and switch rules as far as supported.
/interface/bridge rules often just refuse to work without any further indication.
This indeed seems to be a bug.

The 88E6393X is a very powerful switch chip. Support in ROS for some of its features and bridges on top of it is broken or not yet complete.

From support ticket #[SUP-71491], priority has been raised regarding bridge filter rules.
First, may they just work, even being CPU bound (like RB4011), it doesn’t introduce a large performance cost.

Now, if eventually bridge filter rules transparently trigger hardware capabilities when available, it would be great, but that’s another story…

Hi all,
Same problem here on a CCR2004-1G-12S+2XS.
Thanks for these great equipments, and for your work harvesting this regrettable regression.

What’s new in 7.2rc3 (2022-Jan-28 16:33):
*) bridge - fixed filter and NAT “set-priority” action;

Seems like this got fixed with 7.2rc3

Still doesn’t work with above configuration (first post).

Probably you should report this via their support system. In the meantime, you can probably work around this with a mangle rule to get the same result.

SUP-71491 on Mikrotik jira.
Unfortunately, the DHCP client makes use of raw sockets (at least for DHCPv4) and therefore bypasses the IP firewall.
Marking packets through an external device (cisco switch, bridged RB4011…) is the only workaround now.

Confirmed fix on ROS v.7.1.3 for RB5009 (arm64).

Hi all!

Hope you are doing fine,

I'm trying to figure out how to configure VLAN 802.1Q priority on a 3011 with a QCA 8337 switch chip. According to the help documentation:


For VLAN related matchers or VLAN related action parameters to work, you need to enable vlan-filtering on the bridge interface and make sure that hardware offloading is enabled on those ports, otherwise, these parameters will not have any effect.

I understand that enabling vlan-filtering on QCA 8337 will disable HW offload. So, is it possible to set up VLAN priority on 8337? If I enable vlan-filtering, knowing this will have a cost on CPU, and use bridge filters, will this work?

Also, I need to apply the same config on a Marvell 98DX3236 and I'm a little confused about where to apply the rule: is it on bridge filters or on switch rules?