bridge interfaces: tagged or untagged?

Hi!
I’m a newbie in the network and MikroTik world.
I’ve set up 2 VLANs with bridge VLAN filtering, setting the PVID and frame types to “admit all”, and in bridge settings “use IP firewall” and “use IP firewall for VLAN”.
With the bridge interfaces untagged it works, but it doesn’t seem right to me. In my head all the packets in the bridge must be tagged… Or am I missing something?
Do all untagged ports tag every packet in input or not?

Thanks a lot!

Unlike switch chips, which typically apply the PVID tag to untagged packets on ingress and remove it on egress, bridges can handle both tagged and untagged packets.

The bridge settings “use IP firewall” and “use IP firewall for VLAN” are only required if you want packets travelling directly between bridge ports to be subjected to the IP firewall rules - this is only required if you wish to apply more complex rules which are not possible in bridge filter & NAT rules, but will increase CPU utilisation.

Note traffic between differing VLANs will be handled by the IP firewall without these settings as they are routed VLAN A → ether interface → bridge → vlan interface A → routing & IP firewall → vlan interface B → bridge → ether interface → VLAN B

Ok, I know bridges can handle both tagged and untagged; I can’t understand why it stops working if I block untagged traffic.
In my case I simply have untagged ports from /interface bridge vlan, so I was thinking that all the ingress traffic to the bridges was tagged.

I use IP firewall for VLAN because it was the only way to do firewalling between different VLANs; I haven’t found other methods.


One stupid question: when a packet tagged A passes through the IP firewall and goes on to a different VLAN, does the router replace the VLAN tag? I’m starting to think this is the problem.

IP routing knows nothing about VLANs, they are an ethernet (layer 2) construct. Your rules may have a wider scope than you expect, post the output of /export hide-sensitive after redacting any other identifying material (e.g. public addresses)

I use VLANs in my bridge (use-ip-firewall-for-vlan is disabled) and these are the rules to prevent VLANs from talking to each other. Allows first, then a drop-all at the bottom.

I am not sure if rules 29, 32, 35 are necessary. I don’t think traffic within the same subnet and VLAN goes through the IP firewall (routing), but I haven’t tested. The items in columns 4 and 5 are address-list items.

zzz.png
I am not sure what is the use case of enabling use-ip-firewall-for-vlan.
I also have use-ip-firewall enabled, but I’m not even sure I need it enabled.


Update: to answer dave’s question below (I do not wish to hijack the thread), my router has multiple VLANs in one bridge. The router has an address and DHCP server in each VLAN. Eth1 is connected to my core LAN switch. Eth5 is my WAN port. Eth2-4 are disabled.

Do you use more VLANs on one bridge? I made one bridge for each VLAN. This is probably why I used IP firewall for VLAN.
This is my configuration:
/interface bridge
add name=bdg-vlan5 pvid=5 vlan-filtering=yes
add disabled=yes name=bdg-vlan7 pvid=7 vlan-filtering=yes
add name=bdg-vlan10 pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
/interface list
add name=list-WAN
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=pool-vlan5 ranges=10.1.5.20-10.1.5.254
add name=pool-vlan10 ranges=10.1.10.20-10.1.10.254
/ip dhcp-server
add address-pool=pool-vlan5 disabled=no interface=bdg-vlan5 name=dhcpserv-vlan5
add address-pool=pool-vlan10 disabled=no interface=bdg-vlan10 name=dhcpserv-vlan10
/interface bridge filter
add action=drop chain=input comment="**** phone block" src-mac-address=00:87:01:E7:5E:74/FF:FF:FF:FF:FF:FF
/interface bridge port
add bridge=bdg-vlan5 interface=ether3 pvid=5
add bridge=bdg-vlan10 interface=ether4 pvid=10
add bridge=bdg-vlan5 interface=wlan1 pvid=5
add bridge=bdg-vlan5 interface=ether5 pvid=5
add bridge=bdg-vlan5 interface=ether2 pvid=5
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bdg-vlan5 untagged=ether3,ether2,ether5,wlan1,bdg-vlan5 vlan-ids=5
add bridge=bdg-vlan10 untagged=ether4,*B vlan-ids=10
add bridge=bdg-vlan7 untagged=bdg-vlan7 vlan-ids=7
/interface detect-internet
set wan-interface-list=list-WAN
/interface ethernet switch vlan
add ports=ether2,ether3 switch=switch1 vlan-id=5
add ports=ether2,ether4 switch=switch1 vlan-id=10
/interface list member
add interface=ether1-wan list=list-WAN
/interface wireless cap
set bridge=bdg-vlan5 caps-man-addresses=10.1.5.1 discovery-interfaces=bdg-vlan5 interfaces=wlan1
/ip address
add address=10.1.5.1/24 interface=bdg-vlan5 network=10.1.5.0
add address=10.1.10.1/24 interface=bdg-vlan10 network=10.1.10.0
/ip dhcp-client
add dhcp-options=clientid_duid,clientid,hostname disabled=no interface=ether1-wan
/ip dhcp-server lease
add address=10.1.10.254 client-id=1:30:85:a9:97:1e:13 mac-address=30:85:A9:97:1E:13 server=dhcpserv-vlan10
/ip dhcp-server network
add address=10.1.5.0/24 dns-server=192.168.1.1 gateway=10.1.5.1 netmask=24
add address=10.1.10.0/24 dns-server=192.168.1.1 gateway=10.1.10.1 netmask=32
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=10.1.10.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="001 Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="002 Drop to syn flood list" src-address-list=Syn_Flooder
add action=drop chain=input comment="003 Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="004 Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="005 Block all access to the winbox - except to support list" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="006 Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="007 Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="008 Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="009 Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="010 Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="011 Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="012 Accept to established connections" connection-state=established
add action=accept chain=input comment="013 Accept to related connections" connection-state=related
add action=accept chain=input comment="014 Full access to SUPPORT address list" src-address-list=support
add action=accept chain=ICMP comment="016 Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="017 Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="018 Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="019 Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment="020 PMTUD" icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="021 Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="022 Jump for icmp output" jump-target=ICMP protocol=icmp
add action=accept chain=forward comment=A0X disabled=yes in-interface=ether1-wan out-interface=bdg-vlan10 protocol=udp
add action=accept chain=forward comment=A0X disabled=yes in-interface=bdg-vlan10 out-interface=ether1-wan protocol=udp
add action=accept chain=forward comment="A1-VLAN10 [FUTURA VLAN5] accept DHT UDP from WAN for uTorrent traffic" in-interface=ether1-wan out-interface=bdg-vlan10 protocol=udp src-port=6881-6889
add action=accept chain=forward comment="A1-VLAN10 [FUTURA VLAN5] accept DHT UDP to WAN for uTorrent traffic" dst-port=6881-6889 in-interface=bdg-vlan10 out-interface=ether1-wan protocol=udp
add action=accept chain=forward comment="A1-VLAN10 accept DNS, HTTP, HTTPs, XMPP TCP from WAN" in-interface=ether1-wan out-interface=bdg-vlan10 protocol=tcp src-port=53,80,443,5222
add action=accept chain=forward comment="A1-VLAN10 accept DNS, HTTP, HTTPs, XMPP TCP to WAN" dst-port=53,80,443,5222 in-interface=bdg-vlan10 out-interface=ether1-wan protocol=tcp
add action=accept chain=forward comment="A1-VLAN10 accept DNS, HTTP, HTTPs UDP from WAN" in-interface=ether1-wan out-interface=bdg-vlan10 protocol=udp src-port=53,80,443
add action=accept chain=forward comment="A1-VLAN10 accept DNS, HTTP, HTTPs UDP to WAN" dst-port=53,80,443 in-interface=bdg-vlan10 out-interface=ether1-wan protocol=udp
add action=accept chain=input comment="D0X-VLAN5 permit CAPsMAN ports" dst-port=5246,5247 in-interface=bdg-vlan5 protocol=udp
add action=accept chain=forward comment="D1-VLAN5 accept DNS, HTTP, HTTPs, RDP, XMPP TCP from WAN" in-interface=ether1-wan out-interface=bdg-vlan5 protocol=tcp src-port=53,80,443,3389,5222
add action=accept chain=forward comment="D1-VLAN5 accept DNS, HTTP, HTTPs RDP, XMPP TCP to WAN" dst-port=53,80,443,3389,5222 in-interface=bdg-vlan5 out-interface=ether1-wan protocol=tcp
add action=accept chain=forward comment="D1-VLAN5 accept DNS, HTTP, HTTPs RDP UDP from WAN" in-interface=ether1-wan out-interface=bdg-vlan5 protocol=udp src-port=53,80,443,3389
add action=accept chain=forward comment="D1-VLAN5 accept DNS, HTTP, HTTPs RDP UDP to WAN" dst-port=53,80,443,3389 in-interface=bdg-vlan5 out-interface=ether1-wan protocol=udp
add action=accept chain=forward comment="R1-INTER accept printer TCP from vlan5 to vlan10" in-interface=bdg-vlan5 out-interface=bdg-vlan10 protocol=tcp src-address=10.1.5.19 src-port=9100
add action=accept chain=forward comment="R1-INTER accept printer TCP from vlan10 to vlan5" dst-address=10.1.5.19 dst-port=9100 in-interface=bdg-vlan10 out-interface=bdg-vlan5 protocol=tcp
add action=drop chain=forward comment="Z1-INTER drop from vlan10 to vlan5" in-interface=bdg-vlan10 out-interface=bdg-vlan5
add action=drop chain=forward comment="Z1-INTER drop from vlan5 to vlan10" in-interface=bdg-vlan5 out-interface=bdg-vlan10
add action=drop chain=input comment="Z9 drop everything from WAN" in-interface=ether1-wan
add action=drop chain=output comment="Z9 drop everything to WAN" out-interface=ether1-wan
add action=drop chain=input comment="Z9 drop anything else!"
/ip firewall nat
add action=masquerade chain=srcnat
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MainMTK-router-firewall
I cut the wifi configs and other needless stuff.

Rules 29, 32, 35 are unnecessary; they would only have an effect if both use-ip-firewall=yes and use-ip-firewall-for-vlan=yes.
The Wiki explains the bridge firewall settings https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Settings together with the diagram https://wiki.mikrotik.com/wiki/Manual:Packet_Flow#Bridging_Diagram

[Config cut]

There is no point in having multiple VLAN-aware bridges with a single VLAN in each. Either use a single VLAN-aware bridge (the “new” way, recommended unless you require ethernet port hardware offloading), or multiple non-VLAN-aware bridges (the “old” way, has many traps for the unwary https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration)

[quote=dadi01 post_id=755925 time=1571572401 user_id=149864]Do all untagged ports tag every packet in input or not?[/quote]
That’s one of my doubts. Probably they don’t tag it at all.

I will try another configuration and I’ll be back.

Thanks to all!

[quote=dadi01 post_id=755925 time=1571572401 user_id=149864]
Do all untagged ports tag every packet in input or not?
[/quote]


In my testing, I believe it does. In the following bridge configuration, incoming packets into eth5 are tagged with vlan 999.

My trunk port in this case is PORT 1.

[attachment=0]zz1.png[/attachment]

Clearly I am not saying your config is not working, I’m just trying to understand.
I tried to sniff and the packets weren’t tagged…
I imagine your screenshot is of your router, so you don’t use the hw switch; you’re using only the bridge to route traffic. Where did you set up DHCP and IP addresses in your case?

@ashpri: your settings are … bluntly said … invalid. While multiple VLANs can get untagged on egress, untagged packets can get tagged to only single VLAN on ingress. So basically your screenshot shows that ether5 will carry packets of VLAN 999 untagged on port side and tagged on bridge side (according to PVID setting) … the rest of enumerated VLANs (3, 15, 20, 35, 997 and 998) might leak some packets on ether5 port and will get untagged on port side. The amount of leaked packets will not be huge, probably some broadcasts (depends on ARP table).

And to answer @dadi01 about untagged ports tagging frames on ingress: depends on settings … they will either get tagged with PVID or they will get dropped (depending on ingress-filtering setting). When bridge interface has set the same PVID, those packets might appear as if they were untagged on bridge (the switch-like personality), but actually they were tagged.
So basically: when bridge (the switch-like personality) has vlan-filtering set to yes, all packets get tagged on ingress (and pvid has implicit default setting to pvid=1). When bridge (the switch-like personality) has vlan-filtering set to no, VLAN header is not checked and is left as-is … both on ingress and egress. Mind that vlan interfaces inside ROS (those that are created in /interface vlan section) still interact with VLANs, only bridge (the switch-like personality) doesn’t do anything about VLANs (no port isolation according to VLAN membership, no tagging/untagging, …).
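To make the ingress rules just described concrete (untagged frames always take the port PVID, frame-types and ingress-filtering decide what is admitted, and a port can be untagged in only one VLAN), here is an added Python model of a VLAN-aware bridge that reads the bridge port and bridge vlan sections of an export and flags ports untagged in several VLANs. It is example code written for this thread, not RouterOS or MikroTik code; the export fragment is constructed in the style of the configs posted here, and the parser assumes unquoted values.

```python
import re
from dataclasses import dataclass, field

def _vids(spec):
    """Expand a vlan-ids value such as '201,202' or '3,15,997-999'."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out

@dataclass
class Bridge:
    ports: dict = field(default_factory=dict)     # port name -> {pvid, frame_types, ingress_filtering}
    tagged: dict = field(default_factory=dict)    # vid -> set of port names
    untagged: dict = field(default_factory=dict)  # vid -> set of port names

    def load_export(self, text):
        """Read the '/interface bridge port' and '/interface bridge vlan' lines (unquoted values only)."""
        section = None
        for line in text.splitlines():
            line = line.strip()
            if line.startswith("/"):
                section = line
                continue
            kv = dict(re.findall(r"(\S+?)=(\S+)", line))
            if section == "/interface bridge port" and "interface" in kv:
                self.ports[kv["interface"]] = {
                    "pvid": int(kv.get("pvid", 1)),                  # RouterOS default pvid=1
                    "frame_types": kv.get("frame-types", "admit-all"),
                    "ingress_filtering": kv.get("ingress-filtering", "no") == "yes"}
            elif section == "/interface bridge vlan" and "vlan-ids" in kv:
                for vid in _vids(kv["vlan-ids"]):
                    self.tagged.setdefault(vid, set()).update(set(kv.get("tagged", "").split(",")) - {""})
                    self.untagged.setdefault(vid, set()).update(set(kv.get("untagged", "").split(",")) - {""})

    def ingress(self, port, vid=None):
        """VLAN a frame carries once inside the bridge, or None if dropped; vid=None is an untagged frame."""
        p = self.ports[port]
        if vid is None:
            if p["frame_types"] == "admit-only-vlan-tagged":
                return None
            vid = p["pvid"]  # untagged frames are always tagged with the port PVID
        elif p["frame_types"] == "admit-only-untagged-and-priority-tagged":
            return None
        # ingress-filtering drops frames whose VLAN (explicit or PVID) the port is not a member of
        members = self.tagged.get(vid, set()) | self.untagged.get(vid, set())
        if p["ingress_filtering"] and port not in members:
            return None
        return vid

    def untagged_conflicts(self):
        """Ports untagged in more than one VLAN: only the PVID VLAN is tagged on ingress, the rest leak."""
        per_port = {}
        for vid, names in self.untagged.items():
            for n in names:
                per_port.setdefault(n, set()).add(vid)
        return {n: sorted(v) for n, v in per_port.items() if len(v) > 1}

# Constructed export fragment (not from the thread): a tagged trunk on ether2, an access
# port on ether3, and ether5 wrongly listed untagged in several VLANs.
SAMPLE_EXPORT = """
/interface bridge port
add bridge=bridge1 interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether3 pvid=203
add bridge=bridge1 interface=ether5 pvid=999 ingress-filtering=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether3 vlan-ids=203
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether5 vlan-ids=3,15,997-999
"""
```

Without ingress-filtering a tagged frame for a VLAN the port is not a member of is still admitted (ether3 below), which is why the thread recommends enabling it on every port.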

@dave this is how I have my bridge setup including DHCP Server.


/interface vlan
add interface=bridge1 name="VL 201 Guest" vlan-id=201
add interface=bridge1 name="VL 202 Fam" vlan-id=202
add interface=bridge1 name="VL 203 Kids" vlan-id=203
add interface=bridge1 name="VL 204 Office" vlan-id=204
add interface=bridge1 name="VL 205 Staff" vlan-id=205

/interface bridge
add admin-mac="your-device-mac" auto-mac=no name=bridge1 vlan-filtering=yes

/interface bridge settings 
set use-ip-firewall=yes
#NOTE: After the discussions here, it seems this doesn't need to be enabled.

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3 pvid=203
add bridge=bridge1 interface=ether4 pvid=204
add bridge=bridge1 interface=ether5 pvid=205
#NOTE: eth1=WAN, eth2-5=SWITCH (2=TRUNK,3=VL203,4=VL204,5=VL205)

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=201,202
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether3 vlan-ids=203
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether4 vlan-ids=204
add bridge=bridge1 tagged=bridge1,ether2 untagged=ether5 vlan-ids=205

#BELOW IS THE DHCP SETUP

/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=192.168.201.1/24 interface="VL 201 Guest" network=192.168.201.0
add address=192.168.202.1/24 interface="VL 202 Fam" network=192.168.202.0
add address=192.168.203.1/24 interface="VL 203 Kids" network=192.168.203.0
add address=192.168.204.1/24 interface="VL 204 Office" network=192.168.204.0
add address=192.168.205.1/24 interface="VL 205 Staff" network=192.168.205.0

/ip pool
add name="Pool - Default" ranges=192.168.88.100-192.168.88.199
add name="Pool - 201 Guest" ranges=192.168.201.100-192.168.201.199
add name="Pool - 202 Fam" ranges=192.168.202.100-192.168.202.199
add name="Pool - 203 Kids" ranges=192.168.203.100-192.168.203.199
add name="Pool - 204 Office" ranges=192.168.204.100-192.168.204.199
add name="Pool - 205 Staff" ranges=192.168.205.100-192.168.205.199

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
add address=192.168.201.0/24 gateway=192.168.201.1 netmask=24
add address=192.168.202.0/24 gateway=192.168.202.1 netmask=24
add address=192.168.203.0/24 gateway=192.168.203.1 netmask=24
add address=192.168.204.0/24 gateway=192.168.204.1 netmask=24
add address=192.168.205.0/24 gateway=192.168.205.1 netmask=24

/ip dhcp-server
add address-pool="Pool - Default" disabled=no interface=bridge1 name="DHCP Server 1 - Default"
add address-pool="Pool - 202 Fam" disabled=no interface="VL 202 Fam" name="DHCP Server 2 - Fam"
add address-pool="Pool - 201 Guest" disabled=no interface="VL 201 Guest" name="DHCP Server 3 - Guest"
add address-pool="Pool - 203 Kids" disabled=no interface="VL 203 Kids" name="DHCP Server 4 - Kids"
add address-pool="Pool - 204 Office" disabled=no interface="VL 204 Office" name="DHCP Server 5 - Office"
add address-pool="Pool - 205 Staff" disabled=no interface="VL 205 Staff" name="DHCP Server 7 - Staff"

The following is the same setup, using switch chip instead of bridge.

/interface vlan
add interface=bridge1 name="VL 201 Guest" vlan-id=201
add interface=bridge1 name="VL 202 Fam" vlan-id=202
add interface=bridge1 name="VL 203 Kids" vlan-id=203
add interface=bridge1 name="VL 204 Office" vlan-id=204
add interface=bridge1 name="VL 205 Staff" vlan-id=205

/interface bridge
add admin-mac="your-device-mac" auto-mac=no name=bridge1

/interface bridge settings 
set use-ip-firewall=yes
#NOTE: After the discussions here, it seems this doesn't need to be enabled.

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
#NOTE: eth1=WAN, eth2-5=SWITCH (2=TRUNK,3=VL203,4=VL204,5=VL205)

/interface ethernet switch port
set 0 vlan-mode=disabled
set 1 vlan-mode=secure
set 2 vlan-mode=secure default-vlan-id=203 vlan-header=always-strip
set 3 vlan-mode=secure default-vlan-id=204 vlan-header=always-strip
set 4 vlan-mode=secure default-vlan-id=205 vlan-header=always-strip
set 5 vlan-mode=secure
# Note: 0=eth1wan, 1-4=eth2-5, 5=switch-chip-cpu

/interface ethernet switch vlan
add independent-learning=no ports=ether2 switch=switch1 vlan-id=201
add independent-learning=no ports=ether2 switch=switch1 vlan-id=202
add independent-learning=no ports=ether2,ether3 switch=switch1 vlan-id=203
add independent-learning=no ports=ether2,ether4,switch1-cpu switch=switch1 vlan-id=204
add independent-learning=no ports=ether2,ether5 switch=switch1 vlan-id=205


#BELOW IS THE DHCP SETUP

/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=192.168.201.1/24 interface="VL 201 Guest" network=192.168.201.0
add address=192.168.202.1/24 interface="VL 202 Fam" network=192.168.202.0
add address=192.168.203.1/24 interface="VL 203 Kids" network=192.168.203.0
add address=192.168.204.1/24 interface="VL 204 Office" network=192.168.204.0
add address=192.168.205.1/24 interface="VL 205 Staff" network=192.168.205.0

/ip pool
add name="Pool - Default" ranges=192.168.88.100-192.168.88.199
add name="Pool - 201 Guest" ranges=192.168.201.100-192.168.201.199
add name="Pool - 202 Fam" ranges=192.168.202.100-192.168.202.199
add name="Pool - 203 Kids" ranges=192.168.203.100-192.168.203.199
add name="Pool - 204 Office" ranges=192.168.204.100-192.168.204.199
add name="Pool - 205 Staff" ranges=192.168.205.100-192.168.205.199

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24
add address=192.168.201.0/24 gateway=192.168.201.1 netmask=24
add address=192.168.202.0/24 gateway=192.168.202.1 netmask=24
add address=192.168.203.0/24 gateway=192.168.203.1 netmask=24
add address=192.168.204.0/24 gateway=192.168.204.1 netmask=24
add address=192.168.205.0/24 gateway=192.168.205.1 netmask=24

/ip dhcp-server
add address-pool="Pool - Default" disabled=no interface=bridge1 name="DHCP Server 1 - Default"
add address-pool="Pool - 202 Fam" disabled=no interface="VL 202 Fam" name="DHCP Server 2 - Fam"
add address-pool="Pool - 201 Guest" disabled=no interface="VL 201 Guest" name="DHCP Server 3 - Guest"
add address-pool="Pool - 203 Kids" disabled=no interface="VL 203 Kids" name="DHCP Server 4 - Kids"
add address-pool="Pool - 204 Office" disabled=no interface="VL 204 Office" name="DHCP Server 5 - Office"
add address-pool="Pool - 205 Staff" disabled=no interface="VL 205 Staff" name="DHCP Server 7 - Staff"

Associated equipment is a hEX.

With this config it works…

@mkx but if in /interface bridge vlan I check VLAN Filtering, Ingress Filtering and set “admit only VLAN tagged”, it drops untagged packets on ingress and admits only tagged traffic, is that correct?

It affects only the bridge interface, not the rest of the bridge members. This behaviour is configured individually for each bridge member interface, and no, the bridge interface setting is neither a default for nor an override of the individual interface settings.
Of course, vlan-filtering is bridge (the switch like personality) setting and thus affects all bridge member interfaces.

Ok, thanks for your explanation!
At the moment I’m using the first of the two configs above (no switch chip; the switch-chip one doesn’t want to work, I’m working on that) but I’m in the same situation as @ashpri: /bridge settings use-ip-firewall disabled but it works. There’s no change between enabled or disabled. Looking at the packet flow diagram it seems strange to me.

Inter-VLAN communication always flows through L3 interfaces of router (e.g. the ones that have IP address configured) and in that case the IP firewall is always consulted. The only reason to enable use-ip-firewall on bridge is to mess with traffic which is intra-subnet and would be switched if a switch was used instead of routerboard device. And that is quite rare …