Feature Request: Bridge Joiner

rplant · January 16, 2021, 10:07pm

Hi,
Could you perhaps implement a ethernet joiner object to join 2 separate bridges together.
Object has 2 interfaces (similar but different to a vlan object)
Ideally its only option would be maximum frame size.
With bridge filtering being used to limit what is allowed between the 2 lan segments.

Sometimes (not very often thankfully) I would like to partially join two networks together.
Old common use case would be PPPoE passthrough.

I can do this currently, by using a cable between 2 interfaces. Which is ugly and uses 2 ports
and breaks when someone unplugs the lead, but is fairly fast.

Thanks

mkx · January 17, 2021, 9:19am

You can already do it … using another bridge.

rplant · January 17, 2021, 10:14pm

Cool, I hope…

Though I have now attempted to do this, and it is not obvious how I can join them.
Do you have an example?

Thanks

Sob · January 17, 2021, 10:46pm

The idea is that instead of joining two bridges, you take all ports from both and add them to one common bridge. Which will give you the same result as joining two bridges would, therefore you don’t need to join bridges.

If you can explain how joining bridges would be different and better, it would be a good first step to eventually get it implemented.

bpwl · January 18, 2021, 10:45am

I understand the need for 2 or more bridges. One can set many different things in the two bridges. The separation is clean, and the link can be specific for protocol or speed.

I know we moved away from this multi-bridge model for VLAN separation, as the bridge/switch handles the VLAN now. But there is more than VLAN to separate.

I used to do this often in a Fortigate with “VDOM”. Separate firewall’s with virtual interfaces between them. Actually this is possible in RouterOS with MetaRouter. But the MetaRouter is too big to have multiple. (It’s like having virtual machines in Windows (Virtualbox, VMware, …) where you actually would like to see virtual application in one OS (like APP-V (Softgrid), or VMware ThinApp), that is more what VDOM in the Fortigate does.) There are really multiple cases for this multiple “VDOM”/“MetaRouter” design, but MetaRouter requires too many resources.

But here the question is just multiple bridges (only one can be HW offloaded per switch chipset) , with virtual interfaces between them. Would also be nice to connect to HW offloaded bridges, without losing HW ethernet interfaces.

I just tred to do it with “virtual ethernet” but found no way to connect any virtual interface to 2 bridges at the same time. If we have such virtual interface it could be done.
Or should we use a tunnel. What would be the better choice? EoIP, MPLS/VPLS, VxLAN, SSTP tunnel, PPtP tunnel, and other ways to directly connect the 2 LAN’s ?

mkx · January 18, 2021, 9:11pm

Something in line of this:

/interface bridge
add name=bridge_left
add name=bridge_right
add name=bridge_top

/interface bridge port
add bridge=bridge_left interface=ether1
add bridge=bridge_left interface=ether2
add bridge=bridge_left interface=ether3
#
add bridge=bridge_right interface=ether8
add bridge=bridge_right interface=ether9
add bridge=bridge_right interface=ether10
#
# bridge both bridges
add bridge=bridge_top interface=bridge_left
add bridge=bridge_top interface=bridge_right

Now it’s possible to use e.g. bridge filtering on bridge_top to control traffic between left and right bridge.

It is important to keep in mind that every bridge has associated interface (with the same name) which is usually used for higher-layer configuration (e.g. IP config) but they are L2 interfaces never the less, similarly to ether or wlan interfaces.

Sob · January 18, 2021, 9:36pm

@mkx: What RouterOS do you have that it lets you do that?

rplant · January 18, 2021, 10:41pm

One use case, pppoe pass through, previously a common option on consumer home routers,
probably less so now when pppoe is less used.
Nice when your ISP would allow you to connect more than once using your credentials.

Your PC could (when necessary) get a routable IP on it directly, just by firing up a pppoe connection.

Filtering rules:

/interface bridge filter
add action=accept chain=forward in-interface=ether2 mac-protocol=
pppoe-discovery
add action=accept chain=forward in-interface=ether3 mac-protocol=
pppoe-discovery
add action=accept chain=forward in-interface=ether2 mac-protocol=pppoe
add action=accept chain=forward in-interface=ether3 mac-protocol=pppoe
add action=drop chain=forward in-interface=ether2
add action=drop chain=forward in-interface=ether3

I have another use case, trying to hide a bit from a bunch of IOT stuff, with
the IOT stuff likely having a different default gateway/dhcp server. I can see and connect to it
(It has more difficulty connecting to me) Though this still needs more thought, and maybe igmp proxy
would be an (better??) alternative to this.

I tried to join bridges as per @mkx, but it wouldn’t let me

Sob · January 18, 2021, 11:58pm

You could as well bridge all ether1, ether4 and ether5 together, add filters between ether1 and ether4/5, and it would work too. But I do agree that having only one interface instead of separate WAN and LAN would complicate things, it would need additional filters to separate router’s own communication with WAN and LAN.

bpwl · January 19, 2021, 9:27am

Didn’t see the hierarchical bridge solution as I only tried with the GUI. There, interfaces are a drop-down list , and the bridges are not in that list. Maybe making a interface list with the lower bridges would make it GUI configurable.

Hmmm all 3 remain “root” in STP ???

Sob · January 19, 2021, 11:14am

Nope, interface list doesn’t help:

/interface list
add name=bridge-port-test
/interface list member
add interface=bridge1 list=bridge-port-test
add interface=ether3 list=bridge-port-test
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge2 interface=bridge-port-test

/interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                      BRIDGE                     HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0     ether2                         bridge1                    yes    1     0x80         10                 10       none
 1     bridge-port-test               bridge2                    yes    1     0x80         10                 10       none
 2  D  ether3                         bridge2                    yes    1     0x80         10                 10       none

mducharme · January 30, 2021, 1:28am

I have a similar use case that this would work for. We do rate limiting for VPLS tunnels with interface attached queue trees on the bridge ports, which only shape egress. If a multiple outbound VPLS tunnels are connecting to a single bridge at a customer location in PtMP fashion, I would like to be able to rate limit the total of all VPLS tunnels rather than assigning a rate per tunnel. With something like a “bridge joiner”, this might be possible. You could connect the VPLS tunnels to one bridge and rate limit the egress on the “bridge joiner” which would impact all of the VPLS tunnels as a whole. I do see some use cases for such an option.

This feature is already in Linux apparently as a “veth” interface: https://linux-blog.anracom.com/tag/linux-bridge-linking/

So MikroTik may not have to build such an option from the ground up.