I have a little problem upgrading to 6.41 with the new bridge implementation. Pre-6.41 I could use both master-slave and bridge configurations at the same time on the same ports: I let the master-slave configuration handle users' traffic and let the bridge configuration handle my own monitoring traffic, using just one port to monitor all other ports at the same time.
As you know, after 6.41 the update eliminates the use of master-slave configuration and relies only on bridge with hw-offload. I like the idea, but I don't have an idea of how to apply my same setup post 6.41.
I’ve attached a simple picture to explain what I mean.
Ether1 and Ether2 are their own network using Master-Slave
Ether3 and Ether4 are their own network using Master-Slave
Ether1, Ether3 and Ether5 are all in one bridge, with Ether1 and Ether3 using a horizon value of 1 (making them not see each other) and Ether5 using a horizon of 2 (making it see both the Ether1 and Ether3 groups and thus being used for monitoring and control from my side).
Upgrading to 6.41 will merge my configuration making all ports see each other.
I'm having a bit of trouble thinking of a solution to get the same results using just bridges or VLANs.
Sorry, maybe I wasn't clear. I use the bridge to monitor clients' devices and other MikroTik devices in each network (Ether1, 2, 3 and 4). Ether5 is connected to an access point that sends the traffic remotely to my computer in the office.
Wouldn't using no horizon at all but using bridge filters allow what you want (prevent ether1,2 from seeing ether3,4 and ether5)? You can use interface lists… Same goes for Switch > ACLs.
Why the need to be in L2 to send traffic to monitor? IDS? Are you mirroring traffic and sending it towards your office? Wouldn’t IP > Traffic Flow be a better method?
This is helpful, I'll try the bridge filters and report back, although I have no idea how to use filters; that's why we used that method in the first place.
If you want to isolate clients on the switching chip (which is my understanding of what you want to do) you need to use the port isolation feature on CRS switches. For routerboard devices I have no idea how to resolve this though…
Did you enable “Use IP Firewall” (on Bridge [Settings])? Filters won’t work otherwise AFAIK.
If you did, maybe (as I still don't fully understand your requirements) it could be done as whitbread said, using port leakage and isolation or ACLs.
Correction: if using L2 bridge filters, there's no need to enable "Use IP Firewall". Just tested on 6.41 (on a RB1100AHx2), and even with hw offload enabled, L2 filtering (e.g. manipulating priority, VLAN, etc.) does work fine too.
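The bridge-filter approach suggested above, written out as an added example (not posted by anyone in this thread): a single bridge with all five ports, two interface lists grouping the client networks, and two L2 forward-chain drop rules so the groups cannot reach each other while ether5 still reaches both. The bridge name `bridge1` and the list names `net-a` / `net-b` are assumptions; `in-interface-list` / `out-interface-list` on bridge filter rules are assumed to be available on 6.41.

```routeros
# Added example, not from the thread. Assumed names: bridge1, net-a, net-b.
/interface bridge
add name=bridge1

# All ports in one bridge (this is roughly what the 6.41 upgrade produces)
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

# Group the two client networks so the rules do not need one line per port pair
/interface list
add name=net-a
add name=net-b
/interface list member
add list=net-a interface=ether1
add list=net-a interface=ether2
add list=net-b interface=ether3
add list=net-b interface=ether4

# L2 bridge filter, forward chain: drop anything bridged between the two
# groups in either direction. ether5 is in neither list, so frames between
# ether5 and either group are still forwarded, which is the monitoring path.
# Traffic within a group (ether1<->ether2, ether3<->ether4) is untouched.
/interface bridge filter
add chain=forward in-interface-list=net-a out-interface-list=net-b action=drop
add chain=forward in-interface-list=net-b out-interface-list=net-a action=drop
```

After applying it, watch the counters on the two drop rules while generating traffic from ether1 towards ether3 to confirm the isolation actually takes effect on your hardware; as with the old horizon setup, the monitoring host on ether5 is reachable from both groups, so restrict it on the host or with a further rule if that matters.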
Ports will not have H in front, ROS will disable it.