How can i add interface to two bridge?

mikruser · April 8, 2016, 2:36pm

Hello,

I have ether1 and ether2 as two providers links, and ether3 and ether4 as two esxi hosts.
I need create bridge1 (ether1, ether3, ether4) with IP1 and bridge2 (ether2, ether3, ether4) with IP2, but i cannot add interface to two bridge.

samsung172 · April 8, 2016, 3:06pm

You need to put a vlan in each bridge - and bridge this with the third bridge.

mikruser · April 8, 2016, 3:23pm

How can i add bridge to other bridge?
In Winbox i can add only Interfaces.

pe1chl · April 8, 2016, 4:03pm

It is probably better to first re-think your setup…
What do you want to accomplish? Can’t you make separate VLANs on the ESXi hosts for each provider?

mikruser · April 8, 2016, 4:26pm

I cant touch esxi settings. I must do it with Mikrotik settings.
Currently i have very simple setup: two providers links and two esxi hosts (with vm router) connected to one switch.
I need replace vm router to Mikrotik router.
Why i cannot simply set IP-addresses to ether1 and ether2, add eth1//2/3/4 to bridge, and use it???
Why i get error message
“in/out-interface matcher not possible when interface (ether-gw) is slave - use master instead (bridge-gw)”

pe1chl · April 8, 2016, 5:41pm

Of course you can use one bridge! That will be similar to a switch.
However, you stated you wanted two bridges. That is a different story.
Of course when you want filtering with a bridge you must use it as a bridge
filter, not a firewall filter.

mikruser · April 8, 2016, 5:59pm

>>Of course you can use one bridge! That will be similar to a switch.
cannot.
Mikrotik cannot use individual IP on individual interfaces, when these interfaces in bridge. See error:
“in/out-interface matcher not possible when interface (ether-gw) is slave - use master instead (bridge-gw)”.
I am very disappointed by the RouterOS…

ZeroByte · April 8, 2016, 9:44pm

I think your fundamental understanding of networking is probably not correct.
Your desired configuration doesn’t make sense to me - why are you trying to bridge things in this way?
What ethernet-layer behavior are you working towards / working around?

In very general terms, state your goal:
ex: “I want two servers to be protected from a LAN, but have access to two different ISPs”
or
“I want servers to have a public IP address from each of my ISPs”

etc -

Mikrotik/RouterOS lets you do a lot of things, many of which are “strange”/“mad science” solutions that don’t strictly adhere to “best practice…”

BartoszP · April 8, 2016, 9:59pm

Are You sure ? It works for me

/interface bridge port
add bridge=BRIDGE interface=ETH1
add bridge=BRIDGE interface=ETH2-TV
add bridge=BRIDGE interface=ETH3-SAT
add bridge=BRIDGE interface=WIFI
add bridge=BRIDGE interface=VIRTUALWIFI
/ip address
add address=10.10.10.17/24 interface=ETH2-TV network=10.10.10.0
add address=10.10.10.18/24 interface=ETH3-SAT network=10.10.10.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=BRIDGE

Is it message from firewall ?
Interfaces in the bridge are slaves and you cannot use them at regular firewall level. If you wish, then there is filter section at bridge level
so you can filter traffice insde bridges.

“The hardest thing in the world to understand is the income tax.” (c) A. Einstein
So start with simple things : http://forum.mikrotik.com/viewtopic.php?f=2&t=72736&start=50#p418055

mikruser · April 9, 2016, 8:01am

>>Is it message from firewall ?

This error message from Mangle rules

mikruser · April 9, 2016, 8:17am

>>In very general terms, state your goal:

I already describe my current configuration: Currently i have very simple setup: two providers links and two esxi hosts (with vm router) connected to one external switch.
I need replace vm router to Mikrotik router (also it is necessary to remove the external switch).
Mikrotik should have IP1 on eth1 and IP2 on eth2. Esxi hosts connect to eth3 and eth4 (VMs should have IP3/4/5… from both providers)

pe1chl · April 9, 2016, 8:33am

Why would you want to put an IP address on the bridge?
When it is a bridge, it does not need an IP address to make packets flow through!
An address is only required for traffic that flows into or out of the bridge (to the router itself)

mikruser · April 9, 2016, 8:43am

>>Why would you want to put an IP address on the bridge?
I no need IP on bridge!
I need IPs on eth1, eth2, and on VMs. (All VMs shoud have access to both provider)

pe1chl · April 9, 2016, 9:13am

No you don’t need those either.
The bridge will just pass traffic based on MAC address.

samsung172 · April 9, 2016, 11:21pm

still - my first post. to bridge bridges - add some vlan to the bridges you want to bridge. And bridge the vlan in a new bridge. This is a bit off box thingking, compared to cisco etc - but soooooooooo much more managable. if you add a vlan. a vlan is just a vlan. And can be the same vlan manny times. The macic just happen when vlan is bridged. In other system. Once you add a vlan. you add a vlan… and its like "ah. you add the same… we automaticly bridge… even if thats not what you want.

mikruser · April 10, 2016, 8:48am

>>to bridge bridges - add some vlan to the bridges you want to bridge.

ok. but i no need tagged traffic. how can i create virtual interface without tagging?

ZeroByte · April 11, 2016, 3:06pm

okay - this is getting somewhere.

Now - first off, you do not want to do this by bridging the two providers together. It’s bad design to do so.
You have three options:
1)
Use a single internal IP range for your server network and assign just one private IP to each server
Then use dstnat from ISP1 address X → server-in-ether3 / and ISP2 address X → server-in-ether3
and use dstnat from ISP1 address Y → server-in-ether4 / and ISP2 address Y → server-in-ether4
Finally, use policy routing to mark connections based on which ISP is used and stick the routing to the correct ISP

this is very doable but involves a lot of settings in the mangle table and extra routing tables, and isn’t that straightforward in my opinion. However,
if you’re going to be using dual-ISP configuration for other devices, then doing the same for the servers isn’t going to add much complexity to this and you’re going to need to do it anyway, so why not?

Use a VLAN tag on the servers to make them aware of the two ISP networks and that way, on the server side, you have two discreet interfaces that each one can know exactly what its supposed to do. Then on the Mikrotik, use two WAN bridges (named wanbridge1 wanbridge2 for instance) and connect ether1, ether3.vlan100, and ether4.vlan100 to wanbridge1, and connect ether2, ether3.vlan200, and ether4.vlan200 to wanbridge2.
You then put the Mikrotik’s own two ISP addresses on wanbridge1 and wanbridge2.

3) - less clean solution but easy enough to do and would be the most similar to what you were doing before:
Use a single WAN bridge, and connect ports ether1, ether2, ether3, and ether4 to the one bridge (just call it WAN).
Then in the bridge > ports menu, set horizon=1 on ports ether1 and ether2. This way, the ISP circuits won’t see each other, but the Mikrotik and servers will be able to use both. You’d assign two IP addresses to the WAN interface and to the servers just as you did before.

mikruser · April 12, 2016, 10:35am

>>3) - less clean solution but easy enough to do and would be the most similar to what you were doing before:
Use a single WAN bridge, and connect ports ether1, ether2, ether3, and ether4 to the one bridge (just call it WAN).
Then in the bridge > ports menu, set horizon=1 on ports ether1 and ether2. This way, the ISP circuits won’t see each other, but the Mikrotik and servers will be able to use both. You’d assign two IP addresses to the WAN interface and to the servers just as you did before.

Thanks, a variant 3) is acceptable.
But, when i set:
set “Use IP Firewall” on bridge
set IP1 to ether1
set Out.BridgePort=ether1 on Firewall Filter Rules forward rule
set Out.BridgePort=ether1 on Firewall NAT masquerade rule

i cannot communicate from LAN to Internet!

(communication work only when i set IP1 to bridge_wan and change Out.BridgePort=ether1 to OutInterface=bridge_wan, but i need IP1/IP2 on ether1/ether2)

Sob · April 12, 2016, 3:30pm

If you bridge some interfaces together, they no longer behave as separate interfaces. It’s like regular ethernet switch, everything is connected with everything. On IP level, router does not care if something came from one interface or the other, from its point of view it came from bridge interface. Period. Therefore assigning IP address to bridged interface does not make sense.

One more thing, can you write more about your addresses? Because I can’t see anything about it in this thread and it’s important too. Specifically, from ISP1 you have:

a) Just one public address.
b) Several public addresses, but you have to use ISP’s gw. E.g. you’d have 1.2.3.0/24 for your use, but with gw 1.2.3.1 assigned to ISP’s router.
c) Routed public subnet, completely yours. E.g. ISP’s router has 1.2.3.1/30 and yours 1.2.3.2/30 to talk to each other. And on top of that you have another 1.2.10.0/24 routed to you.

And then the same question for ISP2.

mikruser · April 12, 2016, 3:56pm

_>>If you bridge some interfaces together, they no longer behave as separate interfaces.

Therefore assigning IP address to bridged interface does not make sense._

Are you sure? I can ping IP1 from internet and can ping internet resources from Mikrotik, but i cannot communicate from LAN to Internet!
And if “they no longer behave as separate interfaces” why Mikrotik allows you to assign addresses to them?

>>One more thing, can you write more about your addresses?
variant b) for both ISP.