How to bridge 2 bridges ?

CsXen · September 4, 2018, 6:46pm

Hi.
In an old days, I made two switched group (eth2-eth5 and eth6-eth9) on my RB2011. After this, I put the master ports (eth2 and eth6) into bridge.
At this point, I could define some filtering between the two master port in the bridge.

Nowadays I made two bridge, which contains eth2-5 and eth6-9 respectively, and marked to hardware offload them. But I can’t put this two bridge into a master bridge… why ?
And how to resolve this bug feature ?

CZFan · September 4, 2018, 9:13pm

Not sure I understand correctly, but now the new way you create one bridge with all ports in the bridge, i.e. Ports 2 to 10 and leave port one out of bridge which will become your internet connection and traffic routed out via ether 1

CsXen · September 4, 2018, 9:41pm

HI.

And how to filter traffic, which belongs to one side (eth6-9) not to reach the eth2-5 side, if these are in one big bridge ? In old days, before “bridge with hardware offloading”, I can did it, because these two group was on different switch chips. (master and slave ports… but it vanished since 6.41)

Best regards: CsXen

ADahi · September 5, 2018, 2:14am

turn off hardware offloading, then you can filter the traffic

nescafe2002 · September 5, 2018, 7:09am

With master ports, it was possible to hw offload traffic betheen eth2-5 and eth6-9 and filter between both switch groups (via cpu).

Without hw offloading, you could join eth2-5 into interface list ‘switch1’ and eth6-9 into interface list ‘switch2’ and use these interface lists in bridge filter to simplify configuration.

With hw offloading, I’ve tried the following:

Create vlan 10 on bridge1 with untagged member ports eth2-5
Create vlan 20 on bridge1 with untagged member ports eth6-9
Set pvid for each bridge port member
Create vlan interface bridge1-vlan10 on bridge1
Create vlan interface bridge1-vlan20 on bridge1
Create bridge2
Add bridge2 port members bridge1-vlan10 and bridge1-vlan20
Enable bridge1 vlan filtering (*)
Move configuration items (ip address, filter rules, etc.) to bridge2
Apply bridge filtering on bridge2

But as soon as I enable vlan filtering (*), hw offload is deactivated, which is to be expected seeing https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

The question is: can you filter traffic between switch groups while still offloading traffic in the same switch group. This was possible in master port configuration.

sid5632 · September 5, 2018, 6:31pm

Don’t create bridge2. Put everything on bridge1. The VLAN setup should be all you need to segregate traffic at L2.
Don’t use VLAN filtering on the bridge. VLANs have to be done on the switch chips on the 2011.
If you want segregation at L3 then use firewall rules.

CsXen · September 9, 2018, 4:24am

Hi.
I simply downgraded to 6.40.9. This version still supports master/slave switch groups, and I can bridge the two groups then.

Best regards: CsXen

Jotne · September 9, 2018, 6:09am

No need to downgrade.
Why do you need two bridges?
You can always use multiple VLAN within one Bridge
Add some interface to one VLAN and some to another VLAN

CsXen · September 12, 2018, 4:31am

Hi.

Because one group is for 1G ports, and another is 100M ports. If they are in the same bridge, the slowest will be the overall bridging speed.

Best regards: CsXen