How to hide a bridge?

Please advise.
There is a network:
A network bridge is created by two access points. The point at 192.168.1.100 has 3 interfaces: eth1 is the cable, wlan1 is the radio channel, and bridge1 is the bridge between eth1 and wlan1. The second point, 192.168.1.101, has the same scheme. Each interface has its own MAC address. The bridge0 interface is selected as the main interface of the points creating the bridge. The addresses of the points are static.

The problem is that the central router 192.168.1.1 somehow, inexplicably, finds the MAC addresses of the other interfaces (eth1 and wlan1) and persistently tries to issue them IP addresses. This is impossible, since the address pool lies outside the bridge's addresses, but it keeps trying very often, several times a second, which loads the processor very heavily:
WDS on the bridge is enabled in dynamic bridge mode.
I tried enabling and disabling ARP on all interfaces, one after another and in different combinations; there is no effect.
Can you suggest what can be done with them so that DHCP does not go mad?
Can the points forming the bridge be moved to another subnet, or can a VLAN be created for them?

  • make sure you have a fixed admin mac address on your bridge! (copy the ether1 or wlan1 MAC to it and save it)
  • make sure you have a DHCP client only on your bridge, not on the ether1 or wlan1 interface (although there should be an error when you try)

Disable DHCP-client on your Mikrotik devices. They have static IPs already.
Also, check that DHCP-Relay is disabled.

Both DHCP client and DHCP server and DHCP relay are disabled, marked with the x flag.

Maybe your wifi link is not transparent? Then the devices at one side get the MAC address of the wlan.

Not quite sure what to do… Did you mean to set the MAC addresses the same for all interfaces? At the moment, bridge and wlan have the same MAC address; it is shown in the screenshot above (the Zyxel is trying to give it the IP). But eth has a different MAC.

Static IP addresses are used for the access points forming the bridge. Why do I need a DHCP client?

That's possible. But the link works in bridge mode… why the central router tries to give an IP to all the MAC addresses of a point isn't clear to me… It seems to me that the problem is in ARP: when I disable it on all interfaces, the problem disappears, but because of this the access point disappears from the network and I cannot reach it by IP (only by MAC), which is not convenient for me since the equipment is administered remotely through NAT.

post the output of /export hide-sensitive for both devices

/export hide-sensitive

# sep/24/2019 20:35:42 by RouterOS 6.45.6
# software id = 5UEX-MSAK
# model = 433
# serial number = 1996063BF467

/interface bridge
add fast-forward=no mtu=1500 name=bridge1
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode country=russia default-authentication=no default-forwarding=no disabled=no frequency=5240 frequency-mode=superchannel mode=bridge multicast-helper=full ssid=Xline wds-default-bridge=bridge1 wds-mode=dynamic wireless-protocol=nv2
set [ find default-name=wlan2 ] default-authentication=no frequency-mode=regulatory-domain mode=ap-bridge ssid=Xline tx-power=20 tx-power-mode=all-rates-fixed wds-default-bridge=bridge1 wds-mode=static wireless-protocol=nv2
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface wireless nstreme
set wlan1 enable-nstreme=yes framer-policy=dynamic-size
set wlan2 enable-nstreme=yes
/interface list
add exclude=dynamic name=discover
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] group-ciphers=tkip,aes-ccm supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=profile1 static-algo-0=40bit-wep supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" name=profile2 supplicant-identity=""
/ip dhcp-server
add authoritative=after-2sec-delay interface=ether1 lease-time=3d name=dhcp1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=200
set 1 disk-lines-per-file=100
/interface bridge filter
add action=drop chain=input dst-port=68 in-interface=ether1 ip-protocol=udp mac-protocol=ip
/interface bridge port
add bridge=bridge1 hw=no interface=ether1
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=ether1 list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=bridge1 list=discover
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireless access-list
add comment=JD interface=wlan1 mac-address=D4:CA:6D:FF:B5:82 vlan-mode=no-tag
/interface wireless cap
set bridge=bridge1 discovery-interfaces=ether1,ether2,ether3,wlan2 interfaces=wlan1
/ip address
add address=192.168.1.100/24 comment="default configuration" interface=bridge1 network=192.168.1.0
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip dns static
add address=192.168.1.100 name=router
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=JH

/export hide-sensitive

# sep/24/2019 20:43:06 by RouterOS 6.45.5
# software id = 637Z-QL88
# model = SXT 5nD r2
# serial number = 4681027491BA

/interface bridge
add fast-forward=no mtu=1500 name=bridge1
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode country=russia disabled=no frequency=auto frequency-mode=regulatory-domain mode=station-bridge ssid=Xline wds-default-bridge=bridge1 wds-mode=dynamic wireless-protocol=nv2
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless nstreme
set wlan1 enable-nstreme=yes
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=pool1 ranges=10.0.0.10,10.0.0.100
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 hw=no interface=ether1
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=discover
add interface=bridge1 list=discover
/ip address
add address=192.168.1.101/24 interface=bridge1 network=192.168.1.0
/ip dns
set servers=192.168.1.1
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=JD
/system leds
set 0 interface=wlan1
/system logging
set 0 disabled=yes

What about this?

/ip dhcp-server
add authoritative=after-2sec-delay interface=ether1 lease-time=3d name=dhcp1

It is not running.

Nothing obvious jumps out, although what is

/interface bridge filter
add action=drop chain=input dst-port=68 in-interface=ether1 ip-protocol=udp mac-protocol=ip

for?

The only thing which comes to mind is that the wireless link isn't operating transparently, so a device connected at the remote end has its MAC address replaced by one on the SXT Lite and the DHCP offer is sent to the wrong address, although I would expect none of the remote devices to be able to obtain an address if this were the case.

This one blocks DHCP offers and DHCP acknowledgements traveling from ether1 towards anywhere else. See description of DHCP operations. Which means that any potential DHCP offers that DHCP server might issue can’t reach clients beyond ether1 of this RB.

My guess: it’s the WDS which screws things (I’m not sure that WDS link is truly transparent on L2). As both devices are Mikrotiks and they are already set up as bridge and bridge-station, the WDS mode shouldn’t be necessary and would be best to switch it off.
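As an added example (not code from this thread, from MikroTik, or from RouterOS), a small Python audit that parses text in /export form and flags the three pitfalls the replies point at: a bridge without a pinned admin-mac, a DHCP client or server bound to a bridge member port rather than to the bridge itself, and WDS left enabled on a bridge/station-bridge link. The export excerpt is constructed from the thread's settings, and the rule set is an assumption drawn from the advice above, not a RouterOS feature.

```python
import re

# Constructed /export-style excerpt modelled on the thread (not the full exports);
# values are unquoted, which is all this small parser handles.
SAMPLE_EXPORT = """\
/interface bridge
add fast-forward=no mtu=1500 name=bridge1
/interface wireless
set [ find default-name=wlan1 ] mode=bridge wds-default-bridge=bridge1 wds-mode=dynamic
/ip dhcp-server
add authoritative=after-2sec-delay interface=ether1 lease-time=3d name=dhcp1
/interface bridge port
add bridge=bridge1 hw=no interface=ether1
add bridge=bridge1 interface=wlan1
"""

def parse_export(text):
    """Group each add/set line under its '/menu path' as a dict of key=value pairs."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line:
            sections[current].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return sections

def audit(sections):
    """Flag the bridge/DHCP pitfalls raised in the thread; returns a list of findings."""
    findings = []
    # 1. the bridge MAC should be pinned (admin-mac set and auto-mac=no)
    for b in sections.get("/interface bridge", []):
        if "admin-mac" not in b or b.get("auto-mac", "yes") != "no":
            findings.append(f"bridge {b.get('name')}: admin-mac not fixed")
    # 2. DHCP client/server belong on the bridge, not on one of its member ports
    ports = {p["interface"] for p in sections.get("/interface bridge port", [])}
    for c in sections.get("/ip dhcp-client", []):
        if c.get("interface") in ports:
            findings.append(f"dhcp-client on bridge port {c['interface']}")
    for s in sections.get("/ip dhcp-server", []):
        if s.get("interface") in ports:
            findings.append(f"dhcp-server {s.get('name')} bound to bridge port {s['interface']}")
    # 3. a bridge/station-bridge link should not also run WDS (assumed rule, per the thread)
    for w in sections.get("/interface wireless", []):
        if w.get("mode") in ("bridge", "station-bridge") and w.get("wds-mode", "disabled") != "disabled":
            findings.append(f"wds-mode={w['wds-mode']} on a {w['mode']} link")
    return findings
```

Run `audit(parse_export(open("export.rsc").read()))` against a real export to get the same three classes of warning; quoted values such as `comment="default configuration"` are not parsed by this helper.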