I carefully read about the new bridge VLAN filtering feature in version 6.40 and later, including the examples, and I am trying to build such an approach, which I think is often required.
It is a mix of bridging and routing, e.g.:
The link from the ISP carries two services on ether1:
vlan 401: internet, public IP 172.16.10.10/24, gw 172.16.10.1
vlan 501: something else without IP; it needs to be passed to the local net as it is
Local network on ether2:
vlan 1501 (this is my VLAN, I can choose it), IP 10.10.10.1/24 with DHCP
vlan 501 without IP; it must pass through tagged from ether1 to ether2
As you can see, my local network connected to ether2 must route to the internet, masquerading behind the ISP public IP and its gateway,
while vlan 501 must be bridged from ether1 through to ether2.
Can anyone help me with a correct configuration?
Is this the case to use the new bridge VLAN filtering feature?
My solution for similar task (ISP delivers PPPoE untagged and IPTV multicast tagged with VID=3999) is as follows:
First of all, I joined all ethernet ports to one bridge (the difference from the default is that I added ether1 to the default bridge).
I set up the VLANs in /interface ethernet switch port and /interface ethernet switch vlan.
In your case I’d do the following:
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 vlan-mode=secure
set 2 vlan-mode=secure
set 3 vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=fallback
# N.b.: the interface with index 5 is the switch1-cpu pseudo-interface, which connects the RB's main CPU with the switch chip
/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether1 switch=switch1 vlan-id=401
add independent-learning=no ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=501
add independent-learning=no ports=switch1-cpu,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=1501
and then use the ether1 (former WAN) port to connect towards the ISP, while the other ports (2-5) are all intended for LAN, all carrying VLANs 501 and 1501.
Set up the appropriate router interfaces/addresses for the internet stuff:
In that case, both physical interfaces will be member ports of the same bridge. Until you activate vlan-filtering, all VLANs will be transparently forwarded between the physical interfaces.
/interface bridge add name=my-bridge vlan-filtering=no
/interface bridge port add bridge=my-bridge interface=ether1
/interface bridge port add bridge=my-bridge interface=ether2
Then, you configure VLAN interfaces for WAN and LAN:
Now you can attach IP configuration to the VLAN interfaces (a static address or DHCP client for WAN, a static address and DHCP server for LAN), create the firewall rules, etc.
At this moment, VLAN 501 is transparently forwarded between ether1 and ether2, and both VLAN 401 and 1501 are available at both ether1 and ether2 as well.
To enforce a different behaviour, you have to configure vlan-filtering first.
It unfortunately does. The thing is that on models with a switch chip there is a port of that chip which is only mentioned as “switchN-cpu” in the /interface ethernet switch configuration subtree. And in the /interface bridge vlan configuration, the name of the bridge itself in the list of member ports of the VLAN actually substitutes for the name of the CPU port: if it is not mentioned, the CPU port is not made a member of the VLAN, so the CPU does not get the packets. You didn’t need the router to have an IP interface in that VLAN, so it seemed appropriate not to list the bridge name (= the CPU) among the VLAN members. However, it seems that even on models without a switch chip, you still have to mention the bridge name, although there is no other way the frames could get from one port to another than via the CPU.
I would expect that future software releases will eventually hide this from the user and automatically set the configuration depending on the model and on whether anything in the configuration (IP address, DHCP client, PPPoE client) indicates that a given VLAN must be extended to the CPU, but right now you have to indicate it the way you did.
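As an added worked example (not any poster's own configuration), here is the bridge-VLAN-filtering variant of the setup asked about in this thread, applying the point made above: VLANs 401 and 1501 list the bridge itself as a tagged member so the CPU receives them, while VLAN 501 does not and is only bridged between ether1 and ether2. The interface names, the DHCP pool range, the DNS/resolver values and the ingress-filtering and firewall hardening are my assumptions, not from the thread.

```routeros
# Added example, not from the thread. Assumes RouterOS with bridge VLAN filtering,
# ether1 towards the ISP and ether2 towards the LAN; pool/DNS values are constructed.
/interface bridge
add name=my-bridge vlan-filtering=no
/interface bridge port
# Both links carry only tagged frames: drop untagged frames and frames in VLANs
# that are not configured below (assumed hardening, not required by the thread).
add bridge=my-bridge interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=my-bridge interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
# 401: ISP uplink terminated on the router; "my-bridge" here stands for the CPU port.
add bridge=my-bridge tagged=my-bridge,ether1 vlan-ids=401
# 501: transparently bridged ether1 <-> ether2; no bridge member, so the CPU never sees it.
add bridge=my-bridge tagged=ether1,ether2 vlan-ids=501
# 1501: LAN VLAN terminated on the router.
add bridge=my-bridge tagged=my-bridge,ether2 vlan-ids=1501
/interface vlan
add name=vlan401-wan interface=my-bridge vlan-id=401
add name=vlan1501-lan interface=my-bridge vlan-id=1501
/ip address
add address=172.16.10.10/24 interface=vlan401-wan
add address=10.10.10.1/24 interface=vlan1501-lan
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.10.1
/ip pool
add name=lan-pool ranges=10.10.10.100-10.10.10.200
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
/ip dhcp-server
add name=lan-dhcp interface=vlan1501-lan address-pool=lan-pool disabled=no
/ip dns
# Upstream resolver is an assumed placeholder (the ISP gateway); replace with your own.
set allow-remote-requests=yes servers=172.16.10.1
/ip firewall nat
add chain=srcnat out-interface=vlan401-wan action=masquerade
/ip firewall filter
# Because the router now answers DNS, keep the WAN side closed: allow replies, drop the rest.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=vlan401-wan action=drop
# Turn filtering on last, once every VLAN the CPU needs lists the bridge as a member.
/interface bridge set my-bridge vlan-filtering=yes
```

Apply the final `set ... vlan-filtering=yes` only after verifying the VLAN table, since a VLAN that omits the bridge name stops reaching the CPU the moment filtering is enabled.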