New Bridge/Vlan leakage

RouterOS Forwarding Protocols
1

Hi,

configured a RB450Gx4 with the new bridge/vlan scheme (ROS 6.47).

https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table#heading-TrunkAccessportsetup

Looks normal despite I could access the router with the Ethernet address of the raw ethernet port on a port configured as plain access port. So it is accessable with the configured vlan/ip on this port and additional I see discovery packets from the mac of the ethernet port. Doing mac-ping on bridge mac or ethernet mac I get double packets answered. Could login on both MAC-Adresses.

Expected behavior I have to work around with Layer2 filtering?

2

The expected behavior all depends on how you did the configuration and without seeing this makes it impossible to comment.
I do suspect that you stopped halfway, if you read further in the quoted URL, you will see where it talks about “Unintentionally allowed management access…” And explains how to correct this

3

Did read the section but may miss a point. Reduced the config to the bridge/vlan part:

/system identity set name=gwleak

/interface bridge
add ingress-filtering=yes name=bridge1 vlan-filtering=yes

/interface vlan
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan2 vlan-id=2
add interface=bridge1 name=vlan4 vlan-id=4
add interface=bridge1 name=vlan11 vlan-id=11

/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface=ether2
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=2
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=2

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=1
add bridge=bridge1 tagged=ether2,bridge1 untagged=vplsTunnelXXX vlan-ids=4
add bridge=bridge1 tagged=ether2,bridge1 vlan-ids=11
add bridge=bridge1 tagged=bridge1 untagged=ether3,ether4 vlan-ids=2
/ip address
add address=192.168.50.201/28 interface=vlan11 network=192.168.50.192
add address=213.185.129.178/29 interface=vlan11 network=213.185.129.176
add address=192.168.52.209/28 interface=vlan1 network=192.168.52.208





This is neighbor discovery from another MT box reachable via ether3. 48:8F:5A:11:F1:C2 is MAC of ether3, 48:8F:5A:11:F1:C1 is MAC of ether2/bridge interface.


1 interface=ether2,bridge-local mac-address=48:8F:5A:11:F1:C2 identity=gwleak platform=MikroTik version=6.47 (stable) unpack=none age=35s interface-name=bridge1/ether3 system-descript
ion=MikroTik RouterOS 6.47 (stable) RB450Gx4 system-caps=bridge,router system-caps-enabled=bridge,router
2 interface=ether2,bridge-local address=192.168.180.19 address4=192.168.180.19 mac-address=48:8F:5A:11:F1:C1 identity=gwleak platform=MikroTik version=6.47 (stable) unpack=none age=35
s uptime=7m18s software-id=NK1R-I2VX board=RB450Gx4 ipv6=no interface-name=vlan2 system-description=MikroTik RouterOS 6.47 (stable) RB450Gx4 system-caps=bridge,router system-caps-enab
led=bridge,router

I could login with winbox on both MAC Adresses.

4

Reason for tagged and untagged access to device is your bridge vlan configuration, currently it is on default which is “Admit all” frame types
The “bridge” interface provides access to the CPU, i.e. the Mikrotik itself. As per the artile you quoted in OP, if you change the setting to the below it will correct this.

add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge1 vlan-filtering=yes

Above explained here in article you quoted / followed
bridge frame type.JPG
Before making this config change, read below suggestion, especially point 2, depending on your config, you can lose access to the device if you don’t have a management vlan

2 suggestions:

  1. Stay away from using vlan id “1”, not saying it cant be used, but this is the “native” vlan id and can confuse matters.
  2. Not a suggestion, more a really MUST do, create a management vlan and access device using that to manage the device and prevent unauthorized access

Read the article you quoted again to make sure you understand it, if more questions, welcome to ask here

5

Thanks for your help.

Did just/only this and nothing changed:

add frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge1 vlan-filtering=yes

6

The bridge config seems to let the ethernet port itself work additional/as before without beeing part of the bridge.

7

As I said in my post, the “bridge” interface provides access to the CPU, i.e. the device itself, you have:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=1
add bridge=bridge1 tagged=ether2,bridge1 untagged=vplsTunnelXXX vlan-ids=4
add bridge=bridge1 tagged=ether2,bridge1 vlan-ids=11
add bridge=bridge1 tagged=bridge1 untagged=ether3,ether4 vlan-ids=2

So all these vlans have access to the device itself. If these vlans need access to the “Bridge”, for i.e. pppoe termination, or DHCP, etc, only you can tell.

So if above is the case, then you must create a “Management Vlan” and add “Management Access Limits” using Discovery, Mac-Tel, Firewall rules, etc

8

Yes. I want to do routing between vlans. So it should be reachable. My problem is to see the bridge mac and the Ethernet MAC.

9

Sorry, then I misunderstood your question in OP.

In default config, MNDP broadcasts on all interfaces except dynamic ones, so in this case, the ether interface as well as the “bridge interface”, so yes, you will see both