Problem with port isolation on crs326-24g-2s+rm

This is my crs326-24g-2s+rm config

/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=s_b12
/system routerboard settings
set boot-os=router-os
/interface bridge
add name=bridge_net
port add bridge=bridge_net interface=sfp-sfpplus1
port add bridge=bridge_net interface=sfp-sfpplus2
add name=bridge_pracownia
port add bridge=bridge_pracownia interface=ether1
port add bridge=bridge_pracownia interface=ether2
port add bridge=bridge_pracownia interface=ether3
port add bridge=bridge_pracownia interface=ether4
port add bridge=bridge_pracownia interface=ether5
port add bridge=bridge_pracownia interface=ether6
port add bridge=bridge_pracownia interface=ether7
port add bridge=bridge_pracownia interface=ether8
port add bridge=bridge_pracownia interface=ether9
port add bridge=bridge_pracownia interface=ether10
port add bridge=bridge_pracownia interface=ether11
port add bridge=bridge_pracownia interface=ether12
port add bridge=bridge_pracownia interface=ether13
port add bridge=bridge_pracownia interface=ether14
port add bridge=bridge_pracownia interface=ether15
port add bridge=bridge_pracownia interface=ether16
port add bridge=bridge_pracownia interface=ether17
port add bridge=bridge_pracownia interface=ether18
port add bridge=bridge_pracownia interface=ether19
port add bridge=bridge_pracownia interface=ether20
port add bridge=bridge_pracownia interface=ether21
port add bridge=bridge_pracownia interface=ether22
port add bridge=bridge_pracownia interface=ether23
port add bridge=bridge_pracownia interface=ether24
/interface vlan
add interface=bridge_net name=vlan_z_ose vlan-id=500
/ip dhcp-client
add disabled=no interface=vlan_z_ose
/ip address
add interface=bridge_pracownia address=192.168.12.1/24
/ip pool
add name=pula_pracowni ranges=192.168.12.2-192.168.12.100
/ip dhcp-server network
add address=192.168.12.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.12.1
/ip dhcp-server
add address-pool=pula_pracowni disabled=no interface=bridge_pracownia name=DHCP_pracownia
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan_z_ose src-address=192.168.12.0/24

However, I turn on the isolation like this:

/interface ethernet switch port-isolation
set ether1 forwarding-override=ether17
set ether2 forwarding-override=ether17
set ether3 forwarding-override=ether17
set ether4 forwarding-override=ether17
set ether5 forwarding-override=ether17
set ether6 forwarding-override=ether17
set ether7 forwarding-override=ether17
set ether8 forwarding-override=ether17
set ether9 forwarding-override=ether17
set ether10 forwarding-override=ether17
set ether11 forwarding-override=ether17
set ether12 forwarding-override=ether17
set ether13 forwarding-override=ether17
set ether14 forwarding-override=ether17
set ether15 forwarding-override=ether17
set ether16 forwarding-override=ether17
set ether17 forwarding-override=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16

As you can see, I want to isolate ports 1-16 from each other, but each of them should be able to see port 17. Port 17 should see ports 1-16.
With bridge_net on, the isolation doesn't work. With bridge_net off, the isolation works. I have no idea why.

I would start by only using one bridge and making sure all ports are hardware offloaded.

Normally by just having one bridge and all ports assigned to it will take care of it.

Only one bridge interface can be hardware offloaded…
Most probably that is your problem.

nov/16/2021 14:56:21 by RouterOS 6.49

software id = BPA9-BKLZ

Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload

INTERFACE BRIDGE HW PVID PR PATH-COST INTERNA... HORIZON

0 H sfp-sfpplus1 bridge_net yes 1 0x 10 10 none
1 H sfp-sfpplus2 bridge_net yes 1 0x 10 10 none
2 ether1 bridge_pra... no 1 0x 10 10 none
3 ether2 bridge_pra... no 1 0x 10 10 none
4 ether3 bridge_pra... no 1 0x 10 10 none
5 ether4 bridge_pra... no 1 0x 10 10 none
6 ether5 bridge_pra... no 1 0x 10 10 none
7 ether6 bridge_pra... no 1 0x 10 10 none
8 ether7 bridge_pra... no 1 0x 10 10 none
9 ether8 bridge_pra... no 1 0x 10 10 none
10 ether9 bridge_pra... no 1 0x 10 10 none
11 ether10 bridge_pra... no 1 0x 10 10 none
12 I ether11 bridge_pra... no 1 0x 10 10 none
13 I ether12 bridge_pra... no 1 0x 10 10 none
14 I ether13 bridge_pra... no 1 0x 10 10 none
15 I ether14 bridge_pra... no 1 0x 10 10 none
16 I ether15 bridge_pra... no 1 0x 10 10 none
17 ether16 bridge_pra... no 1 0x 10 10 none
18 I ether17 bridge_pra... no 1 0x 10 10 none
19 I ether18 bridge_pra... no 1 0x 10 10 none
20 I ether19 bridge_pra... no 1 0x 10 10 none
21 I ether20 bridge_pra... no 1 0x 10 10 none
22 I ether21 bridge_pra... no 1 0x 10 10 none
23 ether22 bridge_pra... no 1 0x 10 10 none
24 I ether23 bridge_pra... no 1 0x 10 10 none
25 I ether24 bridge_pra... no 1 0x 10 10 none


I think that it's ok. Only one bridge has H ports.

For /interface ethernet switch port-isolation rules to have effect, the bridge spanning those ports should be HW-offloaded. It’s not in your case.

You'd better use a single bridge with proper port isolation (another group of isolation rules for sfp-sfpplus1 and sfp-sfpplus2).

Ok, thx. This is working.

Answering the question: I cannot create one bridge because my switch connects two optical fibers with its internal bridge.

That's why I created two bridges. One, bridge_net, links sfp1 and sfp2 and the DHCP client.
The second bridge is the DHCP server and the lab computers, for which I create NAT.

One more problem.
When I run a console script by simply adding a script, it doesn't add all the ports to the bridge and the script stops.
On the other hand, when I type these commands manually in the console, all of them are performed correctly.
What could be wrong? Do I need delays?

So you have to partition the switch into two parts. Using two bridges is the most straightforward way and the least resource-friendly way at the same time.

The other two ways (off the top of my head) are:

  1. the already mentioned port isolation (if sfp-sfpplus1 is only allowed to talk to sfp-sfpplus2 and vice versa, this is a sort of partition of the switch regardless of the fact that there are other ports on the same bridge)
  2. use VLANs to partition the switch … those VLANs would be entirely internal to the switch, all ports would be access ports to different VLANs, each VLAN representing one switch partition

Which option to use depends on other factors, but the use case where most ports can talk to one port but not to each other (bridge_pracownia in your case) can only be done using option #1. It also depends on whether the switch needs to communicate with those networks … if it has to communicate with more than one of them, you have to use option #2.

And you can combine both options actually.

And the good thing: both options (and combination of them) are HW offloaded.

Thx for your help.

I have a problem because sfp1 is the light input and sfp2 is the light output which goes to the next devices.

net (with VLAN500) ----> ----- (sfp1) crs326 (sfp2) -----> ---- other devices

So I have to bridge sfp1 and sfp2. That is one bridge already.
The second bridge connects ether1-ether24.
I have the impression that with this fiber configuration I have no choice: I have to use two bridges and lose hardware support. Unless I'm wrong.

You are wrong and I explained it in my previous post.

Move sfp-sfpplus1 and sfp-sfpplus2 to bridge bridge_pracownia, add port-isolation directives, remove bridge bridge_net and you’re done.

Ok, I understand, but tell me how, according to your configuration, with one bridge and all interfaces in it, I will do NAT and masquerade on ether1-24 with sfp1, sfp2?

To give you useful advice, I'd have to know the full context. CRS is a switch and I didn't expect you to use it as a router.

Alas, as I hinted: you can combine port filtering with VLANs, in this case you would have VLAN interfaces on bridge.
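A worked single-bridge configuration for the two ideas raised in this thread: moving sfp-sfpplus1 and sfp-sfpplus2 into bridge_pracownia with port-isolation rules (the "move the SFP ports, remove bridge_net" post), and putting VLAN interfaces on that bridge so the DHCP client, DHCP server and NAT still have something to attach to (the last post). This is an added example, not configuration from the original poster or from MikroTik. It keeps the names and addresses from the thread (bridge_pracownia, vlan_z_ose, pula_pracowni, DHCP_pracownia, VLAN 500, 192.168.12.0/24) and assumes, because the thread does not say, that VLAN 12 is free to use as an internal VLAN for the lab ports, that the switch CPU port is named switch1-cpu and must be listed in forwarding-override for isolated ports to reach the router's own VLAN interfaces, and that only VLAN 500 has to pass between the two SFP ports.

```routeros
# Added example (not from the thread): one hardware-offloaded bridge on a CRS326 running RouterOS 6.49.
# Assumed values: VLAN 12 for the lab ports, CPU port name switch1-cpu. Check the CPU port name with
# "/interface ethernet switch port print" before applying.

# 1. A single bridge. VLAN filtering is switched on last, once the VLAN table exists,
#    so management access through the bridge is not lost halfway through.
/interface bridge
add name=bridge_pracownia vlan-filtering=no

# 2. Every port joins that one bridge. The SFP ports keep the default pvid; the copper ports
#    get the lab VLAN as their untagged (access) VLAN.
/interface bridge port
add bridge=bridge_pracownia interface=sfp-sfpplus1
add bridge=bridge_pracownia interface=sfp-sfpplus2
:for i from=1 to=24 do={
    /interface bridge port add bridge=bridge_pracownia interface=("ether" . $i) pvid=12
}

# 3. Bridge VLAN table. VLAN 500 is carried tagged from sfp-sfpplus1 to sfp-sfpplus2 and up to the
#    CPU (the bridge itself) for the DHCP client. Any further VLANs that must pass between the two
#    fibers need their own tagged entry here, otherwise VLAN filtering drops them.
#    Untagged members of VLAN 12 are added automatically from the ports' pvid.
/interface bridge vlan
add bridge=bridge_pracownia vlan-ids=500 tagged=sfp-sfpplus1,sfp-sfpplus2,bridge_pracownia
add bridge=bridge_pracownia vlan-ids=12 tagged=bridge_pracownia

# 4. Layer 3 moves from the two old bridges onto VLAN interfaces of the single bridge.
/interface vlan
add interface=bridge_pracownia name=vlan_z_ose vlan-id=500
add interface=bridge_pracownia name=vlan_pracownia vlan-id=12
/ip dhcp-client
add disabled=no interface=vlan_z_ose
/ip address
add interface=vlan_pracownia address=192.168.12.1/24
/ip pool
add name=pula_pracowni ranges=192.168.12.2-192.168.12.100
/ip dhcp-server network
add address=192.168.12.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.12.1
/ip dhcp-server
add address-pool=pula_pracowni disabled=no interface=vlan_pracownia name=DHCP_pracownia
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan_z_ose src-address=192.168.12.0/24

# 5. Port isolation on the same bridge. The two SFP ports may only talk to each other (and the CPU),
#    ether1-16 may only reach ether17 (and the CPU), ether17 reaches ether1-16. Listing switch1-cpu is
#    the assumption described above: without the CPU port, the isolated ports could not reach the
#    router's DHCP server or NAT.
/interface ethernet switch port-isolation
set sfp-sfpplus1 forwarding-override=sfp-sfpplus2,switch1-cpu
set sfp-sfpplus2 forwarding-override=sfp-sfpplus1,switch1-cpu
:for i from=1 to=16 do={
    /interface ethernet switch port-isolation set [find name=("ether" . $i)] \
        forwarding-override=ether17,switch1-cpu
}
set ether17 forwarding-override=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,\
    ether10,ether11,ether12,ether13,ether14,ether15,ether16,switch1-cpu

# 6. Only now enable VLAN filtering; bridge_net is no longer needed and is removed.
/interface bridge set bridge_pracownia vlan-filtering=yes
/interface bridge port remove [find bridge=bridge_net]
/interface bridge remove [find name=bridge_net]
```

Two things worth checking after applying it: `/interface bridge port print` should show the H flag on every port (one bridge, all offloaded, which is the condition the thread identifies for port isolation to take effect), and a host on ether1 should obtain a 192.168.12.x lease while being unable to reach a host on ether2 directly, since the two ports no longer share a forwarding path at layer 2 even though they share a subnet.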