Reading the “Layer2 misconfiguration” paper, I understand that my configuration may lead to problems, as I bridge VLAN interfaces instead of using the VLAN filtering option.
Could someone please translate my current configuration into a “new-style” VLAN filtering configuration?
The problem I am running into is that I use one Ethernet interface (named SFP) as a trunk port which physically connects to my network; therefore I can only attach this interface to one bridge. The examples in the above-mentioned paper always use one physical interface per bridge and VLAN ID.
Here is my current configuration:
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=SFP
/interface vlan
add comment="SFP with VLAN ID 007 for FTTH modem" interface=SFP name=SFP-V007 vlan-id=7
add comment="SFP with VLAN ID 100 for DMZ bridge" interface=SFP name=SFP-V100 vlan-id=100
add comment="SFP with VLAN ID 200 for FFNK bridge" interface=SFP name=SFP-V200 vlan-id=200
/interface bridge
add admin-mac=04:00:00:00:00:01 auto-mac=no comment=\
"LAN - Bridge to network LAN " name=LAN protocol-mode=none
add admin-mac=04:00:00:00:01:00 auto-mac=no comment=\
"DMZ - Bridge to network DMZ" name=DMZ protocol-mode=none
add admin-mac=04:00:00:00:02:00 auto-mac=no comment=\
"FFNK - Bridge to network FFNK" name=FFNK protocol-mode=none
/interface bridge port
add bridge=LAN interface=SFP
add bridge=DMZ interface=SFP-V100
add bridge=FFNK interface=SFP-V200
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=SFP
/interface bridge port
add bridge=bridge interface=SFP
/interface bridge vlan
add bridge=bridge tagged=bridge,SFP vlan-ids=7
add bridge=bridge tagged=bridge,SFP vlan-ids=100
add bridge=bridge tagged=bridge,SFP vlan-ids=200
/interface vlan
add comment="VLAN ID 007 for FTTH modem" interface=bridge name=LAN vlan-id=7
add comment="VLAN ID 100 for DMZ bridge" interface=bridge name=DMZ vlan-id=100
add comment="VLAN ID 200 for FFNK bridge" interface=bridge name=FFNK vlan-id=200
For the rest of the config you use the interfaces LAN, DMZ and FFNK just the way you did before.
If you need to add some interface to some of the VLANs, you do it in the /interface bridge port and /interface bridge vlan sections. The exact syntax depends on whether the additional interface is a member of a single VLAN or of multiple VLANs, and whether it is a tagged or an untagged member of said VLAN(s).
thank you very much for pointing me to that document and creating the configuration.
It works perfectly!
May I ask another question, about bridging an EoIP interface into VLAN 400 and getting an IP address for the router?
My understanding is that a transparent bridge, as below, is the recommended solution.
thank you very much again. I am happy with your help and solution.
Now I have stripped down my bridges from 5 to 1, and your security tip is very useful, as I had not thought about that problem.
Best regards,
dksoft
Update: 2020-09-03 13:15
I made one essential addition, which is to set the EOIP tunnel to untagged.
In case someone stumbles into this thread some time, here is my current configuration:
Just for the record: if a bridge interface has pvid set in the /interface bridge port section, then it is automatically added to the list of untagged members of the same VLAN in /interface bridge vlan. Hence your addition is fine; it adds to the readability of the exported config, but doesn’t change the actual behaviour.
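The following is an added example, not a configuration posted by anyone in this thread. It extends the single VLAN-filtered bridge from the answer above to show the two cases the answer mentions (an untagged access port in one VLAN, and the EoIP tunnel as an untagged member of VLAN 400 with the router's own address in that VLAN), and it shows the pvid/untagged redundancy described in the last reply. The names and values ether2, eoip-tunnel1, remote-address 198.51.100.1, tunnel-id 400, the VLAN400 interface and the address 192.0.2.1/24 are assumptions for illustration, as is carrying VLAN 400 tagged on SFP. The frame-types and ingress-filtering settings are a hardening that the MikroTik layer-2 guidance recommends for VLAN-filtered bridges: the trunk accepts only tagged frames, access ports accept only untagged frames, and frames for VLANs missing from the table are dropped.

```routeros
# Added example, not from the thread. Assumed: ether2 is a DMZ access port,
# eoip-tunnel1 is the EoIP tunnel (placeholder remote-address/tunnel-id),
# VLAN400/192.0.2.1/24 is the router's address in VLAN 400.
# Build the bridge with filtering OFF and enable it as the last step, so a
# half-built VLAN table cannot lock you out of a remote box.
/interface bridge
add name=bridge vlan-filtering=no protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=SFP

/interface eoip
add name=eoip-tunnel1 remote-address=198.51.100.1 tunnel-id=400

/interface bridge port
# Trunk: only tagged frames are admitted; VLANs not in the table are dropped
add bridge=bridge interface=SFP frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access port: untagged frames arrive in VLAN 100 via pvid
add bridge=bridge interface=ether2 pvid=100 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# EoIP tunnel as an untagged member of VLAN 400
add bridge=bridge interface=eoip-tunnel1 pvid=400 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# "bridge" is a tagged member so the router itself can own an address in each VLAN
add bridge=bridge tagged=bridge,SFP vlan-ids=7
add bridge=bridge tagged=bridge,SFP untagged=ether2 vlan-ids=100
add bridge=bridge tagged=bridge,SFP vlan-ids=200
# untagged=eoip-tunnel1 is already implied by pvid=400 above; listing it only
# makes the export readable (see the reply above)
add bridge=bridge tagged=bridge,SFP untagged=eoip-tunnel1 vlan-ids=400

/interface vlan
add comment="VLAN ID 007 for FTTH modem" interface=bridge name=LAN vlan-id=7
add comment="VLAN ID 100 for DMZ" interface=bridge name=DMZ vlan-id=100
add comment="VLAN ID 200 for FFNK" interface=bridge name=FFNK vlan-id=200
add comment="VLAN ID 400 for EoIP (assumed)" interface=bridge name=VLAN400 vlan-id=400

/ip address
add address=192.0.2.1/24 interface=VLAN400

# Only now, with the VLAN table complete, switch filtering on
/interface bridge
set [ find name=bridge ] vlan-filtering=yes
```

After enabling filtering, `/interface bridge vlan print` should list ether2 under current-untagged for VLAN 100 and eoip-tunnel1 under current-untagged for VLAN 400, whether or not the untagged= attribute was written explicitly; `/interface bridge host print` then confirms which MAC addresses are learned in which VLAN.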