Hi !

I have the standard bridge config with the 5 ports, ether1 I use for WAN and the rest are LAN.

I want to remove port2 and add it to a new bridge to use for IPTV, since it can’t be behind NAT. So, I go to Bridge → Ports → ether2 → DEL.

After I do this, the router basically dies and nothing else happens at all, and I have to reset the settings and restore the config from backup. Seems like I don’t fully understand how the bridge config works.

Could someone help me with this, or point me to a resource that is explaining it ?

Thanks

Are you plugged in to ether2 when you are doing this? If you are connecting to the router via IP, the IP sits on the bridge, if you remove the port from the bridge then you lose your IP connectivity.

I am connected but on another port. It should not have impact in theory. I also tried moving port when that happen and it doesn’t work. Wifi also doesn’t work.

What happens if you use MAC address rather than IP? I always use MAC where I can as it means I don’t lock myself out with L3 problems.

From picture above I can see that the port ether 2 is not in Italic and it does not have an I in first column.
So there are something coneted to it, what?

The STB that I’m going to use for IPTV. Is that a problem ?

No, should not loos you connection removing that port.
Can you post your config?

/export hide-sensitive

Your config comment inspired me to reset to default config and try with it. It worked ! Could you tell me if there may be something wrong with the config, like being insecure ? Does the bridge that I created for the IPTV reduce my security ?

dec/10/2018 19:06:58 by RouterOS 6.43.7

software id =(hidden by me)

model = RBD52G-5HacD2HnD

serial number = (hidden by me)

/interface bridge
add igmp-snooping=yes name=STB protocol-mode=none
add admin-mac=(hidden by me) auto-mac=no comment=defconf igmp-snooping=yes name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto mode=ap-bridge
ssid=MikroTik-BFD4F2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto mode=
ap-bridge ssid=MikroTik-BFD4F3 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=STB interface=ether1
add bridge=STB interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=STB list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=1
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interfa
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,rel
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection
add action=drop chain=input comment="defconf: drop all not coming from
add action=accept chain=input comment="defconf: accept ICMP" protocol=
add action=accept chain=forward comment="defconf: accept in ipsec poli
add action=accept chain=forward comment="defconf: accept out ipsec pol
add action=fasttrack-connection chain=forward comment="defconf: fasttr
add action=accept chain=forward comment="defconf: accept established,r
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connecti
add action=drop chain=forward comment="defconf: drop all from WAN not
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec
/system clock
set time-zone-name=Europe/Sofia
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The cause of router getting inaccessible when removing ether2 from bridge is that bridge, by default, steals MAC address from one of member ports for its own use. It seems to take MAC from first active port and it is highly probable that’s gonna be first ether port … in OPs case ether2.
Remedy: first change bridge’s admin-mac to something else (a locally-administered MAC address will do[*]) and only then remove ether2 from bridge.

[*] Locally administered MAC addresses are all MACs whoose second hex digits are either 2, 6, A or E. Example of locally administered MAC is thus 02:00:00:00:00:00 … or AE:12:34:56:78:90. Keep in mind that MACs have to be unique inside L2 network. Perhaps the safest choice is: take MAC address of ether1 and change only second hex digit to one denoting locally administered MAC address.

Change of bridge MAC address will temporarily stall magement IP connection, but it should recover. Some connections might not recover though. In my case, PPPoE client entered endless loop of trying to connect to server and failing to do so. Manualy disabling PPPoE client and enabling it again did the trick.

mkx, that is a great explanation of mac address usage by bridge, it explains perhaps why I have had some loop issues.
I will give all my mikrotik bridges fake mac addresses…

Interesting
So I will then always set up bridges like this:

/interface bridge
add admin-mac=x[26AE]:xx:xx:xx:xx:xx auto-mac=no name=bridge

Where x are random[0-9A-F]

My MTCNA tutor taught to increment the first digit set by 2.
IE 00:AA:BB becomes 02:AA:BB

OK, things are not as simple and my interpretation in post #9 above is not complete. Wikipedia says it’s about second-least-significant bit of the first octet of the address - if it’s set, then such MAC is LAA (locally administered) and if it’s not set, then it’s a UAA (universally administered) address. So the complete list of first octet values which are LAAs, is: x2, x3, x6, x7, xA, xB, xE and xF (where x is anything from range [0-F]).

Yes, Steve’s tutor was right … if the “base line” MAC address is an UAA (which all MACs “burned into equipment” are supposed to be).

Here you see the second-least-significant bit of the first octet.

universally administered addresses
locally administered addresses

Hexadecimal Binary
X
0 0000
1 0001
2 0010
3 0011
4 0100
5 0101
6 0110
7 0111
8 1000
9 1001
A 1010
B 1011
C 1100
D 1101
E 1110
F 1111

Mac address
yX:yy:yy:yy:yy:yy

y=[0-9A-F]

This is my understanding if you change from UAA to LAA:

Convert the first octet from Hex to Bin, then change the 2nd-least-significant bit to 1, then convert back to Hex, i.e.
B8:69:F4:00:00:00 = 1011 1000, then change to 1011 1010 back to Hex and the
LAA MAC will then be BA:69:F4:00:00:00

This is exactly what Steve’s instructor said: take 8, add 2 and result is … correct, it’s A.

Yes, cause 0x2^0 + 1 x 2^1 = 2

Clear as mud, I think I will stick with Buleria time… 3,6,8,10,12