RouterOS bridge VLAN filtering breaks MNDP over IPv6 reception/response processing

RouterOS General
1

Hello,

I replaced my hEX Refresh with an AX3.

The configuration is essentially identical on both devices, with one key difference: on the AX3, vlan-filtering=yes is enabled on the bridge, whereas on the hEX Refresh VLAN was configured on the interface.

After this change, MNDP (MikroTik Neighbor Discovery Protocol)works over IPv4 but not over IPv6 when vlan-filtering=yes is enabled on the AX3.

Is this expected behavior, or is there an additional configuration required to make MNDP work over IPv6 with bridge VLAN filtering enabled?

Everything else is working ok, both IPv4 and IPv6.

image
image590×130 3.55 KB

/interface bridge add arp=proxy-arp name=LAN vlan-filtering=yes
/interface vlan add interface=LAN name=BASE vlan-id=192
/interface vlan add interface=LAN name=GUEST vlan-id=155
/interface bridge port add bridge=LAN comment=defconf interface=ether2
/interface bridge port add bridge=LAN comment=defconf interface=ether3
/interface bridge port add bridge=LAN comment=defconf interface=ether4
/interface bridge port add bridge=LAN comment=defconf interface=ether5
/interface bridge port add bridge=LAN interface=wifi1
/interface bridge port add bridge=LAN interface=wifi2
/interface bridge port add bridge=LAN frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 pvid=155
/interface bridge port add bridge=LAN frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 pvid=155
/ip neighbor discovery-settings set discover-interface-list=all
/interface bridge vlan add bridge=LAN tagged=LAN,ether3 untagged=wifi3,wifi4 vlan-ids=155
/interface bridge vlan add bridge=LAN tagged=LAN,ether3 vlan-ids=192

3

The package is received at the router, but the router is not responding.

/tool sniffer quick port=5678
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS
INTERFACE  TIME   NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS
wifi1      8.049   44  ->   00:D8:XX:ZZ:XX:ZZ  33:33:00:00:00:01  fe80::2868:cbef:e408:525b:5678 (discovery)
wifi2      8.049   45  ->   00:D8:XX:ZZ:XX:ZZ  33:33:00:00:00:01  fe80::2868:cbef:e408:525b:5678 (discovery)
LAN        8.049   46  <-   00:D8:XX:ZZ:XX:ZZ  33:33:00:00:00:01  fe80::2868:cbef:e408:525b:5678 (discovery)

ether3     8.765   54  <-   00:D8:XX:ZZ:XX:ZZ  33:33:00:00:00:01  fe80::2868:cbef:e408:525b:5678 (discovery)
wifi1      8.765   56  ->   00:D8:XX:ZZ:XX:ZZ  33:33:00:00:00:01  fe80::2868:cbef:e408:525b:5678 (discovery)
wifi2      8.765   57  ->   00:D8:XX:ZZ:XX:ZZ  33:33:00:00:00:01  fe80::2868:cbef:e408:525b:5678 (discovery)
LAN        8.765   58  <-   00:D8:XX:ZZ:XX:ZZ  33:33:00:00:00:01  fe80::2868:cbef:e408:525b:5678 (discovery)

Should have responded like this (This is another working Mikrotik in my home)

18:45:50.048525 IP6 (flowlabel 0x933c3, hlim 1, next-header UDP (17) payload length: 166) fe80::20c:29ff:fe23:26e9.5678 > ff02::1.5678: [udp sum ok] UDP, length 158
` 3...............)..#&........................a..........)#&.....MikroTik...&7.20.8 (long-term) 2026-01-30 09:17:54....MikroTik.
..........aaMBNimJXSJ....CHR...................)..#&.....ether1....
..p.....

4

Here's what proven:

Protocol Transport Status Evidence
LLDP Layer 2 (Ethernet) :white_check_mark: Working Pi5 transmitting LLDP successfully
MNDP IPv4 :white_check_mark: Working Packets from 10.2.5.1 & 192.168.155.1 received
MNDP TX IPv6 :white_check_mark: Working Router sending to ff02::1
MNDP RX IPv6 :cross_mark: BROKEN Router receives but doesn't respond
ICMPv6 IPv6 :white_check_mark: Working Ping6, Router Advertisements all work
General IPv6 IPv6 :white_check_mark: Working Full connectivity confirmed

The Bug is Isolated To:

RouterOS bridge VLAN filtering breaks MNDP over IPv6 reception/response processing

Specifically:

  • When vlan-filtering=yes is enabled on the bridge

  • The router receives MNDP discovery packets on port 5678 over IPv6

  • The packets reach the router (visible in /tool sniffer)

  • But the router's MNDP service fails to process and respond to them

  • All other IPv6 multicast functions work normally

5

The existing topic title "MNDP only works over IPv4 when vlan-filtering=yes" can easily be misinterpreted.

"RouterOS bridge VLAN filtering breaks MNDP over IPv6 reception/response processing" as you have in the post above is much clearer.

The way I interpreted "MNDP only works over IPv4 when vlan-filtering=yes" was that MNDP did not work over IPv4 unless vlan-filtering=yes. And that isn't what you meant.

Consider editing the topic title.

I also don't understand what you mean by "on the hEX Refresh VLAN filtering was configured on the interface."

1 Like
6

Thanks, have edited the text.

Neighbor Discovery on Bridge Interfaces