VLAN: Ingress Filtering vs. PVID

Hi,

Is an ingressing untagged frame filtered as well, if the port (PVID) is not a member of the VLAN?

Ingress filtering, PVID=1
VLAN1 = ether1 not member

When one uses vlan1, I skip to the next question LOL.
But in your case I will pretend it's vlan99.

In an access port scenario,
one typically sets frame types to "priority or untagged frames only", pvid=99.
There is no harm in setting ingress filtering, as all that is saying is that any traffic going through that port must be associated with vlan99 traffic, which it is.

(There are two types of ingress filtering going on, not sure which is which on the MT, but:
a. one is that the router allows any VLAN that is identified anywhere on the router or switch to be allowed on that port (my guess is this is bridge ingress filtering and it applies to the bridge writ large);
b. one is that only the VLANs prescribed for the specific port are allowed on that port, regardless of whether they exist somewhere else on the router/switch/bridge (my guess is this is bridge port ingress filtering).)

VLAN filtering is different and is a way of ensuring that only management access to the device hosting the bridge is permitted.

+++++++++++++++++++++++++++++++++
Trunk port: ingress filtering, frame type "tagged only" is best security.
Access port: ingress filtering, frame type "priority and untagged", pvid=xx is best security.
Hybrid port: ingress filtering, frame type "admit all", pvid=xx is best security.


In MikroTik, settings for ingress and for egress are pretty independent of each other (but not entirely).

In the example by @Guscht, ingress settings say that both tagged and untagged frames are allowed on ingress and that untagged frames get tagged with the PVID (in the example it's 1). The additional setting "ingress filtering" creates a dependency between ingress and egress settings (see below).
Egress settings are made in bridge - VLAN tab. This table tells bridge which ports can egress which VLANs … if member ports are defined as untagged, then VLAN tags are stripped on egress. Here comes a little magic: if port has PVID set, it is automatically added as untagged member of same VLAN. The dependency between ingress and egress is that if port has ingress filtering set, it will pass on ingress only frames with VLAN IDs from the egress table for that port.

It is possible to create a confusing case when a port has a PVID set and at the same time is marked as a tagged member of the same VLAN. Which means it will accept untagged frames on ingress (and tagged as well) but will transmit tagged frames on egress. Which might work with some buggy OS (many Windows NIC drivers automatically strip VLAN tags on ingress and transmit untagged frames) but fail with those OSes that take VLANs seriously.
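As an added example that is not part of any post in this thread, the following RouterOS bridge VLAN configuration puts the trunk / access / hybrid recipe from the earlier reply and the ingress-vs-egress dependency described in the last reply side by side. Interface names (ether2 to ether5), the VLAN IDs 99 and 200, and the management address are assumptions chosen for illustration; the property names and values are the ones RouterOS (6.41 or later) actually uses.

```routeros
# Added example, not from the original thread. Interface names, VLAN IDs
# and the address below are assumed for illustration.

/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is switched on last"

/interface bridge port
# Access port: untagged and priority-tagged frames only; they enter as VLAN 99
add bridge=bridge1 interface=ether2 pvid=99 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Trunk port: tagged frames only, so the (default) PVID never gets used
add bridge=bridge1 interface=ether3 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Hybrid port: untagged frames become VLAN 99, tagged VLAN 200 is also accepted
add bridge=bridge1 interface=ether4 pvid=99 \
    frame-types=admit-all ingress-filtering=yes

/interface bridge vlan
# This is the egress table. Because every port above has ingress-filtering=yes,
# a port also accepts on ingress only the VLAN IDs whose rows list that port.
# A pvid= on a port is added as an untagged member automatically, so listing
# ether2 and ether4 under untagged= is explicit rather than required.
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether3 untagged=ether2,ether4
add bridge=bridge1 vlan-ids=200 tagged=bridge1,ether3,ether4
# Consequences: a tagged VLAN 300 frame arriving on ether3 is dropped (no row
# lists ether3 for 300), and an untagged frame on an access port whose PVID
# has no row for that port is dropped for the same reason.

# Management reaches the router over VLAN 99 through the bridge's own
# tagged membership (bridge1 in the tagged= list above).
/interface vlan
add name=vlan99 interface=bridge1 vlan-id=99
/ip address
add address=192.168.99.1/24 interface=vlan99

# The confusing case from the last reply, shown commented out (do not do this):
# PVID 99 on a port that is also a *tagged* member of VLAN 99. Untagged frames
# enter as VLAN 99 but leave ether5 tagged, so hosts that do not strip tags
# cannot talk to the router.
# /interface bridge port add bridge=bridge1 interface=ether5 pvid=99 ingress-filtering=yes
# /interface bridge vlan set [find vlan-ids=99] tagged=bridge1,ether3,ether5

# Enable filtering only after the VLAN table and the management path exist;
# doing it earlier can cut off your own management session.
/interface bridge set bridge1 vlan-filtering=yes
```

To check the result after import, `/interface bridge vlan print` shows the static rows plus any dynamic (D) untagged entries created from each port's PVID, and `/interface bridge host print` shows which VLAN each learned MAC address was actually placed in; a host that appears under the wrong VLAN, or not at all, usually means its port's frame-types or PVID does not match what the VLAN table allows.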