Like several other users, I have some problems configuring VLANs and bridges.
First I’ll explain my situation. I have an RB3011 and 2 network connections (internet and IPTV). IPTV is separated from the network because it uses broadcast packets.
So I have configured the following (the description explains what I want on the interfaces):
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU Description
0 R ether1 ether 8156 8156 Internet in (1 IP address, routing is done by the microtik)
1 RS ether2 ether 8156 8156 IPTV in (including DHCP)
2 RS ether3-master ether 8156 8156 internet
3 RS ether4 ether 8156 8156 internet
4 RS ether5 ether 8156 8156 internet
5 RS ether6-master ether 8156 8156 internet
6 RS ether7 ether 8156 8156 internet
7 RS ether8 ether 8156 8156 untagged vlan = internet, tagged vlan3=iptv see below for additional information
8 S ether9 ether 8156 8156 untagged vlan = internet, tagged vlan3=iptv see below for additional information
9 S ether10 ether 8156 8156 iptv
10 XS sfp1 ether 8158 8158 not used
11 R ;;; defconf
bridge bridge 8156 8156
12 R bridge-iptv bridge 1500 8152 iptv bridge
13 RS eth8-iptv-vlan3 vlan 1500 8152 eth8 vlan3
14 S eth9-iptv-vlan3 vlan 1500 8152 eth9 vlan3
What works?
Port 10 gives an IP address in the iptv range (on a PC and on the iptv box), so I can assume that the iptv bridge works.
On interfaces 3-9 there is internet on the untagged vlan.
What does not work?
Ports 8 and 9 give nothing on vlan3.
I have tested this with a PC (Windows 10 Pro) and an iptv device behind a managed switch (Netgear GS724T) which untags vlan3 on the port the iptv device is connected to (because I have no control over the iptv device). Everything was tested on interface 8. Interface 9 is not used yet.
If someone sees where I made a mistake, please tell me. Before, I combined everything on the Netgear, which worked perfectly, but the configuration on the MikroTik is slightly different.
Thanks a lot for all the help.
Some relevant information:
[admin@MikroTik] > /interface vlan print
Flags: X - disabled, R - running, S - slave
# NAME MTU ARP VLAN-ID INTERFACE
0 R eth8-iptv-vlan3 1500 enabled 3 ether8
1 eth9-iptv-vlan3 1500 enabled 3 ether9
[admin@MikroTik] > /interface bridge print
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=8156 l2mtu=8156 arp=enabled
arp-timeout=auto mac-address=E4:8D:8C:0A:2F:36 protocol-mode=rstp
fast-forward=no priority=0x8000 auto-mac=no admin-mac=E4:8D:8C:0A:2F:36
max-message-age=20s forward-delay=15s transmit-hold-count=6
ageing-time=5m
1 R name="bridge-iptv" mtu=auto actual-mtu=1500 l2mtu=8152 arp=enabled
arp-timeout=auto mac-address=E4:8D:8C:0A:2F:3D protocol-mode=rstp
fast-forward=no priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[admin@MikroTik] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 ;;; defconf
ether2 bridge-iptv 0x80 10 none
1 ;;; defconf
ether6-master bridge 0x80 10 none
2 I ;;; defconf
sfp1 bridge 0x80 10 none
3 I ether10 bridge-iptv 0x80 10 none
4 ether3-master bridge 0x80 10 none
5 ether4 bridge 0x80 10 none
6 eth8-iptv-vlan3 bridge-iptv 0x80 10 none
7 I eth9-iptv-vlan3 bridge-iptv 0x80 10 none
8 D ether5 bridge 0x80 10 none
9 D ether7 bridge 0x80 10 none
10 D ether8 bridge 0x80 10 none
11 ID ether9 bridge 0x80 10 none
#Compact config (stripped identification information)
# jul/02/2017 21:33:42 by RouterOS 6.39.2
#
# NOTE(review): the "NOTE(review)" comments below are observations made from
# this export as pasted; anything not visible in it is marked "confirm".
/interface bridge
# Default LAN bridge (defconf). Its ports are ether6-master, sfp1, ether3-master
# and ether4; ether5/7/8/9 appear in it dynamically as switch-group slaves.
add admin-mac=E4:8D:8C:0A:2F:36 auto-mac=no comment=defconf fast-forward=no \
name=bridge
# Separate IPTV bridge: ether2 (IPTV in), ether10 and the two vlan3 interfaces
# are its ports (see /interface bridge port).
add fast-forward=no name=bridge-iptv
/interface ethernet
# NOTE(review): jumbo MTU 8156 is also applied to ether1, the WAN uplink;
# confirm the upstream side actually accepts frames that large.
set [ find default-name=ether1 ] l2mtu=8156 mtu=8156
set [ find default-name=ether2 ] l2mtu=8156 mtu=8156
set [ find default-name=ether3 ] l2mtu=8156 mtu=8156 name=ether3-master
set [ find default-name=ether4 ] l2mtu=8156 mtu=8156
set [ find default-name=ether5 ] l2mtu=8156 master-port=ether3-master mtu=\
8156
set [ find default-name=ether6 ] l2mtu=8156 mtu=8156 name=ether6-master
set [ find default-name=ether7 ] l2mtu=8156 master-port=ether6-master mtu=\
8156
# NOTE(review): ether8 and ether9 are switch-chip slaves of ether6-master
# (flag S in /interface print). The vlan3 interfaces under /interface vlan are
# bound to ether8/ether9 themselves; on a slave port the CPU normally sees
# frames only via the master port, so a VLAN interface bound to the slave is
# likely never fed any tagged frames - which matches "nothing on vlan3" on
# ports 8 and 9. Options to confirm against the switch-chip docs for this
# board: bind the VLAN to ether6-master (plus switch VLAN table entries), or
# take ether8/ether9 out of the master-port group so they are CPU ports.
set [ find default-name=ether8 ] l2mtu=8156 master-port=ether6-master mtu=\
8156
set [ find default-name=ether9 ] l2mtu=8156 master-port=ether6-master mtu=\
8156
set [ find default-name=ether10 ] l2mtu=8156 mtu=8156 poe-out=off
set [ find default-name=sfp1 ] disabled=yes l2mtu=8158 mtu=8158
/ip neighbor discovery
# Neighbor discovery (MNDP/CDP) is off on the WAN port - good.
set ether1 discover=no
/interface vlan
# NOTE(review): see the ether8/ether9 remark under /interface ethernet - the
# parent of both VLAN interfaces is a switch slave port, not a CPU port.
add interface=ether8 name=eth8-iptv-vlan3 vlan-id=3
add interface=ether9 name=eth9-iptv-vlan3 vlan-id=3
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.253
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
# NOTE(review): the DHCP server listens on "bridge", but the 192.168.1.1/24
# address under /ip address is on ether3-master, a port of that bridge -
# confirm the address is not expected on "bridge" itself.
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
bridge name=defconf
/ppp profile
set *0 change-tcp-mss=default dns-server=192.168.89.1 local-address=\
192.168.89.1 remote-address=vpn use-encryption=yes
set *FFFFFFFE change-tcp-mss=default dns-server=192.168.89.1 local-address=\
192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge-iptv comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge-iptv interface=ether10
add bridge=bridge interface=ether3-master
add bridge=bridge interface=ether4
add bridge=bridge-iptv interface=eth8-iptv-vlan3
add bridge=bridge-iptv interface=eth9-iptv-vlan3
/interface l2tp-server server
# L2TP over IPsec with a single shared secret (redacted as X) for all clients;
# rotating it means reconfiguring every client. mschap2-only auth - good.
set allow-fast-path=yes authentication=mschap2 default-profile=default \
enabled=yes ipsec-secret=X max-mru=1460 max-mtu=1460 mrru=1600 \
use-ipsec=yes
/interface ovpn-server server
# NOTE(review): blowfish128 is a 64-bit-block cipher; if every client supports
# AES, drop it from the list and keep only the aes* entries.
set certificate=X.X.X.X cipher=\
blowfish128,aes128,aes192,aes256 keepalive-timeout=disabled
/ip address
# NOTE(review): 192.168.1.1/24 sits on ether3-master, which is itself a port
# of "bridge" (see /interface bridge port), while the DHCP server and UPnP
# internal side use "bridge". An address on a bridged port is usually expected
# on the bridge instead - confirm this is intended.
add address=192.168.1.1/24 comment=defconf interface=ether3-master network=\
192.168.1.0
# NOTE(review): no interface= is shown for 192.168.2.1/24 - either stripped
# from the paste or the address is not bound to any interface; confirm.
add address=192.168.2.1/24 network=192.168.2.0
/ip cloud
# IP Cloud DDNS publishes the router's public address to MikroTik's service.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server lease
add address=192.168.1.2 mac-address=C4:04:15:86:83:28 server=defconf
add address=192.168.1.20 client-id=1:8c:ae:90:0:5:4d mac-address=\
8C:AE:90:00:05:4D server=defconf
add address=192.168.1.3 client-id=1:88:dc:96:0:e1:fa mac-address=\
88:DC:96:00:E1:FA server=defconf
add address=192.168.1.21 client-id=1:8c:ae:90:0:5:c6 mac-address=\
8C:AE:90:00:05:C6 server=defconf
add address=192.168.1.31 client-id=1:10:c3:7b:9b:e8:42 mac-address=\
10:C3:7B:9B:E8:42 server=defconf
add address=192.168.1.32 client-id=1:f8:ca:b8:52:28:1e mac-address=\
F8:CA:B8:52:28:1E server=defconf
add address=192.168.1.10 client-id=1:b8:ae:ed:73:d:fd mac-address=\
B8:AE:ED:73:0D:FD server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 domain=\
X gateway=192.168.1.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver on every interface;
# only the input-chain "drop all from WAN" rule below keeps it off ether1.
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
# Order matters: the whitelist accept is first, so a whitelisted source
# bypasses every later rule, including the blacklist drops.
add action=accept chain=input comment=Whitelist src-address-list=whitelist
add action=drop chain=input comment=Blacklist src-address-list=blacklist
add action=drop chain=forward comment=Blacklist src-address-list=blacklist
add action=drop chain=forward comment="Ad-block list drop" connection-state=\
new dst-address-list=ads_list protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
# Staged SSH brute-force protection: four new TCP/22 connections to the router
# within about a minute (stage-1 -> stage-2 -> stage-3, each 1m) put the source
# on "blacklist" for 1w3d. No in-interface is set, so LAN hosts are subject to
# this too - an admin opening four SSH sessions quickly is locked out unless
# listed in "whitelist".
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=stage-3
add action=add-src-to-address-list address-list=stage-3 address-list-timeout=\
1m chain=input connection-state=new dst-port=22 protocol=tcp \
src-address-list=stage-2
add action=add-src-to-address-list address-list=stage-2 address-list-timeout=\
1m chain=input connection-state=new dst-port=22 protocol=tcp \
src-address-list=stage-1
add action=add-src-to-address-list address-list=stage-1 address-list-timeout=\
1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701,500,4500 \
protocol=udp
# NOTE(review): this accept has no in-interface or source restriction and sits
# before the "drop all from WAN" rule, so SSH is reachable from ether1 (WAN),
# throttled only by the stage rules above. If WAN SSH is not needed, add
# in-interface=!ether1 (or src-address-list=whitelist) to this rule.
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=\
tcp
# Everything else from WAN to the router (including DNS) is dropped here.
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1 log-prefix=DROP:
# NOTE(review): log-prefix is set on the drop rules but no log=yes appears in
# the export; confirm logging is actually enabled if the prefixes are relied on.
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix=DROP1:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log-prefix=DROP2:
/ip firewall mangle
# NOTE(review): no /ip route with routing-mark=VPN is shown in this export;
# confirm one exists, otherwise this mark has no effect.
add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=yes \
src-address-list=VPN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.1.0/24
add action=dst-nat chain=dstnat comment=\
"Server: HTTP;HTTPS;Plex;Transmission" dst-address=X.X.X.X \
dst-address-type=local dst-port=80,443,32400,8443 protocol=tcp \
to-addresses=192.168.1.10
# Hairpin NAT so LAN clients can reach the published services via the WAN IP.
add action=masquerade chain=srcnat dst-address=192.168.1.10 dst-port=\
80,443,32400,8443 out-interface=bridge protocol=tcp src-address=\
192.168.1.0/24
# NOTE(review): the comment says RDP, but this forwards WAN 3389,8080 to
# 192.168.1.10 port 22 (to-ports=22), while the hairpin rule further down
# points at 192.168.1.18:3389 - the two do not agree; confirm host and port.
# Publishing RDP on the public address is high-risk; prefer reaching it over
# the L2TP/IPsec or OpenVPN server already configured here, or at least limit
# this rule with src-address-list=whitelist.
add action=dst-nat chain=dstnat comment=RDP dst-address=X.X.X.X \
dst-address-type=local dst-port=3389,8080 protocol=tcp to-addresses=\
192.168.1.10 to-ports=22
# NOTE(review): WAN 989 -> 192.168.1.32:3389 publishes a second RDP host; the
# same remark as above applies.
add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=989 \
protocol=tcp to-addresses=192.168.1.32 to-ports=3389
# NOTE(review): action=masquerade together with to-addresses/to-ports -
# masquerade does not rewrite to a fixed address, so these parameters are
# probably ignored; confirm whether a plain hairpin masquerade (like the
# 80,443 rule above) was intended.
add action=masquerade chain=srcnat dst-address=192.168.1.10 dst-port=\
3389,8080 out-interface=bridge protocol=tcp src-address=192.168.1.0/24 \
to-addresses=192.168.1.18 to-ports=3389
/ip ipsec peer
# NOTE(review): 3des in enc-algorithm is a legacy 64-bit-block cipher; remove
# it if all L2TP clients negotiate AES. Secret is redacted (X) in this paste.
add address=0.0.0.0/0 enc-algorithm=aes-256,aes-192,aes-128,3des \
exchange-mode=main-l2tp generate-policy=port-override secret=\
X send-initial-contact=no
/ip service
# telnet, plain www and plain api are disabled - good. ssh keeps its defaults
# (no "set ssh" line here), i.e. port 22 with no address= restriction.
set telnet disabled=yes
set www disabled=yes
set www-ssl certificate=X disabled=no
set api disabled=yes
set api-ssl certificate=X
/ip ssh
# NOTE(review): forwarding-enabled=yes lets any authenticated SSH user open
# port-forwards through the router; with SSH reachable from WAN this widens
# what a compromised router account can reach. Disable unless tunnels are
# used on purpose.
set forwarding-enabled=yes
/ip upnp
# NOTE(review): UPnP with ether1 as external lets LAN hosts create WAN port
# mappings without admin review; keep only if an application needs it.
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/lcd
set default-screen=informative-slideshow
/ppp secret
add name=X password=X profile=default-encryption service=\
l2tp
/system clock
set time-zone-name=Europe/Amsterdam
/system routerboard settings
set silent-boot=yes
/system scheduler
# NOTE(review): both this inline on-event and /system script rdpwol send the
# WoL on interface=bridge1, but no bridge1 exists in this export (bridges are
# "bridge" and "bridge-iptv"), so the WoL likely never goes out. The two copies
# also differ: the scheduler uses find list="RDP", the script find name=RDP,
# and the script spells "Address-list" with a capital A. The policy set
# (reboot, policy, password, sensitive, ...) is far broader than a WoL /
# address-list script needs - trim it to the minimum that still runs
# (read,write, plus test for /tool - confirm).
add interval=10s name="RDP WOL Interval" on-event=":foreach A in=[/ip firewall\
\_address-list find list=\"RDP\"] do={\
\n if ([/ip firewall address-list get \$A list]=\"RDP\") do={\
\n \A0:log info \"Sending WoL to RDP Host\"\
\n /tool wol mac=X interface=bridge1\
\n \A0/ip firewall address-list remove \$A\
\n }\
\n}" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=oct/06/2016 start-time=00:00:00
# Weekly run of the Download_Ads_List script (see /system script).
add comment=Download_Ads_List interval=1w name=DownloadAdsList on-event=\
Download_Ads_List policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=02:42:00
/system script
# Duplicate of the scheduler's inline on-event above; see the remark there.
add name=rdpwol owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
foreach A in=[/ip firewall address-list find name=RDP] do={\
\n if ([/ip firewall address-list get \$A list]=\"RDP\") do={\
\n \A0:log info \"Sending WoL to RDP Host\"\
\n /tool wol mac=1E interface=bridge1\
\n \A0/ip firewall Address-list remove \$A\
\n }\
\n}"
# NOTE(review): this fetches a .rsc over HTTPS and /imports it with the full
# policy set above, so whatever that URL serves runs with admin-level rights on
# the router (a remote supply-chain dependency). Mitigations: reduce the script
# policy to what an address-list import needs, check whether fetch verifies the
# server certificate in this RouterOS version (check-certificate is not set
# here - confirm its default), and review the downloaded file before import.
add name=Download_Ads_List owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
tool fetch url=\"https://blocklister.gefoo.org/ads\" dst-path=ads.rsc; /im\
port file-name=ads.rsc;"
/tool e-mail
# Mail credentials are redacted (X) in this paste.
set address=X from="MikroTik Router<MikroTik@X>" \
password=X user=X
/tool mac-server
# MAC telnet and MAC Winbox limited to the LAN bridge only - good.
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
/tool sniffer
# NOTE(review): streaming to 192.168.1.32 is enabled, so whenever the sniffer
# is started a copy of the captured traffic is sent to that host. Leave this
# off when not actively debugging.
set streaming-enabled=yes streaming-server=192.168.1.32