mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

How can i add interface to two bridge?

Fri Apr 08, 2016 5:36 pm

Hello,

I have ether1 and ether2 as two provider links, and ether3 and ether4 as two ESXi hosts.
I need to create bridge1 (ether1, ether3, ether4) with IP1 and bridge2 (ether2, ether3, ether4) with IP2, but I cannot add an interface to two bridges.
 
samsung172
Forum Guru
Posts: 1191
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: How can i add interface to two bridge?

Fri Apr 08, 2016 6:06 pm

You need to put a vlan in each bridge - and bridge this with the third bridge.
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: How can i add interface to two bridge?

Fri Apr 08, 2016 6:23 pm

How can I add a bridge to another bridge?
In Winbox I can add only interfaces.
 
pe1chl
Forum Guru
Posts: 10216
Joined: Mon Jun 08, 2015 12:09 pm

Re: How can i add interface to two bridge?

Fri Apr 08, 2016 7:03 pm

>>Hello,
>>
>>I have ether1 and ether2 as two provider links, and ether3 and ether4 as two ESXi hosts.
>>I need to create bridge1 (ether1, ether3, ether4) with IP1 and bridge2 (ether2, ether3, ether4) with IP2, but I cannot add an interface to two bridges.
It is probably better to first re-think your setup...
What do you want to accomplish? Can't you make separate VLANs on the ESXi hosts for each provider?
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: How can i add interface to two bridge?

Fri Apr 08, 2016 7:26 pm

I can't touch the ESXi settings. I must do it with Mikrotik settings.
Currently I have a very simple setup: two provider links and two ESXi hosts (with a VM router) connected to one switch.
I need to replace the VM router with a Mikrotik router.
Why can't I simply set IP addresses on ether1 and ether2, add eth1/2/3/4 to a bridge, and use it???
Why do I get the error message
"in/out-interface matcher not possible when interface (ether-gw) is slave - use master instead (bridge-gw)"
 
pe1chl
Forum Guru
Posts: 10216
Joined: Mon Jun 08, 2015 12:09 pm

Re: How can i add interface to two bridge?

Fri Apr 08, 2016 8:41 pm

Of course you can use one bridge! That will be similar to a switch.
However, you stated you wanted two bridges. That is a different story.
Of course when you want filtering with a bridge you must use it as a bridge filter, not a firewall filter.
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: How can i add interface to two bridge?

Fri Apr 08, 2016 8:59 pm

>>Of course you can use one bridge! That will be similar to a switch.
Cannot.
Mikrotik cannot use individual IPs on individual interfaces when these interfaces are in a bridge. See the error:
"in/out-interface matcher not possible when interface (ether-gw) is slave - use master instead (bridge-gw)".
I am very disappointed by the RouterOS...
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: How can i add interface to two bridge?

Sat Apr 09, 2016 12:44 am

>>I am very disappointed by the RouterOS...
I think your fundamental understanding of networking is probably not correct.
Your desired configuration doesn't make sense to me - why are you trying to bridge things in this way?
What ethernet-layer behavior are you working towards / working around?

In very general terms, state your goal:
ex: "I want two servers to be protected from a LAN, but have access to two different ISPs"
or
"I want servers to have a public IP address from each of my ISPs"

etc -

Mikrotik/RouterOS lets you do a lot of things, many of which are "strange"/"mad science" solutions that don't strictly adhere to "best practice..."
 
BartoszP
Forum Guru
Posts: 2877
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: How can i add interface to two bridge?

Sat Apr 09, 2016 12:59 am

>>Cannot.
>>Mikrotik cannot use individual IPs on individual interfaces when these interfaces are in a bridge.
Are you sure? It works for me:
/interface bridge port
add bridge=BRIDGE interface=ETH1
add bridge=BRIDGE interface=ETH2-TV
add bridge=BRIDGE interface=ETH3-SAT
add bridge=BRIDGE interface=WIFI
add bridge=BRIDGE interface=VIRTUALWIFI
/ip address
add address=10.10.10.17/24 interface=ETH2-TV network=10.10.10.0
add address=10.10.10.18/24 interface=ETH3-SAT network=10.10.10.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=BRIDGE
>>See the error:
>>"in/out-interface matcher not possible when interface (ether-gw) is slave - use master instead (bridge-gw)".
Is it a message from the firewall?
Interfaces in the bridge are slaves and you cannot use them at the regular firewall level. If you wish, there is a filter section at the bridge level so you can filter traffic inside bridges.
>>I am very disappointed by the RouterOS...
"The hardest thing in the world to understand is the income tax." (c) A. Einstein
So start with simple things: http://forum.mikrotik.com/viewtopic.php ... 50#p418055
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: How can i add interface to two bridge?

Sat Apr 09, 2016 11:01 am

>>Is it message from firewall ?

This error message is from Mangle rules.
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: How can i add interface to two bridge?

Sat Apr 09, 2016 11:17 am

>>In very general terms, state your goal:

I already described my current configuration: currently I have a very simple setup: two provider links and two ESXi hosts (with a VM router) connected to one external switch.
I need to replace the VM router with a Mikrotik router (it is also necessary to remove the external switch).
Mikrotik should have IP1 on eth1 and IP2 on eth2. ESXi hosts connect to eth3 and eth4 (VMs should have IP3/4/5... from both providers)
 
pe1chl
Forum Guru
Posts: 10216
Joined: Mon Jun 08, 2015 12:09 pm

Re: How can i add interface to two bridge?

Sat Apr 09, 2016 11:33 am

Why would you want to put an IP address on the bridge?
When it is a bridge, it does not need an IP address to make packets flow through!
An address is only required for traffic that flows into or out of the bridge (to the router itself)
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: How can i add interface to two bridge?

Sat Apr 09, 2016 11:43 am

>>Why would you want to put an IP address on the bridge?
I don't need an IP on the bridge!
I need IPs on eth1, eth2, and on VMs. (All VMs should have access to both providers)
 
pe1chl
Forum Guru
Posts: 10216
Joined: Mon Jun 08, 2015 12:09 pm

Re: How can i add interface to two bridge?

Sat Apr 09, 2016 12:13 pm

>>Why would you want to put an IP address on the bridge?
>>I don't need an IP on the bridge!
>>I need IPs on eth1, eth2, and on VMs. (All VMs should have access to both providers)
No you don't need those either.
The bridge will just pass traffic based on MAC address.
 
samsung172
Forum Guru
Posts: 1191
Joined: Sat Apr 04, 2009 3:45 am
Location: Østfold - Norway

Re: How can i add interface to two bridge?

Sun Apr 10, 2016 2:21 am

Still - my first post. To bridge bridges - add some vlan to the bridges you want to bridge. And bridge the vlan in a new bridge. This is a bit off box thinking, compared to cisco etc - but soooooooooo much more manageable. If you add a vlan, a vlan is just a vlan. And it can be the same vlan many times. The magic just happens when the vlan is bridged. In other systems, once you add a vlan, you add a vlan...... and it's like "ah, you add the same... we automatically bridge..." even if that's not what you want.
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: How can i add interface to two bridge?

Sun Apr 10, 2016 11:48 am

>>to bridge bridges - add some vlan to the bridges you want to bridge.

OK, but I don't need tagged traffic. How can I create a virtual interface without tagging?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: How can i add interface to two bridge?

Mon Apr 11, 2016 6:06 pm

>>In very general terms, state your goal:

>>Mikrotik should have IP1 on eth1 and IP2 on eth2. ESXi hosts connect to eth3 and eth4 (VMs should have IP3/4/5... from both providers)
Okay - this is getting somewhere.

Now - first off, you do not want to do this by bridging the two providers together. It's bad design to do so.
You have three options:
1)
Use a single internal IP range for your server network and assign just one private IP to each server
Then use dstnat from ISP1 address X -> server-in-ether3 / and ISP2 address X -> server-in-ether3
and use dstnat from ISP1 address Y -> server-in-ether4 / and ISP2 address Y -> server-in-ether4
Finally, use policy routing to mark connections based on which ISP is used and stick the routing to the correct ISP
- this is very doable but involves a lot of settings in the mangle table and extra routing tables, and isn't that straightforward in my opinion. However, if you're going to be using dual-ISP configuration for other devices, then doing the same for the servers isn't going to add much complexity to this and you're going to need to do it anyway, so why not?

2)
Use a VLAN tag on the servers to make them aware of the two ISP networks and that way, on the server side, you have two discrete interfaces that each one can know exactly what it's supposed to do. Then on the Mikrotik, use two WAN bridges (named wanbridge1 wanbridge2 for instance) and connect ether1, ether3.vlan100, and ether4.vlan100 to wanbridge1, and connect ether2, ether3.vlan200, and ether4.vlan200 to wanbridge2.
You then put the Mikrotik's own two ISP addresses on wanbridge1 and wanbridge2.


3) - less clean solution but easy enough to do and would be the most similar to what you were doing before:
Use a single WAN bridge, and connect ports ether1, ether2, ether3, and ether4 to the one bridge (just call it WAN).
Then in the bridge > ports menu, set horizon=1 on ports ether1 and ether2. This way, the ISP circuits won't see each other, but the Mikrotik and servers will be able to use both. You'd assign two IP addresses to the WAN interface and to the servers just as you did before.
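
Option 3 from the post above, written out as RouterOS commands. This is an added example, not part of the original post: the bridge name WAN comes from the post, while the two addresses are constructed placeholders from documentation ranges standing in for IP1 and IP2.

```routeros
# Added example: option 3 (single WAN bridge with split horizon).
# Addresses are constructed placeholders (RFC 5737 ranges) for IP1/IP2.

/interface bridge
add name=WAN

/interface bridge port
# Both ISP uplinks share horizon=1: a frame received on one port is never
# forwarded out another port with the same horizon value, so ISP1 and
# ISP2 are not bridged to each other.
add bridge=WAN interface=ether1 horizon=1
add bridge=WAN interface=ether2 horizon=1
# The ESXi ports have no horizon set, so they exchange frames with both
# uplinks and with each other.
add bridge=WAN interface=ether3
add bridge=WAN interface=ether4

/ip address
# The router's own addresses go on the bridge (the master interface),
# not on the slave ports ether1/ether2.
add address=192.0.2.10/24 interface=WAN
add address=198.51.100.10/24 interface=WAN

/ip firewall filter
# IP firewall and mangle rules match on the master interface; matching a
# slave port here produces the "use master instead" error quoted in the thread.
add chain=input in-interface=WAN connection-state=established,related action=accept
```

With horizon left unset on ether1 and ether2, the router forwards frames between the two providers like a plain switch, which is the design the post warns against.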
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: How can i add interface to two bridge?

Tue Apr 12, 2016 1:35 pm

>>3) - less clean solution but easy enough to do and would be the most similar to what you were doing before:
>>Use a single WAN bridge, and connect ports ether1, ether2, ether3, and ether4 to the one bridge (just call it WAN).
>>Then in the bridge > ports menu, set horizon=1 on ports ether1 and ether2. This way, the ISP circuits won't see each other, but the Mikrotik and servers will be able to use both. You'd assign two IP addresses to the WAN interface and to the servers just as you did before.


Thanks, variant 3) is acceptable.
But when I set:
set "Use IP Firewall" on bridge
set IP1 to ether1
set Out.BridgePort=ether1 on Firewall Filter Rules forward rule
set Out.BridgePort=ether1 on Firewall NAT masquerade rule

I cannot communicate from LAN to Internet!

(communication works only when I set IP1 to bridge_wan and change Out.BridgePort=ether1 to OutInterface=bridge_wan, but I need IP1/IP2 on ether1/ether2)
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: How can i add interface to two bridge?

Tue Apr 12, 2016 6:30 pm

If you bridge some interfaces together, they no longer behave as separate interfaces. It's like regular ethernet switch, everything is connected with everything. On IP level, router does not care if something came from one interface or the other, from its point of view it came from bridge interface. Period. Therefore assigning IP address to bridged interface does not make sense.

One more thing, can you write more about your addresses? Because I can't see anything about it in this thread and it's important too. Specifically, from ISP1 you have:

a) Just one public address.
b) Several public addresses, but you have to use ISP's gw. E.g. you'd have 1.2.3.0/24 for your use, but with gw 1.2.3.1 assigned to ISP's router.
c) Routed public subnet, completely yours. E.g. ISP's router has 1.2.3.1/30 and yours 1.2.3.2/30 to talk to each other. And on top of that you have another 1.2.10.0/24 routed to you.

And then the same question for ISP2.
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: How can i add interface to two bridge?

Tue Apr 12, 2016 6:56 pm

>>If you bridge some interfaces together, they no longer behave as separate interfaces.
>>Therefore assigning IP address to bridged interface does not make sense.


Are you sure? I can ping IP1 from the internet and can ping internet resources from Mikrotik, but I cannot communicate from LAN to Internet!
And if "they no longer behave as separate interfaces", why does Mikrotik allow you to assign addresses to them?


>>One more thing, can you write more about your addresses?

Variant b) for both ISPs.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: How can i add interface to two bridge?

Tue Apr 12, 2016 9:08 pm

If you add IP address to bridged interface, you can access it just fine. But traffic will no longer look like it comes from/to that interface, the bridge interface will be used instead. Why is it allowed? I don't know, probably because it doesn't really break anything, even though it might be a little confusing.

Your main problem seems to be that you can't touch ESXi settings. Otherwise suggested solution with different VLANs for each ISP would be a simple and clean one.

Anyway, what exactly are you trying to do with the firewall? Why NAT, when the point of this exercise was to get public addresses to servers (or at least it gave that impression to me)? Where does the LAN come from, is that some additional private network? If so, how and where is it connected?
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: How can i add interface to two bridge?

Thu Apr 14, 2016 2:32 pm

>>You need to put a vlan in each bridge - and bridge this with the third bridge.
>>Still - my first post. To bridge bridges - add some vlan to the bridges you want to bridge. And bridge the vlan in a new bridge. This is a bit off box thinking, compared to cisco etc - but soooooooooo much more manageable. If you add a vlan, a vlan is just a vlan. And it can be the same vlan many times. The magic just happens when the vlan is bridged. In other systems, once you add a vlan, you add a vlan...... and it's like "ah, you add the same... we automatically bridge..." even if that's not what you want.
I tried this: create vlan1 on interface bridge1; create vlan2 on interface bridge2; create bridge3; add vlan1 and vlan2 to bridge3.
THIS DOES NOT WORK!
See: http://forum.mikrotik.com/viewtopic.php ... 99#p532950
