AVA
just joined
Topic Author
Posts: 21
Joined: Mon Jun 18, 2018 6:19 pm

Bridge filter not matching (CRS328-4C-20S-1S+ with v6.42.3)

Mon Jun 18, 2018 7:00 pm

Hi,

I have a problem with the mentioned switch. My scenario is as follows:

1Gbit Uplink Port is "combo1"

The switch is connected via "combo1" to a router with a PPPoE server. Therefore I'm using VLAN number 266, with tagged traffic between the PPPoE server and the switch uplink.

The normal SFP ports are in VLAN group 266 but untagged. These are customers' edge ports.

The uplink port is also part of VLAN group 1337 for management.

Some of the customer ports are in their own VLAN group 5xx. Those customers don't use PPPoE but static routing...

This configuration is working apart from the filter... I want to always allow ARP, and in VLAN group 266 only PPPoE in addition. The 5xx VLAN groups should be allowed to use IP and no PPPoE. All other frame types have to be dropped! But the packet/byte counters stay either "0" or they show strange values (negative value for packets or billions of GB for bytes) :shock:

So here is an export of the bridge configuration:
/interface bridge
add name=bridge_local protocol-mode=none vlan-filtering=yes
/interface bridge filter
add action=accept chain=forward mac-protocol=arp
add action=accept chain=input mac-protocol=arp
add action=accept chain=output mac-protocol=arp
add action=accept chain=forward mac-protocol=vlan vlan-encap=pppoe-discovery vlan-id=266
add action=accept chain=forward mac-protocol=vlan vlan-encap=pppoe vlan-id=266
add action=accept chain=output mac-protocol=vlan vlan-encap=pppoe-discovery vlan-id=266
add action=accept chain=output mac-protocol=vlan vlan-encap=pppoe vlan-id=266
add action=accept chain=input mac-protocol=vlan vlan-encap=pppoe-discovery vlan-id=266
add action=accept chain=input mac-protocol=vlan vlan-encap=pppoe vlan-id=266
add action=accept chain=forward log=yes mac-protocol=vlan vlan-encap=ip vlan-id=558
add action=accept chain=output mac-protocol=vlan vlan-encap=ip vlan-id=558
add action=accept chain=input mac-protocol=vlan vlan-encap=ip vlan-id=558
add action=accept chain=forward mac-protocol=vlan vlan-encap=ip vlan-id=504
add action=accept chain=input mac-protocol=vlan vlan-encap=ip vlan-id=504
add action=accept chain=output mac-protocol=vlan vlan-encap=ip vlan-id=504
add action=accept chain=forward mac-protocol=vlan vlan-encap=ip vlan-id=503
add action=accept chain=output mac-protocol=vlan vlan-encap=ip vlan-id=503
add action=accept chain=input mac-protocol=vlan vlan-encap=ip vlan-id=503
add action=accept chain=forward mac-protocol=vlan vlan-encap=ip vlan-id=501
add action=accept chain=output mac-protocol=vlan vlan-encap=ip vlan-id=501
add action=accept chain=input mac-protocol=vlan vlan-encap=ip vlan-id=501
add action=accept chain=forward mac-protocol=vlan vlan-id=1337
add action=drop chain=input log=yes
add action=drop chain=forward
add action=drop chain=output log=yes
/interface bridge port
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp1 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp2 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp3 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp4 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp5 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp6 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp7 pvid=558
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp8 pvid=504
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp9 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp10 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp11 pvid=503
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp12 pvid=501
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp13 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp14 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp15 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp16 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp17 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp18 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp19 pvid=266
add bridge=bridge_local frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp20 pvid=266
add bridge=bridge_local interface=combo1 pvid=266
add bridge=bridge_local interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridge_local comment=CA tagged=sfp-sfpplus1,combo1 untagged=sfp1,sfp2,sfp3,sfp4,sfp5,sfp6,sfp9,sfp10,sfp13,sfp14,sfp15,sfp16,sfp17,sfp18,sfp19,sfp20 vlan-ids=266
add bridge=bridge_local comment=MGMT tagged=sfp-sfpplus1,combo1 vlan-ids=1337
add bridge=bridge_local comment="cStatic xxxxxxx" tagged=combo1,sfp-sfpplus1 untagged=sfp7 vlan-ids=558
add bridge=bridge_local comment="cStatic xxxxxxx" tagged=combo1,sfp-sfpplus1 untagged=sfp8 vlan-ids=504
add bridge=bridge_local comment="cStatic xxxxxxx" tagged=combo1,sfp-sfpplus1 untagged=sfp11 vlan-ids=503
add bridge=bridge_local comment="cStatic xxxxxxx" tagged=sfp-sfpplus1,combo1 untagged=sfp12 vlan-ids=501

I have no clue what's wrong with my config, any ideas? Thanks in advance!

Michael
 
chechito
Forum Guru
Posts: 1740
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Bridge filter not matching (CRS328-4C-20S-1S+ with v6.42.3)

Mon Jun 18, 2018 7:41 pm

Be aware that bridge filtering is done in software using the CPU, which limits your throughput.

Try using switch ACLs to filter without a performance penalty.
 
AVA
just joined
Topic Author
Posts: 21
Joined: Mon Jun 18, 2018 6:19 pm

Re: Bridge filter not matching (CRS328-4C-20S-1S+ with v6.42.3)

Mon Jun 18, 2018 7:57 pm

Thanks for your quick answer!

The problem is, the "Switch" menu is really chopped down for the CRS328. There is no ACL table...

My hope was that the new bridge implementation would allow using bridge filters without CPU usage. But even if it's using the CPU, why don't the frames match the filter rules when running through the bridge?
 
chechito
Forum Guru
Posts: 1740
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Bridge filter not matching (CRS328-4C-20S-1S+ with v6.42.3)

Mon Jun 18, 2018 8:11 pm

Are you sure??

I see the Rule tab, try creating a rule.
rules.png
 
artz
MikroTik Support
Posts: 88
Joined: Tue Oct 17, 2017 5:51 pm
Location: Riga

Re: Bridge filter not matching (CRS328-4C-20S-1S+ with v6.42.3)

Tue Jun 19, 2018 10:11 am

When hardware offloading is active, bridge filter rules will be ignored, since the packets are not processed by the CPU. You can read more about this case here:
https://wiki.mikrotik.com/wiki/Manual:L ... C_learning

You either need to disable hardware offloading (not recommended) or use ACL rules, which exist on CRS3xx as well, under /interface ethernet switch rule.
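As an added example (not the thread's own configuration), here is the poster's bridge filter policy expressed with the /interface ethernet switch rule ACL that artz points to, so the policy is enforced by the switch chip on ingress while hardware offloading stays on. Assumed and worth checking against the device's documentation: the switch is named "switch1" (the CRS3xx default), rules are matched top-down with the first match winning, and mac-protocol matches the EtherType inside the 802.1Q tag on tagged ports, so no vlan-encap equivalent is needed.

```routeros
# Added example, not from the thread: bridge filter policy as CRS3xx switch ACL rules.
# Assumptions: switch name "switch1", first-match ordering, mac-protocol matches the
# inner EtherType of tagged frames. Port names and VLAN ids are taken from the export.
/interface ethernet switch rule

# ARP is always allowed, on every bridge port
add switch=switch1 ports=sfp1,sfp2,sfp3,sfp4,sfp5,sfp6,sfp7,sfp8,sfp9,sfp10,sfp11,sfp12,sfp13,sfp14,sfp15,sfp16,sfp17,sfp18,sfp19,sfp20,combo1,sfp-sfpplus1 mac-protocol=arp action=forward comment="allow ARP everywhere"

# PPPoE customer edge ports (untagged, pvid 266): only PPPoE discovery and session.
# Frames arrive untagged here, so the port list, not vlan-id, selects VLAN 266.
add switch=switch1 ports=sfp1,sfp2,sfp3,sfp4,sfp5,sfp6,sfp9,sfp10,sfp13,sfp14,sfp15,sfp16,sfp17,sfp18,sfp19,sfp20 mac-protocol=pppoe-discovery action=forward comment="VLAN 266 customers: PPPoE discovery"
add switch=switch1 ports=sfp1,sfp2,sfp3,sfp4,sfp5,sfp6,sfp9,sfp10,sfp13,sfp14,sfp15,sfp16,sfp17,sfp18,sfp19,sfp20 mac-protocol=pppoe action=forward comment="VLAN 266 customers: PPPoE session"

# Static-routing customer ports (pvid 558/504/503/501): IP only, no PPPoE
add switch=switch1 ports=sfp7,sfp8,sfp11,sfp12 mac-protocol=ip action=forward comment="5xx customers: IP only"

# Uplinks carry the customer VLANs tagged; mirror the per-VLAN policy there
add switch=switch1 ports=combo1,sfp-sfpplus1 vlan-id=266 mac-protocol=pppoe-discovery action=forward comment="uplink VLAN 266: PPPoE discovery"
add switch=switch1 ports=combo1,sfp-sfpplus1 vlan-id=266 mac-protocol=pppoe action=forward comment="uplink VLAN 266: PPPoE session"
add switch=switch1 ports=combo1,sfp-sfpplus1 vlan-id=558 mac-protocol=ip action=forward comment="uplink VLAN 558: IP"
add switch=switch1 ports=combo1,sfp-sfpplus1 vlan-id=504 mac-protocol=ip action=forward comment="uplink VLAN 504: IP"
add switch=switch1 ports=combo1,sfp-sfpplus1 vlan-id=503 mac-protocol=ip action=forward comment="uplink VLAN 503: IP"
add switch=switch1 ports=combo1,sfp-sfpplus1 vlan-id=501 mac-protocol=ip action=forward comment="uplink VLAN 501: IP"

# Management VLAN: anything goes, as in the original forward rule for 1337
add switch=switch1 ports=combo1,sfp-sfpplus1 vlan-id=1337 action=forward comment="MGMT VLAN 1337"

# Everything not matched above is dropped; without this rule the ACL default is to forward
add switch=switch1 ports=sfp1,sfp2,sfp3,sfp4,sfp5,sfp6,sfp7,sfp8,sfp9,sfp10,sfp11,sfp12,sfp13,sfp14,sfp15,sfp16,sfp17,sfp18,sfp19,sfp20,combo1,sfp-sfpplus1 action=drop comment="drop all other frame types"
```

Switch ACL rules act on ingress only, so there is no separate input/output/forward split as in the bridge filter; the explicit drop rule at the end is what turns the accept list into a whitelist.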
 
AVA
just joined
Topic Author
Posts: 21
Joined: Mon Jun 18, 2018 6:19 pm

Re: Bridge filter not matching (CRS328-4C-20S-1S+ with v6.42.3)

Tue Jun 19, 2018 7:46 pm

Ok, thank you very much, now I got it. I missed the menu Switch -> ACL :lol: It's also clear that the bridge filter won't match when the filters are done in the CPU....
 
AVA
just joined
Topic Author
Posts: 21
Joined: Mon Jun 18, 2018 6:19 pm

Re: Bridge filter not matching (CRS328-4C-20S-1S+ with v6.42.3)

Fri Jun 22, 2018 5:07 pm

Hi again,

Now I have almost everything running. Only one thing: port isolation. I follow this manual:

https://wiki.mikrotik.com/wiki/Manual:C ... s_switches

Under the point "port isolation" you only get this link:

https://wiki.mikrotik.com/wiki/Manual:S ... _isolation

...here we have the info that you should use the command
/interface ethernet switch port-isolation
which doesn't exist for CRS3xx. Do I miss something again? :lol: Thanks in advance so far!


Michael
 
chechito
Forum Guru
Posts: 1740
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Bridge filter not matching (CRS328-4C-20S-1S+ with v6.42.3)

Fri Jun 22, 2018 9:52 pm

Available on RouterOS 6.43rc32 (release candidate).
Currently I have one CRS326 running 6.43rc32 (because I needed to use isolation) and it is running fine.

Don't forget to try the "unknown unicast flood" and "unknown multicast flood" bridge port options, they work without losing hardware acceleration.
