miconof
just joined
Topic Author
Posts: 4
Joined: Thu May 25, 2023 7:52 am
Location: France

help or documentation about bridge vlan filtering

Sat May 27, 2023 8:34 am

Hi, I'm quite new to setting up MikroTik devices; here is my setup.
model: CRS328-24P-4S+
current-firmware: 7.9

I also have a 'cAP ax', but it's not the point here.

I'm looking for documentation on how to implement VLANs on a bridge with VLAN filtering turned on.

Below is a diagram of what I did:
network.png
For the general environment: my switch/router, named 'SwRo', is directly connected to the ONT of my internet provider (no ISP box anymore).
/interface vlan add interface=sfp1 name=ONT-Bouygue-Fibre vlan-id=100
/ip dhcp-client option add code=60 name=vendorid value=0x42594754454c494144
# the DHCP client must reference the VLAN interface by the name given above (the post had "Fibre_ByTel_vl100" here, which does not match the interface created)
/ip dhcp-client add dhcp-options=vendorid disabled=no interface=ONT-Bouygue-Fibre
/interface bridge port add bridge=bridge interface=ether1
[...]
/interface bridge port add bridge=bridge interface=ether24
/interface bridge port add bridge=bridge interface=sfp-sfpplus1
/interface bridge port add bridge=bridge interface=sfp-sfpplus3
/interface bridge port add bridge=bridge interface=sfp-sfpplus4

/ip firewall nat add action=masquerade chain=srcnat out-interface=ONT-Bouygue-Fibre
/ip address add address=192.168.0.2/24 comment=LAN_HOME interface=bridge network=192.168.0.0
/ip address add address=192.168.0.88/24 comment=defconf interface=ether2 network=192.168.0.0

All of the above works as expected.

Next I set up a trunk port with 2 tagged VLANs.

I did my setup following this guide: viewtopic.php?f=13&t=143620#p706997
post #2: Switch with a separate router (RoaS), section "Router Configuration at a glance".
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge-v vlan-filtering=no

# assumed (not shown in the original post): the trunk has to be a member of bridge-v
# before it can be referenced in the bridge VLAN table below
/interface bridge port
add bridge=bridge-v interface=sfp-sfpplus2

/interface vlan
add interface=bridge-v name=VLAN2 vlan-id=2
add interface=bridge-v name=VLAN5 vlan-id=5

/interface bridge vlan
add bridge=bridge-v tagged=sfp-sfpplus2 vlan-ids=2,5

/interface list member
add interface=VLAN2 list=VLAN
add interface=VLAN5 list=VLAN

/ip address
add address=192.168.2.1/24 interface=VLAN2 network=192.168.2.0
add address=192.168.5.1/24 interface=VLAN5 network=192.168.5.0

On the other side I plugged in a FreeBSD host with jails on the VLANs. All seems to work: I can ping the internet or anyone in my LAN from both VLANs.

What I wanted is to isolate VLAN2 and VLAN5 from everyone else. But they need to be able to go to the internet.

For this I had to set vlan-filtering=yes on bridge-v.
But when I did this, from both VLANs I can't even ping their gateway (192.168.2.1 / 192.168.5.1).

I think I have to add some rules in /interface/bridge/nat and /interface/bridge/filter/.

I'm looking for documentation about bridge vlan filtering.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help or documentation about bridge vlan filtering

Mon May 29, 2023 3:47 am

WHY???

Read para C. PCUNITE wrote the bible on bridge vlan filtering. --> viewtopic.php?t=182373
BUT... you don't have a router, you have a switch that can act as a poor router.
Basically, if you have a 1 gig internet connection you will probably be lucky to get half that speed.

In any case, the last point is that it's a switch, so configuring it for efficient use may be better suited to switch VLAN setup methods.
Which can be found at para P.
 
miconof
just joined
Topic Author
Posts: 4
Joined: Thu May 25, 2023 7:52 am
Location: France

Re: help or documentation about bridge vlan filtering

Wed Jun 14, 2023 12:25 pm

Thanks for your answer, you are right.
In my use case, will the hEX S be enough?
 
jbl42
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: help or documentation about bridge vlan filtering

Wed Jun 14, 2023 2:55 pm

What I wanted is to isolate VLAN2 and VLAN5 from everyone else. But they need to be able to go to the internet.
You need to add the CPU port (the bridge interface itself) as a tagged interface for your VLANs so the switch forwards tagged packets to the CPU. After that, you will be able to enable VLAN filtering with the clients still able to reach the CPU.
/interface bridge vlan
# the CPU port is the bridge interface itself; VLAN2/VLAN5 are L3 interfaces, not bridge ports, so they cannot be listed as tagged members
add bridge=bridge-v tagged=bridge-v,sfp-sfpplus2 vlan-ids=2,5
More details in the link provided by anav.

For traffic between VLAN2 and VLAN5:
You have different subnets for VLAN2 and VLAN5. Traffic between those is hence routed (L3) and not switched (L2). For isolation, add a forward firewall rule dropping packets with input interface VLAN2 and output VLAN5 and vice versa. Or, in your case, you can add one rule dropping packets with both input and output interface in the VLAN interface list.
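As an added worked example, not jbl42's or miconof's own config, here is the complete bridge-v setup with the bridge itself tagged as the CPU port, followed by the forward-chain rules that isolate the two VLANs from each other and from the rest of the LAN while still letting them out to the internet. The names bridge-v, sfp-sfpplus2, VLAN2/VLAN5, the interface list VLAN and the WAN interface ONT-Bouygue-Fibre come from the thread; the rule order, the established/related accept, the final catch-all drop and the check commands at the end are assumptions for illustration.

```routeros
# Added example (not from the thread). Assumes the names from miconof's post:
# bridge-v, trunk sfp-sfpplus2, VLAN2/VLAN5, interface list VLAN, WAN ONT-Bouygue-Fibre.
# Build everything with filtering still off, enable it last.

/interface bridge
add name=bridge-v frame-types=admit-only-vlan-tagged vlan-filtering=no

# The trunk must be a bridge port before the VLAN table can reference it.
/interface bridge port
add bridge=bridge-v interface=sfp-sfpplus2 frame-types=admit-only-vlan-tagged

# CPU port = the bridge interface itself. Without bridge-v in the tagged list the
# switch chip stops delivering VLAN 2/5 frames to the CPU as soon as filtering is on,
# which is exactly the "cannot ping 192.168.2.1 / 192.168.5.1" symptom.
/interface bridge vlan
add bridge=bridge-v tagged=bridge-v,sfp-sfpplus2 vlan-ids=2,5

# L3 interfaces on top of the bridge, one per VLAN.
/interface vlan
add interface=bridge-v name=VLAN2 vlan-id=2
add interface=bridge-v name=VLAN5 vlan-id=5

/interface list
add name=VLAN
/interface list member
add interface=VLAN2 list=VLAN
add interface=VLAN5 list=VLAN

/ip address
add address=192.168.2.1/24 interface=VLAN2
add address=192.168.5.1/24 interface=VLAN5

# Isolation lives in the routed path (forward chain), not in /interface/bridge/filter:
# VLAN2 <-> VLAN5 is dropped by a single rule on the interface list, VLAN -> WAN is
# allowed, and anything else sourced from the VLANs (e.g. towards 192.168.0.0/24 on
# the main bridge) is dropped. Rule order matters: first match wins.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="return traffic for allowed flows"
add chain=forward action=drop in-interface-list=VLAN out-interface-list=VLAN comment="no VLAN2<->VLAN5"
add chain=forward action=accept in-interface-list=VLAN out-interface=ONT-Bouygue-Fibre comment="VLANs to internet only"
add chain=forward action=drop in-interface-list=VLAN comment="VLANs reach nothing else"

# Enable filtering last, from a session that does not depend on bridge-v
# (for instance the 192.168.0.88 address on ether2 from the original post), so a
# mistake in the VLAN table cannot lock you out.
/interface bridge set bridge-v vlan-filtering=yes

# Checks: the VLAN table entry must show bridge-v and sfp-sfpplus2 as tagged on 2,5
# without an invalid flag, and the host table should learn MACs on VLANs 2 and 5.
/interface bridge vlan print
/interface bridge host print
```

A quick way to confirm the isolation rule is doing its job is a ping from a VLAN2 jail to 192.168.5.1 (should succeed, it is the local gateway on the CPU port) and to a host in 192.168.5.0/24 or 192.168.0.0/24 (should fail), while `/ip firewall filter print stats` shows the drop counters increasing.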
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help or documentation about bridge vlan filtering

Wed Jun 14, 2023 3:32 pm

No, a hEX S is not enough if talking about a 1 gig connection.
The cheapest device with guaranteed throughput of 1 gig is the hAP ax3.
 
jbl42
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: help or documentation about bridge vlan filtering

Wed Jun 14, 2023 4:00 pm

Depending on the packet size, the hEX S can reach 1GB for routing with firewalling. I suggest giving it a try for your usage scenario.
Depending on the number of parallel connections and packet sizes, it might be enough or not.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: help or documentation about bridge vlan filtering

Wed Jun 14, 2023 4:11 pm

Let's stick to the facts, shall we!

Looking at the Test Results: 512 byte
for 25 simple queues (736 Mbps)
and
25 filter rules (385 Mbps)

Realistically one should expect something between those two numbers, and hopefully closer to the 736 number.
This reflects version 7.0 firmware.
The older version 6 numbers I don't recall off the top of my head, but they were more in the range of 900/500 (guessing).
I have hEXes and used one as my first router, and even on version 6 I was never able to hit 900 Mbps on my 1 gig connection.

Thus, from both a user perspective and from the MT results pages, don't waste your money on anything other than a hAP ax3 if you desire to optimize your ISP throughput.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: help or documentation about bridge vlan filtering

Wed Jun 14, 2023 10:23 pm

Asking if the hEX is sufficient for your use case without describing what your use case is won't get you useful answers.

Why did you specifically ask about the hEX? And by hEX do you mean RB750Gr3?

If you already have the hEX, I would try it to see if it is sufficient. It will be faster than the CPU that is built into the CRS328-24P-4S+ (which has a single-core 800 MHz processor; the RB750Gr3 has a MediaTek MT7621 SoC with two 800 MHz cores (4 virtual cores with hyperthreading)).

If you will need to buy something for routing, the hEX isn't the best, especially since you won't really need the HW-assisted VLAN bridge in the hEX with v7, since you already have the capable CRS328-24P-4S+ switch.

Since you said that you want the VLANs to be isolated from each other, the primary routing will be between the internet and your LANs, not inter-VLAN routing between the VLANs.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: help or documentation about bridge vlan filtering

Thu Jun 15, 2023 9:49 am

If you will need to buy something for routing, the hEX isn't the best, especially since you won't really need the HW-assisted VLAN bridge in the hEX with v7, since you already have the capable CRS328-24P-4S+ switch.

Since you said that you want the VLANs to be isolated from each other, the primary routing will be between the internet and your LANs, not inter-VLAN routing between the VLANs.

The CRS328, if running ROS v7, should be a nice device to do the routing between VLANs ... especially if that doesn't involve too much firewalling. CRS328 does support L3HW (HW-assisted routing): https://help.mikrotik.com/docs/display/ ... iceSupport

So if requirements and topology allow, then the hEX could be used only as border router/gateway/firewall with somewhat lower performance requirements (obviously depends on WAN line specs).
