crosswind
bridge filter forward rules don't match packet mark

Mon Apr 11, 2022 11:23 pm

Hello,

I'm having a problem using packet marks in bridge filter, and I can't tell if this is a bug or if I'm misunderstanding something. This is on v7.2 on a hAP ac2.

First, I configured some mangle rules in /ip/firewall/mangle to set packet marks:
/ip firewall mangle
add action=set-priority chain=prerouting comment="try to set priority from ingress" ingress-priority=!0 new-priority=from-ingress passthrough=yes priority=0
add action=jump chain=prerouting comment="if priority is 0, try to set from DSCP" disabled=yes dscp=!0 jump-target=set-priority-from-dscp priority=0
add action=set-priority chain=prerouting comment="if priority is still 0, default to 1" new-priority=1 passthrough=yes priority=0
add action=mark-packet chain=prerouting new-packet-mark=p0 passthrough=yes priority=0
add action=mark-packet chain=prerouting new-packet-mark=p1 passthrough=yes priority=1
add action=mark-packet chain=prerouting new-packet-mark=p2 passthrough=yes priority=2
add action=mark-packet chain=prerouting new-packet-mark=p3 passthrough=yes priority=3
add action=mark-packet chain=prerouting new-packet-mark=p4 passthrough=yes priority=4
add action=mark-packet chain=prerouting new-packet-mark=p5 passthrough=yes priority=5
add action=mark-packet chain=prerouting new-packet-mark=p6 passthrough=yes priority=6
add action=mark-packet chain=prerouting new-packet-mark=p7 passthrough=yes priority=7
add action=set-priority chain=set-priority-from-dscp comment="DSCP 0 (DF - Standard)" dscp=0 new-priority=1 passthrough=yes priority=0
add action=set-priority chain=set-priority-from-dscp comment="DSCP 1" dscp=1 new-priority=1 passthrough=yes priority=0
add action=set-priority chain=set-priority-from-dscp comment="DSCP 2" dscp=2 new-priority=1 passthrough=yes priority=0
... many more DSCP rules elided ...
I see counters incrementing for these rules, so that seems to be working as intended.

Then I added some bridge filter rules:
/interface bridge filter
add action=set-priority chain=forward new-priority=0 packet-mark=p0 passthrough=yes
add action=set-priority chain=forward new-priority=1 packet-mark=p1 passthrough=yes
add action=set-priority chain=forward new-priority=2 packet-mark=p2 passthrough=yes
add action=set-priority chain=forward new-priority=3 packet-mark=p3 passthrough=yes
add action=set-priority chain=forward new-priority=4 packet-mark=p4 passthrough=yes
add action=set-priority chain=forward new-priority=5 packet-mark=p5 passthrough=yes
add action=set-priority chain=forward new-priority=6 packet-mark=p6 passthrough=yes
add action=set-priority chain=forward new-priority=7 packet-mark=p7 passthrough=yes
These rules don't seem to be working: the counters stay at zero, even while the mark-packet rules show increasing counters.

The bridge is configured like this:
/interface bridge
add add-dhcp-option82=yes admin-mac=74:4D:28:8E:7A:89 auto-mac=no dhcp-snooping=yes fast-forward=no name=lan protocol-mode=mstp vlan-filtering=yes
/interface bridge port
add bridge=lan edge=yes frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether1 point-to-point=no pvid=100
add bridge=lan edge=yes frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether2 point-to-point=no pvid=100
add bridge=lan edge=yes frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether3 point-to-point=no pvid=100
add bridge=lan edge=yes frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether4 point-to-point=no pvid=100
add bridge=lan edge=no frame-types=admit-only-vlan-tagged interface=wr2-wds internal-path-cost=100 path-cost=100 point-to-point=yes trusted=yes
add bridge=lan edge=no frame-types=admit-only-vlan-tagged interface=wr3-wds internal-path-cost=100 path-cost=100 point-to-point=yes trusted=yes
add bridge=lan edge=yes frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether5 point-to-point=no pvid=100
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=lan comment="default vlan" tagged=lan untagged=wr2-wds,wr3-wds vlan-ids=1
add bridge=lan comment="client network" tagged=lan,wr2-wds,wr3-wds vlan-ids=100
add bridge=lan comment="CAPsMAN vlan" tagged=lan,wr2-wds,wr3-wds vlan-ids=101
add bridge=lan comment="Management VLAN" tagged=lan,wr2-wds,wr3-wds vlan-ids=102
Is there something I'm missing here?
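As an added example (not code from the post or from MikroTik), here is a small audit script that cross-checks the two exports above: it parses the RouterOS `add k=v ...` line format, lists the packet marks the bridge filter matches on that no enabled mangle rule ever sets (and vice versa), and flags user chains that are only reachable through a disabled jump. The embedded sample is a deliberately abbreviated copy of the post's config (only p0 and p1 are marked), so that the checker has something to report; the section names are the ones used in the post.

```python
import shlex

# Constructed sample: an abbreviated version of the export shown in the post.
SAMPLE_EXPORT = """\
/ip firewall mangle
add action=set-priority chain=prerouting comment="try to set priority from ingress" ingress-priority=!0 new-priority=from-ingress passthrough=yes priority=0
add action=jump chain=prerouting comment="if priority is 0, try to set from DSCP" disabled=yes dscp=!0 jump-target=set-priority-from-dscp priority=0
add action=set-priority chain=prerouting new-priority=1 passthrough=yes priority=0
add action=mark-packet chain=prerouting new-packet-mark=p0 passthrough=yes priority=0
add action=mark-packet chain=prerouting new-packet-mark=p1 passthrough=yes priority=1
add action=set-priority chain=set-priority-from-dscp comment="DSCP 0" dscp=0 new-priority=1 passthrough=yes priority=0
/interface bridge filter
add action=set-priority chain=forward new-priority=0 packet-mark=p0 passthrough=yes
add action=set-priority chain=forward new-priority=1 packet-mark=p1 passthrough=yes
add action=set-priority chain=forward new-priority=2 packet-mark=p2 passthrough=yes
"""

BUILTIN_CHAINS = {"prerouting", "input", "forward", "output", "postrouting"}


def parse_export(text):
    """Parse '/section' headers and 'add k=v ...' lines into {section: [rule dict]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            # shlex handles quoted values such as comment="..." containing spaces
            rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            sections[current].append(rule)
    return sections


def audit_marks(sections):
    """Return (marks matched but never set, marks set but never matched,
    user chains not targeted by any enabled jump rule)."""
    mangle = sections.get("/ip firewall mangle", [])
    bfilter = sections.get("/interface bridge filter", [])
    enabled = [r for r in mangle if r.get("disabled") != "yes"]
    produced = {r["new-packet-mark"] for r in enabled if r.get("action") == "mark-packet"}
    consumed = {r["packet-mark"].lstrip("!") for r in bfilter if "packet-mark" in r}
    user_chains = {r["chain"] for r in mangle} - BUILTIN_CHAINS
    live_targets = {r["jump-target"] for r in enabled if r.get("action") == "jump"}
    return sorted(consumed - produced), sorted(produced - consumed), sorted(user_chains - live_targets)


if __name__ == "__main__":
    print(audit_marks(parse_export(SAMPLE_EXPORT)))
```

Run against a full `/export` the same way; an empty first list means every mark the bridge filter waits for is at least being produced somewhere, so the zero counters are not a naming mismatch.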
