nonolk
just joined
Topic Author
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

RB5009: Bridge filter rules help

Fri Dec 02, 2022 6:51 pm

Hello everybody,

I'm actually struggling with one problem with my new router (rb5009).

Indeed, to be able to get an ip address from my ISP, I need to change the vlan priority of the dhcp packets.

I used to use switch rules to do it on my former rb3011, but the rb5009 does not support new-vlan-priority switch rules :-p

I also know I could use bridge filter rules to achieve it, but as I need to use VLAN filtering I ended up with a two-bridge configuration which is working; the problem with this configuration is that only the first bridge is hardware offloaded... So I'm also losing FastTrack...

My question is the following: is there a better way to achieve it? For instance with only one bridge?

I'm posting here a sanitized configuration export (ipv6 part is also removed):
# nov/29/2022 09:59:07 by RouterOS 7.6
# software id = NYZZ-0FRB
#
# model = RB5009UPr+S+
# serial number = 
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=CH1
add band=2ghz-b/g/n frequency=2417 name=CH2
add band=2ghz-b/g/n frequency=2422 name=CH3
add band=2ghz-b/g/n frequency=2427 name=CH4
add band=2ghz-b/g/n frequency=2432 name=CH5
add band=2ghz-b/g/n frequency=2437 name=CH6
add band=2ghz-b/g/n frequency=2442 name=CH7
add band=2ghz-b/g/n frequency=2447 name=CH8
add band=2ghz-b/g/n frequency=2452 name=CH9
add band=2ghz-b/g/n frequency=2457 name=CH10
add band=2ghz-b/g/n frequency=2462 name=CH11
add band=2ghz-b/g/n frequency=2467 name=CH12
add band=2ghz-b/g/n frequency=2472 name=CH13
add band=5ghz-a/n/ac frequency=5180 name=CH36
add band=5ghz-a/n/ac frequency=5200 name=CH40
add band=5ghz-a/n/ac frequency=5220 name=CH44
add band=5ghz-a/n/ac frequency=5240 name=CH48
add band=5ghz-a/n/ac frequency=5260 name=CH52
add band=5ghz-a/n/ac frequency=5280 name=CH56
add band=5ghz-a/n/ac frequency=5300 name=CH60
add band=5ghz-a/n/ac frequency=5320 name=CH64
add band=5ghz-a/n/ac frequency=5500 name=CH100
add band=5ghz-a/n/ac frequency=5520 name=CH104
add band=5ghz-a/n/ac frequency=5540 name=CH108
add band=5ghz-a/n/ac frequency=5560 name=CH112
add band=5ghz-a/n/ac frequency=5580 name=CH116
add band=5ghz-a/n/ac frequency=5600 name=CH120
add band=5ghz-a/n/ac frequency=5620 name=CH124
add band=5ghz-a/n/ac frequency=5640 name=CH128
add band=5ghz-a/n/ac frequency=5660 name=CH132
add band=5ghz-a/n/ac frequency=5680 name=CH136
add band=5ghz-a/n/ac frequency=5700 name=CH140
add band=5ghz-a/n/ac frequency=5160 name=CH32
add band=5ghz-a/n/ac frequency=5340 name=CH68
add band=5ghz-a/n/ac frequency=5480 name=CH96
add band=5ghz-n/ac extension-channel=eeeC frequency=5500,5520,5540,5560 name=\
    CH106
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no name=bridge-LAN \
    vlan-filtering=yes
add name=bridge-wan protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-TV poe-out=off
set [ find default-name=ether2 ] name=ether2-Livebox poe-out=off speed=\
    100Mbps
set [ find default-name=ether3 ] name=ether3-Garage
set [ find default-name=ether4 ] name=ether4-PI
set [ find default-name=ether5 ] name=ether5-AP poe-out=off
set [ find default-name=ether6 ] name=ether6-Bureau poe-out=off
set [ find default-name=ether7 ] name=ether7-Cave
set [ find default-name=ether8 ] name=ether8-Salon
set [ find default-name=sfp-sfpplus1 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full name=sfp-wan
/interface vlan
add interface=bridge-LAN name=DMZ vlan-id=30
add interface=bridge-LAN name=vlan1 vlan-id=10
add interface=bridge-LAN name=vlan2 vlan-id=2
add interface=ether2-Livebox name=vlan832-livebox vlan-id=832
add interface=sfp-wan name=vlan832-wan vlan-id=832
add arp=disabled interface=sfp-wan loop-protect=off name=vlan840-wan vlan-id=\
    840
/caps-man datapath
add bridge=bridge-LAN name=datapath_vlan2 vlan-id=2 vlan-mode=use-tag
add bridge=bridge-LAN name=datapath_vlan10 vlan-id=10 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=nonolk
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=Iot
/caps-man configuration
add channel=CH6 channel.band=2ghz-g/n .extension-channel=disabled country=\
    france datapath=datapath_vlan2 datapath.local-forwarding=no mode=ap name=\
    Iot security=Iot ssid=nonolk_g
add channel=CH106 channel.band=5ghz-n/ac country=france datapath=\
    datapath_vlan10 mode=ap name=nonolk_net5 security=nonolk ssid=nonolk.net5
add datapath=datapath_vlan10 name=nonolk_net security=nonolk ssid=nonolk.net
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Orange_TV
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=class-identifier value="'sagem'"
add code=77 name=userclass value=\
    ""
add code=90 name=authsend value=""
/ip dhcp-server option
add code=120 name=SIP value=""
add code=119 name=domain-search value=\
    0x0353545206616363657373116f72616e67652d6d756c74696d65646961036e657400
add code=125 name=VendorSPecific value=0x000005580c010a0001000000ffffffffff
add code=90 name=authsend value=\
    0x0000000000000000000000646863706c697665626f786672323530
/ip pool
add name=pool-lan ranges=192.168.1.100-192.168.1.200
add name=pool-IOT ranges=192.168.2.100-192.168.2.200
add name=pool-livebox ranges=192.168.4.10-192.168.4.20
add name=poot-tv ranges=192.168.42.10-192.168.42.19
/ip dhcp-server
add add-arp=yes address-pool=pool-lan interface=vlan1 lease-time=8h name=Lan
add add-arp=yes address-pool=pool-IOT interface=vlan2 lease-time=8h name=IOT
add add-arp=yes address-pool=pool-livebox interface=vlan832-livebox \
    lease-time=8h name=Livebox
add address-pool=poot-tv interface=ether1-TV lease-time=8h name=TV \
    use-framed-as-classless=no
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Iot name-format=prefix \
    name-prefix=garage_24_ radio-mac= slave-configurations=\
    nonolk_net
add action=create-dynamic-enabled master-configuration=nonolk_net5 \
    name-format=prefix name-prefix=garage_5_ radio-mac=
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp \
    mac-protocol=ip new-priority=6 out-interface=vlan832-wan passthrough=yes
add action=set-priority chain=output dst-port=547 ip-protocol=udp \
    mac-protocol=ipv6 new-priority=6 out-interface=vlan832-wan
/interface bridge port
add bridge=bridge-LAN comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5-AP pvid=10
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether6-Bureau
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether7-Cave
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether8-Salon
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-PI pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-Garage pvid=10
add bridge=bridge-wan interface=vlan832-wan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-LAN tagged=\
    bridge-LAN,ether8-Salon,ether7-Cave,ether6-Bureau vlan-ids=10
add bridge=bridge-LAN tagged=\
    bridge-LAN,ether6-Bureau,ether7-Cave,ether8-Salon vlan-ids=2
add bridge=bridge-LAN tagged=\
    ether6-Bureau,ether7-Cave,ether8-Salon,bridge-LAN vlan-ids=30
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=DMZ list=LAN
add interface=ether2-Livebox list=LAN
add interface=ether1-TV list=Orange_TV
add interface=vlan840-wan list=Orange_TV
add interface=bridge-wan list=WAN
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.3.1/24 interface=DMZ network=192.168.3.0
add address=192.168.4.1/24 interface=vlan832-livebox network=192.168.4.0
add address=192.168.255.254 comment="TV Orange" interface=vlan840-wan \
    network=192.168.255.254
add address=192.168.42.1/24 interface=ether1-TV network=192.168.42.0
/ip dhcp-client
add dhcp-options=hostname,clientid,authsend,class-identifier,userclass \
    interface=bridge-wan use-peer-ntp=no
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=53 protocol=udp src-address=\
    192.168.3.2
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input in-interface-list=LAN protocol=icmp
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow multicast TV Orange" dst-port=\
    8200,8202 in-interface=vlan840-wan protocol=udp
add action=accept chain=input comment="Service Orange TV" dst-port=5678 \
    in-interface-list=Orange_TV protocol=udp
add action=accept chain=input comment="Allow IGMP for Orange TV" \
    in-interface-list=Orange_TV protocol=igmp
add action=accept chain=forward comment="DNS/NTP pour le decodeur TV Orange" \
    dst-port=53,123,5000 in-interface=ether1-TV out-interface=bridge-wan \
    protocol=udp
add action=accept chain=forward comment="HTTP/S pour le decodeur TV Orange" \
    dst-port=80,443,8554 in-interface=ether1-TV out-interface=bridge-wan \
    protocol=tcp
add action=accept chain=forward comment="TV Orange" dst-port=8200,8202 \
    in-interface=vlan840-wan out-interface=ether1-TV protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=debug
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward dst-address=192.168.10.1 protocol=icmp \
    src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.10.1 dst-port=80,443 \
    protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.3.2 in-interface=vlan1 \
    protocol=icmp
add action=accept chain=forward dst-address=192.168.3.2 dst-port=22,443 \
    protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.0.0/16 src-address=\
    192.168.0.0/16
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=output new-priority=5 out-interface=vlan840-wan \
    passthrough=yes src-address-type=local
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=bridge-wan \
    protocol=tcp src-port="" to-addresses=192.168.3.2 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=bridge-wan protocol=\
    tcp to-addresses=192.168.3.2 to-ports=80
/ip firewall service-port
set sip disabled=yes

/routing igmp-proxy interface
add alternative-subnets=193.0.0.0/8,81.0.0.0/8,172.0.0.0/8,80.0.0.0/8 \
    interface=vlan840-wan upstream=yes
add interface=ether1-TV
/system clock
set time-zone-name=Europe/Paris
/system logging
add disabled=yes topics=radvd
/system ntp client
set enabled=yes
/system ntp client servers
add address=5.196.160.139
add address=212.85.158.10
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thanks in advance for your help.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB5009: Bridge filter rules help

Sat Dec 03, 2022 8:43 pm

If the switch chip rules do not support setting of the priority field, there is no other way to achieve your goal than to use a bridge filter.

The presence of bridge filter rules as such does not disable hardware acceleration of bridging (or at least it did not on RouterOS 6), it just doesn't handle frames that are hardware-accelerated (meaning forwarded by the switch chip, bypassing the CPU). I remember there used to be issues with vlan-encap matching on some architectures (endianness problem); I also hazily remember this being mentioned as fixed in some of the RouterOS 7 changelogs. So it should be possible to make the WAN just one of the VLANs on a common bridge with vlan-filtering=yes and still be able to use a bridge filter rule to set the priority field in the 802.1Q tag. But you can use a dedicated bridge for WAN as well, because if you don't like the decision of RouterOS regarding which bridge should be hardware accelerated, you can affect it on a per-port basis: if the hw item is set to yes on an /interface bridge port row, it permits RouterOS to hw-accelerate this port, but it does not force it; setting it to no prohibits hardware acceleration, and if hardware acceleration of all ports of some bridge is prohibited, RouterOS chooses to hw-accelerate another bridge. So if you set hw=no for the physical WAN interface, the bridge it is the single member of will not be hw-accelerated and the other one will (unless all its member ports also have hw set to no).

There is no benefit in hw-accelerating the WAN bridge, because the frames are not forwarded between two ethernet ports of that bridge so the CPU is always involved.
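Whether the bridge filter actually rewrote the tag is something you can only tell on the wire, e.g. from a capture taken with the packet sniffer on the WAN port. The following is an added example, not code from the thread or from MikroTik: it decodes the 802.1Q TCI of each frame and flags DHCP requests (UDP/67, UDP/547) whose PCP or VID does not match what the OP's rules try to set (PCP 6 on VLAN 832, assumed here as the expected values). The frame builder produces a constructed sample for testing, not real Livebox traffic.

```python
"""Verify the 802.1Q priority (PCP) of outgoing DHCP requests in a capture.
Added example; expected PCP/VID values are assumptions taken from the thread."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_UDP = 17
DHCPV4_SERVER_PORT = 67
DHCPV6_SERVER_PORT = 547


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II + optional 802.1Q tag + IPv4/IPv6 + UDP headers.
    Returns the fields needed to judge a DHCP request; payloads this parser
    does not understand leave ip_proto/udp_dst as None."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"tagged": False, "pcp": None, "dei": None, "vid": None,
            "ethertype": ethertype, "ip_proto": None, "udp_dst": None}
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        # TCI layout: 3-bit PCP | 1-bit DEI | 12-bit VID, then the real ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=tci & 0x0FFF, ethertype=ethertype)
        offset = 18
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4          # header length in bytes
        info["ip_proto"] = frame[offset + 9]
        l4 = offset + ihl
    elif ethertype == ETHERTYPE_IPV6 and len(frame) >= offset + 40:
        info["ip_proto"] = frame[offset + 6]      # next header (no extension headers handled)
        l4 = offset + 40
    else:
        return info
    if info["ip_proto"] == IPPROTO_UDP and len(frame) >= l4 + 8:
        info["udp_dst"] = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return info


def is_dhcp_request(info: dict) -> bool:
    """DHCPv4 goes to UDP/67, DHCPv6 to UDP/547: the same ports the two
    bridge filter rules in the thread match on."""
    if info["ethertype"] == ETHERTYPE_IPV4:
        return info["udp_dst"] == DHCPV4_SERVER_PORT
    if info["ethertype"] == ETHERTYPE_IPV6:
        return info["udp_dst"] == DHCPV6_SERVER_PORT
    return False


def check_dhcp_priority(frame: bytes, expected_pcp: int = 6,
                        expected_vid: int = 832):
    """Return (ok, reason) for one frame. Non-DHCP frames pass, since the
    priority requirement only concerns the DHCP requests."""
    info = parse_frame(frame)
    if not is_dhcp_request(info):
        return True, "not a DHCP request"
    if not info["tagged"]:
        return False, "DHCP request sent untagged"
    if info["vid"] != expected_vid:
        return False, f"DHCP request on VLAN {info['vid']}, expected {expected_vid}"
    if info["pcp"] != expected_pcp:
        return False, f"PCP is {info['pcp']}, expected {expected_pcp}"
    return True, "ok"


def build_tagged_dhcpv4_discover(pcp: int, vid: int,
                                 src_mac: bytes = b"\x02\x00\x00\x00\x00\x01") -> bytes:
    """Constructed sample: broadcast DHCPv4 request UDP/68 -> UDP/67 inside an
    802.1Q tag. Checksums are left at zero; it only exercises the parser."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    eth = b"\xff" * 6 + src_mac + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4)
    payload = b"\x01" + b"\x00" * 239                 # op=BOOTREQUEST, padded body
    udp = struct.pack("!HHHH", 68, DHCPV4_SERVER_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, b"\x00\x00\x00\x00", b"\xff\xff\xff\xff")
    return eth + ip + udp


def audit_capture(frames) -> list:
    """Run the check over every frame and return the reasons for failures."""
    return [reason for f in frames
            for ok, reason in [check_dhcp_priority(f)] if not ok]


if __name__ == "__main__":
    good = build_tagged_dhcpv4_discover(pcp=6, vid=832)
    bad = build_tagged_dhcpv4_discover(pcp=0, vid=832)
    print(audit_capture([good, bad]))   # ['PCP is 0, expected 6']
```

Feed it the raw frames from a capture of the WAN port; an empty result means every DHCP request left with the expected tag.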
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB5009: Bridge filter rules help

Sat Dec 03, 2022 10:28 pm

Very frustrating that MT does not provide a way to ensure return packets have the proper priority......................... FAIL
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB5009: Bridge filter rules help

Sat Dec 03, 2022 11:48 pm

Very frustrating ...
What? What the OP is asking is how to address a very specific misuse of available packet fields - the ISP discourages people from using their own routers by making the core network equipment assign a much lower bandwidth limit to devices that do not send their DHCP requests with a specific value in the 802.1Q priority field. Except for the ISP's routers and Linux boxes, I don't know of any router other than Mikrotik that would be flexible enough to allow this. So yes, it is definitely a fail, but not of Mikrotik.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 2:06 am

I suspect some ISPs enforce the requirement of DHCP requests having a specific 802.1Q priority to prevent any other devices a client has from acquiring an address if misconnected directly to the WAN. Requiring a specific DHCP option in the request would be a more friendly way of them achieving this as it more commonly supported by generally available routers.

In the meantime it would be really nice if Mikrotik permitted an /interface vlan to be created with an ID of zero so /ip firewall mangle rules with action=set-priority could be used rather than having to resort to abusing switch chip rules. There are use cases beyond identifying specific DHCP requests, e.g. prioritising upstream VoIP packets. Certainly the main UK provider will make decisions based on 802.1Q priority only - for anyone interested, section 2.3.12 of https://www.openreach.co.uk/cpportal/co ... IN_506.pdf
 
nonolk
just joined
Topic Author
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 11:40 am

Hello All,

Thank you for your first feedback.

@sindy, sadly when using only one bridge as you said, the filter rule is never applied…
@anav, do you confirm there is no solution for this?

It's really frustrating that the rb5009 does not support the new-vlan-priority switch rules… why?

Thank you.
Last edited by nonolk on Sun Dec 04, 2022 12:08 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 11:48 am

Thank you for your fist feedbacks.
Did it hurt :-) ?

@sindy, sadly when using only one bridge like you said it, the filter rule is never applied…
Show me the actual configuration where it does not work, please. It may be the bug I've referred to, or another bug, or a misconfiguration. Unfortunately, I've got no 5009 in my reach, so I cannot test myself.

It’s really frustrating that the rb5009 do not support the new-vlan-priority switch rules… why ?
Either because the switch chip chosen for the design doesn't support this in hardware but it was the best trade-off between technical and price requirements, or maybe because the chip supports it but in a new way so it has not been implemented yet.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 12:04 pm

I suspect some ISPs enforce the requirement of DHCP requests having a specific 802.1Q priority to prevent any other devices a client has from acquiring an address if misconnected directly to the WAN. Requiring a specific DHCP option in the request would be a more friendly way of them achieving this as it more commonly supported by generally available routers.
If it was this clever idea, I would expect no address to be offered at all. But here you do get an address, except that the available bandwidth is severely restricted. In the U.S., I've seen a cable operator do the same thing (bandwidth throttling rather than ignoring the DHCP request altogether); there, it depends on the vendor-class-id in the DHCP requests from the client rather than the contents of the 802.1Q priority field.

In the meantime it would be really nice if Mikrotik pemitted an /interface vlan to be created with an ID of zero so /ip firewall mangle rules with action=set-priority could be used
No idea how this works in RouterOS 7, but in RouterOS 6, I hazily remember there is no need to explicitly set VLAN ID 0 manually - if set-priority is used, and the physical interface does support 802.1Q tagging, the tag with VID set to 0 and the priority field set to the desired value is added automatically. But I tested this a long time ago.

The actual issue is that DHCP(v4) outgoing traffic does not pass through the IP firewall at all, that's how DHCP is hooked to the networking stack.
 
nonolk
just joined
Topic Author
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 12:12 pm

@sindy, sorry for the missing "r", yes otherwise it could hurt a bit ;-)

Here is the non-working configuration:
# dec/03/2022 14:17:23 by RouterOS 7.6
# software id = NYZZ-0FRB
#
# model = RB5009UPr+S+
# serial number = 
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=CH1
add band=2ghz-b/g/n frequency=2417 name=CH2
add band=2ghz-b/g/n frequency=2422 name=CH3
add band=2ghz-b/g/n frequency=2427 name=CH4
add band=2ghz-b/g/n frequency=2432 name=CH5
add band=2ghz-b/g/n frequency=2437 name=CH6
add band=2ghz-b/g/n frequency=2442 name=CH7
add band=2ghz-b/g/n frequency=2447 name=CH8
add band=2ghz-b/g/n frequency=2452 name=CH9
add band=2ghz-b/g/n frequency=2457 name=CH10
add band=2ghz-b/g/n frequency=2462 name=CH11
add band=2ghz-b/g/n frequency=2467 name=CH12
add band=2ghz-b/g/n frequency=2472 name=CH13
add band=5ghz-a/n/ac frequency=5180 name=CH36
add band=5ghz-a/n/ac frequency=5200 name=CH40
add band=5ghz-a/n/ac frequency=5220 name=CH44
add band=5ghz-a/n/ac frequency=5240 name=CH48
add band=5ghz-a/n/ac frequency=5260 name=CH52
add band=5ghz-a/n/ac frequency=5280 name=CH56
add band=5ghz-a/n/ac frequency=5300 name=CH60
add band=5ghz-a/n/ac frequency=5320 name=CH64
add band=5ghz-a/n/ac frequency=5500 name=CH100
add band=5ghz-a/n/ac frequency=5520 name=CH104
add band=5ghz-a/n/ac frequency=5540 name=CH108
add band=5ghz-a/n/ac frequency=5560 name=CH112
add band=5ghz-a/n/ac frequency=5580 name=CH116
add band=5ghz-a/n/ac frequency=5600 name=CH120
add band=5ghz-a/n/ac frequency=5620 name=CH124
add band=5ghz-a/n/ac frequency=5640 name=CH128
add band=5ghz-a/n/ac frequency=5660 name=CH132
add band=5ghz-a/n/ac frequency=5680 name=CH136
add band=5ghz-a/n/ac frequency=5700 name=CH140
add band=5ghz-a/n/ac frequency=5160 name=CH32
add band=5ghz-a/n/ac frequency=5340 name=CH68
add band=5ghz-a/n/ac frequency=5480 name=CH96
add band=5ghz-n/ac extension-channel=eeeC frequency=5500,5520,5540,5560 name=\
    CH106
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no name=bridge-LAN \
    protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether2 ] name=ether2-Livebox poe-out=off 
set [ find default-name=ether3 ] name=ether3-Garage
set [ find default-name=ether4 ] name=ether4-PI
set [ find default-name=ether5 ] name=ether5-AP poe-out=off
set [ find default-name=ether6 ] name=ether6-Bureau poe-out=off
set [ find default-name=ether7 ] name=ether7-Cave
set [ find default-name=ether8 ] name=ether8-Salon
set [ find default-name=sfp-sfpplus1 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full name=sfp-wan
/interface vlan
add interface=bridge-LAN name=DMZ vlan-id=30
add interface=bridge-LAN name=vlan-tv vlan-id=40
add interface=bridge-LAN name=vlan1 vlan-id=10
add interface=bridge-LAN name=vlan2 vlan-id=2
add interface=ether2-Livebox name=vlan832-livebox vlan-id=832
add interface=bridge-LAN name=vlan832-wan vlan-id=832
add interface=bridge-LAN name=vlan840-wan vlan-id=840
/caps-man datapath
add bridge=bridge-LAN name=datapath_vlan2 vlan-id=2 vlan-mode=use-tag
add bridge=bridge-LAN name=datapath_vlan10 vlan-id=10 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=nonolk
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=Iot
/caps-man configuration
add channel=CH6 channel.band=2ghz-g/n .extension-channel=disabled country=\
    france datapath=datapath_vlan2 datapath.local-forwarding=no mode=ap name=\
    Iot security=Iot ssid=xxx
add channel=CH106 channel.band=5ghz-n/ac country=france datapath=\
    datapath_vlan10 mode=ap name=xxx security=xxx ssid=xxx
add datapath=datapath_vlan10 name=xxx security=xxx ssid=xxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Orange_TV
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=class-identifier value="'sagem'"
add code=77 name=userclass value=\
    "'+FSVDSL_livebox.Internet.softathome.Livebox5'"
add code=90 name=authsend value="chaine longue"
/ip dhcp-server option
add code=120 name=SIP value="0x00067362637433670353545206616363657373116F72616\
    E67652D6D756C74696D65646961036E657400"
add code=119 name=domain-search value=\
    0x0353545206616363657373116f72616e67652d6d756c74696d65646961036e657400
add code=125 name=VendorSPecific value=0x000005580c010a0001000000ffffffffff
add code=90 name=authsend value=\
    0x000000000000000000000064
add code=125 name=authtv value="Livebox5based"
/ip pool
add name=pool-lan ranges=192.168.1.100-192.168.1.200
add name=pool-IOT ranges=192.168.2.100-192.168.2.200
add name=pool-livebox ranges=192.168.4.10-192.168.4.20
add name=poot-tv ranges=192.168.42.10-192.168.42.19
/ip dhcp-server
add add-arp=yes address-pool=pool-lan interface=vlan1 lease-time=8h name=Lan
add add-arp=yes address-pool=pool-IOT interface=vlan2 lease-time=8h name=IOT
add add-arp=yes address-pool=pool-livebox interface=vlan832-livebox \
    lease-time=8h name=Livebox
add address-pool=poot-tv interface=vlan-tv lease-time=8h name=TV \
    use-framed-as-classless=no
/ipv6 dhcp-client option
add code=16 name="class-identifer " value=0x0000040e0005736167656d
add code=11 name=authsend value="chaine longue"
add code=15 name=userclass value="bla bla"
/ipv6 dhcp-server option
add code=23 name=dnssrv value=0x2a01cbxxxx
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Iot name-format=prefix \
    name-prefix=garage_24_ radio-mac=xxx slave-configurations=\
    xxx
add action=create-dynamic-enabled master-configuration=xx \
    name-format=prefix name-prefix=garage_5_ radio-mac=xxx
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp \
    mac-protocol=ip new-priority=6 out-interface=vlan832-wan passthrough=yes
add action=set-priority chain=output dst-port=547 ip-protocol=udp \
    mac-protocol=ipv6 new-priority=6 out-interface=vlan832-wan
add action=set-priority chain=output mac-protocol=arp new-priority=6 \
    out-interface=vlan832-wan passthrough=yes
add action=set-priority chain=output comment=NA/NS mac-protocol=ipv6 \
    new-priority=6 out-interface=vlan832-wan packet-mark=na/ns passthrough=\
    yes
/interface bridge port
add bridge=bridge-LAN comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5-AP pvid=10
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether6-Bureau
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether7-Cave
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether8-Salon
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-PI pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-Garage pvid=10
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-wan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-LAN tagged=\
    bridge-LAN,ether8-Salon,ether7-Cave,ether6-Bureau vlan-ids=10
add bridge=bridge-LAN tagged=\
    bridge-LAN,ether6-Bureau,ether7-Cave,ether8-Salon vlan-ids=2
add bridge=bridge-LAN tagged=\
    ether6-Bureau,ether7-Cave,ether8-Salon,bridge-LAN vlan-ids=30
add bridge=bridge-LAN tagged=ether8-Salon,bridge-LAN vlan-ids=40
add bridge=bridge-LAN tagged=sfp-wan,bridge-LAN vlan-ids=832
add bridge=bridge-LAN tagged=bridge-LAN,sfp-wan vlan-ids=840
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=DMZ list=LAN
add interface=ether2-Livebox list=LAN
add interface=vlan-tv list=Orange_TV
add interface=vlan840-wan list=Orange_TV
add interface=vlan832-wan list=WAN
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.3.1/24 interface=DMZ network=192.168.3.0
add address=192.168.4.1/24 interface=vlan832-livebox network=192.168.4.0
add address=192.168.255.254 comment="TV Orange" interface=vlan840-wan \
    network=192.168.255.254
add address=192.168.42.1/24 interface=vlan-tv network=192.168.42.0
/ip dhcp-client
add dhcp-options=hostname,clientid,authsend,class-identifier,userclass \
    interface=vlan832-wan use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=80.10.246.5,81.253.149.13 gateway=\
    192.168.2.1 netmask=24
add address=192.168.4.0/24 dhcp-option=\
    authsend,SIP,domain-search,VendorSPecific dns-server=\
    80.10.246.5,81.253.149.13 gateway=192.168.4.1 netmask=24
add address=192.168.42.0/24 dhcp-option=authtv,domain-search dns-server=\
    80.10.246.5,81.253.149.13 gateway=192.168.42.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.nextdns.io/ \
    verify-doh-cert=yes
/ip dns static
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
add address=45.90.28.0 name=dns.nextdns.io
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=53 protocol=udp src-address=\
    192.168.3.2
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input in-interface-list=LAN protocol=icmp
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow multicast TV Orange" dst-port=\
    8200,8202 in-interface=vlan840-wan protocol=udp
add action=accept chain=input comment="Service Orange TV" dst-port=5678 \
    in-interface-list=Orange_TV protocol=udp
add action=accept chain=input comment="Allow IGMP for Orange TV" \
    in-interface-list=Orange_TV protocol=igmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=debug
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="DNS/NTP pour le decodeur TV Orange" \
    dst-port=53,123,5000 in-interface=vlan-tv out-interface=bridge-wan \
    protocol=udp
add action=accept chain=forward comment="HTTP/S pour le decodeur TV Orange" \
    dst-port=80,443,8554 in-interface=vlan-tv out-interface=bridge-wan \
    protocol=tcp
add action=accept chain=forward comment="TV Orange" dst-port=8200,8202 \
    in-interface=vlan840-wan out-interface=vlan-tv protocol=udp
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward dst-address=192.168.0.0/16 src-address=\
    192.168.0.0/16
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=output new-priority=5 out-interface=vlan840-wan \
    passthrough=yes src-address-type=local
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=xxx/64,192.168.1.0/24,192.168.4.0/24
set ssh address=xxx/64,192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24,xxxx/64,192.168.4.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=local
/ipv6 address
add address=::1 from-pool=pool_FT_6 interface=vlan1
add address=::1 from-pool=pool_FT_6 interface=vlan2
add address=::1 from-pool=pool_FT_6 interface=DMZ
/ipv6 dhcp-client
add add-default-route=yes dhcp-options="authsend,userclass,class-identifer " \
    interface=vlan832-wan pool-name=pool_FT_6 rapid-commit=no request=prefix \
    use-peer-dns=no
/ipv6 dhcp-server
add address-pool="" dhcp-option=dnssrv interface=vlan1 lease-time=8h name=\
    Ip6vlan1
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
add address=2a01:xxx::/64 comment="Internal Vlan1" list=\
    internal_lan
add address=2a01:xxx::/64 comment="Internal Vlan2" list=\
    internal_lan
add address=2a01:xxx::/64 comment="Internal DMZ" list=internal_lan
/ipv6 firewall filter
add action=accept chain=input dst-port=546 in-interface=bridge-wan protocol=\
    udp src-address=fe80::ba0:bab/128
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="Allow ssh access from Vlan1 to DMZ" \
    dst-port=22 in-interface=vlan1 out-interface=DMZ protocol=tcp src-port=""
add action=drop chain=forward comment="Block interVLAN to Vlan1" \
    out-interface=vlan1 src-address-list=internal_lan
add action=drop chain=forward comment="Block interVLAN to Vlan2" \
    out-interface=vlan2 src-address-list=internal_lan
add action=drop chain=forward comment="Block interVLAN to DMZ" out-interface=\
    DMZ src-address-list=internal_lan
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall mangle
add action=mark-packet chain=output comment="Neighbor Solicitation NS" \
    icmp-options=135:0-255 new-packet-mark=na/ns out-interface=bridge-wan \
    passthrough=no protocol=icmpv6
add action=mark-packet chain=output comment="Neighbor Advertisement NA" \
    icmp-options=136:0-255 new-packet-mark=na/ns out-interface=bridge-wan \
    passthrough=no protocol=icmpv6
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
/ipv6 nd
set [ find default=yes ] advertise-dns=no dns=2a01:xxx::1 \
    hop-limit=64 interface=vlan1 other-configuration=yes ra-interval=6s-15s
add advertise-dns=no interface=vlan2
add advertise-dns=no interface=DMZ
/ipv6 nd prefix default
set preferred-lifetime=30m valid-lifetime=1h
/routing igmp-proxy interface
add alternative-subnets=193.0.0.0/8,81.0.0.0/8,172.0.0.0/8,80.0.0.0/8 \
    interface=vlan840-wan upstream=yes
add interface=vlan-tv
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes
/system ntp client servers
add address=5.196.160.139
add address=212.85.158.10
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I hope it will help to find my mistake. Any other remarks are welcome ;-)
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 12:51 pm

The following items are relevant (but it was absolutely correct that you've posted a complete one!):

/interface vlan
add interface=bridge-LAN name=vlan832-wan vlan-id=832

/interface bridge port
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged interface=sfp-wan

/interface bridge vlan
add bridge=bridge-LAN tagged=sfp-wan,bridge-LAN vlan-ids=832

/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-interface=vlan832-wan passthrough=yes


The thing is that there is a slight mess in item naming. In the bridge filter rules, interface refers to interfaces that can be member ports of a bridge; in the ip firewall rules, interface refers to interfaces to which IP configuration can be attached. Moreover, the actual path of the packet is the following:

IP stack -> (U)vlan832-wan(T) -> bridge(interface of the router) -> bridge(port of virtual switch) -> bridge(the virtual switch itself) -> sfp-wan(port of virtual switch)

If it looks confusing, read this.

So the vlan interface attached to the bridge-facing interface of the router, vlan832-wan, is not a member port of the bridge and the rule can never match. So change the rule as follows:
out-interface=sfp-wan chain=output mac-protocol=vlan vlan-encap=ip ip-protocol=udp dst-port=67 action=set-priority new-priority=6
and try again.

Btw, passthrough=yes has little use here as it only affects handling of packets that did match the rule, and those that did match any of your rules do not need to proceed to any of the subsequent ones.
 
nonolk
just joined
Topic Author
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 1:44 pm

@sindy, thank you for the explanation, it's crystal clear… my bad.

I’ll test it soon and I’ll give you feedback

Thank you for your time and help.
 
nonolk
just joined
Topic Author
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 2:23 pm

@sindy so it works better in a way as I'm able to get a valid ip address.

But as this command doesn't work:
add out-interface=sfp-wan chain=output mac-protocol=vlan vlan-encap=ip ip-protocol=udp dst-port=67 action=set-priority new-priority=6
failure: ip matchers are valid only when mac-protocol is set to ip or ipv6
It slows down my complete traffic as I'm marking all the packets and not only the dhcp ones; I tried to bypass it with a mangle rule without success.

Is there a solution for this too?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 3:11 pm

The fact that IP matchers do not work on VLAN-encapsulated traffic is really annoying, but if marking of all traffic is slowing down your router noticeably, I'm not sure whether there is a solution at all. The bridge filter rules are common for all bridges, so even if you make them match on bridge name, the system will still check all bridged frames against the rules, they just will not match. And I have no idea what is the share of setting the priority field on the overall time of processing the rule (the evaluation of the match conditions to find out whether to take the action or not is always there, except that for a non-match, it is enough that the first condition tested doesn't match), i.e. whether setting the priority only for the required packets would make a noticeable difference.

DHCP requests from the device bypass mangle rules, so there is no way to assign a packet-mark only to DHCP packets. But you can invert the logic and use a mangle rule in chain postrouting to assign a packet-mark to all packets leaving through vlan832-wan (except the DHCP ones that bypass mangle), and make the bridge filter rule match on packet-mark=no-mark in addition to out-interface=sfp-wan. Doing so will replace, for every packet, an assignment of priority value using a bridge filter rule by an assignment of a packet-mark value using a mangle rule, so in theory, the resulting load will be about the same. But on the other hand, substitution of source or destination address and port (NAT) is also done for every packet passing through vlan832-wan, so one additional rule should not have such an impact on throughput, unless NAT is done in hardware. So it should still make sense to try this - maybe there is something wrong with the bridge filter rules and their processing takes longer than processing of mangle ones? In any case, bear in mind that you cannot use fasttracking along with mangling, so if your throughput depends on fasttracking, forget this mangling idea at once.

If the above fails, only an ugly hack comes to my mind - find out for how long the ISP is leasing you the address and whether it specifies the renewal time. Then, schedule a script that will actively renew the lease just before the renewal timer expires, but right before doing that, it will enable the bridge filter rules and right after getting the renewed lease, it will disable them again.
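The "ugly hack" described in the paragraph above, written out as a RouterOS script. This is an added example and not code from the thread. It assumes the bridge filter rules that raise the VLAN priority carry comment="dhcp-prio" (a hypothetical comment, chosen so they can be enabled and disabled as a group), and it acts on the DHCP client bound to vlan832-wan from the posted configuration.

```routeros
# Added example, not from the thread. Assumption: the set-priority rules in
# /interface bridge filter are tagged with comment="dhcp-prio" (hypothetical).
:local cl [/ip dhcp-client find interface="vlan832-wan"]
:if ([:len $cl] = 0) do={ :error "dhcp-prio: no DHCP client on vlan832-wan" }

# 1. Enable the priority rules only for the renewal window.
/interface bridge filter enable [find comment="dhcp-prio"]

# 2. Force a renewal and wait (at most ~30 s) until the client is bound again.
/ip dhcp-client renew $cl
:delay 1s
:local tries 0
:while (([/ip dhcp-client get $cl status] != "bound") && ($tries < 30)) do={
    :delay 1s
    :set tries ($tries + 1)
}

# 3. Disable the rules again so they no longer touch ordinary traffic.
/interface bridge filter disable [find comment="dhcp-prio"]

# 4. Leave a trace in the log either way, so a failed renewal is visible.
:if ([/ip dhcp-client get $cl status] != "bound") do={
    :log warning "dhcp-prio: renewal on vlan832-wan did not reach bound state"
} else={
    :log info ("dhcp-prio: lease renewed, expires after " . \
        [/ip dhcp-client get $cl expires-after])
}
```

Store it under /system script and run it from /system scheduler with an interval slightly shorter than the renewal time the ISP hands out (visible as expires-after on the DHCP client, as the post suggests checking first). The rules are disabled in step 3 before the status check in step 4, so even an unanswered renewal leaves the router without the always-on set-priority rules; the only price is a warning in the log.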
 
nonolk
just joined
Topic Author
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 4:58 pm

@sindy, thank you very much, it works now ;-), following your advice to reverse the question.
If one day you come to the north-east part of France, I will buy you a beer ;-)

The strange part is, in IPv6 the mangle rules work for DHCP.

One last question: do you have any idea why fasttrack still seems not to be working? I mean the fasttrack rule counters increase, but none of the mangle rules do the same, nor does the global fasttrack counter. I suspect one misconfiguration in the firewall rules, but where?

Here is the last configuration:
# dec/04/2022 15:42:49 by RouterOS 7.6
# software id = NYZZ-0FRB
#
# model = RB5009UPr+S+
# serial number = 
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=CH1
add band=2ghz-b/g/n frequency=2417 name=CH2
add band=2ghz-b/g/n frequency=2422 name=CH3
add band=2ghz-b/g/n frequency=2427 name=CH4
add band=2ghz-b/g/n frequency=2432 name=CH5
add band=2ghz-b/g/n frequency=2437 name=CH6
add band=2ghz-b/g/n frequency=2442 name=CH7
add band=2ghz-b/g/n frequency=2447 name=CH8
add band=2ghz-b/g/n frequency=2452 name=CH9
add band=2ghz-b/g/n frequency=2457 name=CH10
add band=2ghz-b/g/n frequency=2462 name=CH11
add band=2ghz-b/g/n frequency=2467 name=CH12
add band=2ghz-b/g/n frequency=2472 name=CH13
add band=5ghz-a/n/ac frequency=5180 name=CH36
add band=5ghz-a/n/ac frequency=5200 name=CH40
add band=5ghz-a/n/ac frequency=5220 name=CH44
add band=5ghz-a/n/ac frequency=5240 name=CH48
add band=5ghz-a/n/ac frequency=5260 name=CH52
add band=5ghz-a/n/ac frequency=5280 name=CH56
add band=5ghz-a/n/ac frequency=5300 name=CH60
add band=5ghz-a/n/ac frequency=5320 name=CH64
add band=5ghz-a/n/ac frequency=5500 name=CH100
add band=5ghz-a/n/ac frequency=5520 name=CH104
add band=5ghz-a/n/ac frequency=5540 name=CH108
add band=5ghz-a/n/ac frequency=5560 name=CH112
add band=5ghz-a/n/ac frequency=5580 name=CH116
add band=5ghz-a/n/ac frequency=5600 name=CH120
add band=5ghz-a/n/ac frequency=5620 name=CH124
add band=5ghz-a/n/ac frequency=5640 name=CH128
add band=5ghz-a/n/ac frequency=5660 name=CH132
add band=5ghz-a/n/ac frequency=5680 name=CH136
add band=5ghz-a/n/ac frequency=5700 name=CH140
add band=5ghz-a/n/ac frequency=5160 name=CH32
add band=5ghz-a/n/ac frequency=5340 name=CH68
add band=5ghz-a/n/ac frequency=5480 name=CH96
add band=5ghz-n/ac extension-channel=eeeC frequency=5500,5520,5540,5560 name=\
    CH106
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no name=bridge-LAN \
    protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether2 ] name=ether2-Livebox poe-out=off 
set [ find default-name=ether3 ] name=ether3-Garage
set [ find default-name=ether4 ] name=ether4-PI
set [ find default-name=ether5 ] name=ether5-AP poe-out=off
set [ find default-name=ether6 ] name=ether6-Bureau poe-out=off
set [ find default-name=ether7 ] name=ether7-Cave
set [ find default-name=ether8 ] name=ether8-Salon
set [ find default-name=sfp-sfpplus1 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full name=sfp-wan
/interface vlan
add interface=bridge-LAN name=DMZ vlan-id=30
add interface=bridge-LAN name=vlan-tv vlan-id=40
add interface=bridge-LAN name=vlan1 vlan-id=10
add interface=bridge-LAN name=vlan2 vlan-id=2
add interface=ether2-Livebox name=vlan832-livebox vlan-id=832
add interface=bridge-LAN name=vlan832-wan vlan-id=832
add arp=disabled interface=bridge-LAN loop-protect=off name=vlan840-wan \
    vlan-id=840
/caps-man datapath
add bridge=bridge-LAN name=datapath_vlan2 vlan-id=2 vlan-mode=use-tag
add bridge=bridge-LAN name=datapath_vlan10 vlan-id=10 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=xxx
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=xxx
/caps-man configuration
add channel=CH6 channel.band=2ghz-g/n .extension-channel=disabled country=\
    france datapath=datapath_vlan2 datapath.local-forwarding=no mode=ap name=\
    Iot security=xxx ssid=xxx
add channel=CH106 channel.band=5ghz-n/ac country=france datapath=\
    datapath_vlan10 mode=ap name=xxx security=xxx ssid=xxx
add datapath=datapath_vlan10 name=xxx security=xxx ssid=xxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Orange_TV
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client option
add code=60 name=class-identifier value="'sagem'"
add code=77 name=userclass value=\
    "'+FSVDSL_livebox.Internet.softathome.Livebox5'"
add code=90 name=authsend value=""
/ip dhcp-server option
add code=120 name=SIP value=""
add code=119 name=domain-search value=\
    0x0353545206616363657373116f72616e67652d6d75
add code=125 name=VendorSPecific value=0x000005580c010a0001000000ffffffffff
add code=90 name=authsend value=\
    0x0000000000000000000000646
add code=125 name=authtv value=""
/ip pool
add name=pool-lan ranges=192.168.1.100-192.168.1.200
add name=pool-IOT ranges=192.168.2.100-192.168.2.200
add name=pool-livebox ranges=192.168.4.10-192.168.4.20
add name=poot-tv ranges=192.168.42.10-192.168.42.19
/ip dhcp-server
add add-arp=yes address-pool=pool-lan interface=vlan1 lease-time=8h name=Lan
add add-arp=yes address-pool=pool-IOT interface=vlan2 lease-time=8h name=IOT
add add-arp=yes address-pool=pool-livebox interface=vlan832-livebox \
    lease-time=8h name=Livebox
add address-pool=poot-tv interface=vlan-tv lease-time=8h name=TV \
    use-framed-as-classless=no
/ipv6 dhcp-client option
add code=16 name="class-identifer " value=0x0000040e00057
add code=11 name=authsend value=""
add code=15 name=userclass value=""
/ipv6 dhcp-server option
add code=23 name=dnssrv value=0x2a0101
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Iot name-format=prefix \
    name-prefix=garage_24_ radio-mac=xxx slave-configurations=\
    nonolk_net
add action=create-dynamic-enabled master-configuration=xxx \
    name-format=prefix name-prefix=garage_5_ radio-mac=xxx
/interface bridge filter
add action=set-priority chain=output mac-protocol=vlan new-priority=6 \
    out-interface=sfp-wan packet-mark=no-mark passthrough=yes vlan-encap=ip \
    vlan-id=832
add action=set-priority chain=output mac-protocol=vlan new-priority=6 \
    out-interface=sfp-wan packet-mark=dhcp-v6 passthrough=no vlan-encap=ipv6 \
    vlan-id=832
add action=set-priority chain=output mac-protocol=vlan new-priority=6 \
    out-interface=sfp-wan passthrough=yes vlan-encap=arp vlan-id=832
add action=set-priority chain=output comment=NA/NS mac-protocol=vlan \
    new-priority=6 out-interface=sfp-wan packet-mark=na/ns passthrough=yes \
    vlan-encap=ipv6 vlan-id=832
/interface bridge port
add bridge=bridge-LAN comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5-AP pvid=10
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether6-Bureau
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether7-Cave
add bridge=bridge-LAN comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether8-Salon
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-PI pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-Garage pvid=10
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged interface=sfp-wan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-LAN tagged=\
    bridge-LAN,ether8-Salon,ether7-Cave,ether6-Bureau vlan-ids=10
add bridge=bridge-LAN tagged=\
    bridge-LAN,ether6-Bureau,ether7-Cave,ether8-Salon vlan-ids=2
add bridge=bridge-LAN tagged=\
    ether6-Bureau,ether7-Cave,ether8-Salon,bridge-LAN vlan-ids=30
add bridge=bridge-LAN tagged=ether8-Salon,bridge-LAN vlan-ids=40
add bridge=bridge-LAN tagged=sfp-wan,bridge-LAN vlan-ids=832
add bridge=bridge-LAN tagged=bridge-LAN,sfp-wan vlan-ids=840
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=DMZ list=LAN
add interface=ether2-Livebox list=LAN
add interface=vlan-tv list=Orange_TV
add interface=vlan840-wan list=Orange_TV
add interface=vlan832-wan list=WAN
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.3.1/24 interface=DMZ network=192.168.3.0
add address=192.168.4.1/24 interface=vlan832-livebox network=192.168.4.0
add address=192.168.255.254 comment="TV Orange" interface=vlan840-wan \
    network=192.168.255.254
add address=192.168.42.1/24 interface=vlan-tv network=192.168.42.0
/ip dhcp-client
add dhcp-options=hostname,clientid,authsend,class-identifier,userclass \
    interface=vlan832-wan use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
add address=192.168.2.0/24 dns-server=80.10.246.5,81.253.149.13 gateway=\
    192.168.2.1 netmask=24
add address=192.168.4.0/24 dhcp-option=\
    authsend,SIP,domain-search,VendorSPecific dns-server=\
    80.10.246.5,81.253.149.13 gateway=192.168.4.1 netmask=24
add address=192.168.42.0/24 dhcp-option=authtv,domain-search dns-server=\
    80.10.246.5,81.253.149.13 gateway=192.168.42.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.nextdns.io/ \
    verify-doh-cert=yes
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input in-interface-list=LAN protocol=icmp
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow multicast TV Orange" dst-port=\
    8200,8202 in-interface=vlan840-wan protocol=udp
add action=accept chain=input comment="Service Orange TV" dst-port=5678 \
    in-interface-list=Orange_TV protocol=udp
add action=accept chain=input comment="Allow IGMP for Orange TV" \
    in-interface-list=Orange_TV protocol=igmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=debug
add action=accept chain=forward comment="DNS/NTP pour le decodeur TV Orange" \
    dst-port=53,123,5000 in-interface=vlan-tv out-interface=vlan832-wan \
    protocol=udp
add action=accept chain=forward comment="HTTP/S pour le decodeur TV Orange" \
    dst-port=80,443,8554 in-interface=vlan-tv out-interface=vlan832-wan \
    protocol=tcp
add action=accept chain=forward comment="TV Orange" dst-port=8200,8202 \
    in-interface=vlan840-wan out-interface=vlan-tv protocol=udp
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward dst-address=192.168.3.2 in-interface=vlan1 \
    protocol=icmp
add action=accept chain=forward dst-address=192.168.3.2 dst-port=22,443 \
    protocol=tcp src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.0.0/16 src-address=\
    192.168.0.0/16
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=set-priority chain=output new-priority=5 out-interface=vlan840-wan \
    passthrough=yes src-address-type=local
add action=mark-packet chain=postrouting new-packet-mark=std-traffic \
    out-interface=vlan832-wan passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=2a01:xxx::/64,192.168.1.0/24,192.168.4.0/24
set ssh address=2a01:xxx::/64,192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24,2a01:xxx::/64,192.168.4.0/24
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=local
/ipv6 address
add address=::1 from-pool=pool_FT_6 interface=vlan1
add address=::1 from-pool=pool_FT_6 interface=vlan2
add address=::1 from-pool=pool_FT_6 interface=DMZ
/ipv6 dhcp-client
add add-default-route=yes dhcp-options="authsend,userclass,class-identifer " \
    dhcp-options="authsend,userclass,class-identifer " interface=vlan832-wan \
    pool-name=pool_FT_6 rapid-commit=no request=prefix use-peer-dns=no
/ipv6 dhcp-server
add address-pool="" dhcp-option=dnssrv interface=vlan1 lease-time=8h name=\
    Ip6vlan1
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
add address=2a01:xxx::/64 comment="Internal Vlan1" list=\
    internal_lan
add address=2a01:xxx::/64 comment="Internal Vlan2" list=\
    internal_lan
add address=2a01:xxx::/64 comment="Internal DMZ" list=internal_lan
/ipv6 firewall filter
add action=accept chain=input dst-port=546 in-interface=vlan832-wan protocol=\
    udp src-address=fe80::ba0:bab/128
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="Allow ssh access from Vlan1 to DMZ" \
    dst-port=22 in-interface=vlan1 out-interface=DMZ protocol=tcp src-port=""
add action=drop chain=forward comment="Block interVLAN to Vlan1" \
    out-interface=vlan1 src-address-list=internal_lan
add action=drop chain=forward comment="Block interVLAN to Vlan2" \
    out-interface=vlan2 src-address-list=internal_lan
add action=drop chain=forward comment="Block interVLAN to DMZ" out-interface=\
    DMZ src-address-list=internal_lan
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall mangle
add action=mark-packet chain=postrouting comment="Neighbor Solicitation NS" \
    icmp-options=135:0-255 new-packet-mark=na/ns out-interface=vlan832-wan \
    passthrough=no protocol=icmpv6
add action=mark-packet chain=postrouting comment="Neighbor Advertisement NA" \
    icmp-options=136:0-255 new-packet-mark=na/ns out-interface=vlan832-wan \
    passthrough=no protocol=icmpv6
add action=mark-packet chain=postrouting dst-port=547 new-packet-mark=dhcp-v6 \
    out-interface=vlan832-wan passthrough=no protocol=udp
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=drop chain=prerouting comment="defconf: drop the rest"
/ipv6 nd
set [ find default=yes ] advertise-dns=no dns=2a01:xxx::1 \
    hop-limit=64 interface=vlan1 other-configuration=yes ra-interval=6s-15s
add advertise-dns=no interface=vlan2
add advertise-dns=no interface=DMZ
/ipv6 nd prefix default
set preferred-lifetime=30m valid-lifetime=1h
/routing igmp-proxy interface
add alternative-subnets=193.0.0.0/8,81.0.0.0/8,172.0.0.0/8,80.0.0.0/8 \
    interface=vlan840-wan upstream=yes
add interface=vlan-tv
/system clock
set time-zone-name=Europe/Paris
/system ntp client
set enabled=yes
/system ntp client servers
add address=5.196.160.139
add address=212.85.158.10
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Thank you so much for your help.

Best regards,
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: RB5009: Bridge filter rules help

Sun Dec 04, 2022 8:15 pm

The strange part is, in IPv6 the mangle rules work for DHCP.
It's not that strange - the IPv6 stack is quite separate from the IP(v4) one, and the concepts have changed.

One last question: do you have any idea why fasttrack still seems not to be working? I mean the fasttrack rule counters increase, but none of the mangle rules do the same, nor does the global fasttrack counter. I suspect one misconfiguration in the firewall rules, but where?
I have little experience with ROS 7 outside CHR (which does not actually fasttrack traffic even though the connections do get the fasttrack attribute), so I cannot say what you should expect. The rule with action=fasttrack only handles a single packet of each connection, so it is normal that it doesn't count much. I don't know what global fasttrack counter you are talking about - you mean the dynamically created rule commented with "special dummy rule to show fasttrack counters"?

If you can see the mangle rule in postrouting to count almost all traffic, then indeed fasttracking doesn't actually work; vice versa, if fasttracking works, it is normal that mangle rules do not count, because skipping all stages of firewall handling except the raw table and connection tracking (which provides also the NAT handling) is the essence of fasttracking. So fasttracked packets leaving through sfp-wan do not get the packet-mark in mangle, and thus they do match the action=set-priority rule in bridge filter - unless fasttracking would bypass also the bridge filter in RouterOS 7, which doesn't sound logical to me.
