Community discussions

MikroTik App
 
dmfr
newbie
Topic Author
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Bridge filter rules : set-priority for VLAN non functional

Thu Oct 15, 2020 11:18 am

Hello Mikrotik,

Consider following setup to set VLAN 802.1Q priority (PCP) = 6 for DHCP outbound packets.
/interface vlan add interface=ether1 name=ether1.832 vlan-id=832
/interface bridge add fast-forward=no name=orange-832 protocol-mode=none
/interface bridge filter add action=set-priority chain=output dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-interface=ether1.832 src-port=68
/interface bridge filter add action=set-priority chain=output dst-port=547 ip-protocol=udp mac-protocol=ipv6 new-priority=6 out-interface=ether1.832 src-port=546
/interface bridge port add bridge=orange-832 interface=ether1.832

/ip dhcp-client add disabled=no interface=orange-832
/ipv6 dhcp-client add add-default-route=yes interface=orange-832 pool-name=pool_orange6 request=prefix
It doesn't work using v7.1beta2 but works fine using v.6.47.4

Even simpler setup to force VLAN PCP at 6 for all traffic :
/interface vlan add interface=ether1 name=ether1.832 vlan-id=832
/interface bridge add fast-forward=no name=orange-832 protocol-mode=none
/interface bridge filter add action=set-priority chain=output new-priority=6 out-interface=ether1.832
/interface bridge port add bridge=orange-832 interface=ether1.832
doesn't work any better under v7.1beta2

Thanks in advance for investigation !
 
dmfr
newbie
Topic Author
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge filter rules : set-priority for VLAN non functional

Wed Mar 24, 2021 8:28 pm

Same on v7.1beta5. See above.

With some interesting fact,
Configuration similar to above defined under ROSv6 stays functional after upgrade to ROSv7.
However, after /system reset-configuration, identical configuration (typed or restored from a working /export) is non functional.

Might be related to this one ?
viewtopic.php?f=1&t=165301
 
dmfr
newbie
Topic Author
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge filter rules : set-priority for VLAN non functional

Mon Aug 09, 2021 11:17 pm

Seems fixed in v7.1beta6.
After multiple restores from /export output, bridge filter rules are correctly applied.
 
dmfr
newbie
Topic Author
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge filter rules : set-priority for VLAN non functional

Wed Jan 12, 2022 10:54 pm

Despite being fixed for RB4011 (arm),

That very issue is still occuring using 7.1.1 on RB5009 (arm64).
VLAN PCP/802.1p is not properly set through bridge filter rule.
 
Mackila
just joined
Posts: 3
Joined: Fri Oct 01, 2021 9:45 pm

Re: Bridge filter rules : set-priority for VLAN non functional

Fri Jan 14, 2022 9:13 pm

Same problem on CCR2004-16G-2S+
 
User avatar
jbl42
Member Candidate
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: Bridge filter rules : set-priority for VLAN non functional

Mon Jan 17, 2022 1:00 am

That very issue is still occuring using 7.1.1 on RB5009 (arm64).
VLAN PCP/802.1p is not properly set through bridge filter rule.
In my experience, bridge filter rules do not work on RB5009 for bridges with L2 hw offload enabled.
But adding PCP/802.1p priorites works for me on RB5009 using interface/ethernet/switch/rule with action new-vlan-priority.
Special attention has to be paid to keep switch rules and bridge config in sync in case of member port changes.

While ROS 7.1.1 translates bridge VLAN filters into 88E6393X HW VLAN configs, it seems not to do it for bridge filters (yet?).
 
dmfr
newbie
Topic Author
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge filter rules : set-priority for VLAN non functional

Mon Jan 17, 2022 12:13 pm

In my experience, bridge filter rules do not work on RB5009 for bridges with L2 hw offload enabled.
But adding PCP/802.1p priorites works for me on RB5009 using interface/ethernet/switch/rule with action new-vlan-priority.
Special attention has to be paid to keep switch rules and bridge config in sync in case of member port changes.

While ROS 7.1.1 translates bridge VLAN filters into 88E6393X HW VLAN configs, it seems not to do it for bridge filters (yet?).
L2 hw offload is not currently enabled on any bridge interface as :
  • there's only one member interface (ether8) under WAN bridge (the one we want to set PCP/802.1p prio)
  • all ports (ether1-7) under LAN bridge are actively set to horizon=1 (port isolation)
Besides, in any circumstances I'm getting
new-vlan-priority not supported for this switch
while trying to apply switch-rules on Marvell-88E6393X

Am I missing something ?
 
User avatar
jbl42
Member Candidate
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: Bridge filter rules : set-priority for VLAN non functional

Mon Jan 17, 2022 2:52 pm

Besides, in any circumstances I'm getting new-vlan-priority not supported for this switch while trying to apply switch-rules on Marvell-88E6393X

[admin@RB5009] /interface/ethernet/switch> rule add switch=switch1 ports=ether2,ether8 vlan-id=100 new-vlan-id=101
[admin@RB5009] /interface/ethernet/switch> rule add switch=switch1 ports=ether2,ether8 vlan-id=100 new-vlan-priority=6
failure: new-vlan-priority not supported for this switch

Hmm.. your right. On RB5009 only new-vlan-id is supported so far, new-vlan-priority is not. Altough the 88E6393X would support it.
Sorry, I mixed that up with the CRS Models where this works fine.

In my experiences, on RB5009 bridge rules only works reliable if using L2 HW offload and switch rules as far as supported.
/interface/bridge rules often just refuse to work without any further indication.
This indeed seems to be a bug.

The 88E6393X is a very powerful switch chip. Support in ROS for some of its features and bridges on top of it is broken or not yet complete.
 
dmfr
newbie
Topic Author
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge filter rules : set-priority for VLAN non functional

Mon Jan 17, 2022 4:01 pm

From support ticket #[SUP-71491], priority has been raised regarding bridge filter rules.
First, may they just work, even being CPU bound (like RB4011), it doesn't introduce a large performance cost.

Now, if eventually bridge filter rules transparently trigger hardware capabilities when available, it would be great, but that's another story...
 
User avatar
Gnubyte
just joined
Posts: 21
Joined: Sat Aug 15, 2020 7:31 pm
Location: Toulon - France

Re: Bridge filter rules : set-priority for VLAN non functional

Fri Jan 28, 2022 9:47 am

Hi all,
Same problem here on a CCR2004-1G-12S+2XS.
Thanks for these great equipments, and for your work harvesting this regrettable regression.
 
User avatar
jbl42
Member Candidate
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: Bridge filter rules : set-priority for VLAN non functional

Fri Jan 28, 2022 11:03 pm

What's new in 7.2rc3 (2022-Jan-28 16:33):
*) bridge - fixed filter and NAT "set-priority" action;

Seems like this got fixed with 7.2rc3
 
dmfr
newbie
Topic Author
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge filter rules : set-priority for VLAN non functional

Sun Jan 30, 2022 7:25 pm

Seems like this got fixed with 7.2rc3
Still doesn't work with above configuration (first post).
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Bridge filter rules : set-priority for VLAN non functional

Mon Jan 31, 2022 2:40 am

Still doesn't work with above configuration (first post).
Probably you should report this via their support system. In the meantime, you can probably work around this with a mangle rule to get the same result.
 
dmfr
newbie
Topic Author
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge filter rules : set-priority for VLAN non functional

Mon Jan 31, 2022 12:10 pm

Probably you should report this via their support system. In the meantime, you can probably work around this with a mangle rule to get the same result.
SUP-71491 on Mikrotik jira.
Unfortunately DHCP client make use of raw sockets (at least for DHCPv4) and therefore bypasses IP firewall.
Marking packets through an external device (cisco switch, bridged RB4011...) is the only workaround now.
 
dmfr
newbie
Topic Author
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge filter rules : set-priority for VLAN non functional

Tue Feb 22, 2022 1:24 am

Confirmed fix on ROS v.7.1.3 for RB5009 (arm64).
 
CoyoGross
just joined
Posts: 9
Joined: Wed Jul 22, 2020 5:40 pm

Re: Bridge filter rules : set-priority for VLAN non functional

Thu Nov 17, 2022 3:53 pm

Hi all!

Hope you are doing fine,

Im trying to figure out how to configure VLAN 802.1Q priority on a 3011 with a QCA 8337 switch chip. According to the help documentation:

For VLAN related matchers or VLAN related action parameters to work, you need to enable vlan-filtering on the bridge interface and make sure that hardware offloading is enabled on those ports, otherwise, these parameters will not have any effect.

I understand that enabling vlan-filtering on QCA 8337 will disable HW offload. So, is it possible to set up vlan priority on 8337? If i enable vlan-filtering, knowing this will have a cost on CPU and use bridge filters, will this work?

Also, i need to apply same config on a Marvell 98DX3236 and im little confused about where to apply the rule, if is on bridge filters or on switch rules?

Who is online

Users browsing this forum: No registered users and 18 guests