Hammy
Forum Veteran
Topic Author
Posts: 761
Joined: Fri May 28, 2004 5:53 pm
Location: DeKalb, IL

Bridge Port Horizon not configured, yet ports are isolated

Thu Jan 14, 2021 3:19 pm

/interface bridge
add fast-forward=no name=Bridge-VPLS-vlan300
/interface bridge port
add bridge=Bridge-VPLS-vlan300 interface=VPLS-vlan300-DNALAB
add bridge=Bridge-VPLS-vlan300 interface=ether9-vlan300

For "Bridge-VPLS-vlan300", devices on both "ether9-vlan300" and "VPLS-vlan300-DNALAB" can ping an IP address assigned to the bridge but are unable to cross the bridge.

I'm not sure why this would be. Horizons aren't configured. "Use IP Firewall" isn't configured. It's a CHR, so there is no switch port isolation involved.


I was at 6.42.x, but I just upgraded to 6.46.8 to the same effect.
-----
Mike Hammett

The Brothers WISP
 
sindy
Forum Guru
Posts: 6872
Joined: Mon Dec 04, 2017 9:19 pm

Re: Bridge Port Horizon not configured, yet ports are isolated

Thu Jan 14, 2021 3:41 pm

My bet is that this is due to the settings of the virtualization platform. By default, most of them drop packets sent by a VM interface if they have any other source MAC address than the one assigned to the interface. I.e. the ports are not actually isolated in the CHR, but frames forwarded by the CHR are dropped at its egress.

The way to change this behaviour is individual per virtualization platform.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Hammy
Forum Veteran
Topic Author
Posts: 761
Joined: Fri May 28, 2004 5:53 pm
Location: DeKalb, IL

Re: Bridge Port Horizon not configured, yet ports are isolated

Thu Jan 14, 2021 4:42 pm

Promiscuous mode indeed!!!!

So, um...

looking through all of the other portgroups...

I've apparently encountered this before as multiple other production portgroups\VLANs have promiscuous mode turned on.

Son of a...
-----
Mike Hammett

The Brothers WISP
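
The filtering sindy describes and the promiscuous-mode setting Hammy found, as an added example that is not part of the thread: a simplified Python model of the hypervisor switch port in front of the CHR, showing why pings to the bridge IP succeed while bridged frames are lost. The MAC addresses, the `allow_foreign_source` flag name and the assumption that the bridge answers with the vNIC's MAC are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample MACs (not from the thread).
VNIC = "02:00:00:00:00:09"    # MAC the hypervisor assigned to the CHR's ether9
HOST_A = "02:00:00:00:00:a1"  # device on the ether9-vlan300 side
HOST_B = "02:00:00:00:00:b2"  # device reached through VPLS-vlan300-DNALAB
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class VSwitchPort:
    """Simplified hypervisor switch port that the CHR's vNIC plugs into."""
    vnic_mac: str
    allow_foreign_source: bool = False  # hypothetical name for the source-MAC check
    promiscuous: bool = False

    def from_vm(self, src: str, dst: str) -> bool:
        # Frame sent by the VM: passes only if its source MAC is the vNIC's own.
        return self.allow_foreign_source or src == self.vnic_mac

    def to_vm(self, src: str, dst: str) -> bool:
        # Frame headed to the VM: delivered only if addressed to the vNIC or broadcast.
        return self.promiscuous or dst in (self.vnic_mac, BROADCAST)


def trace(port: VSwitchPort) -> dict:
    """Return which of the thread's traffic flows survive the hypervisor port."""
    return {
        # Assumption: the bridge answers with the vNIC's MAC, so both halves pass.
        "A pings bridge IP": port.to_vm(HOST_A, VNIC) and port.from_vm(VNIC, HOST_A),
        # Bridged unicast towards B is addressed to B's MAC, not the vNIC's.
        "A -> B via bridge": port.to_vm(HOST_A, HOST_B),
        # Frames the CHR forwards from B keep B's source MAC.
        "B -> A via bridge": port.from_vm(HOST_B, HOST_A),
    }


if __name__ == "__main__":
    for label, port in [("strict port", VSwitchPort(VNIC)),
                        ("relaxed port", VSwitchPort(VNIC, True, True))]:
        print(label)
        for flow, ok in trace(port).items():
            print(f"  {flow}: {'forwarded' if ok else 'dropped'}")
```

Which of the two checks is enabled by default, and what the setting is called, depends on the virtualization platform. Promiscuous mode hands the VM every frame on the port group, so it is best kept to the port groups that carry bridged traffic.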
