Kentzo
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Cannot modify frame-types and ingress-filtering on a dynamically added bridge port

Sun Jan 09, 2022 8:06 am

I have a configuration for a VLAN-tagged virtual-AP on CAPsMAN. When added to CAP, an immutable entry is created at `/interface bridge port` for that interface. On the CAP neither UI nor CLI allows me to modify the frame-types and ingress-filtering options on that port. On the CAPsMAN such options do not exist, only vlan-id and tagging mode can be altered.

Do I read it correctly, that these options cannot be altered on a CAPsMAN managed wireless interface / bridge port?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Cannot modify frame-types and ingress-filtering on a dynamically added bridge port  [SOLVED]

Sun Jan 09, 2022 12:27 pm

It is hard to determine exact configuration, set by CAPsMAN, but it seems like CAPsMAN configures things in a hybrid way (a mix of dumb and vlan-aware bridge config):
  • wireless interface is configured with properties vlan-mode=use-tag vlan-id=<VID>, so essentially wireless interface works as tagged interface
  • bridge port is configured with properties pvid=<VID> frame-types=admit-all ingress-filtering=no, so the port acts as access port
The latter is clearly displayed by /interface bridge port print, the former is based on my own observations (and may be completely wrong).

Then the exact behaviour boils down to two possibilities, determined by setting of vlan-filtering property on bridge:
  • when vlan-filtering=yes, bridge tags with pvid untagged frames on ingress but accepts already tagged frames as well. Bridge untags frames on egress.
    It seems that wireless interface untags tagged frames on ingress but accepts untagged as well.
    Which all means that frames passing from bridge to wireless interface are tagless while frames passing from wireless interface to bridge are tagged
  • when vlan-filtering=no, bridge doesn't do anything about VLAN tags, while wireless interface does tagging and untagging.
    In this case frames passing between bridge and wireless interface in both directions are tagged. If bridge is carrying other vlans or untagged, then those frames may leak into wireless interface. Wireless interface then discards frames with wrong vlan tags but accepts untagged frames which can then leak via air interface.
(N.b. if wireless interface is configured with vlan-mode=no-tag this actually means that wireless driver doesn't treat VLAN tags at all and tagged frames get transmitted over the air ... which allows to build trunk PtP connections via wireless).

And yes, bridge port entries as well as wireless interfaces are dynamic which means you can't change their properties.
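
The frame handling described in the post above, modelled as an added Python example (not part of the original post and not RouterOS code). It follows the poster's observations as stated; the rule that a vlan-filtering bridge forwards a frame only to a port whose pvid matches the frame's VLAN is an assumption, and all function names and sample frames are constructed.

```python
# Added example: models the bridge -> wireless -> air path as described in the post.
# Not RouterOS code; names and sample frames are constructed.
from typing import List, Optional, Tuple

Frame = Tuple[Optional[int], int]  # (802.1Q tag or None, pvid of the port it entered on)


def bridge_to_wlan(frame: Frame, vlan_filtering: bool, port_pvid: int):
    """Return (forwarded, tag_on_egress) for a frame heading to the dynamic wireless port."""
    tag, ingress_pvid = frame
    if not vlan_filtering:
        return True, tag                      # bridge ignores VLAN tags entirely
    vlan = tag if tag is not None else ingress_pvid   # untagged frames get the ingress pvid
    if vlan != port_pvid:
        return False, None                    # assumption: port only belongs to its pvid VLAN
    return True, None                         # bridge untags on egress


def wlan_transmits(tag: Optional[int], wlan_vid: int) -> bool:
    """vlan-mode=use-tag: untag matching frames, drop other tags, accept untagged."""
    return tag is None or tag == wlan_vid


def leaked_to_air(frames: List[Frame], vlan_filtering: bool, vid: int) -> List[Frame]:
    """Frames that go out over the air although they do not belong to VLAN `vid`."""
    leaks = []
    for frame in frames:
        forwarded, egress_tag = bridge_to_wlan(frame, vlan_filtering, port_pvid=vid)
        if not (forwarded and wlan_transmits(egress_tag, vid)):
            continue
        tag, ingress_pvid = frame
        # Without vlan-filtering an untagged frame has no VLAN classification at all.
        origin = tag if tag is not None else (ingress_pvid if vlan_filtering else None)
        if origin != vid:
            leaks.append(frame)
    return leaks


# Constructed sample traffic on a bridge whose virtual AP uses VID 20.
SAMPLE = [(20, 1), (30, 1), (None, 1), (None, 20)]

if __name__ == "__main__":
    for mode in (False, True):
        print(f"vlan-filtering={'yes' if mode else 'no'}: leaked {leaked_to_air(SAMPLE, mode, 20)}")
```
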
 
Kentzo
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Cannot modify frame-types and ingress-filtering on a dynamically added bridge port

Mon Jan 10, 2022 12:30 am

> It is hard to determine exact configuration, set by CAPsMAN, but it seems like CAPsMAN configures things in a hybrid way (a mix of dumb and vlan-aware bridge config):
>   • wireless interface is configured with properties vlan-mode=use-tag vlan-id=<VID>, so essentially wireless interface works as tagged interface
>   • bridge port is configured with properties pvid=<VID> frame-types=admit-all ingress-filtering=no, so the port acts as access port
> The latter is clearly displayed by /interface bridge port print, the former is based on my own observations (and may be completely wrong).
>
> Then the exact behaviour boils down to two possibilities, determined by setting of vlan-filtering property on bridge:
>   • when vlan-filtering=yes, bridge tags with pvid untagged frames on ingress but accepts already tagged frames as well. Bridge untags frames on egress.
>     It seems that wireless interface untags tagged frames on ingress but accepts untagged as well.
>     Which all means that frames passing from bridge to wireless interface are tagless while frames passing from wireless interface to bridge are tagged
>   • when vlan-filtering=no, bridge doesn't do anything about VLAN tags, while wireless interface does tagging and untagging.
>     In this case frames passing between bridge and wireless interface in both directions are tagged. If bridge is carrying other vlans or untagged, then those frames may leak into wireless interface. Wireless interface then discards frames with wrong vlan tags but accepts untagged frames which can then leak via air interface.
> (N.b. if wireless interface is configured with vlan-mode=no-tag this actually means that wireless driver doesn't treat VLAN tags at all and tagged frames get transmitted over the air ... which allows to build trunk PtP connections via wireless).
>
> And yes, bridge port entries as well as wireless interfaces are dynamic which means you can't change their properties.

I find this behavior inconsistent with respect to non virtual-AP interfaces: these still can be (even must be) edited on the CAP.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Cannot modify frame-types and ingress-filtering on a dynamically added bridge port

Mon Jan 10, 2022 4:33 pm

> I find this behavior inconsistent with respect to non virtual-AP interfaces: these still can be (even must be) edited on the CAP.

Not according to my experience. Which properties do you have to set on CAP devices and why?
 
Kentzo
Long time Member
Topic Author
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Cannot modify frame-types and ingress-filtering on a dynamically added bridge port

Mon Jan 10, 2022 10:24 pm

See my other post: viewtopic.php?t=182021

CAPsMAN did not configure VLAN tagging at /interface bridge for "physical" wlans (I don't know if this is the right term), only for virtual wlans it itself created.
