Good day!

I'm trying to solve a simple problem, on switches this is a BPDU tunnel.

/interface bridge
add name=bridge1
/interface bridge nat
add action=dst-nat chain=dstnat dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF to-dst-mac-address=01:80:C2:00:00:03
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2.269.3
add bridge=bridge1 disabled=yes interface=sfp-sfpplus2.1269.3

At the exit from the bridge, the MAC destination address for the STP packet must be replaced with another multicast one. The count of the rule triggering is always equal to zero and is not added, probably STP packets do not get into it. Why doesn't it work?

I am using router CCR-1072, ROS 6.47.10.

HI!

I think thats not possible, this is a router ( L3 ) device not ( L2 ).

You need a separate non-Mikrotik switch/router for igmp-snooping ( multicast router ).
https://help.mikrotik.com/docs/pages/vi ... d=59277403

I'm afraid that the thing is that the bridge filter only handles traffic passing between ports of the bridge (where the router-facing port of the bridge has a privileged role in terms that the traffic to/from it is handled by chains input and output whereas the traffic between any other ports is handled by chain forward), whereas BPDUs fall into the "only intended for the direct neighbor - never to be forwarded" category. So if you need STP to run on your bridge, there is no way to do what you want on a single bridge; if you don't need STP on the bridge itself, set /interface bridge set bridge1 protocol-mode=none to make it "dumb" and forward everything, not discriminating by "link-local" destination MAC addresses. In this case, BPDUs will be handled just like any other frames, so maybe you wouldn't even need to dst-nat them.