boldsalt2800
just joined
Topic Author
Posts: 4
Joined: Thu Nov 10, 2022 9:01 pm

Flooded broadcast filtering by VLAN tag?

Thu Nov 24, 2022 9:00 pm

How can I filter some flooded broadcast packets on some VLANs?

I have multiple VLANs configured on a bridge, with vlan-filtering=yes on the bridge, and hw=no on every bridge port. All ether ports are on the bridge (accepting only untagged packets), and clients are assigned to their VLAN via dot1x. One SFP port is on the bridge, accepting tagged packets for any VLAN (coming from a WiFi AP). On most VLANs, I want broadcasts to work as normal. But on a certain VLAN, I want to filter broadcast packets (similar to switch port isolation, but at the bridge/VLAN level). However, none of the filter rules ever see a VLAN-tagged packet -- neither on ingress, nor on egress after the broadcast is flooded.

I've tried putting log rules in all bridge filter chains (input, forward, output, srcnat, dstnat). I've also tried enabling "Use IP Firewall" & "Use IP Firewall for VLAN", and putting log rules in several of the IP firewall filter chains (input, forward, output, prerouting); I can't filter by VLAN in the firewall, but I did it just to confirm the packet flow.

I see the packet enter untagged on the source's ether interface. It is then flooded to the destinations' ether interfaces, and I see it pass the bridge forward chain, again untagged.

I can't just turn off broadcast flood on the ether ports under /interface/bridge/port: if a port is assigned to a different VLAN due to the dot1x auth, I still want broadcast to work; and also, even on the broadcast-filtered VLAN, I ideally would still want certain broadcasts to work (I'd like to be able to choose using filters). I can't use a separate bridge per VLAN, because any ether port could have a client assigned to any VLAN, and the SFP port from the WiFi AP brings in tagged traffic from all VLANs.

None of the filter chains ever see the broadcast packet with the VLAN tag, so I'm unable to filter broadcasts just on that one VLAN. Is there any way to do this?

Thank you

Device: CCR2116-12G-4S+
OS: RouterOS 7.6
 
pe1chl
Forum Guru
Posts: 10184
Joined: Mon Jun 08, 2015 12:09 pm

Re: Flooded broadcast filtering by VLAN tag?

Thu Nov 24, 2022 10:47 pm

I think you cannot filter on IP address in a bridge filter that applies only to a VLAN, because you cannot configure a "MAC protocol" stack.
Also when you filter on MAC protocol "vlan" you cannot enter a VLAN number.
So what you write is probably correct: it is not possible.
 
boldsalt2800
just joined
Topic Author
Posts: 4
Joined: Thu Nov 10, 2022 9:01 pm

Re: Flooded broadcast filtering by VLAN tag?

Thu Nov 24, 2022 11:22 pm

pe1chl wrote:
I think you cannot filter on IP address in a bridge filter that applies only to a VLAN, because you cannot configure a "MAC protocol" stack.
Also when you filter on MAC protocol "vlan" you cannot enter a VLAN number.
So what you write is probably correct: it is not possible.

If I could filter on VLAN alone, I could perhaps use packet-type=broadcast or dst-mac=FF...FF to filter broadcasts?

But the issue is that even when I set a simple log rule like "action=log chain=forward", I never see packets with eth-proto 8100 (VLAN); I only ever see packets with 0800 (IPv4). This includes:
  • the packet coming in from the source ether interface
    dstnat: in:ether1 out:(unknown 0) ... eth-proto 0800
  • the flooded packets being forwarded to the destination ether interfaces
    forward: in:ether1 out:ether2 ... eth-proto 0800
  • the packets going out to the destination interfaces
    srcnat: in(unknown 0) out:ether2 ... eth-proto 0800
It seems like the broadcast flooding mechanism knows about the VLAN (so that it knows which destination ether interfaces to flood to), but is always working on packets before they've been tagged or after they've been untagged?

Is there any alternative way to achieve what I'm trying to do (filtering flooded broadcasts, or VLAN-based port isolation)?
 
pe1chl
Forum Guru
Posts: 10184
Joined: Mon Jun 08, 2015 12:09 pm

Re: Flooded broadcast filtering by VLAN tag?

Thu Nov 24, 2022 11:33 pm

Probably not. I do have a router somewhere with a bridge filtering setup that is different per VLAN, but it was implemented using a separate bridge per VLAN. Each bridge is connected to a VLAN subinterface of an ethernet port that is connected to a trunk port of the core switch (outside the router).
And that is a solution you probably cannot use.
(I don't think it is possible to have a bridge with VLAN filtering that has different bridges as untagged members, where you could do the filtering per VLAN)
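The separate-bridge layout pe1chl describes, written out as an added RouterOS configuration example (not taken from the thread or from either poster's router). It assumes ether1 is the trunk to the core switch, VLAN 10 is an ordinary VLAN, VLAN 20 is the one whose flooded broadcasts should be filtered, and ether2/ether3 are access ports fixed to VLAN 10/20; all names and IDs are made up. Because each bridge only ever carries untagged frames of one VLAN, the bridge filter can key on `in-bridge` instead of a VLAN tag, which is exactly what a single vlan-filtering bridge does not allow. As the topic author notes, this does not fit ports whose VLAN is assigned dynamically by dot1x.

```routeros
# Added example, not from the thread. Assumed names: ether1 = trunk to the
# core switch, ether2 = access port in VLAN 10, ether3 = access port in VLAN 20.

# One VLAN sub-interface per VLAN on the trunk port
/interface vlan
add name=vlan10-trunk interface=ether1 vlan-id=10
add name=vlan20-trunk interface=ether1 vlan-id=20

# One bridge per VLAN. No vlan-filtering here: every frame on a bridge is
# untagged and belongs to that bridge's VLAN, so filters see it as such.
/interface bridge
add name=br-vlan10
add name=br-vlan20

/interface bridge port
add bridge=br-vlan10 interface=vlan10-trunk
add bridge=br-vlan10 interface=ether2
add bridge=br-vlan20 interface=vlan20-trunk
add bridge=br-vlan20 interface=ether3

# Per-VLAN broadcast policy, selected by in-bridge rather than by VLAN tag.
# br-vlan10 gets no rules, so broadcasts flood there as normal.
# br-vlan20: ARP broadcasts may still be flooded; all other broadcasts are
# logged and then dropped. The forward chain sees one copy per egress port.
/interface bridge filter
add chain=forward in-bridge=br-vlan20 mac-protocol=arp packet-type=broadcast action=accept comment="vlan20: keep ARP working"
add chain=forward in-bridge=br-vlan20 packet-type=broadcast action=log log-prefix="vlan20-bcast-drop" comment="vlan20: log dropped broadcasts"
add chain=forward in-bridge=br-vlan20 packet-type=broadcast action=drop comment="vlan20: drop other broadcasts"
```

DHCP discovery is also a broadcast, so clients on br-vlan20 that get addresses from a DHCP server behind the trunk need an additional accept rule (ip-protocol=udp dst-port=67) placed before the drop, or the isolation will silently break addressing.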
