miconof

help or documentation about bridge vlan filtering

Fri May 26, 2023 1:56 pm

Hi, I'm quite new to setting up MikroTik devices; here is my setup.
model: CRS328-24P-4S+ 
current-firmware: 7.9

I also have a 'cAP ax', but that's not the point here.

I'm looking for documentation on how to implement VLANs on a bridge with filtering on.


For the general environment, my switch/router, named 'SwRo', is directly connected to the ONT of my internet provider (no box anymore).
/interface vlan add interface=sfp1 name=ONT-Bouygue-Fibre vlan-id=100
/ip dhcp-client option add code=60 name=vendorid value=0x42594754454c494144
/ip dhcp-client add dhcp-options=vendorid disabled=no interface=Fibre_ByTel_vl100
/interface bridge port add bridge=bridge interface=ether1
[...]
/interface bridge port add bridge=bridge interface=ether24
/interface bridge port add bridge=bridge interface=sfp-sfpplus1
/interface bridge port add bridge=bridge interface=sfp-sfpplus3
/interface bridge port add bridge=bridge interface=sfp-sfpplus4

/ip firewall nat add action=masquerade chain=srcnat out-interface=ONT-Bouygue-Fibre
/ip address add address=192.168.0.2/24 comment=LAN_HOME interface=bridge network=192.168.0.0
/ip address add address=192.168.0.88/24 comment=defconf interface=ether2 network=192.168.0.0

All of the above works as intended.

Next I set up a trunk port with 2 tagged VLANs.

I did my setup following this guide : viewtopic.php?f=13&t=143620
post #2 : Switch with a separate router (RoaS) : section Router Configuration at a glance.
/interface bridge
	add frame-types=admit-only-vlan-tagged name=bridge-v vlan-filtering=no
	
/interface vlan
	add interface=bridge-v name=VLAN2 vlan-id=2
	add interface=bridge-v name=VLAN5 vlan-id=5
	
/interface bridge vlan
	add bridge=bridge-v tagged=sfp-sfpplus2 vlan-ids=2,5

/interface list member
	add interface=VLAN2 list=VLAN
	add interface=VLAN5 list=VLAN

/ip address
	add address=192.168.2.1/24 interface=VLAN2 network=192.168.2.0
	add address=192.168.5.1/24 interface=VLAN5 network=192.168.5.0

On the other side I plugged in a FreeBSD host with jails on VLANs. All seems to work: I can ping the internet or anyone in my LAN from both VLANs.

What I want is to isolate VLAN2 and VLAN5 from everyone else. But they need to be able to reach the internet.

For this I had to change vlan-filtering to yes on bridge-v.
But when I did this, on both VLANs I can't even ping their gateway (192.168.2.1 / 192.168.5.1).

I think I have to add some rules in: /interface/bridge/nat and /interface/bridge/filter/.

I'm looking for documentation about this.
Thanks.
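
An added example, not part of the original post or the linked guide: once vlan-filtering=yes is set, the bridge itself (the CPU port) has to be a tagged member of VLANs 2 and 5, or frames never reach the VLAN2/VLAN5 interfaces that hold the gateway addresses. Traffic between the VLANs and the LAN is routed, so the isolation is enforced in /ip firewall filter rather than in the bridge filter. It assumes sfp-sfpplus2 is the trunk to the FreeBSD host and ONT-Bouygue-Fibre is the WAN interface, both names taken from the post.

```routeros
# Added example, not the poster's configuration.
# Assumptions: sfp-sfpplus2 is the trunk port, ONT-Bouygue-Fibre is the WAN
# interface, and the interface list VLAN contains VLAN2 and VLAN5 as in the post.

/interface bridge port
# The trunk must be a port of bridge-v; accept tagged frames only on it.
add bridge=bridge-v interface=sfp-sfpplus2 frame-types=admit-only-vlan-tagged

/interface bridge vlan
# List the bridge itself as tagged next to the trunk port. This entry replaces
# the one from the post that lists only sfp-sfpplus2.
add bridge=bridge-v tagged=bridge-v,sfp-sfpplus2 vlan-ids=2,5

/interface bridge
# Enable filtering last, once the VLAN table is complete.
set bridge-v vlan-filtering=yes

/ip firewall filter
# Order matters: replies first, then the single allowed path, then the drops.
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=accept in-interface-list=VLAN out-interface=ONT-Bouygue-Fibre comment="VLAN2/VLAN5 to internet"
add chain=forward action=drop in-interface-list=VLAN comment="VLAN2/VLAN5 to anything else"
add chain=forward action=drop out-interface-list=VLAN comment="anything else to VLAN2/VLAN5"
```

The third rule also blocks VLAN2 and VLAN5 from reaching each other. Access from the VLANs to the router itself is governed by the input chain, which this example leaves unchanged.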