Bridge

Document revision 2.3 (Fri Aug 18 11:56:45 GMT 2006)
This document applies to V2.9

Table of Contents

General Information
  Summary
  Quick Setup Guide
  Specifications
  Related Documents
  Description
  Additional Documents
Bridge Interface Setup
  Description
  Property Description
  Example
Port Settings
  Description
  Property Description
  Notes
  Example
Bridge Monitoring
  Description
  Property Description
  Example
Bridge Port Monitoring
  Description
  Property Description
  Example
Bridge Host Monitoring
  Property Description
  Example
Bridge Firewall General Description
  Description
  Property Description
  Notes
Bridge Packet Filter
  Description
  Property Description
Bridge NAT
  Description
  Property Description
Bridge Brouting Facility
  Description
  Property Description
Troubleshooting
  Description

Page 1 of 13 Copyright 1999-2006, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.

General Information

Summary

                          !""  #  $%&#'' $%&#''   $%&#'' client (     ad-hoc infrastructure  station     !""     !        $%&#''# )(     "              * !   +,- !         "          "  #

. "    "   ( * /!  !  -"  0     -0# 0  "     !   !   (   *!"  *#

  ! 1

• -"  0     -0

• ! "    

• 2       " 3     

•              

•       !  

• 2           0

• -!""   !     " *  

Quick Setup Guide

0 "!    ether1  ether2   #

1. Add a bridge interface named MyBridge:

   /interface bridge add name="MyBridge" disabled=no

2. Add ether1 and ether2 to MyBridge:

   /interface bridge port add interface=ether1 bridge=MyBridge
   /interface bridge port add interface=ether2 bridge=MyBridge

Specifications

Packages required: system
License required: level3
Home menu level: /interface bridge
Standards and Technologies: IEEE 802.1D
Hardware usage: Not significant

Related Documents

• -(   *  •      • • . 

Description

 3 * ( *        $%&#''  "3      +,- 4       !   # 0  !  (           "    !    " /  ! ( *     (  / *    ( *     5  (    / (         #      "  /   ""     !     !  /  *      (   ( *        ( *             "    (/           /    (  /  /#

( * " /     /    "5 " # + ! / "    " (! "   ( *   !     /  / (!     3 * " * ! "  #    !    (   ! (  "   "   # -0 (   !  (       /     "   "/#          (!  (    "   "!   /   !             ! *  " # 0    5   !    2,6 3 2     , 6  "  /     (!  !"  (   (     !   ( * "/# -0     (   "   ( *   !   !    *   "  "     # 0      (  (  ,#

Additional Documents

"177  #!  #7

Bridge Interface Setup

Home menu level: /interface bridge

Description

0    !   ( *         !            !   !"   " # 8    (                 (    ! /#

Property Description

ageing-time (time; default: 5m) - how long host information will be kept in the bridge database
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol setting
forward-delay (time; default: 15s) - time spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge starts functioning normally
garbage-collection-interval (time; default: 4s) - how often to drop old (expired) host entries from the bridge database. The garbage collection process purges the entries older than defined by the ageing-time property
hello-time (time; default: 2s) - how often to send hello packets to other bridges
mac-address (read-only: MAC address) - MAC address of the interface
max-message-age (time; default: 20s) - how long to remember Hello messages received from other bridges
mtu (integer; default: 1500) - Maximum Transmission Unit
name (name; default: bridgeN) - a descriptive name of the bridge interface
priority (integer: 0..65535; default: 32768) - bridge interface priority. The priority argument is used by the Spanning Tree Protocol to determine which port remains enabled if at least two ports form a loop
stp (no | yes; default: no) - whether to enable the Spanning Tree Protocol. Bridging loops will only be prevented if this property is turned on

Example

0           (   (   "  1

[admin@MikroTik] interface bridge> add; print
Flags: X - disabled, R - running
  0 R name="bridge1" mtu=1500 arp=enabled mac-address=61:64:64:72:65:73 stp=no
      priority=32768 ageing-time=5m forward-delay=15s
      garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@MikroTik] interface bridge> enable 0

Port Settings

Home menu level: /interface bridge port

Description

0 ! !  !         "  !    #

Property Description

bridge (name; default: none) - the bridge interface the respective interface is grouped in
• none - the interface is not grouped in any bridge
interface (read-only: name) - interface name, which is to be included in a bridge
path-cost (integer: 0..65535; default: 10) - path cost to the interface, used by STP to determine the 'best' path
priority (integer: 0..255; default: 128) - interface priority compared to other interfaces, which are destined to the same network

Notes

-        #9  "       !         (  5"#

Example

0  !" ether1  ether2     /  bridge1        #91

[admin@MikroTik] interface bridge port> add interface=ether1 bridge=bridge1
[admin@MikroTik] interface bridge port> add interface=ether2 bridge=bridge1
[admin@MikroTik] interface bridge port> print
  # INTERFACE  BRIDGE   PRIORITY  PATH-COST
  0 ether1     bridge1  128       10
  1 ether2     bridge1  128       10
[admin@MikroTik] interface bridge port>

      wlan1    /          " #

Bridge Monitoring

Command name: /interface bridge monitor

Description

6     !  !   #

Property Description

bridge-id (text) - the bridge ID, which is in the form bridge-priority.bridge-MAC-address
designated-root (text) - ID of the root bridge
path-cost (integer) - the total cost of the path to the root bridge
root-port (name) - port to which the root bridge is connected

Example

0    1

[admin@MikroTik] interface bridge> monitor bridge1
        bridge-id: 32768.00:02:6F:01:CE:31
  designated-root: 32768.00:02:6F:01:CE:31
        root-port: ether2
        path-cost: 180
[admin@MikroTik] interface bridge>
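The bridge-id and designated-root values above are compared numerically by STP: the bridge with the lowest priority, and on a tie the lowest MAC address, becomes the root. The following Python is an added example and not MikroTik code. It parses the monitor output shown on this page, implements that election rule, and flags the case a monitoring job cares about most: the designated root no longer being the bridge the operator expects. The second bridge id used for the election demonstration is constructed, and the "expected root" allowlist is an assumed operator setting.

```python
"""Parse '/interface bridge monitor' output and check the STP root bridge.

Added example (not MikroTik code).  The bridge-id format priority.MAC and
the monitor field names come from the manual page; SAMPLE is the page's
own monitor output, the rival bridge id in the demo is constructed.
"""
import re

MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def parse_bridge_id(text):
    """'32768.00:02:6F:01:CE:31' -> (32768, 0x00026F01CE31)."""
    prio, mac = text.strip().split(".", 1)
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"bad MAC in bridge id: {text!r}")
    return int(prio), int(mac.replace(":", ""), 16)


def elect_root(bridge_ids):
    """STP root election: the numerically lowest (priority, MAC) wins."""
    return min(bridge_ids, key=parse_bridge_id)


def parse_monitor(output):
    """Turn the 'key: value' lines of the monitor command into a dict."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([a-z-]+):\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_root(output, expected_root):
    """Findings a monitoring job would raise for one bridge's monitor output."""
    f = parse_monitor(output)
    findings = []
    if f["designated-root"] != expected_root:
        # An unexpected root means some other device now wins the election.
        findings.append(f"root bridge changed to {f['designated-root']}")
    if f["designated-root"] == f["bridge-id"]:
        findings.append("this bridge is the STP root")
    elif int(f["path-cost"]) > 0:
        findings.append(f"root via {f['root-port']} at cost {f['path-cost']}")
    return findings


# The page's monitor output (this bridge is itself the root).
SAMPLE = """\
[admin@MikroTik] interface bridge> monitor bridge1
        bridge-id: 32768.00:02:6F:01:CE:31
  designated-root: 32768.00:02:6F:01:CE:31
        root-port: ether2
        path-cost: 180
"""

if __name__ == "__main__":
    print(check_root(SAMPLE, "32768.00:02:6F:01:CE:31"))
    # Constructed second bridge with a lower priority value: it wins.
    print(elect_root(["32768.00:02:6F:01:CE:31", "4096.00:0C:42:00:00:01"]))
```

Because the default priority is 32768 on every bridge, election among unconfigured devices falls back to the MAC address, which is why a fixed, low priority on the intended root plus a check like `check_root` is the usual way to keep the topology where it was designed to be.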

Bridge Port Monitoring

Command name: /interface bridge port monitor

Description

-            

Property Description

designated-port (text) - port of the designated-root bridge
designated-root (text) - ID of the bridge which is nearest to the root bridge
port-id (integer) - port ID, which is formed from the port priority and port number, and is unique
status (disabled | blocking | listening | learning | forwarding) - the status of the bridge port:
• disabled - the interface is disabled. No frames are forwarded, no Bridge Protocol Data Units (BPDUs) are heard
• blocking - the port does not forward any frames, but listens for BPDUs
• listening - the port does not forward any frames, but listens to them
• learning - the port does not forward any frames, but learns the MAC addresses
• forwarding - the port forwards frames, and learns MAC addresses

Example

0     " 1

[admin@MikroTik] interface bridge port> mo 0
             status: forwarding
            port-id: 28417
    designated-root: 32768.00:02:6F:01:CE:31
  designated-bridge: 32768.00:02:6F:01:CE:31
    designated-port: 28417
    designated-cost: 0
-- [Q quit|D dump|C-z pause]

Bridge Host Monitoring

Command name: /interface bridge host

Property Description

age (read-only: time) - the time since the last packet was received from the host
bridge (read-only: name) - the bridge the entry belongs to
local (read-only: flag) - whether the host entry is of the bridge itself (that way all local interfaces are shown)
mac-address (read-only: MAC address) - host's MAC address
on-interface (read-only: name) - which of the bridged interfaces the host is connected to

Example

0        1

[admin@MikroTik] interface bridge host> print
Flags: L - local
  BRIDGE   MAC-ADDRESS        ON-INTERFACE  AGE
  bridge1  00:00:B4:5B:A6:58  ether1        4m48s
  bridge1  00:30:4F:18:58:17  ether1        4m50s
L bridge1  00:50:08:00:00:F5  ether1        0s
L bridge1  00:50:08:00:00:F6  ether2        0s
  bridge1  00:60:52:0B:B4:81  ether1        4m50s
  bridge1  00:C0:DF:07:5E:E6  ether1        4m46s
  bridge1  00:E0:C5:6E:23:25  prism1        4m48s
  bridge1  00:E0:F7:7F:0A:B8  ether1        1s
[admin@MikroTik] interface bridge host>
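The host table is the bridge's learning database, and its size per port is a useful health signal: an access port normally carries a handful of learned MAC addresses, so a sudden jump is worth an alert before the ageing-time and garbage collection cycle clears the entries again. The script below is an added example, not MikroTik code. It parses the print output shown above (the column layout and the L flag are taken from this page), converts the AGE column to seconds, and reports ports whose count of learned, non-local addresses exceeds a threshold; that threshold is an assumed operator setting.

```python
"""Parse '/interface bridge host print' output and summarise it per port.

Added example, not MikroTik code.  Column layout (flags, BRIDGE,
MAC-ADDRESS, ON-INTERFACE, AGE) is taken from the manual page; SAMPLE is
the page's own output and the per-port limit is an assumed operator value.
"""
import re
from collections import Counter

AGE_RE = re.compile(r"(?:(\d+)m)?(?:(\d+)s)?")
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def parse_age(text):
    """'4m48s' -> 288 seconds; '0s' -> 0."""
    m = AGE_RE.fullmatch(text)
    if not text or not m:
        raise ValueError(f"bad age: {text!r}")
    minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return minutes * 60 + seconds


def parse_host_table(output):
    """One dict per host entry; prompt, flag legend and header lines are skipped."""
    entries = []
    for line in output.splitlines():
        tokens = line.split()
        local = False
        if tokens and tokens[0] == "L":          # 'L - local' flag column
            local, tokens = True, tokens[1:]
        if len(tokens) != 4 or not MAC_RE.fullmatch(tokens[1]):
            continue                               # not a table row
        bridge, mac, iface, age = tokens
        entries.append({"bridge": bridge, "mac": mac, "on-interface": iface,
                        "age": parse_age(age), "local": local})
    return entries


def hosts_per_port(entries):
    """Number of learned (non-local) MAC addresses behind each bridge port."""
    return Counter(e["on-interface"] for e in entries if not e["local"])


def ports_over_limit(entries, limit):
    """Ports carrying more learned MACs than the operator expects."""
    return sorted(p for p, n in hosts_per_port(entries).items() if n > limit)


SAMPLE = """\
[admin@MikroTik] interface bridge host> print
Flags: L - local
  BRIDGE   MAC-ADDRESS        ON-INTERFACE  AGE
  bridge1  00:00:B4:5B:A6:58  ether1        4m48s
  bridge1  00:30:4F:18:58:17  ether1        4m50s
L bridge1  00:50:08:00:00:F5  ether1        0s
L bridge1  00:50:08:00:00:F6  ether2        0s
  bridge1  00:60:52:0B:B4:81  ether1        4m50s
  bridge1  00:C0:DF:07:5E:E6  ether1        4m46s
  bridge1  00:E0:C5:6E:23:25  prism1        4m48s
  bridge1  00:E0:F7:7F:0A:B8  ether1        1s
[admin@MikroTik] interface bridge host>
"""

if __name__ == "__main__":
    table = parse_host_table(SAMPLE)
    print(hosts_per_port(table))
    print("over limit:", ports_over_limit(table, limit=4))
```

With the page's sample and a limit of 4, ether1 (five learned hosts) is reported while ether2, which only shows the bridge's own local entry, and prism1 are not. Entries whose age is close to the ageing-time (5m by default) are about to be purged, which is why the age is kept as seconds rather than text.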

Bridge Firewall General Description

Home menu level: /interface bridge filter, /interface bridge nat, /interface bridge broute

Description

0   ( " " *       / "    ! / !      !    (      ! 

Note  " * (     :!  * /         "  !  ; ; /ip firewall !  !        (/ ""       7 0   ! 3        5 "   output (   5 !   . ( 8!"!# 0 !   ! (   "/    7        (  (        "/  !"     #

0          1

• filter 3   ( (    "     1 • input 3    " * (          !   " *  (   !   /   /(/         • output 3    " * (         !   " *    !  / • forward 3    " * (       1       ""    " *  !  !  !  !  :!           (  "     

• nat 3  ( *      "   (/    ! 7         " *       # ) ( ! 3   1 • scnat 3 !  < <     ( *        # 0     ""    " *    !  !      • dstnat 3 !       "*     

• broute 3 *   ! 3 !  "   !      " *    3   # )  "     1 brouting (          " *            <2   ,  <

Note:      0  5 !       

=!  "! " *  *    (    !  0 (        " *  *    ( "! / # - " *  * "! /   (   !    (    

>    ( " "            # - "     (  !    !      !    #
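The chain mechanics described in this section (built-in chains such as filter input, output and forward, user-defined chains reached with jump and left with return) and the rule actions listed under Bridge Packet Filter below (accept and drop end processing, passthrough only counts, log and mark continue to the next rule) are easier to reason about with a small executable model. The Python below is an added example and not RouterOS code: the chain and action names and their stated semantics come from this page, the sample policy and frames are constructed, and the assumption that a frame reaching the end of a built-in chain with no verdict is accepted is mine.

```python
"""Model of bridge firewall chain traversal and rule actions.

Added example, not RouterOS code.  Chain names and action semantics follow
the manual page; the policy, frames and the default-accept at the end of a
built-in chain are constructed assumptions.
"""


class Rule:
    def __init__(self, match, action, jump_target=None, mark=None, log_prefix=""):
        self.match, self.action = match, action
        self.jump_target, self.mark, self.log_prefix = jump_target, mark, log_prefix
        self.counter = 0  # packets matched, as the rule counters would show


def run_chain(chains, chain, frame, log):
    """Return 'accept' or 'drop' when a terminating rule fires, else None."""
    for rule in chains.get(chain, []):
        if not rule.match(frame):
            continue
        rule.counter += 1
        if rule.action in ("accept", "drop"):
            return rule.action          # no more rules are processed
        if rule.action == "jump":
            verdict = run_chain(chains, rule.jump_target, frame, log)
            if verdict is not None:
                return verdict          # the target chain decided
            continue                    # target returned: next rule here
        if rule.action == "return":
            return None                 # back to the chain that jumped
        if rule.action == "log":
            log.append(f"{rule.log_prefix}{frame}")
        elif rule.action == "mark":
            frame["flow"] = rule.mark
        # log, mark and passthrough all continue with the next rule
    return None


def filter_frame(chains, chain, frame):
    """Verdict for a frame entering a built-in chain (assumed default: accept)."""
    log = []
    verdict = run_chain(chains, chain, frame, log)
    return (verdict or "accept"), log


# Constructed policy: ARP crossing the bridge is checked in a user chain;
# senders not on the allowlist are logged and dropped.
TRUSTED_ARP_SOURCES = {"00:50:08:00:00:F5", "00:50:08:00:00:F6"}
CHAINS = {
    "forward": [
        Rule(lambda f: f["mac-protocol"] == "arp", "jump", jump_target="arp-check"),
        Rule(lambda f: f["mac-protocol"] == "ip", "mark", mark="bridged-ip"),
        Rule(lambda f: True, "passthrough"),     # counts every frame
    ],
    "arp-check": [
        Rule(lambda f: f["src-mac-address"] in TRUSTED_ARP_SOURCES, "return"),
        Rule(lambda f: True, "log", log_prefix="unknown-arp: "),
        Rule(lambda f: True, "drop"),
    ],
}


def demo():
    """Run three constructed frames through the forward chain."""
    good = {"mac-protocol": "arp", "src-mac-address": "00:50:08:00:00:F5"}
    bad = {"mac-protocol": "arp", "src-mac-address": "00:11:22:33:44:55"}
    ip = {"mac-protocol": "ip", "src-mac-address": "00:50:08:00:00:F5"}
    return [filter_frame(CHAINS, "forward", f) for f in (good, bad, ip)]


if __name__ == "__main__":
    for verdict, log in demo():
        print(verdict, log)
```

The point to take from the model is the difference between `return` and `passthrough`: a frame that returns from arp-check still meets the later rules of forward (so the passthrough counter rises for it), while a drop inside the user chain ends processing for the whole traversal.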

Property Description

802.3-sap (integer) - DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are two one-byte fields, which identify the network protocol entities which use the service. These bytes are always equal. Two hexadecimal digits may be specified here to match an SAP byte
802.3-type (integer) - protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example, AppleTalk can be indicated by a SAP code of 0xAA followed by a SNAP type code of 0x809B
arp-dst-address (IP address; default: 0.0.0.0/0) - ARP destination address
arp-dst-mac-address (MAC address; default: 00:00:00:00:00:00) - ARP destination MAC address
arp-hardware-type (integer; default: 1) - ARP hardware type. This is normally Ethernet (type 1)
arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-request | reply | reply-reverse | request | request-reverse) - ARP opcode (packet type)
• arp-nak - negative ARP reply (rarely used, mostly in ATM networks)
• drarp-error - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated
• drarp-reply - Dynamic RARP reply, with a temporary IP address assignment for a host
• drarp-request - Dynamic RARP request to assign a temporary IP address for the given MAC address
• inarp-request -
• reply - standard ARP reply with a MAC address
• reply-reverse - reverse ARP (RARP) reply with an IP address assigned
• request - standard ARP request to a known IP address to find out the unknown MAC address
• request-reverse - reverse ARP (RARP) request to a known MAC address to find out the unknown IP address (intended to be used by hosts to find out their own IP address, similarly to the DHCP service)
arp-packet-type (integer) -
arp-src-address (IP address; default: 0.0.0.0/0) - ARP source IP address
arp-src-mac-address (MAC address; default: 00:00:00:00:00:00) - ARP source MAC address
chain (text) - bridge firewall chain, which the filter is functioning in (either a built-in one, or a user-defined one)
dst-address (IP address; default: 0.0.0.0/0) - destination IP address (only if MAC protocol is set to IPv4)
dst-mac-address (MAC address; default: 00:00:00:00:00:00) - destination MAC address
dst-port (integer: 0..65535) - destination port number or range (only for TCP or UDP protocols)
flow (text) - individual packet mark to match
in-bridge (name) - bridge interface through which the packet is coming in
in-interface (name) - physical interface (i.e., bridge port) through which the packet is coming in
ip-protocol (ipsec-ah | ipsec-esp | ddp | egp | ggp | gre | hmp | idpr-cmtp | icmp | igmp | ipencap | encap | ipip | iso-tp4 | ospf | pup | rspf | rdp | st | tcp | udp | vmtp | xns-idp | xtp) - IP protocol (only if MAC protocol is set to IPv4)
• ipsec-ah - IPsec AH protocol
• ipsec-esp - IPsec ESP protocol
• ddp - datagram delivery protocol
• egp - exterior gateway protocol
• ggp - gateway-gateway protocol
• gre - general routing encapsulation
• hmp - host monitoring protocol
• idpr-cmtp - idpr control message transport
• icmp - internet control message protocol
• igmp - internet group management protocol
• ipencap - ip encapsulated in ip
• encap - ip encapsulation
• ipip - ip encapsulation
• iso-tp4 - iso transport protocol class 4
• ospf -
• pup - parc universal packet protocol
• rspf - radio shortest path first
• rdp - reliable datagram protocol
• st - st datagram mode
• tcp - transmission control protocol
• udp -
• vmtp - versatile message transport
• xns-idp - xerox ns idp
• xtp - xpress transfer protocol
jump-target (name) - if action=jump is specified, then specifies the user-defined firewall chain to process the packet
limit (integer | time | integer) - restricts the packet match rate to a given limit. Useful to reduce the amount of log messages
• Count - maximum average packet rate, measured in packets per second (pps), unless followed by the Time option
• Time - specifies the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
log-prefix (text) - defines the prefix to be printed before the logging information
mac-protocol (integer | 802.2 | arp | ip | | ipx | rarp | vlan) - Ethernet payload type (MAC-level protocol)
mark-flow (name) - marks existing flow
packet-type (broadcast | host | multicast | other-host) - MAC frame type:
• broadcast - broadcast MAC packet
• host - packet is destined to the bridge itself
• multicast - multicast MAC packet
• other-host - packet is destined to some other unicast address, not to the bridge itself
src-address (IP address; default: 0.0.0.0/0) - source IP address (only if MAC protocol is set to IPv4)
src-mac-address (MAC address; default: 00:00:00:00:00:00) - source MAC address
src-port (integer: 0..65535) - source port number or range (only for TCP or UDP protocols)
stp-flags (topology-change | topology-change-ack) - the BPDU (Bridge Protocol Data Unit) flags. Bridges exchange configuration messages named BPDUs periodically to prevent loops
• topology-change - topology change flag is set when a bridge detects a port state change, to force all other bridges to drop their host tables and recalculate the network topology
• topology-change-ack - topology change acknowledgement flag is sent in replies to the notification packets
stp-forward-delay (time: 0..65535) - forward delay timer
stp-hello-time (time: 0..65535) - STP hello packets time
stp-max-age (time: 0..65535) - maximal STP message age
stp-msg-age (time: 0..65535) - STP message age
stp-port (integer: 0..65535) - STP port identifier
stp-root-address (MAC address) - root bridge MAC address
stp-root-cost (integer: 0..65535) - root bridge cost
stp-root-priority (time: 0..65535) - root bridge priority
stp-sender-address (MAC address) - STP message sender MAC address
stp-sender-priority (integer: 0..65535) - sender priority
stp-type (config | tcn) - the BPDU type
• config - configuration BPDU
• tcn - topology change notification
vlan-encap (802.2 | arp | ip | ipv6 | ipx | rarp | vlan) - the MAC protocol type encapsulated in the VLAN frame
vlan-id (integer: 0..4095) - VLAN identifier field
vlan-priority (integer: 0..7) - the user priority field

Notes

stp
/          %'1$%1&1%%1%%1%%7..1..1..1..1..1.. 2  > !"    stp !    #

      /   mac-protocol  arp  rarp

4      /   vlan   "  

3       /   mac-protocol   

$%&#?      / !    !    "  (   $%&#&   $%&#?    note1      ! /3        !   ( * (  ( @# 0          " *#
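The 802.3-sap and 802.3-type matchers described in the property list above only make sense once the frame has been recognised as 802.3/802.2 rather than Ethernet II, and 802.3-type is only meaningful when the SAP is the SNAP value 0xAA. The Python below is an added example, not RouterOS code: it decodes the LLC header, extracts the SNAP type when present, and emulates the two matchers with exactly the dependency the page states. The field semantics and the AppleTalk example (SAP 0xAA, SNAP type 0x809B) come from this page; the frames are constructed, and the STP SAP value 0x42 used for the second frame is standard IEEE 802.1D.

```python
"""Decode the IEEE 802.2 LLC header of an 802.3 frame and emulate the
802.3-sap / 802.3-type matchers of a bridge filter rule.

Added example, not RouterOS code.  DSAP == SSAP, 802.3-type meaningful only
for SAP 0xAA (SNAP) and AppleTalk = 0xAA/0x809B are taken from the manual
page; the frames below are constructed.
"""
import struct

SNAP_SAP = 0xAA


def parse_llc(frame: bytes):
    """LLC/SNAP fields of an 802.3 frame, or None if it is Ethernet II.

    In 802.3 framing the two bytes after the MAC addresses are a length
    (at most 1500); a larger value is an Ethernet II EtherType and the frame
    carries no LLC header at all.
    """
    if len(frame) < 17:
        raise ValueError("frame too short for 802.3 + LLC")
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500:
        return None
    dsap, ssap, ctrl = frame[14], frame[15], frame[16]
    info = {"dsap": dsap, "ssap": ssap, "control": ctrl,
            "sap_mismatch": dsap != ssap, "snap_type": None}
    if dsap == SNAP_SAP and ssap == SNAP_SAP:
        if len(frame) < 22:
            raise ValueError("SNAP header truncated")
        info["oui"] = frame[17:20]
        info["snap_type"] = struct.unpack("!H", frame[20:22])[0]
    return info


def match_8023(frame: bytes, sap=None, type_=None):
    """True if the frame satisfies the given 802.3-sap / 802.3-type values.

    As on the page, 802.3-type can only match when the SAP byte is 0xAA.
    """
    llc = parse_llc(frame)
    if llc is None:
        return False
    if sap is not None and llc["dsap"] != sap:
        return False
    if type_ is not None and (llc["dsap"] != SNAP_SAP or llc["snap_type"] != type_):
        return False
    return True


def build_8023(dsap, ssap, payload=b"", snap_type=None):
    """Constructed test frame: zero MACs, 802.3 length field, LLC (+SNAP)."""
    llc = bytes([dsap, ssap, 0x03])          # 0x03 = unnumbered information
    if snap_type is not None:
        llc += b"\x00\x00\x00" + struct.pack("!H", snap_type)
    body = llc + payload
    return bytes(12) + struct.pack("!H", len(body)) + body


# Constructed frames: AppleTalk over SNAP, an STP BPDU (SAP 0x42), and an
# Ethernet II frame with EtherType 0x0800 (IPv4) and no LLC header.
APPLETALK = build_8023(0xAA, 0xAA, b"\x00" * 10, snap_type=0x809B)
STP_BPDU = build_8023(0x42, 0x42, b"\x00" * 35)
ETHERNET_II = bytes(12) + b"\x08\x00" + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    print(parse_llc(APPLETALK))
    print(match_8023(APPLETALK, sap=0xAA, type_=0x809B))   # True
    print(match_8023(STP_BPDU, type_=0x809B))              # False: no SNAP
    print(match_8023(ETHERNET_II, sap=0xAA))               # False: no LLC
```

A rule written with only 802.3-type and a SAP other than 0xAA can never match, which is the practical consequence of the "works only if 802.3-sap is 0xAA" note; the emulation returns False for that case rather than silently ignoring the type.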

Bridge Packet Filter

Home menu level: /interface bridge filter

Description

0        " *   "     "  (  (         (  " 

Property Description

action (accept | drop | jump | log | mark | passthrough | return; default: accept) - action to undertake if the packet matches the rule, one of:
• accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain
• drop - silently drop the packet (without sending the ICMP reject message)
• jump - jump to the chain specified by the value of the jump-target argument
• log - log the packet
• mark - mark the packet to use the mark later
• passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for the ability to count packets
• return - return to the previous chain, from where the jump took place
out-bridge (name) - outgoing bridge interface
out-interface (name) - interface via which the packet is leaving the bridge

Bridge NAT

Home menu level: /interface bridge nat

Description

0        0 "  (  (         (  " 

Property Description

action (accept | arp-reply | drop | dst-nat | jump | log | mark | passthrough | redirect | return | src-nat; default: accept) - action to undertake if the packet matches the rule, one of:
• accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain
• arp-reply - send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain)
• drop - silently drop the packet (without sending the ICMP reject message)
• dst-nat - change the destination MAC address of a packet (only valid in dstnat chain)
• jump - jump to the chain specified by the value of the jump-target argument
• log - log the packet
• mark - mark the packet to use the mark later
• passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for the ability to count packets
• redirect - redirect the packet to the bridge itself (only valid in dstnat chain)
• return - return to the previous chain, from where the jump took place
• src-nat - change the source MAC address of a packet (only valid in srcnat chain)
out-bridge (name) - outgoing bridge interface
out-interface (name) - interface via which the packet is leaving the bridge
to-arp-reply-mac-address (MAC address) - source MAC address to put in the Ethernet frame and ARP payload, when action=arp-reply is selected
to-dst-mac-address (MAC address) - destination MAC address to put in Ethernet frames, when action=dst-nat is selected
to-src-mac-address (MAC address) - source MAC address to put in Ethernet frames, when action=src-nat is selected

Bridge Brouting Facility

Home menu level: /interface bridge broute

Description

0       !   / "  "  (  (         (  " 

0 2 !     ""     / " *     (        ##    ( *  !    (      !    

Property Description

action (accept | drop | dst-nat | jump | log | mark | passthrough | redirect | return; default: accept) - action to undertake if the packet matches the rule, one of:
• accept - let the bridging code decide what to do with this packet
• drop - extract the packet from the bridging code, making it appear just as if it came from a non-bridged interface (no further bridge decisions or filters will be applied to this packet, except if the packet would be routed out to a bridged interface, in which case the packet would be processed normally, just like any other routed packet)
• dst-nat - change the destination MAC address of a packet (only valid in dstnat chain), and let the bridging code decide further actions
• jump - jump to the chain specified by the value of the jump-target argument
• log - log the packet
• mark - mark the packet to use the mark later
• passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for the ability to count packets
• redirect - redirect the packet to the bridge itself (only valid in dstnat chain), and let the bridging code decide further actions
• return - return to the previous chain, from where the jump took place
to-dst-mac-address (MAC address) - destination MAC address to put in Ethernet frames, when action=dst-nat is selected

Troubleshooting

Description

• Router shows that my rule is invalid • 3    3   3 3"   "    ! !        5 

•       A *3" * !  (3" *3 *

•       A *3    !  (3   3 *

•       A *3 !  !  (3 ! 3 *
