Good afternoon people,

I have a little problem upgrading to 6.41 with the new bridge implementation, pre-6.41 I could use both master-slave and bridge configurations at the same time on the same ports, I let the master-slave configuration handles users traffic and let the bridge configuration handle my own monitoring traffic using just one port to monitor all other ports at the same time.

As you know after 6.41 the update eliminates the use of master-slave configuration and relies on only bridge with hw-offload, I like the idea but I don't have an idea on how to apply my same idea post 6.41.

I've attached a simple picture to explain what I mean.



Ether1 and Ether2 are their own network using Master-Slave
Ether3 and Ether4 are their own network using Master-Slave
Ether1, Ether3 and Ether5 are all in one bridge with Ether1 and Ether3 are using a horizon value of 1 (making them not see each other), Ether5 uses a horizon of 2 (making it see both Ether1 and Ether3 groups and thus being used for monitoring and control from my side).

Upgrading to 6.41 will merge my configuration making all ports see each other.

I'm having a bit of a trouble thinking of a solution to have the same results using just bridges or vlans to acquire the same idea.


Any input would be appreciated.

Thank you.

What do you mean with "monitor all ports at the same time"? Why is it needed to have ether5 in L2 with the rest?

What do you mean with "monitor all ports at the same time"? Why is it needed to have ether5 in L2 with the rest?

Sorry, maybe I wasn't clear, I use the bridge to monitor clients devices and other Mikrotik devices in each network (Ether1,2,3 and 4). Ether5 is connected to an Access point that sends the traffic remotely to my computer in the office.

Wouldn't using no horizon at all but using Bridge filters allow what you want (prevent ether1,2 to see ether3,4 and ether5)? You can use interface lists... Same goes for Switch > ACLs

Why the need to be in L2 to send traffic to monitor? IDS? Are you mirroring traffic and sending it towards your office? Wouldn't IP > Traffic Flow be a better method?

Wouldn't using no horizon at all but using Bridge filters allow what you want (prevent ether1,2 to see ether3,4 and ether5)? You can use interface lists... Same goes for Switch > ACLs

Why the need to be in L2 to send traffic to monitor? IDS? Are you mirroring traffic and sending it towards your office? Wouldn't IP > Traffic Flow be a better method?

This is helpful, I'll try the bridge filters and report back, although I have no idea on how to use filters, that's why we used that method in the first place.

Apparently Bridge filters in/out doesn't work when hw-offload is active on the ports. Any Ideas?

If you want to isolate clients on the switching chip (which is my understanding of what you want to do) you need to use the port isolation feature on CRS switches. For routerboard devices I have no idea how to resolve this though...

Apparently Bridge filters in/out doesn't work when hw-offload is active on the ports. Any Ideas?

Did you enable "Use IP Firewall" (on Bridge [Settings])? Filters won't work otherwise AFAIK.

If you did, maybe (as I still don't fully understand your requirements) is it possible that could be done as whitbread said, using Port Leakage and isolation or ACLs

Apparently Bridge filters in/out doesn't work when hw-offload is active on the ports. Any Ideas?

Did you enable "Use IP Firewall" (on Bridge [Settings])?

If you did, maybe (as I still don't understand your requirements) is it possible that could be done as withbread said, using Port Leakage and isolation or ACLs

Yes I did that.

I'll be trying what you guys suggested earlier and report back.

And yes I think you somewhat understood what I needed, I needed L2 access to both these networks from my computer at the same time.

Apparently Bridge filters in/out doesn't work when hw-offload is active on the ports. Any Ideas?

Correction: if using L2 bridge filters, there's no need to enable use ip firewall. Just tested on 6.41 (on a RB1100AHx2), and even with hw offload enabled, L2 filtering (.e.g manipulating priority, vlan, etc) does work fine too.

Ports will not have H in front, ROS will disable it.

Port-level Isolation worked well for me one the CRS switches. With non-CRS devices, I had to use bridge filters while having to disable HW-Offload.

There is little to no explanation on how Port-level Isolation works in the wiki, just and example with no clue on how it does its job.

Thanks for your help guys, I really appreciate it.