Hi!
I have an RB760iGS, and I have a basic question.
I configured a bridge and put ports 3, 4 and 5 in the bridge.
But I want to limit the traffic on port 4 only. I tried these configurations:
But it doesn't work. Any ideas? Thanks a lot!
> on bridge settings enable firewall and all traffic goes to cpu, all is slower and you can use queues

Curious cat, let me ask you another question. Enabling use-ip-firewall in bridge settings is definitely the only way to force L2 forwarding through queues, but as you recommend it this lightheartedly, how do you deal with the havoc it causes on NAT?
> how do you deal with the havoc it causes on NAT?

@sindy, what do you mean?
> @sindy, what do you mean?

Try and see... if I remember correctly, the packets were handled by NAT rules already during the bridging phase, so their addresses changed before reaching the routing, or something like that. I would have to google for the details, it was discussed here more than a year ago.
> on bridge settings enable firewall and all traffic goes to cpu, all is slower and you can use queues

In certain network configurations, you might need to enable additional processing on routing chains for bridged traffic, for example, to use simple queues or an IP firewall. This can be done when the use-ip-firewall is enabled under the bridge settings. Note that additional processing will consume more CPU resources to handle these packets.

https://help.mikrotik.com/docs/display/ ... dgeForward

> Maybe you mean that the packets will pass through the prerouting, forward and postrouting chains while still in the Bridge?

Of course I do, but that's the obvious part. The non-obvious one is the consequences this has when the packets are bridged from a host to the CPU, because in such a case they pass through the prerouting (including dst-nat), forward, and postrouting (including src-nat) chains twice (or even three times if the packets are routed from one bridge to another).
Haha. I'm curious, like a cat,
about why you asked that...
> I can put this port in another bridge; this way it's easier to limit traffic?

Shaping traffic will be equally easy or complex, but you'll avoid the side effects if you move the port to a separate subnet/vlan/bridge.
> The ether4 is only used by employees to access the internet and the automation devices in the LAN.

You don't even need to use separate subnets if the automation devices use one address range and the employees use another, as you can link the bandwidth limitation to the addresses. But this is only true if you don't need to limit the bandwidth between the employees' PCs and the automation devices - I can imagine an upset employee flooding the automation gear with traffic locally.
> The employees there consume almost all the bandwidth (1 Mbps :/), and thus the traffic with important automation devices (which are also on the bridge) is harmed.

There is a catch - you can only enforce bandwidth in the outgoing direction. So you can limit the download from the internet towards the employees' PCs only by throttling the output on the LAN, which means that at the beginning of each download TCP session, the data will clog the uplink for a while, until the feedback tells the server that there's no point in sending this fast. So the automation protocols must be able to deal with some loss even if you enforce download bandwidth this way.
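A worked RouterOS CLI configuration for the address-based approach discussed above (an added example, not from any poster in the thread): it enables use-ip-firewall so bridged traffic reaches the IP firewall and simple queues, then caps only the employees' address range. The subnet 192.168.88.0/24, the employees' half 192.168.88.128/25, the automation devices' half 192.168.88.0/25 and the 512k cap are constructed assumptions.

```routeros
# Added example, not from the thread. Assumed layout: one subnet 192.168.88.0/24 on the
# bridge; automation devices in 192.168.88.0/25, employees' PCs in 192.168.88.128/25
# (e.g. via a DHCP pool). Limiting by address means ether4 need not leave the bridge.

# 1) Let L2-forwarded (bridged) traffic pass the IP firewall and queues.
#    Caveat from the thread: this costs CPU and pushes bridged packets through
#    prerouting/forward/postrouting, so existing NAT rules may see them too.
/interface bridge settings
set use-ip-firewall=yes

# 2) Keep NAT scoped to traffic actually leaving towards the WAN, so bridged
#    LAN-to-LAN packets that now hit postrouting are not masqueraded by accident.
#    (ether1 as the WAN port is an assumption.)
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# 3) Cap the employees' address range; automation hosts are outside the target
#    and stay unshaped. max-limit is upload/download, assumed 512k each way so
#    the 1 Mbps uplink keeps headroom for the automation protocols.
/queue simple
add name=employees target=192.168.88.128/25 max-limit=512k/512k
```

Check with `/queue simple print stats` that the employees queue counters move while traffic from the automation half of the subnet stays unqueued.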