How can I filter some flooded broadcast packets on some VLANs?
I have multiple VLANs configured on a bridge, with vlan-filtering=yes on the bridge, and hw=no on every bridge port. All ether ports are on the bridge (accepting only untagged packets), and clients are assigned to their VLAN via dot1x. One SFP port is on the bridge, accepting tagged packets for any VLAN (coming from a WiFi AP). On most VLANs, I want broadcasts to work as normal. But on a certain VLAN, I want to filter broadcast packets (similar to switch port isolation, but at the bridge/VLAN level). However, none of the filter rules ever see a VLAN-tagged packet -- neither on ingress, nor on egress after the broadcast is flooded.
I've tried putting log rules in all bridge filter chains (input, forward, output, srcnat, dstnat). I've also tried enabling "Use IP Firewall" & "Use IP Firewall for VLAN", and putting log rules in several of the IP firewall filter chains (input, forward, output, prerouting); I can't filter by VLAN in the firewall, but I did it just to confirm the packet flow.
I see the packet enter untagged on the source's ether interface. It is then flooded to the destinations' ether interfaces, and I see it pass the bridge forward chain, again untagged.
I can't just turn off broadcast flood on the ether ports under /interface/bridge/port: if a port is assigned to a different VLAN due to the dot1x auth, I still want broadcast to work; and also, even on the broadcast-filtered VLAN, ideally I would still want certain broadcasts to work (I'd like to be able to choose which ones using filters). I can't use a separate bridge per VLAN, because any ether port could have a client assigned to any VLAN, and the SFP port from the WiFi AP brings in tagged traffic from all VLANs.
None of the filter chains ever see the broadcast packet with the VLAN tag, so I'm unable to filter broadcasts just on that one VLAN. Is there any way to do this?
Thank you
Device: CCR2116-12G-4S+
OS: RouterOS 7.6
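The layout described in the post, reconstructed as an added RouterOS configuration fragment so that it can be reproduced on a lab unit. This is not the poster's configuration: the interface names (ether1, ether2, sfp-sfpplus1), the VLAN IDs 10/20/30 and the choice of VLAN 30 as the broadcast-filtered VLAN are assumptions. It includes the per-chain log rules the poster used for diagnosis and the VLAN-specific drop rule the post is asking for, with the matchers (packet-type, mac-protocol, vlan-id) that the bridge firewall offers for it.

```routeros
# Added example, not the poster's own export. Interface names and VLAN IDs
# are assumptions; VLAN 30 stands for the VLAN whose broadcasts should be filtered.
/interface/bridge
add name=bridge1 vlan-filtering=yes

# Access ports: untagged frames only, no hardware offload, default PVID 10.
# dot1x (RADIUS Tunnel-Private-Group-ID) moves a port to another VLAN after authentication,
# so the PVID here is only the pre-auth default.
/interface/bridge/port
add bridge=bridge1 interface=ether1 pvid=10 hw=no frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether2 pvid=10 hw=no frame-types=admit-only-untagged-and-priority-tagged
# Trunk from the WiFi AP: tagged frames for every VLAN.
add bridge=bridge1 interface=sfp-sfpplus1 hw=no frame-types=admit-only-vlan-tagged

/interface/bridge/vlan
add bridge=bridge1 vlan-ids=10 tagged=sfp-sfpplus1 untagged=ether1,ether2
add bridge=bridge1 vlan-ids=20 tagged=sfp-sfpplus1
add bridge=bridge1 vlan-ids=30 tagged=sfp-sfpplus1

# Diagnostic rules: log frames with the broadcast destination MAC in every
# bridge filter chain, so the log shows on which interface each copy is seen.
# action=log passes the frame on to the next rule.
/interface/bridge/filter
add chain=input  packet-type=broadcast action=log log-prefix="br-in"
add chain=forward packet-type=broadcast action=log log-prefix="br-fwd"
add chain=output packet-type=broadcast action=log log-prefix="br-out"

# The rule the post is asking for: drop broadcasts on VLAN 30 only.
# mac-protocol=vlan with vlan-id matches only frames that carry an 802.1Q tag
# at the point where the chain runs; the post reports that the flooded copies
# reach the forward chain untagged, which is why this rule never counts there.
add chain=forward packet-type=broadcast mac-protocol=vlan vlan-id=30 action=drop log=yes log-prefix="vlan30-bcast-drop"
```

Check the counters with `/interface/bridge/filter/print stats` after sending a broadcast from a client on VLAN 30: the three log rules should count for every copy, while the vlan-id=30 rule counts only where the tag is actually visible to the chain, which is the observation the post describes.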