sviat88
just joined
Topic Author
Posts: 4
Joined: Thu Jun 10, 2021 10:23 pm

Switch(Bridge) on WAN side.

Sat Nov 13, 2021 10:01 am

Hi. I have a problem. My ISP is providing 2 IP addresses via MAC. It means when I want to use a home web server for one IP address, and the rest of the LAN for the other, I need to use a switch before the router. I wanted to do this in software in MikroTik RouterOS: use another bridge for ether1 and ether2 (I have a hAP ac3). I call it the WAN bridge. But I have a problem: as soon as I created wan.bridge and chose the WAN bridge in the DHCP client option, my ISP automatically disables the port. I think this is because of a loop, but I don't get how the loop is formed. I tried to use the MAC address of ether1 for wan.bridge, and tried to change the MAC address of ether1. Nothing works. I need help configuring this, or a better way to do this. My config:
# nov/07/2021 12:42:47 by RouterOS 6.49
# software id = *
#
# model = RBD53iG-5HacD2HnD
# serial number = *
/interface bridge
add admin-mac=2C:C8:1B:38:40:D7 auto-mac=no comment=defconf name=bridge
add admin-mac=2C:C8:1B:38:40:D5 auto-mac=no name=bridge.WAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-3840DA wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-3840DB \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge.WAN comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge.WAN interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=bridge.WAN list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridge.WAN
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Kiev
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
mkx
Forum Guru
Posts: 13152
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch(Bridge) on WAN side.

Sat Nov 13, 2021 5:56 pm

You connected two bridge ports (ether1 and ether2) to ISP gadget, which obviously bridges its LAN ports as well ... that's your loop.

What you should do is to configure ether1 and ether2 directly, without using a bridge. Run DHCP clients on both ether ports and you'll get two IP addresses from the ISP.
 
sviat88
just joined
Topic Author
Posts: 4
Joined: Thu Jun 10, 2021 10:23 pm

Re: Switch(Bridge) on WAN side.

Sat Nov 13, 2021 8:00 pm

You connected two bridge ports (ether1 and ether2) to ISP gadget, which obviously bridges its LAN ports as well ... that's your loop.

What you should do is to configure ether1 and ether2 directly, without using a bridge. Run DHCP clients on both ether ports and you'll get two IP addresses from the ISP.

No, no. From the ISP I have one Ethernet cable, which I connected to ether1; ether2 is for my web server.
 
Amm0
Forum Guru
Posts: 4466
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Switch(Bridge) on WAN side.

Sat Nov 13, 2021 8:25 pm

Assuming you have two bridge interfaces, and one is the "WAN bridge" with ether1 and ether2 as "ports".

Your ISP may not like the B/PDU packets that are generated by the bridge interface's STP settings (Cisco calls this "port-guard", but other carrier equipment may take the same approach: drop the link if it sees PDU packets).

If so, you might be able to get away with setting the "WAN bridge" interface to "none" as the protocol type in the STP tab (e.g. /interface/bridge/set bridge.WAN protocol-mode=none), essentially making the MikroTik "WAN bridge" a dumb switch.
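Added example, not Amm0's own commands: the setting above written out for RouterOS 6 (the poster's 6.49), followed by a check with the built-in sniffer that the bridge really has stopped transmitting BPDUs towards the ISP. The bridge name bridge.WAN and port ether1 come from the poster's export; the 10-second capture window and the memory limit are arbitrary choices of this example.

```routeros
# Added example (not from the thread). Turn STP off on the WAN-side bridge only;
# the LAN bridge keeps its default RSTP so downstream loops are still detected.
/interface bridge
set bridge.WAN protocol-mode=none

# Confirm the change took effect
/interface bridge print detail where name="bridge.WAN"

# Verification: capture only frames the router itself sends on ether1 to the
# STP multicast address 01:80:C2:00:00:00. After the change the packet list
# should stay empty; if BPDUs still appear, something else on the link is
# originating them.
/tool sniffer
set filter-interface=ether1 filter-direction=tx \
    filter-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF memory-limit=1024KiB
start
:delay 10s
stop
/tool sniffer packet print
```

Run the sniffer part from a LAN-side session (Winbox or SSH on the LAN bridge), since ether1 is the port being examined.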
 
sviat88
just joined
Topic Author
Posts: 4
Joined: Thu Jun 10, 2021 10:23 pm

Re: Switch(Bridge) on WAN side.

Sun Nov 14, 2021 1:52 am

Assuming you have two bridge interfaces, and one is the "WAN bridge" with ether1 and ether2 as "ports".

Your ISP may not like the B/PDU packets that are generated by the bridge interface's STP settings (Cisco calls this "port-guard", but other carrier equipment may take the same approach: drop the link if it sees PDU packets).

If so, you might be able to get away with setting the "WAN bridge" interface to "none" as the protocol type in the STP tab (e.g. /interface/bridge/set bridge.WAN protocol-mode=none), essentially making the MikroTik "WAN bridge" a dumb switch.

Thanks for the very fast answer! It worked! As simple as that!
One more question! Maybe this way of connecting my network (server and LAN) is not optimal; maybe there is a better way. What do you think? If my idea is OK, then please tell me which bridge to make with hardware offloading, the WAN bridge or the LAN bridge?
 
mkx
Forum Guru
Posts: 13152
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch(Bridge) on WAN side.

Sun Nov 14, 2021 12:31 pm

Your way of doing it is fine as long as the only thing required from the router for the other WAN-connected device is an Ethernet port (instead of placing a dumb switch between router and ISP). If you want the RB to offer any sort of security (firewall), then there are a few options available; the feasibility of some is severely reduced due to the need to run a DHCP client to get the IP address(es).

The selection of which bridge to HW offload depends on the amount of traffic transparently flowing between bridge member ports; the bridge with the bigger (absolute) amount of traffic flowing between member ports should be HW offloaded. Note: traffic being routed (e.g. between LAN and WAN) by the router itself is not subject to HW offload. Neither is traffic passing other interfaces, such as wlan interfaces or various tunnel interfaces.
If the router is also used as a switch for the LAN, then selecting the LAN bridge for HW offload makes sense most of the time.

Note to others: in the last paragraph above I'm talking about L2 HW offload performed by (very common) devices featuring switch chips. I'm not talking about L3 HW offload, which is a feature of select devices (CRS3xx series) running ROS v7.
 
Amm0
Forum Guru
Posts: 4466
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Switch(Bridge) on WAN side.

Sun Nov 14, 2021 3:00 pm

If my idea is OK, then please tell me which bridge to make with hardware offloading, the WAN bridge or the LAN bridge?

If it works, it's at least "ok" :).

Since you found out only one bridge interface can be "hardware offloaded", I'd say you'd want the [LAN] "bridge" hardware offloaded, e.g. Bridge>Ports showing an "H" next to your ether3-ether5 ports. The logic is you want local LAN transfers at line rate, say a file copy between two PCs on the LAN. Since outbound internet traffic is already going to require using the CPU to do NAT/firewall, that being a "software bridge" doesn't strike me as a huge problem.

One note: if the device connected to your ether2 with the public IP has multiple Ethernet jacks and is also connected to the LAN, that's where you could introduce a loop; but if the ether2 device is only connected to the internet, you should be good. While "none" seems good for the "bridge.WAN", you'd still want RSTP enabled on the [LAN] "bridge" to prevent loops if more switches are added downstream of ether3-5.

Now if your ISP/internet speed were closer to the Ethernet line rate (e.g. you have 1G internet and 1G Ethernet devices on the LAN) and you wanted to spend time optimizing and learning alternative configs, there are other approaches. For example, you can use VLANs instead (e.g. you need two VLANs: DMZ and LAN), and use the "VLAN Filtering" feature to tag ether1+2 to DMZ and ether3-5 to LAN; this means you'd only need one bridge, so more traffic might* be hardware offloaded. Note: there are other reasons why even with one bridge ROS might not be able to use hardware offloading, so NO guarantees this approach would actually be faster in practice. My advice is stick with your simple "WAN bridge" config; if you see high CPU on your MikroTik, then look at other approaches.
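Added example, not Amm0's or the poster's configuration: the single-bridge VLAN-filtering layout sketched above, written for the poster's hAP ac3 on RouterOS 6.49 and reusing the port, pool and firewall list names from the export at the top of the thread. The VLAN names vlan-dmz and vlan-lan and the VLAN IDs 10 and 20 are assumptions. It also handles the catch this layout introduces: the ISP-facing port is now a member of the only bridge, and RouterOS 6 offers no per-port way to stop a bridge port sending BPDUs, so STP has to be off for the whole bridge, which gives up the RSTP loop detection on the LAN side that Amm0 recommends keeping. Whether the switch chip still offloads once vlan-filtering is on is exactly the open question the post above raises, so the example makes no claim about it.

```routeros
# Added example (not from the thread): one VLAN-aware bridge instead of
# "bridge" + "bridge.WAN". VLAN 10 = DMZ (ether1 to ISP, ether2 to web server),
# VLAN 20 = LAN (ether3-5, wlan1, wlan2). Names and IDs are assumptions.
# Apply from a LAN port or MAC-Winbox: a wrong VLAN table locks you out the
# moment vlan-filtering=yes is set, which is why that line comes last.

# ether1 is a member of this bridge, so STP must be off for the whole bridge
# (RouterOS 6 cannot silence BPDUs on a single port); the LAN loses RSTP.
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=no

# pvid assigns untagged ingress frames to the port's VLAN
/interface bridge port
add bridge=bridge interface=ether1 pvid=10
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=20
add bridge=bridge interface=ether4 pvid=20
add bridge=bridge interface=ether5 pvid=20
add bridge=bridge interface=wlan1 pvid=20
add bridge=bridge interface=wlan2 pvid=20

# Egress table; "bridge" as a tagged member lets the router reach each VLAN.
# Web-server frames from ether2 are switched to ether1 inside VLAN 10 and never
# pass the IP firewall, the same behaviour as the bridge.WAN setup.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether1,ether2
add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether3,ether4,ether5,wlan1,wlan2

# L3 interfaces the router itself uses on each VLAN
/interface vlan
add name=vlan-dmz interface=bridge vlan-id=10
add name=vlan-lan interface=bridge vlan-id=20

# The defconf firewall matches on the WAN/LAN lists, so repoint them
/interface list member
add interface=vlan-dmz list=WAN
add interface=vlan-lan list=LAN

/ip address
add address=192.168.88.1/24 interface=vlan-lan
/ip dhcp-client
add interface=vlan-dmz disabled=no
/ip dhcp-server
set [ find name=defconf ] interface=vlan-lan

# Partial substitute for the lost RSTP: a LAN port that receives its own
# loop-protect frames is shut down instead of flooding the bridge
/interface ethernet
set [ find name~"ether[345]" ] loop-protect=on

# Last step: switch the bridge to VLAN mode
/interface bridge
set bridge vlan-filtering=yes
```

After enabling filtering, `/interface bridge port print` shows whether the switch chip still marks the ports with "H" for hardware offload; if it does not, the extra complexity buys nothing over the two-bridge layout the thread settled on.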