Solo Cyber City

Telogodog's notes on learning MikroTik

Bridge

Posted by telogodog on March 28, 2009


MAC level bridging of Ethernet, Ethernet over IP (EoIP), Prism, Atheros and RadioLAN interfaces is supported. All 802.11a, 802.11b, and 802.11g client wireless interfaces (ad-hoc, infrastructure or station mode) do not support this because of the limitations of 802.11. However, it is possible to bridge over Prism and Atheros based links using the WDS feature (for Atheros and Prism chipset based cards) or the Ethernet over IP protocol.

For preventing loops in a network, you can use the Spanning Tree Protocol (STP). This protocol is also used for configurations with backup links.

Main features:

  • Spanning Tree Protocol (STP)
  • Multiple bridge interfaces
  • Bridge associations on a per-interface basis
  • MAC address table can be monitored in real time
  • IP address assignment for router access
  • Bridge interfaces can be filtered and NATed
  • Support for brouting based on bridge packet filter

Quick Setup Guide

To put interfaces ether1 and ether2 in a bridge:

  1. Add a bridge interface, called MyBridge:
    /interface bridge add name="MyBridge" disabled=no
  2. Add ether1 and ether2 to MyBridge interface:
    /interface bridge port add interface=ether1 bridge=MyBridge
    /interface bridge port add interface=ether2 bridge=MyBridge

Specifications

Packages required: system
License required: Level3
Submenu level: /interface bridge
Standards and Technologies: IEEE 802.1D
Hardware usage: Not significant

Description

Ethernet-like networks (Ethernet, Ethernet over IP, IEEE 802.11 in ap-bridge or bridge mode, WDS, VLAN) can be connected together using MAC bridges. The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in the traceroute list, and no utility can distinguish between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).

Network loops may emerge (intentionally or not) in complex topologies. Without any special treatment, loops would prevent the network from functioning normally, as they would lead to avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop can be prevented. STP allows bridges to communicate with each other, so they can negotiate a loop-free topology. All other alternative connections that would otherwise form loops are put on standby, so that should the main connection fail, another connection can take its place. This algorithm exchanges configuration messages (BPDU – Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology. STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports of the other bridges. The root bridge is the bridge with the lowest bridge ID.

Additional Resources

http://ebtables.sourceforge.net/

Bridge Interface Setup

Submenu level: /interface bridge

Description

To combine a number of networks into one bridge, a bridge interface should be created (later, all the desired interfaces should be set up as its ports). One MAC address will be assigned to all the bridged interfaces (the smallest MAC address will be chosen automatically).

Property Description

ageing-time (time; default: 5m) – how long host information is kept in the bridge database 

arp (disabled | enabled | proxy-arp | reply-only; default: enabled) – Address Resolution Protocol setting 

forward-delay (time; default: 15s) – time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally 

garbage-collection-interval (time; default: 4s) – how often to drop old (expired) host entries from the bridge database. The garbage collection process purges the entries older than defined by the ageing-time property 

hello-time (time; default: 2s) – how often to send hello packets to other bridges 

mac-address (read-only: MAC address) – MAC address for the interface 

max-message-age (time; default: 20s) – how long to remember Hello messages received from other bridges 

mtu (integer; default: 1500) – Maximum Transmission Unit 

name (name; default: bridgeN) – a descriptive name of the bridge interface 

priority (integer: 0..65535; default: 32768) – bridge interface priority. The priority argument is used by Spanning Tree Protocol to determine, which port remains enabled if at least two ports form a loop 

stp (no | yes; default: no) – whether to enable the Spanning Tree Protocol. Bridging loops will only be prevented if this property is turned on 

Example

To add and enable a bridge interface that will forward all the protocols:

[admin@MikroTik] interface bridge> add; print
Flags: X - disabled, R - running
 0  R name="bridge1" mtu=1500 arp=enabled mac-address=61:64:64:72:65:73 stp=no
      priority=32768 ageing-time=5m forward-delay=15s
      garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@MikroTik] interface bridge> enable 0

Port Settings

Submenu level: /interface bridge port

Description

The submenu is used to enslave interfaces in a particular bridge interface.

Property Description

bridge (name; default: none) – the bridge interface the respective interface is grouped in

none - the interface is not grouped in any bridge 

 

interface (read-only: name) – interface name, which is to be included in a bridge 

path-cost (integer: 0..65535; default: 10) – path cost to the interface, used by STP to determine the ‘best’ path 

priority (integer: 0..255; default: 128) – interface priority compared to other interfaces, which are destined to the same network 

Notes

Starting from version 2.9.9, the ports in this list should be added, not set; see the following examples.

Example

To group ether1 and ether2 in the already created bridge1 bridge (versions from 2.9.9):

[admin@MikroTik] interface bridge port> add interface=ether1 bridge=bridge1
[admin@MikroTik] interface bridge port> add interface=ether2 bridge=bridge1
[admin@MikroTik] interface bridge port> print
 # INTERFACE   BRIDGE PRIORITY PATH-COST
 0 ether1      bridge1   128      10
 1 ether2      bridge1   128      10
[admin@MikroTik] interface bridge port>

Note that there is no wlan1 interface anymore, as it was not added as a bridge port.

Bridge Monitoring

Command name: /interface bridge monitor

Description

Used to monitor the current status of a bridge.

Property Description

bridge-id (text) – the bridge ID, which is in the form bridge-priority.bridge-MAC-address 

designated-root (text) – ID of the root bridge 

path-cost (integer) – the total cost of the path to the root-bridge 

root-port (name) – the port through which the root bridge is reached 

Example

To monitor a bridge:

[admin@MikroTik] interface bridge> monitor bridge1
          bridge-id: 32768.00:02:6F:01:CE:31
    designated-root: 32768.00:02:6F:01:CE:31
          root-port: ether2
          path-cost: 180

[admin@MikroTik] interface bridge>
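As an added illustration of the election described in the Description (lowest bridge ID becomes root, other bridges pick the cheapest path to it and block the alternatives) and of the values that /interface bridge monitor reports (bridge-id, designated-root, root-port, path-cost), the following Python model is not part of the manual or of RouterOS; the bridge names, MAC addresses, port path-costs and topology are constructed, and the port name stands in for the port ID in tie-breaks.

```python
# Added example (not from the RouterOS manual): a small model of STP root
# election and root-port selection. Bridge IDs use the "priority.MAC" form that
# /interface bridge monitor prints. Bridges, MACs, costs and links below are
# constructed sample data.

def id_key(priority, mac):
    """Sort key for a bridge ID: lower priority wins, then the lower MAC."""
    return (priority, int(mac.replace(":", ""), 16))

def bridge_id(priority, mac):
    """Format a bridge ID the way 'monitor' prints it, e.g. 32768.00:02:6F:01:CE:31."""
    return f"{priority}.{mac.upper()}"

def elect_root(bridges):
    """The root bridge is the one with the lowest bridge ID."""
    return min(bridges, key=lambda name: id_key(*bridges[name]))

def compute_stp(bridges, ports, links):
    """Return (root, best, states).

    bridges: name -> (priority, mac)
    ports:   name -> {port: path-cost}      (the per-port path-cost property)
    links:   [(bridge_a, port_a, bridge_b, port_b)] point-to-point segments
    best:    name -> (root path-cost, upstream bridge key, root-port)
    states:  (bridge, port) -> "forwarding" | "blocking"
    """
    root = elect_root(bridges)
    best = {root: (0, id_key(*bridges[root]), None)}
    changed = True
    while changed:                      # relax until no cheaper path to the root appears
        changed = False
        for a, pa, b, pb in links:
            for near, far, far_port in ((a, b, pb), (b, a, pa)):
                if near not in best or far == root:
                    continue
                # cost via this port = neighbour's root cost + this port's own path-cost;
                # ties break on the neighbour's bridge ID, then the port (stands in for port ID)
                cand = (best[near][0] + ports[far][far_port], id_key(*bridges[near]), far_port)
                if far not in best or cand < best[far]:
                    best[far] = cand
                    changed = True
    states = {(b, p): "blocking" for b in ports for p in ports[b]}
    for a, pa, b, pb in links:
        # the designated port on a segment belongs to the bridge closer to the root
        # (lower root path-cost, then lower bridge ID); a designated port forwards
        desig = min(((a, pa), (b, pb)), key=lambda bp: (best[bp[0]][0], id_key(*bridges[bp[0]])))
        states[desig] = "forwarding"
    for name, (_, _, root_port) in best.items():
        if root_port is not None:       # every non-root bridge forwards on its root port
            states[(name, root_port)] = "forwarding"
    return root, best, states

# Constructed sample: C has the lowest priority and becomes root although its MAC
# is the highest; B's direct link to C carries a high path-cost (slow link).
BRIDGES = {
    "A": (32768, "00:0c:42:aa:00:01"),
    "B": (32768, "00:0c:42:aa:00:02"),
    "C": (4096, "00:0c:42:aa:00:03"),
}
PORTS = {"A": {"ether1": 10, "ether2": 10},
         "B": {"ether1": 100, "ether2": 10},
         "C": {"ether1": 10, "ether2": 10}}
LINKS = [("A", "ether1", "C", "ether1"),
         ("B", "ether1", "C", "ether2"),
         ("A", "ether2", "B", "ether2")]

if __name__ == "__main__":
    root, best, states = compute_stp(BRIDGES, PORTS, LINKS)
    print("designated-root:", bridge_id(*BRIDGES[root]))
    for name in sorted(BRIDGES):
        cost, _, rp = best[name]
        print(f"{name}: bridge-id={bridge_id(*BRIDGES[name])} root-port={rp} path-cost={cost}")
    for (b, p), st in sorted(states.items()):
        print(f"{b}/{p}: {st}")
```

With these costs B reaches the root more cheaply through A (20) than over its direct 100-cost port, so B/ether1 is the single blocked port that breaks the loop.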

Bridge Port Monitoring

Command name: /interface bridge port monitor

Description

Statistics of an interface that belongs to a bridge.

Property Description

designated-port (text) – port of designated-root bridge 

designated-root (text) – ID of bridge, which is nearest to the root-bridge 

port-id (integer) – port ID, composed of the port priority and port number; it is unique 

status (disabled | blocking | listening | learning | forwarding) – the status of the bridge port:

disabled - the interface is disabled. No frames are forwarded, no Bridge Protocol Data Units (BPDUs) are heard 
blocking - the port does not forward any frames, but listens for BPDUs 
listening - the port does not forward any frames, but listens to them 
learning - the port does not forward any frames, but learns the MAC addresses 
forwarding - the port forwards frames, and learns MAC addresses 

 

Example

To monitor a bridge port:

[admin@MikroTik] interface bridge port> mo 0
               status: forwarding
              port-id: 28417
      designated-root: 32768.00:02:6F:01:CE:31
    designated-bridge: 32768.00:02:6F:01:CE:31
      designated-port: 28417
      designated-cost: 0
-- [Q quit|D dump|C-z pause]

Bridge Host Monitoring

Command name: /interface bridge host

Property Description

age (read-only: time) – the time since the last packet was received from the host 

bridge (read-only: name) – the bridge the entry belongs to 

local (read-only: flag) – whether the host entry is of the bridge itself (that way all local interfaces are shown) 

mac-address (read-only: MAC address) – host’s MAC address 

on-interface (read-only: name) – which of the bridged interfaces the host is connected to 

Example

To get the active host table:

[admin@MikroTik] interface bridge host> print
Flags: L - local
   BRIDGE              MAC-ADDRESS       ON-INTERFACE       AGE
   bridge1             00:00:B4:5B:A6:58 ether1             4m48s
   bridge1             00:30:4F:18:58:17 ether1             4m50s
 L bridge1             00:50:08:00:00:F5 ether1             0s
 L bridge1             00:50:08:00:00:F6 ether2             0s
   bridge1             00:60:52:0B:B4:81 ether1             4m50s
   bridge1             00:C0:DF:07:5E:E6 ether1             4m46s
   bridge1             00:E0:C5:6E:23:25 prism1             4m48s
   bridge1             00:E0:F7:7F:0A:B8 ether1             1s
[admin@MikroTik] interface bridge host>

Bridge Firewall General Description

Specifications

Submenu level: /interface bridge filter/interface bridge nat/interface bridge broute

Description

The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through a bridge.

Note that packets between bridged interfaces, just like any other IP traffic, are also passed through the ‘generic’ /ip firewall rules (but bridging filters are always applied before IP filters/NAT of the built-in chain of the same name, except for the output which is executed after IP Firewall Output). These rules can be used with real, physical receiving/transmitting interfaces, as well as with bridge interface that simply groups the bridged interfaces.

There are three bridge filter tables:

  • filter - bridge firewall with three predefined chains:
    • input - filters packets whose destination is the bridge (including those packets that will be routed, as they are anyway destined to the bridge MAC address)
    • output - filters packets which come from the bridge (including those packets that have been routed normally)
    • forward - filters packets which are to be bridged (note: this chain is not applied to the packets that should be routed through the router, just to those that are traversing between the ports of the same bridge)
  • nat - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains:
    • srcnat - used for "hiding" a host or a network behind a different MAC address. This chain is applied to the packets leaving the router through a bridged interface
    • dstnat - used for redirecting some packets to other destinations
  • broute - makes the bridge a brouter – a router that performs routing on some of the packets, and bridging on others. Has one predefined chain: brouting, which is traversed right after a packet enters an enslaved interface (before the "Bridging Decision")

Note: the bridge destination NAT is executed before the bridging decision.

You can put packet marks in the bridge firewall (filter, broute and NAT), which are the same as the packet marks put in the IP firewall by mangle. So packet marks put by the bridge firewall can be used in the IP firewall, and vice versa.

General bridge firewall properties are described in this section. Some parameters that differ between nat, broute and filter rules are described in further sections.

Property Description

802.3-sap (integer) – DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are two one-byte fields which identify the network protocol entities that use the link layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match an SAP byte 

802.3-type (integer) – Ethernet protocol type, placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP – Sub-Network Attachment Point header). For example, AppleTalk can be indicated by SAP code of 0xAA followed by a SNAP type code of 0x809B 

arp-dst-address (IP address; default: 0.0.0.0/0) – ARP destination address 

arp-dst-mac-address (MAC address; default: 00:00:00:00:00:00) – ARP destination MAC address 

arp-hardware-type (integer; default: 1) – ARP hardware type. This is normally Ethernet (Type 1) 

arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-request | reply | reply-reverse | request | request-reverse) – ARP opcode (packet type)

arp-nak - negative ARP reply (rarely used, mostly in ATM networks) 
drarp-error - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated 
drarp-reply - Dynamic RARP reply, with a temporary IP address assignment for a host 
drarp-request - Dynamic RARP request to assign a temporary IP address for the given MAC address 
inarp-request - 
reply - standard ARP reply with a MAC address 
reply-reverse - reverse ARP (RARP) reply with an IP address assigned 
request - standard ARP request to a known IP address to find out unknown MAC address 
request-reverse - reverse ARP (RARP) request to a known MAC address to find out unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service) 

 

arp-packet-type (integer) - 

arp-src-address (IP address; default: 0.0.0.0/0) – ARP source IP address 

arp-src-mac-address (MAC address; default: 00:00:00:00:00:00) – ARP source MAC address 

chain (text) – bridge firewall chain, which the filter is functioning in (either a built-in one, or a user defined) 

dst-address (IP address; default: 0.0.0.0/0) – destination IP address (only if MAC protocol is set to IPv4) 

dst-mac-address (MAC address; default: 00:00:00:00:00:00) – destination MAC address 

dst-port (integer: 0..65535) – destination port number or range (only for TCP or UDP protocols) 

flow (text) – individual packet mark to match 

in-bridge (name) – bridge interface through which the packet is coming in 

in-interface (name) – physical interface (i.e., bridge port) through which the packet is coming in 

ip-protocol (ipsec-ah | ipsec-esp | ddp | egp | ggp | gre | hmp | idpr-cmtp | icmp | igmp | ipencap | encap | ipip | iso-tp4 | ospf | pup | rspf | rdp | st | tcp | udp | vmtp | xns-idp | xtp) – IP protocol (only if MAC protocol is set to IPv4)

ipsec-ah - IPsec AH protocol 
ipsec-esp - IPsec ESP protocol 
ddp - datagram delivery protocol 
egp - exterior gateway protocol 
ggp - gateway-gateway protocol 
gre - general routing encapsulation 
hmp - host monitoring protocol 
idpr-cmtp - idpr control message transport 
icmp - internet control message protocol 
igmp - internet group management protocol 
ipencap - ip encapsulated in ip 
encap - ip encapsulation 
ipip - ip encapsulation 
iso-tp4 - iso transport protocol class 4 
ospf - open shortest path first 
pup - parc universal packet protocol 
rspf - radio shortest path first 
rdp - reliable datagram protocol 
st - st datagram mode 
tcp - transmission control protocol 
udp - user datagram protocol 
vmtp - versatile message transport 
xns-idp - xerox ns idp 
xtp - xpress transfer protocol 

 

jump-target (name) – if action=jump specified, then specifies the user-defined firewall chain to process the packet 

limit (integer/time{0,1},integer) – restricts the packet match rate to a given limit. Useful to reduce the amount of log messages

Count - maximum average packet rate, measured in packets per second (pps), unless followed by Time option 
Time - specifies the time interval over which the packet rate is measured 
Burst - number of packets to match in a burst 

 

log-prefix (text) – defines the prefix to be printed before the logging information 

mac-protocol (integer | 802.2 | arp | ip | ipv6 | ipx | rarp | vlan) – Ethernet payload type (MAC-level protocol) 

mark-flow (name) – marks existing flow 

packet-type (broadcast | host | multicast | other-host) – MAC frame type:

broadcast - broadcast MAC packet 
host - packet is destined to the bridge itself 
multicast - multicast MAC packet 
other-host - packet is destined to some other unicast address, not to the bridge itself 

 

src-address (IP address; default: 0.0.0.0/0) – source IP address (only if MAC protocol is set to IPv4) 

src-mac-address (MAC address; default: 00:00:00:00:00:00) – source MAC address 

src-port (integer: 0..65535) – source port number or range (only for TCP or UDP protocols) 

stp-flags (topology-change | topology-change-ack) – the BPDU (Bridge Protocol Data Unit) flags. Bridges exchange configuration messages named BPDUs periodically to prevent loops

topology-change - the topology change flag is set when a bridge detects a port state change, to force all other bridges to drop their host tables and recalculate the network topology 
topology-change-ack - the topology change acknowledgement flag is sent in replies to the notification packets 

 

stp-forward-delay (time: 0..65535) – forward delay timer 

stp-hello-time (time: 0..65535) – stp hello packets time 

stp-max-age (time: 0..65535) – maximal STP message age 

stp-msg-age (time: 0..65535) – STP message age 

stp-port (integer: 0..65535) – stp port identifier 

stp-root-address (MAC address) – root bridge MAC address 

stp-root-cost (integer: 0..65535) – root bridge cost 

stp-root-priority (time: 0..65535) – root bridge priority 

stp-sender-address (MAC address) – stp message sender MAC address 

stp-sender-priority (integer: 0..65535) – sender priority 

stp-type (config | tcn) – the BPDU type

config - configuration BPDU 
tcn - topology change notification 

 

vlan-encap (802.2 | arp | ip | ipv6 | ipx | rarp | vlan) – the MAC protocol type encapsulated in the VLAN frame 

vlan-id (integer: 0..4095) – VLAN identifier field 

vlan-priority (integer: 0..7) – the user priority field 

Notes

STP matchers are only valid if the destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF (the Bridge Group address); STP must also be enabled.

ARP matchers are only valid if mac-protocol is arp or rarp.

VLAN matchers are only valid for the vlan Ethernet protocol.

IP-related matchers are only valid if mac-protocol is set to ipv4.

802.3 matchers are only consulted if the actual frame is compliant with the IEEE 802.2 and IEEE 802.3 standards (note: this is not the industry-standard Ethernet frame format used in most networks worldwide!). These matchers are ignored for other packets.

Bridge Packet Filter

Submenu level: /interface bridge filter

Description

This section describes bridge packet filter specific filtering options, which were omitted in the general firewall description.

Property Description

action (accept | drop | jump | log | mark | passthrough | return; default: accept) – action to undertake if the packet matches the rule, one of the following:

accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain 
drop - silently drop the packet (without sending the ICMP reject message) 
jump - jump to the chain specified by the value of the jump-target argument 
log - log the packet 
mark - mark the packet to use the mark later 
passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets 
return - return to the previous chain, from where the jump took place 

 

out-bridge (name) – outgoing bridge interface 

out-interface (name) – interface via which the packet is leaving the bridge 
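The following Python model, added here and not taken from the manual or from RouterOS, walks a bridge filter chain with the actions listed above (accept, drop, jump, log, passthrough, return) and applies the matcher validity rules from the Notes of the general description; it assumes that action=log continues to the next rule and that a built-in chain defaults to accept, and the rules, interface names and frames are constructed.

```python
# Added example (not from the RouterOS manual): a model of how a bridge filter
# chain is walked, with the Notes applied (ARP matchers only for arp/rarp, IP
# matchers only for ip, STP matchers only for the Bridge Group address, VLAN
# matchers only for vlan). Assumption: action=log continues to the next rule.

BRIDGE_GROUP = "01:80:c2:00:00:00"
IP_MATCHERS = {"src-address", "dst-address", "ip-protocol", "src-port", "dst-port"}
NON_MATCHERS = {"chain", "action", "jump-target", "log-prefix"}

def matcher_valid(name, frame):
    """Apply the Notes: a matcher that does not apply to this frame type cannot match."""
    proto = frame.get("mac-protocol")
    if name.startswith("arp-"):  return proto in ("arp", "rarp")
    if name in IP_MATCHERS:      return proto == "ip"
    if name.startswith("stp-"):  return frame.get("dst-mac-address") == BRIDGE_GROUP
    if name.startswith("vlan-"): return proto == "vlan"
    return True

def rule_matches(rule, frame):
    """All matchers of the rule must be valid for the frame and equal its fields."""
    return all(matcher_valid(k, frame) and frame.get(k) == v
               for k, v in rule.items() if k not in NON_MATCHERS)

def run_chain(rules, chain, frame, log, counters):
    """Walk one chain top-down; return accept/drop/return, or None on fall-through."""
    for i, rule in enumerate(rules):
        if rule["chain"] != chain or not rule_matches(rule, frame):
            continue
        counters[i] += 1                      # passthrough still counts the packet
        action = rule.get("action", "accept")
        if action == "log":
            log.append(rule.get("log-prefix", "") + ": " + frame["name"])
        elif action == "jump":
            verdict = run_chain(rules, rule["jump-target"], frame, log, counters)
            if verdict in ("accept", "drop"):
                return verdict                # return/fall-through resumes after the jump
        elif action != "passthrough":
            return action                     # accept, drop or return
    return None

def bridge_filter(rules, frame, chain="forward"):
    # verdict for a frame entering a built-in chain (assumed default: accept)
    log, counters = [], [0] * len(rules)
    verdict = run_chain(rules, chain, frame, log, counters)
    return (verdict if verdict in ("accept", "drop") else "accept"), log, counters

# Constructed policy for a bridge joining a trusted LAN (ether1) and an untrusted
# wireless port (prism1): BPDUs from prism1 are logged and dropped so that port
# cannot influence the STP topology; ARP, IP and BPDUs from other ports are
# bridged; everything else is logged, then dropped (rule order matters).
RULES = [
    {"chain": "forward", "in-interface": "prism1", "dst-mac-address": BRIDGE_GROUP,
     "action": "jump", "jump-target": "wifi-bpdu"},
    {"chain": "forward", "dst-mac-address": BRIDGE_GROUP, "action": "accept"},
    {"chain": "forward", "mac-protocol": "arp", "action": "accept"},
    {"chain": "forward", "mac-protocol": "ip", "action": "accept"},
    {"chain": "forward", "action": "log", "log-prefix": "bridge-drop"},
    {"chain": "forward", "action": "drop"},
    {"chain": "wifi-bpdu", "stp-type": "tcn", "action": "log", "log-prefix": "wifi-tcn"},
    {"chain": "wifi-bpdu", "action": "drop"},
]

FRAMES = [  # constructed frames, keyed by the matcher names used above
    {"name": "arp-from-lan", "mac-protocol": "arp", "in-interface": "ether1",
     "dst-mac-address": "ff:ff:ff:ff:ff:ff", "arp-opcode": "request"},
    {"name": "ipx-from-lan", "mac-protocol": "ipx", "in-interface": "ether1",
     "dst-mac-address": "ff:ff:ff:ff:ff:ff"},
    {"name": "tcn-from-wifi", "mac-protocol": "802.2", "in-interface": "prism1",
     "dst-mac-address": BRIDGE_GROUP, "stp-type": "tcn"},
    {"name": "config-from-lan", "mac-protocol": "802.2", "in-interface": "ether1",
     "dst-mac-address": BRIDGE_GROUP, "stp-type": "config"},
]

if __name__ == "__main__":
    for frame in FRAMES:
        print(frame["name"], *bridge_filter(RULES, frame)[:2])
```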

Bridge NAT

Submenu level: /interface bridge nat

Description

This section describes bridge NAT options, which were omitted in the general firewall description.

Property Description

action (accept | arp-reply | drop | dst-nat | jump | log | mark | passthrough | redirect | return | src-nat; default: accept) – action to undertake if the packet matches the rule, one of the following:

accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed in the relevant list/chain 
arp-reply - send a reply to an ARP request (any other packets will be ignored by this rule) with the specified MAC address (only valid in dstnat chain) 
drop - silently drop the packet (without sending the ICMP reject message) 
dst-nat - change destination MAC address of a packet (only valid in dstnat chain) 
jump - jump to the chain specified by the value of the jump-target argument 
log - log the packet 
mark - mark the packet to use the mark later 
passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for ability to count packets 
redirect - redirect the packet to the bridge itself (only valid in dstnat chain) 
return - return to the previous chain, from where the jump took place 
src-nat - change source MAC address of a packet (only valid in srcnat chain) 

 

out-bridge (name) – outgoing bridge interface 

out-interface (name) – interface via which the packet is leaving the bridge 

to-arp-reply-mac-address (MAC address) – source MAC address to put in Ethernet frame and ARP payload, when action=arp-reply is selected 

to-dst-mac-address (MAC address) – destination MAC address to put in Ethernet frames, when action=dst-nat is selected 

to-src-mac-address (MAC address) – source MAC address to put in Ethernet frames, when action=src-nat is selected 

Bridge Brouting Facility

Submenu level: /interface bridge broute

Description

This section describes broute facility specific options, which were omitted in the general firewall description.

The brouting table is applied to every packet entering a forwarding enslaved interface (i.e., it does not work on regular interfaces, which are not included in a bridge).

Property Description

action (accept | drop | dst-nat | jump | log | mark | passthrough | redirect | return; default: accept) – action to undertake if the packet matches the rule, one of the following:

accept - let the bridging code decide what to do with this packet 
drop - extract the packet from the bridging code, making it appear just as if it had come from a non-bridged interface (no further bridge decisions or filters are applied to this packet, except if the packet is routed out to a bridged interface, in which case it is processed normally, just like any other routed packet) 
dst-nat - change the destination MAC address of a packet (only valid in dstnat chain), and let the bridging code decide further actions 
jump - jump to the chain specified by the value of the jump-target argument 
log - log the packet 
mark - mark the packet to use the mark later 
passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for the ability to count packets 
redirect - redirect the packet to the bridge itself (only valid in dstnat chain), and let the bridging code decide further actions 
return - return to the previous chain, from where the jump took place 

 

to-dst-mac-address (MAC address) – destination MAC address to put in Ethernet frames, when action=dst-nat is selected 

Troubleshooting

Description

  • Router shows that my rule is invalid
    • in-interface, in-bridge (or in-bridge-port) is specified, but such an interface does not exist
    • there is an action=mark-packet, but no new-packet-mark
    • there is an action=mark-connection, but no new-connection-mark
    • there is an action=mark-routing, but no new-routing-mark
