Bridge Interface

Document revision 1.2 (12-May-2003)
This document applies to the MikroTik RouterOS V2.7

Overview

MAC level bridging of Ethernet frames is supported on Ethernet, Ethernet over IP (EoIP), Prism, Atheros and RadioLAN interfaces. 802.11b and 802.11a wireless interfaces operating as clients (ad-hoc or infrastructure/station mode) cannot be bridged directly because of the limitations of 802.11; it is possible to bridge over them using the Ethernet over IP protocol (please see the EoIP documentation).

Features include:

Specifications

Packages required : None
License required : None
Home menu level : /interface bridge
Standards and Technologies : Media Access Control (MAC) Bridges (IEEE 802.1D)
Hardware usage : not significant

Related Documents

Software Package Installation and Upgrading
IP Addresses and Address Resolution Protocol (ARP)
EoIP (Ethernet over IP) Tunnel Interface
Packet Filter (Firewall) and NAT (Network Address Translation)

Description

Ethernet-like networks (Ethernet, Ethernet over IP, IEEE802.11 wireless interfaces in AP mode) can be connected together using MAC bridges. The bridge feature allows stations connected to separate LANs to communicate as if they were attached to a single LAN (using EoIP, geographically distributed networks can be bridged as well, provided some kind of IP interconnection exists between them). Because bridges are transparent, they do not appear in traceroute output, and no utility can distinguish a host on one LAN from a host on another LAN once these LANs are bridged (depending on how the LANs are interconnected, latency and data rate between hosts may vary).

Bridge Interface Setup

Submenu level : /interface bridge

Description

To bridge a number of networks into one bridge, a bridge interface should be created, that will group all the bridged interfaces. One MAC address will be assigned to all the bridged interfaces.

Note that you may only assign IP addresses to the bridge interface (the one created in this submenu), not to the bridged interfaces (the ones grouped in the bridge).

Property Description

name (name; default: bridgeN) - a descriptive name of the interface
mtu (integer; default: 1500) - Maximum Transmission Unit
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol setting
mac-address (read-only: MAC address) - Media Access Control address for the interface
forward-protocols (multiple choice: ip, arp, appletalk, ipx, ipv6, other; default: ip,arp,appletalk,ipx,ipv6,other) - list of forwarded protocols.
  • other - all other protocols than appletalk, arp, ip, ipv6, or ipx, e.g., netbeui, vlan, etc.
priority (integer: 0..65535; default: 1) - bridge interface priority. The priority is used by the Spanning Tree Protocol to determine which port remains enabled if two ports form a loop

    Notes

    forward-protocols is a simple filter that also affects locally destined and locally originated packets. If you remove ip from the list, hosts on the bridged interfaces will no longer be able to communicate with the router itself, including its management services.

    Example

    To add and enable a bridge interface that will forward all the protocols:
    [admin@MikroTik] interface bridge> add
    [admin@MikroTik] interface bridge> print
    Flags: X - disabled, R - running
      1 X  name="bridge2" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
           forward-protocols=ip,arp,appletalk,ipx,ipv6,other priority=1
    
    [admin@MikroTik] interface bridge> enable 0
    

    Port Settings

    Submenu level : /interface bridge port

    Description

    The submenu is used to group interfaces in a particular bridge interface.

    Property Description

    interface (read-only: name) - interface name
    bridge (name; default: none) - the bridge interface the respective interface is grouped in
  • none - the interface is not grouped

    Example

    To group ether1 and prism1 in the bridge1 bridge:
    [admin@MikroTik] interface bridge port> set ether1,prism1 bridge=bridge1
    [admin@MikroTik] interface bridge port> print
    Flags: X - disabled
      #   INTERFACE BRIDGE
      0   ether1    bridge1
      1   ether2    none
      2   prism1    bridge1
    
    [admin@MikroTik] interface bridge port>
    

    Bridge Monitoring

    Submenu level : /interface bridge host

    Property Description

    bridge (read-only: name) - the bridge the entry belongs to
    mac-address (read-only: MAC address) - host's MAC address
    on-interface (read-only: name) - which of the bridged interfaces the host is connected to
    age (read-only: time) - the time since the last packet received from the host

    Example

    To get the active host table:
    [admin@MikroTik] interface bridge host> print
    Flags: L - local
       BRIDGE              MAC-ADDRESS       ON-INTERFACE       AGE
       bridge1             00:00:B4:5B:A6:58 ether1             4m48s
       bridge1             00:30:4F:18:58:17 ether1             4m50s
     L bridge1             00:50:08:00:00:F5 ether1             0s
     L bridge1             00:50:08:00:00:F6 ether2             0s
       bridge1             00:60:52:0B:B4:81 ether1             4m50s
       bridge1             00:C0:DF:07:5E:E6 ether1             4m46s
       bridge1             00:E0:C5:6E:23:25 prism1             4m48s
       bridge1             00:E0:F7:7F:0A:B8 ether1             1s
    [admin@MikroTik] interface bridge host>
    

    Bridge Firewall

    Submenu level : /interface bridge firewall

    Description

    Traffic between bridged interfaces can be filtered.

    Note that packets between bridged interfaces also pass through the 'generic' /ip firewall rules, so they can even be NATted. Those rules can match on the real, physical receiving/transmitting interfaces as well as on the bridge interface that groups them.

    Property Description

    mac-src-address (MAC address; default: 00:00:00:00:00:00)- MAC address of the source host
    in-interface (name; default: all) - interface the packet has entered the bridge through
  • all - any interface
    mac-dst-address (MAC address; default: 00:00:00:00:00:00)- MAC address of the destination host
    out-interface (name; default: all) - interface the packet is leaving the bridge through
  • all - any interface
    mac-protocol (all | integer; default: all) - the MAC protocol of the packet, given as the EtherType value in decimal. The most widely used ones are listed below (many others exist):
  • all - all the MAC protocols
  • 2048 - IP
  • 2054 - ARP
  • 32821 - RARP
  • 32823 - IPX
  • 32923 - AppleTalk (EtherTalk)
  • 33011 - AppleTalk Address Resolution Protocol (AARP)
  • 33169 - NetBEUI
  • 34525 - IPv6
    src-address (IP address/netmask; default: 0.0.0.0) - source IP address of the packet
    dst-address (IP address/netmask; default: 0.0.0.0) - destination IP address of the packet
    protocol (all | egp | ggp | icmp | igmp | ip-encap | ip-sec | tcp | udp | integer; default: all) - IP protocol name/number
  • all - match all the IP protocols
    action (accept | drop | passthrough; default: accept) - action to undertake if the packet matches the rule:
  • accept - accept the packet: it is passed on without modification and no further rules are processed
  • drop - silently drop the packet (without sending the ICMP reject message)
  • passthrough - ignore this rule. Acts the same way as a disabled rule, except for ability to count packets

    Example

    To make a brouter (a router that routes routable protocols, IP in our case, and bridges unroutable ones), add rules that drop IP, ARP and RARP traffic. These protocols have to be dropped in the bridge firewall, not removed from forward-protocols: in the latter case the router itself would no longer receive IP packets on the bridged interfaces, and thus could not route them.

    To make the bridge drop IP, ARP and RARP packets:

    [admin@MikroTik] interface bridge firewall> add mac-protocol=2048 action=drop
    [admin@MikroTik] interface bridge firewall> add mac-protocol=2054 action=drop
    [admin@MikroTik] interface bridge firewall> add mac-protocol=32821 action=drop
    [admin@MikroTik] interface bridge firewall> print
    Flags: X - disabled, I - invalid
      0   mac-src-address=00:00:00:00:00:00 in-interface=all
          mac-dst-address=00:00:00:00:00:00 out-interface=all mac-protocol=2048
          src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all action=drop
    
      1   mac-src-address=00:00:00:00:00:00 in-interface=all
          mac-dst-address=00:00:00:00:00:00 out-interface=all mac-protocol=2054
          src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all action=drop
    
      2   mac-src-address=00:00:00:00:00:00 in-interface=all
          mac-dst-address=00:00:00:00:00:00 out-interface=all mac-protocol=32821
          src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all action=drop
    
    [admin@MikroTik] interface bridge firewall>
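
The following Python model is an added illustration written for this page, not RouterOS source. It replays the brouter rules above against constructed Ethernet frames, shows the caveat from the forward-protocols Notes (removing ip also cuts off traffic to the router itself, whereas a bridge firewall drop only affects forwarded frames), and keeps a learning host table like the one printed under Bridge Monitoring. The MAC addresses are taken from the outputs on this page; the 300-second ageing timeout is an assumption of the model, not a value this page documents.

```python
"""Toy model of the RouterOS 2.7 bridge described on this page (added example, not
RouterOS code).  It models the forward-protocols filter, which is applied to every
frame entering the bridge including frames for the router itself, the bridge firewall,
where the first matching rule decides and passthrough only counts, and the learning
host table behind '/interface bridge host print'.  MACs and frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

# EtherType values in decimal, as the bridge firewall's mac-protocol expects them
ETHERTYPE = {"ip": 2048, "arp": 2054, "rarp": 32821, "ipx": 32823,
             "appletalk": 32923, "ipv6": 34525}
DEFAULT_FORWARD = ("ip", "arp", "appletalk", "ipx", "ipv6", "other")
BROADCAST = b"\xff" * 6

def mac(text):
    return bytes(int(octet, 16) for octet in text.split(":"))

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def forward_class(ethertype):
    """Map an EtherType onto a forward-protocols keyword; RARP, AARP, VLAN etc. are 'other'."""
    for name in ("ip", "arp", "appletalk", "ipx", "ipv6"):
        if ETHERTYPE[name] == ethertype:
            return name
    return "other"

def frame(dst, src, ethertype, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame (constructed test data)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload

@dataclass
class Rule:
    """One /interface bridge firewall rule; None stands for 'all'."""
    mac_protocol: Optional[int] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    action: str = "accept"
    packets: int = 0

    def matches(self, ethertype, in_if, out_if):
        wanted = ((self.mac_protocol, ethertype), (self.in_interface, in_if), (self.out_interface, out_if))
        return all(want is None or want == have for want, have in wanted)

class Bridge:
    AGE_LIMIT = 300  # seconds of silence before a learned host expires (assumed value)

    def __init__(self, ports, local_mac, forward_protocols=DEFAULT_FORWARD, rules=()):
        self.ports, self.local_mac = list(ports), local_mac
        self.forward_protocols, self.rules = set(forward_protocols), list(rules)
        self.hosts, self.now = {}, 0  # learned MAC -> (interface, last seen); simulated clock

    def firewall(self, ethertype, in_if, out_if):
        for rule in self.rules:
            if rule.matches(ethertype, in_if, out_if):
                rule.packets += 1
                if rule.action != "passthrough":   # passthrough is counted, evaluation continues
                    return rule.action             # accept or drop ends processing
        return "accept"                            # no rule matched

    def receive(self, in_if, raw):
        dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
        # forward-protocols is applied first, so it also stops frames addressed to
        # the router itself (the caveat in the Notes above).
        if forward_class(ethertype) not in self.forward_protocols:
            return ("dropped", "forward-protocols")
        self.hosts[src] = (in_if, self.now)        # learn the sender's port
        if dst == self.local_mac:
            return ("local", in_if)                # to the router's own IP stack; no bridge firewall
        known = self.hosts.get(dst)
        outs = [known[0]] if known else [p for p in self.ports if p != in_if]  # unicast or flood
        accepted = [o for o in outs if self.firewall(ethertype, in_if, o) == "accept"]
        return ("forwarded", accepted)

    def host_table(self):
        """Rows like '/interface bridge host print': (MAC, on-interface, age); stale entries expire."""
        self.hosts = {m: v for m, v in self.hosts.items() if self.now - v[1] <= self.AGE_LIMIT}
        return sorted((mac_str(m), iface, self.now - seen) for m, (iface, seen) in self.hosts.items())

def brouter_demo():
    """Replay the brouter example: IP/ARP/RARP dropped by the bridge firewall, IPX still bridged."""
    router = mac("00:50:08:00:00:F5")
    host_a, host_b = mac("00:00:B4:5B:A6:58"), mac("00:E0:C5:6E:23:25")
    rules = [Rule(mac_protocol=ETHERTYPE[p], action="drop") for p in ("ip", "arp", "rarp")]
    br = Bridge(["ether1", "ether2", "prism1"], router, rules=rules)
    out = {"ip-to-router": br.receive("ether1", frame(router, host_a, ETHERTYPE["ip"])),
           "ip-bridged": br.receive("ether1", frame(host_b, host_a, ETHERTYPE["ip"])),
           "arp-bridged": br.receive("ether1", frame(BROADCAST, host_a, ETHERTYPE["arp"])),
           "ipx-bridged": br.receive("prism1", frame(BROADCAST, host_b, ETHERTYPE["ipx"]))}
    br.now += 288                                  # let the clock run, as the AGE column does
    out["ipx-reply"] = br.receive("ether1", frame(host_b, host_a, ETHERTYPE["ipx"]))
    out["hosts"], out["rule-counters"] = br.host_table(), [r.packets for r in rules]
    return out

def management_lockout_demo():
    """The Notes caveat: removing ip from forward-protocols also cuts the router off from its LAN."""
    router, host_a = mac("00:50:08:00:00:F5"), mac("00:00:B4:5B:A6:58")
    br = Bridge(["ether1", "ether2"], router, forward_protocols=("arp", "other"))
    return br.receive("ether1", frame(router, host_a, ETHERTYPE["ip"]))
```

In brouter_demo the IP frame addressed to the router's own MAC is delivered locally, while IP and ARP frames to other hosts are flooded and then dropped on every egress port by the bridge firewall (the rule counters show two hits each); the IPX broadcast is bridged, and once the sender is learned the reply is sent only to prism1. management_lockout_demo shows why the page tells you to drop IP in the bridge firewall rather than in forward-protocols: with ip removed from the list, even a frame for the router itself never reaches it.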
    

    Application Example

    Assume we want to enable bridging between two Ethernet LAN segments and have the MikroTik router be the default gateway for them.

    When configuring the MikroTik router for bridging you should do the following:

    1. Add bridge interface
    2. Configure the bridge interface
    3. Enable the bridge interface
    4. Assign an IP address to the bridge interface, if needed

    Note that there should be no IP addresses on the bridged interfaces. Moreover, an IP address on the bridge interface itself is not required for bridging to work.

    When configuring the bridge settings, each protocol that should be forwarded has to be added to the forward-protocols list. The other entry covers every protocol not named in the list (VLAN-tagged frames, for example).

    [admin@MikroTik] interface bridge> add forward-protocols=ip,arp,other
    [admin@MikroTik] interface bridge> print
    Flags: X - disabled, R - running
      0 X  name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
           forward-protocols=ip,arp,other priority=1
    
    [admin@MikroTik] interface bridge>
    
    The priority argument is used by the Spanning Tree Protocol to determine, which port remains enabled if two ports form a loop.

    Next, assign each interface that should be bridged to the bridge in the port table:

    [admin@MikroTik] interface bridge port> print
    Flags: X - disabled
      #   INTERFACE                            BRIDGE
      0   ether1                               none
      1   ether2                               none
      2   ether3                               none
      3   prism1                               none
    [admin@MikroTik] interface bridge port> set "0,1" bridge=bridge1
    [admin@MikroTik] interface bridge port> print
    Flags: X - disabled
      #   INTERFACE                            BRIDGE
      0   ether1                               bridge1
      1   ether2                               bridge1
      2   ether3                               none
      3   prism1                               none
    [admin@MikroTik] interface bridge port>
    

    After assigning interfaces to the bridge, the bridge interface has to be enabled before it starts working:

    [admin@MikroTik] interface bridge> print
    Flags: X - disabled, R - running
      0 X  name="bridge1" mtu=1500 arp=enabled mac-address=00:50:08:00:00:F5
           forward-protocols=ip,arp,other priority=1
    
    [admin@MikroTik] interface bridge> enable 0
    [admin@MikroTik] interface bridge> print
    Flags: X - disabled, R - running
      0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:50:08:00:00:F5
           forward-protocols=ip,arp,other priority=1
    
    [admin@MikroTik] interface bridge>
    

    If you want to access the router through unnumbered bridged interfaces, it is required to add an IP address to the bridge interface:

    [admin@MikroTik] ip address> add address=192.168.0.254/24 interface=bridge1
    [admin@MikroTik] ip address> add address=10.1.1.12/24 interface=prism1
    [admin@MikroTik] ip address> print
    Flags: X - disabled, I - invalid, D - dynamic
      #   ADDRESS            NETWORK         BROADCAST       INTERFACE
      0   192.168.0.254/24   192.168.0.0     192.168.0.255   bridge1
      1   10.1.1.12/24       10.1.1.0        10.1.1.255      prism1
    [admin@MikroTik] ip address>
    

    Note! Assigning an IP address to the bridged interfaces ether1 or ether2 makes no sense. Thus, when you add an interface to a bridge, move its IP address to the bridge interface at the same time!

    Hosts on LAN segments #1 and #2 should use IP addresses from the same network 192.168.0.0/24 and have the default gateway set to 192.168.0.254 (MikroTik router).

    Additional Bridge Firewall Resources

    Links for Bridge Firewall documentation:

    http://users.pandora.be/bart.de.schuymer/ebtables/br_fw_ia/br_fw_ia.html

    Troubleshooting


    © Copyright 1999-2002, MikroTik