Bridge

Document revision:1.4 (Wed Feb 02 17:06:55 GMT 2005)
Applies to: V2.8

General Information

Summary

MAC level bridging of Ethernet, Ethernet over IP (EoIP), Prism, Atheros and RadioLAN interfaces is supported. 802.11b and 802.11a client wireless interfaces (in ad-hoc, infrastructure or station mode) cannot be bridged directly because of the limitations of 802.11; it is possible to bridge over them using the Ethernet over IP protocol (please see the documentation on EoIP).

To prevent loops in a network, you can use the Spanning Tree Protocol (STP). This protocol also makes redundant paths possible.

Features include:

Quick Setup Guide

To put interfaces ether1 and ether2 in a bridge:

  1. Add a bridge interface, called MyBridge:

    /interface bridge add name="MyBridge" disabled=no
  2. Add ether1 and ether2 to MyBridge interface:

    /interface bridge port set ether1,ether2 bridge=MyBridge

Specifications

Packages required: system
License required: Level4
Submenu level: /interface bridge
Standards and Technologies: Media Access Control, IEEE802.1D
Hardware usage: Not significant

Related Documents

Description

Ethernet-like networks (Ethernet, Ethernet over IP, IEEE802.11 Wireless interfaces in AP mode) can be connected together using MAC Bridges. The bridge feature allows the interconnection of stations connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN. As bridges are transparent, they do not appear in the traceroute list, and no utility can distinguish a host working in one LAN from a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary).

Additional Resources

http://ebtables.sourceforge.net/

Bridge Interface Setup

Submenu level: /interface bridge

Description

To bridge a number of networks into one bridge, create a bridge interface that groups all the bridged interfaces. One MAC address is assigned to all the bridged interfaces.

Property Description

ageing-time (time; default: 5m) - how long the host information will be kept in the bridge database

arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol setting

forward-delay (time; default: 15s) - time which is spent in listening/learning state

forward-protocols (multiple choice: ip, arp, appletalk, ipx, ipv6, other; default: ip, arp, appletalk, ipx, ipv6, other) - list of forwarded protocols
other - all other protocols than AppleTalk, ARP, IP, IPv6, or IPX, e.g., NetBEUI, VLAN, etc.

garbage-collection-interval (time; default: 4s) - how often to drop old host entries in the bridge database

mac-address (read-only: MAC address) - Media Access Control address for the interface

mtu (integer; default: 1500) - Maximum Transmission Unit

name (name; default: bridgeN) - a descriptive name of the interface

priority (integer: 0..65535; default: 32768) - bridge interface priority. The priority argument is used by the Spanning Tree Protocol to determine which port remains enabled if two (or more) ports form a loop

stp (no | yes; default: no) - whether to enable or disable the Spanning Tree Protocol

Notes

forward-protocols is a simple filter that also affects locally-destined and locally-originated packets, so if you disable the ip protocol you will not be able to communicate with the router from the bridged interfaces.

Always take care not to bridge virtual interfaces with their respective parent interfaces.

Example

To add and enable a bridge interface that will forward all the protocols:

[admin@MikroTik] interface bridge> add; print
Flags: X - disabled, R - running
 0 X  name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
      forward-protocols=ip,arp,appletalk,ipx,ipv6,other stp=no priority=32768
      ageing-time=5m forward-delay=15s garbage-collection-interval=4s
      hello-time=2s max-message-age=20s
[admin@MikroTik] interface bridge> enable 0

Port Settings

Submenu level: /interface bridge port

Description

The submenu is used to group interfaces in a particular bridge interface.

Property Description

bridge (name; default: none) - the bridge interface the respective interface is grouped in
none - the interface is not grouped in a bridge

interface (read-only: name) - interface name

path-cost (integer: 0..65535; default: 10) - path cost to the interface, used by STP to determine the 'best' path

priority (integer: 0..255; default: 128) - interface priority compared to other interfaces, which are destined to the same network

Example

To group ether1 and ether2 in the bridge1 bridge:

[admin@MikroTik] interface bridge port> set ether1,ether2 bridge=bridge1
[admin@MikroTik] interface bridge port> print
 # INTERFACE   BRIDGE PRIORITY PATH-COST
 0 ether1      bridge1   128      10
 1 ether2      bridge1   128      10
 2 wlan1       none      128      10
[admin@MikroTik] interface bridge port>

Bridge Monitoring

Command name: /interface bridge monitor

Description

Used to monitor the current status of a bridge.

Property Description

bridge-id (text) - the bridge ID, in the form bridge-priority.bridge-MAC-address

designated-root (text) - ID of the root bridge

path-cost (integer) - the total path cost to the root bridge

root-port (name) - the port through which the root bridge is reached

Example

To monitor a bridge:

[admin@MikroTik] interface bridge> monitor bridge1
          bridge-id: 32768.00:02:6F:01:CE:31
    designated-root: 32768.00:02:6F:01:CE:31
          root-port: ether2
          path-cost: 180

[admin@MikroTik] interface bridge>

Bridge Port Monitoring

Command name: /interface bridge port monitor

Description

Statistics of an interface that belongs to a bridge.

Property Description

designated-port (text) - port of designated-root bridge

designated-root (text) - ID of the bridge that is nearest to the root bridge

port-id (integer) - port ID, composed of the port priority and the port number, which is unique

status (disabled | blocking | listening | learning | forwarding) - the status of the bridge port:
disabled - the interface is disabled. No frames are forwarded, no Bridge Protocol Data Units (BPDUs) are heard
blocking - the port does not forward any frames, but listens for BPDUs
listening - the port does not forward any frames, but listens to them
learning - the port does not forward any frames, but learns the MAC addresses
forwarding - the port forwards frames, and learns MAC addresses

Example

To monitor a bridge port:

[admin@MikroTik] interface bridge port> mo 0
               status: forwarding
              port-id: 28417
      designated-root: 32768.00:02:6F:01:CE:31
    designated-bridge: 32768.00:02:6F:01:CE:31
      designated-port: 28417
      designated-cost: 0
-- [Q quit|D dump|C-z pause]

Bridge Host Monitoring

Command name: /interface bridge host

Property Description

age (read-only: time) - the time since the last packet was received from the host

bridge (read-only: name) - the bridge the entry belongs to

mac-address (read-only: MAC address) - host's MAC address

on-interface (read-only: name) - which of the bridged interfaces the host is connected to

Example

To get the active host table:

[admin@MikroTik] interface bridge host> print
Flags: L - local
   BRIDGE              MAC-ADDRESS       ON-INTERFACE       AGE
   bridge1             00:00:B4:5B:A6:58 ether1             4m48s
   bridge1             00:30:4F:18:58:17 ether1             4m50s
 L bridge1             00:50:08:00:00:F5 ether1             0s
 L bridge1             00:50:08:00:00:F6 ether2             0s
   bridge1             00:60:52:0B:B4:81 ether1             4m50s
   bridge1             00:C0:DF:07:5E:E6 ether1             4m46s
   bridge1             00:E0:C5:6E:23:25 prism1             4m48s
   bridge1             00:E0:F7:7F:0A:B8 ether1             1s
[admin@MikroTik] interface bridge host>
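The host table above is the bridge's learning database: an entry records on which port a MAC address was last seen, its age grows until ageing-time (default 5m) expires it, and the garbage collector (default every 4s) purges expired entries. The following is an added example that models that behaviour; it is not RouterOS code. The MAC addresses and interface names are constructed, and the "moved to another port" return value of learn() is this example's own addition for monitoring.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Defaults from this page: ageing-time=5m, garbage-collection-interval=4s (seconds here).
AGEING_TIME = 5 * 60
GC_INTERVAL = 4

@dataclass
class HostEntry:
    on_interface: str   # bridged port the host was last seen behind
    last_seen: float    # "age" in the print output is now - last_seen
    local: bool = False # the "L" flag: the bridge's own port address, never aged out

class BridgeFDB:
    def __init__(self, ageing_time: float = AGEING_TIME, gc_interval: float = GC_INTERVAL):
        self.ageing_time = ageing_time
        self.gc_interval = gc_interval
        self.hosts: Dict[str, HostEntry] = {}
        self.last_gc = 0.0

    def add_local(self, mac: str, iface: str) -> None:
        self.hosts[mac] = HostEntry(iface, 0.0, local=True)

    def learn(self, mac: str, iface: str, now: float) -> Optional[str]:
        """Record that mac entered via iface. Returns the previous port when the
        host appears to have moved between bridged ports, else None."""
        prev = self.hosts.get(mac)
        if prev and prev.local:
            return None   # local addresses are not relearned from received frames
        self.hosts[mac] = HostEntry(iface, now)
        return prev.on_interface if prev and prev.on_interface != iface else None

    def _expired(self, e: HostEntry, now: float) -> bool:
        return (not e.local) and now - e.last_seen > self.ageing_time

    def lookup(self, mac: str, now: float) -> Optional[str]:
        """Outgoing port for mac, or None when unknown or expired (frame is flooded)."""
        e = self.hosts.get(mac)
        return None if e is None or self._expired(e, now) else e.on_interface

    def gc(self, now: float) -> int:
        """Purge expired entries, but only once per gc_interval. Returns the count purged."""
        if now - self.last_gc < self.gc_interval:
            return 0
        self.last_gc = now
        stale = [m for m, e in self.hosts.items() if self._expired(e, now)]
        for m in stale:
            del self.hosts[m]
        return len(stale)
```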

Bridge Firewall

Submenu level: /interface bridge firewall

Description

Traffic between bridged interfaces can be filtered.

Note that packets between bridged interfaces are also passed through the 'generic' /ip firewall rules, so they can even be NATted. These rules can be used with real, physical receiving/transmitting interfaces, as well as with the bridge interface that simply groups the bridged interfaces.

Property Description

action (accept | drop | passthrough; default: accept) - action to undertake if the packet matches the rule:
accept - accept the packet. No action, i.e., the packet is passed through without undertaking any action, and no more rules are processed
drop - silently drop the packet (without sending the ICMP reject message)
passthrough - ignore this rule. Acts the same way as a disabled rule, except for ability to count packets

dst-address (IP address mask; default: 0.0.0.0/0) - destination IP address of the packet

in-interface (name; default: all) - interface the packet has entered the bridge through
all - any interface

mac-dst-address (MAC address; default: 00:00:00:00:00:00) - MAC address of the destination host

mac-protocol (all | integer; default: all) - the MAC protocol of the packet. The most widely used MAC protocols are (many others exist):
all - all MAC protocols
0x0004 - 802.2
0x0800 - IP
0x0806 - ARP
0x8035 - RARP
0x809B - AppleTalk (EtherTalk)
0x80F3 - AppleTalk Address Resolution Protocol (AARP)
0x8037 - IPX
0x8100 - VLAN
0x8137 - Novell (old) NetWare IPX (ECONFIG E option)
0x8191 - NetBEUI
0x86DD - IPv6

mac-src-address (MAC address; default: 00:00:00:00:00:00) - MAC address of the source host

out-interface (name; default: all) - interface the packet is leaving the bridge through
all - any interface

protocol (all | egp | ggp | icmp | igmp | ip-encap | ip-sec | tcp | udp | integer; default: all) - IP protocol name/number
all - match all the IP protocols

src-address (IP address mask; default: 0.0.0.0/0) - source IP address of the packet

Drop broadcast packets

[admin@MikroTik] interface bridge firewall> add mac-dst-address=FF:FF:FF:FF:FF:FF action=drop
[admin@MikroTik] interface bridge firewall> print
Flags: X - disabled, I - invalid
 0   mac-src-address=00:00:00:00:00:00 in-interface=all
     mac-dst-address=FF:FF:FF:FF:FF:FF out-interface=all mac-protocol=all
     src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all action=drop
[admin@MikroTik] interface bridge firewall>

Drop IP, ARP and RARP

To make a brouter (a router that routes routable protocols, IP in our case, and bridges unroutable ones), add rules that drop IP, ARP and RARP traffic. These protocols must be dropped in the bridge firewall rather than removed from forward-protocols, because in the latter case the router would not be able to receive IP packets itself and thus could not provide routing.

To make the bridge drop IP, ARP and RARP packets:

[admin@MikroTik] interface bridge firewall> add mac-protocol=2048 action=drop
[admin@MikroTik] interface bridge firewall> add mac-protocol=2054 action=drop
[admin@MikroTik] interface bridge firewall> add mac-protocol=32821 action=drop
[admin@MikroTik] interface bridge firewall> print
Flags: X - disabled, I - invalid
  0   mac-src-address=00:00:00:00:00:00 in-interface=all
      mac-dst-address=00:00:00:00:00:00 out-interface=all mac-protocol=2048
      src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all action=drop

  1   mac-src-address=00:00:00:00:00:00 in-interface=all
      mac-dst-address=00:00:00:00:00:00 out-interface=all mac-protocol=2054
      src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all action=drop

  2   mac-src-address=00:00:00:00:00:00 in-interface=all
      mac-dst-address=00:00:00:00:00:00 out-interface=all mac-protocol=32821
      src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all action=drop

[admin@MikroTik] interface bridge firewall>
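The bridge firewall rules above match on the Ethernet header only: mac-protocol is the frame's EtherType (2048, 2054 and 32821 are the decimal forms of 0x0800, 0x0806 and 0x8035 from the table), an all-zero MAC address means "any", accept and drop stop rule processing, and passthrough only counts. As an added example, not RouterOS code, the following parses raw Ethernet II frames and evaluates such a rule list; the frames, the rule order and the passthrough counter rule are constructed for the demonstration. It also shows that an 802.1Q-tagged frame carries EtherType 0x8100 in the outer header, so the brouter drop rules see it as "VLAN", not as IP.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY_MAC = "00:00:00:00:00:00"   # unset MAC match on this page acts as a wildcard

@dataclass
class Rule:
    action: str                         # accept | drop | passthrough
    mac_protocol: Optional[int] = None  # EtherType; None means "all"
    mac_dst_address: str = ANY_MAC
    mac_src_address: str = ANY_MAC
    packets: int = 0                    # hit counter; passthrough rules still count

def parse_ethernet(frame: bytes) -> Dict[str, object]:
    """Return dst MAC, src MAC and EtherType of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda m: ":".join(f"{b:02X}" for b in m)
    return {"dst": fmt(dst), "src": fmt(src), "etype": etype}

def evaluate(rules: List[Rule], frame: bytes) -> str:
    """First matching accept/drop rule decides; default is accept (no rule matched)."""
    hdr = parse_ethernet(frame)
    for r in rules:
        if r.mac_protocol is not None and r.mac_protocol != hdr["etype"]:
            continue
        if r.mac_dst_address != ANY_MAC and r.mac_dst_address != hdr["dst"]:
            continue
        if r.mac_src_address != ANY_MAC and r.mac_src_address != hdr["src"]:
            continue
        r.packets += 1
        if r.action != "passthrough":
            return r.action
    return "accept"

def brouter_rules() -> List[Rule]:
    """Constructed rule set: count broadcasts, then the page's IP/ARP/RARP drops."""
    return [
        Rule("passthrough", mac_dst_address="FF:FF:FF:FF:FF:FF"),
        Rule("drop", mac_protocol=2048),    # 0x0800 IP
        Rule("drop", mac_protocol=2054),    # 0x0806 ARP
        Rule("drop", mac_protocol=32821),   # 0x8035 RARP
    ]

def make_frame(dst: str, src: str, etype: int, payload: bytes = b"") -> bytes:
    """Build a constructed Ethernet II frame for testing."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack("!6s6sH", mac(dst), mac(src), etype) + payload
```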

Application Example

Example

Assume we want to enable bridging between two Ethernet LAN segments and have the MikroTik router be the default gateway for them:

When configuring the MikroTik router for bridging you should do the following:

  1. Add a bridge interface
  2. Configure the bridge interface
  3. Enable the bridge interface
  4. Assign an IP address to the bridge interface, if needed

Note that there should be no IP addresses on the bridged interfaces. Moreover, IP address on the bridge interface itself is not required for the bridging to work.

When configuring the bridge settings, each protocol that should be forwarded should be added to the forward-protocols list. The other protocol includes all protocols not listed before (such as VLAN).

[admin@MikroTik] interface bridge> add forward-protocols=ip,arp,other
[admin@MikroTik] interface bridge> print
Flags: X - disabled, R - running
 0 X  name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
      forward-protocols=ip,arp,other stp=no priority=32768 ageing-time=5m
      forward-delay=15s garbage-collection-interval=4s hello-time=2s
      max-message-age=20s
[admin@MikroTik] interface bridge>

The priority argument is used by the Spanning Tree Protocol to determine which port remains enabled if two ports form a loop.

Next, add each interface that should be included in the bridge to the bridge port table:

[admin@MikroTik] interface bridge> port
[admin@MikroTik] interface bridge port> print
 # INTERFACE BRIDGE  PRIORITY PATH-COST
 0 ether1    none    128      10
 1 ether2    none    128      10
 2 prism1    none    128      10
[admin@MikroTik] interface bridge port> set 0,1 bridge=bridge1
[admin@MikroTik] interface bridge port> print
 # INTERFACE BRIDGE  PRIORITY PATH-COST
 0 ether1    bridge1    128      10
 1 ether2    bridge1    128      10
 2 prism1    none       128      10
[admin@MikroTik] interface bridge port>

After setting some interfaces for bridging, the bridge interface should be enabled in order to start using it:

[admin@MikroTik] interface bridge> print
Flags: X - disabled, R - running
 0 X  name="bridge1" mtu=1500 arp=enabled mac-address=00:0B:6B:31:01:6A
      forward-protocols=ip,arp,other stp=no priority=32768 ageing-time=5m
      forward-delay=15s garbage-collection-interval=4s hello-time=2s
      max-message-age=20s
[admin@MikroTik] interface bridge> enable 0
[admin@MikroTik] interface bridge> print
Flags: X - disabled, R - running
 0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:0B:6B:31:01:6A
      forward-protocols=ip,arp,other stp=no priority=32768 ageing-time=5m
      forward-delay=15s garbage-collection-interval=4s hello-time=2s
      max-message-age=20s
[admin@MikroTik] interface bridge>

If you want to access the router through unnumbered bridged interfaces, it is required to add an IP address to the bridge interface:

[admin@MikroTik] ip address> add address=192.168.0.254/24 interface=bridge1
[admin@MikroTik] ip address> add address=10.1.1.12/24 interface=prism1
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   bridge1
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      prism1
[admin@MikroTik] ip address>

Note! Assigning an IP address to the bridged interfaces ether1 or ether2 makes no sense, because the actual interface will be the bridge interface to which these interfaces belong. You can check this by typing /ip address print detail

Hosts on LAN segments #1 and #2 should use IP addresses from the same network, 192.168.0.0/24, and have the default gateway set to 192.168.0.254 (the MikroTik router).

Troubleshooting

Description