Sorry for the minimalist approach, it is not really a question with regard to my own config, although I reference it.
It was more a question with regard to how VLAN interfaces attached to bridges work.
As I was experimenting with switching from the VLAN interface to the bridge attached to it in my RAW rules, and it broke my config.
So I am wondering how the bridges and VLAN interfaces relate to each other.
If you believe it not to be that but rather something else I'll gladly pay the config tax so as not to be disrespectful of your time and support:
Code:
# 2024-03-03 17:24:23 by RouterOS 7.14
# software id = 1P1E-2RD2
#
# model = RB952Ui-5ac2nD
# serial number = <obfuscated>
/interface bridge
add ingress-filtering=no name=MBR port-cost-mode=short pvid=24 \
    vlan-filtering=yes
/interface wireless
set [ find default-name=wlan2 ] country=sweden disabled=no frequency=auto \
    installation=indoor mode=ap-bridge ssid=Iovis
/interface vlan
add interface=MBR name=MVLAN vlan-id=24
/interface list
add name=LAN
add name=WLAN
add name=Master
add name=Upstream
add comment="Bridge/All Ports" name=APAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=IoTsec \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] country=sweden disabled=no frequency=auto \
    installation=indoor mode=ap-bridge security-profile=IoTsec ssid=Vesta
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=MBR frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan2 internal-path-cost=10 path-cost=10 pvid=48
add bridge=MBR frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan1 internal-path-cost=10 path-cost=10 pvid=66
add bridge=MBR frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 internal-path-cost=10 path-cost=10 pvid=69
add bridge=MBR frame-types=admit-only-vlan-tagged interface=ether1 \
    internal-path-cost=10 path-cost=10 pvid=24
add bridge=MBR frame-types=admit-only-untagged-and-priority-tagged interface=\
    LAN internal-path-cost=10 path-cost=10 pvid=69
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict
/interface bridge vlan
add bridge=MBR tagged=MBR,ether1 vlan-ids=24
add bridge=MBR tagged=ether1 untagged=wlan2 vlan-ids=48
add bridge=MBR tagged=ether1 untagged=wlan1 vlan-ids=66
add bridge=MBR tagged=ether1 untagged=ether2,ether3,ether4,ether5 vlan-ids=69
/interface list member
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=WLAN
add interface=wlan1 list=WLAN
add interface=MVLAN list=Master
add interface=MBR list=APAN
add interface=ether1 list=Upstream
/ip address
add address=192.168.7.13/24 interface=MVLAN network=192.168.7.0
/ip cloud
set update-time=no
/ip dns
set servers=10.0.69.10
/ip firewall address-list
add address=192.168.7.10-192.168.7.254 list=MAddrList
add address=192.168.7.0/24 list=LANAddrList
add address=10.0.48.0/24 list=LANAddrList
add address=10.0.66.0/24 list=LANAddrList
add address=10.0.69.0/24 list=LANAddrList
add address=192.168.7.10-192.168.7.254 list=VLAddrList
add address=10.0.48.10-10.0.48.254 list=VLAddrList
add address=10.0.66.10-10.0.66.254 list=VLAddrList
add address=10.0.69.10-10.0.69.254 list=VLAddrList
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "Default Config::Established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment=Invalid connection-state=invalid log=yes \
    log-prefix=Invalid
add action=drop chain=input comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=APAN \
    log=yes log-prefix=LAN!LAN src-address-list=!LANAddrList
add action=accept chain=input comment="Allow VLAN" in-interface-list=APAN \
    src-address-list=LANAddrList
add action=accept chain=input in-interface=MVLAN src-address-list=MAddrList
add action=drop chain=input
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface-list=APAN \
    log=yes log-prefix=LAN!LAN src-address-list=!LANAddrList
add action=accept chain=forward comment="Allow All from MVLAN" in-interface=\
    MVLAN src-address-list=MAddrList
add action=accept chain=forward comment="Allow Upstream" in-interface-list=\
    APAN out-interface-list=Upstream src-address-list=VLAddrList
add action=drop chain=forward
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from Upstream" dst-address-list=\
    !LANAddrList in-interface-list=Upstream
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=APAN \
    src-address-list=!LANAddrList
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from VLAN" in-interface-list=Master
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.7.1 routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet address=192.168.7.0/24 disabled=yes
set ftp disabled=yes
set www address=192.168.7.0/24 disabled=yes
set ssh address=192.168.7.0/24
set api disabled=yes
set winbox address=192.168.7.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::1/128 comment="defconf: Io" list=bad_ipv6
add address=fec0::/10 comment="::defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="::defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="::defconf: ipv4 compat" list=bad_ipv6
add address=2001:db8::/32 comment="::defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="::defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="::defconf: 6bone" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "::defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="::drop invalid" connection-state=invalid \
    log=yes log-prefix=ipv6,invalid
add action=drop chain=input log-prefix=IPV6
add action=accept chain=forward comment=\
    "::defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=drop chain=forward
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=APAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \
    hop-limit=not-equal:255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
    icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
    2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
    3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
    4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
    icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
    icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
    icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
    icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
    icmpv6
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=Helios
/system leds settings
set all-leds-off=after-1min
/system note
set note="A note for the mikrotik forums."
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Statistics: Posted by Xaesar — Wed Mar 06, 2024 2:46 pm