Versions Compared

Old Version 87

changes.mady.by.user Serhii T.

Saved on

compared with

New Version 88

changes.mady.by.user Edgars P.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Section


Column
width49%
  1. A packet goes through the bridge NAT dst-nat chain, where MAC destination and priority can be changed, apart from that, a packet can be simply accepted, dropped, or marked;
  2. Checks whether the use-ip-firewall option is enabled in the bridge settings;
  3. Run packet through the bridge host table to make a forwarding decision. A packet that ends up being flooded (e.g. broadcast, multicast, unknown unicast traffic), gets multiplied per bridge port and then processed further in the bridge forward chain. When using vlan-filtering=yes, packets that are not allowed due to the "/interface bridge vlan" table, will be dropped at this stage.
  4. A packet goes through the bridge filter forward chain, where priority can be changed or the packet can be simply accepted, dropped, or marked;
  5. Checks whether the use-ip-firewall option is enabled in the bridge settings;
  6. A packet goes through the bridge NAT src-nat chain, where MAC source and priority can be changed, apart from that, a packet can be simply accepted, dropped, or marked;
  7. Checks whether the use-ip-firewall option is enabled in the bridge settings;


Column
width49%




Info

For RouterOS v6:
When bridge vlan-filtering is enabled, received untagged packets might get encapsulated into the VLAN header before the "DST-NAT" block, which means these packets can be filtered using the mac-protocol=vlan and vlan-encap settings. Encapsulation can happen if the outgoing interface has frame-types is set  set to admit-all or admit-only-untagged-and-priority-tagged.

Tagged packets might get decapsulated on the "BRIDGING DECISION" block, which means these packets will no longer match the mac-protocol=vlan and vlan-encap settings. Decapsulation can happen if the packet's VLAN ID matches the outgoing port's untagged VLAN membership.

For RouterOS v7 and newer:

When bridge vlan-filtering is enabled, received untagged packets might get encapsulated into the VLAN header on the "BRIDGING-DECISION" block, which means these packets can be filtered using the mac-protocol=vlan and vlan-encap settings.  Encapsulation can happen if the outgoing interface has frame-types set to admit-all or admit-only-untagged-and-priority-tagged.

Tagged packets might get decapsulated on the "BRIDGING DECISION" block, which means these packets will no longer match the mac-protocol=vlan and vlan-encap settings. Decapsulation can happen if the packet's VLAN ID matches the outgoing port's untagged VLAN membership.

...