BridgingFirewall
C (client) <--> |B| (transparent bridge) <--> S (server)
Traffic In / Out, as seen from the bridge ports:
Tx: port --> Out
Rx: port <-- In
Step 1
To add and enable a bridge interface that will forward all the protocols:
[admin@MikroTik] interface bridge> add
[admin@MikroTik] interface bridge> print
Flags: X - disabled, R - running
 1  X name="bridge2" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
      forward-protocols=ip,arp,appletalk,ipx,ipv6,other priority=1
[admin@MikroTik] interface bridge> enable 1
The index given to enable must be the one shown by print (here 1, the disabled bridge2); the bridge does not forward anything while it is flagged X.
To group ether1 and prism1 in the bridge1 bridge:
[admin@MikroTik] interface bridge port> set ether1,prism1 bridge=bridge1
[admin@MikroTik] interface bridge port> print
Flags: X - disabled
  #    INTERFACE    BRIDGE
  0    ether1       bridge1
  1    ether2       none
  2    prism1       bridge1
To get the active host table (the MAC addresses the bridge has learned and the port each was seen on; L marks the router's own addresses):
[admin@MikroTik] interface bridge host> print
Flags: L - local
  BRIDGE    MAC-ADDRESS         ON-INTERFACE    AGE
  bridge1   00:00:B4:5B:A6:58   ether1          4m48s
  bridge1   00:30:4F:18:58:17   ether1          4m50s
L bridge1   00:50:08:00:00:F5   ether1          0s
L bridge1   00:50:08:00:00:F6   ether2          0s
Bridge Settings
# list settings
/interface bridge settings> print
allow-fast-path (yes | no; Default: yes) Allows bridge fast path. Fast path is only taken while nothing inspects the frames: no bridge filter/nat rules and use-ip-firewall=no.
use-ip-firewall (yes | no; Default: no) Force bridged traffic to also be processed by the prerouting, forward and postrouting chains of the IP firewall (filter, NAT, mangle). With the default "no", frames forwarded between ports of a bridge never reach /ip firewall at all; only /interface bridge filter sees them. The setting is global, it applies to every bridge on the router.
arp (bridge interface property)
reply-only - the interface will only reply to requests originating from matching IP address/MAC address combinations that are entered as static entries in the "/ip arp" table. No dynamic entries will be stored in the "/ip arp" table, so for communication to succeed a valid static entry must already exist. This is the anti-ARP-spoofing mode: a host that changes its MAC, or a foreign MAC claiming a known IP, simply gets no answer from the router.
forward-delay (time; Default: 00:00:15)
Time which is spent during the initialization phase of the bridge interface (i.e., after router startup or enabling the interface) in listening/learning state before the bridge will start functioning normally
max-message-age (time; Default: 00:00:20)
How long to remember Hello messages received from other bridges
filter (/interface bridge filter) chains:
input - packets whose destination is the bridge itself (the router)
forward - packets traversing between ports of the same bridge
output - packets originated by the router and sent out through a bridge port
* IP-related matchers (src-address, dst-address, ip-protocol, src-port, dst-port) are only valid in a rule that also sets mac-protocol=ip; the bridge filter works on frames and does not look at the L3 header unless told which protocol it carries
external-fdb (yes | no; port setting)
Whether to use the wireless registration table to speed up bridge host learning on a wireless port (the bridge learns the client MACs from the registration table instead of waiting for frames)
edge (port setting; auto | no | no-discover | yes | yes-discover; Default: auto)
Edge ports are connected to a LAN that has no other bridges attached; an edge port skips the STP listening and learning states and goes straight to forwarding.
Discovery: the port is treated as an edge port, but as soon as the bridge detects a BPDU arriving on an edge port, the port becomes a non-edge port. Pin edge=no on uplinks where a faked "no other bridge here" must never shorten convergence.
auto-isolate (yes | no; Default: no)
Prevents an STP blocking port from erroneously moving into the forwarding state if no BPDUs are received on the bridge (e.g. because the neighbour stopped sending them).
action (bridge filter rule)
passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule, except for the ability to count packets, which makes it a cheap way to get per-protocol statistics without changing what is forwarded
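The chains, the mac-protocol=ip requirement and the passthrough action described above, put together into a transparent L2 firewall. This is an added example and not configuration from the MikroTik wiki page: it assumes the Step 1 bridge (bridge1 with ether1 on the server/upstream side and prism1 on the client side), the chain name ipv4 is my own, and 192.0.2.1 is a constructed server address to substitute. Rules are evaluated top to bottom; the first matching rule with a deciding action wins.

```routeros
# Added example (not from the wiki): transparent L2 filtering on bridge1.
# Assumed topology from Step 1: ether1 = server side, prism1 = client side.
/interface bridge filter
# passthrough never decides, it only counts: per-protocol statistics for free
add chain=forward mac-protocol=ip  action=passthrough comment="count IPv4 frames"
add chain=forward mac-protocol=arp action=passthrough comment="count ARP frames"
# ARP must cross the bridge for IPv4 to work, but the client side must not
# claim the server's address (192.0.2.1 is a constructed placeholder)
add chain=forward in-interface=prism1 mac-protocol=arp arp-src-address=192.0.2.1 \
    action=drop comment="client side must not claim the server IP"
add chain=forward mac-protocol=arp action=accept
# IPv4 is handed to a user chain; mac-protocol=ip is what makes the L3/L4
# matchers in that chain legal
add chain=forward mac-protocol=ip action=jump jump-target=ipv4
# anything else the bridge would happily "forward" (IPX, AppleTalk, IPv6, raw 802.3)
add chain=forward action=drop comment="drop non-IP/ARP frames"
# user chain ipv4: every rule repeats mac-protocol=ip because the matchers need it
add chain=ipv4 mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68 in-interface=prism1 \
    action=drop comment="no rogue DHCP server on the client side"
add chain=ipv4 mac-protocol=ip ip-protocol=tcp dst-port=23 action=log log-prefix="bridge-telnet:"
add chain=ipv4 mac-protocol=ip ip-protocol=tcp dst-port=23 action=drop comment="no telnet across the bridge"
add chain=ipv4 action=accept
# input chain: frames addressed to the router itself; keep management off the client side
add chain=input in-interface=prism1 mac-protocol=ip ip-protocol=tcp dst-port=22   action=drop comment="no SSH from clients"
add chain=input in-interface=prism1 mac-protocol=ip ip-protocol=tcp dst-port=8291 action=drop comment="no Winbox from clients"
# verify: the two passthrough counters show what really crosses the bridge,
# the drop counters show what is being stopped
/interface bridge filter print stats
```

The ARP rule only covers a client spoofing one specific server address; for a general answer combine it with arp=reply-only and static /ip arp entries on the bridge, as noted above. Adding any bridge filter rule at all takes the bridge out of fast path, so check throughput after enabling this on a busy link.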
Enable L3/4 rules (IP firewall) for bridged traffic
/interface bridge settings
set use-ip-firewall=yes
Once set, frames forwarded between bridge ports also traverse /ip firewall filter, nat and mangle and are tracked by connection tracking. They arrive there with in-interface and out-interface both equal to the bridge (bridge1), so the in-bridge-port / out-bridge-port matchers are what tell the two sides apart. Bridge fast path no longer applies while this is on.
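Stateful L3/L4 filtering of bridged traffic after the setting above, as an added example that is not part of the wiki page. It assumes the Step 1 bridge (bridge1, ether1 on the server side, prism1 on the client side); 192.0.2.10 is a constructed web server address to replace. The companion settings use-ip-firewall-for-vlan and use-ip-firewall-for-pppoe are real bridge settings that extend the same behaviour to 802.1Q-tagged and PPPoE frames, which use-ip-firewall alone does not cover.

```routeros
# Added example (not from the wiki): /ip firewall filter applied to bridged frames.
/interface bridge settings
set use-ip-firewall=yes
# tagged and PPPoE-encapsulated frames need their own switches
set use-ip-firewall-for-vlan=yes use-ip-firewall-for-pppoe=yes
/ip firewall filter
# Bridged packets show up with in-interface=out-interface=bridge1; only the
# bridge-port matchers distinguish client side (prism1) from server side (ether1).
# Connection tracking sees the flows, so stateful rules work as on a routed link.
add chain=forward in-bridge-port=prism1 out-bridge-port=ether1 \
    connection-state=established,related action=accept comment="client-initiated flows"
add chain=forward in-bridge-port=ether1 out-bridge-port=prism1 \
    connection-state=established,related action=accept comment="replies to clients"
add chain=forward in-bridge-port=prism1 connection-state=invalid action=drop
# clients may open connections only to the web server (constructed address)
add chain=forward in-bridge-port=prism1 out-bridge-port=ether1 protocol=tcp \
    dst-address=192.0.2.10 dst-port=80,443 connection-state=new action=accept
add chain=forward in-bridge-port=prism1 connection-state=new action=log log-prefix="bridge-drop:"
add chain=forward in-bridge-port=prism1 action=drop comment="everything else from the client side"
# server side may open anything towards clients; tighten if the server is untrusted
add chain=forward in-bridge-port=ether1 out-bridge-port=prism1 action=accept
# verify: these counters only move if use-ip-firewall really is on, and the
# connection table shows bridged flows like routed ones
/interface bridge settings print
/ip firewall filter print stats where chain=forward
/ip firewall connection print where dst-address~"192.0.2.10"
```

If the forward counters stay at zero while traffic clearly crosses the bridge, use-ip-firewall is still off or the packets are tagged/PPPoE and the matching extra setting is missing. Because the setting is global, every other bridge on the router now hits these forward rules too, so the port matchers above are not optional.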
=================
DOC
http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge