Bridging #

Within this section we will:

  • Examine the fundamentals of “bridging”, laying out more clearly what this function is within our network.
  • Familiarize with Mikrotik RouterOS management/configuration idiosyncrasies

Fundamentals #


  • What is a bridge (Switch)? Why is it a special purpose computer?
  • Serial Console/RS-232
  • Bridging
  • VLAN(s), tagging, untagging, and filtering
  • Wireless Standards and planning
  • Port Security

Serial Console #

The serial console is an extremely useful but archaic technology that facilitates out of bound access to devices. In the case of these hardwares (CRS312-4C+8XG-RM, and CRS328-24P-4S+RM) each have a “console” port that you can use to control them directly (without requiring network access). This is an useful technique if you:

  • need to control the early boot of the system
  • have mucked up your networking (likely mis-configuring this device) and want to fix it

You can connect the FW6D to each of these devices with a “USB Rollover FTDI Cable” which has an FTDI chip that converts RS-232 to USB signals. Connecting to the FW6D via these console cables allows you to feel more confidence in remotely managing these devices.

Single Line Diagram #

It’s common to communicate how something is connected via a SLD, or, One Wire, or One-Line Diagram.

We will wire the devices up in the following way:

graph TD ISP == CAT6A === router router[FW6D] == CAT6A === crs328[CRS328-24P-4S+RM] router == CONSOLE === crs328 crs328 == CAT6A === ap[cAP XL ac]

Now let’s start using the console to configure devices:

[root@router ~]# ls /dev/ | grep ttyU

You can use screen to access each of the devices:

[root@router ~]# screen /dev/ttyUSB0 115200

Hit enter to change the screen input, the default login for the Mikrotik devices is admin with no password.

To exit the screen session you type CTRL+A, K

Wired Bridging #

We configure the switch, via console, so we do not have to worry about ensuring we maintain connection to the device.

[root@router ~]# screen /dev/ttyUSB0 115200

We first fully reset the device:

[admin@mikrotik] > /system/reset-configuration no-defaults=yes

We set the identity of the system:

[admin@mikrotik] > /system identity set name=core

We construct a bridge:

[admin@core] > /interface bridge
add admin-mac=[/interface/ethernet/get value-name=mac-address ether1] \
    auto-mac=no dhcp-snooping=yes frame-types=admit-only-vlan-tagged \
    igmp-snooping=yes name=BRIDGE priority=0 vlan-filtering=yes
  • set the bridge mac from the first port on the device
  • turn off auto-mac
  • turn on DHCP Snooping
  • turn on IGMP Snooping
  • We set the priority of the bridge to 0, this is to uniquely identify the “root bridge” in STP.
  • only allow VLAN tagged frames
  • turn on vlan-filtering which enables VLAN functionality for the bridge.

We define some VLAN(s):

/interface vlan
add interface=BRIDGE name=MANAGEMENT vlan-id=220
add interface=BRIDGE name=LAB vlan-id=222
add interface=BRIDGE name=HOME vlan-id=224
add interface=BRIDGE name=GUESTS vlan-id=226
add interface=BRIDGE name=THINGS vlan-id=228

We define some Interface Lists:


  • Explain how Interface Lists can save time
[admin@core] > /interface list
add name=LIST-LAB
add name=LIST-HOME
add name=LIST-GUESTS
add name=LIST-THINGS

We add interfaces to those Lists:

[admin@core] > /interface list member
add interface=ether1 list=LIST-HOME
add interface=ether2 list=LIST-HOME
add interface=ether3 list=LIST-HOME
add interface=ether4 list=LIST-HOME
add interface=ether5 list=LIST-HOME
add interface=ether6 list=LIST-HOME
add interface=ether7 list=LIST-HOME
add interface=ether8 list=LIST-HOME
add interface=ether9 list=LIST-HOME
add interface=ether10 list=LIST-HOME
add interface=ether11 list=LIST-HOME
add interface=ether12 list=LIST-HOME
add interface=ether13 list=LIST-HOME
add interface=ether14 list=LIST-HOME
add interface=ether15 list=LIST-HOME
add interface=ether16 list=LIST-HOME
add interface=ether17 list=LIST-LAB
add interface=ether18 list=LIST-LAB
add interface=ether19 list=LIST-LAB
add interface=ether20 list=LIST-LAB
add interface=ether21 list=LIST-MANAGEMENT
add interface=ether22 list=LIST-MANAGEMENT

We now add interfaces to the bridge:

[admin@core] > /interface bridge port 
add bridge=BRIDGE comment="LINK-ROUTER" frame-types=admit-only-vlan-tagged interface=ether23 trusted=yes
add bridge=BRIDGE comment="LINK-WIRELESS" frame-types=admit-only-vlan-tagged interface=ether24
add bridge=BRIDGE comment="LINK-SERVER" frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bpdu-guard=yes bridge=BRIDGE comment="MANAGEMENT INTERFACES" frame-types=admit-only-untagged-and-priority-tagged interface=LIST-MANAGEMENT pvid=220
add bpdu-guard=yes bridge=BRIDGE comment="LAB INTERFACES" frame-types=admit-only-untagged-and-priority-tagged interface=LIST-HOME pvid=222
add bpdu-guard=yes bridge=BRIDGE comment="HOME INTERFACES" frame-types=admit-only-untagged-and-priority-tagged interface=LIST-HOME pvid=224
add bpdu-guard=yes bridge=BRIDGE comment="GUEST INTERFACES" frame-types=admit-only-untagged-and-priority-tagged interface=LIST-GUESTS pvid=226
add bpdu-guard=yes bridge=BRIDGE comment="THINGS INTERFACES" frame-types=admit-only-untagged-and-priority-tagged interface=LIST-THINGS pvid=228


  • Explain what is happening

We now express what ports should allow tagged frames to pass:

[admin@core] > /interface bridge vlan
add bridge=BRIDGE tagged=BRIDGE,ether23,ether24,sfp-sfpplus1 vlan-ids=220
add bridge=BRIDGE tagged=BRIDGE,ether23,ether24,sfp-sfpplus1 vlan-ids=222
add bridge=BRIDGE tagged=BRIDGE,ether23,ether24,sfp-sfpplus1 vlan-ids=224
add bridge=BRIDGE tagged=BRIDGE,ether23,ether24,sfp-sfpplus1 vlan-ids=226
add bridge=BRIDGE tagged=BRIDGE,ether23,ether24,sfp-sfpplus1 vlan-ids=228


  • Explain what is happening

We now set the system time zone so that NTP can eventually synchronize time:

[admin@core] > /system clock set time-zone-autodetect=no time-zone-name=America/Detroit
[admin@core] > /system ntp client set enabled=yes

We now will add a DHCP client to the management interface, this effectively allows for an address to be assigned to the bridge management interface:

[admin@core] > /ip dhcp-client add interface=MANAGEMENT disabled=no


  • Check this, show diagnostic printout

We now turn off services we don’t plan to use on the switch, effectively “hardening” the device by reducing the attack surface:

[admin@core] > /ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh set strong-crypto=yes 

We now can check for updates:

[admin@core] > /system package update check-for-updates 
            channel: stable
  installed-version: 6.48.3
     latest-version: 6.48.4
             status: New version is available

Install them if they are available:

[admin@core] > /system package update install 

To update to RouterOS 7 you have to set the upgrade channel:

[admin@core] > /system package update set channel=upgrade 
[admin@core] > /system package update install 

You now have your first fully configured network bridge running on specialized hardware and passing frames real fast!

Wireless Bridging #

Spectrum & Standards #


  • 2.4
  • 5
  • other, like LTE, LORA
  • AC/AX

Planning #


  • Good initial rules
  • Tools, like wifiman for walk around analysis



  • configure CAPsMAN
  • “reset start” your first Audience device
  • see if CAPsMAN works with force tagged frames
  • show how to set specific channels for specific CAPs