ZAJDAN
just joined
Topic Author
Posts: 24
Joined: Wed Nov 06, 2013 1:54 pm

Firewall rules for ports in switch mode

Wed Nov 06, 2013 8:18 pm

Hi,
Will the firewall work for ports which are in switch mode? For example, blocking communication between IPs from the same subnet and so on.

Thank You
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Firewall rules for ports in switch mode

Wed Nov 06, 2013 9:00 pm

Not if the ports are set up in the switch group. Traffic between those ports is processed by the switch chip and never touches the CPU; for something to go through the firewall, it needs to go through the CPU. The closest you can get to what you are asking for is to make a bridge and assign the necessary ports to that bridge. Then in the bridge settings, check "use IP firewall".
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Firewall rules for ports in switch mode

Thu Nov 07, 2013 6:44 am

Feklar,
To clarify ... if I have ether1 as the WAN port and ether2-ether5 switched together, what is the recommended way to have traffic leaving those ports for ether1 viewed as a single entity for firewall purposes? Create a bridge and do as you suggested, or simply use the master port?

What I'm asking is something that will work using the following. Rename ether-LAN to bridge1 or to ether2 (which is a master)?

ros code

/ip firewall filter
add chain=input   action=drop   connection-state=invalid                            comment="Disallow weird packets" 
add chain=input   action=accept connection-state=new         in-interface=ether-LAN comment="Allow LAN access to the router"
add chain=input   action=accept connection-state=established                        comment=" ^^ originated from LAN"
add chain=input   action=accept connection-state=related                            comment=" ^^ originated from LAN"
add chain=input   action=drop                                                       comment="Disallow other" 
add chain=forward action=drop   connection-state=invalid                            comment="Disallow weird packets" 
add chain=forward action=accept connection-state=new         in-interface=ether-LAN comment="Allow LAN access moving through router"
add chain=forward action=accept connection-state=established                        comment=" ^^ originated from LAN"
add chain=forward action=accept connection-state=related                            comment=" ^^ originated from LAN"
add chain=forward action=drop                                                       comment="Disallow other"
 
Rudios
Forum Veteran
Posts: 972
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Firewall rules for ports in switch mode

Thu Nov 07, 2013 8:11 am

What you said is correct.
Use the rules suggested and rename ether-LAN to the correct interface.
If you have a bridge (with ports 2-5 as members), use the name of the bridge.
If you have ether2 set as master for ports 3-5, use ether2 as the interface.
 
ZAJDAN
just joined
Topic Author
Posts: 24
Joined: Wed Nov 06, 2013 1:54 pm

Re: Firewall rules for ports in switch mode

Thu Nov 07, 2013 11:59 am

OK...
and now a question:
what will torment the CPU more?
the routing or the bridging
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Firewall rules for ports in switch mode

Thu Nov 07, 2013 2:13 pm

Using a bridge will use more CPU than using the master/slave arrangement in the switch chip (which does not use the CPU).

In general, routing / layer 3 activity tends to use more CPU than bridging / layer 2 activity.
 
ZAJDAN
just joined
Topic Author
Posts: 24
Joined: Wed Nov 06, 2013 1:54 pm

Re: Firewall rules for ports in switch mode

Thu Nov 07, 2013 2:20 pm

The reason is that I want to get bigger throughput but also use firewalling.
 
becs
MikroTik Support
Posts: 499
Joined: Thu Jul 07, 2011 8:26 am

Re: Firewall rules for ports in switch mode

Thu Nov 07, 2013 3:09 pm

ZAJDAN,
Firewall rules for switched ports are available from the "switch" menu: /interface ethernet switch rule
http://wiki.mikrotik.com/wiki/Manual:Sw ... Rule_Table
Note that these rules have some restrictions depending on the switch chip.
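
To show what the switch-rule approach above looks like for the original question (blocking two hosts on the same subnet while the traffic stays in the switch chip), here is an added example that is not from the thread and not MikroTik's own documentation; the switch name, port assignments and host addresses are assumptions.

```routeros
# Added example, not from the thread. Assumptions: the switch chip is
# "switch1", ether2-ether5 are switched with ether2 as master, host A is
# 192.168.88.10 on ether3 and host B is 192.168.88.20 on ether4.
# Which matchers (IP, MAC, protocol, ports) are available depends on the
# switch chip, so check the Rule Table section for your model first.
/interface ethernet switch rule
add switch=switch1 ports=ether3 src-address=192.168.88.10/32 \
    dst-address=192.168.88.20/32 new-dst-ports="" \
    comment="drop host A -> host B inside the switch chip"
add switch=switch1 ports=ether4 src-address=192.168.88.20/32 \
    dst-address=192.168.88.10/32 new-dst-ports="" \
    comment="drop host B -> host A inside the switch chip"
# An empty new-dst-ports list means a matched frame is forwarded nowhere,
# i.e. dropped in hardware without ever reaching the CPU or /ip firewall.
# IP matchers do not catch non-IP frames such as ARP; for full isolation
# of a host, match on mac-src-address / mac-dst-address as well.
/interface ethernet switch rule print
```

Rules are evaluated per ingress port, so each direction needs its own entry on the port the sending host is plugged into.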
 
ZAJDAN
just joined
Topic Author
Posts: 24
Joined: Wed Nov 06, 2013 1:54 pm

Re: Firewall rules for ports in switch mode

Thu Nov 07, 2013 3:46 pm

Thank You
