jkohan

RB1000 (3.13, 3.17) not honouring (in/out)-bridge-port= ?

Sat Dec 20, 2008 4:07 am

Does someone have reports of in-bridge-port= and out-bridge-port= being ignored in RB1000s?

I have a configuration where I use VLANs on ether1 and a bridge between them, and another bridge between ether3 and ether4. Internet is connected to ether4, so I'm trying to classify traffic entering or leaving my ISP using that, but the rules seem to ignore the bridge port used.

If it is a misconfiguration, can someone point out where I'm mistaken?

Thanks a lot.

My configuration (the relevant part) is:



  MikroTik RouterOS 3.13 (c) 1999-2008       http://www.mikrotik.com/

[admin@MyISP-Master] > /interface bridge port pri 
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE              BRIDGE              PRIORITY PATH-COST  HORIZON   
 0    vlan2                  puenteDistribCiu... 0x80     10         none      
 1    vlan3                  puenteDistribCiu... 0x80     10         none      
 2    vlan4                  puenteDistribCiu... 0x80     10         none      
 3 I  ether3                 puenteServsInet     0x80     10         none      
 4    ether4                 puenteServsInet     0x80     10         none      
 5    vlan7                  puenteServsInet     0x80     10         none     

[admin@MyISP-Master] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;;
     chain=prerouting action=change-dscp new-dscp=0 

 1 X ;;;
     chain=prerouting action=add-src-to-address-list p2p=all-p2p 
     src-address-list=!Todo MyISP address-list=ListaNegraP2P 
     address-list-timeout=6h 

 2 X ;;;
     chain=prerouting action=add-dst-to-address-list p2p=all-p2p 
     dst-address-list=!Todo MyISP address-list=ListaNegraP2P 
     address-list-timeout=6h 

 3 X ;;;
     chain=prerouting action=mark-packet new-packet-mark=Basura-Exp 
     passthrough=yes dst-address-list=ListaNegraP2P 

 4 X ;;;
     chain=prerouting action=mark-packet new-packet-mark=Basura-Exp 
     passthrough=yes src-address-list=ListaNegraP2P 

 5   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Basura 
     passthrough=no p2p=all-p2p connection-state=new 

 6   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Basura 
     passthrough=no p2p=all-p2p connection-state=related 

 7   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Basura 
     passthrough=no p2p=all-p2p 

 8   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Interesante 
     passthrough=no p2p=!all-p2p connection-state=new 
     dst-port=21,22,23,25,53,80,110,143,443 protocol=tcp 

 9   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Interesante 
     passthrough=no p2p=!all-p2p connection-state=new 
     dst-port=993,995,1863,3128,5050,5190,5222,8291 protocol=tcp 

10   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Interesante 
     passthrough=no connection-state=new connection-type=pptp 

11   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Interesante 
     passthrough=no connection-state=new protocol=ipsec-esp 

12   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Interesante 
     passthrough=no connection-state=new protocol=ipsec-ah 

13   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Interesante 
     passthrough=no connection-state=new protocol=gre 

14   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Prioritario 
     passthrough=no connection-state=new connection-type=sip 

15   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Prioritario 
     passthrough=no connection-state=related connection-type=sip 

16   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Prioritario 
     passthrough=no connection-state=new connection-type=h323 

17   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Prioritario 
     passthrough=no connection-state=related connection-type=h323 

18   ;;;
     chain=prerouting action=mark-connection new-connection-mark=Prioritario 
     passthrough=no connection-state=new protocol=icmp 

19   ;;;
     chain=forward action=mark-packet new-packet-mark=TraficoLocal 
     passthrough=no in-bridge-port=!ether4 out-bridge-port=!ether4 

20   ;;;
     chain=forward action=mark-packet new-packet-mark=SInteresante 
     passthrough=no src-address-list=Servidores in-bridge-port=ether3 
     out-bridge-port=ether4 

21 X ;;;
     chain=forward action=log in-bridge-port=ether3 log-prefix="orig_srv" 

22   ;;;
     chain=forward action=mark-packet new-packet-mark=BInteresante 
     passthrough=no src-address-list=!Todo MyISP dst-address-list=Servidores 
     in-bridge-port=ether4 out-bridge-port=ether3 

23   ;;;
     chain=forward action=mark-packet new-packet-mark=BPrioritaria 
     passthrough=no connection-mark=Prioritario in-bridge-port=ether4 

24   ;;;
     chain=forward action=mark-packet new-packet-mark=SPrioritaria 
     passthrough=no connection-mark=Prioritario out-bridge-port=ether4 

25   ;;;
     chain=forward action=mark-packet new-packet-mark=BInteresante 
     passthrough=no connection-mark=Interesante in-bridge-port=ether4 

26   ;;;
     chain=forward action=mark-packet new-packet-mark=SInteresante 
     passthrough=no connection-mark=Interesante out-bridge-port=ether4 

27   ;;;
     chain=forward action=mark-packet new-packet-mark=BBasura passthrough=no 
     connection-mark=Basura in-bridge-port=ether4 

28   ;;;
     chain=forward action=mark-packet new-packet-mark=SBasura passthrough=no 
     connection-mark=Basura out-bridge-port=ether4 

29   ;;;
     chain=forward action=mark-packet new-packet-mark=BOmision passthrough=no 
     connection-state=new in-bridge-port=ether4 

30   ;;;
     chain=forward action=mark-packet new-packet-mark=SOmision passthrough=no 
     connection-state=new out-bridge-port=ether4 

[admin@MyISP-Master] > /interface print 
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                              TYPE             MTU  
 0  R  ;;;
       ether1                                            ether            1500 
 1  X  ether2                                            ether            1500 
 2     ;;;
       ether3                                            ether            1500 
 3  R  ;;;
       ether4                                            ether            1500 
 4  R  ;;;
       vlan2                                             vlan             1500 
 5  R  ;;;
       vlan3                                             vlan             1500 
 6  R  ;;;
       vlan4                                             vlan             1500 
 7  R  ;;;
       vlan5                                             vlan             1500 
 8  R  ;;;
       vlan6                                             vlan             1500 
 9  R  ;;;
       vlan7                                             vlan             1500 
10  R  ;;;
       vlan8                                             vlan             1500 
11  R  ;;;
       vlan9                                             vlan             1500 
12  R  puenteDistribCiudad                              bridge           1500 
13  R  puenteServsInet                                   bridge           1500 

[admin@MyISP-Master] >   /ip firewall nat print    
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=src-nat to-addresses=10.9.8.49 
     src-address-list=A natear dst-address-list=!A natear 
[admin@MyISP-Master] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   ;;;
     200.43.189.225/27  200.43.189.224  200.43.189.255  puenteDistribCiudad   
 1   192.168.25.1/24    192.168.25.0    192.168.25.255  puenteDistribCiudad   
 2   192.168.20.1/30    192.168.20.0    192.168.20.3    puenteDistribCiudad   
 3   192.168.20.5/30    192.168.20.4    192.168.20.7    puenteDistribCiudad   
 4   192.168.20.9/30    192.168.20.8    192.168.20.11   puenteDistribCiudad   
 5   192.168.20.13/30   192.168.20.12   192.168.20.15   puenteDistribCiudad   
 6   192.168.20.17/30   192.168.20.16   192.168.20.19   puenteDistribCiudad   
 7   192.168.20.21/30   192.168.20.20   192.168.20.23   puenteDistribCiudad   
 8   192.168.20.25/30   192.168.20.24   192.168.20.27   puenteDistribCiudad   
 9   192.168.20.29/30   192.168.20.28   192.168.20.31   puenteDistribCiudad   
10   192.168.20.33/30   192.168.20.32   192.168.20.35   puenteDistribCiudad   
11   192.168.20.37/30   192.168.20.36   192.168.20.39   puenteDistribCiudad   
12   192.168.20.41/30   192.168.20.40   192.168.20.43   puenteDistribCiudad   
13   192.168.20.45/30   192.168.20.44   192.168.20.47   puenteDistribCiudad   
14   192.168.20.49/30   192.168.20.48   192.168.20.51   puenteDistribCiudad   
15   192.168.20.53/30   192.168.20.52   192.168.20.55   puenteDistribCiudad   
16   192.168.20.57/30   192.168.20.56   192.168.20.59   puenteDistribCiudad   
17   192.168.20.61/30   192.168.20.60   192.168.20.63   puenteDistribCiudad   
18   192.168.20.65/30   192.168.20.64   192.168.20.67   puenteDistribCiudad   
19   192.168.20.69/30   192.168.20.68   192.168.20.71   puenteDistribCiudad   
20   192.168.20.73/30   192.168.20.72   192.168.20.75   puenteDistribCiudad   
21   192.168.20.77/30   192.168.20.76   192.168.20.79   puenteDistribCiudad   
22   192.168.20.81/30   192.168.20.80   192.168.20.83   puenteDistribCiudad   
23   192.168.20.85/30   192.168.20.84   192.168.20.87   puenteDistribCiudad   
24   192.168.20.89/30   192.168.20.88   192.168.20.91   puenteDistribCiudad   
25   192.168.20.93/30   192.168.20.92   192.168.20.95   puenteDistribCiudad   
26   192.168.20.97/30   192.168.20.96   192.168.20.99   puenteDistribCiudad   
27   192.168.20.101/30  192.168.20.100  192.168.20.103  puenteDistribCiudad   
28   192.168.20.105/30  192.168.20.104  192.168.20.107  puenteDistribCiudad   
29   192.168.20.109/30  192.168.20.108  192.168.20.111  puenteDistribCiudad   
30   192.168.20.113/30  192.168.20.112  192.168.20.115  puenteDistribCiudad   
31   192.168.20.117/30  192.168.20.116  192.168.20.119  puenteDistribCiudad   
32   192.168.20.121/30  192.168.20.120  192.168.20.123  puenteDistribCiudad   
33   192.168.20.125/30  192.168.20.124  192.168.20.127  puenteDistribCiudad   
34   192.168.20.129/30  192.168.20.128  192.168.20.131  puenteDistribCiudad   
35   192.168.20.133/30  192.168.20.132  192.168.20.135  puenteDistribCiudad   
36   192.168.20.137/30  192.168.20.136  192.168.20.139  puenteDistribCiudad   
37   192.168.20.141/30  192.168.20.140  192.168.20.143  puenteDistribCiudad   
38   192.168.20.145/30  192.168.20.144  192.168.20.147  puenteDistribCiudad   
39   192.168.20.149/30  192.168.20.148  192.168.20.151  puenteDistribCiudad   
40   192.168.20.153/30  192.168.20.152  192.168.20.155  puenteDistribCiudad   
41   192.168.20.157/30  192.168.20.156  192.168.20.159  puenteDistribCiudad   
42   192.168.20.161/30  192.168.20.160  192.168.20.163  puenteDistribCiudad   
43   192.168.20.165/30  192.168.20.164  192.168.20.167  puenteDistribCiudad   
44   192.168.20.169/30  192.168.20.168  192.168.20.171  puenteDistribCiudad   
45   192.168.20.173/30  192.168.20.172  192.168.20.175  puenteDistribCiudad   
46   192.168.20.177/30  192.168.20.176  192.168.20.179  puenteDistribCiudad   
47   192.168.20.181/30  192.168.20.180  192.168.20.183  puenteDistribCiudad   
48   192.168.20.185/30  192.168.20.184  192.168.20.187  puenteDistribCiudad   
49   192.168.20.189/30  192.168.20.188  192.168.20.191  puenteDistribCiudad   
50   192.168.20.193/30  192.168.20.192  192.168.20.195  puenteDistribCiudad   
51   192.168.20.197/30  192.168.20.196  192.168.20.199  puenteDistribCiudad   
52   192.168.20.201/30  192.168.20.200  192.168.20.203  puenteDistribCiudad   
53   192.168.20.205/30  192.168.20.204  192.168.20.207  puenteDistribCiudad   
54   192.168.20.209/30  192.168.20.208  192.168.20.211  puenteDistribCiudad   
55   192.168.20.213/30  192.168.20.212  192.168.20.215  puenteDistribCiudad   
56   192.168.20.217/30  192.168.20.216  192.168.20.219  puenteDistribCiudad   
57   192.168.20.221/30  192.168.20.220  192.168.20.223  puenteDistribCiudad   
58   192.168.20.225/30  192.168.20.224  192.168.20.227  puenteDistribCiudad   
59   192.168.20.229/30  192.168.20.228  192.168.20.231  puenteDistribCiudad   
60   192.168.20.233/30  192.168.20.232  192.168.20.235  puenteDistribCiudad   
61   192.168.20.237/30  192.168.20.236  192.168.20.239  puenteDistribCiudad   
62   192.168.20.241/30  192.168.20.240  192.168.20.243  puenteDistribCiudad   
63   192.168.20.245/30  192.168.20.244  192.168.20.247  puenteDistribCiudad   
64   192.168.20.249/30  192.168.20.248  192.168.20.255  puenteDistribCiudad   
65   192.168.20.253/30  192.168.20.252  192.168.20.255  puenteDistribCiudad   
66   192.168.22.1/30    192.168.22.0    192.168.22.3    puenteDistribCiudad   
67   192.168.22.5/30    192.168.22.4    192.168.22.7    puenteDistribCiudad   
68   192.168.22.9/30    192.168.22.8    192.168.22.11   puenteDistribCiudad   
69   192.168.22.13/30   192.168.22.12   192.168.22.15   puenteDistribCiudad   
70   192.168.22.17/30   192.168.22.16   192.168.22.19   puenteDistribCiudad   
71   192.168.22.21/30   192.168.22.20   192.168.22.23   puenteDistribCiudad   
72   192.168.22.25/30   192.168.22.24   192.168.22.27   puenteDistribCiudad   
73   192.168.22.29/30   192.168.22.28   192.168.22.31   puenteDistribCiudad   
74   192.168.22.33/30   192.168.22.32   192.168.22.35   puenteDistribCiudad   
75   192.168.22.37/30   192.168.22.36   192.168.22.39   puenteDistribCiudad   
76   192.168.22.41/30   192.168.22.40   192.168.22.43   puenteDistribCiudad   
77   192.168.22.45/30   192.168.22.44   192.168.22.47   puenteDistribCiudad   
78   192.168.22.49/30   192.168.22.48   192.168.22.51   puenteDistribCiudad   
79   192.168.22.53/30   192.168.22.52   192.168.22.55   puenteDistribCiudad   
80   192.168.22.57/30   192.168.22.56   192.168.22.59   puenteDistribCiudad   
81   192.168.22.61/30   192.168.22.60   192.168.22.63   puenteDistribCiudad   
82   192.168.22.65/30   192.168.22.64   192.168.22.67   puenteDistribCiudad   
83   192.168.22.69/30   192.168.22.68   192.168.22.71   puenteDistribCiudad   
84   192.168.22.73/30   192.168.22.72   192.168.22.75   puenteDistribCiudad   
85   192.168.22.77/30   192.168.22.76   192.168.22.79   puenteDistribCiudad   
86   192.168.22.81/30   192.168.22.80   192.168.22.83   puenteDistribCiudad   
87   192.168.22.85/30   192.168.22.84   192.168.22.87   puenteDistribCiudad   
88   192.168.22.89/30   192.168.22.88   192.168.22.91   puenteDistribCiudad   
89   192.168.22.93/30   192.168.22.92   192.168.22.95   puenteDistribCiudad   
90   192.168.22.97/30   192.168.22.96   192.168.22.99   puenteDistribCiudad   
91   192.168.22.101/30  192.168.22.100  192.168.22.103  puenteDistribCiudad   
92   192.168.22.105/30  192.168.22.104  192.168.22.107  puenteDistribCiudad   
93   192.168.22.109/30  192.168.22.108  192.168.22.111  puenteDistribCiudad   
94   192.168.22.113/30  192.168.22.112  192.168.22.115  puenteDistribCiudad   
95   192.168.22.117/30  192.168.22.116  192.168.22.119  puenteDistribCiudad   
96   192.168.22.121/30  192.168.22.120  192.168.22.123  puenteDistribCiudad   
97   192.168.22.125/30  192.168.22.124  192.168.22.127  puenteDistribCiudad   
98   192.168.22.129/30  192.168.22.128  192.168.22.131  puenteDistribCiudad   
99   192.168.22.133/30  192.168.22.132  192.168.22.135  puenteDistribCiudad   
100   192.168.22.137/30  192.168.22.136  192.168.22.139  puenteDistribCiudad >
101   192.168.22.141/30  192.168.22.140  192.168.22.143  puenteDistribCiudad >
102   192.168.22.145/30  192.168.22.144  192.168.22.147  puenteDistribCiudad >
103   192.168.22.149/30  192.168.22.148  192.168.22.151  puenteDistribCiudad >
104   192.168.22.153/30  192.168.22.152  192.168.22.155  puenteDistribCiudad >
105   192.168.22.157/30  192.168.22.156  192.168.22.159  puenteDistribCiudad >
106   192.168.22.161/30  192.168.22.160  192.168.22.163  puenteDistribCiudad >
107   192.168.22.165/30  192.168.22.164  192.168.22.167  puenteDistribCiudad >
108   192.168.22.169/30  192.168.22.168  192.168.22.171  puenteDistribCiudad >
109   192.168.22.173/30  192.168.22.172  192.168.22.175  puenteDistribCiudad >
110   192.168.22.177/30  192.168.22.176  192.168.22.179  puenteDistribCiudad >
111   192.168.22.181/30  192.168.22.180  192.168.22.183  puenteDistribCiudad >
112   192.168.22.185/30  192.168.22.184  192.168.22.187  puenteDistribCiudad >
113   192.168.22.189/30  192.168.22.188  192.168.22.191  puenteDistribCiudad >
114   192.168.22.193/30  192.168.22.192  192.168.22.195  puenteDistribCiudad >
115   192.168.22.197/30  192.168.22.196  192.168.22.199  puenteDistribCiudad >
116   192.168.22.201/30  192.168.22.200  192.168.22.203  puenteDistribCiudad >
117   192.168.22.205/30  192.168.22.204  192.168.22.207  puenteDistribCiudad >
118   192.168.22.209/30  192.168.22.208  192.168.22.211  puenteDistribCiudad >
119   192.168.22.213/30  192.168.22.212  192.168.22.215  puenteDistribCiudad >
120   192.168.22.217/30  192.168.22.216  192.168.22.219  puenteDistribCiudad >
121   192.168.22.221/30  192.168.22.220  192.168.22.223  puenteDistribCiudad >
122   192.168.22.225/30  192.168.22.224  192.168.22.227  puenteDistribCiudad >
123   192.168.22.229/30  192.168.22.228  192.168.22.231  puenteDistribCiudad >
124   192.168.22.233/30  192.168.22.232  192.168.22.235  puenteDistribCiudad >
125   192.168.22.237/30  192.168.22.236  192.168.22.239  puenteDistribCiudad >
126   192.168.22.241/30  192.168.22.240  192.168.22.243  puenteDistribCiudad >
127   192.168.22.245/30  192.168.22.244  192.168.22.247  puenteDistribCiudad >
128   192.168.22.249/30  192.168.22.248  192.168.22.251  puenteDistribCiudad >
129   192.168.22.253/30  192.168.22.252  192.168.22.255  puenteDistribCiudad >
130   192.168.19.1/30    192.168.19.0    192.168.19.3    puenteDistribCiudad >
131   192.168.19.5/30    192.168.19.4    192.168.19.7    puenteDistribCiudad >
132   192.168.19.9/30    192.168.19.8    192.168.19.11   puenteDistribCiudad >
133   192.168.19.13/30   192.168.19.12   192.168.19.15   puenteDistribCiudad >
134   192.168.19.17/30   192.168.19.16   192.168.19.19   puenteDistribCiudad >
135   192.168.19.21/30   192.168.19.20   192.168.19.23   puenteDistribCiudad >
136   192.168.19.25/30   192.168.19.24   192.168.19.27   puenteDistribCiudad >
137   192.168.19.29/30   192.168.19.28   192.168.19.31   puenteDistribCiudad >
138   192.168.19.33/30   192.168.19.32   192.168.19.35   puenteDistribCiudad >
139   192.168.19.37/30   192.168.19.36   192.168.19.39   puenteDistribCiudad >
140   192.168.19.41/30   192.168.19.40   192.168.19.43   puenteDistribCiudad >
141   192.168.19.45/30   192.168.19.44   192.168.19.47   puenteDistribCiudad >
142   192.168.19.49/30   192.168.19.48   192.168.19.51   puenteDistribCiudad >
143   192.168.19.53/30   192.168.19.52   192.168.19.55   puenteDistribCiudad >
144   192.168.19.57/30   192.168.19.56   192.168.19.59   puenteDistribCiudad >
145   192.168.19.61/30   192.168.19.60   192.168.19.63   puenteDistribCiudad >
146   192.168.19.65/30   192.168.19.64   192.168.19.67   puenteDistribCiudad >
147   192.168.19.69/30   192.168.19.68   192.168.19.71   puenteDistribCiudad >
148   192.168.19.73/30   192.168.19.72   192.168.19.75   puenteDistribCiudad >
149   192.168.19.77/30   192.168.19.76   192.168.19.79   puenteDistribCiudad >
150   192.168.19.81/30   192.168.19.80   192.168.19.83   puenteDistribCiudad >
151   192.168.19.85/30   192.168.19.84   192.168.19.87   puenteDistribCiudad >
152   192.168.19.89/30   192.168.19.88   192.168.19.91   puenteDistribCiudad >
153   192.168.19.93/30   192.168.19.92   192.168.19.95   puenteDistribCiudad >
154   192.168.19.97/30   192.168.19.96   192.168.19.99   puenteDistribCiudad >
155   192.168.19.101/30  192.168.19.100  192.168.19.103  puenteDistribCiudad >
156   192.168.19.105/30  192.168.19.104  192.168.19.107  puenteDistribCiudad >
157   192.168.19.109/30  192.168.19.108  192.168.19.111  puenteDistribCiudad >
158   192.168.19.113/30  192.168.19.112  192.168.19.115  puenteDistribCiudad >
159   192.168.19.117/30  192.168.19.116  192.168.19.119  puenteDistribCiudad >
160   192.168.19.121/30  192.168.19.120  192.168.19.123  puenteDistribCiudad >
161   192.168.19.125/30  192.168.19.124  192.168.19.127  puenteDistribCiudad >
162   192.168.19.129/30  192.168.19.128  192.168.19.131  puenteDistribCiudad >
163   192.168.19.133/30  192.168.19.132  192.168.19.135  puenteDistribCiudad >
164   192.168.19.137/30  192.168.19.136  192.168.19.139  puenteDistribCiudad >
165   192.168.19.141/30  192.168.19.140  192.168.19.143  puenteDistribCiudad >
166   192.168.19.145/30  192.168.19.144  192.168.19.147  puenteDistribCiudad >
167   192.168.19.149/30  192.168.19.148  192.168.19.151  puenteDistribCiudad >
168   192.168.19.153/30  192.168.19.152  192.168.19.155  puenteDistribCiudad >
169   192.168.19.157/30  192.168.19.156  192.168.19.159  puenteDistribCiudad >
170   192.168.19.161/30  192.168.19.160  192.168.19.163  puenteDistribCiudad >
171   192.168.19.165/30  192.168.19.164  192.168.19.167  puenteDistribCiudad >
172   192.168.19.169/30  192.168.19.168  192.168.19.171  puenteDistribCiudad >
173   192.168.19.173/30  192.168.19.172  192.168.19.175  puenteDistribCiudad >
174   192.168.19.177/30  192.168.19.176  192.168.19.179  puenteDistribCiudad >
175   192.168.19.181/30  192.168.19.180  192.168.19.183  puenteDistribCiudad >
176   192.168.19.185/30  192.168.19.184  192.168.19.187  puenteDistribCiudad >
177   192.168.19.189/30  192.168.19.188  192.168.19.191  puenteDistribCiudad >
178   192.168.19.193/30  192.168.19.192  192.168.19.195  puenteDistribCiudad >
179   192.168.19.197/30  192.168.19.196  192.168.19.199  puenteDistribCiudad >
180   192.168.19.201/30  192.168.19.200  192.168.19.203  puenteDistribCiudad >
181   192.168.19.205/30  192.168.19.204  192.168.19.207  puenteDistribCiudad >
182   192.168.19.209/30  192.168.19.208  192.168.19.211  puenteDistribCiudad >
183   192.168.19.213/30  192.168.19.212  192.168.19.215  puenteDistribCiudad >
184   192.168.19.217/30  192.168.19.216  192.168.19.219  puenteDistribCiudad >
185   192.168.19.221/30  192.168.19.220  192.168.19.223  puenteDistribCiudad >
186   192.168.19.225/30  192.168.19.224  192.168.19.227  puenteDistribCiudad >
187   192.168.19.229/30  192.168.19.228  192.168.19.231  puenteDistribCiudad >
188   192.168.19.233/30  192.168.19.232  192.168.19.235  puenteDistribCiudad >
189   192.168.19.237/30  192.168.19.236  192.168.19.239  puenteDistribCiudad >
190   192.168.19.241/30  192.168.19.240  192.168.19.243  puenteDistribCiudad >
191   192.168.19.245/30  192.168.19.244  192.168.19.247  puenteDistribCiudad >
192   192.168.19.249/30  192.168.19.248  192.168.19.251  puenteDistribCiudad >
193   192.168.19.253/30  192.168.19.252  192.168.19.255  puenteDistribCiudad >
194   192.168.18.1/30    192.168.18.0    192.168.18.3    puenteDistribCiudad >
195   192.168.18.5/30    192.168.18.4    192.168.18.7    puenteDistribCiudad >
196   192.168.18.9/30    192.168.18.8    192.168.18.11   puenteDistribCiudad >
197   192.168.18.13/30   192.168.18.12   192.168.18.15   puenteDistribCiudad >
198   192.168.18.17/30   192.168.18.16   192.168.18.19   puenteDistribCiudad >
199   192.168.18.21/30   192.168.18.20   192.168.18.23   puenteDistribCiudad >
200   192.168.18.25/30   192.168.18.24   192.168.18.27   puenteDistribCiudad >
201   192.168.18.29/30   192.168.18.28   192.168.18.31   puenteDistribCiudad >
202   192.168.18.33/30   192.168.18.32   192.168.18.35   puenteDistribCiudad >
203   192.168.18.37/30   192.168.18.36   192.168.18.39   puenteDistribCiudad >
204   192.168.18.41/30   192.168.18.40   192.168.18.43   puenteDistribCiudad >
205   192.168.18.45/30   192.168.18.44   192.168.18.47   puenteDistribCiudad >
206   192.168.18.49/30   192.168.18.48   192.168.18.51   puenteDistribCiudad >
207   192.168.18.53/30   192.168.18.52   192.168.18.55   puenteDistribCiudad >
208   192.168.18.57/30   192.168.18.56   192.168.18.59   puenteDistribCiudad >
209   192.168.18.61/30   192.168.18.60   192.168.18.63   puenteDistribCiudad >
210   192.168.18.65/30   192.168.18.64   192.168.18.67   puenteDistribCiudad >
211   192.168.18.69/30   192.168.18.68   192.168.18.71   puenteDistribCiudad >
212   192.168.18.73/30   192.168.18.72   192.168.18.75   puenteDistribCiudad >
213   192.168.18.77/30   192.168.18.76   192.168.18.79   puenteDistribCiudad >
214   192.168.18.81/30   192.168.18.80   192.168.18.83   puenteDistribCiudad >
215   192.168.18.85/30   192.168.18.84   192.168.18.87   puenteDistribCiudad >
216   192.168.18.89/30   192.168.18.88   192.168.18.91   puenteDistribCiudad >
217   192.168.18.93/30   192.168.18.92   192.168.18.95   puenteDistribCiudad >
218   192.168.18.97/30   192.168.18.96   192.168.18.99   puenteDistribCiudad >
219   192.168.18.101/30  192.168.18.100  192.168.18.103  puenteDistribCiudad >
220   192.168.18.105/30  192.168.18.104  192.168.18.107  puenteDistribCiudad >
221   192.168.18.109/30  192.168.18.108  192.168.18.111  puenteDistribCiudad >
222   192.168.18.113/30  192.168.18.112  192.168.18.115  puenteDistribCiudad >
223   192.168.18.117/30  192.168.18.116  192.168.18.119  puenteDistribCiudad >
224   192.168.18.121/30  192.168.18.120  192.168.18.123  puenteDistribCiudad >
225   192.168.18.125/30  192.168.18.124  192.168.18.127  puenteDistribCiudad >
226   192.168.18.129/30  192.168.18.128  192.168.18.131  puenteDistribCiudad >
227   192.168.18.133/30  192.168.18.132  192.168.18.135  puenteDistribCiudad >
228   192.168.18.137/30  192.168.18.136  192.168.18.139  puenteDistribCiudad >
229   192.168.18.141/30  192.168.18.140  192.168.18.143  puenteDistribCiudad >
230   192.168.18.145/30  192.168.18.144  192.168.18.147  puenteDistribCiudad >
231   192.168.18.149/30  192.168.18.148  192.168.18.151  puenteDistribCiudad >
232   192.168.18.153/30  192.168.18.152  192.168.18.155  puenteDistribCiudad >
233   192.168.18.157/30  192.168.18.156  192.168.18.159  puenteDistribCiudad >
234   192.168.18.161/30  192.168.18.160  192.168.18.163  puenteDistribCiudad >
235   192.168.18.165/30  192.168.18.164  192.168.18.167  puenteDistribCiudad >
236   192.168.18.169/30  192.168.18.168  192.168.18.171  puenteDistribCiudad >
237   192.168.18.173/30  192.168.18.172  192.168.18.175  puenteDistribCiudad >
238   192.168.18.177/30  192.168.18.176  192.168.18.179  puenteDistribCiudad >
239   192.168.18.181/30  192.168.18.180  192.168.18.183  puenteDistribCiudad >
240   192.168.18.185/30  192.168.18.184  192.168.18.187  puenteDistribCiudad >
241   192.168.18.189/30  192.168.18.188  192.168.18.191  puenteDistribCiudad >
242   192.168.18.193/30  192.168.18.192  192.168.18.195  puenteDistribCiudad >
243   192.168.18.197/30  192.168.18.196  192.168.18.199  puenteDistribCiudad >
244   192.168.18.201/30  192.168.18.200  192.168.18.203  puenteDistribCiudad >
245   192.168.18.205/30  192.168.18.204  192.168.18.207  puenteDistribCiudad >
246   192.168.18.209/30  192.168.18.208  192.168.18.211  puenteDistribCiudad >
247   192.168.18.213/30  192.168.18.212  192.168.18.215  puenteDistribCiudad >
248   192.168.18.217/30  192.168.18.216  192.168.18.219  puenteDistribCiudad >
249   192.168.18.221/30  192.168.18.220  192.168.18.223  puenteDistribCiudad >
250   192.168.18.225/30  192.168.18.224  192.168.18.227  puenteDistribCiudad >
251   192.168.18.229/30  192.168.18.228  192.168.18.231  puenteDistribCiudad >
252   192.168.18.233/30  192.168.18.232  192.168.18.235  puenteDistribCiudad >
253   192.168.18.237/30  192.168.18.236  192.168.18.239  puenteDistribCiudad >
254   192.168.18.241/30  192.168.18.240  192.168.18.243  puenteDistribCiudad >
255   192.168.18.245/30  192.168.18.244  192.168.18.247  puenteDistribCiudad >
256   192.168.18.249/30  192.168.18.248  192.168.18.255  puenteDistribCiudad >
257   192.168.18.253/30  192.168.18.252  192.168.18.255  puenteDistribCiudad >
258   192.168.0.1/24     192.168.0.0     192.168.0.255   vlan6                >
259   192.168.2.11/24    192.168.2.0     192.168.2.255   vlan6                >
260   192.168.1.5/24     192.168.1.0     192.168.1.255   vlan6                >
261 X ;;;
     192.168.26.1/24    192.168.26.0    192.168.26.255  vlan8                  
262 X ;;;
     192.168.27.1/24    192.168.27.0    192.168.27.255  vlan9                  
263   ;;;
     200.43.189.6/25    200.43.189.0    200.43.189.127  puenteServsInet        
264 X ;;;
     190.139.102.228/29 190.139.102.224 190.139.102.231 puenteServsInet        
265   ;;;
     10.9.8.49/24       10.9.8.0        10.9.8.255      puenteServsInet        
266   ;;;
     10.80.0.1/24       10.80.0.0       10.80.0.255     puenteDistribCiudad   
267   ;;;
     10.80.1.1/24       10.80.1.0       10.80.1.255     ether1                 
268   ;;;
     10.80.32.1/24      10.80.32.0      10.80.32.255    vlan8                  
269   ;;;
     10.80.64.1/24      10.80.64.0      10.80.64.255    vlan9                  
270   ;;;
     10.80.2.1/24       10.80.2.0       10.80.2.255     puenteDistribCiudad   
271   ;;;
     10.80.3.1/24       10.80.3.0       10.80.3.255     puenteDistribCiudad   
272   ;;;
     10.80.4.1/24       10.80.4.0       10.80.4.255     puenteDistribCiudad   
273   ;;;
     10.80.5.1/24       10.80.5.0       10.80.5.255     vlan5                  

[admin@MyISP-Master] > 


 
jkohan
newbie
Topic Author
Posts: 28
Joined: Fri Jun 06, 2008 6:55 am
Location: Rosario, Argentina
Contact:

Re: RB1000 (3.13, 3.17) no honouring (in/out)-bridge-port= ?

Sat Dec 20, 2008 4:43 am

Tried with 3.13 and 3.17, FW 2.12, 2.16 and 2.18, and all the same.
 
vegard
just joined
Posts: 24
Joined: Sat Feb 12, 2005 6:55 pm

Re: RB1000 (3.13, 3.17) no honouring (in/out)-bridge-port= ?

Sat Dec 20, 2008 5:54 pm

/int bri sett set use-ip-firewall-for-vlan=yes
/int bri sett set use-ip-firewall=yes
 
jkohan
newbie
Topic Author
Posts: 28
Joined: Fri Jun 06, 2008 6:55 am
Location: Rosario, Argentina
Contact:

Re: RB1000 (3.13, 3.17) no honouring (in/out)-bridge-port= ?

Sat Dec 20, 2008 6:20 pm

> /int bri sett set use-ip-firewall-for-vlan=yes
> /int bri sett set use-ip-firewall=yes

I forgot to mention it, but both are enabled.
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: RB1000 (3.13, 3.17) no honouring (in/out)-bridge-port= ?

Mon Dec 22, 2008 12:04 pm

Do you expect us to search for particular rules in your setup that don't work?

Please try to create as narrow a configuration as possible that shows the problem.

At this point it might be some rules before your problematic mangle rule, etc.
 
digicomtech
Frequent Visitor
Posts: 77
Joined: Fri Apr 20, 2007 5:03 pm
Location: Alma, Qc, Canada
Contact:

Re: RB1000 (3.13, 3.17) no honouring (in/out)-bridge-port= ?

Mon Jul 06, 2009 10:52 pm

I noticed something strange that could be related to your problem.
I don't know if it's normal but in that kind of setup:

ether1 -> Public port
ether2 -> Bridge1 port
ether3 -> Bridge1 port

Bridge1 -> LAN port
Bridge firewall enabled

Traffic going through the router from ether1 to ether2 (bridge1) won't match this rule:
/ip firewall filter add chain=forward in-interface=ether1 out-interface=bridge1 out-bridge-port=ether2
However, traffic going through the router from ether2 (bridge1) to ether1 will match this rule:
/ip firewall filter add chain=forward out-interface=ether1 in-interface=bridge1 in-bridge-port=ether2
This traffic should match both rules if the ipt_physdev module is loaded on standard Linux.


Regards,
Michael
 
jkohan
newbie
Topic Author
Posts: 28
Joined: Fri Jun 06, 2008 6:55 am
Location: Rosario, Argentina
Contact:

Re: RB1000 (3.13, 3.17) no honouring (in/out)-bridge-port= ?

Mon Jul 06, 2009 11:23 pm

> I noticed something strange that could be related to your problem.
> I don't know if it's normal but in that kind of setup:
>
> ether1 -> Public port
> ether2 -> Bridge1 port
> ether3 -> Bridge1 port
>
> Bridge1 -> LAN port
> Bridge firewall enabled
>
> Traffic going through the router from ether1 to ether2 (bridge1) won't match this rule:
> /ip firewall filter add chain=forward in-interface=ether1 out-interface=bridge1 out-bridge-port=ether2
> However, traffic going through the router from ether2 (bridge1) to ether1 will match this rule:
> /ip firewall filter add chain=forward out-interface=ether1 in-interface=bridge1 in-bridge-port=ether2
> This traffic should match both rules if the ipt_physdev module is loaded on standard Linux.
>
> Regards,
> Michael

That is exactly what happened to me. Finally, I gave up and configured my rules using IPs (not the best solution, but at least it works).
 
digicomtech
Frequent Visitor
Posts: 77
Joined: Fri Apr 20, 2007 5:03 pm
Location: Alma, Qc, Canada
Contact:

Re: RB1000 (3.13, 3.17) no honouring (in/out)-bridge-port= ?

Mon Jul 06, 2009 11:25 pm

I did my test on an RB450G with 3.25 OS.

Same problem.

Any idea, Janis?

Michael Plourde
 
macgaiver
Forum Guru
Posts: 1764
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: RB1000 (3.13, 3.17) no honouring (in/out)-bridge-port= ?

Tue Jul 07, 2009 8:18 am

> I noticed something strange that could be related to your problem.
> I don't know if it's normal but in that kind of setup:
>
> ether1 -> Public port
> ether2 -> Bridge1 port
> ether3 -> Bridge1 port
>
> Bridge1 -> LAN port
> Bridge firewall enabled
>
> Traffic going through the router from ether1 to ether2 (bridge1) won't match this rule:
> /ip firewall filter add chain=forward in-interface=ether1 out-interface=bridge1 out-bridge-port=ether2
> However, traffic going through the router from ether2 (bridge1) to ether1 will match this rule:
> /ip firewall filter add chain=forward out-interface=ether1 in-interface=bridge1 in-bridge-port=ether2
> This traffic should match both rules if the ipt_physdev module is loaded on standard Linux.
>
> Regards,
> Michael

"in-interface" and "out-interface" are IP layer options - so in case "Traffic going through the router from ether1 to ether2 (bridge1)" it is bridged (MAC layer), not routed (IP layer), so these options will NEVER match.
 
digicomtech
Frequent Visitor
Posts: 77
Joined: Fri Apr 20, 2007 5:03 pm
Location: Alma, Qc, Canada
Contact:

Re: RB1000 (3.13, 3.17) no honouring (in/out)-bridge-port= ?

Tue Jul 07, 2009 3:48 pm

> "in-interface" and "out-interface" are IP layer options - so in case "Traffic going through the router from ether1 to ether2 (bridge1)" it is bridged (MAC layer), not routed (IP layer), so these options will NEVER match

If you look back at my config:
ether1 -> Public port
ether2 -> Bridge1 port
ether3 -> Bridge1 port

ether1 is not bridged, and that would be MAC layer if traffic went through the bridge (ether2 to ether3 or ether3 to ether2). In fact, these rules are matched when traffic is going from ether1 to bridge1 (port ether2):

Rule 1:
/ip firewall filter add chain=forward in-interface=ether1 out-interface=bridge1
or from bridge1 (port ether2) to ether1:

Rule 1:
/ip firewall filter add chain=forward in-interface=bridge1 out-interface=ether1
So, as I described before, if I add in-bridge-port to the second rule, traffic continues to hit the rule. But if I add out-bridge-port to the first one, then the stats stop growing.

I will try it on a standard linux dist and let you know,

Regards,
Michael Plourde
Digicom
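
Added example (not from any poster in this thread, and not MikroTik code): a small Python audit that flags firewall rules of the shape reported above as no longer matching, that is, `out-bridge-port` on forward traffic routed into the bridge, plus bridge-port matchers that name a port outside the bridge. The bridge table, the fourth rule with `ether4`, and all function names are constructed for illustration; the "reported not to match" finding reflects the posters' observations, not documented RouterOS behaviour.

```python
import shlex

# Constructed input: bridge membership and rules modelled on the posts above.
BRIDGE_PORTS = {"ether2": "bridge1", "ether3": "bridge1"}  # port -> bridge
RULES = """\
/ip firewall filter add chain=forward in-interface=ether1 out-interface=bridge1 out-bridge-port=ether2
/ip firewall filter add chain=forward out-interface=ether1 in-interface=bridge1 in-bridge-port=ether2
/ip firewall filter add chain=forward in-interface=ether1 out-interface=bridge1
/ip firewall filter add chain=forward in-interface=bridge1 out-interface=ether1 in-bridge-port=ether4
"""

def parse_rule(line):
    """Return the key=value matchers of one 'add' line as a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def audit_rule(rule, bridge_ports):
    """Return findings for one parsed rule; an empty list means nothing flagged."""
    findings = []
    for side in ("in", "out"):
        port = rule.get(f"{side}-bridge-port")
        if port is None:
            continue
        iface = rule.get(f"{side}-interface")
        if port not in bridge_ports:
            findings.append(f"{side}-bridge-port={port} is not a member of any bridge")
        elif iface is not None and bridge_ports[port] != iface:
            findings.append(f"{side}-bridge-port={port} is on {bridge_ports[port]}, not {iface}")
    # Pattern reported in the thread: out-bridge-port on a forward rule whose
    # traffic is routed into the bridge (it did not arrive on that same bridge).
    out_port = rule.get("out-bridge-port")
    if out_port in bridge_ports and rule.get("chain") == "forward":
        in_if = rule.get("in-interface")
        arrived_on = bridge_ports.get(in_if, in_if)  # physical port -> its bridge
        if arrived_on != bridge_ports[out_port]:
            findings.append("out-bridge-port on routed traffic: reported not to match")
    return findings

def audit(text, bridge_ports):
    """Audit every 'add' line; returns [(line_number, findings), ...]."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        if " add " in line:
            results.append((number, audit_rule(parse_rule(line), bridge_ports)))
    return results

if __name__ == "__main__":
    for number, findings in audit(RULES, BRIDGE_PORTS):
        print(number, "; ".join(findings) or "nothing flagged")
```

A rule that silently stops matching leaves its traffic to whatever rule follows, so flagged rules are worth checking against their packet counters before relying on them.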
 
jkohan
newbie
Topic Author
Posts: 28
Joined: Fri Jun 06, 2008 6:55 am
Location: Rosario, Argentina
Contact:

Re: RB1000 (3.13, 3.17) no honouring (in/out)-bridge-port= ?

Tue Jul 07, 2009 4:54 pm


> "in-interface" and "out-interface" are IP layer options - so in case "Traffic going through the router from ether1 to ether2 (bridge1)" it is bridged (MAC layer), not routed (IP layer), so these options will NEVER match.

Not even with "Use IP Firewall" checked in Bridge Settings?
