troy
Member
Topic Author
Posts: 320
Joined: Thu Jun 30, 2005 6:47 pm

Bridge Filters - Allow VLAN, Block IP

Wed May 11, 2011 11:20 pm

I have a bridge with wlan1 and ether1.

On ether1, I have an IP address of 1.1.1.1/28
On wlan1, I have an IP address of 2.2.2.2/30

OSPF is running on both networks, all IP traffic is being routed, while VLAN traffic is being bridged. Now, I want to block everything that's not on a VLAN from passing through the bridge (has to be routed). The goal is to eliminate all broadcast traffic.

From what I can tell, the following rules are all that's needed, but I'm wondering if they'll cause more problems than they'll solve.
/interface bridge filter
add action=accept chain=forward mac-protocol=vlan
add action=drop chain=forward
Thanks,
 
troy
Member
Topic Author
Posts: 320
Joined: Thu Jun 30, 2005 6:47 pm

Re: Bridge Filters - Allow VLAN, Block IP

Fri May 13, 2011 5:42 pm

I'm really needing some help here... I have this set up on one of our towers, and it's working well enough, but it seems a little wonky... When doing a ping to a host outside the local network, I get ICMP redirects, like the source and next hop are on the same interface...

Oh wait, they ARE on the same interface, go figure... Each interface on the router is configured in a different subnet. OSPF is running on both networks, but uses the bridge as a dynamic interface, even when I attempt to manually configure the physical interfaces in OSPF.
[admin@LRS_BH] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   172.17.86.97/28    172.17.86.96    ether1
 1   172.17.84.194/30   172.17.84.192   backhaul

[admin@LRS_BH] > /routing ospf network print 
Flags: X - disabled, I - invalid 
 #   NETWORK            AREA
 0   172.17.84.192/30   backbone
 1   172.17.86.96/28    backbone

[admin@LRS_BH] > /routing ospf interface print
Flags: X - disabled, I - inactive, D - dynamic, P - passive
 #    INTERFACE                       COST  PRIORITY NETWORK-TYPE   AUTHENTICATION AUTHENTICATION-KEY
 0 D  bridge1                         10    1        broadcast      none
 1 D  bridge1                         10    1        broadcast      none
I really need to have complete, normal, straight routing of L3 traffic while maintaining the ability to bridge VLAN traffic. Can anyone help with this?
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: Bridge Filters - Allow VLAN, Block IP

Mon May 16, 2011 1:35 am

I really need to have complete, normal, straight routing of L3 traffic while maintaining the ability to bridge VLAN traffic. Can anyone help with this?
A tunnel is probably your best bet. VPLS, or otherwise.
 
troy
Member
Topic Author
Posts: 320
Joined: Thu Jun 30, 2005 6:47 pm

Re: Bridge Filters - Allow VLAN, Block IP

Tue May 17, 2011 11:46 pm

Ok, I have a /30 on the wireless
VPLS on the /30
Bridge between ether1 and vpls1

Damned ugly way to do it, but it works!

IP traffic is being routed with no more redirects. YAY!
VLAN traffic is being bridged over the VPLS tunnel. YAY!
Layer3 broadcast traffic is also bridged over VPLS. BOO!

Now, I'm the sort of guy who loves to play with things, and normally, I'm not afraid to break things. However, I've already killed 2 routers attempting to figure this out, and I'm not sure I want to risk another until I get some feedback.

How, specifically, do I keep the crap off the bridge? A filter to block all IP traffic scares the crap out of me because ROS behaves as if the IP is bound to the bridge, and not to the physical interface. Behold:
[admin@some_dumb_router] > /ip ad pr
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                   
 0   aaa.bb.cc.29/32    aaa.bb.cc.29    lo0                                                         
 1   aaa.bb.cc.218/30   aaa.bb.cc.216   backhaul                                                    
 2   aaa.bb.cc.177/28   aaa.bb.cc.176   ether1                                                      
[admin@some_dumb_router] > /ip arp pr
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic 
 #   ADDRESS         MAC-ADDRESS       INTERFACE                                                    
 0 D aaa.bb.cc.180   00:XX:XX:XX:XX:74 bridge1                                                      
 1 D aaa.bb.cc.179   00:XX:XX:XX:XX:56 bridge1                                                      
 2 D aaa.bb.cc.217   00:XX:XX:XX:XX:E9 backhaul                                                     
 3 D aaa.bb.cc.178   00:XX:XX:XX:XX:41 bridge1                                                      

If I block non-vlan traffic, won't that prevent packets from getting to the IP, which ROS treats as being on the bridge rather than on the physical interface?
 
blake
Member
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: Bridge Filters - Allow VLAN, Block IP

Wed May 18, 2011 1:03 am

Unfortunately I haven't found a way to keep broadcast off of a VPLS tunnel. I guess it wouldn't be broadcast if it couldn't go everywhere on a single layer 2 domain.

If you don't want broadcasts on a backhaul, route.
 
camlost
just joined
Posts: 9
Joined: Tue Feb 17, 2009 4:50 pm

Re: Bridge Filters - Allow VLAN, Block IP

Fri Sep 09, 2011 3:30 pm

Hello!
I need some help in filtering traffic on bridges.

We have a bridge between the ether1 and wds1 interfaces and 3 VLANs passing through the bridge (for example vlan id 2, 3 and 4).

I want to allow all traffic in vlan 2 and 3, but drop non-pppoe traffic (ip, dhcp, arp, netbios and others) in vlan 4.

my config
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes      

/interface bridge filter
add action=accept chain=forward disabled=no mac-protocol=vlan vlan-encap=pppoe-discovery vlan-id=4
add action=accept chain=forward disabled=no mac-protocol=vlan vlan-encap=pppoe vlan-id=4
add action=drop chain=forward disabled=no mac-protocol=vlan vlan-id=4
But this filter doesn't work, the counters of these rules don't grow and all traffic continues to pass through the bridge.

Can anyone tell me where my mistake is?
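The two rule sets in this thread (troy's accept-VLAN/drop-everything-else pair and camlost's vlan 4 PPPoE-only set) both rely on how the bridge filter walks its chains, so here is a small added model that feeds the exact `add ...` lines from both posts through first-match evaluation. This is a constructed Python illustration, not RouterOS code and not something either poster wrote. It encodes two documented properties of the RouterOS bridge filter: rules in a chain are tried top to bottom and the first match decides, with an unmatched frame accepted; and a frame entering a bridge port traverses the `input` chain for the copy delivered to the bridge interface itself (the router's own IP that troy sees bound to `bridge1`) and the `forward` chain only for copies bridged on to other ports, so a broadcast takes both paths. The `Frame` fields, the vlan-id 10 used for troy's tagged frame and the frame names are all assumptions made for the example; `use-ip-firewall` (which additionally passes bridged IP traffic through `/ip firewall`) is not modeled, and the model does not explain why camlost's counters stay at zero, it only shows what those rules would do if they matched.

```python
"""Toy model of RouterOS-style bridge filter evaluation (constructed example,
not MikroTik code). Encodes: first match within a chain wins, default accept;
a frame entering a bridge port takes the 'input' chain for the copy delivered
to the bridge interface itself and the 'forward' chain for copies bridged to
other ports (a broadcast takes both). use-ip-firewall is not modeled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Frame:
    """A simplified Ethernet frame as the bridge filter sees it (assumed fields)."""
    in_port: str
    mac_protocol: str                 # "ip", "arp", "vlan", ...
    vlan_id: Optional[int] = None     # only meaningful when mac_protocol == "vlan"
    vlan_encap: Optional[str] = None  # protocol carried inside the 802.1Q tag
    to_self: bool = False             # a copy is delivered to the bridge interface
    to_ports: bool = True             # a copy is bridged on to other ports

    def chains(self) -> List[str]:
        """Chains this frame traverses, one per delivery path."""
        return (["input"] if self.to_self else []) + (["forward"] if self.to_ports else [])


@dataclass
class Rule:
    chain: str
    action: str
    mac_protocol: Optional[str] = None
    vlan_id: Optional[int] = None
    vlan_encap: Optional[str] = None

    def matches(self, frame: Frame) -> bool:
        """Every matcher that is set on the rule must agree with the frame."""
        return ((self.mac_protocol is None or self.mac_protocol == frame.mac_protocol)
                and (self.vlan_id is None or self.vlan_id == frame.vlan_id)
                and (self.vlan_encap is None or self.vlan_encap == frame.vlan_encap))


def parse_rule(line: str) -> Rule:
    """Turn one '/interface bridge filter' 'add ...' line into a Rule."""
    tokens = line.split()
    if tokens[0] != "add":
        raise ValueError(f"not a bridge filter add line: {line!r}")
    kv = dict(tok.split("=", 1) for tok in tokens[1:])   # disabled=no etc. are ignored
    return Rule(
        chain=kv["chain"],
        action=kv["action"],
        mac_protocol=kv.get("mac-protocol"),
        vlan_id=int(kv["vlan-id"]) if "vlan-id" in kv else None,
        vlan_encap=kv.get("vlan-encap"),
    )


def evaluate(rules: List[Rule], frame: Frame) -> Dict[str, str]:
    """Verdict per chain the frame traverses: first matching rule wins, default accept."""
    verdicts = {}
    for chain in frame.chains():
        verdicts[chain] = "accept"
        for rule in rules:
            if rule.chain == chain and rule.matches(frame):
                verdicts[chain] = rule.action
                break
    return verdicts


# The rule sets exactly as posted in the thread.
TROY_RULES = [parse_rule(l) for l in (
    "add action=accept chain=forward mac-protocol=vlan",
    "add action=drop chain=forward",
)]
CAMLOST_RULES = [parse_rule(l) for l in (
    "add action=accept chain=forward disabled=no mac-protocol=vlan vlan-encap=pppoe-discovery vlan-id=4",
    "add action=accept chain=forward disabled=no mac-protocol=vlan vlan-encap=pppoe vlan-id=4",
    "add action=drop chain=forward disabled=no mac-protocol=vlan vlan-id=4",
)]


def troy_decisions() -> Dict[str, Dict[str, str]]:
    """Constructed frames for the ether1/vpls1 bridge in troy's posts (vlan 10 is made up)."""
    frames = {
        "tagged frame bridged ether1->vpls1": Frame("ether1", "vlan", vlan_id=10, vlan_encap="ip"),
        "untagged ARP broadcast from ether1": Frame("ether1", "arp", to_self=True, to_ports=True),
        "untagged unicast IP to the router's own address": Frame("ether1", "ip", to_self=True, to_ports=False),
        "untagged unicast IP bridged ether1->vpls1": Frame("ether1", "ip"),
    }
    return {name: evaluate(TROY_RULES, f) for name, f in frames.items()}


def camlost_decisions() -> Dict[str, Dict[str, str]]:
    """Constructed tagged frames bridged between ether1 and wds1."""
    frames = {
        "vlan 4 PPPoE discovery": Frame("ether1", "vlan", vlan_id=4, vlan_encap="pppoe-discovery"),
        "vlan 4 PPPoE session": Frame("ether1", "vlan", vlan_id=4, vlan_encap="pppoe"),
        "vlan 4 ARP": Frame("ether1", "vlan", vlan_id=4, vlan_encap="arp"),
        "vlan 4 IP": Frame("ether1", "vlan", vlan_id=4, vlan_encap="ip"),
        "vlan 2 IP": Frame("ether1", "vlan", vlan_id=2, vlan_encap="ip"),
    }
    return {name: evaluate(CAMLOST_RULES, f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in {**troy_decisions(), **camlost_decisions()}.items():
        print(f"{name:50s} {verdict}")
```

Run as-is, the model shows the point behind troy's worry about the IP being "bound to the bridge": an untagged ARP broadcast arriving on ether1 is dropped in `forward` (it is not flooded to vpls1) but still accepted in `input`, so the router itself keeps answering ARP and receiving routed traffic on its bridge-bound address. For camlost's set it confirms the intended order: PPPoE discovery and session frames on vlan 4 hit the two accept rules, anything else on vlan 4 falls to the drop rule, and vlan 2 and 3 frames match nothing and pass by default.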
