Hi all,
I played around with switch rule ACLs and 802.1X and found that I can't get the ACLs working properly.
My dynamic rules:
/interface ethernet switch rule> print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; dot1x dynamic
     switch=switch1 ports=ether26
     src-mac-address=00:24:54:XX:XX:XX/FF:FF:FF:FF:FF:FF mac-protocol=ipv6
     copy-to-cpu=no redirect-to-cpu=no mirror=no
 1 D ;;; dot1x dynamic
     switch=switch1 ports=ether26
     src-mac-address=00:24:54:XX:XX:XX/FF:FF:FF:FF:FF:FF mac-protocol=ip
     dst-address=10.0.0.0/8 copy-to-cpu=no redirect-to-cpu=no mirror=no
 2 D ;;; dot1x dynamic
     switch=switch1 ports=ether26
     src-mac-address=00:24:54:XX:XX:XX/FF:FF:FF:FF:FF:FF copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=""
If I understand this correctly, I shouldn't be able to ping 8.8.8.8, but it works.
Then I tried static rules:
/interface ethernet switch rule> print
Flags: X - disabled, I - invalid, D - dynamic
 0 X switch=switch1 ports=ether26 copy-to-cpu=no redirect-to-cpu=no mirror=no
     new-dst-ports=""
 1   switch=switch1 ports=ether26 mac-protocol=ip copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=""
With rule 0 disabled and only rule 1 active, all IPv4 traffic should be blocked, but it isn't. Rule 0 works and blocks everything.
I also tried swapping the bytes (0x0800 → 0x0008), but without success (as mentioned here: http://forum.mikrotik.com/t/acl-firewall-problem-missing-l2-ethertype/140860/18).
This is on a CRS-354-48G-4S+2Q+ with RouterOS 6.47.2.
What could be wrong?
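To make the expected behaviour of the two rule sets above explicit, here is a small model of first-match ACL evaluation. This is an added example, not code from the original post or from MikroTik; it assumes that switch rules are evaluated top-down with the first match ending processing, that a matching rule with new-dst-ports="" drops the frame, and that a matching rule with no action passes the frame. The rule text embedded in the script is the post's print output with the masked MAC replaced by the constructed value 00:24:54:AA:BB:CC, and the test frames (a ping to 8.8.8.8, one to 10.1.2.3, and an IPv6 frame from the same client) are constructed as well.

```python
# Added example (not from the forum post or from MikroTik): a model of how a
# CRS3xx switch-rule ACL should evaluate a frame under first-match semantics,
# used to predict the verdict for the dynamic and static rule sets in the post.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ETHERTYPE = {"ip": 0x0800, "arp": 0x0806, "ipv6": 0x86DD}

# The post's print output; the masked MAC is replaced by a constructed one.
DYNAMIC_RULES = """\
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; dot1x dynamic
     switch=switch1 ports=ether26
     src-mac-address=00:24:54:AA:BB:CC/FF:FF:FF:FF:FF:FF mac-protocol=ipv6
     copy-to-cpu=no redirect-to-cpu=no mirror=no
 1 D ;;; dot1x dynamic
     switch=switch1 ports=ether26
     src-mac-address=00:24:54:AA:BB:CC/FF:FF:FF:FF:FF:FF mac-protocol=ip
     dst-address=10.0.0.0/8 copy-to-cpu=no redirect-to-cpu=no mirror=no
 2 D ;;; dot1x dynamic
     switch=switch1 ports=ether26
     src-mac-address=00:24:54:AA:BB:CC/FF:FF:FF:FF:FF:FF copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=""
"""
STATIC_RULES = """\
 0 X switch=switch1 ports=ether26 copy-to-cpu=no redirect-to-cpu=no mirror=no
     new-dst-ports=""
 1   switch=switch1 ports=ether26 mac-protocol=ip copy-to-cpu=no
     redirect-to-cpu=no mirror=no new-dst-ports=""
"""


@dataclass
class Rule:
    index: int
    disabled: bool
    ports: frozenset
    src_mac: Optional[tuple] = None             # (mac, mask) as integers
    mac_protocol: Optional[int] = None          # EtherType; None matches any
    dst_address: Optional[ipaddress.IPv4Network] = None
    drop: bool = False                          # new-dst-ports="" means drop


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def parse_rules(text):
    """Parse '/interface ethernet switch rule print' output into Rule objects."""
    blocks = []
    for line in text.splitlines():
        if re.match(r"^\s*\d+\s", line):        # a rule starts with its index
            blocks.append([])
        if blocks:                              # continuation lines belong to it
            blocks[-1].append(line)
    rules = []
    for block in blocks:
        toks = " ".join(block).split()
        index, flags = int(toks.pop(0)), ""
        while toks and toks[0] in ("X", "I", "D"):
            flags += toks.pop(0)
        if toks and toks[0] == ";;;":           # comment runs up to the first key=value
            toks = toks[next((i for i, t in enumerate(toks) if "=" in t), len(toks)):]
        kv = dict(t.split("=", 1) for t in toks)
        src = kv.get("src-mac-address", "")
        mac, _, mask = src.partition("/")
        proto, dst = kv.get("mac-protocol"), kv.get("dst-address")
        rules.append(Rule(
            index, "X" in flags, frozenset(kv["ports"].split(",")),
            (_mac_int(mac), _mac_int(mask or "FF:FF:FF:FF:FF:FF")) if src else None,
            None if proto is None else ETHERTYPE.get(proto) or int(proto, 0),
            ipaddress.ip_network(dst, strict=False) if dst else None,
            kv.get("new-dst-ports") in ('""', "")))
    return rules


def frame(src_mac, ethertype, dst_ip=None, port="ether26"):
    """A constructed frame as the switch sees it on the 802.1X port."""
    return {"port": port, "src_mac": src_mac, "ethertype": ETHERTYPE[ethertype], "dst_ip": dst_ip}


def matches(rule, f):
    if rule.disabled or f["port"] not in rule.ports:
        return False
    if rule.src_mac is not None and (_mac_int(f["src_mac"]) & rule.src_mac[1]) != (rule.src_mac[0] & rule.src_mac[1]):
        return False
    if rule.mac_protocol is not None and f["ethertype"] != rule.mac_protocol:
        return False
    if rule.dst_address is not None and (f["ethertype"] != ETHERTYPE["ip"] or f["dst_ip"] is None
                                         or ipaddress.ip_address(f["dst_ip"]) not in rule.dst_address):
        return False
    return True


def evaluate(rules, f):
    """Return (rule index, verdict) of the first match; no match means normal forwarding."""
    for rule in rules:
        if matches(rule, f):
            return rule.index, ("drop" if rule.drop else "forward")
    return None, "forward"


if __name__ == "__main__":
    client = "00:24:54:AA:BB:CC"
    for name, text in (("dynamic", DYNAMIC_RULES), ("static", STATIC_RULES)):
        rules = parse_rules(text)
        for f in (frame(client, "ip", "8.8.8.8"), frame(client, "ip", "10.1.2.3"), frame(client, "ipv6")):
            print(name, hex(f["ethertype"]), f["dst_ip"], "->", evaluate(rules, f))
```

Under these assumptions the model predicts that the dynamic set drops the ping to 8.8.8.8 at rule 2 and passes 10.1.2.3 at rule 1, and that the static set drops all IPv4 at rule 1 while IPv6 falls through to normal forwarding. The point of the model is to have the expected verdicts written down so that what the switch actually does with each test frame can be compared against them rule by rule.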