Added switch for more ports but LAN traffic not going through hAPac2?

I have added a switch to my hAPac2 to get more ports and I have several firewall rules that allow/deny certain devices on my LAN.

I can copy a 1GB file between machines connected to the switch but none of this 1GB of traffic appears in any firewall rules. If I connect directly to the Mikrotik the rules seem to work as expected. The devices connected to the switch pick up DHCP leases from the Mikrotik.

The switch is just a bog standard Netgear.

Is this as expected?

Thanks

Yes. Traffic between hosts in the same IP subnet that are on the same switch will not leave the switch they are on, so it will never reach your hAP. If you want to force the traffic to do so, put them in different subnets, so the hAP has to get involved as a router.

Of course it is expected, and of course the traffic will reach the hAP ac2 (if the communication is between a host on the hAP and a host on the second switch).
But since this is Layer 2 (OSI model) communication, it does not pass through the firewall!!!
Hosts in the same subnet always communicate at Layer 2.
So when a host, e.g. a computer connected to your hAP, and a second computer connected to your second switch want to communicate, they do it at Layer 2, meaning through MAC addresses.
So when Host A wants to reach Host B with IP address 192.168.1.11 connected to your second switch (in case they do not already know each other), Host A sends a broadcast message asking who has the address 192.168.1.11. When Host B gets the message, it will reply to Host A's MAC address saying "I have the address 192.168.1.11 and my MAC address is aa:aa:aa:aa:aa:aa".
So now that they both know each other's MAC address, they communicate through them using Ethernet frames.
That is the process in simple words. For more details you can find a lot of information around the internet.
In case you want to catch Layer 2 traffic you can use Bridge firewall.

Thanks for the replies very useful.

Just want to check that if I have two devices connected directly to the hAPac2 (no switch involved) the firewall filter rules should be able to drop traffic between these two devices?

I have forward rules that seem to do this fine, but I want to ensure that there isn't something I am not considering, especially with the comment regarding MAC addresses and Ethernet frames, and that the rules look like they are working when they actually are not.

For example, to stop 192.168.88.10 from talking to anything on the LAN and to stop anything talking over the LAN to 192.168.88.10 I use these two rules:

/ip firewall filter add action=drop chain=forward in-interface-list=lan out-interface-list=lan src-address=192.168.88.10

/ip firewall filter add action=drop chain=forward in-interface-list=lan out-interface-list=lan dst-address=192.168.88.10

Just want to check that if I have two devices connected directly to the hAPac2 (no switch involved) the firewall filter rules should be able to drop traffic between these two devices?

A switch is involved. All the ports inside the bridge of your hAP ac2 talk at Layer 2.
A Bridge is a switch!

Please read again my earlier post.
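
As an added illustration of the point made in these replies (example code written for this thread, not RouterOS code and not the poster's configuration): a small Python model that encodes the two drop rules posted above and checks, for a few constructed flows, whether the IP forward chain is consulted at all. It assumes the simplification described in the replies: a flow only reaches the IP firewall when source and destination are in different subnets and the hAP has to route it; the interface list name "lan", the peer addresses 192.168.88.20/.30 and the second subnet 192.168.89.0/24 are constructed.

```python
"""Model of when a RouterOS IP firewall 'forward' rule sees a LAN flow.

Simplification (assumption): a flow only enters the IP forward chain
when source and destination lie in different IP subnets, i.e. when the
hAP has to route it; same-subnet flows stay at Layer 2 (switched or
bridged) and never reach /ip firewall filter. Not RouterOS code.
"""
from ipaddress import ip_address, ip_network

# The two drop rules posted in the thread, written as dicts. The
# interface list is assumed to be named "lan" as in the post.
RULES = [
    {"action": "drop", "chain": "forward", "in-interface-list": "lan",
     "out-interface-list": "lan", "src-address": "192.168.88.10"},
    {"action": "drop", "chain": "forward", "in-interface-list": "lan",
     "out-interface-list": "lan", "dst-address": "192.168.88.10"},
]

def is_routed(src, dst, subnets):
    """True when src and dst are in different subnets (hAP must route)."""
    def net_of(ip):
        return next(n for n in subnets if ip_address(ip) in ip_network(n))
    return net_of(src) != net_of(dst)

def rule_matches(rule, src, dst, in_list, out_list):
    """A rule matches when every matcher it sets agrees with the flow."""
    flow = {"in-interface-list": in_list, "out-interface-list": out_list,
            "src-address": src, "dst-address": dst}
    return all(rule.get(k) in (None, v) for k, v in flow.items())

def verdict(src, dst, subnets, in_list="lan", out_list="lan"):
    """'switched' if the forward chain is never consulted; otherwise the
    action of the first matching rule, or 'accept' when none matches."""
    if not is_routed(src, dst, subnets):
        return "switched"  # Layer 2 path: the IP firewall is not involved
    for rule in RULES:
        if rule["chain"] == "forward" and rule_matches(rule, src, dst, in_list, out_list):
            return rule["action"]
    return "accept"

if __name__ == "__main__":
    one_lan = ["192.168.88.0/24"]                       # constructed
    two_lans = ["192.168.88.0/24", "192.168.89.0/24"]   # constructed
    # Same /24: the rule is never consulted even though its matchers fit.
    print(verdict("192.168.88.10", "192.168.88.20", one_lan))   # switched
    # Move the peer to another subnet: the hAP routes, and the rule drops.
    print(verdict("192.168.88.10", "192.168.89.20", two_lans))  # drop
    print(verdict("192.168.89.20", "192.168.88.10", two_lans))  # drop
    print(verdict("192.168.89.20", "192.168.88.30", two_lans))  # accept
```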