Block traffic from switch

Hi,
I would like to find the answer to a phenomenon: I have an AC2 router with a switch connected to it, and from this switch 400 Mbps of traffic is coming back to the MikroTik router. How can I block this traffic completely, so that nothing comes back from the switch?

The switch is connected to the eth3 port of the MikroTik router, and the basic bridge is assigned.
No matter what I try, I can't block the incoming RX traffic on the eth3 port; I have tried filter rules and bridge filters.

Does anyone have any ideas? I would really appreciate it.

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 5    chain=input action=accept protocol=tcp src-address=xx.xx.xx.xx dst-port=8291 log=no log-prefix="" 

 6    chain=input action=accept protocol=tcp src-address=xx.xx.xx.xx  dst-port=8291 log=no log-prefix="" 

 7    chain=input action=accept protocol=tcp src-address=xx.xx.xx.xx  dst-port=8291 log=no log-prefix="" 

 8    chain=input action=accept protocol=tcp src-address=xx.xx.xx.xx  dst-port=8291 log=no log-prefix="" 

 9    chain=input action=accept protocol=tcp src-address=xx.xx.xx.xx  dst-port=8291 log=no log-prefix="" 

10    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

11    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

12    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

13    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 

14    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

15    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

16    chain=forward action=drop src-address=10.10.10.10 in-interface-list=LAN log=no log-prefix="" 

17    chain=forward action=drop src-address=10.10.80.60 in-interface-list=LAN log=no log-prefix="" 

18    chain=forward action=drop src-address=16.16.16.16 in-interface-list=LAN log=no log-prefix="" 

19    chain=forward action=drop src-address=192.168.2.0/24 in-interface-list=LAN log=no log-prefix="" 

20    chain=forward action=drop src-address=192.168.3.0/24 in-interface-list=LAN log=no log-prefix="" 

21    chain=forward action=drop src-address=192.168.20.0/24 in-interface-list=LAN log=no log-prefix="" 

22    chain=forward action=drop src-address=192.168.88.0/24 in-interface-list=LAN log=no log-prefix="" 

23    chain=forward action=drop src-address=192.168.100.0/24 in-interface-list=LAN log=no log-prefix="" 

24    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 

25    chain=output action=drop dst-address=xx.xx.xx.xx  out-interface=ether1 log=no log-prefix=""

Removing the Ethernet cable from ether3 solved it…

Wonderful comment, thank you, but there is a reason why the switch is connected. I need to pass something from the router to the switch, but I need to prevent a lot of data from going backwards.

There is no way to block incoming traffic from a switch. You can filter it and decide what to let pass to the rest of the network. Nothing more.
This traffic is like a crowd waiting to enter a venue. You can let in only the validated ones, but you cannot stop the new ones from clogging the gates trying to get in without tickets :)
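The filtering the reply describes, as an added example that is not from the thread: frames arriving from ether3 are dropped at the bridge (layer 2) or in the raw table (layer 3), so they reach neither the other bridge ports nor the router's connection tracking. It assumes the default bridge is named `bridge` and the switch hangs off `ether3`; the ether3 RX counter still shows the traffic, because a drop happens only after the frame has already been received.

```routeros
# Added example, not from the thread. Assumes the bridge is "bridge" and the
# switch is on "ether3"; adjust both names to your setup.

# Layer 2: drop frames from ether3 before they are flooded to the other bridge
# ports (chain=forward) or handed to the router's own CPU (chain=input).
# Note: the input rule also drops ARP/DHCP from that side, and adding bridge
# filter rules turns off hardware offload for the bridge on most switch chips.
/interface bridge filter
add chain=forward in-interface=ether3 action=drop comment="no L2 forwarding from switch"
add chain=input in-interface=ether3 action=drop comment="no frames from switch to router"

# Layer 3 alternative (the "prerouting" approach mentioned later in the thread):
# bridged ports are only visible to the IP firewall with use-ip-firewall=yes,
# and the physical port is then matched with in-bridge-port, not in-interface.
/interface bridge settings set use-ip-firewall=yes
/ip firewall raw
add chain=prerouting in-bridge-port=ether3 action=drop comment="drop IP from switch before conntrack"

# Verify: the drop counters climb while ether3 RX keeps counting the 400 Mbps.
/interface bridge filter print stats
/ip firewall raw print stats
/interface monitor-traffic interface=ether3 once
```

Keep only the rule set that matches your goal: the raw rule cuts CPU load for IP traffic, while the bridge rules also stop non-IP frames from reaching the other ports.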

Thank you for your reply. It is clear. Then I guess there is no way to prevent traffic on the interface where the switch is connected; just filter what it needs and let that pass, but it will still show 400 Mbit of traffic on the interface. I tried prerouting; it solved the excessive CPU usage, but the traffic was still present on the interface.

Since then, by the way, the switch has been configured to not allow outbound traffic on that port.