Hi everyone.
I have a strange problem.
I have configured a bridge 10.10.0.0/24 and various VLANs (10.10.10.0/24, 10.20.10/24).
The bridge is connected via a trunk to a Cisco switch.
Strangely enough, I don’t see traffic from the 10.10.10.0/24 network passing through my router, so the IP Firewall Filter rules don’t work for me.
If I want to block traffic between two hosts on this network,
A 10.10.10.20
B 10.10.10.198
DROP IP filter rules do not work.
From all the other networks I have no problem (if connected to an access point).
IP firewall is already active in the bridge configuration.
Where can I check this? Using TORCH I don’t see traffic passing through the router
Thanks
If both device A and device B are connected to a VLAN-aware switch, no wonder the traffic between them never even hits the router: the switch passes it directly.
You need to configure port isolation on the switch then.
I had imagined that.
The problem is that the other VLANs work without problems.
Should it depend on a configuration on the interface of the Cisco switch then?
Many thanks
Well, then it looks like all you need is to find the place in the Cisco config where these two VLANs are configured differently.
Unfortunately, everything is the same.
Same configuration for the VLANs.
Only difference:
vlan 10 ARP: enabled
vlan 20 ARP: reply only
I tried to change it but the problem remains.
On VLAN 20 I can use the IP firewall filter without problems.
thanks
Guys, for 2 hosts in the same subnet no router is needed to have a connection: you are in an L2 connection and the router operates at L3. So you need to block this traffic on the switch, not in MikroTik. If rules work from one subnet to the other, MikroTik has done its job!
The traffic between 2 hosts in the same VLAN 20 can be blocked via MikroTik.
The traffic between 2 hosts in the same VLAN 10 cannot be blocked via MikroTik.
thanks
Disabled ARP on the switch could be the answer.
After disabling it for VLAN 10, did you reboot the switch or force it to flush the already learned MACs?
Hello.
ARP is configured on the MikroTik interface.
The Cisco switch is used only at L2 (tagged port) using a trunk port.
Well, there must be something in the Cisco switch that is configured differently for these two VLANs, that makes the switch send frames in VLAN 20 to MikroTik instead of sending them directly to the recipient.
And while you think things are “working” for VLAN 20 and not VLAN 10, actually it is the opposite: the correct default behaviour for the switch is the one seen in VLAN 10.
To keep it simple I mentioned only 2 VLANs.
Actually there are 8 VLANs in the network and they all work like VLAN 20.
Thanks
Anyway, the answer has to be in the Cisco config.
I checked everything in the Cisco configuration. Everything seems to be the same.
Do you have any suggestions?
Any PVLANs, or protected/isolated ports configured on the switch?
But that would explain the situation where two hosts in one VLAN CAN’T talk to each other, not the situation where they CAN but through MikroTik.
So there must be something else.
No, I didn’t set any port to protected.
I remind you that normally, to stop 2 hosts from communicating, I have to set a “drop” in the IP filter firewall.
I’m still talking about the Cisco switch.
There’s nothing strange in MikroTik’s bridge behaviour: if it gets frames from Cisco, it forwards them unless you intentionally forbid it by firewall; if it doesn’t get frames from Cisco, well, it does nothing.
I cleared the ARP cache on VLAN 10 on the Cisco switch.
Also, I disabled ip arp-proxy, with no success.
Could it possibly be that this was done for all VLANs except VLAN 10?
https://community.cisco.com/t5/metro/disable-mac-address-learning-per-vlan/td-p/698258
https://www.cisco.com/c/en/us/td/docs/wireless/mwr_2941_dc/software_config/guide/3_3/2941_33_Config_Guide/mac_lrn.pdf
Unfortunately not:
Switch#show mac address-table learning
VLAN Learning Status
1 yes
10 yes
20 yes
30 yes
40 yes
50 yes
60 yes
70 yes
80 yes
90 yes
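Two checks from this thread, written up as an added example (not code from the thread or from either vendor): a parser for the “show mac address-table learning” listing above that reports any VLAN where learning is off, and a small helper that says where a block between two hosts can actually be enforced. The listing below is constructed for the example, with one VLAN deliberately set to “no” so the check has something to report; the function names are my own.

```python
import ipaddress
import re

# Constructed sample modelled on the listing in the thread, not a capture from
# the poster's switch; VLAN 20 is set to "no" on purpose.
SAMPLE_LEARNING_OUTPUT = """\
Switch#show mac address-table learning
VLAN Learning Status
1 yes
10 yes
20 no
30 yes
"""


def parse_mac_learning(text):
    """Return {vlan_id: learning_enabled} from the learning-status listing."""
    status = {}
    for line in text.splitlines():
        # Only rows of the form "<vlan> yes|no" carry data; the prompt and the
        # column header are skipped by the pattern.
        m = re.match(r"^\s*(\d+)\s+(yes|no)\s*$", line, re.IGNORECASE)
        if m:
            status[int(m.group(1))] = m.group(2).lower() == "yes"
    return status


def vlans_without_learning(text):
    """VLANs where MAC learning is disabled, i.e. where the switch floods
    unicast frames (to the router's trunk among other ports)."""
    return sorted(v for v, on in parse_mac_learning(text).items() if not on)


def enforcement_point(src_ip, dst_ip, src_vlan, dst_vlan):
    """Where a drop between two hosts can take effect.

    Same VLAN and same subnet: the switch forwards the frame at L2 and the
    router's IP firewall never sees it, so the block belongs on the switch
    (protected/isolated port or PVLAN). Different subnet: the sender hands
    the packet to its gateway, so the router's filter chain applies.
    Same subnet but different VLANs is a misconfiguration; the hosts cannot
    reach each other at L2 and only a router doing proxy ARP would relay.
    """
    src = ipaddress.ip_interface(src_ip)
    dst = ipaddress.ip_interface(dst_ip)
    if src_vlan == dst_vlan and src.network == dst.network:
        return "switch"
    if src.network == dst.network:
        return "none (different VLANs, same subnet)"
    return "router"


if __name__ == "__main__":
    print("learning disabled on VLANs:", vlans_without_learning(SAMPLE_LEARNING_OUTPUT))
    # The two hosts from the original question, both in VLAN 10
    print("A<->B:", enforcement_point("10.10.10.20/24", "10.10.10.198/24", 10, 10))
    # A host in VLAN 10 talking to a host in VLAN 20
    print("VLAN10<->VLAN20:", enforcement_point("10.10.10.20/24", "10.10.20.5/24", 10, 20))
```

Run it against a real listing by pasting the output of “show mac address-table learning” into SAMPLE_LEARNING_OUTPUT: a VLAN reported by vlans_without_learning() is one where the switch floods rather than switches, which is the only way frames between two hosts in one VLAN would show up on the router's trunk at all.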
I have no guesses left then… Sorry.