Block traffic between bridges

Hi,

I have added three bridges on my RB951G-2HnD.
Now I want no traffic between these bridges.
How can I do this?
And is it also possible to make an exception for communication TO one IP address on a bridge?
That is my DNS server.

I think you could match the bridge and the interfaces that shouldn’t be allowed in bridge filters and drop the traffic at the layer two bridge level.

If you cannot then you can drop the traffic in ip firewall. Match the traffic that is coming from one bridge going to the other and drop.

Something like this below?
But how to make the exception?

Enable firewall between bridges

#/ip firewall address-list add list=local-networks address=192.9.201.0/24 disabled=no
#/ip firewall address-list add list=local-networks address=192.9.202.0/24 disabled=no
#/ip firewall address-list add list=local-networks address=192.9.203.0/24 disabled=no
#/ip firewall filter add chain=forward src-address-list=local-networks dst-address-list=local-networks action=drop

That should work.

How I generally do this kind of thing in a production environment is I create the rule but have the action be to add an IP to a list… that way I can ensure that I am matching the traffic I want and only the traffic I want to match.

Something like:
/ip firewall filter add chain=forward in-interface=ether3 src-address=!192.168.3.0/24 src-address-list=local-networks action=add-src-to-address-list address-list=trafficTo3NetFromOtherNet

The above would assume that 192.168.3.0/24 traffic belonged on ether3 and any other traffic from local subnets would be added to an address list for my inspection. After determining that I did in fact want to block all of that traffic and that my matching rules were how I wanted them, I would change the action to drop.

You may also be able to do this in the bridge interface like:
/interface bridge filter add in-bridge=bridge1 out-interface=ether3 action=drop

but again begin with an action like passthrough or something to see how much traffic this will match… and safemode is helpful so that you don’t block yourself out.

Thanks for your answer.
But how do I make the exception?
(in code please.)
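
One way to write the exception asked about above, as an added example that is not from any poster in this thread: RouterOS checks forward rules top to bottom and stops at the first match, so the accept rules have to sit above the inter-bridge block rule. The DNS server address 192.9.201.10 is a placeholder (the thread never gives it), limiting the exception to port 53 is an assumption, and the comments used as rule labels are made up for this example.

```routeros
# Added example. 192.9.201.10 is a PLACEHOLDER for the DNS server address.
/ip firewall address-list
add list=local-networks address=192.9.201.0/24
add list=local-networks address=192.9.202.0/24
add list=local-networks address=192.9.203.0/24

/ip firewall filter
# 1. Return traffic. The DNS server's answers have a local source AND a local
#    destination, so without these two rules the block rule would eat them.
add chain=forward connection-state=established action=accept comment="allow replies"
add chain=forward connection-state=related action=accept comment="allow related"

# 2. The exception: every local network may reach the DNS server on port 53 only.
add chain=forward src-address-list=local-networks dst-address=192.9.201.10 \
    protocol=udp dst-port=53 action=accept comment="DNS exception udp"
add chain=forward src-address-list=local-networks dst-address=192.9.201.10 \
    protocol=tcp dst-port=53 action=accept comment="DNS exception tcp"

# 3. Everything else between the local networks. Starts as log (dry run), as
#    suggested earlier in the thread, so the match can be checked before it drops.
add chain=forward src-address-list=local-networks dst-address-list=local-networks \
    action=log log-prefix="inter-bridge" comment="inter-bridge block"

# Inspect counters and the log, then switch the last rule to drop:
/ip firewall filter print stats where chain=forward
/ip firewall filter set [find comment="inter-bridge block"] action=drop
```

Connections between the bridges that were already established before the rule is switched to drop keep working until they close, because rule 1 still accepts them.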