Bridge filter blocking NAS SMB

Hi

A client of mine has an RB750GL (6.29.1)
Uplinks are on ports 1 and 5
Ports 2, 3 and 4 are bridged:
ether2 Synology NAS (DS211)
ether3 LAN
ether4 VPN router (SDSL)

Unfortunately, for now, the VPN router is on the same subnet as the LAN

I want to protect the VPN link traffic and avoid unnecessary noise so I enabled, on Saturday evening, the bridge firewall and created a filter to block forwarding all traffic to the VPN router unless it is destined for the remote PMS server

[RB750GL] > interface bridge filter pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop out-interface=ether4 - Op\E9ra mac-protocol=ip
dst-address=!192.168.1.21/32 log=no log-prefix=""

This morning the users called me because they can’t access their shares on the NAS

They can ping the NAS, they can even access the NAS WEB console but they can’t communicate via SMB with the NAS

SMB shares with other devices on the network e.g. other Windows workstations and servers work fine

I disabled the firewall on the bridge and all is back to normal

Why is the bridge filter blocking SMB communications on the LAN, i.e. between port 2 and port 3?

thanks
yann

You applied your drop rule on ether4 which is part of the bridge, so I think your rule is finally applied to the whole bridge, blocking all traffic to your NAS. All rules should be applied on the bridge itself, not the ports.
I’m afraid the only clean solution is to separate networks.

Thanks for your answer

If what you say is correct, why would one be able to select an individual out-interface?

Why are other SMB shares operational?

Everything else works fine for that matter

Just the Synology NAS SMB is blocked!

Probably because RouterOS is very rich and flexible, and some other functionality than IP firewall is using it.