I have newly bought one MikroTik CRS317-1G-16S+ and one CRS326-24G-2S+RM.
Everything is working fine so far. Great devices! But I have one problem:
Basically I want to assign some IP addresses to specific ports / bind them to MAC addresses. I know the best way would be to use VLANs, but for inter-VLAN connectivity I need a router, and the router is provided by the datacenter.
I know that on a simple Layer-2 switch (like in my case) the IP firewall rules do not work correctly (only by passing the traffic to the CPU, which means a very high CPU load in high-traffic scenarios). So I wanted to implement bridge filters, because they operate on Layer 2: https://mum.mikrotik.com/presentations/EU18/presentation_5164_1523428784.pdf
All of my ports are currently in the default bridge “bridge”. But I have the problem that even very simple bridge filters like this are not working:
[admin@MikroTik] /interface bridge filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop in-interface=ether23 log=no log-prefix=""
I see zero traffic on this filter. In the end, I would like to create a filter like this to bind a MAC to a specific IP:
[admin@MikroTik] /interface bridge filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=accept src-mac-address=12:34:56:78:AB:CE/FF:FF:FF:FF:FF:FF mac-protocol=ip src-address=10.10.10.123/32 log=no log-prefix=""
On both of these filters I do not see any traffic.
I would be very grateful if anyone could tell me what I am doing wrong.
I am very new to MikroTik devices, so please be patient with me.
If you are using hardware offload, the bridge filters will not see packets forwarded between ports, as those are handled within the switch chip; look at switch ACLs.
Okay, I have found it out. I needed to create a rule to block everything (I selected “Set new dst. port = switch1 cpu”) and needed to create another rule with higher priority to accept certain IP / MAC combinations.
Okay, problem not completely solved.
The connection works for around 1 minute, but after that time no connection is possible anymore.
Then I first need to disable the “blocking” rule and enable it again. Then the connection works again for around 1 minute, but then again no connection is possible from that port with that MAC and IP.
Here is a picture of these two rules:
Do you have any idea why it’s not working anymore after a certain time? Is this a bug?
Sorry for my little “spam”, but now it’s working and I want to document it in case anyone has the same problem in the future.
I’ve found out that when I set the field “MAC protocol” to “ip”, the problem with the connection ending after 1 minute persists.
As soon as I removed this field from the rule, the rule worked fine (source IP still set).
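For anyone reproducing this from the CLI rather than WinBox, here is the complete switch-chip ACL as an added example; it is not configuration posted in the thread, and it differs from the poster's in two deliberate ways. First, the catch-all rule drops in hardware (empty new-dst-ports) instead of redirecting to the CPU. Second, it keeps mac-protocol=ip on the IP rule and adds a separate ARP rule above it. The thread does not say why mac-protocol=ip broke connectivity after about a minute, but a plausible explanation is that mac-protocol=ip matches only Ethertype 0x0800, so the host's ARP frames (0x0806) fell through to the blocking rule once the neighbours' ARP caches expired; the extra ARP rule avoids that while keeping the ethertype restriction explicit. The switch name switch1, the port ether23 and the MAC/IP pair are taken from the thread; RouterOS 6.41 or later on a CRS3xx is assumed, since that is where the bridge hw-offload flag and these switch rules apply.

```routeros
# Added example, not from the thread. Assumes CRS3xx, RouterOS >= 6.41,
# switch chip "switch1", host 12:34:56:78:AB:CE / 10.10.10.123 on ether23.

# 1. Confirm the port is hardware-offloaded (flag H in the output). If it is,
#    /interface bridge filter never sees port-to-port frames, so the binding
#    has to be enforced in the switch chip.
/interface bridge port print where interface=ether23

# 2. Switch rules are evaluated top-down and the first match wins, so the
#    accept rules must sit above the catch-all drop.
/interface ethernet switch rule
# ARP (Ethertype 0x0806) from the bound MAC. mac-protocol=ip would not match
# these frames, and without ARP the host loses connectivity once caches age out.
add switch=switch1 ports=ether23 mac-protocol=arp \
    src-mac-address=12:34:56:78:AB:CE/FF:FF:FF:FF:FF:FF \
    comment="allow ARP from bound MAC"
# IPv4 (Ethertype 0x0800) only when both the source MAC and source IP match.
add switch=switch1 ports=ether23 mac-protocol=ip \
    src-mac-address=12:34:56:78:AB:CE/FF:FF:FF:FF:FF:FF \
    src-address=10.10.10.123/32 \
    comment="allow bound MAC/IP"
# Everything else entering ether23 (other MACs, spoofed IPs, IPv6, ...) is
# dropped in hardware: an empty new-dst-ports means "forward to no port".
add switch=switch1 ports=ether23 new-dst-ports="" \
    comment="drop all other ingress on ether23"

# 3. Check that the rules were created in this order before trusting them.
/interface ethernet switch rule print where ports=ether23
```

If the poster's original WinBox approach is preferred (new dst. port = switch1-cpu on the blocking rule), the ordering requirement is the same: the accept rules must be listed before it. Dropping in hardware is the safer default here, because redirecting unmatched frames to the CPU reintroduces exactly the CPU-load concern the thread started with.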