Is it possible there is a bug in the bridge filter on this device and firmware? (I never used this device before so haven’t tried ROS6 but tried some versions of 7)
I’m trying to block PPPoE going through a bridge. It only works sporadically.
Fast path and fast forward are disabled as far as I can see, but there are still fp- packets showing in stats.
The numbers only increase randomly, very seldom.
[admin@hs42] > /sys resource/print
version: 7.16.1 (stable)
build-time: 2024-10-10 14:03:32
factory-software: 7.12
free-memory: 394.9MiB
total-memory: 512.0MiB
cpu: ARM
cpu-count: 2
cpu-frequency: 800MHz
cpu-load: 3%
free-hdd-space: 103.3MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 87
write-sect-total: 359426
bad-blocks: 0%
architecture-name: arm
board-name: L009UiGS
platform: MikroTik
[admin@hs42] > /int bridge/settings/print
use-ip-firewall: no
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
allow-fast-path: no
bridge-fast-path-active: no
bridge-fast-path-packets: 0
bridge-fast-path-bytes: 0
bridge-fast-forward-packets: 0
bridge-fast-forward-bytes: 0
[admin@hs42] > /int bridge/print
Flags: X - disabled, R - running
0 R ;;; defconf
name="br-bb" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto mac-address=xx:xx:xx:xx:xx:xx protocol-mode=rstp fast-forward=no
igmp-snooping=no auto-mac=no admin-mac=xx:xx:xx:xx:xx:xx ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
vlan-filtering=no dhcp-snooping=no port-cost-mode=short mvrp=no max-learned-entries=auto
[admin@hs42] > /int bridge/filter/print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop in-interface=ether3 mac-protocol=pppoe-discovery
1 chain=forward action=drop out-interface=ether3 mac-protocol=pppoe-discovery
2 chain=forward action=drop in-interface=ether3 mac-protocol=pppoe
3 chain=forward action=drop out-interface=ether3 mac-protocol=pppoe
[admin@hs42] > /int bridge/filter/print stats
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN ACTION BYTES PACKETS
0 forward drop 1104 24
1 forward drop 0 0
2 forward drop 0 0
3 forward drop 1965 7
[admin@hs42] > /int monitor-traffic ether3
name: ether3
rx-packets-per-second: 1 591
rx-bits-per-second: 2.0Mbps
fp-rx-packets-per-second: 8
fp-rx-bits-per-second: 11.2kbps
tx-packets-per-second: 2 603
tx-bits-per-second: 25.1Mbps
fp-tx-packets-per-second: 0
fp-tx-bits-per-second: 0bps
tx-queue-drops-per-second: 0
[admin@hs42] > /int bridge/filter/print stats
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN ACTION BYTES PACKETS
0 forward drop 1104 24
1 forward drop 0 0
2 forward drop 0 0
3 forward drop 1965 7
10 minutes later
[admin@hs42] > /int bridge/filter/print stats
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN ACTION BYTES PACKETS
0 forward drop 1104 24
1 forward drop 0 0
2 forward drop 0 0
3 forward drop 1965 7
If I add just a “catch all” it only captures bytes and a few packets while there is over 20Mbps going through the interface:
[admin@hs42] > /interface bridge filter add chain=forward in-interface=ether3 place-before=0
[admin@hs42] > /int monitor-traffic ether3
name: ether3
rx-packets-per-second: 1 206
rx-bits-per-second: 1321.0kbps
fp-rx-packets-per-second: 5
fp-rx-bits-per-second: 8.2kbps
tx-packets-per-second: 2 966
tx-bits-per-second: 29.2Mbps
fp-tx-packets-per-second: 0
fp-tx-bits-per-second: 0bps
tx-queue-drops-per-second: 0
[admin@hs42] > /int bridge/filter/print stats
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN ACTION BYTES PACKETS
0 forward 56709 216
1 forward drop 1196 26
2 forward drop 0 0
3 forward drop 0 0
4 forward drop 1965 7
[admin@hs42] > /int bridge/filter/print stats
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN ACTION BYTES PACKETS
0 forward 56853 218
1 forward drop 1196 26
2 forward drop 0 0
3 forward drop 0 0
4 forward drop 1965 7
[admin@hs42] > /int bridge/filter/print stats terse
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN ACTION BYTES PACKETS
0 forward 56997 220
1 forward drop 1196 26
2 forward drop 0 0
3 forward drop 0 0
4 forward drop 1965 7
[admin@hs42] > /int bridge/filter/print stats
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN ACTION BYTES PACKETS
0 forward 57316 223
1 forward drop 1196 26
2 forward drop 0 0
3 forward drop 0 0
4 forward drop 1965 7
There are also PPPoE sessions flowing through the interface with no problems.
Any idea how this is possible and what I missed?
Thanks
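An added example, not part of the original post: a Python script that parses two `print stats` snapshots and one `monitor-traffic` reading in the format shown above, then reports what share of ether3's received packets the catch-all rule counted. The 30-second interval between snapshots is an assumption, since the post does not state it, and the function names are hypothetical.

```python
import re

def parse_filter_stats(text):
    """Parse 'bridge filter print stats' rows into {rule: (action, bytes, packets)}."""
    rules = {}
    for line in text.splitlines():
        # ACTION is blank on the catch-all row, so that column is optional.
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(?:([a-z-]+)\s+)?(\d+)\s+(\d+)\s*$", line)
        if m:
            num, _chain, action, nbytes, pkts = m.groups()
            rules[int(num)] = (action or "(blank)", int(nbytes), int(pkts))
    return rules

def parse_rate(text, key):
    """Read a packets-per-second field; values are printed as '1 206' (space-grouped)."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*([\d ]+)$", text, re.M)
    if not m:
        raise ValueError(f"{key} not found")
    return int(m.group(1).replace(" ", ""))

def counter_deltas(before, after):
    """Packets each rule counted between two snapshots."""
    return {n: after[n][2] - before[n][2] for n in after if n in before}

def seen_fraction(delta_packets, pps, seconds):
    """Share of the interface's packets that a match-everything rule counted."""
    expected = pps * seconds
    return delta_packets / expected if expected else 0.0

# Rows copied from the post: first and last snapshot taken with the catch-all in place.
BEFORE = """# CHAIN ACTION BYTES PACKETS
0 forward 56709 216
1 forward drop 1196 26
2 forward drop 0 0
3 forward drop 0 0
4 forward drop 1965 7"""
AFTER = BEFORE.replace("56709 216", "57316 223")
MONITOR = "name: ether3\nrx-packets-per-second: 1 206\nfp-rx-packets-per-second: 5"
INTERVAL_S = 30  # assumption: the post does not say how far apart the snapshots were

if __name__ == "__main__":
    deltas = counter_deltas(parse_filter_stats(BEFORE), parse_filter_stats(AFTER))
    pps = parse_rate(MONITOR, "rx-packets-per-second")
    for rule, d in sorted(deltas.items()):
        print(f"rule {rule}: +{d} packets")
    share = seen_fraction(deltas[0], pps, INTERVAL_S)
    print(f"catch-all counted {deltas[0]} of ~{pps * INTERVAL_S} packets ({share:.4%})")
```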