Hi!
First of all thank you for so many replies in such short time!
Answering the questions:
@johnson73 - in general I want to block everything issued by NICs in an “automatic way” in a broadcast manner - like DHCP client requests etc. I think this is called BOOTP (bootstrap) on both IPv4 and IPv6. I’m checking the result just with Wireshark on one of the interfaces, whether there is nothing received.
I have the firewall completely switched off (cleared). In general I would like to have minimal CPU load from such filtering (not affecting routing speed). That’s exactly what @mkx underlined.
Just to give some more description. This network is a completely isolated/local network for streaming tests only. I’m streaming a custom protocol and, for simplicity of implementation, I want to block any other packets that are not related to the stream (so that my hardware and applications wouldn’t retransmit such packets). I think @mkx you really got my idea: I want to trace exactly the wire-speed operation. The minimal CPU load I think would be necessary with those rules → I would be generating about 80Gbps of traffic (50Gbps TX and 40Gbps RX) around the ports in bridge configuration (and later maybe more). That’s why I don’t put in any special config. And routing will be based on the ARP table only (Layer 2 routing).
@mkx The full model is: CCR2216-1G-12XS-2XQ. Btw - I didn’t know about this switching option (ACL) - is it also capable of (for example) DST_MAC swapping or other “on the go” modifications in Layer 2?
From the description I read, the bridge filter has less CPU load than using the IP firewall (I don’t know if RAW is the same in this case?).
By the way, in the meantime I found a presentation describing that this kind of filtering (bridge level) can only be done with HW offload switched OFF. I have checked this and the filter started working.
However, this may affect the streaming performance (relating to @mkx’s maximum wirespeed)? For now I have tested only 10Gbps TX on one port.
@anav - I think the description above mostly explains the necessity of the filtering. I could also do it on each server separately, however again for simplicity I wanted to try to do it more “centrally” in a simple way - but maybe this is much less efficient than disabling this in each NIC’s configuration?
Thanks! Best regards
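The configuration the post describes (bridge-level filtering of DHCP client traffic on IPv4 and IPv6, with HW offload disabled on the bridge ports so the filter actually runs), written out as an added RouterOS CLI example. This is not the poster’s configuration: the bridge name `bridge1` and the assumption that every port on that bridge should be filtered are illustrative, and the DHCP/BOOTP UDP ports (67/68 for IPv4, 546/547 for IPv6) are the standard ones.

```routeros
# Assumption: the stream ports are members of a bridge called "bridge1".
# Bridge filter rules are only evaluated in software, so (as the post found)
# HW offload has to be off on the bridge ports for the rules to take effect.
/interface bridge port
set [find bridge=bridge1] hw=no

/interface bridge filter
# Drop DHCPv4 / BOOTP (UDP 67-68) crossing the bridge.
add chain=forward action=drop mac-protocol=ip ip-protocol=udp \
    dst-port=67-68 comment="drop DHCPv4/BOOTP"
# Drop DHCPv6 (UDP 546-547) crossing the bridge.
add chain=forward action=drop mac-protocol=ipv6 ip-protocol=udp \
    dst-port=546-547 comment="drop DHCPv6"
# Matched-packet counters show whether the rules are being hit at all;
# if every counter stays at zero, check that hw=no actually applied.
print stats
```

Two things worth checking with this layout. First, the rules match only DHCP, not all broadcast frames: a blanket drop on `dst-mac-address=FF:FF:FF:FF:FF:FF` would also drop ARP requests, and the post relies on ARP for its Layer 2 forwarding. Second, because the filter only works with `hw=no`, every frame on those ports is switched in software, which is exactly the CPU cost the post is worried about at 80Gbps; comparing `print stats` counters against the Wireshark capture on one port is the cheapest way to confirm the rules are doing the work before scaling the traffic up.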