Hello,
I’ve got a bridge between 2 SXT devices. This bridge has 2 VLANs, 1308 and 1901. VLAN 1308 is for my device management, and 1901 for PPPoE clients.
I’m trying to block all incoming traffic from the CPE on VLAN 1901 except for PPPoE Discovery and PPPoE Session. The way to do this is “bridge filter”, I would think.
Now I’ve created some bridge-filter rules to mark the packets on the right VLAN, and then drop all IP packets which carry the mark. This does not work. What does work is a rule where all marked packets are dropped, and where I don’t specify “MAC Protocol-Num”.
jun/05/2018 13:30:47 by RouterOS 6.43rc21
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=SECC supplicant-identity="" wpa2-pre-shared-key=SECCES
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-onlyac disabled=no frequency=auto mode=station-wds security-profile=SEC ssid=SSID
/interface bridge
add name=bridge-vlan pvid=1308 vlan-filtering=yes
/interface vlan
add interface=bridge-vlan name=vlan-1308 vlan-id=1308
add interface=bridge-vlan name=vlan-1901 vlan-id=1901
/interface bridge filter
add action=mark-packet chain=forward in-bridge=bridge-vlan in-interface=ether1 log-prefix=mark-vlan-1901 mac-protocol=vlan new-packet-mark=mark-vlan-1901 vlan-id=1901
add action=accept chain=forward log=yes log-prefix=accept_1901_Discovery mac-protocol=pppoe-discovery packet-mark=mark-vlan-1901
add action=drop chain=forward log=yes log-prefix=drop_1901_IP mac-protocol=ip packet-mark=mark-vlan-1901
add action=drop chain=forward in-interface=ether1 log=yes log-prefix=drop_1901_all packet-mark=mark-vlan-1901
add action=drop chain=input in-interface=ether1 log-prefix=input-vlan-1901 mac-protocol=vlan vlan-id=1901
/interface bridge port
add bridge=bridge-vlan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-vlan frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=wlan1
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=bridge-vlan tagged=bridge-vlan,ether1,wlan1 vlan-ids=1308
add bridge=bridge-vlan tagged=bridge-vlan,ether1,wlan1 vlan-ids=1901
With this current config, all input chain packets on VLAN 1901 are dropped, all forward chain packets are marked, and then rule 1 should accept the discovery packets, and rule 2 should drop (for example) DHCP request packets, but these 2 rules don’t trigger. The 3rd rule, drop all with packet mark, does trigger. So my conclusion is this: somewhere in my configuration I’m missing something that prevents “MAC Protocol-Num” from working. Except it does work, but only to mark VLAN traffic with VLAN 1901 specified (filter rule 0).
What am I missing here?
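The question above hinges on what a "MAC protocol" matcher sees when it looks at a VLAN-tagged frame. The following Python example is added here as an illustration and is not part of the original post nor MikroTik code: it builds a few constructed frames (made-up MAC addresses and payloads), parses the Ethernet header, and shows that on an 802.1Q-tagged frame the first EtherType field is 0x8100 ("vlan"), while the protocol the post wants to filter on (IPv4 0x0800, PPPoE Discovery 0x8863, PPPoE Session 0x8864) only appears after the 4-byte tag. The `decide` function is a hypothetical policy that mirrors the post's intent (on VLAN 1901 accept PPPoE only, drop the rest) written against the inner EtherType; whether RouterOS's `mac-protocol` matcher reads the outer or the inner field on tagged frames is an assumption the reader has to verify against the RouterOS documentation, not something the post establishes.

```python
import struct

# Well-known EtherType values (IEEE/IANA assigned).
ETH_P_8021Q = 0x8100       # 802.1Q VLAN tag TPID
ETH_P_IP = 0x0800          # IPv4
ETH_P_PPPOE_DISC = 0x8863  # PPPoE Discovery (PADI/PADO/PADR/PADS)
ETH_P_PPPOE_SESS = 0x8864  # PPPoE Session

ETHERTYPE_NAMES = {
    ETH_P_8021Q: "vlan",
    ETH_P_IP: "ip",
    ETH_P_PPPOE_DISC: "pppoe-discovery",
    ETH_P_PPPOE_SESS: "pppoe",
}

# VLAN on which only PPPoE is allowed (hypothetical policy constant, taken from the post's setup).
PPPOE_ONLY_VLAN = 1901


def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Construct an Ethernet frame, optionally carrying a single 802.1Q tag."""
    header = dst + src
    if vlan_id is not None:
        # TPID 0x8100 followed by the TCI: PCP(3 bits) | DEI(1 bit) | VID(12 bits); PCP=0, DEI=0 here.
        header += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame):
    """Return the outer EtherType, the VLAN id (if tagged) and the encapsulated EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    outer = struct.unpack("!H", frame[12:14])[0]
    info = {"outer_ethertype": outer, "vlan_id": None, "inner_ethertype": outer}
    if outer == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        info["vlan_id"] = tci & 0x0FFF
        info["inner_ethertype"] = inner
    info["outer_name"] = ETHERTYPE_NAMES.get(outer, hex(outer))
    info["inner_name"] = ETHERTYPE_NAMES.get(info["inner_ethertype"], hex(info["inner_ethertype"]))
    return info


def decide(frame):
    """Hypothetical policy: on VLAN 1901 accept only PPPoE Discovery/Session, drop everything else."""
    info = parse_frame(frame)
    if info["vlan_id"] != PPPOE_ONLY_VLAN:
        return "accept"  # other VLANs and untagged frames are out of scope for this rule set
    if info["inner_ethertype"] in (ETH_P_PPPOE_DISC, ETH_P_PPPOE_SESS):
        return "accept"
    return "drop"


# Constructed sample frames (made-up addresses and payloads; not captured traffic).
CPE_MAC = bytes.fromhex("020000000001")
BCAST = b"\xff" * 6
PADI_PAYLOAD = b"\x11\x09\x00\x00\x00\x00"   # PPPoE ver/type=0x11, code=PADI, session 0, length 0
IP_PAYLOAD = b"\x45" + b"\x00" * 19           # minimal IPv4-looking header, content irrelevant here

PADI_1901 = build_frame(BCAST, CPE_MAC, ETH_P_PPPOE_DISC, PADI_PAYLOAD, vlan_id=1901)
IP_1901 = build_frame(BCAST, CPE_MAC, ETH_P_IP, IP_PAYLOAD, vlan_id=1901)
IP_1308 = build_frame(BCAST, CPE_MAC, ETH_P_IP, IP_PAYLOAD, vlan_id=1308)
UNTAGGED_IP = build_frame(BCAST, CPE_MAC, ETH_P_IP, IP_PAYLOAD)

if __name__ == "__main__":
    for name, frame in [("PADI on 1901", PADI_1901), ("IP on 1901", IP_1901),
                        ("IP on 1308", IP_1308), ("untagged IP", UNTAGGED_IP)]:
        info = parse_frame(frame)
        print(f"{name:12s} outer={info['outer_name']:5s} vlan={info['vlan_id']} "
              f"inner={info['inner_name']:16s} -> {decide(frame)}")
```

Running it prints that every frame on VLAN 1901 has outer EtherType "vlan"; a matcher that only consults that first field can therefore never see "ip" or "pppoe-discovery" on those frames, which is the behaviour to check for when a rule with `mac-protocol=vlan` fires but the `mac-protocol=ip` rule on the same marked traffic does not.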