Bridge Filter

ithink · May 23, 2015, 11:16am

Hello,
I have a Bridge interface (gateway wan ether1 IpPublic x.x.x.6, asterisk server ether2 ipPuclic x.x.x.7)

And in ether6, ether7 I have LAN network 192.168.1.0/24 192.168.2.0/24, and the LAN network go in WAN with the IpPublic x.x.x.6 and reach the Asterisk Server in ether2 with the IpPublic x.x.x.7

The question is How to create Filter in Bridge that allow all traffic from Ether6 and Ether7 to Ether2 asterisk server IpPublic x.x.x.7 and deny all trafic from 0.0.0.0/0

ithink · May 25, 2015, 2:54pm

Have any knowledge about my case?

kburzyns · May 26, 2015, 6:07am

To enable firewall on the Brige (Winbox) go to Bridge > Settings and mark ‘Use IP Firewall’. If You need more help You should paste config or picture of Your network.

ithink · April 19, 2016, 1:17pm

Thank you,
I have create bridge filter:

 ;;; China - 175.0.0.0/8      175.255.255.255
     chain=forward action=drop mac-protocol=ip src-address=175.0.0.0/8 
     dst-address=IpPublic /32 ip-protocol=!tcp log=no log-prefix=""

But the questions are;
How to see the packing from my local interfaces to server IpPublic x.x.x.7 that is on ether2 interface, and in the brigde wan.
Because If I create a Bridge Filter to drop all rc-address=0.0.0.0/0 to dst-address=IpPublic /32, more services from local network will be drop.

How to permit all Local traffic (ether5,6,7,8,9,10) to IpPublic /32

nxs02 · April 19, 2016, 2:12pm

accept each interface to IpPublic and drop the rest? or u can use horizon bridge

ZeroByte · April 19, 2016, 3:01pm

You should probably enable the “use IP firewall” option on your WAN bridge and then make IP firewall filter rules to protect the Asterisk server because the IP firewall can use connection state tracking, and the bridge firewall cannot (as far as I know - if I’m wrong about that I’m sure that someone will correct me).

I’m not sure what the particulars are for your upstream SIP connectivity, but obviously the Asterisk box is talking to some service out on the Internet and you should probably whitelist the service provider’s IP address(es) for communicating with the Asterisk box, because SIP uses UDP which times out relatively quickly in the connection state tracking.

In general, the forward filter should have rules that allow existing/related connections, and after that, you should probably allow src-address=IP.OF.SIP.PROVIDER protocol=udp dst-port=5060 dst-address=x.x.x.6 If the provider has many addresses, then use an address-list instead of the single address.

Connections from the LAN to the Asterisk box should “just work” because to the firewall, they’re going to get accepted as “outbound” connections, and then the replies from the Asterisk server are going to be accepted as “established” or “related” connections.