Bridge filtering on CRS354-48G-4S+2Q+RM

Hardware
1

Hello Team,

I tried to configure bridge filtering on my CRS354-48G-4S+2Q+RM, but I haven’t been able to get the traffic to be handled by the hardware. Here is an example of my configuration:

[admin@MikroTik] > interface bridge filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop mac-protocol=ip src-address=10.0.0.2/32 dst-address=10.0.0.1/32 ip-protocol=icmp
[admin@MikroTik] >

Could you please confirm whether bridge mode L3/L4 filtering is supported on this device, or if there is any known issue/bug in RouterOS version 7.14.3 (stable) affecting this functionality?

Thank you in advance for your assistance.

2

The answer to your question is really simple: bridge filtering is a software only function. Switch rules are however executed in hardware and are line rate.

Usually, wanting bridge filtering is a sign of a network architecture problem. You should have a hard look at what exactly you are trying to solve, and how to do it properly.

1 Like
3

Just to clarify:

  • Bridge filtering → allows filtering based on L3/L4 information (IP addresses, ports, protocols), but all traffic is processed by the CPU (software).

  • Switch rules → are executed in hardware (ASIC) at line rate, but they only support L2 filtering (MAC, VLAN, EtherType, ports); L3/L4 filtering is not possible, only redirect to cpu.

My question is:

Is there any MikroTik function (or device) that can:

  1. Stay in bridge mode,

  2. Filter based on L3/L4 information,

  3. Have the traffic handled in hardware (line rate),

  4. Support speeds greater than 1 Gbps, and

  5. Allow a large number of ACL entries/rules?

4

Not correct! Your CRS switch has support for 170 ACL rules:
CRS3xx, CRS5xx, CCR2116, CCR2216 switch chip features - RouterOS - MikroTik Documentation

that can filter based on L3/L4 criteria

too. Please note this available action:

  • new-dst-ports (can be used to drop packets)

Use new-dst-ports="" to drop the matching frames.

1 Like
5

So, if my understanding is correct:

  • I can use switch rules to match the traffic I want to allow, and then, at the end, I can add a generic rule like:
interface/ethernet/switch/rule/add switch=switch1 ports=ether1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 mac-protocol=ip new-dst-ports=""

to block everything else, similar to an explicit “deny” in classic ACLs?

  • Also, does this method align with my plan to have a device in bridge mode, filtering based on L3/L4 information, with traffic handled by hardware (not CPU)?

  • Additionally, according to the Mikrotik documentation, my device supports 170 ACL rules. Is this the same as the number of switch rules?

6

Most firewalling should be conducted at L3.

7

Yes, you can filter with switch (ACL) rules and it is handled in hardware by switch chip without sending traffic to CPU.

I’m not 100% sure on this, but you might not get 170 rules into the hardware before the switch chip resources are exhausted depending on how many conditions you add to each rule. I know that can be the case with some of the older switches, but maybe not with the chip in a CRS354. After adding all your rules, you can print the rule table and check if any of them have the invalid tag.

1 Like