Bridge Filters Don't Seem to be working

It doesn’t seem to matter what I put into the bridge filters for 7.0b4 or 7.1rc2. Hardware offloading or no hardware offloading. Fast forward or no fast forward. Allow fast path or disallow fast path. Block by destination MAC address, or block by destination IP address. Input or forward. Adding a switch rule from one port to another port (that are in the bridge) and copy to the cpu.

Nothing seems to help block the traffic bound for a particular public IP on a device that’s on the bridge. The device is connected directly to the bridge. It is not connected via another switch. The Internet feed is also connected directly to the bridge.

I’ve followed every example I can find on the forums for RouterOS 6 to no avail. What worked on RouterOS 6 does not appear to work for RouterOS 7.

Thanks for any help.

This works fine on ROSv7.1rc2 (ping request timed out):

/interface bridge filter
add action=drop chain=forward dst-mac-address=E4:8D:8C:B0:DE:37/FF:FF:FF:FF:FF:FF

Could you share a code example and your test setup?

# sep/02/2021 05:42:10 by RouterOS 7.1rc2
# software id = MXUY-2KEQ
#
# model = CCR2004-16G-2S+
# serial number = HAW073H26RE
/interface bridge
add name=bridge-wan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-to-navigata
set [ find default-name=ether3 ] disabled=yes name=ether3-to-billing-server
set [ find default-name=ether16 ] name=ether16-to-backside
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge filter
add action=drop chain=forward comment="Drop all" dst-mac-address=\
    00:14:5E:17:5E:24/FF:FF:FF:FF:FF:FF log=yes log-prefix=BILLING
/interface bridge host
add bridge=bridge-wan comment="Billing Server" interface=ether3-to-billing-server \
    mac-address=00:14:5E:17:5E:24
/interface bridge port
add bridge=bridge-wan hw=no ingress-filtering=no interface=ether1-to-navigata
add bridge=bridge-wan hw=no ingress-filtering=no interface=ether2
add bridge=bridge-wan hw=no ingress-filtering=no interface=ether3-to-billing-server
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set tcp-syncookies=yes
/interface ethernet switch rule
add copy-to-cpu=yes disabled=yes ports=ether1-to-navigata,ether3-to-billing-server \
    switch=switch1
/interface l2tp-server server
set enabled=yes l2tpv3-circuit-id="" l2tpv3-cookie-length=0 \
    l2tpv3-digest-hash=md5 use-ipsec=yes
/interface sstp-server server
set enabled=yes pfs=yes
/ip address
add address=10.1.1.4/24 interface=ether16-to-backside network=10.1.1.0
add address=5.0.0.4/26 interface=bridge-wan network=5.0.0.0
/ip dns
set servers=8.8.8.8,4.2.2.4
/ip firewall address-list
add address=1.0.0.0 comment="Hammer Software VPN" list=admin-list
add address=2.0.0.0 comment="Hammer Software Virtual Hosting Server" \
    list=admin-list
add address=3.0.0.0 comment="Head office" list=admin-list
add address=4.0.0.0 comment="Head office" list=admin-list
add address=5.0.0.2 comment="Other VPN" list=admin-list
add address=5.0.0.62 comment="Other Firewall" list=admin-list
add address=172.16.254.0/24 comment="temporary VPN" list=\
    admin-list
/ip firewall filter
add action=jump chain=input comment="Control access to router from Internet" \
    dst-address=5.0.0.4 in-interface=bridge-wan jump-target=WAN
add action=accept chain=WAN comment=\
    "Allow ICMP access to router from anywhere" protocol=icmp
add action=accept chain=WAN comment="Allow SSTP from anywhere" dst-port=443 \
    protocol=tcp
add action=accept chain=WAN comment="ESTABLISHED, RELATED" connection-state=\
    established,related
add action=accept chain=WAN comment=\
    "Allow access to privileged TCP ports from whitelisted IPs" dst-port=\
    20,21,22,23,53,80,161,443,2000,8291,8728,8729 protocol=tcp \
    src-address-list=admin-list
add action=accept chain=WAN comment=\
    "Allow access to privileged UDP ports from whitelisted IPs" dst-port=\
    53,161,2000 protocol=udp src-address-list=admin-list
add action=accept chain=WAN comment="Allow access to L2TP/ipsec" dst-port=\
    500,1701,4500 protocol=udp
add action=accept chain=WAN comment="Allow access to ipsec" protocol=\
    ipsec-esp
add action=drop chain=WAN comment="Drop everything else"
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    5.0.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add local-address=172.16.254.1 name=dlynes remote-address=172.16.254.2
/system clock
set time-zone-name=America/Vancouver
/system identity
set name="Core Router"
/system package update
set channel=testing
/tool sniffer
set file-limit=100000KiB file-name=comvida.pcap filter-interface=bridge-wan

Export has been sanitized.

Brief diagram of how it’s connected
Internet → [ether1 BRIDGE ether3] → Billing Server

I want to block everything on the billing server except HTTPS.

I’ve got it working after I enabled ‘use ip firewall’ in the bridge settings, and now I’m using the raw ip firewall table.

However, I have to wonder which is the better way of getting it to work.
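The workaround the original poster settled on (use-ip-firewall plus the raw table), written out as an added configuration example. This is not configuration from the thread; it assumes the sanitized export above (bridge bridge-wan, uplink ether1-to-navigata, billing server behind ether3-to-billing-server) and the billing server's IP address 5.0.0.10 is an assumption, chosen only to illustrate "everything except HTTPS":

```routeros
# Added example, not from the thread. Assumes the export above: bridge "bridge-wan",
# uplink ether1-to-navigata, billing server on ether3-to-billing-server.
# The billing server's address (5.0.0.10) is an assumption.

# 1. Force bridged IP traffic through the IP firewall. Without this, frames
#    bridged between ether1 and ether3 never reach /ip firewall at all.
/interface bridge settings
set use-ip-firewall=yes

# 2. Allow only HTTPS toward the billing server and drop everything else
#    addressed to it. Raw prerouting runs before connection tracking, so it
#    is cheap, but it also has no connection-state: replies to sessions the
#    server itself opens (DNS, updates) are dropped by the last rule too.
/ip firewall raw
add chain=prerouting comment="Billing: allow HTTPS" \
    in-bridge-port=ether1-to-navigata dst-address=5.0.0.10 \
    protocol=tcp dst-port=443 action=accept
add chain=prerouting comment="Billing: drop the rest" \
    in-bridge-port=ether1-to-navigata dst-address=5.0.0.10 \
    log=yes log-prefix=BILLING action=drop

# 3. Verify: these counters increase on hits, which is the check that showed
#    the bridge filter rules were never matching.
/ip firewall raw print stats where comment~"Billing"
```

If the billing server must originate connections, put the policy in /ip firewall filter chain=forward instead, with an accept for connection-state=established,related ahead of the drop; the raw table cannot express that. The in-bridge-port match requires use-ip-firewall, and as the later reply points out, this path only covers traffic handled by the CPU, so it is only a complete control on ports where hardware offloading is off (as hw=no is in the export).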

The problem with use-ip-firewall is that it affects only the traffic that goes through the CPU and does not affect hardware bridging. Take a look at switch ACL rules instead (/in/eth/switch/rule). ACL rules are offloaded to the hardware and, therefore, are applied by the switch chip and do not use the CPU resources.

EDIT: Sorry, I didn’t pay attention that you are using CCR2004-16G-2S+. It has 88E6191X switch chip, which, unfortunately, does not support ACL rule offloading.

I’m having exactly the same problem with CCR2004-16G-2S+ and RouterOS 7.1rc5; no matter what I put into the bridge filters, nothing gets filtered. I also tried HW Offloading on/off, Fast Path on/off, etc.

The IP firewall filtering works, so I’m using that for now, but I would like to filter by dst MAC, and I can’t do that with ip firewall.

The same here using v7.1rc5 on CCR2004-16G-2S+

I have bridge filters allowing IPv6 for some destination MAC addresses on a VLAN out-interface and dropping everything else.

The counter stays on 0 (zero)… I switched back to v6.49 and everything is fine.

MT please investigate…Thank you!

Hello Raymond,

Is this why bridge filter doesn’t work? i.e. because it’s a switch chip? If so, why is the bridge filter section visible if it’s not usable?

Hi,

Same problem here. Bridge filter rules not working on a CCR2004-16G-2S+.
I use them to change the VLAN CoS of DHCP packets from the DHCP client on the WAN side of the router (the ISP requires it).

/interface bridge
add fast-forward=no name=WAN-BRIDGE
[...]
/interface vlan
add interface=sfp1-WAN name="VLAN832 - WAN" vlan-id=832
[...]
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes \
    log-prefix="Set CoS 6 on DHCP requests" mac-protocol=ip new-priority=6 \
    out-bridge=WAN-BRIDGE passthrough=yes
[...]
/interface bridge port
add bridge=WAN-BRIDGE ingress-filtering=no interface="VLAN832 - WAN"
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
[...]

Exact same configuration works flawlessly on a HexS (but HexS does not have 10G ports…).

For now, I use a CRS305 connected to SFP1 of CCR2004 to handle the change (running SwitchOS, using an ACL rule).
I tried setting simple rules, so I could see counters. Whatever rule I add, whatever settings (fast path y/n, fast forward y/n, IP firewall y/n) I use, counters stay at 0. No bridge filter rules are working.

CCR2004-16G-2S+ is currently running ROS 7.1rc6.

  • Mackila

Interesting.
I’ve reported the same issue for RB4011 as well:
http://forum.mikrotik.com/t/bridge-filter-rules-set-priority-for-vlan-non-functional/143818/1

However, for this device (RB4011) at least, it is now working from rc3.

v7.2rc1 on CCR2004-16G-2S+ still does not filter the bridge.
I have a VLAN interface added to a bridge and try to drop the IPv6 MAC protocol on that out-interface using a bridge filter. The counters stay on zero and nothing gets dropped. Because it is working fine in v6.49, I do assume it is related to the v7 internal bridge filter handling. Would be nice if Mikrotik can test and give a short reply if someone looks into it… at least the final v7 should be able to handle this task. Thanks, CK

The change log in 7.2rc2 claims that this issue has been fixed:

*) bridge - fixed bridge filter and NAT rules on ARM64 and TILE devices;

It will take a few days until I can test this with mine.

It’s working now on my brand new CCR2116-12G-4S+ under 7.2rc3.

But this hardware has a nice switch chip so I don’t need it anymore :wink:
My older CCR2004-1G-12S+2XS could not handle switch ACL.

Actually I opened a MT ticket after my last post here and got the following reply:
“We have managed to reproduce the issue locally in our labs and look forward to fixing it on upcoming RouterOS versions…”

So there was some positive action on it…

Now if only L2TP/IPsec got fixed on both RouterOS 7 and Windows 10/11. Then we’d all be happy :slight_smile: