bridge-filters with ip protocol specified doesn't work on tagged traffic?

Hello,

I am having no success with a very simple thing somehow :confused:

Let's take any RouterBOARD with just two ether ports bridged together. Through these two ports, traffic between server 192.168.1.10 and PC 192.168.1.11 is flowing nicely. This bridge is as simple as:
interface/bridge/add name=bridge1
interface/bridge/port/add interface=ether4 bridge=bridge1 hw=no
interface/bridge/port/add interface=ether5 bridge=bridge1 hw=no

If I add a bridge filter rule with the dst IP address of the server (for example), the filter works: it counts packets and the traffic is dropped. Which is fine.
interface/bridge/filter/add chain=forward action=drop mac-protocol=ip dst-address=192.168.1.10/32

“Problem”:
When the traffic between server and client is VLAN tagged and in VLAN 100, the same bridge rule does not work, i.e. it does not DROP the traffic.

Question:
How can I make the bridge rule "see" the source IP address even if the Ethernet frame has the VLAN tag?

Thank you
Pep.
PS: I tried it on ROS 6.47, 6.49 and on 7.6

Generally, if you want the bridge to do anything about VLAN tags, you have to set vlan-filtering=yes on the bridge … beware that blindly enabling it can break all traffic across it, including management access (if it's passing through the bridge).

Yes, I was already playing a bit with vlan-filtering=yes, setting PVIDs on bridge ports, etc… but with no success. Do you have any specific tip or example commands, please?
thank you
Pep.

Without seeing the whole config … the default config has an (implicit) setting of pvid=1 on all bridge ports (which includes the bridge interface itself), so any explicit settings of pvid should not be necessary; simply enabling vlan-filtering=yes on the bridge should do the trick. And if my memory serves me correctly, it should also not break anything (if you don't change other things); my warning was more of a precaution.

Other than that: the bridge manual, in the bridge firewall section, mentions the following bridge filter property:

> mac-protocol: Ethernet payload type (MAC-level protocol). To match protocol type for VLAN encapsulated frames (0x8100 or 0x88a8), a vlan-encap property should be used.

Default is unset for both properties …

Having read that part of the manual, it seems like you actually don't have to enable vlan-filtering on the bridge after all.

Hi,
thank you for your suggestion. I did try to play with Mac Protocol-Num set to "8100 (vlan)" and VLAN Encap to "800 (ip)" in the bridge filter, as you suggested. It really is capable of filtering packets inside a tagged frame, but unfortunately it matches only whole protocol families, like ip, ipv6, arp, … Using VLAN Encap it is not possible to match a specific IPv4 address in a tagged frame.

I'll try harder to work with "vlan-filtering=yes" to be able to match by IP address in a frame with a VLAN tag. But, so far, no success :confused:
Pep.

I'm giving up. It seems the only way to filter bridged tagged traffic by IP address is to have "Use IP Firewall" turned on and do the filtering in iptables (ip firewall). Which is unfortunately a huge throughput/performance penalty :confused:
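Added example, not posted by anyone in the thread: the three variants discussed above written out as one RouterOS 7 configuration, so the difference between what the bridge filter can match in a tagged frame and what the IP firewall can match is visible side by side. It assumes the setup from the first post (bridge1 over ether4 and ether5, server 192.168.1.10, PC 192.168.1.11 on ether5, traffic tagged with VLAN 100); the comments and the port direction in the ip firewall rule are assumptions for illustration.

```routeros
# Added example, not from the thread. Assumed: bridge1 = ether4 + ether5,
# server 192.168.1.10 behind ether4, PC 192.168.1.11 behind ether5, VLAN 100.

# 1. The rule from the first post. mac-protocol=ip only matches frames whose
#    EtherType is 0x0800; a tagged frame has EtherType 0x8100, so this rule
#    never sees the tagged traffic and its counters stay at zero for it.
/interface/bridge/filter/add chain=forward mac-protocol=ip \
    dst-address=192.168.1.10/32 action=drop comment="untagged IPv4 only"

# 2. The most specific match the bridge filter offers for a tagged frame:
#    outer type (vlan), vlan-id, and the encapsulated type (vlan-encap).
#    There is no dst-address matcher for the encapsulated payload, so this
#    can only count or drop "all IPv4 in VLAN 100", not one host.
/interface/bridge/filter/add chain=forward mac-protocol=vlan vlan-id=100 \
    vlan-encap=ip action=passthrough comment="counts IPv4 inside VLAN 100"

# 3. Per-host filtering of tagged bridged traffic: pass bridged frames to the
#    IP firewall. use-ip-firewall-for-vlan=yes is what makes tagged frames
#    take that path too. Bridged traffic then loses fast-path/hw offload,
#    which is the throughput penalty mentioned in the last post.
/interface/bridge/settings/set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# 4. The forward chain of the IP firewall now sees the bridged packets.
#    Matching on bridge ports keeps the rule away from routed traffic.
/ip/firewall/filter/add chain=forward in-bridge-port=ether5 \
    out-bridge-port=ether4 dst-address=192.168.1.10 action=drop \
    comment="drop PC->server on bridge1, tagged or untagged"

# Check which rule actually fires: compare the counters after sending
# tagged traffic from the PC to the server.
/interface/bridge/filter/print stats
/ip/firewall/filter/print stats where comment~"PC->server"
```

Rule 2 is left at action=passthrough on purpose so it only counts; change it to drop if blocking the whole VLAN is acceptable. Before enabling use-ip-firewall on a production bridge, check that no existing ip firewall forward rule with a bare action=drop would start matching the bridged traffic as well.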