Hello, I have a LAN 192.168.0.0/21 with a lot of hosts. A MikroTik.
ether2 … ether5 on mikrotik are in a bridge.
On ether2 I have 99% of the hosts and host C: 192.168.0.20/21. On ether3 I have two hosts - A: 192.168.3.1/21 and B: 192.168.3.2/21. I need hosts ‘A’ and ‘B’ to communicate only with host ‘C’, and host C can communicate with hosts ‘A’ and ‘B’.
Other traffic from ether2 can’t pass to hosts ‘A’ and ‘B’ and from ether3 to other hosts.
I can’t reconfigure IP addresses on hosts ‘A’ and ‘B’ because it is very expensive work.
The question is: how to configure mikrotik to do this?
I tried to configure the Firewall on the bridge to filter forwarded packets, but the MikroTik doesn’t catch them, only input and output packets.
Below is the /export command output:
# jan/03/1970 19:17:20 by RouterOS 6.48.6
# software id = 9ETS-GWIZ
#
# model = RBD52G-5HacD2HnD
# serial number = HCZ089T2K7F
/interface bridge
add admin-mac=18:FD:74:7E:5E:1C auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-7E5E20 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-7E5E21 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=wan_pool ranges=192.168.10.0/24
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=wan_pool disabled=no interface=ether1 name=wan_dhcp
/interface bridge port
add bridge=bridge interface=ether5
add bridge=bridge interface=ether4
add bridge=bridge interface=ether3
add bridge=bridge interface=ether2
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.7.3/21 comment="\CE\F1\ED\EE\E2\ED\E0\FF \F1\E5\F2\FC" \
interface=bridge network=192.168.0.0
add address=192.168.10.1 comment=WAN interface=ether1 network=192.168.10.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=WAN gateway=192.168.10.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward log=yes log-prefix="TEST: "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/system identity
set name=MikrotikAzurion5
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Except... if this is a VLAN bridge, not all matchers work (like IP address), since the bridge firewall sees the outer protocol as vlan. So if you're trying to match IP and use vlan-filtering=yes, that's not possible with bridge filter rules. The RouterOS docs on bridge filtering suggest this, and if vlan-filtering=yes, then mac-protocol is always vlan, not ip or ipv6 (even if IP/IPv6 is what is inside the VLAN):
IP or IPv6 related matchers are only valid if mac-protocol is either set to ip or ipv6
On this one:
Since you're trying to block IP while bridging, you can use use-ip-firewall=yes (/ use-ip-firewall-for-vlan=yes), which will send bridged packets through the IP firewall rules. This is not a light consideration, since other bridged traffic will now also flow through /ip/firewall/filter, so you could end up blocking more/all traffic than anticipated, especially when the [IP/IPv6] firewall has things like "drop all" etc. rules. Or, in some cases, disable hardware bridging. See "Settings" in Bridging and Switching - RouterOS - MikroTik Documentation
Now, a more L3 purist like myself might suggest subnetting "Host A" and "Host B" so that you force routing by virtue of the smaller subnet of the restricted hosts. Then no tricks in the bridge are needed to force the traffic through /ip/firewall/filter, since the routing engine will do it. You still need an IP filter rule to block. But that's another approach.
And I guess a third approach is to use the MAC address as the matcher in the bridge filter (instead of IP) to allow traffic from the restricted hosts to the desired hosts by using their MAC addresses... assuming the allowed hosts use a fixed MAC address.
Side note: In general on this forum, it's best to post the actual config, since questions like "is the bridge VLAN enabled" can then be answered by readers, and thus narrow down the possibilities....
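For reference, here is an added example (mine, not from this thread or the MikroTik docs) of the bridge-filter route described above, written against the exported config: the OP's bridge has no vlan-filtering, so mac-protocol=ip with IP matchers is valid there, and the hosts and addresses are the ones in the question. The hw=no lines are a conservative assumption so that ether2/ether3 frames are handled by the CPU and actually pass the filter on a switch-chip board; RouterOS 6.x syntax is assumed.

```routeros
# Added example: limit ether3 (hosts A and B) to host C only, using
# /interface bridge filter. Not part of the OP's export.
# Assumption: forcing the two ports off hardware offload so every frame
# between them is seen by the bridge firewall.
/interface bridge port
set [ find interface=ether2 ] hw=no
set [ find interface=ether3 ] hw=no

/interface bridge filter
# ARP has to pass or A/B and C can never resolve each other; restrict it to C.
add chain=forward in-interface=ether3 mac-protocol=arp arp-dst-address=192.168.0.20/32 \
    action=accept comment="ARP A/B -> C"
add chain=forward out-interface=ether3 mac-protocol=arp arp-src-address=192.168.0.20/32 \
    action=accept comment="ARP C -> A/B"
# IP matchers only apply with mac-protocol=ip (no vlan-filtering on this bridge).
add chain=forward in-interface=ether3 mac-protocol=ip dst-address=192.168.0.20/32 \
    action=accept comment="IP A/B -> C"
add chain=forward out-interface=ether3 mac-protocol=ip src-address=192.168.0.20/32 \
    action=accept comment="IP C -> A/B"
# Everything else crossing ether3 in either direction is dropped.
add chain=forward in-interface=ether3 action=drop comment="A/B -> anything else"
add chain=forward out-interface=ether3 action=drop comment="anything else -> A/B"
```

Check it with `/interface bridge filter print stats` while pinging C from A and some other ether2 host: the accept counters should move for the first case and only the drop counters for the second. Frames from ether2 to ether3 that are not from C (broadcasts included) are dropped by the last rule, which is the "only these hosts can communicate" behaviour the question asks for.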
The modern/proper way of solving these problems is to separate the bridges and route between them, while using proxy arp to present the hosts to each other as directly accessible. Then the filtering becomes a matter for the ip firewall and hw offloading can also be fully enjoyed.
Thank you, but it’s not possible to change network addresses on Host A and Host B.
As I understand it, when I assign IP addresses from the same network 192.168.0.0/21 to the ether2 and ether3 ports, the MikroTik becomes unreachable (I do it in Safe Mode).
You do not have to upload them. He did mention "post".
Paste the contents of the config file between code quotes < / > (it's one of the buttons when editing a post, preformatted text or Ctrl-E); it's easier to read too.
And then you turn on proxy arp (/interface ... set arp=proxy-arp) on both interfaces.
The packets between A/B and C become routed, while the hosts perceive each other to be in the same network segment. The packets can now be normally filtered in the ip firewall.
One of the limitations that sometimes comes up is that broadcasts don't propagate. But that's somewhat in the requirement "only these hosts can communicate".
In this case where on bridgeC only two IP addresses need to be advertised, and on bridgeAB a single one, it's probably better to not use proxy-arp (because the router will answer ARP for too many addresses, all reachable routes) and instead use published ARP entries, while keeping arp=enabled.
You are right (as usual). I tended to prefer published instead of proxy-arp as well. Lately I'm not so sure. Here's my logic:
published ARP seems to me to be viewed as a bit archaic/backwards in the networking stack (just my opinion)
proxy-arp has the side effect of replying to many more addresses than necessary, which often includes all addresses that are routed to other interfaces - if the hosts are configured as they should be, this isn't a problem
the inability of a well-configured host to reach other hosts that do not have published entries may be easily confused with successfully blocking (firewalling) the traffic - this is not the case
@eugene987 Glad it works! Be mindful of my last point: for proper blocking, the drop rules are still necessary.
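To make the "separate bridges, route between them, published ARP, drop rules" design concrete, here is an added example (mine, not posted by anyone in the thread). It keeps the OP's existing `bridge` (ether2/4/5, where C lives) and moves ether3 into a new `bridgeAB`; hosts A, B and C are the ones from the question. Assumptions: RouterOS 6.x syntax, 192.168.7.4 is a free address in the /21 for the router's bridgeAB side, and `<MAC-OF-BRIDGE>` / `<MAC-OF-BRIDGEAB>` are placeholders for the router's own MAC on each bridge.

```routeros
# Added example: route between two bridges with published ARP entries so the
# hosts keep their /21 addresses and still see each other as on-link.
/interface bridge
add name=bridgeAB
/interface bridge port
set [ find interface=ether3 ] bridge=bridgeAB

# Router address facing A/B. A /32 avoids creating a second connected
# 192.168.0.0/21 route that would compete with the one on "bridge".
# 192.168.7.4 is an assumed unused address in the /21.
/ip address
add address=192.168.7.4/32 interface=bridgeAB network=192.168.7.4

# Host routes: A and B are directly reachable on bridgeAB.
/ip route
add dst-address=192.168.3.1/32 gateway=bridgeAB comment="host A"
add dst-address=192.168.3.2/32 gateway=bridgeAB comment="host B"

# Published entries (arp stays enabled): only two addresses advertised on
# "bridge", one on bridgeAB, each with the router's own MAC so the frames
# come to the router and get routed. <MAC-...> are placeholders.
/ip arp
add address=192.168.3.1 interface=bridge mac-address=<MAC-OF-BRIDGE> published=yes comment="A as seen by C"
add address=192.168.3.2 interface=bridge mac-address=<MAC-OF-BRIDGE> published=yes comment="B as seen by C"
add address=192.168.0.20 interface=bridgeAB mac-address=<MAC-OF-BRIDGEAB> published=yes comment="C as seen by A/B"

# Unpublished addresses are merely unresolvable from A/B; that is not a block.
# The drop rules do the enforcement. Rule order matters: place these before
# any blanket accept in chain=forward (such as the OP's logging accept rule).
/ip firewall filter
add chain=forward in-interface=bridgeAB dst-address=192.168.0.20 action=accept comment="A/B -> C"
add chain=forward out-interface=bridgeAB src-address=192.168.0.20 action=accept comment="C -> A/B"
add chain=forward in-interface=bridgeAB action=drop comment="A/B -> anything else"
add chain=forward out-interface=bridgeAB action=drop comment="anything else -> A/B"
```

After applying it, `/ip arp print` on a host-by-host basis and `/ip firewall filter print stats` show what is happening: C's ARP cache holds the router's MAC for 192.168.3.1, and a ping from A to any ether2 address other than C increments the "A/B -> anything else" drop counter rather than silently timing out on ARP. Broadcasts from A/B do not cross to "bridge" at all, which is the limitation mentioned above and, here, the intended behaviour.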