Bridging Filter

I want to bridge two interfaces together. I would like to filter out all arp requests and responses unless they are for the 10.0.0.0/8 subnet. Is there a way to do that?

Basically I want to filter everything out but 10.0.0.0/8 which will be used for modem management etc.

The following example should block all ARP traffic that is not “issued from” or “destined to” 10.0.0.0/8

/interface bridge filter
add action=accept arp-dst-address=10.0.0.0/8 chain=forward mac-protocol=arp
add action=accept arp-src-address=10.0.0.0/8 chain=forward mac-protocol=arp
add action=drop chain=forward mac-protocol=arp

Thanks. Why didn’t I see that?

> The following example should block all ARP traffic that is not “issued from” or “destined to” 10.0.0.0/8
>
> /interface bridge filter
> add action=accept arp-dst-address=10.0.0.0/8 chain=forward mac-protocol=arp
> add action=accept arp-src-address=10.0.0.0/8 chain=forward mac-protocol=arp
> add action=drop chain=forward mac-protocol=arp

If I change:

> add action=drop chain=forward mac-protocol=arp

to:

> add action=accept chain=forward mac-protocol=ip src-address=10.0.0.0/16
> add action=accept chain=forward mac-protocol=ip dst-address=10.0.0.0/16
> add action=drop chain=forward

Will it drop all traffic except 10.0.0.0/16 IP type? I want to have PPPoE and everything but 10.0.0.0/16 traffic dropped.

Yes.

> I want to have PPPoE and everything but 10.0.0.0/16 traffic dropped.

Take note that ARP requests/replies will be blocked too.
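
An added illustration, not part of the thread and not MikroTik code: a simplified first-match model of the forward chain, holding the two ARP accepts from the first answer followed by the three lines from the follow-up question, run over constructed frames. It assumes rules are evaluated top-down, the first matching rule decides, and a frame matching no rule is accepted; the frame dictionaries and the `matches`/`verdict` helpers are hypothetical.

```python
import ipaddress

# Simplified first-match model of the bridge "forward" chain (assumption, not RouterOS code).
# Rules 0-1: ARP accepts from the first answer; rules 2-4: the lines from the follow-up.
RULES = [
    {"action": "accept", "mac-protocol": "arp", "arp-dst-address": "10.0.0.0/8"},
    {"action": "accept", "mac-protocol": "arp", "arp-src-address": "10.0.0.0/8"},
    {"action": "accept", "mac-protocol": "ip", "src-address": "10.0.0.0/16"},
    {"action": "accept", "mac-protocol": "ip", "dst-address": "10.0.0.0/16"},
    {"action": "drop"},
]

# Constructed sample frames (hypothetical addresses).
FRAMES = {
    "arp inside 10/8": {"mac-protocol": "arp", "arp-src-address": "10.1.2.3", "arp-dst-address": "10.1.2.1"},
    "arp outside 10/8": {"mac-protocol": "arp", "arp-src-address": "192.168.1.5", "arp-dst-address": "192.168.1.1"},
    "ip inside 10.0/16": {"mac-protocol": "ip", "src-address": "10.0.5.9", "dst-address": "10.0.0.1"},
    "ip in 10/8, outside /16": {"mac-protocol": "ip", "src-address": "10.1.2.3", "dst-address": "10.1.2.1"},
    "pppoe session": {"mac-protocol": "pppoe"},
}

def matches(rule, frame):
    """A rule matches only if every matcher it carries is satisfied by the frame."""
    for key, want in rule.items():
        if key == "action":
            continue
        have = frame.get(key)
        if have is None:
            return False
        if key == "mac-protocol":
            if have != want:
                return False
        elif ipaddress.ip_address(have) not in ipaddress.ip_network(want):
            return False
    return True

def verdict(frame, rules=RULES):
    """Return (action, rule index) of the first matching rule."""
    for index, rule in enumerate(rules):
        if matches(rule, frame):
            return rule["action"], index
    return "accept", None  # assumption: a frame that matches no rule passes

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:26} -> {verdict(frame)}")
```

In this model the ARP accepts cover 10.0.0.0/8 while the IP accepts cover only 10.0.0.0/16, so a host such as 10.1.2.3 gets its ARP through the bridge but its IP frames fall to the final drop, as do PPPoE frames.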