Hi,
I tried to build a test setup with the new bridge implementation on a CRS125 to get familiar with the feature, and ran into a problem.
I use ports ETH1 and ETH2 to bridge VLANs 11-12 and 50, and would like to use the firewall to limit access to one of the hosts. When I enable “Bridge Setup >> Use IP Firewall + Use IP Firewall for VLAN”, the connection is interrupted.
Packets to host 172.0.0.123 are marked in mangle and then processed further by the filter rules.
The mangle counters are increasing, but nothing reaches the filter rules… There is no connection even when the mangle and filter rules are disabled. Without “Use IP Firewall for VLAN” everything works.
Is the configuration OK, or is this just a mistake on my part?
When I add
# Bridge (layer-2) firewall, forward chain: accept and log frames carrying packet mark PM_CON-TO-Client.
# NOTE(review): the mark name is the one set in /ip firewall mangle in the export below; this rule appears
# to be a diagnostic only, to see whether marked frames traverse the bridge forward chain (the log line
# that follows shows they do) - confirm it is not left in the final configuration.
/interface bridge filter
add action=accept chain=forward log=yes packet-mark=PM_CON-TO-Client
The log shows
01:20:53 firewall,info forward: in:ether1(ether1) out:ether2, src-mac 00:0c:42:b7:aa:7e, dst-mac d4:ca:6d:7c:c6:c6, vlan-id 12, vlan-prio 0, eth-proto 0800, ICMP (type 8, code 0), 172.0.0.234->172.0.0.123, len 56
Here’s the configuration:
# jan/01/2002 01:18:30 by RouterOS 6.41
# software id = VA05-JWJJ
#
# model = CRS125-24G-1S
# NOTE(review): the export timestamp (2002) suggests the device clock is not set; firewall log times
# such as "01:20:53" above should be read with that in mind - confirm NTP/clock before relying on logs.
#
# One bridge with VLAN filtering enabled and hardware fast-forward disabled.
/interface bridge
add comment="Test Bridge" fast-forward=no name=bridgeTest vlan-filtering=yes
# Only descriptive comments are set on the three uplink ports; no other per-port settings here.
/interface ethernet
set [ find default-name=ether1 ] comment="Uplink SW1"
set [ find default-name=ether2 ] comment="Uplink SW2"
set [ find default-name=ether3 ] comment="Uplink SW3"
# Router-side VLAN interfaces on the bridge for VLAN 12 and VLAN 50 (these carry the IP addresses below).
# VLAN 11 has no /interface vlan entry, so it is bridged only and the router holds no address on it.
/interface vlan
add interface=bridgeTest name=vlan12 vlan-id=12
add interface=bridgeTest name=vlan50 vlan-id=50
# All three ports are bridge members that admit only VLAN-tagged frames; untagged frames are discarded.
/interface bridge port
add bridge=bridgeTest frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeTest frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridgeTest frame-types=admit-only-vlan-tagged interface=ether3
# Send bridged traffic through /ip firewall; use-ip-firewall-for-vlan=yes extends this to VLAN-tagged frames.
# This is the setting the post identifies as the point where connectivity stops.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
# Bridge VLAN table: which ports carry each VLAN tagged. "bridgeTest" in the tagged list is what lets the
# router's own vlan12/vlan50 interfaces see that VLAN's traffic; VLAN 11 deliberately has no such entry.
# NOTE(review): ether2 is not a tagged member of VLAN 50 here, whereas the post says ETH1 and ETH2
# bridge VLAN 50 - confirm whether that omission is intended.
/interface bridge vlan
add bridge=bridgeTest tagged=ether1,ether2,ether3 vlan-ids=11
add bridge=bridgeTest tagged=ether1,ether2,ether3,bridgeTest vlan-ids=12
add bridge=bridgeTest tagged=ether1,ether3,bridgeTest vlan-ids=50
# Switch-chip QoS precedence on switch port 2; unrelated to the firewall question.
/interface ethernet switch port
set 2 qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-based,vlan-based,pcp-based"
# Router addresses on the two VLAN interfaces.
# NOTE(review): 172.0.0.0/24 and 172.0.1.0/24 are not RFC 1918 private space (that is 172.16.0.0/12);
# they are publicly routable ranges that belong to someone else. Acceptable in an isolated lab, but confirm
# it is intended, as it will shadow those Internet destinations if this network is ever connected.
/ip address
add address=172.0.0.254/24 interface=vlan12 network=172.0.0.0
add address=172.0.1.254/24 interface=vlan50 network=172.0.1.0
# Forward chain: packets carrying PM_CON-TO-Client (set by the mangle rules below) are accepted only when
# sourced from 172.0.0.234; any other packet with that mark is dropped and logged with the
# "Access_Violation" prefix. Packets without the mark match neither rule and fall through to the
# chain's default behaviour, so the protection of 172.0.0.123 depends entirely on the mangle rules firing.
# NOTE(review): log=yes on the drop rule logs every dropped packet; consider whether that volume is
# acceptable on a busy link.
/ip firewall filter
add action=accept chain=forward comment="Accept --> Connection to Client" packet-mark=PM_CON-TO-Client src-address=172.0.0.234
add action=drop chain=forward comment="Drop --> Connection to Client" log=yes log-prefix="Access_Violation: Host XXX" packet-mark=PM_CON-TO-Client
# Prerouting: a new connection to 172.0.0.123 gets connection mark CM_CON-TO-Client (passthrough=yes, so
# the same packet continues to the next rule); every packet of a connection carrying that connection mark
# then gets packet mark PM_CON-TO-Client (passthrough=no ends mangle processing for it).
# NOTE(review): connection-state=new on the first rule means connections that were already established
# before these rules were loaded are never marked, and therefore never matched by the filter rules
# above - confirm this is acceptable.
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address=172.0.0.123 new-connection-mark=CM_CON-TO-Client passthrough=yes
add action=mark-packet chain=prerouting connection-mark=CM_CON-TO-Client new-packet-mark=PM_CON-TO-Client passthrough=no