CRS326-24S+2Q+ Layer-2 switch rules apparently not functioning

Hello -

it appears as if switch rules on a CRS326-24S+2Q+ (running RouterOS 6.46.3) do not match on anything relating to Layer-2 (“MAC”).

I tried matching on MAC-Protocol or on SRC/DST MAC Addresses (varying masks) - all to no avail. I can, however, match on IPv6 or legacy IPv4 addresses or -protocols or layer-4 ports, so the “rule system” in general does work as expected.

My intent is to use the CRS326-24S+2Q+ as a switch interfacing with networks not under my control and to only allow IPv6, IPv4 and ARP (and, maybe, LLDP), but to filter out all the cruft originating from those “alien” networks (CDP, (R)STP, loop-detection, etc.), so I thought I’d build a simple ruleset: Allow IPv6 (L2-proto 0x86dd), IPv4 (0x0800) and ARP (0x0806) and drop everything else.

Can anyone share a functioning config snippet, where a switch rule matches on the ethernet protocol or at least on mac addresses (either)?

Thanks,

Clemens

I guess you already tried the switch rules or bridge firewall? Why don’t you tell us what you’ve tried already?

As mentioned in words 6 and 7 of my post, I am attempting to use switch rules.

I have tried matching on MAC addresses, both SRC and DST with varying length masks and I have, of course, attempted to match on MAC protocols (0x0800 or 0x0806 for example).
No matter what I specified as an L2 rule: It never matches - with one exception: If I used a MAC address match with a mask of 00:00:00:00:00:00 it matches every frame, but that is obvious.

To test my general setup I have attempted to match on IPv6 or IPv4 addresses and this worked instantly. Though this was not of any use to me towards my ultimate goal, it still proved that my setup was correct in general.

Bridge Filters aren’t of use to me either, as I need the CRS326-24S+2Q+ (and the rules) to work at full 10/40Gbps speeds.

Thanks,

Clemens

My test setup: I am injecting both IPv6 multicast packets as well as IPv4 broadcast packets into sfp-sfpplus3 and observe what comes out of a different port.
These are the rules:

[thingy] /interface ethernet switch rule> pr
Flags: X - disabled, I - invalid, D - dynamic
 0    switch=switch1 ports=sfp-sfpplus3 protocol=icmp copy-to-cpu=no redirect-to-cpu=no mirror=no
 1    switch=switch1 ports=sfp-sfpplus3 copy-to-cpu=no redirect-to-cpu=no mirror=no
 2    switch=switch1 ports=sfp-sfpplus3 copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=""

This represents the general idea: Have a set of rules explicitly allowing something and dropping everything else: Rule #0 ensures that IPv4 ICMP packets (i.e., my IPv4 broadcast pings) always make it through. Rule #1 is the one I am experimenting with - see below. Rule #2 drops everything which still makes it thus far.

In this mode rule #1 matches everything and because it is an “allow” rule → the ICMPv6 pings to ff02::1 I inject into sfp-sfpplus3 can be seen on the outbound port. (As can the broadcast IPv4 pings already matched by rule #0)

If I modify rule #1 to no longer be a “match all” rule, packets not matching it “fall through” to rule #2, which is a “drop everything” rule. And lo and behold: If I say

set 1 mac-protocol=1234

(match on something stupid) packets get dropped by rule #2 because they are no longer “saved” by #1. Fine. So the general succession of rules is being followed.

Now if I do

set 1 mac-protocol=0x86dd

I would expect rule #1 to “save” my IPv6 packets from destruction, but they are still being dropped by rule #2, which means #1 doesn’t match them. Invoking

unset 1 mac-protocol

turns rule #1 back into a match-all→allow-all rule and packets are flowing again instantly.

I tried with various other Layer-2 conditions (src/dst MAC addresses) and even swapping bytes/nibbles around for the MAC protocol but to no avail. No matter what I give as a Layer-2 condition it never matches, except when I specify an address condition with a mask of 00:00:00:00:00:00 …

sniff
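A software reference model of the allow-list the thread aims for (IPv6, IPv4, ARP pass; everything else dropped), added here as example code that is not from the thread or from MikroTik. It can be run over frames captured on the outbound port to compare what came through with what the rules should have done, and it shows one caveat worth ruling out when a mac-protocol match misses: in an 802.1Q-tagged frame the outer field at offset 12 holds 0x8100 and the real EtherType sits at offset 16. All sample frames below are constructed, not captured.

```python
import struct

# EtherTypes the intended ruleset allows: IPv6, IPv4, ARP.
ALLOWED_ETHERTYPES = {0x86DD, 0x0800, 0x0806}
VLAN_TAG = 0x8100

def ethertype_of(frame: bytes) -> int:
    """Return the payload EtherType, skipping a single 802.1Q tag if present.

    Values below 0x0600 are 802.3 length fields (LLC/SNAP frames such as
    CDP or STP), not EtherTypes; they are returned as-is so they never match
    the allow-list.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    et = struct.unpack_from("!H", frame, 12)[0]
    if et == VLAN_TAG:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        et = struct.unpack_from("!H", frame, 16)[0]
    return et

def verdict(frame: bytes) -> str:
    """Model of rules 0-2: first matching allow wins, else the final drop."""
    return "allow" if ethertype_of(frame) in ALLOWED_ETHERTYPES else "drop"

def _frame(dst, src, ethertype, payload=b"", vlan=None):
    """Build a minimal Ethernet frame (constructed test input)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", VLAN_TAG, vlan)
    return hdr + struct.pack("!H", ethertype) + payload

ALL_NODES = bytes.fromhex("333300000001")  # multicast MAC for ff02::1
BCAST = b"\xff" * 6
SRC = bytes.fromhex("020000000001")        # locally administered test MAC
CDP_MAC = bytes.fromhex("01000ccccccc")    # CDP/VTP destination MAC

SAMPLES = {
    "icmpv6_to_ff02::1": _frame(ALL_NODES, SRC, 0x86DD, b"\x60" + b"\x00" * 39),
    "ipv4_broadcast":    _frame(BCAST, SRC, 0x0800, b"\x45" + b"\x00" * 19),
    "arp_request":       _frame(BCAST, SRC, 0x0806, b"\x00\x01\x08\x00"),
    "cdp_llc":           _frame(CDP_MAC, SRC, 0x0040, b"\xaa\xaa\x03"),
    "ipv6_vlan_tagged":  _frame(ALL_NODES, SRC, 0x86DD, b"\x60", vlan=10),
}

if __name__ == "__main__":
    for name, f in SAMPLES.items():
        print(f"{name:20s} ethertype=0x{ethertype_of(f):04x} -> {verdict(f)}")
```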