dst-nat for VLAN bridge

Xaesar · May 6, 2023, 5:36pm

Hi!

I am still rudimentary at best in my understanding of routing, so I have tried to read and see if there is something I am missing.
I recently realized my dst-nat rule did not work for

/ip firewall nat add chain=dstnat action=dst-nat in-interface=bridge dst-port=53 to-addresses=10.0.0.3 protocol=udp

but after changing it to

/ip firewall nat add chain=dstnat action=dst-nat in-interface-list=VLAN dst-port=53 to-addresses=10.0.0.3 protocol=udp

It seems to work fine.
The VLAN list contains all VLAN interfaces, which are in the bridge interface.
Is there something which makes bridges unable to match dst-nat rules?

Cheers,

X

anav · May 6, 2023, 6:16pm

Bridges are not interfaces???

Amm0 · May 6, 2023, 6:33pm

OP walked right into this one: http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1

There can only be one interface into the routing/firewall. vlan-filtering=yes is likely set, so from the Layer3/IPv4 POV, the interface is the VLAN and its IP – the bridge VLAN filtering just forwards it to the VLAN interface at Layer2/Ethernet.

mkx · May 7, 2023, 9:54am

I suspect that @OP also enabled some use-ip-firewall & co … which might not be necessary if only firewalling between different subnets (carried over VLANs) is necessary. I suggest to read bridge settings section of bridge manual.