Dynamic filtering in PPP tunnels working in bridge mode

Hi,

I’ve been a happy user of RouterOS 3.10 for a few months now. My setup consists of two LANs connected through a PPP tunnel between a Linux machine and a Mikrotik router. Tunnelling is handled by OpenVPN in bridge mode.

Lately I decided to restrict communications between the LANs based on source IP address. As soon as the tunnel is formed, RouterOS creates two dynamic filter rules according to the following PPP profile.
/ppp profile print
1 name="ovpn-test" local-address=192.168.0.x bridge=bridge1 use-compression=default use-vj-compression=default use-encryption=required only-one=default change-tcp-mss=default incoming-filter=ovpn-in outgoing-filter=ovpn-out

/ip firewall filter print dynamic
0 D chain=ppp action=jump jump-target=ovpn-in in-interface=
1 D chain=ppp action=jump jump-target=ovpn-out out-interface=

Unfortunately that’s incorrect, because ovpn-test is a bridge port. The rules should use in-bridge-port and out-bridge-port keywords instead. Is there anything simple I overlooked?

Best regards

There will always be the actual interface as in-interface, not as in-bridge-port.

Thanks for the reply. Such rules don’t catch any traffic in my case (a setup with bridging). They do as soon as I manually unset in/out-interface and set in/out-bridge-port instead. Perhaps RouterOS could do this automatically after having checked whether the “bridge” attribute of the PPP profile was set?

Additionally, you need to add a jump rule to the built-in chains (input, forward, output) that forwards traffic to the ppp chain.

For example, to apply the filter to client traffic going through the router, add a jump rule to chain=forward with jump-target=ppp.

Yes, I had done that. Without that the traffic would have never been caught by my own PPP chains.

For the bridged traffic you should have ‘interface bridge settings set use-ip-firewall=yes’ as well.

Yes, it is so.
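
The settings named in the replies above, gathered into one RouterOS console fragment as an added example (not posted by any participant in the thread). The chain names ovpn-in and ovpn-out come from the PPP profile in the first post; the host addresses 192.168.0.50 and 192.168.0.10 are constructed sample values, and the accept/drop policy is an assumption about what "restrict by source IP" should mean.

```routeros
# Added example; host addresses below are constructed sample values.

# Hand bridged frames to the IP firewall; without this, traffic switched
# by bridge1 never reaches /ip firewall filter.
/interface bridge settings set use-ip-firewall=yes

# Built-in chain -> ppp chain. RouterOS places the dynamic jump rules for
# incoming-filter / outgoing-filter in chain=ppp, so nothing reaches them
# unless a built-in chain jumps there first.
/ip firewall filter add chain=forward action=jump jump-target=ppp

# Source-based policy for traffic arriving from the tunnel:
# one remote host may reach one local host, everything else is dropped.
/ip firewall filter add chain=ovpn-in src-address=192.168.0.50 dst-address=192.168.0.10 action=accept
/ip firewall filter add chain=ovpn-in action=drop

# Traffic leaving through the tunnel: replies to accepted connections only.
/ip firewall filter add chain=ovpn-out connection-state=established action=accept
/ip firewall filter add chain=ovpn-out action=drop

# Confirm which dynamic jump rules the profile generated once the tunnel is up.
/ip firewall filter print dynamic
```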