Some time ago I consolidated my home setup to only 1x router/fw and 1x switch. I know that the devices are crazy overkill, but I got them used for a good price.
I’m fairly certain that in my previous setup I got inter vlan traffic to pass the firewall/router, but this is not the case now.
The setup I have is a CCR2116 where my WAN terminates on eth1 and the 4x SFP+ ports are put in a bond (802.3ad - L3/L4) that goes towards my switch, which is a CRS354.
The CRS354 is where all my cabled clients are connected, as well as my APs (2x cAP ax and 1x mANTBox ax).
It has a breakout cable connected to QSFP+ port 1 where the 4x SFP+ interfaces are in a bond, connected to the CCR2116 as mentioned above.
Everything “works” in the meaning that all traffic reaches its destination, like clients from all VLANs to the internet, and VLAN to VLAN.
BUT the problem is that only block rules that involve the WAN interface on the CCR2116 as dst seem to work.
ALL other traffic seems to be allowed between all of the VLANs.
I’m far from a networking expert so I’ve probably missed something fundamental, like something about the bridge setup or bonding etc.
But after many days of looking and trying things I can’t seem to get it to work as I want to.
I (think) I've implemented the FW rules correctly, with a DENY ALL rule at the end of the forward chain, so only traffic that I explicitly allowed should get through between the VLANs.
If anyone has any ideas where to look and what to change, it'd be greatly appreciated!
I tried ChatGPT haha, but that one lied to me and almost broke my config even more.
I've attached the config for the CCR2116 and the CRS354 and hopefully I've managed to redact the sensitive stuff.
My test case so far has been to block traffic from 192.168.2.9 towards 192.168.3.20, but no matter what I do I still manage to access for example port 80 on 192.168.3.20 from 192.168.2.9.
I've tried to sniff the traffic as well on both devices, but no traffic towards that specific IP from that source is being picked up.
CCR2116_2025-06-20.rsc (21.7 KB) swtich_conf_2025-06-26.rsc (13.5 KB)
FastTrack packets bypass firewall, connection tracking, simple queues, queue tree with parent=global, ip traffic-flow, IP accounting, IPSec, hotspot universal client, VRF assignment, so it is up to the administrator to make sure FastTrack does not interfere with other configuration!
As you can see, to use the IPv4 Firewall (the same as with IPv4 NAT), the special remark "FW" applies, which means you have to:
Set l3-hw-offloading=no for all the switch ports that are part of the VLANs that you want to filter using the firewall.
Add the fasttrack firewall filter rule with the option hw-offload=yes
You already have the fasttrack rule, so do not disable that rule! Also, you have already set l3-hw-offloading=no for the WAN ethernet port; that's why NAT works, and you could apply the filter rule for LAN-WAN traffic.
Now you will have to set l3-hw-offloading=no for the 4 SFP+ ports too!
As a result, the first packets of the connections will not be L3 HW Offloaded and will use the router's CPU. After the FW has processed those packets and allowed them through, the following packets of the connections might be fasttracked, and might then profit from L3 HW Offload. However, there is a limit on the CCR2116: only a maximum of 2.25K connections can be fasttracked with hardware offload.
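The steps from the reply above, written out as a RouterOS config fragment for the CCR2116 side. This is an added example, not the poster's redacted export or anything from the reply: the interface names (ether1 as WAN, sfp-sfpplus1..4 as the bond members, an interface list named LAN) are assumptions, and the drop rule uses the 192.168.2.9 -> 192.168.3.20 test case from the question. Only the forward chain is shown; the poster's existing input-chain and NAT rules are left alone.

```routeros
# Added example for the CCR2116 (not the poster's own config).
# Assumed names: ether1 = WAN, sfp-sfpplus1..sfp-sfpplus4 = bond members
# towards the CRS354, "LAN" = interface list holding the VLAN interfaces.

# 1. Ports that carry traffic you want the firewall to see must not be
#    L3 hardware offloaded. The WAN port is assumed to already have this;
#    the four bond members are the ones that still need it.
/interface ethernet
set [ find default-name=ether1 ] l3-hw-offloading=no
set [ find default-name=sfp-sfpplus1 ] l3-hw-offloading=no
set [ find default-name=sfp-sfpplus2 ] l3-hw-offloading=no
set [ find default-name=sfp-sfpplus3 ] l3-hw-offloading=no
set [ find default-name=sfp-sfpplus4 ] l3-hw-offloading=no

# 2. Forward chain. The fasttrack rule stays and keeps hw-offload=yes, so
#    flows that have already passed the firewall can go back to hardware.
#    It only matches established/related packets, so the first packet of a
#    new connection still walks the rules below it.
/ip firewall filter
add chain=forward action=fasttrack-connection \
    connection-state=established,related hw-offload=yes \
    comment="fasttrack (keep hw-offload=yes)"
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# Test case from the question: 192.168.2.9 must not reach 192.168.3.20.
# Placed before any inter-VLAN accept so the SYN is dropped on the CPU
# and the connection never becomes established/fasttracked.
add chain=forward action=drop src-address=192.168.2.9 dst-address=192.168.3.20 \
    comment="test: block 2.9 -> 3.20"

# Whatever inter-VLAN and LAN->WAN traffic should be permitted goes here.
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="LAN to internet"

# The DENY ALL at the end of forward, as the poster described.
add chain=forward action=drop comment="drop everything else"

# 3. Checks: no bond member should still be offloaded, and the test drop
#    rule's counters should climb when 192.168.2.9 tries port 80 on 3.20.
/interface ethernet print where l3-hw-offloading=yes
/ip firewall filter print stats where chain=forward
```

After applying this, repeat the test from 192.168.2.9 to 192.168.3.20:80; the packet should now show up in a sniff on the CCR2116 and in the counter of the test drop rule. The earlier symptom (no packets visible in the sniffer at all) is consistent with the flow being switched in hardware without ever reaching the CPU, which is exactly what turning off l3-hw-offloading on the bond members changes.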