Firewall does not drop incoming multicast packets (224.0.0.252)

Hey

Running ROS 7.6 it seems that the firewall is not able to drop packets hitting router ether1 interface with DST IP address 224.0.0.252.
Tried blocking using DST packet type as Multicast, blocking by dst IP address as /32 and 224/8 and also blocking by src IP address sending these packets. None of them works when checked by logging.
Also tried input chain and forward chain!
Probably something wrong with the firewall blocking incoming multicast packets in ROS v7.6?

Did you try to add it as “raw” rule?

Keep in mind that whatever you block with firewall (either raw or filter) will still arrive at WAN interface (torch will show it), it just won’t be forwarded anywhere … which is already the case with multicast traffic unless you have IGMP snooping enabled or installed and configured multicast router (not part of ROS).

Yes, I know that the Torch shows whatever is passing.
By “Not Working”, I meant not being logged. If it was filtered then it must also be logged (of course when logging is enabled).
So I blocked ALL incoming packets from the subnet sending massive broadcast and multicast packets BUT everything is dropped other than 224.a.b.c DST addresses (based on what I see in logs).

It worked with Raw rules… Any comment on “Why”?!

Not really, except that my understanding of “raw” means it sits very close to the interface itself at the point where dropping various stuff is not consuming much resources (e.g. no connection tracking etc.)
Firewall RAW table allows to selectively bypass or drop packets before connection tracking that way significantly reducing load on CPU.
RAW table does not have matchers that depend on connection tracking ( like connection-state, layer7 etc.).

Could this be a bug in ROS 7.6 or something by design when working with multicasts?!
How can we mention the MikroTik dev team here?