Firewall filter by Interfaces

Hello MikroTik community,
I have a CRS109 router (v6.47.7) and I am trying to create a firewall filter by interfaces.

Simple example:
Device A is on ether2
On ether8 port 22 from A should be reachable
On ether7 port 22 from A should not be reachable

I have already tried for a while, but in order to use In-Interface in the firewall rule, the Interface must be a master.
“in/out-interface matcher not possible when interface (ether7) is slave - use master instead (bridge)”
If ether7 is a master (I removed it from the bridge), the error in the firewall is gone but without bridge I cannot connect to device A.

Is this even possible? Or have I misunderstood something?
I would be glad if you could help me.
~port

Look into bridge filter rules; that might be what you need.

Hello CZFan,

Thank you for your answer.
That’s probably what I was looking for, but it doesn’t work yet.

I would like to block all port 22 connections to the device on ether3 from ether8.
The bridge filter I added is:

/interface bridge filter add chain=forward action=drop in-interface=ether8 out-interface=ether3 mac-protocol=ip dst-port=22 ip-protocol=tcp log=no log-prefix=""

But I can still connect to port 22.
What am I doing wrong?

~port

Probably because it's being offloaded to the switch chip. You can work around this by disabling “Hardware Offload” in Bridge -> Ports, but that will cause a reduction in performance on those ports.

Best then will be to configure a switch ACL / filter rule. Sorry, I don't have access to a CRS device at the moment to confirm the configuration required; maybe someone else with access to a CRS will chime in.

Thank you CZFan

If I disable “Hardware Offload” the bridge filter works. That’s what I was looking for.
It is true, the performance is a bit slower, but acceptable.

I have also tried to use the switch ACL filter, but there is an error: “Couldn't add New Switch ACL Rule - policy rules are not supported on this switch chip (6)”.
If I got that right, then it doesn’t work on my router.
Maybe someone knows another method, without the performance reduction.

~port

Unfortunately, it seems the CRS109 switch chip does not support ACL.

https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches#Summary

EDIT:
I don't know which of the methods below will have the worse performance hit on the CRS109 device, but you can try both:

  1. Bridge filter as per previous posts
    or
  2. Enable “Use IP Firewall” in bridge settings, then create a firewall rule in IP Firewall Filter to block what is needed (remember to re-enable Hardware Offload on the ports)

The first method works fine.

But if I use the second method there is still the problem from my first post.

“in/out-interface matcher not possible when interface (ether7) is slave - use master instead (bridge)”
If ether7 is a master (I removed it from the bridge), the error in the firewall is gone but without bridge I cannot connect to device A.

I have enabled “Use IP Firewall” and “Hardware Offload”.

Use the “in/out-bridge-port” properties under the Advanced tab, i.e.

/ip firewall filter
add action=drop chain=forward dst-port=22 out-bridge-port=ether7 protocol=tcp
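For the scenario in the first post (device A on ether2, TCP/22 allowed towards ether8, blocked towards ether7), here is both methods from this thread written out as a complete RouterOS v6 configuration. This is an added example, not a config posted by anyone in the thread or by MikroTik; the bridge name `bridge` and the interface names are assumed, and the `hw=` settings follow the advice given above (off for the bridge filter, back on for the IP firewall method). The `print stats` commands at the end are the check: the drop rule's packet counter should increase when you try to reach ether7:22 from A, and stay at zero for ether8:22.

```routeros
# --- Method 1: bridge filter (layer 2) ---
# Bridge filters only see frames the CPU forwards, so hardware offload
# must be disabled on the ports involved (the performance cost noted above).
/interface bridge port
set [find interface=ether2] hw=no
set [find interface=ether7] hw=no
set [find interface=ether8] hw=no

/interface bridge filter
# mac-protocol=ip and ip-protocol=tcp are required before dst-port can match
add chain=forward in-interface=ether2 out-interface=ether7 \
    mac-protocol=ip ip-protocol=tcp dst-port=22 action=drop \
    comment="A (ether2) -> ether7 tcp/22 blocked"
# No rule matches ether8, so A -> ether8:22 is still forwarded.

# --- Method 2: IP firewall with bridge-port matchers (layer 3) ---
# Frames switched between ports of the same bridge do not enter /ip firewall
# unless use-ip-firewall is enabled. in/out-interface cannot name a slave
# port (the error in the first post); in/out-bridge-port can.
/interface bridge settings
set use-ip-firewall=yes

# Re-enable hardware offload as suggested above (assumed; verify with the
# counters below whether the rule is actually hit on your hardware).
/interface bridge port
set [find interface=ether2] hw=yes
set [find interface=ether7] hw=yes
set [find interface=ether8] hw=yes

/ip firewall filter
add chain=forward in-bridge-port=ether2 out-bridge-port=ether7 \
    protocol=tcp dst-port=22 action=drop \
    comment="A (ether2) -> ether7 tcp/22 blocked"

# --- Check: packet/byte counters should rise on the drop rule when testing
# A -> ether7:22, and the connection to ether8:22 should still succeed.
/interface bridge filter print stats
/ip firewall filter print stats
```

Only one of the two methods is needed; keep the bridge filter if you can afford the offload loss on those three ports, otherwise use the IP firewall rule and confirm with the counters that it is matching before relying on it.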