ocgltd
November 28, 2024, 9:50pm
1
I have a RB4011iGS+ and have set up one of the ethernet interfaces as 192.168.88.253, and connected to that interface is a device with IP 192.168.88.1.
I have set up a forwarding rule to pass all packets going in and out of that interface (ether10). But this rule never matches, and I log the failure as shown below.
I see that the interfaces for this packet (input and output) are both “unknown” in the log. Why? I need to match my firewall rule based on source interface (ether10) but if the interface is never recognized as ether10 then the rule won’t work. What’s wrong here? Why is the interface name (port) missing?
anav
November 28, 2024, 9:58pm
2
No idea without seeing the config.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, VPN keys etc.)
ocgltd
November 28, 2024, 10:03pm
3
I’m afraid to post that as:
It’s embarrassingly ugly (I learned how to set up a firewall on this box).
I’m afraid I will accidentally let something private slip into the output so that now the whole internet can get into my firewall.
I’ve put lots of comments that mention my customer names etc. and would have to strip all that out.
Can I post just the interfaces, addresses, and routing table as below? (probably not enough, but maybe you see something stupid there already)
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; Internal general network
0 172.31.254.1/24 172.31.254.0 bridge1-internal
1 172.31.250.1/24 172.31.250.0 ether5-wifilink
2 172.31.253.1/24 172.31.253.0 vlan10-Voice
3 172.31.252.1/24 172.31.252.0 vlan30-entertainment
4 172.31.251.1/24 172.31.251.0 vlan20-cameras
5 172.31.249.1/24 172.31.249.0 vlan40-guestwifi
;;; Road warrior WireGuard interface
6 172.31.247.1/24 172.31.247.0 wgRoadWarriors
;;; Mobile Hotspot Client Network
7 172.31.246.1/32 172.31.246.1 ether10-externalbackup
8 D x.x.x.x/27 x.x.x.x ether1-externalprimary
9 D 192.168.88.253/24 192.168.88.0 ether10-externalbackup
10 D 10.6.0.1/32 10.6.0.1 ether1-externalprimary
# DST-ADDRESS GATEWAY DISTANCE
0 Xs 172.31.232.0/24 l2tp-tunnel-from-XXXXX 1
1 Xs 172.31.246.0/24 172.31.246.1 1
DAd 0.0.0.0/0 x/x/x/x 1
;;; HOST-ON-WAN-PRIMARY
2 As 1.1.1.1/32 x.x.x.x 1
;;; HOST-ON-WAN-BACKUP
3 As 9.9.9.9/32 x.x.x.x 1
DAc 10.6.0.1/32 ether1-externalprimary 0
DAc x.x.x.x/27 ether1-externalprimary 0
4 As 172.31.231.0/24 172.31.247.2 2
5 As 172.31.232.0/24 172.31.247.2 2
6 As 172.31.233.0/24 172.31.247.2 2
7 As 172.31.234.0/24 172.31.247.2 2
8 As 172.31.235.0/24 172.31.247.2 2
9 IsH 172.31.246.0/24 172.31.246.1 1
DAc 172.31.246.1/32 ether10-externalbackup 0
DAc 172.31.247.0/24 wgRoadWarriors 0
DAc 172.31.249.0/24 vlan40-guestwifi 0
DAc 172.31.250.0/24 ether5-wifilink 0
DAc 172.31.251.0/24 vlan20-cameras 0
DAc 172.31.252.0/24 vlan30-entertainment 0
DAc 172.31.253.0/24 vlan10-Voice 0
DAc 172.31.254.0/24 bridge1-internal 0
0 R ether1-externalprimary ether 1500 1592 9578 08:55:31:06:F4:73
1 RS ether2-internal ether 1500 1592 9578 08:55:31:06:F4:74
2 XS ether3 ether 1500 1592 9578 08:55:31:06:F4:75
3 XS ether4 ether 1500 1592 9578 08:55:31:06:F4:76
4 R ether5-wifilink ether 1500 1592 9578 08:55:31:06:F4:77
5 X ether6 ether 1500 1592 9578 08:55:31:06:F4:78
6 X ether7 ether 1500 1592 9578 08:55:31:06:F4:79
7 X ether8 ether 1500 1592 9578 08:55:31:06:F4:7A
8 X ether9 ether 1500 1592 9578 08:55:31:06:F4:7B
9 R ether10-externalbackup ether 1500 1592 9578 08:55:31:06:F4:7C
10 X sfp-sfpplus1 ether 1500 1600 9586 08:55:31:06:F4:7D
11 R bridge1-internal bridge 1500 1592 08:55:31:06:F4:74
12 X l2tp-tunnel-from-xxxx l2tp-in
13 X xxxx-tunnel gre-tunnel 1476 65535
14 X pptp-tunnel-from-xxx pptp-in
15 R vlan10-Voice vlan 1500 1588 08:55:31:06:F4:74
16 R vlan20-cameras vlan 1500 1588 08:55:31:06:F4:74
17 R vlan30-entertainment vlan 1500 1588 08:55:31:06:F4:74
18 R vlan40-guestwifi vlan 1500 1588 08:55:31:06:F4:74
;;; Wireguard interface for mobile users
19 R wgRoadWarriors wg 1420
anav
November 28, 2024, 10:13pm
4
jpegs mean little to me, also hard on my old eyes LOL.
ocgltd
November 29, 2024, 1:40am
5
It is a text cut & paste!
anav
November 29, 2024, 4:16am
6
Regardless, not the config.
mkx
November 29, 2024, 4:50am
7
At least post the exact rule which doesn’t work for you.
And a detail, it might be a hint: firewall rules may be executed before the egress interface is known; the routing decision is made after most firewall processing is done.
Also: screenshot in opening post also hints that ping is originated from router itself, pinging own IP address … and that works entirely within its IP stack, so no interfaces are ever involved.
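As an added illustration of the two points raised in this thread (the rule in the opening post that never matches, and the note above that the chain a packet traverses decides which interface fields are populated), here is a small set of logging rules, not from any poster's config, that makes the packet path visible in the log. It assumes the interface is referenced by its full RouterOS name as shown in the interface list (ether10-externalbackup), that the rules are inserted above any existing drop rules, and that the log prefixes are arbitrary labels chosen for this example.

```routeros
# Added example (not from the thread). One accept+log rule per chain so the log
# shows which chain a packet hit and which interface fields were filled in.
/ip firewall filter
# Transit traffic: both in-interface and out-interface are known here.
add chain=forward in-interface=ether10-externalbackup action=accept \
    log=yes log-prefix="EX-fwd-in-eth10" place-before=0
add chain=forward out-interface=ether10-externalbackup action=accept \
    log=yes log-prefix="EX-fwd-out-eth10" place-before=0
# Traffic addressed to the router itself: only in-interface is meaningful.
add chain=input in-interface=ether10-externalbackup action=accept \
    log=yes log-prefix="EX-in-eth10" place-before=0
# Traffic generated by the router itself: only out-interface is meaningful;
# in-interface is never set, so an in-interface match can never hit here.
add chain=output out-interface=ether10-externalbackup action=accept \
    log=yes log-prefix="EX-out-eth10" place-before=0

# Test 1: ping the router's own address from the router. This stays inside the
# IP stack and hits none of the rules above (no log line at all).
/ping 192.168.88.253 count=3
# Test 2: ping the attached device from the router. Expect "EX-out-eth10" in the
# log (output chain, out-interface set, in-interface unknown).
/ping 192.168.88.1 src-address=192.168.88.253 count=3
# Test 3: from the 192.168.88.1 device, send traffic to another network behind
# the router. Expect "EX-fwd-in-eth10" (forward chain, in-interface set).

# Read back the result and remove the example rules afterwards.
/log print where message~"EX-"
/ip firewall filter remove [find log-prefix~"^EX-"]
```

The point of the three tests is that a forward-chain rule keyed on in-interface is only ever evaluated for transit packets; a ping issued on the router, whether to its own address or to the neighbour, cannot exercise it, so the "unknown" interface in the opening post's log is consistent with locally generated traffic rather than with a misconfigured interface.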