The DEFACTO DEFAULT FIREWALL Setup: corrected the link, removed the sid from the end, it should work now. (Also edited the link in the previous post.)
Oh, now I've scrolled to your 3rd post and taken a closer look at your export. Your device is a
And you have enabled
You have only one bridge, which is correct for this device if you want L3HW offloading, but your bridge only has a single port, which is your LAN port.
This is a Frankenstein configuration. Not all ports are in the bridge, so depending on the settings, part of the packets might be routed by hardware, bypass the CPU firewall, and show undefined behaviour. Also please note that your device's switch chip has no hardware offload for NAT and Fasttrack (see L3 Hardware Offloading - RouterOS - MikroTik Documentation).
Now you'll have to check the value of l3-hw-offloading on the sfp-sfpplus2 port and make sure it's not turned on. Better, because your bridge only has one port, is to turn off l3-hw-offloading completely at the switch level:
/interface ethernet switch
set 0 l3-hw-offloading=no
This makes sure that the CPU is used for routing and that all firewall rules work as expected (FW rules are processed by the CPU). Your switch chip has no Fasttrack and NAT L3HW support, so L3HW is only useful when you put more (all) ports in the single bridge, configure bridge VLAN filtering, and let L3HW route between VLANs, but without NAT and without firewall rules. Blocking between VLANs would need to be implemented using the switch rules (ACL).
(Note: the Fasttrack mention only applies to the CRS & CCR with the higher-end switch chip families; see L3 Hardware Offloading - RouterOS - MikroTik Documentation.)
My guess is that if you disable that l3-hw-offloading setting, you'll see the return traffic blocked by that drop rule at the top, as expected. Your current setup with l3-hw-offloading=yes and ports in & out of the single bridge causes unexpected effects, among them that the FW doesn't see all packets.
EDIT: Routing with the CPU of course means your device with the dual-core 800MHz CPU will not be able to achieve multi-gig routing throughput, even with fasttrack turned on. Expect 1Gbps with fasttrack and 270Mbps without fasttrack.
So you might need to study the link above and implement L3HW properly, which probably means:
- Put all ports in a single bridge, even the WAN port
- Configure VLANs, with the WAN port in a separate VLAN
- Turn off l3-hw-offloading on that WAN port, so that traffic between it and the others is handled by the CPU (for FW and NAT)
- Turn on l3-hw-offloading on the other LAN & DMZ ports
- Do not use the firewall rules to block/allow inter-VLAN traffic; instead...
- Write switch ACL rules if you want to block access between the VLANs
- Turn on l3-hw-offloading on the switch chip.
LAN-WAN traffic would still be slow (limited by the slow CPU, because NAT can only be processed by the CPU FW). But at least routing between the VLANs will be done by L3HW and achieve the full speed of the SFP+ ports. However, don't forget that this traffic bypasses the firewall.
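The bridge + VLAN + per-port L3HW layout described in the post above, written out as a RouterOS configuration. This is an added example, not from the original post and not from MikroTik's documentation. Everything beyond what the thread states is an assumption for illustration: sfp-sfpplus1 as the LAN port, sfp-sfpplus2 as the WAN port (the port named above), sfp-sfpplus3 as the DMZ port, VLAN IDs 10/20/30, the subnets 192.168.10.0/24 and 192.168.30.0/24, and the switch name switch1.

```routeros
# Added example (not from the original thread). Assumed port roles:
#   sfp-sfpplus1 = LAN, sfp-sfpplus2 = WAN, sfp-sfpplus3 = DMZ
# Assumed VLAN IDs: 10 = LAN, 20 = WAN, 30 = DMZ. Assumed switch name: switch1.

# 1) One bridge holding every port, WAN included, with VLAN filtering
/interface bridge
add name=bridge1 vlan-filtering=yes

/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 pvid=10 comment=LAN
add bridge=bridge1 interface=sfp-sfpplus2 pvid=20 comment=WAN
add bridge=bridge1 interface=sfp-sfpplus3 pvid=30 comment=DMZ

# bridge1 (the CPU) must be a tagged member of every VLAN that gets an
# /interface vlan, otherwise routing, NAT and the firewall never see it.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=sfp-sfpplus1
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=sfp-sfpplus2
add bridge=bridge1 vlan-ids=30 tagged=bridge1 untagged=sfp-sfpplus3

/interface vlan
add name=vlan10-lan interface=bridge1 vlan-id=10
add name=vlan20-wan interface=bridge1 vlan-id=20
add name=vlan30-dmz interface=bridge1 vlan-id=30

/ip address
add address=192.168.10.1/24 interface=vlan10-lan
add address=192.168.30.1/24 interface=vlan30-dmz
/ip dhcp-client
add interface=vlan20-wan disabled=no

# 2) L3HW off on the WAN port only: anything entering or leaving via WAN
#    stays on the CPU path, so /ip firewall filter and src-nat still apply.
#    LAN and DMZ ports keep offloading on.
/interface ethernet
set sfp-sfpplus2 l3-hw-offloading=no
set sfp-sfpplus1,sfp-sfpplus3 l3-hw-offloading=yes

# 3) Inter-VLAN policy in the switch ACL, because offloaded LAN<->DMZ
#    routing bypasses the CPU firewall entirely. Switch rules are stateless
#    and first-match, so the return half of an allowed flow needs its own
#    permit rule ahead of the drop. An empty new-dst-ports drops the frame.
/interface ethernet switch rule
add switch=switch1 ports=sfp-sfpplus3 src-address=192.168.30.0/24 \
    dst-address=192.168.10.0/24 protocol=tcp src-port=443 \
    comment="DMZ -> LAN: only https replies to LAN clients"
add switch=switch1 ports=sfp-sfpplus3 src-address=192.168.30.0/24 \
    dst-address=192.168.10.0/24 new-dst-ports="" \
    comment="DMZ -> LAN: drop everything else"

# 4) Only now turn on L3HW on the switch chip (the opposite of the
#    single-port fix given earlier in the thread)
/interface ethernet switch
set 0 l3-hw-offloading=yes

# CPU-path rules: these only see traffic that crosses the WAN VLAN
/ip firewall nat
add chain=srcnat out-interface=vlan20-wan action=masquerade
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=vlan20-wan connection-state=new \
    connection-nat-state=!dstnat action=drop
```

The order matters: the switch ACL is in place before `l3-hw-offloading=yes` is set on the switch chip, so there is no window where DMZ hosts can reach LAN through the hardware path unfiltered. After applying, `/ip route print` marks hardware-offloaded routes with the H flag; the LAN and DMZ connected routes should carry it, and a LAN-to-DMZ iperf should reach SFP+ line rate while LAN-to-WAN stays bounded by the CPU as described above.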
Thx for all this information and analysis. I've disabled the HW-offloading.
This router is only used as an internet router with port-forwarding and a VPN tunnel; my internet connection at this site is 200Mb / 100Mb, so the CPU should not be OK. The rest of the infra has other switches that are on SwOS.
My next setup will have a router with the horsepower to handle 10G internet connection firewalling. Before that, I'll work with what I have.
I've learned a lot (and am not finished learning) while implementing the actual setup and talking with you guys on the forum.
Thx for the help
Have a nice day
Clair