Hi all,
I have checked several posts giving some hints about making a transparent bridge firewall with MikroTik devices. I am having a hard time getting it to work.
My setup:
Router <> transparent fw <> Switch environment
CRS354 as transparent fw with the following setup:
/interface bridge
add admin-mac= auto-mac=no fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge pvid=30 vlan-filtering=yes
/interface vlan
add comment=ADM interface=bridge name=VLAN-30 vlan-id=30
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether8 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged hw=no ingress-filtering=yes interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged hw=no ingress-filtering=yes interface=ether2
/interface bridge vlan
add bridge=bridge comment=ADM tagged=bridge,ether1,ether2 untagged=ether9 vlan-ids=30
add bridge=bridge comment=TEST tagged=bridge,ether1,ether2 untagged=ether8 vlan-ids=10
/ip address
add address=192.168.88.12/24 comment="ADM" interface=ether49 network=192.168.88.0
add address=192.168.100.110/24 comment="ADMIP" interface=VLAN-30 network=192.168.100.0
/ip route
add distance=1 gateway=192.168.100.1
After this I can use ether8 as a test port and connect a laptop to test the firewall; then
- activate both ‘use ip firewall’ and ‘use ip firewall for VLAN’
- create a simple rule like
/ip firewall filter
add action=drop chain=forward dst-address=0.0.0.0 log=yes protocol=icmp src-address=0.0.0.0
Expecting the laptop not to be able to ping anywhere.
I played with in/out interfaces and in/out bridge ports with no luck; obviously I am missing the right step/config.
Can you give me some hint?
Thanks in advance, best regards,
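Added example, not part of the post above: a small evaluator of RouterOS-style filter matchers that shows how the posted rule's address matchers are interpreted. In RouterOS a bare address such as src-address=0.0.0.0 is the single host 0.0.0.0 (a /32), while "any" is expressed by omitting the matcher or writing 0.0.0.0/0; the laptop address and ping target below are constructed, and the rule reaches /ip firewall filter only once the bridge settings use-ip-firewall / use-ip-firewall-for-vlan are enabled, as the post describes.

```python
import ipaddress
import shlex

# The rule exactly as posted, and the same rule with the address matchers
# written as "any" prefixes. Both are constructed test inputs for this example.
RULE_AS_WRITTEN = ("add action=drop chain=forward dst-address=0.0.0.0 "
                   "log=yes protocol=icmp src-address=0.0.0.0")
RULE_ANY_ADDRESS = ("add action=drop chain=forward dst-address=0.0.0.0/0 "
                    "log=yes protocol=icmp src-address=0.0.0.0/0")

# Constructed packet: a laptop on the test VLAN pinging a public address.
LAPTOP_PING = {"chain": "forward", "src": "10.10.10.50",
               "dst": "8.8.8.8", "proto": "icmp"}


def parse_rule(line):
    """Turn a RouterOS 'add key=value ...' line into a dict of matchers."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError("expected a line starting with 'add'")
    rule = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        rule[key] = value
    return rule


def address_matches(matcher, ip):
    """RouterOS semantics: absent matcher means any address; a bare address
    is a single host (/32); an a.b.c.d/len value is a prefix."""
    if matcher is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(matcher, strict=False)


def rule_matches(rule, packet):
    """True when every matcher present in the rule accepts the packet."""
    if rule.get("chain") != packet["chain"]:
        return False
    if "protocol" in rule and rule["protocol"] != packet["proto"]:
        return False
    return (address_matches(rule.get("src-address"), packet["src"])
            and address_matches(rule.get("dst-address"), packet["dst"]))


def ping_dropped(rule_line, packet=LAPTOP_PING):
    """Would this drop rule catch the constructed laptop ping?"""
    rule = parse_rule(rule_line)
    return rule.get("action") == "drop" and rule_matches(rule, packet)
```

Running ping_dropped on the two rule lines shows that the rule as posted never matches the laptop's traffic, because 0.0.0.0 as a host matcher only covers packets from or to 0.0.0.0 itself.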