Help Filtering in Bridge Filter by Subnet Network.

Hi everybody,

I am a WISP and I provide connectivity by DHCP. For security reasons I have a bridge firewall (layer 2) with the customers' MAC addresses, and below them 3 rules with different subnets where there are a lot of IP cameras and servers. I need to allow these last subnets so that these devices keep working, but the rules don't work.

This is the firewall:

add chain=input comment="CUSTOMER 5" in-bridge=bridge-de-servicio \
    src-mac-address=24:A4:3C:XX:XX:6F/FF:FF:FF:FF:FF:FF
add chain=input comment="CUSTOMER 111" in-bridge=bridge-de-servicio \
    src-mac-address=00:27:22:XX:XX:3F/FF:FF:FF:FF:FF:FF
add chain=input comment="CUSTOMER 203" in-bridge=bridge-de-servicio \
    src-mac-address=24:A4:3C:XX:XX:84/FF:FF:FF:FF:FF:FF
add chain=input comment="CUSTOMER 93" in-bridge=bridge-de-servicio \
    src-mac-address=00:27:22:XX:XX:3C/FF:FF:FF:FF:FF:FF
add chain=input comment="CUSTOMER 67" in-bridge=bridge-de-servicio \
    src-mac-address=24:A4:3C:XX:XX:2B/FF:FF:FF:FF:FF:FF

add chain=input comment="EXCEPCIONES   190.100.129.0/24" \
    in-bridge=bridge-de-servicio mac-protocol=ip src-address=190.100.129.0/24
add chain=input comment="EXCEPCIONES   190.100.143.0/29" \
    mac-protocol=ip src-address=190.100.143.0/29
add chain=input comment="EXCEPCIONES   190.100.130.0/24" \
    in-bridge=bridge-de-servicio mac-protocol=ip src-address=190.100.130.0/24

add action=drop chain=input comment="DROP EVERITHING ELSE" \
    in-bridge=bridge-de-servicio

The first rules, filtering by src-mac-address, are working very well, but the next rules, like this one:

add chain=input comment="EXCEPCIONES 190.100.129.0/24" \
    in-bridge=bridge-de-servicio mac-protocol=ip src-address=190.100.129.0/24

aren't working (they are matching packets), because the last rule, for an unknown reason, is dropping all the traffic to this entire block.

Then I selected "Log Prefix" and I could see the following log:

64:70:02:13:0c:b6, eth-proto 0800, UDP, 190.100.143.2:53->118.250.157.19:35081, len 78 
nov/10 23:54:26 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, UDP, 190.100.143.2:53->50.183.90.43:48537, len 72 
nov/10 23:54:26 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, UDP, 190.100.143.2:53->67.37.248.61:31881, len 78 
nov/10 23:54:26 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, TCP (RST,PSH,URG), 190.100.143.2:25->82.104.205.7:58720, len 40 
nov/10 23:54:26 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, TCP (SYN,ACK), 190.100.143.2:25->82.104.205.7:58874, len 52 
nov/10 23:54:27 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, TCP (ACK,PSH), 190.100.143.2:25->82.104.205.7:58874, len 78 
nov/10 23:54:27 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, UDP, 190.100.143.2:53->36.226.227.149:11099, len 76 
nov/10 23:54:27 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, UDP, 190.100.143.2:53->29.234.127.189:47505, len 74 
nov/10 23:54:27 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, UDP, 190.100.143.2:53->44.68.84.218:43874, len 72 
nov/10 23:54:27 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, UDP, 190.100.143.2:53->117.230.190.191:43149, len 78 
nov/10 23:54:27 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, TCP (URG), 190.100.143.2:25->82.104.205.7:58874, len 40 
nov/10 23:54:27 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, TCP (ACK,PSH), 190.100.143.2:25->82.104.205.7:58874, len 123 
nov/10 23:54:28 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, UDP, 190.100.143.2:53->54.175.214.221:16957, len 72 
nov/10 23:54:28 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, TCP (ACK,PSH), 190.100.143.2:25->82.104.205.7:58874, len 76 
nov/10 23:54:28 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, UDP, 190.100.143.2:53->76.251.253.11:38147, len 64 
nov/10 23:54:28 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, UDP, 190.100.143.2:53->35.218.179.174:63842, len 78 
nov/10 23:54:28 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, TCP (RST,FIN,PSH), 190.100.143.2:25->82.104.205.7:58874, len 40 
nov/10 23:54:28 firewall,info ACCEPT firewall input: in:vlan301 out:(none), src-mac 00:60:08:XX:XX:4a, dst-mac 64:70:02:13:0c:b6, eth-proto 0800, TCP (SYN,ACK), 190.100.143.2:25->82.104.205.7:59028, len 52

Any help will be appreciated

Sorry for my poor English.

Best regards.

Some help please!!
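A simplified first-match model of the chain as posted, added here as an example (it is neither the poster's configuration nor RouterOS code); it assumes every property a rule sets must match the frame, the first matching rule decides, and frames matching no rule are accepted. The redacted XX:XX octets are replaced by constructed placeholders. Evaluating a few constructed frames shows which rule each one lands on, including a non-IP frame (ARP) from an unlisted MAC, which cannot satisfy the src-address exceptions and falls through to the final drop.

```python
import ipaddress

# Added example: simplified model of the posted bridge-filter input chain.
# Assumptions (mine, not RouterOS internals): a rule matches only if every
# property it sets matches the frame; the first match decides; frames that
# match no rule are accepted. XX:XX octets are constructed placeholders.
BRIDGE = "bridge-de-servicio"
RULES = [
    {"comment": "CUSTOMER 5", "in_bridge": BRIDGE,
     "src_mac": "24:A4:3C:00:00:6F/FF:FF:FF:FF:FF:FF"},
    {"comment": "CUSTOMER 111", "in_bridge": BRIDGE,
     "src_mac": "00:27:22:00:00:3F/FF:FF:FF:FF:FF:FF"},
    {"comment": "EXCEPCIONES 190.100.129.0/24", "in_bridge": BRIDGE,
     "mac_protocol": 0x0800, "src_address": "190.100.129.0/24"},
    {"comment": "EXCEPCIONES 190.100.143.0/29",  # no in-bridge, as posted
     "mac_protocol": 0x0800, "src_address": "190.100.143.0/29"},
    {"comment": "EXCEPCIONES 190.100.130.0/24", "in_bridge": BRIDGE,
     "mac_protocol": 0x0800, "src_address": "190.100.130.0/24"},
    {"comment": "DROP EVERITHING ELSE", "in_bridge": BRIDGE, "action": "drop"},
]

def _mac_int(mac):
    return int(mac.replace(":", ""), 16)

def mac_matches(spec, frame_mac):
    """spec is 'MAC/MASK' as written in RouterOS; only masked bits are compared."""
    mac, mask = spec.split("/")
    m = _mac_int(mask)
    return (_mac_int(frame_mac) & m) == (_mac_int(mac) & m)

def rule_matches(rule, frame):
    if "in_bridge" in rule and frame["in_bridge"] != rule["in_bridge"]:
        return False
    if "src_mac" in rule and not mac_matches(rule["src_mac"], frame["src_mac"]):
        return False
    if "mac_protocol" in rule and frame["eth_proto"] != rule["mac_protocol"]:
        return False
    if "src_address" in rule:
        # A non-IP frame (e.g. ARP, 0x0806) carries no IPv4 source to compare.
        if frame.get("src_ip") is None:
            return False
        if ipaddress.ip_address(frame["src_ip"]) not in \
                ipaddress.ip_network(rule["src_address"]):
            return False
    return True

def evaluate(frame, rules=RULES):
    """Return (action, comment) of the first matching rule, or ('accept', None)."""
    for rule in rules:
        if rule_matches(rule, frame):
            return rule.get("action", "accept"), rule["comment"]
    return "accept", None
```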