how to block bridged packet routed through firewall

Hello,

I have an external router doing NAT translation and providing DHCP services to the internal VLANs under the bridge interface. I want to block the packets coming from the VLANs to the router except DHCP. For testing reasons, at first I wanted to block the DHCP packets and then invert the conditions. I routed the bridged packets through the firewall (use-ip-firewall and use-ip-firewall-for-vlan), marked them in the mangle prerouting chain (added packet mark: dhcp and log prefix: dhcp_prerouting:) and then wanted to block them in the filter rules input chain (packet mark: dhcp, chain: input, action: drop, log prefix: Drop-DHCP:). I log all firewall actions related to the given rules. The packet is marked correctly and then identified by the filter rule, but it still reaches the router and gets answered.

/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface vlan
add interface=bridge name=Vlan10 vlan-id=10
add interface=bridge name=Vlan20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN10 ranges=192.168.10.2-192.168.10.254
add name=VLAN20 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=VLAN10 interface=Vlan10 lease-time=1d name=Vlan10DHCP
add address-pool=VLAN20 interface=Vlan20 lease-time=1d name=Vlan20DHCP
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=20
/ip address
add address=192.168.10.1/24 interface=Vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=Vlan20 network=192.168.20.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input log=yes log-prefix=Drop-DHCP: packet-mark=dhcp
add action=accept chain=input connection-state=established
add action=drop chain=input
/ip firewall mangle
add action=mark-packet chain=prerouting dst-port=67 in-interface=bridge log=yes log-prefix=dhcp_prerouting: new-packet-mark=dhcp passthrough=yes protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat log=yes log-prefix=nat: out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

and get the following log:

*25E 21:24:25 firewall,info dhcp_prerouting: prerouting: in:bridge(ether3) out:(unknown 0), connection-state:new src-mac 00:0c:29:17:0a:63, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
*25F 21:24:25 firewall,info Drop-DHCP: input: in:Vlan20(ether3) out:(unknown 0), packet-mark:dhcp connection-state:new src-mac 00:0c:29:17:0a:63, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
*260 21:24:26 dhcp,info Vlan20DHCP assigned 192.168.20.254 for 00:0C:29:17:0A:63 MikroTik
*261 21:24:26 firewall,info dhcp_prerouting: prerouting: in:bridge(ether3) out:(unknown 0), connection-state:new src-mac 00:0c:29:17:0a:63, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
*262 21:24:26 firewall,info Drop-DHCP: input: in:Vlan20(ether3) out:(unknown 0), packet-mark:dhcp connection-state:new src-mac 00:0c:29:17:0a:63, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328

What is wrong in the configuration?
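As an added check (not part of the original post), the following Python script parses RouterOS log lines in the format shown above and correlates every `Drop-DHCP` entry with a subsequent `dhcp,info ... assigned` entry for the same MAC. A match means the drop rule fired but the request was still answered, which is exactly what the log above shows. The log text is copied from the post; the window size is an assumed default.

```python
import re
from datetime import datetime, timedelta

# Log lines as posted in the thread (copied from the original post).
LOG = """\
*25E 21:24:25 firewall,info dhcp_prerouting: prerouting: in:bridge(ether3) out:(unknown 0), connection-state:new src-mac 00:0c:29:17:0a:63, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
*25F 21:24:25 firewall,info Drop-DHCP: input: in:Vlan20(ether3) out:(unknown 0), packet-mark:dhcp connection-state:new src-mac 00:0c:29:17:0a:63, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
*260 21:24:26 dhcp,info Vlan20DHCP assigned 192.168.20.254 for 00:0C:29:17:0A:63 MikroTik
*261 21:24:26 firewall,info dhcp_prerouting: prerouting: in:bridge(ether3) out:(unknown 0), connection-state:new src-mac 00:0c:29:17:0a:63, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
*262 21:24:26 firewall,info Drop-DHCP: input: in:Vlan20(ether3) out:(unknown 0), packet-mark:dhcp connection-state:new src-mac 00:0c:29:17:0a:63, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 328
"""

# Firewall log line: "<id> <time> firewall,info <log-prefix>: <chain>: ... src-mac <mac>, ..."
FIREWALL_RE = re.compile(
    r"^\*\w+ (\d\d:\d\d:\d\d) firewall,info (\S+): .*?src-mac ([0-9a-f:]{17})", re.I)
# DHCP server lease line: "<id> <time> dhcp,info <server> assigned <ip> for <mac> ..."
LEASE_RE = re.compile(
    r"^\*\w+ (\d\d:\d\d:\d\d) dhcp,info (\S+) assigned (\S+) for ([0-9A-Fa-f:]{17})")


def parse_time(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def find_ineffective_drops(log_text, drop_prefix="Drop-DHCP", window_s=5):
    """Return (mac, drop_time, lease_ip, server) for every MAC that was logged as
    dropped under `drop_prefix` and still got a DHCP lease within `window_s` seconds.
    window_s=5 is an assumed default, not a RouterOS setting."""
    drops = {}      # mac -> list of drop timestamps seen so far
    findings = []
    for line in log_text.splitlines():
        m = FIREWALL_RE.match(line)
        if m and m.group(2) == drop_prefix:
            drops.setdefault(m.group(3).lower(), []).append(parse_time(m.group(1)))
            continue
        m = LEASE_RE.match(line)
        if m:
            when, server, ip, mac = m.groups()
            for drop_time in drops.get(mac.lower(), []):
                if timedelta(0) <= parse_time(when) - drop_time <= timedelta(seconds=window_s):
                    findings.append((mac.lower(), drop_time.strftime("%H:%M:%S"), ip, server))
                    break
    return findings


if __name__ == "__main__":
    for mac, t, ip, server in find_ineffective_drops(LOG):
        print(f"{mac}: dropped at {t} but {server} still assigned {ip}")
```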

Sorry, your requirement makes no sense. Don't care about what you want to try on the config… illogical.
What are the traffic requirements from the user perspective?
What equipment do you have and what is the network design…?

ROUTER to MT acting as a switch?? OR
ROUTER to MT acting as a ROUTER?? OR
Router to MT acting as both a switch for some vlans and router for own vlans??

The FIREWALL RULES, if the DHCP is offered from the MAIN router, should be on the MAIN ROUTER!!
The MT Router is transparent at L3 and is just carrying the L2 tagged frames from trunk port to access ports and untagged to devices…

DHCP servers use raw sockets, not regular UDP sockets as you may expect.

So whilst the DHCP packets traverse /ip firewall they are actually processed before the packets can be dropped, and from previous threads I don’t believe it is possible in /ip firewall raw either, you would have to use /bridge filter

Did you read the question carefully? It is generic and not related to any equipment.
I want to block the router access from given VLANs connected to the bridge ports of the router except DHCP requests and the management VLAN. Blocking the DHCP requests was just a test.

Tried bridge filter, could not block. Can you give more detail on this?

IIRC you will have to both identify and drop packets in the bridge. Using the IP firewall to identify them would be too late in the packet flow as the packet will have left the bridge by that point.

The minimal case to drop any DHCP requests via a bridge port would be
/interface bridge filter
add action=drop chain=input mac-protocol=ip ip-protocol=udp src-port=68 dst-port=67

Maybe it's the language barrier, maybe something else, however it seems you have not understood @anav's questions. As by now you are probably well aware, with Mikrotik there is no such thing as generic if you are using a configuration file, because of the quite different hardware and its capabilities; answering both the first and the second question is essential if you expect a right answer (as seemingly similar equipment such as the RB2011iLS-IN, the RB3011UiAS-RM and the RB4011iGS+RM require different configuration in order to achieve the same packet flow).

This would be the best solution, but I tried to do this, except for src-port=68, with logging of the packets.
It seems the packets do not go through this bridge filter rule.

Noticed HW offload is turned on → turned off. Then set the mac-protocol=vlan - then I could log the packets.
Great, but could not filter - for the ip-protocol=udp src-port=68 dst-port=67.

Any suggestions on how to go forward?

Tried different devices, RouterOS 7.13.

I probably haven’t used bridge filters with mac-protocol qualifiers since before VLAN-aware bridges were introduced. It appears that with vlan-filtering=yes on a bridge much of the bridge filtering options become unusable, all I can suggest is opening a support case with Mikrotik regarding not being able to use any mac-protocol (and the associated qualifiers for those protocols) other than vlan.

Depending on which Mikrotik you have it may be possible to use switch ACLs as a last attempt.