I have a “main” router that connects to my ISP, and it therefore has a lot of (mostly default) firewall rules. But I also must have a few firewall mangle rules (with action=change-ttl) on it that must act on packets going through the bridge.
However, when I simply turn on use-ip-firewall in bridge settings, if my understanding is correct, all bridge packets start passing through all of the firewall chains, which is not only undesirable from a performance standpoint, but is also not at all required in my case.
Which brings me to my question. Is there an efficient way to skip firewall chains for packets that are being forwarded between bridge ports when use-ip-firewall is enabled? Maybe using fasttrack or custom chains? Does anyone have any experience with this?
I’m at a bit of a loss as to where to even begin, i.e. how to match only the packets going through the bridge. I’ve tried creating a passthrough rule with in-interface=bridge out-interface=bridge, but it registers a few packets even when use-ip-firewall is disabled. Is this normal?
P.S. As an aside, it seems like it would be nice if ROS used separate custom chains for packets that are affected by use-ip-firewall, or provided the ability for you to set this up in bridge settings. In my experience, bridge-related rules are constructed in such a different way and have such a different purpose that having them in the same place as IP firewall is just a cause for confusion. Although, that, of course, is only my experience, and please do correct me if I’m wrong.
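As an added illustration (not part of the original post and not a forum answer), the setup described above written out as RouterOS commands: use-ip-firewall enabled, a counting rule for bridge-forwarded traffic, the change-ttl mangle rule limited to that traffic, and an early accept in the filter forward chain so bridged packets do not walk the remaining rules. The bridge name "bridge", the TTL value 64, and the use of place-before=0 (which assumes at least one existing filter rule) are assumptions.

```routeros
# Added example configuration; names and values are placeholders, not from the post.

# 1. Let IP packets forwarded between bridge ports traverse the IP firewall
#    (prerouting / forward / postrouting chains).
/interface bridge settings set use-ip-firewall=yes

/ip firewall mangle
# 2. Diagnostic counter only: passthrough does not alter the packet, so the
#    rule's counters show how much traffic the bridge-to-bridge matcher catches.
#    Compare "print stats" with use-ip-firewall off and on.
add chain=forward in-interface=bridge out-interface=bridge \
    action=passthrough comment="count bridge-forwarded traffic"
# 3. The TTL rewrite, restricted to traffic entering and leaving via the bridge.
#    in-bridge-port / out-bridge-port can narrow this to specific ports
#    (assumed matchers available when use-ip-firewall is enabled).
add chain=forward in-interface=bridge out-interface=bridge \
    action=change-ttl new-ttl=set:64 passthrough=yes \
    comment="rewrite TTL on bridged traffic"

/ip firewall filter
# 4. Accept bridged traffic at the top of forward so it skips the remaining
#    (mostly default) rules. This deliberately exempts LAN-to-LAN traffic from
#    those rules; anything that must still apply to it has to sit above this rule.
add chain=forward in-interface=bridge out-interface=bridge action=accept \
    place-before=0 comment="bridged traffic: skip rest of forward chain"

# 5. Verify: the accept and mangle counters should grow together once
#    use-ip-firewall is on.
/ip firewall filter print stats
/ip firewall mangle print stats
```

The accept in step 4 does not reduce the per-packet cost of entering the IP firewall at all, only the number of rules each bridged packet is evaluated against.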