Hi all,
I have a subnet configured on an interface, and I do not want it to be able to access the rest of my network. Unfortunately, when I add a firewall rule to drop packets, it is never hit and all packets are passed. My first rule is an input chain rule with the interface set to the Ethernet port, dropping all packets, and this rule is not getting hit. I have verified that packets are passing through this Ethernet interface (ether5), and even though rule 0 is set to drop all packets from ether0 it is not getting hit.
IP firewall filter:
0   chain=input action=drop in-interface=ether5 log=yes log-prefix=""
I have a laptop connected to ether5 and it is able to talk to my entire network with no packets getting dropped.
I have this interface configured as 192.168.5.0/24 with a DHCP relay to my DHCP server.
This is on a RB1100DX4 running 6.47.8.
I also cannot find any other rule getting hit with these packets which could pass them.
It’s obvious that traffic is coming in on this interface, since disabling the interface itself drops all traffic. There are no VLANs or bridges associated with this Ethernet port. The only setting I have is on the switch, where it is configured as VLAN Mode disabled, VLAN Header leave-as-is, and Default VLAN ID 5.
Note that when I do enable the rule, I can no longer ping from the router to the laptop; however, a machine on a different subnet, connected via link aggregation, CAN still ping the laptop.
I have two subnets in question.
192.168.0.0/24 is connected to a switch using link aggregation. 192.168.5.0 is connected directly to a laptop on ether5. When the above rule is in place I cannot ping from the router to the laptop, as I would expect. However, even when the rule is in place, traffic (i.e. ping) is STILL being routed between the 192.168.0.0/24 subnet and the 192.168.5.33 laptop. Shouldn’t the above rule block ALL packets being received on that interface?
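The following RouterOS filter configuration is an added example, not the poster's configuration, illustrating how the two chains split the traffic described in the post: the input chain only sees packets addressed to the router itself (pings to the router, DHCP requests to the relay, management), while packets the router forwards between interfaces traverse the forward chain. The interface name ether5 and the 192.168.5.0/24 subnet come from the post; the log prefixes and comments are assumptions.

```routeros
# Added example (not the poster's configuration). ether5 and 192.168.5.0/24
# are from the post; log prefixes and comments are assumptions.
/ip firewall filter

# --- input chain: packets whose destination is the router itself ---
# A DHCP relay answers on the router, so DHCP requests from the laptop must be
# accepted before the catch-all drop or the laptop never gets a lease.
add chain=input in-interface=ether5 protocol=udp dst-port=67 action=accept comment="DHCP requests to the relay"
add chain=input in-interface=ether5 action=drop log=yes log-prefix="ether5-input-drop" comment="no router access from ether5"

# --- forward chain: packets routed between interfaces ---
# Traffic from the laptop toward 192.168.0.0/24 (and the laptop's replies to
# hosts there) is forwarded, so it never reaches the input chain; the
# isolation rule has to live here.
add chain=forward in-interface=ether5 action=drop log=yes log-prefix="ether5-forward-drop" comment="isolate 192.168.5.0/24"

# Verify which rules are matching: the packet and byte counters printed here
# increment for each matching packet.
/ip firewall filter print stats
```

Rule order matters: the accept for UDP/67 must precede the input drop, and the forward drop must precede any earlier accept or fasttrack rule that would otherwise match the same packets. After adding the rules, `print stats` shows a non-zero counter on the forward rule as soon as a host on 192.168.0.0/24 pings the laptop, which is the check that distinguishes "rule not hit" from "rule hit but traffic still passing".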