L3 filtering between hosts on bridge

Hello Everyone
I have been a happy user of Mikrotik routers for the past years and have never been happier. Not an expert, but usually get the job done decently (as far as I can tell). But recently I stumbled across a problem I just can’t figure out.

The situation is this: RB3011 with uplink on ether1 (connected to the internet provider gateway that has forwarded an IP range to us) and some servers on ether2 through ether5. The ports are bridged together and the hosts on them are in the same network (including the ISP gateway). Bridge ip-firewall is disabled. So far so good - the hosts see the ISP gateway and can talk to it, no problem. They use the ISP gateway as their gateway address.
The bridge itself also has external IP address and I have some NAT rules for a private network behind the router.

On the other hand I have some scripts that do analysis of logs on the servers and gather a list of offending IP addresses (you know - spam robots trying to guess passwords, etc). I generate an address list and upload it to the router. There are a couple of ip firewall rules that block communication with them and that is all good.
Obviously that works only for the network that is behind the gateway - since bridge ip-firewall is disabled these rules play no role when the servers on ether2-ether5 talk to the outside world / ISP gateway.
And that is what I am trying to accomplish - have a “blacklist” of IPs and block traffic to/from them completely.

First I tried to create /bridge filter rules. Unfortunately that doesn’t seem to support lists. And for some reason experimenting with it I could not make it match traffic between the hosts on the bridge and the upstream gateway.
Next I tried enabling bridge ip-firewall so it goes through the /ip firewall rules. My understanding is I should be able to match in the raw prerouting/output chains. But again - no luck. Servers on ether2-5 were able to talk to the blacklisted IPs without a hitch.

Basically what I want is to be able to filter out traffic between hosts on the bridge, matching against ip address list. Like a switch with built-in L3 firewall between the ports.

I have searched and searched everywhere and supposedly /bridge filter should get the job done but did not work for me. I am starting to think this is because the packets just go through the internal switch IC and never even make it to the bridge, going directly to the upstream ISP gateway.

I am out of ideas really so if anyone can share thoughts on this one I would be grateful.

(skipping configuration export, because it will be a nightmare to clear out irrelevant/sensitive details…)

Thanks!

Can you confirm that I understand correctly that you have both the private and public IP address on the same bridge, and some of the devices connected to the bridge have private addresses and other devices have public addresses?


If “hardware acceleration” is active on the bridge, and the servers are in the same public IP subnet as the WAN gateway, the frames between the servers and the gateway take a shortcut via the switch chip and the CPU never sees them. So to make /interface bridge settings use-ip-firewall=yes effective, you have to disable the hardware acceleration of the bridge. But depending on the uplink bandwidth and Routerboard model, you may experience a slowdown.


If I haven’t guessed your configuration properly, you may have to export important items:

/interface bridge export
/ip address export
/ip dhcp-client export

Other than that, my automatic signature suggests what to do to keep a full configuration export anonymous.

Hi

Hardware acceleration was the trick! I did try it before but probably messed it up the first time and it didn’t help. This time I disabled it on all ports and sure thing - the packets started hitting the rules.

I actually thought that if IP Firewall is enabled, this would disable hardware acceleration, because then how would it work at all.

Anyway - thanks for the tip, sindy!
Cheers

(not that it matters, but no - the public and private network are not on the same bridge…)

use-ip-firewall is a global setting for all bridges, while hardware acceleration can be configured per port of a bridge. So the fact that setting use-ip-firewall to yes doesn’t automatically disable hardware acceleration of all ports of all bridges is no surprise. You can have as many hardware-accelerated bridges as you have independent switch chips in the machine (one hw-accelerated bridge per switch chip).

Yes, now I see my error. It really makes no sense enabling use-ip-firewall to disable all hardware offloading. I don’t know why I thought of it this way.
Oh well, it all works fine and dandy now and I have a proper firewall to fend off the hundreds of bots trying to reach our servers. Cool!
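For reference, here is the configuration this thread converges on, written out as an added example (not the original poster's export and not from the forum): a hypothetical RB3011 with ether1 as uplink and ether2-ether5 as server ports, hardware offload disabled on every bridge port, use-ip-firewall switched on, and an address list dropped in both directions in raw prerouting. The bridge name, list name and list entries are assumptions.

```routeros
# Added example, not the poster's configuration. Interface names, the bridge
# name, the list name and the list entries below are assumed/constructed.

# 1. Bridge the uplink and the server ports with hw=no on every port, so
#    frames between the servers and the ISP gateway reach the CPU instead
#    of short-cutting through the switch chip.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1 hw=no
add bridge=bridge1 interface=ether2 hw=no
add bridge=bridge1 interface=ether3 hw=no
add bridge=bridge1 interface=ether4 hw=no
add bridge=bridge1 interface=ether5 hw=no

# 2. Pass bridged traffic through the IP firewall (global, all bridges).
/interface bridge settings
set use-ip-firewall=yes

# 3. The address list the log-analysis scripts upload (constructed entries
#    from documentation ranges, not real offenders).
/ip firewall address-list
add list=blacklist address=192.0.2.10 comment="constructed example entry"
add list=blacklist address=198.51.100.0/24 comment="constructed example entry"

# 4. Drop both directions in raw prerouting, which sees every packet entering
#    the router (bridged or routed) before connection tracking.
/ip firewall raw
add chain=prerouting src-address-list=blacklist action=drop comment="blacklist inbound"
add chain=prerouting dst-address-list=blacklist action=drop comment="blacklist outbound"

# 5. Checks: no port should still be offloaded, and the rule counters should
#    climb once a server talks to a listed address.
/interface bridge port print where hw=yes
/ip firewall raw print stats
```

If the second check shows counters stuck at zero while a listed host is reachable, a port is usually still hardware-offloaded (the first check lists it), or use-ip-firewall was left at the default.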