LAN Bridge works fine only with "USE IP Firewall" option, or torch enabled

Hi,

I have a question about the correct operation of the bridge.

Namely, I have a simple network (RB750GR3 - 1WAN + 4xWAN in the bridge).

The bridge only works properly with the “Use IP Firewall” option selected or Torch running.

Otherwise, traffic only works properly on a port that has the same MAC address as the bridge’s MAC address. On the other ports, a few minutes after starting the router, packets are lost and I get a lot of timeouts.

It seems to me that all traffic in the bridge should not have to go through the firewall (this consumes a lot of processor power); I would ask for information in this regard.

Routerboard RB750Gr3 (ROS 6.45.8)

Thanks for help!

So what?
Where is the config?
Mikrotik out of the box, the bridge does work, so what have you modified?

When you say 1WAN + 4xWAN (sounds weird), is this WAN (?) or WLAN or LAN?

Sorry, 1xWAN, 4xLAN of course. I know that it should work out of the box, but it doesn't.

# feb/10/2020 16:18:51 by RouterOS 6.45.8
# software id = QCX6-3PXK
#
# model = RB750Gr3
# serial number = 8AFF0BFxxxx
/interface bridge add comment="ALL WAN INTERFACES" name=bridge0wan
/interface bridge add comment="ALL LAN INTERFACES" name=bridge1lan
/interface ethernet set [ find default-name=ether1 ] comment="WAN"
/interface ethernet set [ find default-name=ether2 ] comment="SWITCH "
/interface ethernet set [ find default-name=ether3 ] comment="AP UniFi"
/interface ethernet set [ find default-name=ether4 ] comment="QNAP LINK1"
/interface ethernet set [ find default-name=ether5 ] comment="QNAP LINK2" mac-address=C4:AD:xx:xx:xx
/interface bonding add down-delay=100ms lacp-rate=1sec mode=802.3ad name=qnap-bonding-e4-e5 slaves=ether4,ether5 up-delay=100ms
/interface ethernet switch port set 1 vlan-mode=disabled
/interface ethernet switch port set 2 vlan-mode=disabled
/interface ethernet switch port set 3 vlan-mode=disabled
/interface ethernet switch port set 4 vlan-mode=disabled
/interface ethernet switch port set 5 vlan-mode=disabled
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer add exchange-mode=ike2 name=peer1 passive=yes
/ip ipsec profile set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des
/ip pool add name="VPN POOL" ranges=192.168.30.100-192.168.30.150
/ip pool add name="LAN DHCP POOL" ranges=192.168.20.100-192.168.20.200
/ip dhcp-server add address-pool="LAN DHCP POOL" disabled=no interface=bridge1lan lease-time=1d name="LAN DHCP"
/ppp profile add change-tcp-mss=yes dns-server=xx.xx.xx.xx,1.1.1.1 local-address="VPN POOL" name=OFFICEPROFILE remote-address="VPN POOL" use-encryption=yes
/interface bridge port add bridge=bridge1lan interface=ether2
/interface bridge port add bridge=bridge0wan interface=ether1
/interface bridge port add bridge=bridge1lan interface=ether3
/interface bridge port add bridge=bridge1lan interface=qnap-bonding-e4-e5
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface detect-internet set detect-interface-list=all
/interface l2tp-server server set authentication=mschap1,mschap2 default-profile=OFFICEPROFILE enabled=yes ipsec-secret=xxxxxxx! use-ipsec=yes
/interface list member add interface=bridge0wan list=WAN
/interface list member add interface=bridge1lan list=LAN
/ip address add address=xx.xx.xx.xx/30 comment="WAN NETWORK" interface=bridge0wan network=xx.xx.xx.xx
/ip address add address=192.168.20.254/24 comment="LAN NETWORK" interface=bridge1lan network=192.168.20.0
/ip address add address=10.125.24.1/24 interface=bridge1lan network=10.125.24.0
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.254
/ip dns set servers=192.168.20.245,1.1.1.1
/ip dns static add address=192.168.88.1 name=router.lan
/ip firewall address-list add address=192.168.30.0/24 list=VPN-LOCAL
/ip firewall address-list add address=216.218.206.0/24 comment="VPN Shadowserver spam" list=BLACKLIST
/ip firewall address-list add address=xx.xx.xx.xx  list=SAFESTAR
/ip firewall address-list add address=xx.xx.xx.xx  list=SAFESTAR
/ip firewall address-list add address=xx.xx.xx.xx  list=WHITELIST
/ip firewall filter add action=drop chain=input src-address-list=BLACKLIST
/ip firewall filter add action=add-src-to-address-list address-list=BLACKLIST address-list-timeout=1h chain=input comment="Port Scanner Detect IP add to blacklist" protocol=tcp psd=21,3s,3,1 src-address-list=!WHITELIST
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="WINBOX ACCESS FROM VPN" dst-port=8291,80,443,20022 protocol=tcp src-address-list=VPN-LOCAL
/ip firewall filter add action=accept chain=input comment="IPSec UDP Ports" dst-port=500,4500 protocol=udp
/ip firewall filter add action=accept chain=input comment="L2TP UDP Ports" dst-port=1701 protocol=udp
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=INV
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix=IN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="WAN MASQUERADE" ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw add action=drop chain=prerouting comment="block open DNS server" dst-port=53 in-interface-list=WAN protocol=udp
/ip firewall raw add action=drop chain=prerouting comment="block open DNS server" dst-port=53 in-interface-list=WAN protocol=tcp
/ip route add distance=1 gateway=xx.xx.xx.xx
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh port=xxxx
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ppp aaa set use-radius=yes
/ppp secret add local-address=192.168.30.99 name=ss-backups password=xxxxxxxx profile=OFFICEPROFILE remote-address=192.168.30.100 service=l2tp
/radius add address=192.168.20.250 secret=xxxxxxxxx service=ppp,login,ipsec
/system clock set time-zone-name=Europe/Warsaw
/system identity set name=xxxxx
/system logging add prefix=RADIUS topics=radius
/system ntp client set enabled=yes primary-ntp=194.146.251.100 secondary-ntp=194.146.251.101
/system package update set channel=long-term
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/user aaa set use-radius=yes

Here is a full dump of my config; I had to add this line, and now it works fine, but it consumes CPU

/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

Ok, just read through 2 first lines (no time right now).
WAN must not be in a bridge! (the router connects bridge to the WAN by itself).

remove that one… will look later through the rest…

OK, I removed the WAN bridge (I created it for future dual-WAN plans (maybe? :) )), and changed all things assigned to it.

No changes; after disabling "Use IP Firewall" the LAN breaks and sends a lot of timeouts...

You removed also the bridge0WAN from WAN list I guess?

Could you export again the most recent config?

PS: Does your radius authentication work?

PSS: Dual WAN is not done via a “bridge”, but by routing to one or another WAN interface.
So there is no need for a bridge for the WAN side…

Don’t forget to put ether1 back in the WAN “interface list” .

change : /interface list member add interface=bridge0wan list=WAN
to /interface list member add interface=ether1 list=WAN

@WeWiNet - yes, I removed it from the list, and added ether1 to it.
Yes, RADIUS works fine for authentication in the L2TP tunnel.

Here is my fresh export

# feb/10/2020 18:22:40 by RouterOS 6.45.8
# software id = QCX6-3PXK
#
# model = RB750Gr3
# serial number = 8AFF0BFxxxx
/interface bridge add comment="ALL LAN INTERFACES" name=bridge1lan
/interface ethernet set [ find default-name=ether1 ] comment="WAN Orange"
/interface ethernet set [ find default-name=ether2 ] comment="SWITCH"
/interface ethernet set [ find default-name=ether3 ] comment="AP"
/interface ethernet set [ find default-name=ether4 ] comment="QNAP LINK1"
/interface ethernet set [ find default-name=ether5 ] comment="QNAP LINK2" mac-address=C4:AD:34:69:21:C4
/interface bonding add down-delay=100ms lacp-rate=1sec mode=802.3ad name=qnap-bonding-e4-e5 slaves=ether4,ether5 up-delay=100ms
/interface ethernet switch port set 1 vlan-mode=disabled
/interface ethernet switch port set 2 vlan-mode=disabled
/interface ethernet switch port set 3 vlan-mode=disabled
/interface ethernet switch port set 4 vlan-mode=disabled
/interface ethernet switch port set 5 vlan-mode=disabled
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer add exchange-mode=ike2 name=peer1 passive=yes
/ip ipsec profile set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des
/ip pool add name="VPN POOL" ranges=192.168.30.100-192.168.30.150
/ip pool add name="LAN DHCP POOL" ranges=192.168.20.100-192.168.20.200
/ip dhcp-server add address-pool="LAN DHCP POOL" disabled=no interface=bridge1lan lease-time=1d name="LAN DHCP"
/ppp profile add change-tcp-mss=yes dns-server=192.168.20.245,1.1.1.1 local-address="VPN POOL" name=OFFICEPROFILE remote-address="VPN POOL" use-encryption=yes
/interface bridge port add bridge=bridge1lan interface=ether2
/interface bridge port add bridge=bridge1lan interface=ether3
/interface bridge port add bridge=bridge1lan interface=qnap-bonding-e4-e5
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface detect-internet set detect-interface-list=all
/interface l2tp-server server set authentication=mschap1,mschap2 default-profile=OFFICEPROFILE enabled=yes ipsec-secret=xxxxxxx! use-ipsec=yes
/interface list member add interface=ether1 list=WAN
/interface list member add interface=bridge1lan list=LAN
/ip address add address=xx.xx.xx.xx/30 comment="WAN NETWORK" interface=ether1 network=xx.xx.xx.xx
/ip address add address=192.168.20.254/24 comment="LAN NETWORK" interface=bridge1lan network=192.168.20.0
/ip address add address=10.125.24.1/24 interface=bridge1lan network=10.125.24.0
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.254
/ip dns set servers=192.168.20.245,1.1.1.1
/ip dns static add address=192.168.88.1 name=router.lan
/ip firewall address-list add address=192.168.30.0/24 list=VPN-LOCAL
/ip firewall address-list add address=216.218.206.0/24 comment="VPN Shadowserver spam" list=BLACKLIST
/ip firewall address-list add address=xx.xx.xx.xx list=SAFESTAR
/ip firewall address-list add address=xx.xx.xx.xx list=SAFESTAR
/ip firewall address-list add address=192.168.20.0/24 comment=QNAP list=WHITELIST
/ip firewall filter add action=drop chain=input src-address-list=BLACKLIST
/ip firewall filter add action=add-src-to-address-list address-list=CHECKLIST address-list-timeout=1w chain=input comment="Port Scanner Detect IP add to checklist" protocol=tcp psd=21,3s,3,1
/ip firewall filter add action=add-src-to-address-list address-list=BLACKLIST address-list-timeout=1h chain=input comment="Port Scanner Detect IP add to blacklist" protocol=tcp psd=21,3s,3,1 src-address-list=!WHITELIST
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="WINBOX ACCESS FROM VPN" dst-port=8291,80,443,20022 protocol=tcp src-address-list=VPN-LOCAL
/ip firewall filter add action=accept chain=input comment="IPSec UDP Ports" dst-port=500,4500 protocol=udp
/ip firewall filter add action=accept chain=input comment="L2TP UDP Ports" dst-port=1701 protocol=udp
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=INV
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix=IN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="WAN MASQUERADE" ipsec-policy=out,none out-interface-list=WAN
/ip route add distance=1 gateway=xx.xx.xx.xx
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh port=xxxxx
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ppp aaa set use-radius=yes
/ppp secret add local-address=192.168.30.99 name=ss-backups password=xxxxxxx profile=OFFICEPROFILE remote-address=192.168.30.100 service=l2tp
/radius add address=192.168.20.250 secret=xxxxxxx service=ppp,login,ipsec
/system clock set time-zone-name=Europe/Warsaw
/system identity set name=OfficeTik
/system logging add prefix=RADIUS topics=radius
/system ntp client set enabled=yes primary-ntp=194.146.251.100 secondary-ntp=194.146.251.101
/system package update set channel=long-term
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/user aaa set use-radius=yes

Why do you declare two IP addresses on the same bridge?

/ip address add address=192.168.20.254/24 comment="LAN NETWORK" interface=bridge1lan network=192.168.20.0
/ip address add address=10.125.24.1/24 interface=bridge1lan network=10.125.24.0

You don’t use DHCP client. Hope the route with GW xx.xx.xx.xx is correct?

I am not very familiar with VPN setups etc.

All network configuration is fine. I have 2 addresses on that bridge because I found an unknown network device in my LAN and I want to check that - that's fine and that works.
The VPN configuration also works fine.

My question only applies to the firewall on the bridge. The LAN is unstable when I disable the "Use IP Firewall" option. It also works fine when that option is disabled and Torch is enabled for checking traffic on those interfaces. Only the ether port that has the same MAC address as the bridge interface works fine every time.

I think that I shouldn't have to put all bridge traffic through the firewall - it's not required for me.

As a test, did you try config without bonding? That’s the only “unusual” or less common thing there.

I added the bonding after the problems started; it has no effect.

However, I got a response from Mikrotik technical support.
They suspect problems with bridge fast-path and fast-forward.
In the evening I will send them a binlog and wait for an answer.

From the above symptoms, I suspect fasttrack is causing the problem. Disable the rule below, restart the router to clear fasttrack connections (or clear all connections in connection tracking) and test.

/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related

Here is the reply from the Mikrotik support center

Sniffer, Torch and use-ip-firewall=yes will disable the bridge fast-path (also fast-forward when only two bridge ports are running). Perhaps the issue is related to this feature? You can manually disable the fast-path under bridge settings and fast-forward on a specific bridge with these commands:

/interface bridge settings
set allow-fast-path=no
/interface bridge
set bridge1 fast-forward=no


Now it works fine, but I don't know why the default config didn't; I'll attach the next reply from them here :)
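As an added example (not code from the thread, from MikroTik, or from the support reply), a small Python audit that parses the flattened `/menu verb key=value` export format posted above and flags the three things the thread turned on: a WAN interface that ends up inside a bridge, `use-ip-firewall=yes`, and the fast-path/fast-forward switches from the support workaround. The two sample exports are constructed excerpts modelled on the ones posted; `parse_export`, `audit` and the finding codes are my own names.

```python
import re
import shlex
# One command per export line: "/menu path <add|set> [name] key=value ..."
CMD = re.compile(r'^(/[\w\- ]+?) (add|set) (.*)$')

def parse_export(text):
    """Yield (menu, verb, args) per command; args holds the key=value pairs."""
    for line in text.splitlines():
        m = CMD.match(line.strip())
        if not m:  # blank lines and '# ...' header lines
            continue
        menu, verb, rest = m.groups()
        toks = shlex.split(rest)
        args = dict(t.split('=', 1) for t in toks if '=' in t)
        args['_name'] = next((t for t in toks if '=' not in t and t not in ('[', ']', 'find')), None)
        yield menu, verb, args

def audit(text):
    """Return [(code, message)] for the bridge pitfalls raised in the thread."""
    ports, wan, out = {}, set(), []
    for menu, verb, a in parse_export(text):
        if menu == '/interface bridge port' and verb == 'add':
            ports[a['interface']] = a['bridge']
        elif menu == '/interface list member' and a.get('list') == 'WAN':
            wan.add(a['interface'])
        elif menu == '/interface bridge settings':
            if a.get('use-ip-firewall') == 'yes':
                out.append(('IP_FIREWALL', 'bridged frames go through the IP firewall: CPU cost, fast-path off'))
            if a.get('allow-fast-path') == 'no':
                out.append(('FAST_PATH_OFF', 'bridge fast-path disabled (support workaround)'))
        elif menu == '/interface bridge' and a.get('fast-forward') == 'no':
            out.append(('FAST_FORWARD_OFF', f"fast-forward disabled on {a['_name']}"))
    for iface in sorted(wan):  # WAN must be a plain routed port, never part of a bridge
        if iface in ports:
            out.append(('WAN_BRIDGED', f'WAN member {iface} is a port of {ports[iface]}'))
        elif iface in ports.values():
            out.append(('WAN_BRIDGED', f'WAN list holds bridge {iface}; use the ether WAN port'))
    return out

# Constructed excerpt modelled on the first export: WAN bridged, use-ip-firewall on.
EXPORT_BEFORE = """\
/interface bridge port add bridge=bridge1lan interface=ether2
/interface bridge port add bridge=bridge0wan interface=ether1
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface list member add interface=bridge0wan list=WAN
/interface list member add interface=bridge1lan list=LAN
"""

# Constructed: ether1 routed directly, IP firewall off, support workaround applied.
EXPORT_AFTER = """\
/interface bridge port add bridge=bridge1lan interface=ether2
/interface bridge settings set allow-fast-path=no use-ip-firewall=no
/interface bridge set bridge1lan fast-forward=no
/interface list member add interface=ether1 list=WAN
"""
```

Run `audit(open('export.rsc').read())` against a real `/export` to get the same list of findings for your own router.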