Hi everyone,
This is my first post to this forum and it's my first experience with MikroTik, so please bear with me on this.
I'm more used to managing Juniper devices.
You will find below a network diagram of my current setup.
Right now, even though the CRS305-1G-4S+IN is running RouterOS 7.1, I'm only using its switching capabilities.
At the moment everything is running in a flat layer 2, so it’s the same broadcast domain on all ports.

My goal is for PC1 (mac-address AA:AA:AA:AA:AA:AA) to be able to reach only the gateway (mac-address BB:BB:BB:BB:BB:BB), bidirectionally, and nothing else.
I've set up the MikroTik switch this way.
I have one bridge called “bridge”
[admin@sw01.home] > interface/bridge/ print
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=reply-only arp-timeout=auto mac-address=08:55:31:XX:XX:XX
protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=08:55:31:XX:XX:XX ageing-time=5m
priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100
pvid=1 frame-types=admit-all ingress-filtering=yes dhcp-snooping=no
All ports are in the bridge and untagged in VLAN 11. I've renamed the interfaces in the Juniper style.
[admin@sw01.home] > interface/bridge/port print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
;;; defconf
0 H ge-0/1/0 bridge yes 11 0x80 1000 1000 none
;;; defconf
1 H xe-0/0/0 bridge yes 11 0x80 10 10 none
;;; defconf
2 IH xe-0/0/1 bridge yes 11 0x80 10 10 none
;;; defconf
3 IH xe-0/0/2 bridge yes 11 0x80 10 10 none
;;; defconf
4 H xe-0/0/3 bridge yes 11 0x80 10 10 none
[admin@sw01.home] > interface/bridge/vlan/ print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridge 11 bridge ge-0/1/0
xe-0/0/3
xe-0/0/0
1 D bridge 1 bridge
The MikroTik switch management IP address is on vlan.11, so it's not bound to a single interface.
[admin@sw01.home] > interface/vlan/ print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
# NAME MTU ARP VLAN-ID INTERFACE
;;; Management Interface
0 R vlan.11 1500 enabled 11 bridge
[admin@sw01.home] > ip/address/ print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 192.168.1.6/24 192.168.1.0 vlan.11
I thought what I wanted to achieve would need to be done in the interface/bridge/filter/ section of the configuration.
So, just to test this, I've created rules that don't drop anything but just count packets.
The forward chain doesn't log anything when PC1 reaches anything on another switch port.
The input/output chains match traffic to and from the MikroTik control plane (they get incremented when PC1 pings the MikroTik management interface).
Why doesn't the forward chain see anything?
[admin@sw01.home] > interface/bridge/filter/ print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Accept everything from PC1 to switch, count packets only
chain=input action=accept in-interface=xe-0/0/0 in-bridge=bridge
src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""
1 ;;; Accept everything from PC1 that needs forwarding, count packets only
chain=forward action=accept src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""
2 ;;; Accept anything to PC1 that needs forwarding, count packets only
chain=forward action=accept dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""
3 ;;; Accept everything to PC1 from switch, count packets only
chain=output action=accept dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""
[admin@sw01.home] > interface/bridge/filter/ print stats
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN ACTION BYTES PACKETS
;;; Accept everything from PC1 to switch, count packets only
0 input accept 3452 30
;;; Accept everything from PC1 that needs forwarding, count packets only
1 forward accept 0 0
;;; Accept anything to PC1 that needs forwarding, count packets only
2 forward accept 0 0
;;; Accept everything to PC1 from switch, count packets only
3 output accept 2044 25
[admin@sw01.home] >
I actually found a workaround that does what I want, but it's not pretty and it's not quite filtering.
In the interface/ethernet/switch/rule/ configuration section, I allow traffic from the gateway to PC1 and from PC1 to the gateway, and rewrite the VLAN ID for everything else regarding PC1 so the traffic gets lost.
What I'm actually doing is:
- I allow the gateway mac-address to pass when traffic arrives on port xe-0/0/3.
- Everything else from this port going to PC1 gets rewritten to VLAN 666, so it doesn't get to PC1, which is in VLAN 11.
- Everything from the ge-0/1/0 port going to PC1 gets rewritten as well, so it doesn't get to PC1, which is in VLAN 11.
So PC1 can send packets to anyone but won't get the responses.
This is a quick and dirty fix that needs some improvement, but I would love to understand how to use the bridge filter section, because I think I should be doing my config there.
[admin@sw01.home] > interface/ethernet/switch/rule/ print
Flags: X - disabled, I - invalid; D - dynamic
0 switch=switch1 ports=xe-0/0/3 src-mac-address=BB:BB:BB:BB:BB:BB/FF:FF:FF:FF:FF:FF copy-to-cpu=no
redirect-to-cpu=no mirror=no
1 switch=switch1 ports=xe-0/0/3 dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF copy-to-cpu=no
redirect-to-cpu=no mirror=no new-vlan-id=666
2 switch=switch1 ports=ge-0/1/0 dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF copy-to-cpu=no
redirect-to-cpu=no mirror=no new-vlan-id=666
Can someone help me understand this?
Thank you.
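The post above shows the bridge filter forward chain counting zero packets while input/output count normally. That is what hardware offloading looks like: frames the switch chip forwards between ports never reach the CPU, and the bridge firewall only processes CPU traffic, so the forward chain only ever sees forwarded frames if hw-offload is disabled (hw=no) on the ports involved, which moves switching onto the CPU. On a CRS3xx the switch-chip ACL (interface/ethernet/switch/rule) is the place where forwarded traffic can be filtered in hardware, and it can drop frames outright instead of retagging them into a dead VLAN. The following is an added example, not the poster's configuration and not a MikroTik-supplied snippet; it assumes the port names, the switch name switch1 and the two MAC addresses from the post, that rules are evaluated in order with the first match winning, and that an empty new-dst-ports list drops the frame (the documented CRS3xx drop action). The comment strings are chosen for illustration.

```routeros
# Added example (not from the original post): the same "PC1 talks only to
# the gateway" policy as a switch-chip ACL with explicit drops instead of
# VLAN rewrites. Assumes switch name "switch1", PC1 = AA:AA:AA:AA:AA:AA and
# gateway = BB:BB:BB:BB:BB:BB as in the post. First matching rule wins;
# a rule with no action lets the frame through, new-dst-ports="" drops it.
/interface/ethernet/switch/rule

# --- PC1's own port (xe-0/0/0): only the gateway is a valid destination ---
# PC1 -> gateway unicast
add switch=switch1 ports=xe-0/0/0 \
    src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF \
    dst-mac-address=BB:BB:BB:BB:BB:BB/FF:FF:FF:FF:FF:FF \
    comment="PC1 -> gateway"
# PC1 still has to ARP for the gateway, so allow broadcast ARP only
add switch=switch1 ports=xe-0/0/0 \
    src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF \
    mac-protocol=arp \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
    comment="PC1 broadcast ARP"
# anything else PC1 sends (other hosts, other broadcasts) is dropped,
# which also closes the "PC1 can still send to anyone" hole from the post
add switch=switch1 ports=xe-0/0/0 \
    src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF \
    new-dst-ports="" comment="drop everything else from PC1"

# --- every other port: only the gateway may address PC1 ---
add switch=switch1 ports=xe-0/0/3 \
    src-mac-address=BB:BB:BB:BB:BB:BB/FF:FF:FF:FF:FF:FF \
    dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF \
    comment="gateway -> PC1"
add switch=switch1 ports=xe-0/0/3,ge-0/1/0,xe-0/0/1,xe-0/0/2 \
    dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF \
    new-dst-ports="" comment="drop anything else addressed to PC1"
```

Broadcast ARP requests from other hosts still reach PC1 (their destination is FF:FF:FF:FF:FF:FF, not PC1's MAC), but PC1's unicast reply to them is dropped on xe-0/0/0, so no session can be completed in either direction. If you would rather keep the policy in the bridge filter as the post intends, the same rules work there only after hw=no on the ports in question, and then the CRS305 switches that traffic in software. Either way this is MAC-based isolation, not authentication: any host on the same broadcast domain can present AA:AA:AA:AA:AA:AA or BB:BB:BB:BB:BB:BB as its source address, so it keeps accidental or casual traffic out rather than resisting a deliberate attacker.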