RB3011 Full bridge filter

I use the RB3011 in full bridge mode to avoid double NAT with an operator box.
I cannot block the eth5 interface, which should not communicate with the outside but only with the eth4 interface.

First I tried to block all traffic from eth5,

without success. I do not know how to do it. Thank you for your help.

# sep/20/2020 21:14:04 by RouterOS 6.47.3
# software id = 7VTY-P195
#
# model = RouterBOARD 3011UiAS
# serial number = 783D08A5134C
/interface bridge
add name=bridge1 protocol-mode=none
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge nat
add action=drop chain=srcnat out-bridge=bridge1 out-interface=ether5
add action=drop chain=dstnat in-bridge=bridge1 in-interface=ether5
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether2
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/system clock
set time-zone-name=Europe/Paris
/system routerboard settings
set auto-upgrade=yes silent-boot=yes

Hi!

I’m no expert in MikroTik, so I may be wrong, but what I see is you have this setting:
“set use-ip-firewall=yes”
From what I know, that makes the bridge traffic get sent to the IP firewall process of the box, which is under IP → Firewall, so that is where you should create the rules, not under Interface → Bridge → NAT.

Second thing is, I would say to put a rule under IP → Firewall on chain Forward with IN interface eth5 and OUT interface !eth4 (!eth4 means any interface other than eth4), action drop, and maybe a second one for traffic from !eth4 to eth5.

1st: you do not use NAT under bridge, but FILTER!!!

2nd:
Does ETH5 have access to the router and get DHCP from it?
If it’s a port exposed to the “outside”, it’s dangerous to keep it on the same bridge as the others. But maybe it is only to limit
some PCs so they are not exposed to the outside?

3rd:
Put in a bridge filter rule something like:

  • chain forward in-interface ETH5 out-interface !ETH4 action drop
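The rules from the two replies written out as a RouterOS script for the original poster's config (an added example, not posted by anyone in the thread); it assumes ether5 is the port to isolate and ether4 is the only port it may talk to, and replaces the bridge NAT rules, which are the wrong table for filtering.

```routeros
# Added example, not from the thread. Assumes ether5 must only exchange
# traffic with ether4, and that both are ports of bridge1 as in the export.

# The original config dropped traffic in /interface bridge nat; NAT rules
# are for address rewriting, so remove them and use the bridge filter instead.
/interface bridge nat
remove [find]

# Forward chain = frames bridged from one port to another.
# "!ether4" matches every port other than ether4.
/interface bridge filter
add chain=forward in-interface=ether5 out-interface=!ether4 action=drop \
    comment="ether5 may only send to ether4"
add chain=forward in-interface=!ether4 out-interface=ether5 action=drop \
    comment="only ether4 may send to ether5"

# Input chain = frames from a bridge port to the router itself (management,
# DHCP server, neighbor discovery). Drop it if hosts on ether5 should not
# reach the router at all; omit this rule if ether5 needs DHCP from the box.
add chain=input in-interface=ether5 action=drop \
    comment="ether5 cannot reach the router"

# Check that the packet counters on these rules increase when ether5 is
# used; if they stay at zero the traffic is not crossing the bridge.
/interface bridge filter print stats
```

Because the export also has use-ip-firewall=yes, bridged IP traffic is additionally passed through /ip firewall filter, so any rules added there apply on top of these bridge filter rules.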