Hi all.
Filtering of the switch1-cpu port on the RB5009 does not work. Before this I used an RB850Gx2, where switch1-cpu filtering works.
Filtering on ether1-ether8 works fine. Using RoS 7.13 and bridge VLAN filtering with hardware offload.
Is there a solution to the problem?
mkx
January 8, 2024, 8:21pm
2
Post your config and explain how you expect it to work. Then we’ll try to find a solution.
/interface ethernet switch rule
add new-dst-ports="" ports=ether1,switch1-cpu src-address=192.168.0.0/16 switch=switch1
I expect that incoming and outgoing packets will be discarded. Only incoming ether1 packets are discarded; packets still come from switch1-cpu.
anav
January 9, 2024, 11:28am
4
In view of learning something new, how does this relate to traffic from user to user, user to internet, internet to user, user to device, device to user?
What traffic are you
a. trying to allow?
b. afraid of that you need to block?
The Mikrotik wiki on Switch ACL declares filtering of the CPU port. I expect that outgoing packets from the router can be filtered. Now filtering works on ether1-8, not on the CPU port. You have to use RoS Firewall Forward.
/interface ethernet switch rule
add new-dst-ports="" ports=switch1-cpu src-address=192.168.12.1 dst-address=192.168.12.6 switch=switch1
In this example, packets from the router to a device on the network should be blocked by the Switch ACL. Does not work.
/interface ethernet switch rule
add new-dst-ports="" ports=ether1 src-address=192.168.12.6 dst-address=192.168.12.1 switch=switch1
In this example, packets entering the router should be blocked. Works.
Am I in the wrong forum section? Please advise where to ask about the problem.
anav
January 9, 2024, 1:12pm
6
Ahh okay, you are talking switches, I thought this was a Router discussion.
Thus far you are talking gibberish, please give a practical example of what traffic you wish to flow through the ports or not flow through the ports.
English is not my native language. I use Google Translate.
/interface ethernet switch rule
add new-dst-ports="" ports=ether1 src-address=192.168.0.0/16 switch=switch1
add new-dst-ports="ether5" ports=switch1-cpu src-address=192.168.56.0/24 switch=switch1
add new-dst-ports="" ports=switch1-cpu src-address=192.168.0.0/16 switch=switch1
add new-dst-ports="" ports=ether1 dst-address=192.168.0.0/16 switch=switch1
add new-dst-ports="ether5" ports=switch1-cpu dst-address=192.168.56.0/24 switch=switch1
add new-dst-ports="" ports=switch1-cpu dst-address=192.168.0.0/16 switch=switch1
ether1 = WAN
ether5 = LAN
This set of rules prevents traffic from being redirected without NAT. Prevents leakage of local packets that do not pass NAT.
The set does not work because there is no switch1-cpu filtering.
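As an added example (not the poster's configuration, and not something the thread itself supplies), the following is the L3 firewall equivalent of the switch ACL set above, which is the "RoS Firewall Forward" fallback the thread points to while switch1-cpu filtering is broken. It assumes ether1 = WAN and ether5 = LAN as stated, and the address-list name "rfc1918" is my own. One caveat the ACL approach does not have: the filter chains see the pre-NAT source address, so the outbound "private source leaking to WAN" case cannot be matched by source in the forward chain (that would drop all LAN traffic); it is closed instead by an unconditional masquerade on the WAN interface, while the other three cases map directly onto forward-chain drops.

```routeros
# Added example, not from the thread. Assumes ether1 = WAN, ether5 = LAN.
# "rfc1918" is a constructed address-list name.
/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8 comment="constructed: private ranges"
add list=rfc1918 address=172.16.0.0/12
add list=rfc1918 address=192.168.0.0/16

/ip firewall filter
# Equivalent of: ports=ether1 src-address=192.168.0.0/16 -> drop (spoofed private source from WAN)
add chain=forward in-interface=ether1 src-address-list=rfc1918 action=drop comment="drop private src from WAN"
# Equivalent of: ports=ether1 dst-address=192.168.0.0/16 -> drop, except traffic a dstnat rule
# deliberately forwarded inside (dstnat runs before forward, so the state is already known here)
add chain=forward in-interface=ether1 dst-address-list=rfc1918 connection-nat-state=!dstnat action=drop comment="drop private dst from WAN unless dstnatted"
# Equivalent of: ports=switch1-cpu dst-address=192.168.0.0/16 -> drop for the WAN direction:
# LAN hosts must not reach private destinations through the default route
add chain=forward out-interface=ether1 dst-address-list=rfc1918 action=drop comment="drop private dst to WAN"

/ip firewall nat
# Equivalent of: ports=switch1-cpu src-address=192.168.0.0/16 -> drop for the WAN direction.
# Filter chains cannot see the post-NAT source, so make sure nothing leaves ether1 un-NATed
# (srcnat also applies to router-originated traffic, so a LAN-sourced router packet is covered too).
add chain=srcnat out-interface=ether1 action=masquerade comment="no un-NATed traffic leaves WAN"
```

The "new-dst-ports=ether5" allow rules in the ACL set have no counterpart here because LAN-to-LAN traffic never matches in-interface=ether1 or out-interface=ether1. Place the drop rules before any general accept in the forward chain.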
anav
January 9, 2024, 3:54pm
8
I don't follow.
So your configuration is based on fear and not facts??
What leakage are you talking about??
If I have a WAN or two, and a LAN with one flat subnet or multiple vlans in subnets.
YOU DECIDE in firewall rules (L3) where traffic is allowed to go.
???
I don’t need a discussion about network building.
Why doesn’t switch-cpu port filtering work?
Who can answer this question?
anav
January 9, 2024, 6:35pm
10
Fair enough, good thing my internet traffic is clean and doesn’t need extra filtering
Hopefully someone else will pop-in.
mkx
January 9, 2024, 7:55pm
11
I guess you’ll have to ask Mikrotik (via official support channels, this forum is not one of them). You may have found a bug …
Wrote to technical support. Waiting for an answer.
Technical support responded. The lack of filtering of the switch1-cpu port is an error. It is unknown when it will be fixed.
anav
January 16, 2024, 7:50pm
14
Thanks for the feedback! Good catch.
For knowledge, what would be a good use for switch1-cpu switch filtering USE CASE ??
Hi there,
I’m trying to do the same with these rules:
/interface ethernet switch rule
add dst-port=67 mac-protocol=ip new-vlan-priority=6 ports=switch1-cpu protocol=udp src-mac-address=YY:YY:YY:YY:YY:YY/FF:FF:FF:FF:FF:FF switch=switch1
add mac-protocol=ipv6 new-vlan-priority=6 ports=switch1-cpu src-mac-address=YY:YY:YY:YY:YY:YY/FF:FF:FF:FF:FF:FF switch=switch1
Same hardware, same error.
The aim is to get IPv4 and IPv6 working with Orange in France on the Mikrotik without using the ISP box (via SFP+ or ONT GPON). For that you need to filter the traffic in a certain way … Using the switch for that is better than filtering via rules, as many would say.
I’m a newbie too so excuse me for not being technical enough in my explanation
Too bad it’s not working yet, I’ll have to go the filter rules way.
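As an added example (not the poster's configuration), this is the "filter rules way" counterpart of the two switch ACL rules above: the ACL rules tag router-originated DHCPv4 and IPv6 frames from switch1-cpu with VLAN priority 6, and mangle output rules with set-priority do the same in software. The mangle output chain only sees router-originated packets, which is exactly what "ports=switch1-cpu" matched on the switch. The ISP-facing VLAN interface name "vlan-wan" is a placeholder; the source MAC match of the ACL is replaced by matching the outgoing interface.

```routeros
# Added example, not from the thread. "vlan-wan" is a placeholder for the
# ISP-facing VLAN interface; set-priority writes the VLAN PCP on frames
# leaving a VLAN interface.
/ip firewall mangle
# Counterpart of: dst-port=67 protocol=udp ports=switch1-cpu new-vlan-priority=6
add chain=output out-interface=vlan-wan protocol=udp dst-port=67 action=set-priority new-priority=6 passthrough=yes comment="DHCPv4 from router with PCP 6"

/ipv6 firewall mangle
# Counterpart of: mac-protocol=ipv6 ports=switch1-cpu new-vlan-priority=6
add chain=output out-interface=vlan-wan action=set-priority new-priority=6 passthrough=yes comment="router-originated IPv6 with PCP 6"
```

Because the ACL rules were keyed on the CPU port, forwarded LAN traffic is deliberately left untagged here as well; if forwarded traffic also needs a priority, the same action goes in chain=postrouting with the same out-interface match.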