Can a RB750G switch act as a layer 2 firewall where I can just drop into a network transparently?
Yes. You can either turn on IP firewall filters for bridged traffic (under “/interface bridge”), or you can use bridge filters directly. On a 750G you will have to turn off the switch chip for that to work - that traffic isn’t processed by the CPU. You’ll have to software bridge things (which doesn’t perform as well).
For clarification: does the switch chip work only for “IP firewall filters for bridged traffic (under “/interface bridge”)” and not for “bridge filters directly”, or is it not utilized in either method?
It isn’t utilized with either method. There is very rudimentary filtering on the switch chip, but nothing that approaches a firewall (and the rule set size is very limited). If it’s processed by the switch chip, it isn’t seen by the CPU. Both IP and bridge rules run in CPU.
Can you tell me what I have wrong here?
I want to allow only IPsec-esp, ssh, isakmp 500 and 4500. But I am unable to BLOCK ssh as a test.
[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
NAME TYPE MTU L2MTU
0 R ether1-gateway ether 1500 1526
1 R ether2-local-master ether 1500 1524
2 ether3-local-slave ether 1500 1524
3 ether4-local-slave ether 1500 1524
4 R ether5-local-slave ether 1500 1524
5 R bridge1 bridge 1500 1524
[admin@MikroTik] > interface bridge print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 l2mtu=1524 arp=enabled mac-address=00:0C:42:57:11:78 protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
[admin@MikroTik] > interface bridge filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
src-address=0.0.0.0/0 dst-address=70.42.209.128/27 ip-protocol=ipsec-esp
1 chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
src-address=0.0.0.0/0 dst-address=70.42.209.128/27 src-port=500 dst-port=500 ip-protocol=udp
2 chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
src-address=0.0.0.0/0 dst-address=70.42.209.128/27 dst-port=4500 ip-protocol=udp
3 X chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
src-address=0.0.0.0/0 dst-address=70.42.209.128/27 dst-port=22 ip-protocol=tcp
[admin@MikroTik] >
Can someone tell me what I did wrong with these filter rules?
I want to allow only IPsec-esp, ssh, isakmp 500 and 4500. But I am unable to BLOCK ssh as a test.
0 chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
src-address=0.0.0.0/0 dst-address=70.42.209.128/27 ip-protocol=ipsec-esp
1 chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
src-address=0.0.0.0/0 dst-address=70.42.209.128/27 src-port=500 dst-port=500 ip-protocol=udp
2 chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
src-address=0.0.0.0/0 dst-address=70.42.209.128/27 dst-port=4500 ip-protocol=udp
3 X chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
src-address=0.0.0.0/0 dst-address=70.42.209.128/27 dst-port=22 ip-protocol=tcp
Did you put a general drop rule at the bottom of your list?
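As an added example (my own, not code from any poster or from MikroTik), a small Python simulation of first-match rule evaluation over the rule set posted above: it parses the "bridge filter print" output, treats a chain that no rule matches as accept (the RouterOS default), and shows why disabling rule 3 does not block ssh until a general drop rule is appended. The packet fields and the exact form of the drop rule are assumptions.

```python
import ipaddress

# Constructed input: the four rules from the thread, as printed by
# "/interface bridge filter print" (flag X marks a disabled rule).
RULES_TEXT = """\
0 chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
  src-address=0.0.0.0/0 dst-address=70.42.209.128/27 ip-protocol=ipsec-esp
1 chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
  src-address=0.0.0.0/0 dst-address=70.42.209.128/27 src-port=500 dst-port=500 ip-protocol=udp
2 chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
  src-address=0.0.0.0/0 dst-address=70.42.209.128/27 dst-port=4500 ip-protocol=udp
3 X chain=forward out-interface=ether2-local-master action=accept in-interface=ether1-gateway mac-protocol=ip
  src-address=0.0.0.0/0 dst-address=70.42.209.128/27 dst-port=22 ip-protocol=tcp
"""
# Assumed general drop rule, appended as the last rule of the chain.
DROP_RULE = "4 chain=forward in-interface=ether1-gateway out-interface=ether2-local-master action=drop\n"

def parse_rules(text):
    """A line starting with a digit begins a rule; indented lines continue it."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isdigit():
            rules.append({"disabled": False})
            tokens = line.split()[1:]
            if tokens and tokens[0] == "X":      # disabled flag
                rules[-1]["disabled"] = True
                tokens = tokens[1:]
        else:
            tokens = line.split()
        for tok in tokens:
            key, _, value = tok.partition("=")
            rules[-1][key] = value
    return rules

def matches(rule, pkt):
    """Every matcher present in the rule must match the packet (AND semantics)."""
    for key in ("chain", "in-interface", "out-interface", "mac-protocol",
                "ip-protocol", "src-port", "dst-port"):
        if key in rule and rule[key] != str(pkt.get(key)):
            return False
    for key in ("src-address", "dst-address"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    return True

def evaluate(rules, pkt):
    """First enabled matching rule decides; no match means accept by default."""
    for rule in rules:
        if not rule["disabled"] and matches(rule, pkt):
            return rule["action"]
    return "accept"

def ssh_packet():  # constructed inbound ssh packet towards the /27
    return {"chain": "forward", "in-interface": "ether1-gateway", "out-interface": "ether2-local-master",
            "mac-protocol": "ip", "ip-protocol": "tcp", "src-address": "203.0.113.5",
            "dst-address": "70.42.209.130", "src-port": 51000, "dst-port": 22}
```

Without the drop rule the disabled rule 3 is simply skipped and the chain falls through to accept; with it appended, ssh is dropped while ESP still hits rule 0.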