Simplifying firewall

How can I:

  • Select that an interface/bridge should just bypass the firewall (so that fast path can be activated)
  • Add multiple interfaces/bridges to a firewall rule
  1. By fasttrack action.
  2. You cannot.

Then I would still need to add multiple rules, just so that some ports do not get filtered at all.

If I have the LAN in the 2 switches and these in one bridge, is it enough to fasttrack the bridge?

It looks like the only choice for in-interface is the bridge.

I am still getting worse download performance when the port is in switch+bridge than when it is connected straight to routing.

Do you have a switch chip on your RB? You can offload switching to hardware and avoid the software bridge interface. Put a fasttrack rule on the plain (master) interface and try the performance.

I have 2 switches in my RB2011, that’s why I have to use a bridge.

But the problem is with routing when a port is in the bridge.

I need the port in the bridge so that multicast DNS will work.

You should normally secure your network against the WAN interfaces, not against the LAN interfaces. In case your LAN is on some bridge, use that bridge as the only interface when referring to the LAN. All other rules that secure the router itself should be without any interface condition in order to apply to all interfaces.

Normally there is no need to duplicate firewall filter rules unless you have more than one WAN or LAN interface. From what you have written I think you have one WAN and one LAN (bridge1).
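The two answers above (fasttrack as the way to let a bridge bypass filtering, and one WAN-scoped / one LAN-scoped rule set with interface-less rules protecting the router) put together as a RouterOS CLI fragment. This is an added example, not configuration posted by anyone in this thread. It assumes ether1 is the WAN port, ether2 and ether6 are LAN ports on the two separate switch chips of an RB2011, and both are bridged into bridge1 (the OP's setup, as far as the thread states it); the hw=yes flag on the bridge ports assumes RouterOS 6.41 or newer, where bridge ports can be hardware-offloaded.

```routeros
# Added example (not from the thread). Assumed layout: ether1 = WAN,
# ether2 = LAN port on switch chip 1, ether6 = LAN port on switch chip 2.
# One bridge for both LAN ports so mDNS works across both switch groups.
/interface bridge
add name=bridge1
/interface bridge port
# hw=yes keeps L2 switching inside a chip in hardware (RouterOS 6.41+ assumed);
# traffic crossing between the two chips or going to the router is still
# handled by the software bridge.
add bridge=bridge1 interface=ether2 hw=yes
add bridge=bridge1 interface=ether6 hw=yes

/ip firewall filter
# --- forward chain: traffic through the router ---
# Fasttrack mark: once a connection is established, later packets skip the
# rest of the firewall and take the fast path. No interface condition is
# needed; it applies to LAN<->WAN flows on every interface.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fasttrack established/related"
add chain=forward action=accept connection-state=established,related \
    comment="accept what fasttrack did not catch"
add chain=forward action=drop connection-state=invalid
# The only WAN-scoped rule: do not let new connections come in from ether1.
# LAN hosts (bridge1) are free to initiate outbound; nothing else is filtered.
add chain=forward action=drop connection-state=new in-interface=ether1 \
    comment="block unsolicited connections from WAN"

# --- input chain: traffic to the router itself ---
# These rules carry no in-interface condition, so they protect the router on
# every interface (WAN, bridge1, any port you add later).
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping/PMTU"
# The single LAN-scoped rule: management access only from the LAN bridge.
add chain=input action=accept in-interface=bridge1 \
    comment="allow LAN (bridge1) to reach the router"
add chain=input action=drop comment="drop everything else to the router"
```

With this layout there is nothing to duplicate per port: adding a third LAN port means one more `/interface bridge port add bridge=bridge1 interface=...`, and the filter rules stay as they are. If you want to keep the firewall active for some flows, narrow the fasttrack rule (for example add `in-interface=bridge1`) rather than writing per-port copies of it; everything that is not fasttracked falls through to the normal rules below it.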