Port 3 is upstream to my CoLoc (just the way it got wired up)
Port 2 is connected to the primary interface of a vmware-box.
Port 5 is connected to the IPMI interface of my box.
Ports 1-3 are assigned to “bridge-outside” and all seems well.
What I would like to do now is:
Be able to use the bridge firewall to only allow access to some ports from certain IPs (in other words, filter VMware management traffic)
Be able to NAT traffic to the IPMI on port 5
But, I cannot find a definitive guide on Bridging firewalls. At least not one that I can follow.
I started by enabling ip-firewall but that seemed to block all traffic (thanks, safe mode).
That won’t work. Some VMs have static IPs that simply cannot be changed. The MT has been dropped in front of the machine to filter traffic as some of the VMs are exploitable.
OK, I thought I either needed to use a NAT or a route or bridge to filter.
So, what SHOULD I do to, for instance, block all incoming traffic to port 53 (traffic enters on ether3 and exits on ether2, both members of bridge-outside)?
Nope, NATing can be used for various things; most commonly it is to mask an internal (private) IP address with an external (public) IP address. Bridges, on Mikrotiks, are like SVIs on Cisco. It allows you to create a virtual interface and assign an IP address to it. You can then “slave” vlans/ports to it to create a traffic flow within a subnet. At least that is how I have done it on my CCR1009.
My understanding of your network is that you have multiple subnets, correct?
If that is the case you only need to create firewall rules. These rules will use the chain=forward rule and you can annotate source IP/network, destination IP/network and port. There are many more options to dig into for filtering via the built-in firewall. You can use the input/output chains for bridge interfaces; it is just not necessary.
The forward chain rule applies to traffic that is not destined to or sourced from the router itself. So if you are trying to deny DNS traffic to, say, 10.10.10.0/24 it would look something like this:
So with the code above all traffic destined for the network 10.10.10.0/24 on port 53 would be denied, other traffic would be permitted unless additional rules were created.
If you can provide more details on your network, we can give you better advice on how to achieve your desired goals.
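The rule snippet the answer above refers to is missing from the page; as an added example (my reconstruction, not the poster's own configuration), this is the described forward-chain rule in RouterOS, covering both UDP and TCP DNS toward 10.10.10.0/24:

```routeros
# Added example: deny DNS (port 53) to 10.10.10.0/24 in the forward chain.
# The forward chain only sees traffic passing through the router, never traffic
# addressed to or sourced from the router itself (that is input/output).
/ip firewall filter
add chain=forward action=drop protocol=udp dst-address=10.10.10.0/24 dst-port=53 comment="deny DNS (UDP) to 10.10.10.0/24"
add chain=forward action=drop protocol=tcp dst-address=10.10.10.0/24 dst-port=53 comment="deny DNS (TCP: zone transfers, large answers) to 10.10.10.0/24"
# With no further rules, /ip firewall filter accepts anything that matched nothing,
# so every other forwarded flow is still permitted, exactly as the post says.
```

Verify with `/ip firewall filter print stats` after sending a test query: the packet and byte counters on the two rules should increment while other traffic is untouched.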
I have a single /240 with a single upstream IP provided by my coloc provider.
All virtual machines are using the Coloc upstream as gateway. And for reasons I cannot go into changing the addresses on certain machines simply is not an option. So, what is required is a “transparent” firewall that can still allocate an IP for management. And provide NAT functionality for a second internal subnet.
There is a way to do this with layer3 forwarding and not having to renumber anything.
The Ethernet interface which is connected to the servers can work as an unnumbered interface. Let’s say ether2 is this interface, and ether1 is the ISP interface. On these two interfaces, set arp=proxy-arp.
Configure ether1 as normal, and configure NAT for the rest of the LAN as normal, but then for each IP address on ether2, create a static route:
x.x.x.4/32 gateway=ether2
x.x.x.6/32 gateway=ether2
etc.
The /29 will still officially live on ether1, but the /32 “exceptions” can live on ether2 in this manner.
Firewalling in this approach is just a normal layer 3 thing - just as any forwarded packets would be filtered.
All this solution does is make the router answer ARP requests to the hosts on behalf of the real ISP router, and on behalf of any of your other public IP addresses. What’s interesting about this solution is that it doesn’t even have to be done on the same router - 192.0.2.2 can be 5 hops away from 192.0.2.3 and the hosts will communicate just fine. (Of course, all 5 hops need the /32 route pointing toward every “roaming” host.)
A traceroute from 192.0.2.2 to 192.0.2.3 could look like this:
Tracing the route to 192.0.2.3 over a maximum 255 hops:
10.14.201.98 - 3ms 3ms 4ms
10.14.175.18 - 6ms 5ms 6ms
10.21.94.5 - 8ms 9ms 7ms
192.0.2.3 - 9ms 9ms 7ms
Done
Isn’t that funny? This happens because (in this example) when 192.0.2.2 sends an ARP request for 192.0.2.3, then the router 10.14.201.98 answers the ARP request, and so .2 hands the packet to the router. At this point, normal routing takes over and the router sees a packet from .2 with a destination of .3, and finds that in the routing table, there is a /32 for .3 which goes to 10.14.175.18 so it just forwards the packet. It doesn’t even think it’s doing something sneaky - it’s just forwarding packets.
When 192.0.2.3 receives the packet, it replies to 192.0.2.2, and so it sends an ARP request for 192.0.2.2 - where the router at hop 3 replies with its own MAC address (in proxy for the real 192.0.2.2) and the same process happens going the other way. If you were to look at the ARP cache in 192.0.2.3, you would see that all 5 IPs of its local network hosts have the same MAC address - the router’s MAC address.
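Putting the proxy-ARP approach from the two posts above into one configuration, as an added example (not the poster's own config): all addresses are constructed from the RFC 5737 TEST-NET ranges, the /29 lives on ether1, the servers hang off an unnumbered ether2, a second internal subnet on ether4 is NATed, and the IPMI address and admin host are hypothetical placeholders.

```routeros
# Added example. Constructed addressing (RFC 5737 TEST-NET), not the thread's real network:
#   192.0.2.0/29      colo /29, officially on ether1; ISP gateway 192.0.2.1
#   192.0.2.5         this router's own address on ether1
#   192.0.2.2/.3/.4/.6 servers physically behind ether2 (ether2 itself carries no address)
#   10.0.0.0/24       second internal subnet on ether4; 10.0.0.20 = IPMI (hypothetical)
#   203.0.113.10      admin host allowed to reach management services (hypothetical)

# 1. Both sides answer ARP on behalf of whatever is reachable through the other side.
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp

# 2. Only the ISP port and the internal LAN get addresses; ether2 stays unnumbered.
/ip address
add address=192.0.2.5/29 interface=ether1
add address=10.0.0.1/24 interface=ether4

# 3. The /32 "exceptions": these colo hosts are reached out of ether2, everything else via the ISP.
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1
add dst-address=192.0.2.2/32 gateway=ether2
add dst-address=192.0.2.3/32 gateway=ether2
add dst-address=192.0.2.4/32 gateway=ether2
add dst-address=192.0.2.6/32 gateway=ether2

# 4. NAT for the internal subnet, and the IPMI web UI published on the router's
#    public address but only for the admin host (dst-nat is also a filter point).
/ip firewall nat
add chain=srcnat out-interface=ether1 src-address=10.0.0.0/24 action=masquerade
add chain=dstnat in-interface=ether1 dst-address=192.0.2.5 src-address=203.0.113.10 protocol=tcp dst-port=443 action=dst-nat to-addresses=10.0.0.20 to-ports=443

# 5. Server traffic is now plain forwarded traffic, so ordinary layer-3 filtering applies.
#    Order matters: established/related first, then the specific accept, then the drop.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 dst-address=192.0.2.3 protocol=tcp dst-port=443,902,903 src-address=203.0.113.10 action=accept comment="VMware mgmt from admin host only"
add chain=forward in-interface=ether1 dst-address=192.0.2.3 protocol=tcp dst-port=443,902,903 action=drop comment="VMware mgmt from anyone else"
```

`/ip arp print` on a server behind ether2 will show every neighbour, including the ISP gateway, resolving to the router's MAC, which is the sanity check that proxy-arp is doing its job.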
OK… Now I feel silly, but I found the problem with my original bridging firewall. I just needed a catch-all rule for the bridge to allow all traffic that was not blocked by previous rules… I messed up my sequencing of rules.
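For the bridge-filter route the original poster ended up with, here is an added example of a correctly sequenced rule set (my example, not the poster's actual rules) for the setup described at the top of the thread: ether3 upstream, ether2 the VMware host, both in bridge-outside, with 203.0.113.10 as a constructed admin address.

```routeros
# Added example: bridge filter for "bridge-outside", ether3 = upstream, ether2 = VMware host.
# use-ip-firewall stays off; the bridge filter alone does the job (turning it on is what
# pushed all bridged traffic through /ip firewall and blocked everything earlier in the thread).
/interface bridge settings
set use-ip-firewall=no

/interface bridge filter
# 1. Specific accepts come first: VMware management (443, 902-903) from the admin host.
add chain=forward in-interface=ether3 out-interface=ether2 mac-protocol=ip ip-protocol=tcp dst-port=443 src-address=203.0.113.10/32 action=accept comment="vmware mgmt https from admin host"
add chain=forward in-interface=ether3 out-interface=ether2 mac-protocol=ip ip-protocol=tcp dst-port=902-903 src-address=203.0.113.10/32 action=accept comment="vmware mgmt 902-903 from admin host"
# 2. Then the drops for the same ports from everyone else.
add chain=forward in-interface=ether3 out-interface=ether2 mac-protocol=ip ip-protocol=tcp dst-port=443 action=drop comment="vmware mgmt https from elsewhere"
add chain=forward in-interface=ether3 out-interface=ether2 mac-protocol=ip ip-protocol=tcp dst-port=902-903 action=drop comment="vmware mgmt 902-903 from elsewhere"
# 3. The port-53 case asked about earlier: no inbound DNS to the VMs.
add chain=forward in-interface=ether3 out-interface=ether2 mac-protocol=ip ip-protocol=udp dst-port=53 action=drop comment="no inbound DNS to VMs"
add chain=forward in-interface=ether3 out-interface=ether2 mac-protocol=ip ip-protocol=tcp dst-port=53 action=drop comment="no inbound DNS (TCP) to VMs"
# 4. Explicit catch-all last, so anything not matched above is visibly accepted and
#    a later drop rule can never end up ahead of the accepts by accident.
add chain=forward action=accept comment="everything else"
```

`/interface bridge filter print stats` shows per-rule counters; if the catch-all is the only rule counting up while a management port is being tested, the rule order is wrong.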