Switch rule except mac syntax?

Does anybody know if there is any syntax in Switch rule (not IP firewall) to drop everything except a specific MAC?
I expected to see something like an exclamation mark in front of the MAC: !XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF
Maybe someone more experienced can clarify if it is possible to achieve this.

Thanks.

I think another approach can be:
first rule to allow only that mac
second rule to drop any other mac

I am already aware of this alternative, but it is not what I need.
I have more ACL rules under it where I have to allow specific traffic.
It looks like this:

    • Permit only one MAC. This means: drop any other MAC; I do not want any other traffic.
    • Allow something more specific next… Since we are here, it means we can allow, let’s say, traffic on port 80.
    • X) Allow something more specific next…
    • Last step: Drop all -> anything that was not caught by the allow rules: drop it.

The situation is more complex, but I hope you understand my scenario.
Thank you.

You don’t specify what device or software is being used.

In SwOS you can use port locking and a static MAC. Port locking disables learning on the port. Static allows you to preload the MAC address, and it will not age out of the MAC table.

Apologies, I forgot to mention; I thought that the RouterOS zone was dedicated to it. I am using RouterOS 7.6 with a CRS326-24G-2S+.
I want to benefit from the HW acceleration of the switch chip, which is why I am using Switch rule.

You don’t specify what device or software (firmware) is being used.

I suggest that repeating the MAC address in each rule incurs zero performance penalty.

Well, I already thought about that; there should be no problem with regard to copy/paste, but let me tell you why it is not feasible.
The number of rules in the ACL is limited.
If you add the rules in the manner that I explained initially:

  1. drop all unnecessary MACs from port1
  2. drop all unnecessary MACs from port2
  3. drop all unnecessary MACs from port3
  4. drop all unnecessary MACs from port4
  5. allow traffic for port 443 on all tcp ports
  6. allow traffic for port 443 on all udp ports
  7. allow traffic for port 80 on all tcp ports
  8. allow traffic for port 80 on all udp ports
  9. drop from all ports

I hope you understand that with this design, rules 9, 10, 11, 12 and many others after them are entered once and are available for all ports.
Hardcoding the MAC on these lines means I have to duplicate each line for every single port in the switch.
So each * 24 ports... I think you get why it is not scalable or feasible.

But in the end I think I got it. It seems RouterOS is simply not feasible enough to achieve my needs using hardware acceleration.
I will try to look for other solutions on the market.

For the feature, in case R&D keeps an eye on the forum and maybe sees this post, I suggest the following potential enhancement:
Include ! in the following sections:

  • Mac: !XX:XX:XX:XX:XX:XX
  • IP: !XXX.XXX.XXX.XXX
  • IP PORT: !XXXX

Thank you for your time and suggestions.

The switch rule ports=… allows multiple interfaces.

I already mentioned IP port, not switch port, which is something else.

Why are you trying to do this filtering on the switch, instead of your BSD based firewall?

I really don’t understand what you are trying to do. The ACL on the switch is going to stop after the first match, so I don’t understand how it would get to the third rule.

I think you are trying to use the wrong tool for the job.

When you were talking about MAC addresses, I thought you were interested in port security, but then you started talking about L3 and L4 filtering.

Here’s the documentation for switch rules: Switch Rules (ACL)

What is “behind” the MAC address? A single host, or a router (which will have traffic from many IP addresses coming from it)?

The question you ask isn’t very specific.

Rule 1-> Drop on switch port 1 !6d:48:77:9c:7a:fc
Rule 2-> Drop on switch port 2 !6a:ed:34:dc:d8:cc
Rule 3-> Drop on switch port 3 !3b:10:4d:f7:95:ab
Rule 4-> Allow on tcp ip port 80
Rule 5-> Allow on tcp ip port 443
Rule 6-> Drop all on all switch ports

I hope it is clearer now how it is supposed to work and why I asked about the exclamation mark.
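The rule ordering in this post and the earlier rule-count argument both hinge on first-match ACL semantics, so here is an added example that is not part of any post in the thread and is not RouterOS code: a small Python model of a switch ACL with and without a negated MAC match. It evaluates the six rules above against constructed frames and counts how many rules the same policy needs when the MAC has to be repeated per port instead of negated. The port names, the sample frames, and the `evaluate`, `policy_with_negation`, `policy_without_negation` and `rule_count` helpers are constructed for this example; the three MAC addresses are the ones in the rule list above; traffic matching no rule is assumed to be forwarded normally.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    """A frame arriving at the switch (constructed test input, not captured traffic)."""
    in_port: str
    src_mac: str
    proto: Optional[str] = None      # "tcp", "udp" or None for non-IP frames
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "drop"
    ports: frozenset = frozenset()                # empty = any switch port
    src_mac: Optional[str] = None
    mac_negate: bool = False                      # the "!" the thread asks for
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        if self.ports and f.in_port not in self.ports:
            return False
        if self.src_mac is not None:
            equal = f.src_mac.lower() == self.src_mac.lower()
            # a plain match needs equal == True, a negated match needs equal == False
            if equal == self.mac_negate:
                return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dst_port is not None and f.dst_port != self.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], frame: Frame) -> str:
    """First-match ACL: the first matching rule decides; later rules are never consulted."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return "allow"  # assumption: traffic matching no rule is forwarded normally


# Constructed inputs: three locked ports using the MAC addresses from the rule list above.
LOCKED_PORTS: Dict[str, str] = {
    "ether1": "6d:48:77:9c:7a:fc",
    "ether2": "6a:ed:34:dc:d8:cc",
    "ether3": "3b:10:4d:f7:95:ab",
}
L4_ALLOW: List[Tuple[str, int]] = [("tcp", 80), ("tcp", 443)]


def policy_with_negation(locked: Dict[str, str], l4_allow) -> List[Rule]:
    """Rules 1-6 from the post: one negated-MAC drop per port, shared L4 allows, final drop."""
    rules = [Rule("drop", frozenset({p}), mac, mac_negate=True) for p, mac in locked.items()]
    rules += [Rule("allow", proto=proto, dst_port=dport) for proto, dport in l4_allow]
    rules.append(Rule("drop"))
    return rules


def policy_without_negation(locked: Dict[str, str], l4_allow) -> List[Rule]:
    """Same policy for the locked ports when "!" is unavailable.

    A positive MAC match that allowed the frame would stop processing before the
    L4 rules, so the MAC has to be repeated inside every L4 allow rule, per port.
    """
    rules = [
        Rule("allow", frozenset({p}), mac, proto=proto, dst_port=dport)
        for p, mac in locked.items()
        for proto, dport in l4_allow
    ]
    rules.append(Rule("drop"))
    return rules


def rule_count(n_ports: int, n_l4: int, negation: bool) -> int:
    """Rule budget for n_ports locked ports, n_l4 shared L4 allows and the final drop."""
    return n_ports + n_l4 + 1 if negation else n_ports * n_l4 + 1


def sample_frames(locked: Dict[str, str]) -> List[Frame]:
    """Constructed frames on the locked ports: right/wrong MAC, allowed/other L4 ports."""
    frames = []
    for port, mac in locked.items():
        for src in (mac, "00:11:22:33:44:55"):
            for proto, dport in (("tcp", 80), ("tcp", 443), ("tcp", 22), ("udp", 53), (None, None)):
                frames.append(Frame(port, src, proto, dport))
    return frames


def policies_agree(a: List[Rule], b: List[Rule], frames: List[Frame]) -> bool:
    """True when both rule sets give the same verdict for every frame."""
    return all(evaluate(a, f) == evaluate(b, f) for f in frames)


if __name__ == "__main__":
    neg = policy_with_negation(LOCKED_PORTS, L4_ALLOW)
    dup = policy_without_negation(LOCKED_PORTS, L4_ALLOW)
    for f in sample_frames(LOCKED_PORTS)[:5]:
        print(f, "->", evaluate(neg, f))
    print("rules with !:", len(neg), "without:", len(dup))
    print("24 ports, 4 L4 rules:", rule_count(24, 4, True), "vs", rule_count(24, 4, False))
```

The two policies agree on every frame from the locked ports, but the negated form costs n_ports + n_l4 + 1 rules while the repeated-MAC form costs n_ports * n_l4 + 1; for 24 ports and four L4 rules that is 29 against 97, which is the scaling problem the earlier post describes. Ports that are not locked differ between the two forms (the negated form still lets them reach the shared L4 allows), so the comparison is deliberately limited to locked ports.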

It does appear that at least the QCA8337N switch chip supports an inverse check. Where I saw the info: Google search for qca8337 programming manual and look on page 48.

So as long as the switch chips all support this “inverse EN”, I agree with you, it should be possible to match !mac
[Attachment: QCA8337N_mac_ACL rule result inverse EN.png]

That’s nice.
It seems to also support the technique for IPv4, something very, very useful.

Is there any chance R&D would consider adding support for this in RouterOS & SwOS?
Thank you.
[Attachment: QCA8337N_IPv4_ACL rule result inverse EN.png]