switch - rule - redirect to cpu issue?

Spirch · January 12, 2020, 7:50pm

I might be doing it all wrong but I’m trying to send switch packet to the firewall and it seem that the only way i’m able to do that is to use the switch rule redirect to CPU

(everything is in one bridge under hardware offloading)

when I create this rule;

/interface ethernet switch rule
add ports=interface-LAN1 redirect-to-cpu=yes src-address=192.168.75.249 switch=switch1

the moment that I create this rule ping between 192.168.75.100 and 192.168.75.249 stop working (the .100 is on another port if that matter or not but in the same bridge)

if I disable that switch rule, it work again

I have no rule in the firewall to block that ping and i’m not seeing anything in the log

one thing; 192.168.75.249 can still access the internet and ping google.com with or without that rule

what i’m doing wrong? i would like to keep the ping working.

Spirch · January 12, 2020, 8:17pm

one thing i’m noticing is that i can see it in the raw prerouting firewall but not in the input/forward/output

something tell me that I am missing something here …

pe1chl · January 12, 2020, 8:51pm

You are missing most of your config in the above posting!
Of course you should at least post config of switch, bridge, and IP addresses.
As it is now it is impossible to see if this traffic is switched, bridged or routed.

Spirch · January 12, 2020, 9:01pm

which part of the config you are interested in? i don’t really want to manually remove all noise and thing that I dont want to give like password, name, mac address, etc

also, I added

/ip firewall nat
add action=redirect chain=dstnat dst-address=192.168.75.100 log=yes log-prefix="DEBUG NAT REDIRECT" src-address=192.168.75.249

and now ping respond but http request doesnt (i was hopping that by fixing ping the http/etc request would work)

Spirch · January 12, 2020, 9:27pm

sorry i misread your text, here is the relevant section

/interface bridge
add admin-mac=xxx auto-mac=no name=bridge-LAN protocol-mode=none

/interface ethernet
set [ find default-name=ether2 ] name=interface-LAN1
set [ find default-name=ether3 ] name=interface-LAN2
set [ find default-name=ether4 ] name=interface-LAN3
set [ find default-name=ether5 ] name=interface-LAN4
set [ find default-name=ether1 ] name=interface-WAN

/interface bridge port
add bridge=bridge-LAN interface=interface-WLAN1
add bridge=bridge-LAN interface=interface-WLAN2
add bridge=bridge-LAN interface=interface-LAN4
add bridge=bridge-LAN interface=interface-LAN2
add bridge=bridge-LAN interface=interface-LAN3
add bridge=bridge-LAN interface=interface-LAN1

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip dhcp-server network
add address=192.168.75.0/24 dns-server=192.168.75.1 gateway=192.168.75.1 ntp-server=192.168.75.1

/ip address
add address=192.168.75.1/24 interface=bridge-LAN network=192.168.75.0

route, all default / dynamic / managed by the router

pe1chl · January 13, 2020, 11:59am

Ok so it looks like both the source and destination system are in the same subnet, so the traffic would be bridged or switched.
But earlier you wrote:

(the .100 is on another port if that matter or not but in the same bridge)

That appears to be inconsistent with the config you posted.

When everything is in the same bridge but you want the CPU to handle the traffic, it could be required to use proxy-arp, not sure in this case because bridge is also CPU processed and of course proxy-arp is not required for forwarding via the bridge.

When there really is a different bridge, the traffic is routed and of course you will need proxy arp.
A cleaner solution would be to setup a different local network and have the traffic being routed.

mrtn · December 30, 2021, 1:00am

I’m having the same problem:
I have a bridge with 2 ports and HW offloading enabled, i.e., the device works just as a switch.
I want to redirect specific traffic to the CPU to pass it through bridge filter or IP filter rules.

Port 1 is the gateway, port 2 to my PC.

On the PC, I start ping 8.8.8.8. Then I add a Switch Rule:

0 switch=switch1 ports=ether3-pc protocol=icmp copy-to-cpu=no redirect-to-cpu=yes mirror=no

I’d expect that the ping continues, but is handled by the CPU and not the switch chip anymore.
However, the ping stops working. Seems like the same behavior the OP saw.

The docs on switch ACL rules and the option redirect-to-cpu are quite limited so I’m not sure I’m using it correctly.

When I disable hardware offloading for port 2, the ping works, but then I guess all traffic goes to the CPU, which is not what I want.

Thanks!

pe1chl · December 30, 2021, 10:00am

It could well be that the combination of “switch port rules” and “bridge with hardware acceleration” is not supported, or not supported on all hardware.
This switch configuration dates from the days when the bridge was not mandatory and you could directly connect a switch to the router config.
Now a bridge has become mandatory and much of switch config has moved to bridge config, and the remaining switch config options are of course in conflict with what you do on switch level.
It would not surprise me when in the end all possible config is moved into bridge and the switch menu disappears entirely.