After looking at the following, I’d like to know if anyone is using a switch rule with redirect-to-cpu that works as expected.
- http://forum.mikrotik.com/t/switch-rules-redirect-to-cpu/143596/1
- http://forum.mikrotik.com/t/switch-rule-redirect-to-cpu-issue/136032/1
There is a lot of useful info on http://forum.mikrotik.com/t/firewall-rules-for-vlans-using-their-interface-name/165455/1 which I used to verify that I can at least get the packets to the firewall when I disable hardware offload for the specific ethernet port.
Specifically trying to send only one VLAN’s traffic to the firewall:
# RB5009
/interface bridge
add dhcp-snooping=yes fast-forward=no frame-types=admit-only-vlan-tagged name=bridge_lan port-cost-mode=short pvid=1111 vlan-filtering=yes
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge port
add bridge=bridge_lan interface=ether1 internal-path-cost=10 path-cost=10 pvid=2000
# And others
/interface vlan
add interface=bridge_lan name=vlan_dodgy_3000 vlan-id=3000
# And others
/interface ethernet switch rule
add ports=ether1 redirect-to-cpu=yes vlan-id=3000 switch=switch1
I’ve tried to make the rule also change the VLAN ID to match the bridge VLAN ID, to ID 1 and ID 0 (just because). As soon as I enable the switch rule, a ping across the interface to another in the bridge stops working, but the packet sniffer on the router starts to see packets on ether1. Then they just vanish. I can’t capture them on the bridge and a firewall forward rule using IP address and not interfaces does not match anything.
I can do what I want if I disable hardware offload on the ports, but since I only really need very low bandwidth traffic to be firewalled I’d prefer to make this work in the same way I do for a CSS switch that is configured to forward all packets for a specific VLAN out to the port connected to the router.
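The software-bridging path the post says does work, written out as an added example (not the poster's own config): ether1 leaves hardware offload, VLAN 3000 is tagged in the bridge VLAN table, and only that VLAN's forwarded traffic is checked by the IP firewall. It assumes the bridge VLAN entry sits among the omitted "And others" lines, and that with use-ip-firewall-for-vlan=yes the bridged traffic matches on in-interface=vlan_dodgy_3000, as the linked VLAN-interface-name thread describes.

```routeros
# Assumed names taken from the post: bridge_lan, ether1, vlan_dodgy_3000, VLAN 3000.

# Step 1: take ether1 out of hardware offload so its frames are bridged by the CPU
# and can reach the IP firewall (the workaround the post describes).
/interface bridge port
set [ find interface=ether1 ] hw=no

# Step 2: VLAN 3000 must be tagged on ether1 and on the bridge itself so the
# vlan_dodgy_3000 interface sees it (assumption: one of the omitted lines).
/interface bridge vlan
add bridge=bridge_lan tagged=bridge_lan,ether1 vlan-ids=3000

# Step 3: with use-ip-firewall=yes and use-ip-firewall-for-vlan=yes (already set
# in the post), bridged VLAN 3000 traffic is matched by its VLAN interface name.
# Other VLANs are not referenced here, so they keep flowing untouched.
/ip firewall filter
add chain=forward in-interface=vlan_dodgy_3000 connection-state=established,related \
    action=accept comment="vlan 3000: allow return traffic"
add chain=forward in-interface=vlan_dodgy_3000 connection-state=new \
    action=log log-prefix="vlan3000-fw" comment="vlan 3000: record new flows first"
add chain=forward in-interface=vlan_dodgy_3000 action=drop \
    comment="vlan 3000: default deny for this VLAN only"
```

Check with /ip firewall filter print stats that the counters on these three rules move when traffic crosses VLAN 3000; if they stay at zero while /tool sniffer still sees the frames on ether1, the traffic is not reaching the IP firewall at all.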