Switch rules

Hello,

I’m trying to add a switch rule but I’m not sure I’m using it correctly.

I want to drop forwarded packets. I was using the bridge filter before, but after I enabled HW offload it stopped working.

The bridge filter rule that I was using:

/interface bridge filter
add action=drop chain=forward comment="Drop unauthorized access" dst-address=\
    10.10.0.0/22 in-bridge=bridge1 mac-protocol=ip out-bridge=bridge1 \
    src-address=10.10.4.0/22

The switch rule I added:

/interface ethernet switch rule
add dst-address=10.10.0.0/22 ports=ether5 redirect-to-cpu=yes \
    src-address=10.10.4.0/22 switch=switch1

The switch rule seems to be working. But I’m not an expert and want to ensure it’s the correct configuration.

As-is, the rule does not drop the matching frames but redirects them to the CPU. To actually drop them, you should use new-dst-ports="" instead of redirect-to-cpu=yes.

I used new-dst-ports="" and I had to add another rule before this one to allow users to reach the router 10.10.0.1.

Thank you

Ah, sorry - new-dst-ports=switch1-cpu is what you need. I forgot that you only needed to drop traffic from one external port to another.

I removed the accept rule and edited the original with "new-dst-ports=switch1-cpu" and now it works as intended.

Thank you, good sir.
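The three variants of the switch rule discussed in this thread, side by side, as an added example that is not one of the posters' own configurations. It assumes the thread's addresses (users in 10.10.4.0/22, the protected subnet 10.10.0.0/22, the router itself at 10.10.0.1), that ether5 on switch1 is the port the users enter on, and that the original bridge filter forward rule is still in place.

```routeros
# Added example (not from the thread). Assumptions: users arrive on ether5 of
# switch1, 10.10.0.1 is the router's own address inside 10.10.0.0/22, and the
# "Drop unauthorized access" bridge filter from the first post still exists.
/interface ethernet switch rule

# Variant 1 (first attempt, commented out): redirect-to-cpu=yes sends the
# matching frames to the CPU instead of the destination port. They are not
# dropped by the switch chip; the software bridge (and its filter) sees them.
#add switch=switch1 ports=ether5 src-address=10.10.4.0/22 \
#    dst-address=10.10.0.0/22 redirect-to-cpu=yes \
#    comment="v1: punt to CPU, not a hardware drop"

# Variant 2 (commented out): an empty new-dst-ports list drops the frames in
# hardware. Because 10.10.0.1 is inside 10.10.0.0/22, this also drops traffic
# to the router itself, which is why an accept rule for the router had to be
# placed in front of it (first matching switch rule wins).
#add switch=switch1 ports=ether5 src-address=10.10.4.0/22 \
#    dst-address=10.10.0.0/22 new-dst-ports="" \
#    comment="v2: hardware drop, also cuts off 10.10.0.1"

# Variant 3 (final): new-dst-ports=switch1-cpu forwards the frames only to the
# CPU port, never to another switch port. Traffic addressed to the router
# (10.10.0.1) still reaches it, while frames headed for other hosts in
# 10.10.0.0/22 are handled by the software bridge, where the existing bridge
# filter forward rule drops them. No extra accept rule is needed.
add switch=switch1 ports=ether5 src-address=10.10.4.0/22 \
    dst-address=10.10.0.0/22 new-dst-ports=switch1-cpu \
    comment="Drop unauthorized access (with HW offload)"
```

Verify the result with /interface ethernet switch rule print and by checking that a host in 10.10.4.0/22 can still reach 10.10.0.1 but not other addresses in 10.10.0.0/22.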