Trying to configure stateful firewall on bridge

I am trying to get a RB750Gr3 running RouterOS 7.20 to provide stateful firewall services on a bridge which has 3 ports joined.

This is a basic summary of the setup and the goals

interface                      bridge            purpose                                     firewall objectives
ether1-LAN-mgmt                n/a               management of Router, not part of bridge   n/a
ether2-protected-connectivity  protected-bridge  provide connectivity for protected-bridge  allow established ingress, allow any egress, default deny
ether3-protected-device1       protected-bridge  provide transparent firewall to device 1   allow any
ether4-protected-device2       protected-bridge  provide transparent firewall to device 2   allow any

Other notes

  • ether2 is on the untrusted side
  • ether3 and ether4 are on the trusted side
  • hardware offload is disabled for ether2-4 as part of being members of protected-bridge

Things I've tried and Problems I've found

Bridge Filter approach

/interface bridge filter
add action=drop chain=forward comment="default deny" log=yes

  • I can't find a way to get bridge filter rules to incorporate a state (to allow established etc.), so that traffic from the untrusted side can respond to connections initiated from the trusted side
Firewall rules approach
using interface lists

/interface list
add name=protected-external
add name=protected-internal
/interface list member
add interface=ether2-protected-connectivity list=protected-external
add interface=ether3-protected-hpvr list=protected-internal
add interface=ether4-protected-spare list=protected-internal

/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="allow all egress from protected-external" log=yes out-interface-list=protected-external
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked in-interface-list=protected-external log=yes
add action=drop chain=forward comment="default drop" in-interface-list=protected-external log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN

  • pings can be initiated from devices on the protected-external side, so the above rules have no effect
directly selecting interfaces

/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip firewall filter
# in/out-interface matcher not possible when interface (ether2-protected-connectivity) is slave - use master instead (protected)
add action=accept chain=forward comment="allow all egress from protected-external" log=yes out-interface=ether2-protected-connectivity
# in/out-interface matcher not possible when interface (ether2-protected-connectivity) is slave - use master instead (protected)
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked in-interface=ether2-protected-connectivity log=yes
# in/out-interface matcher not possible when interface (ether2-protected-connectivity) is slave - use master instead (protected)
add action=drop chain=forward comment="default drop" in-interface=ether2-protected-connectivity log=yes

  • I'm unable to directly configure an outbound interface for those interfaces that are in a bridge

Overall I'm not sure what my options are, I haven't used transparent firewall configurations on a RouterOS before.

Have I missed something or are there limitations I might not be aware of?

Thanks in advance for any suggestions.

Please note that the performance on your hEX RB750Gr3 will not be great if you do the following (you won't reach 1Gbps throughput), but this is what you can try:

  • Turn on Use IP Firewall in the global Bridge -> Settings:

  • Write your firewall filter rules but, use these conditions for the port selection instead of in-interface/in-interface-list/out-interface/out-interface-list:

Also, place your custom rules below the standard "accept established,related, untracked" rule for better performance. Don't put your custom accept or drop rules above that rule! And you also don't need the custom "accept established,related, untracked" with the extra condition; using the default one is enough.

You actually only need one drop rule (placed below the standard "accept established,related, untracked" rule) on the forward chain to drop packets with in-bridge-port=ether2 and out-bridge-port-list=ETH3_ETH4, with ETH3_ETH4 containing the relevant ether3 and ether4 interfaces.

Also please note that the rules I wrote use the in / out direction based on the rules that you've written above. But they are actually the reverse of what you textually describe in the table. Please decide if you want to block packets leaving the router through ether2 to the outside, or if you want to block the packets coming from the outside, through ether2, to the router.

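The configuration the reply above describes, written out as an added example (it is not from the original post or the reply, and has not been taken from a running device). It reuses the interface and bridge names from the poster's table and the poster's existing protected-internal list; the two "defconf" rules are the ones RouterOS ships in its default firewall, and the in-bridge-port / out-bridge-port-list matchers are the ones documented for RouterOS 7 and only match once use-ip-firewall is on. Check the exact matcher names against your RouterOS build before relying on this.

```routeros
# Added example, not the poster's config. Transparent stateful firewall
# on protected-bridge: ether2 untrusted, ether3/ether4 trusted.

# 1. Send bridged (layer-2 forwarded) traffic through /ip firewall.
#    This is what makes in-bridge-port / out-bridge-port-list usable and
#    is also why the hEX will be CPU-bound rather than line-rate.
/interface bridge settings
set use-ip-firewall=yes

# 2. Trusted bridge ports as an interface list (skip the "add name" line
#    if the poster's protected-internal list already exists).
/interface list
add name=protected-internal
/interface list member
add interface=ether3-protected-device1 list=protected-internal
add interface=ether4-protected-device2 list=protected-internal

# 3. Connection tracking must be on for the established/related match.
/ip firewall connection tracking
set enabled=yes

# 4. Forward chain: standard fast-path rules first, then one drop rule.
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Only packets that start a NEW connection, enter the bridge on the
# untrusted port and would leave towards a trusted port are dropped.
# Replies to connections opened from ether3/ether4 come back in through
# ether2 as established and are accepted by the first rule, which is the
# behaviour the bridge-filter approach could not give.
add chain=forward action=drop connection-state=new in-bridge-port=ether2-protected-connectivity out-bridge-port-list=protected-internal log=yes log-prefix="untrusted-in" comment="deny new ingress from untrusted side to protected devices"
```

To check it, start a connection (e.g. a ping) from a device on ether3 towards the ether2 side and watch the counters with `/ip firewall filter print stats`: the defconf accept rule should count the replies, and `/ip firewall connection print` should show the flow. Then ping from the ether2 side towards ether3: the drop rule's counter increments and the log shows the "untrusted-in" prefix. Note that only the forward chain is involved here; management access to the router itself over ether1 is governed by the input chain and is not affected by these rules.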

Thanks for your advice, I can see my config approach needs some development based on your comments and some basic testing I've subsequently done.

I'll also have to consider the CPU bottleneck issue a bit further and maybe revisit my design.

Forget about bridge filters for starters; they are usually for advanced specific uses, not general cases. All of this can be done with regular firewall rules.
Decide whether you want two subnets ( one on bridge, one off bridge ) or vlans and all on bridge except ether1. Are we assuming ether5 is wan?