Two bridges - firewall rules not working

Hello there,

Guys, please give me some advice on firewall rules and bridges on RouterOS.

For explanation, I have:

bridge-local
bridge-public

Also I have wlan1 on bridge-local, and a second wireless network via a Virtual AP on bridge-public. There are two subnets (192.168.2.0/24 and 10.6.1.0/24).

Also I have firewall rules:

1 chain=forward action=drop src-address=10.6.1.0/24
dst-address=192.168.2.0/24 log=yes log-prefix=""

2 chain=forward action=drop src-address=192.168.2.0/24
dst-address=10.6.1.0/24 log=yes log-prefix=""
...
Also I have srcnat:

4 chain=srcnat action=masquerade src-address=10.6.1.0/24
out-interface=Gateway - O2 ( this is GATEWAY interface - provider ) log=no log-prefix=""

The problem is: from the public WiFi network I can still ping 192.168.2.1. My question is WHY? Please help.

Here is additional info:

NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU

0 R Gateway - O2 ether 1500 1598 2028
5 RS wireless-tentononc wlan 1500 1600
6 S wlan1 wlan 1500 1600
7 R bridge-local bridge 1500 1598
8 R bridge-public bridge 1500 1598

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=3d name=dhcp1
add address-pool=pool-PublicWifi disabled=no interface=bridge-public name=dhcp-public

add address=10.5.1.0/24 dns-server=8.8.8.8 gateway=10.5.1.1
add address=10.6.1.0/24 dns-server=8.8.8.8 gateway=10.6.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1

What am I missing? Thanks a lot.

Hi,

/interface bridge settings set use-ip-firewall=yes

Hi,

Thanks a lot for the reply. I have done it, BUT I am still able to ping the gateways. From network 10.6.1.0 I can ping 192.168.2.1.

Is that normal?

Yes, it is normal.
As far as I understand, 192.168.2.1 is your router's local address.
You only applied the drop rules in the forward chain. This affects all traffic passing through your router. Traffic terminating in your router is not affected.
Add it to the input chain and it should work:

/ip firewall filter
add chain=input action=drop src-address=10.6.1.0/24 dst-address=192.168.2.1
add chain=input action=drop src-address=192.168.2.0/24 dst-address=10.6.1.1

-Chris
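A fuller rule set in the same direction as Chris's answer, as an added example that is not from the thread. It keeps the interface and subnet names from the original post (bridge-local = 192.168.2.0/24 with router address 192.168.2.1, bridge-public = 10.6.1.0/24 with router address 10.6.1.1, WAN interface "Gateway - O2") but matches on in-interface instead of on a single destination address, so the public bridge is cut off from every address the router owns, not only 192.168.2.1. The DHCP accept rule and the log prefixes are assumptions added for illustration.

```routeros
# Added example (not from the thread). Assumes the names from the original post.
# use-ip-firewall is needed so bridged frames are seen by /ip firewall at all.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# --- input chain: packets addressed to the router itself (pings to 192.168.2.1, 10.6.1.1, WAN IP) ---
# replies to connections the router opened (e.g. its own DNS lookups) must keep flowing
add chain=input action=accept connection-state=established,related comment="router's own replies"
# public clients still need an address from dhcp-public on 10.6.1.1 (assumption: DHCP is the only service they need)
add chain=input action=accept in-interface=bridge-public protocol=udp dst-port=67 comment="DHCP for public wifi"
# everything else from the public bridge to the router is dropped and logged: this is what blocks the ping
add chain=input action=drop in-interface=bridge-public log=yes log-prefix="pub-in" comment="public wifi -> router"

# --- forward chain: packets passing through the router between bridges ---
add chain=forward action=accept connection-state=established,related comment="already-allowed flows"
add chain=forward action=drop in-interface=bridge-public out-interface=bridge-local log=yes log-prefix="pub2lan"
add chain=forward action=drop in-interface=bridge-local out-interface=bridge-public log=yes log-prefix="lan2pub"
# (srcnat masquerade on "Gateway - O2" from the original post stays as it is)
```

To check that the rules are actually being hit, ping 192.168.2.1 from a public-WiFi client and then run `/ip firewall filter print stats` (the packet counter on the "pub-in" drop rule should increase) and `/log print where message~"pub-in"` to see the dropped packets. The interface-based match is preferred over a dst-address match because the router also answers on 10.6.1.1 and on the WAN address, and a rule keyed only on 192.168.2.1 leaves those reachable from the public network.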