Unexpected behavior from rb1100ahx2 switch/firewall.

RouterOS General
1

Hi guys, have an 1100ahx2 running 6.27.

Have it configured as a switch with a firewall to filter traffic to some web hosting servers.

I noticed that my rules for blocking were not being followed by some of my machines.

Turns out it was the machines plugged into the first switch group that were not getting filtered, I have it configured thusly;

port 1 is master for ports 2-5, port 6 is master for ports 7-10. ports 1 and 6 are in the bridge. bridge is set to use firewall. port 1 is my uplink port, tho symptoms persist if uplink is plugged into any port on switch group 1.

Any machine plugged into the first switch group does not obey firewall rules. I am using the forward chain. second port switch group works fine. here is an example line in my firewall;

30 ;;; The dude
chain=forward action=accept protocol=udp dst-address=redactedip
dst-port=5678 log=no log-prefix=“”

31 ;;; allow related connections
chain=forward action=accept connection-state=related log=no
log-prefix=“”

32 ;;; allow established connections
chain=forward action=accept connection-state=established log=no
log-prefix=“”
33 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid log=no log-prefix=“”

34 ;;; Drop everything else
chain=forward action=drop dst-address=mysubnet/24 log=no
log-prefix=“”



Am I missing some fundamental architecture issue with this routerboard?

2

Actually you do :laughing:

Having port 1 master for 2-5 and 6 as master for 7-10 you create 2 “dumb” switches with no filtering applying to their own ports, and the bridge will filter the traffic between their master ports only. This is what you actually created:
Network Diagram(1).png
To obtain the results you need, leave port 1 as stand alone port, set port 2 as master for 3-5 and 6 as master for 7-10.
Than place in the bridge ports 1, 2 and 6.

This should do the trick. But take care, filtering will still NOT occur inside the switches, meaning no filtering between ports 2-5 and between 6-10.

To have filtering active between ALL ports, you have to place them individually in the bridge.

3

ah that makes sense. I should make the master port 2 and add 1 and 2 to the bridge so it crosses the CPU before it hits the internet.

Not sure how i missed that.

Probably because I never use the switch chips in any of my deployments, Im an all CPU kind of guy.