Vlan with IP Firewall

I have a MikroTik with a config that takes 2 VLANs off of a bridge and untags them onto a port using another bridge. My config is outlined below. I do rate-limiting by packet marking the ports of the bridges. My issue is if I check the “use ip firewall” in the bridge setting the router quits passing traffic over the VLAN. If I disable this setting the VLAN starts working. (It's the last setting in the config.)

I need to do rate-limiting on a port that is on a bridge, and using this is the only way I know how, but it seems to be blocking the VLAN.

/interface bridge
add l2mtu=1594 name="Vlan - 18 - Bridge"
add l2mtu=1594 name="Vlan - 29 - Bridge"
add l2mtu=1598 name="WAN Bridge"

/interface vlan
add interface="WAN Bridge" l2mtu=1594 name=vlan18 vlan-id=18
add interface="WAN Bridge" l2mtu=1594 name=vlan29 vlan-id=29

/interface bridge port
add bridge="WAN Bridge" interface="1 - Backhaul"
add bridge="WAN Bridge" interface="4"
add bridge="WAN Bridge" interface="10"
add bridge="Vlan - 18 - Bridge" interface=vlan18
add bridge="Vlan - 18 - Bridge" interface="5"
add bridge="WAN Bridge" interface="6"
add bridge="Vlan - 29 - Bridge" interface="7A"
add bridge="Vlan - 29 - Bridge" interface=vlan29

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

What does your firewall look like?

My firewall rules are actually empty. The only reason I tell it to use firewall rules is because that's the only way I can get the queue tree to notice the packet marks.

Any help anyone?

This has been broken since v6.xx and is a Royal PITA. Clearly enabling “Use IP Firewall” in the Bridge Settings should not stop forwarding of L3 packets, but that is what is happening. Either no one else is using VLANs, or there is just some fundamental misunderstanding here. The configuration that this breaks is ridiculously simple. Have a tagged packet enter the router. Untag the packet and send out another interface. Works fine until you enable “Use IP Firewall”.

Perhaps someone can explain why this is a good idea …

See http://forum.mikrotik.com/t/use-ip-firewall-in-bridge-6-1-bug/74480/4

Problem verified, solution unknown.