When is "use-ip-firewall" and "use-ip-firewall-for-vlan" necessary?

I have a bridge with multiple vlans (vlan filtering enabled).

I have firewall rules and queue tree setup for wan routed traffic (different vlans have different wan bandwidth limit and priorities).

Question:

  1. I have “use-ip-firewall” active on the bridge. Is this necessary or not? My feeling is not, but I have it enabled anyway. Can anyone clarify?
  2. I have drop rules between vlans (based on the vlan ip-range in address-list) that seem to work even when “use-ip-firewall-for-vlan” is not active. What is the use case for “use-ip-firewall-for-vlan”?

Thank you

use-ip-firewall means that all traffic within the same subnet and passing the bridge will be subject to ip firewall filter rules. Similarly, use-ip-firewall-for-vlan affects traffic within VLANs.

Unless one wants to filter traffic between nodes that are members of the same subnet/VLAN … and that is not the case very often … there is no need to use these options. Quite probably firewall rules (not set with such use in mind) either won’t block anything or will block everything. Even if they don’t block anything it will have an effect on CPU load …
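To make the distinction concrete, here is an added RouterOS configuration fragment (not posted in this thread) showing a VLAN-filtering bridge with both bridge-level IP firewall toggles left at "no" and the inter-VLAN drop rules placed in the forward chain. Interface names, VLAN IDs, subnets and list names are constructed for illustration.

```routeros
# Constructed example: VLAN-filtering bridge, bridge IP-firewall toggles off.
/interface bridge
add name=bridge1 vlan-filtering=yes

/interface bridge settings
# Traffic between two hosts on the SAME VLAN is bridged at layer 2 and only
# reaches /ip firewall filter if these are set to yes. Leaving them at "no"
# keeps intra-VLAN traffic out of the IP firewall and off the CPU path.
set use-ip-firewall=no use-ip-firewall-for-vlan=no

/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20

/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=20

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20

/ip firewall address-list
add list=vlan10-net address=192.168.10.0/24
add list=vlan20-net address=192.168.20.0/24

/ip firewall filter
# Traffic between vlan10 and vlan20 is routed, not bridged, so it always
# traverses the forward chain. That is why inter-VLAN drop rules like these
# work even with use-ip-firewall-for-vlan=no.
add chain=forward src-address-list=vlan10-net dst-address-list=vlan20-net \
    action=drop comment="block vlan10 -> vlan20"
add chain=forward src-address-list=vlan20-net dst-address-list=vlan10-net \
    action=drop comment="block vlan20 -> vlan10"
```

Only if you need to filter host-to-host traffic inside one VLAN would the bridge settings need to be switched to yes, and then every existing filter rule should be reviewed because bridged frames will start matching them too.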

I can’t overstate the importance of this comment. I had misconfigured my setup using ip-firewall-for-vlan and when I corrected it, the impact on latency (not measured) was noticeable to say the least. It has a CPU and performance impact. I also think it can cause odd intermittent behaviour if used incorrectly.