Ok, I have a RB2011UiAS
Port 3 is upstream to my CoLoc (just the way it got wired up)
Port 2 is connected to the primary interface of a vmware-box.
Port 5 is connected to the IPMI interface of my box.
Port 1-3 is assigned to "bridge-outside" and all seem well.
What I would like to do now is:
1. Be able to use bridge firewall to only allow access to some ports from certain IP's (In other word, filter vmware management trafic)
2. Be able to NAT traffic to the IPMI On Port 5
But, I cannot find a definitive guide on Bridging firewalls. At least not one that I can follow.
I started by enabling ip-firewall but that seemed to block all traffic (Thanks safe mode )
[admin@MikroTik] > export
# feb/05/2016 00:34:48 by RouterOS 6.34
# software id = UN2F-4MM3
#
/interface bridge
add admin-mac=E4:8D:8C:1E:41:56 auto-mac=no name=bridge-local
add name=bridge-outside
/interface ethernet
set [ find default-name=ether1 ] comment=Upstream name=ether1-gateway
set [ find default-name=ether2 ] comment="wmnic0 - vmware Prod" master-port=\
ether1-gateway name=ether2-vmware
set [ find default-name=ether3 ] name=ether3-AxbyteUpstream
set [ find default-name=ether5 ] comment=wmic1 disabled=yes
set [ find default-name=ether6 ] comment=IPMI name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
ether10-slave-local
/ip neighbor discovery
set ether1-gateway comment=Upstream discover=no
set ether2-vmware comment="wmnic0 - vmware Prod"
set ether5 comment=wmic1
set ether6-master-local comment=IPMI
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-outside interface=ether1-gateway
add bridge=bridge-outside interface=ether2-vmware
add bridge=bridge-outside interface=ether3-AxbyteUpstream
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
bridge-local network=192.168.88.0
add address=46.27.120.142/28 interface=bridge-outside network=46.27.120.128
add address=192.168.89.0/24 interface=ether4 network=192.168.89.0
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.89.0 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment=SNMP-access dst-port=161 protocol=udp src-address=\
46.27.120.128/28
add chain=input comment="default configuration" connection-state=\
established,related
add chain=input dst-port=28291 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=\
bridge-outside
add chain=forward comment="default configuration" connection-state=\
established,related
add action=drop chain=forward comment="default configuration" connection-state=\
invalid
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=\
bridge-outside
/ip firewall nat
# in/out-interface matcher not possible when interface (ether1-gateway) is slave -
use master instead (bridge-outside)
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway
# in/out-interface matcher not possible when interface (ether1-gateway) is slave -
use master instead (bridge-outside)
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1-gateway \
protocol=tcp src-address=94.234.170.167 to-addresses=192.168.88.254 \
to-ports=80
# in/out-interface matcher not possible when interface (ether1-gateway) is slave -
use master instead (bridge-outside)
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1-gateway \
protocol=tcp src-address=94.234.170.167 to-addresses=192.168.88.254 \
to-ports=443
/ip route
add distance=1 gateway=46.27.120.129
/ip service
set winbox port=28291
/lcd pin
set pin-number=[removed before post]
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-vmware
add interface=ether3-AxbyteUpstream
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-vmware
add interface=ether3-AxbyteUpstream
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=bridge-local
/tool romon port
add
[admin@MikroTik] >