lapsio
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Difference between /interface bridge filter and /ip filter?

Tue Mar 06, 2018 11:44 pm

What is the difference between /interface bridge filter and /ip firewall filter with IP firewall enabled in bridge settings? I mean more technically - is bridge filter hardware accelerated or something? I'm currently using /ip firewall filter for all filtering, including L3 filtering between individual bridge ports, but I wonder if it'd maybe be worth migrating to /interface bridge filter, at least for filtering between individual bridge ports.
MTCNA, MTCRE, MTCINE
 
tholderbaum
newbie
Posts: 33
Joined: Thu Jan 23, 2014 3:34 am
Location: Tampa, Florida
Contact:

Re: Difference between /interface bridge filter and /ip filter?

Wed Mar 07, 2018 8:35 pm

For starters, you need to understand that, from a networking perspective, bridges work just like a switch. When you create a bridge and add two interfaces together, you are saying that those interfaces are linked together as if they were plugged into the same switch. This is commonly referred to as a layer 2 device.

With that understanding, a bridge filter controls the type of traffic allowed on the bridge. For instance, if I want to set up a filter rule to block all ping traffic to any device on the interface, then I would set up a bridge filter to match all ICMP packets and drop them.

IP filtering filters traffic based on a specific interface or IP. It is what you would normally use to allow or drop traffic to and from a single IP subnet, host or interface. IP traffic is commonly referred to as Layer 3.

So why would you use bridge filters instead of IP filters? Not all traffic is IP. Broadcasts, like ARP, DHCP and other kinds of traffic like that are layer 2 and would not be blocked by IP filters.

There are no performance benefits from either approach, but for simplicity, I would use IP filters unless you had a specific reason for bridge filters.
Have Mikrotik Questions? We can help
Rapid Technology Solutions
rtssupport@rapidts.com
727-482-3933
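
The two filtering points discussed in the post above, side by side in RouterOS syntax. This is an added example, not configuration posted by anyone in the thread; the port names ether2 and ether3 are assumed, and it assumes traffic between those ports is forwarded by the CPU bridge rather than switched in hardware.

```routeros
# Added example. ether2 and ether3 are assumed bridge ports.

# 1) Layer 2: /interface bridge filter matches frames crossing the bridge,
#    including non-IP traffic such as ARP that /ip firewall filter never sees.
/interface bridge filter
add chain=forward in-interface=ether2 out-interface=ether3 \
    mac-protocol=arp action=drop comment="L2: drop ARP ether2 -> ether3"
add chain=forward in-interface=ether2 out-interface=ether3 \
    mac-protocol=ip ip-protocol=icmp action=drop \
    comment="L2: drop ICMP ether2 -> ether3 (stateless match)"

# 2) Layer 3: bridged packets reach /ip firewall filter only when
#    use-ip-firewall is enabled in the bridge settings.
/interface bridge settings
set use-ip-firewall=yes

# With the IP firewall in the path, connection tracking is available, so the
# rules can be stateful: ether3 may answer connections opened from ether2
# but cannot open new ones toward ether2.
/ip firewall filter
add chain=forward in-bridge-port=ether3 out-bridge-port=ether2 \
    connection-state=established,related action=accept \
    comment="L3: allow replies ether3 -> ether2"
add chain=forward in-bridge-port=ether3 out-bridge-port=ether2 \
    action=drop comment="L3: drop everything else ether3 -> ether2"
```

Rule order matters in the last block: the accept for established and related traffic has to sit above the drop.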
 
lapsio
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Re: Difference between /interface bridge filter and /ip filter?

Wed Mar 07, 2018 8:46 pm

Does MikroTik allow hardware ACLs? Because the performance of the ROS firewall is okay for internet/DMZ traffic, but for LAN it's not really there yet. I mean, yeah, sure, I actually use a CCR1009 and use it as a bridge with firewall to handle multi-gigabit firewalling, but it sounds like a terrible misuse of the device. So I wonder whether MikroTik supports some wire-speed filtering in switch devices. Preferably stateful. Also, do I need a full-blown switch for that, or will routers with a switch chip do as well?
MTCNA, MTCRE, MTCINE
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Re: Difference between /interface bridge filter and /ip filter?

Wed Mar 07, 2018 9:31 pm

Stateful wirespeed hardware firewall in switch chip? Are you sure? If you need such functionality, only software running on really powerful hardware can provide that. Or you have to lower your requirements...
 
lapsio
Member
Topic Author
Posts: 470
Joined: Wed Feb 24, 2016 5:19 pm

Re: Difference between /interface bridge filter and /ip filter?

Wed Mar 07, 2018 9:37 pm

> Stateful wirespeed hardware firewall in switch chip? Are you sure? If you need such functionality, only software running on really powerful hardware can provide that. Or you have to lower your requirements...

I was afraid of that. Welp. Seems I'll need to continue using CCRs as op software bridges with fw :|
Latency is quite high tho in software. Or I'll need some acl-fu to imitate stateful with stateless rules...
MTCNA, MTCRE, MTCINE