lapsio
Member
Topic Author
Posts: 469
Joined: Wed Feb 24, 2016 5:19 pm

/ip firewall NAT on bridge with use-ip-firewall not working

Sun Jul 07, 2019 8:32 pm

I'm using use-ip-firewall on bridges, and if I add any NAT rule that affects traffic on the bridge it basically gets blackholed. Why is that? It only happens when there's no IP address on the bridge. Would bridge NAT work in such a scenario? I want to redirect port 53 to the local DNS server at bridge level, since I'm dropping any DNS traffic not destined to the LAN on the bridge firewalls, so it doesn't reach the core router, which would normally perform the NAT.
MTCNA, MTCRE, MTCINE
 
anav
Forum Guru
Posts: 2938
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: /ip firewall NAT on bridge with use-ip-firewall not working

Sun Jul 07, 2019 11:03 pm

Concur with the approach of simply stating the requirements in terms of the desired functionality users will experience, without mention of config/settings.
I have users x and users y; I want to ensure that users X access the internet with the following limitations...................., I want to ensure users y access the internet with the following limitations..............
Having an understanding of the requirements without clouding the issue with router settings you may or may not be using (either correctly or appropriately) is optimal to get you to a working, useful solution!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
lapsio
Member
Topic Author
Posts: 469
Joined: Wed Feb 24, 2016 5:19 pm

Re: /ip firewall NAT on bridge with use-ip-firewall not working

Mon Jul 08, 2019 12:30 am

> Concur with the approach of simply stating the requirements in terms of the desired functionality users will experience, without mention of config/settings.
> I have users x and users y; I want to ensure that users X access the internet with the following limitations...................., I want to ensure users y access the internet with the following limitations..............
> Having an understanding of the requirements without clouding the issue with router settings you may or may not be using (either correctly or appropriately) is optimal to get you to a working, useful solution!!

I personally have disabled DNS from DHCP on all my devices because I don't trust ISP DNS servers, which are often given by DHCP in most networks, either directly or indirectly since the gateway forwards to ISP servers (starting from the fact that they're censored). It's almost never a good idea to allow ISP DNS servers, so I try to force 3rd party DNS servers wherever possible. That said, this network has a DNSSec & DNSEnc enabled caching DNS server forwarding to 8.8.8.8, and I don't want users to send requests to 8.8.8.8 (or in fact any non-DNSSec/DNSEnc enabled server) directly. That's why I want to redirect to the local, protected DNS, and I don't want users who disabled DNS from DHCP (including myself lol) to have issues with connectivity.

I have used such a setup for years; however, now I noticed an issue for the first time, since the firewall blocks packets only after the second bridge (so it works properly for all APs working as bridges that are connected directly to the core router, but now for the first time I used more than 1 firewalled bridge along the path, and it drops packets to 8.8.8.8 when using my usual config).
MTCNA, MTCRE, MTCINE
 
mrz
MikroTik Support
Posts: 5921
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: /ip firewall NAT on bridge with use-ip-firewall not working

Mon Jul 08, 2019 10:57 am

If there is no IP address on an interface, then NAT cannot translate.
 
lapsio
Member
Topic Author
Posts: 469
Joined: Wed Feb 24, 2016 5:19 pm

Re: /ip firewall NAT on bridge with use-ip-firewall not working

Mon Jul 08, 2019 12:43 pm

> If there is no IP address on an interface, then NAT cannot translate.

What are the security implications of adding a 'dummy' IP address (e.g. 1.2.3.4) on an interface that is supposed to work as a pure L2 bridge, with drop all input on the firewall, just to allow for NAT?
MTCNA, MTCRE, MTCINE
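For readers who want to see the setup the thread is talking about in one place, here is an added RouterOS configuration example; it is not from any post in this thread and not MikroTik's reference configuration. It puts together the pieces the topic author describes (use-ip-firewall on the bridge, dst-nat of port 53 to the local resolver, drop-all input on the bridge, a forward-chain drop for DNS leaving the LAN) and, following mrz's reply that NAT cannot translate without an address on the interface, gives the bridge an address. The bridge name `bridge1`, the LAN `192.168.10.0/24`, the resolver address `192.168.10.53` and the bridge address `192.168.10.254` are all constructed for the example.

```routeros
# Added example, not from the thread. Constructed values:
#   bridge1          - the AP's bridge interface
#   192.168.10.0/24  - the LAN behind the bridge
#   192.168.10.53    - the local DNSSEC/encrypted-forwarding resolver
#   192.168.10.254   - address given to the bridge only so that NAT can translate

# Pass bridged frames through /ip firewall filter and nat on this AP.
/interface bridge settings set use-ip-firewall=yes

# Per mrz's reply, NAT needs an address on the interface; this is the
# "dummy" address from the last post. It is not used for management.
/ip address add address=192.168.10.254/24 interface=bridge1 comment="address present only for NAT"

/ip firewall nat
# DNS queries entering the bridge that are not already aimed at the LAN are
# rewritten to the local resolver (dstnat runs before the forward chain).
add chain=dstnat in-interface=bridge1 protocol=udp dst-port=53 dst-address=!192.168.10.0/24 \
    action=dst-nat to-addresses=192.168.10.53 to-ports=53 comment="UDP/53 to local resolver"
add chain=dstnat in-interface=bridge1 protocol=tcp dst-port=53 dst-address=!192.168.10.0/24 \
    action=dst-nat to-addresses=192.168.10.53 to-ports=53 comment="TCP/53 to local resolver"

/ip firewall filter
# The bridge is meant to be L2 only: nothing from the bridge may reach the AP itself,
# which is the "drop all input" the last post proposes.
add chain=input in-interface=bridge1 action=drop comment="no services on the bridge address"
# Any DNS that is still headed outside the LAN after translation is dropped here,
# which is the "drop DNS not destined to LAN" rule from the first post.
add chain=forward in-interface=bridge1 protocol=udp dst-port=53 dst-address=!192.168.10.0/24 \
    action=drop comment="DNS leaving the LAN"
add chain=forward in-interface=bridge1 protocol=tcp dst-port=53 dst-address=!192.168.10.0/24 \
    action=drop comment="DNS leaving the LAN"
```

A quick check after applying this: `/ip firewall nat print stats` and `/ip firewall filter print stats` show the counters on the two dstnat rules rising when a client on the bridge queries an outside resolver, while the forward-chain drop counters should stay at zero for that traffic, since the destination has already been rewritten to the LAN resolver by the time the forward chain sees it. If the forward drops are counting instead, the packet reached the filter untranslated, which matches the blackholing the topic author reports when the bridge has no address.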
