Dear All,
On a router every interface has a vrrp interface, which is the gateway for those interface's subnet. I would like to make separated firewall rules like this:
ip firewall filter add chain=forward out-interface=<?which_if?> action=jump jump-target=fwd_subnet_1
My question is what interface should i use as outgoing interface? The vrrp or the real one?
thank you
-
-
StubArea51
Trainer
- Posts: 1739
- Joined:
- Location: stubarea51.net
- Contact:
Re: vrrp
It should be the real one...VRRP only answers ARP for the common MAC address and passes the traffic to the real interface. IIRC outbound traffic should originate from the physical interface.
-
-
marypoppins
newbie
- Posts: 30
- Joined:
Re: vrrp
Dear All,
However everybody tell me I should use the 'real' interface, but it seems that does not want to work. The playground:
pc1 ---ether1@TheBox@ether5/vrrp5 --- pc2
TheBox:
ether1 - 192.168.90.1/24
ether5 - 192.168.99.99/24
vrrp5 - 192.168.99.100/24 (on ether5)
The filter chain:
chain=forward action=accept protocol=icmp in-interface=ether1
A)) chain=forward action=accept in-interface=vrrp5
B)) chain=forward action=accept in-interface=ether5
chain=forward action=drop
----------------------------------------
When only B)) is enabled there is no icmp traffic, while when A)) is enabeld it work like the charm [ in this case B)) is unnecessary/disabled].
Another example:
I would like to make separate forward chains for ethernet interfaces, like this:
chain=forward action=jump jump-target=eth5 out-interface=ether5
The "chain=eth5 action=accept" does not work until I changed the out-interface from ether5 to vrrp5.
Could somebody explain it, please?
Thank you very much.
System resources:
version: 6.46.2 (stable)
architecture-name: mmips
board-name: hEX
However everybody tell me I should use the 'real' interface, but it seems that does not want to work. The playground:
pc1 ---ether1@TheBox@ether5/vrrp5 --- pc2
TheBox:
ether1 - 192.168.90.1/24
ether5 - 192.168.99.99/24
vrrp5 - 192.168.99.100/24 (on ether5)
The filter chain:
chain=forward action=accept protocol=icmp in-interface=ether1
A)) chain=forward action=accept in-interface=vrrp5
B)) chain=forward action=accept in-interface=ether5
chain=forward action=drop
----------------------------------------
When only B)) is enabled there is no icmp traffic, while when A)) is enabeld it work like the charm [ in this case B)) is unnecessary/disabled].
Another example:
I would like to make separate forward chains for ethernet interfaces, like this:
chain=forward action=jump jump-target=eth5 out-interface=ether5
The "chain=eth5 action=accept" does not work until I changed the out-interface from ether5 to vrrp5.
Could somebody explain it, please?
Thank you very much.
System resources:
version: 6.46.2 (stable)
architecture-name: mmips
board-name: hEX
-
-
marypoppins
newbie
- Posts: 30
- Joined:
Re: vrrp
Another test:
I have these interfaces with these ip addresses. I have forward filter which includes only the interface ether5 (not vrrp5). I begin to ping the target, and during the echo request/reply I change the service ip between the real and vrrp interface with command:
/ip address disable number=4; /ip address enable number=3
I also added a log rule in the forwarding chain at the first place.
2 192.168.99.99/24 192.168.99.0 ether5
3 X 192.168.99.100/24 192.168.99.0 vrrp5
4 192.168.99.100/24 192.168.99.0 ether5
This is the log during icmp echo request, while I change the ip "location":
The log shows: (log is the first passthrough rule in the forward chain)
05:02:11 firewall,info forward eleje forward: in:ether1 out:ether5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:11 firewall,info forward eleje forward: in:ether5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
05:02:12 firewall,info forward eleje forward: in:ether1 out:ether5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:12 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
05:02:13 firewall,info forward eleje forward: in:ether1 out:vrrp5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:13 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
05:02:14 firewall,info forward eleje forward: in:ether1 out:vrrp5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:14 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
First in the first three line the traffic pass between ether1 and ether5. After I activate the vrrp ip with the above mentioned command the ether5 becomes vrrp5. However the traffic is flowing (because it is established already), after I start a new icmp request, the filter drop it because ether5 interface in the rules has changed to vrrp5....
The forward rules:
1 chain=forward action=passthrough log=yes log-prefix="forward eleje"
2 chain=forward action=accept connection-state=established,related
3 chain=forward action=jump jump-target=eth5 out-interface=ether5
5 chain=forward action=drop
6 chain=eth5 action=accept
I have these interfaces with these ip addresses. I have forward filter which includes only the interface ether5 (not vrrp5). I begin to ping the target, and during the echo request/reply I change the service ip between the real and vrrp interface with command:
/ip address disable number=4; /ip address enable number=3
I also added a log rule in the forwarding chain at the first place.
2 192.168.99.99/24 192.168.99.0 ether5
3 X 192.168.99.100/24 192.168.99.0 vrrp5
4 192.168.99.100/24 192.168.99.0 ether5
This is the log during icmp echo request, while I change the ip "location":
The log shows: (log is the first passthrough rule in the forward chain)
05:02:11 firewall,info forward eleje forward: in:ether1 out:ether5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:11 firewall,info forward eleje forward: in:ether5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
05:02:12 firewall,info forward eleje forward: in:ether1 out:ether5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:12 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
05:02:13 firewall,info forward eleje forward: in:ether1 out:vrrp5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:13 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
05:02:14 firewall,info forward eleje forward: in:ether1 out:vrrp5, src-mac 00:1b:21:9a:2f:a6, proto ICMP (type 8, code 0), 192.168.90.1->192.168.99.1, len 84
05:02:14 firewall,info forward eleje forward: in:vrrp5 out:ether1, src-mac cc:2d:e0:d8:b9:2a, proto ICMP (type 0, code 0), 192.168.99.1->192.168.90.1, len 84
First in the first three line the traffic pass between ether1 and ether5. After I activate the vrrp ip with the above mentioned command the ether5 becomes vrrp5. However the traffic is flowing (because it is established already), after I start a new icmp request, the filter drop it because ether5 interface in the rules has changed to vrrp5....
The forward rules:
1 chain=forward action=passthrough log=yes log-prefix="forward eleje"
2 chain=forward action=accept connection-state=established,related
3 chain=forward action=jump jump-target=eth5 out-interface=ether5
5 chain=forward action=drop
6 chain=eth5 action=accept
Re: vrrp
Vrrp interfaces should have single address(es), i.e. with /32 netmask. If you use same netmask as parent interface has, it usually seems to work, at least at first, but it does strange things. And I keep forgetting the explanation what exactly happens.
And yes, if something is coming to vrrp interface, either to IP address on it, ot its MAC address (e.g. when something uses vrrp IP address as gateway), then in-interface=<vrrp interface> is correct.
And yes, if something is coming to vrrp interface, either to IP address on it, ot its MAC address (e.g. when something uses vrrp IP address as gateway), then in-interface=<vrrp interface> is correct.
-
-
marypoppins
newbie
- Posts: 30
- Joined:
Re: vrrp
Sorry for delay and thank you for your answer!
Could you explain why a vrrp ip should be /32? I have read this, but what does it mean?
Could you explain why a vrrp ip should be /32? I have read this, but what does it mean?
thank you"Note: address on VRRP interface must have /32 netmask if address configured on VRRP is from the same subnet as on router's any other interface."
Who is online
Users browsing this forum: Amazon [Bot], Google [Bot] and 38 guests