mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Is there a "use-ip-firewall" setting also for non-bridge setup?

Wed Apr 29, 2020 11:46 pm

The following command prints the settings for a/the bridge:
/interface/bridge/settings/print
use-ip-firewall: no
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
allow-fast-path: yes
....
Is there another such/similar command for the non-bridge part or setup? (I think I saw such a command somewhere, but can't find it anymore :-( )
I.e. for disabling/enabling the firewall, or the fast-path.
And: is such a central setting available also for disabling/enabling fasttrack (besides doing it in the firewall rules themselves)?

I tried "/export verbose", but it crashes in my 7.0beta5 :-( --> viewtopic.php?f=1&t=160251
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Thu Apr 30, 2020 2:14 am

 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Thu Apr 30, 2020 2:47 am

 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Thu Apr 30, 2020 2:00 pm

https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
This is really fundamental if you want to understand how it works. Took me a while and still not 100%.

My understanding of use-ip-firewall is: bridged traffic, by default, does not go through the firewall. By ticking this box, you are asking such traffic to go through the firewall, therefore involving more CPU and lowering performance. But there are cases where you make the decision that you have to inspect bridged traffic using the firewall, knowing the cost is CPU time.

However, many tasks can be done by Bridge - Filter.

Non-bridge traffic, likely to be traffic between different subnets or VLANs, is IP traffic or encapsulated traffic, and therefore goes through the firewall anyway.

Looking forward to hearing from other experts.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Thu Apr 30, 2020 3:48 pm

My understanding of use-ip-firewall is: bridged traffic, by default, does not go through the firewall. By ticking this box, you are asking such traffic to go through the firewall, therefore involving more CPU and lowering performance. But there are cases where you make the decision that you have to inspect bridged traffic using the firewall, knowing the cost is CPU time.
This is really confusing because my device is in Bridge Mode (all interfaces in the same one bridge), and I have the said use-ip-firewall setting not enabled, and I have placed my firewall stuff under "/ip firewall filter", but the firewall is still functioning (!) (although not that perfect, or even correct :-) yet for my taste; surely a firewall setup issue). But the firewall documentation (or the snippets spread all over the wiki, help, forum, the web...) and the reality somehow don't match, IMHO... :-))

I would suggest that MT should better publish a comprehensive & professional RouterOS Technical Reference Manual, where everything is documented centrally in a PDF book.
I personally have, unfortunately, a hard time finding the necessary information spread all over many web sites (wiki, help, forum, web, blogs, ...), of which none is complete by itself, just snippets/crumbs everywhere :-(
Last edited by mutluit on Thu Apr 30, 2020 3:57 pm, edited 3 times in total.
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Thu Apr 30, 2020 3:53 pm

Firewall is always used for traffic being routed ... meaning between different IP subnets. The use-ip-firewall=yes option only affects traffic passing the bridge which would otherwise skip the CPU (because it is within the same IP subnet).

Regarding the mismatch between reality and documentation: if you think that is so, post the firewall filter rule list and describe how it should work in your opinion. There's always the possibility of a mismatch between the administrator's desires and reality ...
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Fri May 01, 2020 11:37 am

Firewall is always used for traffic being routed ... meaning between different IP subnets. The use-ip-firewall=yes option only affects traffic passing the bridge which would otherwise skip the CPU (because it is within the same IP subnet).

Regarding the mismatch between reality and documentation: if you think that is so, post the firewall filter rule list and describe how it should work in your opinion. There's always the possibility of a mismatch between the administrator's desires and reality ...
I will post my settings, but it is so much to post: address list(s), firewall rules, the other settings relating to the mode the device is operating in, and of course screenshots (more than 1) that show the mentioned discrepancies between documentation, logical expectation, and the actual behavior (effect, result) of the device in reality.
I'll now prepare all that and post it hopefully later today for everybody to study/verify/check. Thx.
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Fri May 01, 2020 12:45 pm

run
/ip firewall export
from Mikrotik Terminal
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Fri May 01, 2020 1:27 pm

Firewall is always used for traffic being routed ... meaning between different IP subnets.
Generally yes, but I would say that a firewall can also be used inside a closed environment within just the same one subnet, without any uplink.
Do you think this doesn't make any sense? IMO it very well does.
The use-ip-firewall=yes option only affects traffic passing the bridge which would otherwise skip the CPU (because it is within the same IP subnet).
Sorry, I have some difficulties understanding that statement (the "skipping CPU" part). Can you or someone else pls clarify/elaborate?
There's always the possibility of a mismatch between the administrator's desires and reality ...
Sure. But you must admit that there is also always the possibility of a mismatch between the intention of the documentation/spec and the reality; usually called bug(s)... :-)
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Fri May 01, 2020 2:05 pm

Firewall is always used for traffic being routed ... meaning between different IP subnets.
Generally yes, but I would say that a firewall can also be used inside a closed environment within just the same one subnet, without any uplink.
Do you think this doesn't make any sense? IMO it very well does.
You're mixing things. First things first: a typical MT does two distinct things: a) routing, b) firewalling.

The routing process is always involved where source and destination of a packet are not within the same IP subnet. And it doesn't matter if one of those subnets is on the other side of the Earth (i.e. internet) and the other subnet is your own LAN ... or if you have multiple LAN subnets (all within your premises) and you want to move packets between those IP subnets ... it is still routing.
And then you can have a firewall between two parts of a network (either the same IP subnet or different IP subnets) ... the firewall inspects passing packets and according to rules it either passes a packet or drops it (optionally informing the sender about that). By default in MT, the firewall is placed between different IP subnets connecting to the MT device; enabling "use-ip-firewall" on a bridge means placing the firewall at a certain point within an IP subnet (and that point is the bridge in the MT device).

A typical MT device does 'all-in-one' and it seems as if both functionalities are somehow blended. But they are not; if one is careful, one can identify which entity (router or firewall) handles a packet at a certain point ... it is true that there's some meta information from the router available to the firewall (e.g. in-interface), but at no point can the firewall directly affect the routing (other than e.g. via packet marks).

So when I wrote "Firewall is always used for traffic being routed ... meaning between different IP subnets." I chose my words carefully, considering the LAN-to-LAN case as well.

The use-ip-firewall=yes option only affects traffic passing the bridge which would otherwise skip the CPU (because it is within the same IP subnet).
Sorry, I have some difficulties understanding that statement (the "skipping CPU" part). Can you or someone else pls clarify/elaborate?
At this point it is necessary to understand the OSI 7-layer model.
Let's consider ethernet only ... layer 1 is the physical layer (i.e. modulated electrical signals over UTP cable or modulated light over optical fibre), layer 2 is ethernet encapsulation (MAC layer), layer 3 is IP packets (or IPv6 or ...), and so on.
A bridge is a layer-2 entity spanning member interfaces in the same way as a usual ethernet switch does. As an L2 entity it only processes MAC addresses ... which in devices with switch chips actually happens in the switch chip hardware. In devices without a switch chip (or in special cases in devices with a switch chip) traffic between ports actually does travel to the main CPU and back, but the software implementing the bridge does only the aforementioned simple processing.
And device-to-device communication is done as follows: the device's L3 stack (e.g. IP stack) determines it needs to send a packet to another device which is within the same L3 subnet. Which means the destination is reachable within the same L2 segment and that it can use the destination's MAC address as the destination of that packet. When a switch or MT bridge sees an L2 frame with a destination MAC address other than its own, it forwards the frame to the output port where the destination device is connected.
When the sending device determines that the L3 destination is outside its own L3 subnet, it uses an L3 gateway (IP router). So now it uses the gateway's MAC address as the L2 destination address and sends off the frame. When the router receives an L2 frame with its own MAC address, it takes it, decapsulates the L3 payload and considers the L3 destination address.

If you set 'use-ip-firewall' on the bridge entity, then the usual L2 processing of frames by ROS doesn't happen; rather all frames passing the bridge get forwarded to the CPU to process.
This is where the routing (L3) process starts to unroll ... and with Mikrotiks, this process is entirely done by software run by the CPU. Routing can involve complex operations (and firewalling on top of it). And this is the part which I was referring to by "skipping the CPU part"...

There's always the possibility of a mismatch between the administrator's desires and reality ...
Sure. But you must admit that there is also always the possibility of a mismatch between the intention of the documentation/spec and the reality; usually called bug(s)... :-)
Sure, that's possible as well. To determine which it is, it is necessary to thoroughly understand the theory of networking (I don't claim I do :wink:); good knowledge of how the device works is necessary as well. One has to be able to do some engineering-grade testing (most home users are not; a surprisingly high share of professionals are not either). And only then can one judge if the description from the manual really diverges from the device's behaviour.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Fri May 01, 2020 5:57 pm

@mkx, thanks for the explanation, but unfortunately there are still many points unclear; as already said, I'll detail and summarize them in a later posting here.

But to clarify: I'm not a home user as you might wrongly have assumed. I'm mainly a professional senior SW developer (C/C++ plus some more unimportant languages), but at the same time also a system and network admin in Linux environments (with a few Windows machines; years ago even with old Novell NetWare systems). I have ordinary educations with graduations for the two/three jobs (system and network administration and SW development) I do in parallel. I even have some (now outdated) certifications like CCNA, MCSE+Internet and some more, albeit they are at least 15 years old... So, neither the OSI stack nor the TCP/IP stack is alien to me :-). Sure, you couldn't know.
But I do admit that up until now I have very little experience with Enterprise network devices (the biggest switches I had had about 24 ports, actually 26); I rather have more experience with SOHO and consumer-grade network devices in small environments/divisions with fewer than 100 users in their corporate LAN or subnet.
I'm also remote-administering some Internet servers that are hosted at a server hosting company, i.e. mail, web, file, domain etc. servers.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Fri May 01, 2020 10:29 pm

Thanks mkx, I also gained some new insights. Looking in the wiki I found this on the bridge page:
/interface bridge port
set [f] horizon=1
And I first thought the "f" stood for false, but doing a bit of scripting in RouterOS I saw that it stands for find. It would be so nice if the manual would not be that unclear, because it is there to help, and putting an 'enigma' in your explanation is not helpful from the side of Mikrotik.

Clearer would then be:
/interface bridge port
set [find] horizon=1
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Fri May 01, 2020 10:59 pm

@msatter, I fully agree. I also find articles and posts where authors use shortened commands most annoying. It hurts readability a lot and I guess it only serves authors to position themselves as some hotshots.

@mutluit: if I had known your background, I would have worded my posts only slightly differently. After all, besides aiding the OP, posts serve as a source of information for other users with a wide range of backgrounds. In addition, personally I often find some more descriptive posts very enlightening as they help me to tidy up a part of my knowledge and understanding even if they were present before I read those posts. My personal hero on this forum for this very reason is @sindy.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 4:38 pm

Ok, I had promised to post this stuff yesterday. I'm sorry for being a little bit late, but had something else to do.

Ok, let's start. On this page the 3 chains are explained as follows:
https://wiki.mikrotik.com/wiki/Manual:I ... ter#Chains
There are three predefined chains, which cannot be deleted:
input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain

Ok, then here my firewall rules (in this version the fasttrack stuff is defined only in the forward chain, and also some more of the other restrictions I have omitted to keep it still relatively simple to study):
/ip firewall filter
add action=accept chain=input comment="untracked can be made in raw table (optional, advanced)" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="drop all invalid srcIPs" src-address-list=bad_srcIPs_in_input_chain
add action=drop chain=input comment="drop all invalid dstIPs" dst-address-list=bad_dstIPs_in_input_chain
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=input dst-port=443 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=input dst-port=53 protocol=udp
add action=accept chain=input dst-port=53 protocol=tcp
add action=accept chain=input dst-port=123 protocol=udp
add action=accept chain=input dst-port=123 protocol=tcp
add action=jump chain=input jump-target=icmp protocol=icmp
add action=drop chain=input comment="deny all other"
add action=accept chain=output comment="untracked can be made in raw table (optional, advanced)" connection-state=established,related,untracked
add action=drop chain=output connection-state=invalid
add action=drop chain=output comment="drop all other invalid srcIPs" src-address-list=bad_srcIPs_in_output_chain
add action=drop chain=output comment="drop all invalid dstIPs" dst-address-list=bad_dstIPs_in_output_chain
add action=accept chain=output dst-port=80 protocol=tcp
add action=accept chain=output dst-port=443 protocol=tcp
add action=accept chain=output dst-port=22 protocol=tcp
add action=accept chain=output dst-port=53 protocol=udp
add action=accept chain=output dst-port=53 protocol=tcp
add action=accept chain=output dst-port=123 protocol=udp
add action=accept chain=output dst-port=123 protocol=tcp
add action=jump chain=output jump-target=icmp protocol=icmp
add action=drop chain=output comment="deny all other"
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="untracked can be made in raw table (optional, advanced)" connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="drop other invalid srcIPs" src-address-list=bad_srcIPs_in_forward_chain
add action=drop chain=forward comment="drop other invalid dstIPs" dst-address-list=bad_dstIPs_in_forward_chain
add action=accept chain=forward dst-port=80 protocol=tcp
add action=accept chain=forward dst-port=443 protocol=tcp
add action=accept chain=forward dst-port=22 protocol=tcp
add action=accept chain=forward dst-port=53 protocol=udp
add action=accept chain=forward dst-port=53 protocol=tcp
add action=accept chain=forward dst-port=123 protocol=udp
add action=accept chain=forward dst-port=123 protocol=tcp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=forward comment="deny all other"
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other"

Now, I can tell you that most of the traffic is accepted in the output chain and to a fraction in the input chain, but there is nothing in the forward chain.
Hello! What about the forward chain? Cf. the documentation above: that's exactly the discrepancy between documentation and reality I mean!... :-)

Another mystery is: there is more data and packets accepted in the output chain than in input, and as already said: nothing in the forward.
But this can't be true as there is no service here that sends that much data out: the input chain has to be bigger than the output, but which is actually only a fraction of the output chain.

Here are screenshots to show the counters that verify/confirm what I just said:
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 4:52 pm

When fast-track is enabled, then the counters don't account for the majority of traffic in the forward chain ... that's how effective the shortcut called fast-track is.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 5:05 pm

When fast-track is enabled, then the counters don't account for the majority of traffic in the forward chain ... that's how effective the shortcut called fast-track is.
But take a look at the comment for the implicit rule 0. It says "special dummy rule to show fasttrack counters".
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 5:13 pm

Start by disabling fast track, then we can have a look at the counters. https://www.youtube.com/watch?v=6LaqhDm6PHI

Also try to understand this page as well.
https://help.mikrotik.com/docs/display/ ... n+RouterOS
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 5:23 pm

Start by disabling fast track, then we can have a look at the counters. https://www.youtube.com/watch?v=6LaqhDm6PHI
No problem, ok, I'll throw out that rule and see...
Ok, I now did throw the fasttrack rule out and did a fresh import of all the firewall rules. I can already tell you: the result is the same as before. There is nothing in the forward chain. I'll shortly post also a new screenshot to demonstrate it.
Also try to understand this page as well.
https://help.mikrotik.com/docs/display/ ... n+RouterOS
So, you still really think I did not understand something? Then feel free and just tell me/us what I allegedly did not understand.

But isn't it glass-clear that I very well did understand it, but the doc/wiki, or even the ROS FW code, is simply wrong?
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 5:37 pm

To me it very much looks like the output chain should be the input chain, and vice versa... i.e. something in the code could be mixed up...
And the description/explanation of these 3 default chains in the wiki above seems to be totally wrong.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 5:43 pm

Reminds me of accounting: I'm in the black, no you are in the red; I have assets, no you have liabilities; that is income, no it is profit. Accounting is a construct engineered to be counter-intuitive, until you join the accounting borg. Same with ROS, it's seemingly counter-intuitive until you join the Latvian Borg. ;-)
In other words, until you understand the concepts, your brain will feel like a pretzel. You will be assimilated, it's only a matter of time! :-)
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 5:47 pm

Ok, here new screenshots after disabling fasttrack, deleting all the FW rules and re-importing the new FW rules, and waiting some minutes to collect data.
On my laptop attached to this switch, VLC is running in the background streaming music from Internet all the time, so there is traffic.
Last edited by mutluit on Sat May 02, 2020 7:10 pm, edited 1 time in total.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 5:52 pm

Reminds me of accounting: I'm in the black, no you are in the red; I have assets, no you have liabilities; that is income, no it is profit. Accounting is a construct engineered to be counter-intuitive, until you join the accounting borg. Same with ROS, it's seemingly counter-intuitive until you join the Latvian Borg. ;-)
In other words, until you understand the concepts, your brain will feel like a pretzel. You will be assimilated, it's only a matter of time! :-)
Cool! I feel like one of those to be assimilated into the collective, but I want to keep my independence and freedom :-)
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?  [SOLVED]

Sat May 02, 2020 6:14 pm


Now, I can tell you that most of the traffic is accepted in the output chain and to a fraction in the input chain, but there is nothing in the forward chain.
Hello! What about the forward chain? Cf. the documentation above: that's exactly the discrepancy between documentation and reality I mean!... :-)
So, going over the previous posts: as you have a single bridge containing all interfaces, the IP forward chain will not be used as there is no layer 3 forwarding. If you want to force bridged / layer 2 traffic through the IP forward chain it requires use-ip-firewall=yes, or you can use bridge filters, although these have different capabilities to IP filters. Note that using either IP or bridge filters requires the traffic to reach the CPU to be processed per the packet flow diagram; this does not happen if hardware offloading is enabled.

Disabling the switch hardware offload will result in rubbish performance; the CRS devices are intended to operate as hardware switches with a few odd services provided by the CPU. You can filter hardware-offloaded traffic using switch ACLs, but they have less functionality than IP and bridge filters.
Another mystery is: there is more data and packets accepted in the output chain than in input, and as already said: nothing in the forward.
But this can't be true as there is no service here that sends that much data out: the input chain has to be bigger than the output, but which is actually only a fraction of the output chain.
From the screenshot you are connected to the device's Webfig service - the output chain traffic refreshing the display will be significantly more than the input chain traffic, which is predominantly TCP ACKs.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 6:27 pm

If there is no solution, start with a default configuration, delete fast track. Then add in one rule at a time.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 6:32 pm

@tdw, very informative your analysis, thx. I'll respond later in detail. But for now I will add just this to the discussion:
the device operates in its default settings. I.e. I got that device as a new device, RouterOS was installed, and it said and says it operates in Bridge Mode as opposed to Router Mode (= selectable).
I've not changed anything in bridge stuff or switch stuff; they are all still default settings.
So, I'm using practically the factory defaults; I just upgraded to the latest 7.0beta5 because that new version sees/detects/recognizes & uses also the 2nd CPU core.
It is this CRS device https://mikrotik.com/product/CRS326-24G-2SplusRM

And: the said "use-ip-firewall" setting under "/interface/bridge/settings/" is still the default as well, ie its value is "no":
use-ip-firewall: no
Last edited by mutluit on Sat May 02, 2020 7:04 pm, edited 2 times in total.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 6:49 pm

Just an updated screenshot (this time all on a single page, just zoom-out/in via CTRL and + and - keys or so). Nothing in the FW was changed since last posting.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 7:18 pm

I'll soon/shortly generate much more test traffic with incoming (WAN-to-LAN) as well as outgoing (LAN-to-WAN) traffic with the iperf2 tool.
First I have to set up/activate these iperf2 servers (already set up some time ago, I just need to restart them, and open the port(s) on the WAN router as well as, of course, also in this very MT firewall config of mine :-))...

Hmm. I forgot: iperf2 I had compiled myself as it isn't available in the Debian repository for my (now old v8) OS version. I had compiled it on LAN machines, but not yet on the WAN machines... I mean this can take some time...
Before iperf2 I had used iperf from the Debian repo, but it lacks a working "bind to IP" feature, so then I found iperf2 which works ok. Btw, there is also iperf3, but it can handle only a single connection at a time, i.e. it's just a single-thread application, practically a useless thing; I can recommend iperf2 over iperf and iperf3.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sat May 02, 2020 11:33 pm

There seems to be something even much more fishy with this firewall in general:
I now have set up a traffic server in LAN1 (that is outside of LAN2, which the switch manages), and I connect from within LAN2 to that outside server in LAN1, i.e.
LAN1: 192.168.254.0/24
|
Router: allows outbound traffic from LAN2 to LAN1
|
MT-Switch: LAN2: 192.168.127.0/17, IP=192.168.88.1
iperf server is in LAN1 @ 192.168.254.3:8451
iperf client is in LAN2 @ 192.168.20.1:x (FYI: the client is the initiator and sender of the data)

I have not changed the firewall on MT since my last posting of it, so the MT firewall should definitely block outgoing traffic to dstPort 8451 (cf. firewall rules). BUT IT DOES NOT! :-)
How is that possible? And why? Where is the error?
It seems to me that the traffic is just passed through the switch, without even counting the data and packets.

What other config settings data is required to analyze this issue?
Hints / tips / comments?
$ iperf -c 192.168.254.3 -p 8451 -P 3 -t 60 -w 1M
------------------------------------------------------------
Client connecting to 192.168.254.3, TCP port 8451
TCP window size: 416 KByte (WARNING: requested 1.00 MByte)
------------------------------------------------------------
[ 5] local 192.168.20.1 port 13566 connected with 192.168.254.3 port 8451
[ 4] local 192.168.20.1 port 13568 connected with 192.168.254.3 port 8451
[ 3] local 192.168.20.1 port 13564 connected with 192.168.254.3 port 8451
[ ID] Interval Transfer Bandwidth
[ 5] 0.0-60.0 sec 2.21 GBytes 316 Mbits/sec
[ 4] 0.0-60.0 sec 2.24 GBytes 321 Mbits/sec
[ 3] 0.0-60.0 sec 2.15 GBytes 307 Mbits/sec
[SUM] 0.0-60.0 sec 6.60 GBytes 944 Mbits/sec

The firewall counters in the MT switch were all reset before the above test traffic started. The result is attached. Ie. this traffic has neither been blocked nor been counted by the firewall...
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:09 am

mutluit wrote:
> RouterOS was installed, and it said and says it operates in Bridge Mode as opposed to Router Mode (= selectable).
So you are using the device as a switch?
If so you have to turn on use ip firewall for the switch.
If not, nothing will pass through the filter rules, if I am correct.
/interface/bridge/settings/print
use-ip-firewall: no
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:17 am

If I understand your LAN setup, then currently CRS is switching not routing. And while it's switching, none of traffic hits firewall.

If you really want to use your switch as firewall, you have to:
  • disable HW offload ... it is done per-port in /interface bridge port by setting hw=no
    This setting will force traffic to travel through CPU bridge, without it remains inside switch chip.
  • set use-ip-firewall=yes on /interface bridge
    This setting will force traffic, handled by CPU bridge, to pass firewall as well

As @tdw already explained, this kind of setup will turn your supersonic switch into crawling traffic counter.

BTW, if you want to see amount of traffic passing switch port, you can always check ether port statistics ...
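The two steps mkx lists, applied to the thread's own setup (bridge "bridge" with every port hw-offloaded by default, iperf client on the LAN2 side talking to 192.168.254.3:8451), as an added example that is not code from the thread or from MikroTik's documentation. It assumes the client hangs off ether2, which the thread never states; change in-bridge-port accordingly.

```routeros
# Added example, not from the thread. Assumption: the client sits on ether2.

# Step 1: take the ports out of the switch chip so frames reach the CPU bridge.
# With hw=yes the switch ASIC forwards them and no software filter
# (/ip firewall or /interface bridge filter) ever sees a packet, which is
# why the counters in the thread stayed at zero.
/interface bridge port set [find bridge=bridge] hw=no

# Step 2: make the CPU bridge hand bridged frames to /ip firewall as well.
/interface bridge settings set use-ip-firewall=yes

# Step 3: bridged traffic now traverses the forward chain. in-bridge-port
# restricts the match to frames entering on a given bridge port.
/ip firewall filter
add chain=forward in-bridge-port=ether2 protocol=tcp dst-port=8451 \
    action=drop comment="added example: drop 8451 from the client port"

# Check: the H (hw-offload) flag must no longer be shown for any port; then
# re-run the iperf test and watch the rule's packet counter move.
/interface bridge port print
/ip firewall filter print stats where chain=forward
```

Everything the switch carries now crosses the CPU, so expect the throughput drop the other posters warn about. To return to wire-speed switching, set hw=yes on the ports and use-ip-firewall=no again.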
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:19 am

Jotne wrote:
> > RouterOS was installed, and it said and says it operates in Bridge Mode as opposed to Router Mode (= selectable).
> So you are using the device as a switch?
> If so you have to turn on use ip firewall for the switch.
> If not, nothing will pass through the filter rules, if I am correct.
> /interface/bridge/settings/print
> use-ip-firewall: no
As I said I need just the switch functionality plus firewall. The bridge was already defined by default when the device arrived here brand new.
Can I safely delete the bridge? And how?
.
/interface/bridge/print
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=C4:AD:34:78:E1:88 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no
admin-mac=C4:AD:34:78:E1:88 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
Last edited by mutluit on Sun May 03, 2020 12:22 am, edited 1 time in total.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:22 am

mutluit wrote:
> This is really confusing b/c my device is in Bridge Mode (all interfaces in same one bridge), and I have the said use-ip-firewall setting not enabled, and I have placed my firewall stuff under "/ip firewall filter", but the firewall is still functioning (!), (although not that perfect, or even correct :-)
I'll try to answer this also based on other information I've read in the topic.

What is functioning is rules in the input and output chains. As you already cited above, these are for traffic destined to or originated from the router itself. Such traffic is never bridged/switched by the very definition of what bridging is. I really hope you understand this. If not... Well, then please-please go back to school and stop wasting the others' time.

Now the forward chain. Bridged traffic bypasses this chain by default. And will continue doing so until you enable use-ip-firewall option. And you, apparently, haven't done it yet:
mutluit wrote:
> And: the said "use-ip-firewall" setting under "/interface/bridge/settings/" is still the default as well, ie its value is "no":
> use-ip-firewall: no

PS. What's the point in asking so many questions if you are not willing to listen to the answers...
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:29 am

Jotne wrote:
> > RouterOS was installed, and it said and says it operates in Bridge Mode as opposed to Router Mode (= selectable).
> So you are using the device as a switch?
> If so you have to turn on use ip firewall for the switch.
> If not, nothing will pass through the filter rules, if I am correct.
Dear Jotne, yes, I just want to use this device as a switch with firewall functionality. So then be so kind and just tell me how to turn the firewall on for this switch.
Last edited by mutluit on Sun May 03, 2020 12:34 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:31 am

mutluit wrote:
> Dear Jotne, yes, I just want to use this device as a switch. So then be so kind and just tell me how to turn the firewall on for this switch.
So you decided to completely ignore my last post (just below @jotne's you're quoting). Fine, remind me to add you on my ignore list as well ...
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:32 am

andriys wrote:
> PS. What's the point in asking so many questions if you are not willing to listen to the answers...
Which answer was the solution to this problem? Maybe I must have overlooked it, which I doubt; just show me.
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:32 am

I'm trying to follow this thread but do not understand what firewall filter allows the traffic to port 8451 on LAN1 from LAN2.

Traffic seems not to pass through the router function (logical if all interfaces are on the same bridge) and so does not pass through the firewall with the current settings.


However subnet 192.168.254.0/24 and subnet 192.168.0.0/17 need routing to communicate, unless some devices have a different (e.g. /16) subnet defined, or something else is used to make them connect directly.

Sorry I missed some of the latest added posts, they come very fast, so this might be doubled information.
 
mkx
Forum Guru
Posts: 11438
Joined: Thu Mar 03, 2016 10:23 pm

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:36 am

bpwl wrote:
> However subnet 192.168.254.0/24 and subnet 192.168.0.0/17 need routing to communicate, unless some devices have a different (e.g. /16) subnet defined, or something else is used to make them connect directly.
OP's post #28 includes some ASCII-art LAN scheme and there's a router between both subnets. And it's not the CRS switch he's bragging about, it's another device.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:38 am

@bpwl, attached is the Webfig QuickSet page which shows the gateway and other settings:
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:41 am

mkx wrote:
> > Dear Jotne, yes, I just want to use this device as a switch. So then be so kind and just tell me how to turn the firewall on for this switch.
> So you decided to completely ignore my last post (just below @jotne's you're quoting). Fine, remind me to add you on my ignore list as well ...
It just came in, I'm still analyzing the content and verifying it with some doc/wiki pages I had read... Takes some time to confirm... Be patient... I'm interested in a satisfactory solution to this problem.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 12:45 am

Just came to my mind: why does the software allow to define firewall rules when the firewall is not used (or cannot be used) at all for such a device configuration?... Makes no sense, IMO.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 1:04 am

Ok, Plan B: as was suggested, now I'm going to keep the bridge and activate the firewall on that very bridge, and put my firewall rules under /interface/bridge/filter/ and see how much the CPU load will rise, hopefully not much.
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 1:06 am

mutluit wrote:
> @bpwl, attached is the Webfig QuickSet page which shows the gateway and other settings:
OK this defines that the bridge itself has an IP address in LAN2.

Where is LAN1? Not in webfig, because a webfig with a device in "bridge" mode will not define the IP subnets for the LAN's.

Can you make some extracts of the interfaces (Not the verbose thing, and only some parts)
Like:
/ip route export
/interface export
/ip address export
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 1:20 am

bpwl wrote:
> > @bpwl, attached is the Webfig QuickSet page which shows the gateway and other settings:
> OK this defines that the bridge itself has an IP address in LAN2.
>
> Where is LAN1? Not in webfig, because a webfig with a device in "bridge" mode will not define the IP subnets for the LAN's.
LAN1 is totally independent of LAN2; on the MT device it's just indirectly referenced/reached via the gateway-router. Ie. the router in the middle knows where to route the packets it gets...
bpwl wrote:
> Can you make some extracts of the interfaces (Not the verbose thing, and only some parts)
> Like:
> /ip route export
> /interface export
> /ip address export
Yes, here they are. As already said, these are the device defaults, I haven't changed anything in the bridge nor interface settings yet. I just added a Dot1x server for ether3 for experimenting, but which is still unused/untested (ie. there is nothing attached to ether3 yet):
[admin2@MikroTik] /interface/bridge/filter> /interface export
# may/03/2020 00:10:06 by RouterOS 7.0beta5
# software id = QXVZ-VVPX
#
# model = CRS326-24G-2S+
# serial number = xxxxxxxF5
/interface bridge
add admin-mac=C4:AD:34:78:E1:88 auto-mac=no comment=defconf name=bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
/interface dot1x server
add comment=accounted interface=ether3 interim-update=30s
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
[admin2@MikroTik] /interface/bridge/filter> /ip route export
# may/03/2020 00:10:13 by RouterOS 7.0beta5
# software id = QXVZ-VVPX
#
# model = CRS326-24G-2S+
# serial number = xxxxxxxxxF5
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.127.254
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 1:35 am

OK. Very clear now. A little bit what I expected to see.

1. This CRS device handles traffic that travels in the subnet 192.168.0.0/17 only. All is one subnet. All is bridged.
This also means ALL devices talk directly to each other on IP level (L3) (by converting IP addresses to MAC addresses via ARP requests).
Your test to 192.168.254.3 goes actually to 192.168.127.254 (and that is in the same subnet).
There is NO routing involved in this CRS device.
The default gateway is only used for its own communication (input/output), not for the communication of the client device (192.168.1.20) to its defined gateway (192.168.127.254).
The CRS does L2 traffic between its ports, and uses the switch chip to do that.

2. Some detail remarks
Interfaces on bridge ports have no network characteristics. Adding them to different interface lists does not help.
If you really want ether1 to be a WAN interface, remove it from the bridge ports, and give it its own IP address and gateway. There will be routing between ether1 and the bridge.

3. I think you wanted to simulate a Cisco Catalyst with access filters. The only thing you seem to want with the firewall is limit the usable ports in UDP, TCP and ICMP. for the clients.
In that case this might be what you need ...
> Switch Rules (ACL)
> Access Control List contains of ingress policy and egress policy engines. See this table on how many rules each device supports (limited by RouterOS). It is advanced tool for wire-speed packet filtering, forwarding and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions.

from: https://wiki.mikrotik.com/wiki/Manual:C ... s_switches
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 1:55 am

@bpwl, thx for the analysis. LAN2 is managed by this switch. Yes, what I want is simply a switch with a firewall on it for centrally configuring/controlling via this central firewall the whole inbound and outbound traffic to and from LAN2.

Regarding separating the ether1 WAN port: yes, can be done, but I'm afraid then I possibly need to add extra routing rules on this switch, whereas in this default configuration it just works as is: it was told what the gateway is and it learns internally/automatically. After moving the firewall to the bridge I'll have some time to think further about this WAN port separation.

and: under your given link the following is written:
https://wiki.mikrotik.com/wiki/Manual:I ... Offloading
> the bridge hardware offloading feature will allow you to use the built-in switch chip to forward packets, this allows you to achieve higher throughput, if configured correctly.
So, exactly that route I'll try to go, but of course with firewall enabled on the bridge.

Thx.
Last edited by mutluit on Sun May 03, 2020 2:04 am, edited 2 times in total.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 2:01 am

mutluit wrote:
> @bpwl, thx for the analysis. LAN2 is managed by this switch. Yes, what I want is simply a switch with a firewall on it for centrally configuring/controlling via this central firewall the whole inbound and outbound traffic to and from LAN2.
>
> Regarding separating the ether1 WAN port: yes, can be done, but I'm afraid then I possibly need to add extra routing rules on this switch, whereas in this default configuration it just works as is: it was told what the gateway is and it learns internally/automatically. After moving the firewall to the bridge I'll have some time to think further about this WAN port separation.
Enabling Use-IP-Firewall will only work the way you want if all ports have hardware acceleration off. Turning off hardware acceleration will limit that switch to approx 1Gbps total. Use-IP-Firewall will limit it even more. Hardware acceleration will also need to be off in order for bridge filter to work.

As stated above you should use switch ACL's instead as they are handled by the switch chip instead: https://wiki.mikrotik.com/wiki/Manual:C ... _.28ACL.29
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 2:10 am

mducharme wrote:
> As stated above you should use switch ACL's instead as they are handled by the switch chip instead: https://wiki.mikrotik.com/wiki/Manual:C ... _.28ACL.29
The Switch ACL stuff looks indeed very interesting. I'll try out all options. Thx @tdw, @bpwl and you for making me aware of this alternative feature.

Yes, @tdw has said all these things as first, as it seems. Thx everybody. There's light at the end of the tunnel :-)
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 2:48 am

Oh man, this is such a complicated and insecure thing that I think a dedicated firewall is the cleanest, most secure, and safest solution.
But a dedicated firewall with 24x Gigabit ports plus 2x 10G ports I have yet to see :-) --> forget it, I must solve it with this CRS device only...
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 4:06 am

mutluit wrote:
> Oh man, this is such a complicated and insecure thing that I think a dedicated firewall is the cleanest, most secure, and safest solution.
> But a dedicated firewall with 24x Gigabit ports plus 2x 10G ports I have yet to see :-) --> forget it, I must solve it with this CRS device only...
Why do you need each port firewalled individually? If you can explain why, there may be an alternative solution that you haven't considered that works better.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 9:14 am

It seems that you are trying to do something that is not common to do (firewall in local LAN). Why?
It may be better to use different subnets.

Your next post should be a diagram, and also do /export hide-sensitive so we get the whole picture.

Also stop spamming the forum with posts.
Do not multipost. If you have more to say, edit your post if no one has posted in between.
Button is a pencil symbol above the post.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 4:44 pm

mducharme wrote:
> > Oh man, this is such a complicated and insecure thing that I think a dedicated firewall is the cleanest, most secure, and safest solution.
> > But a dedicated firewall with 24x Gigabit ports plus 2x 10G ports I have yet to see :-) --> forget it, I must solve it with this CRS device only...
> Why do you need each port firewalled individually? If you can explain why, there may be an alternative solution that you haven't considered that works better.

Thx for the offer. I would be glad to hear about alternatives.

My basic requirements for a central firewall on a 24+ port LAN switch:
1) Firewall for incoming traffic to the LAN, for outgoing traffic from the LAN, as well for local traffic inside the LAN.
2) Firewall decision making over all OSI layer-2 to layer-4 protocols ( https://en.wikipedia.org/wiki/OSI_model ).
3) Both the switch and firewall should of course be as fast as possible.
User-defined routing on the switch not necessarily needed, except maybe defining an uplink/gateway port or IP for the whole switch/bridge.
This is intended for independent in-house LAN(s), so (W)ISP, WAN etc. not involved; it's about the LAN only.

Update:
As already was mentioned, using ACL seems to be the best way to fulfill these requirements: https://wiki.mikrotik.com/wiki/Manual:C ... _.28ACL.29
> Switch Rules (ACL)
> Access Control List contains of ingress policy and egress policy engines. See this table on how many rules each device supports (limited by RouterOS). It is advanced tool for wire-speed packet filtering, forwarding and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions. ...
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 6:23 pm

It is unusual to want to firewall at wire speed within a layer 2 network. At this level isolation is often for devices, rather than specific services on a device, and implemented with split-horizon or port isolation. ACLs will provide some of the functionality you are looking for but they operate per-packet and are stateless, unlike IP firewalls which are usually stateful and provide connection tracking to handle rules for a conversation of packets back-and-forth.

Typically you would group devices requiring the same/similar IP access rules together in a subnet on top of a layer 2 network - they have wire-speed access to each other, and maybe some simple hardware-based ACLs for traffic between them, but the routed IP traffic between any of them and other devices is handled by a software-based stateful firewall.
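A switch-chip ACL of the kind bpwl and mducharme point to, written for the flow the thread is trying to block, together with the consequence of tdw's point that such rules are stateless. This is an added example, not code from the thread or from MikroTik's documentation. It assumes the CRS3xx "rule" syntax in which an empty new-dst-ports drops the matched packet, the switch name "switch1", the client on ether2 and the uplink toward the router on ether1; none of those port assignments are stated in the thread.

```routeros
# Added example, not from the thread. Assumptions: switch1, client on ether2,
# uplink on ether1, CRS3xx rule syntax where new-dst-ports="" means drop.
# hw offload stays on; these rules are evaluated by the switch chip.

/interface ethernet switch rule
# Ingress on the client port: drop anything from the client toward tcp/8451
# on the LAN1 server.
add switch=switch1 ports=ether2 protocol=tcp dst-address=192.168.254.3/32 \
    dst-port=8451 new-dst-ports="" comment="added example: client -> 8451"

# The ACL is stateless: each packet is judged on its own header fields and
# nothing remembers that the connection was refused. If the reverse direction
# is to be silenced as well, it needs its own rule on the port where those
# packets enter the switch.
add switch=switch1 ports=ether1 protocol=tcp src-address=192.168.254.3/32 \
    src-port=8451 new-dst-ports="" comment="added example: 8451 -> client"

/interface ethernet switch rule print
```

The rule-count limit of the switch chip (the table bpwl cites) is the practical ceiling here: a per-host, per-service matrix of the kind the thread asks for runs out of rules long before a stateful firewall would run out of memory, which is the reason the other posters steer toward VLANs plus a routed firewall instead.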
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Sun May 03, 2020 9:05 pm

mutluit wrote:
> Thx for the offer. I would be glad to hear about alternatives.
>
> My basic requirements for a central firewall on a 24+ port LAN switch:
> 1) Firewall for incoming traffic to the LAN, for outgoing traffic from the LAN, as well for local traffic inside the LAN.
> 2) Firewall decision making over all OSI layer-2 to layer-4 protocols ( https://en.wikipedia.org/wiki/OSI_model ).
> 3) Both the switch and firewall should of course be as fast as possible.
> User-defined routing on the switch not necessarily needed, except maybe defining an uplink/gateway port or IP for the whole switch/bridge.
> This is intended for independent in-house LAN(s), so (W)ISP, WAN etc. not involved; it's about the LAN only.
I agree with @tdw, it is highly unusual to want to firewall between everything and everything else, and to do this on a layer 2 level. As @tdw also says, typically what you would do is place groups of hosts into separate VLANs and assign them different subnets etc. based on the role they have and whether you need to control access to them. For instance you might place trusted PCs on one VLAN, guests on another VLAN, servers on another VLAN, etc. Then you can set up firewall rules on your router as to what should be allowed between trusted PCs VLAN and servers VLAN, between guests VLAN and servers VLAN, etc. Any traffic within a VLAN will not be firewalled, so you would make as many VLANs as you need to have the separation you want. That is normal practice. What you are trying to do right now is not.

The only exception to that normal practice is on larger levels like ISP cable modem networks where you need to have per-customer blocking but assigning a VLAN per customer is not necessarily a viable option. In this case, a typical approach is to enable something called "local proxy arp" on the router and adding isolation rules to block individual customers from being able to talk to each other. When this is enabled, the router will pretend to be the receiving device and reply to ARP requests on behalf of the receiving device, and so the sender will send the packet to the router instead of to the receiver directly, then the router sends the packet along to the receiver. The result is that all traffic effectively becomes routed within that subnet instead of bridged, and therefore the firewall rules on the router can be used to block this traffic. Again this is not typically done outside of the ISP use case that I've detailed, but it can be a good option if the alternative is setting up several hundred different VLANs.
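A sketch of the "local proxy ARP" isolation mducharme describes, on the thread's bridge, as an added example that is not code from the thread or from MikroTik's documentation. It assumes that L2 isolation between the client ports is done with the bridge-port horizon setting (ports sharing a horizon value do not forward to each other), that ether1 is the uplink toward the router and is left out of the horizon so clients still reach their gateway, and that hw=no is required because the thread gives no evidence that the CRS switch chip offloads horizon; the bridge IP 192.168.88.1/17 is the one from the thread.

```routeros
# Added example, not from the thread. Assumptions: ether1 is the uplink,
# horizon gives the L2 isolation, hw=no because offload of horizon on the
# CRS is not established here.

# 1. Client ports share one horizon, so they can no longer exchange frames
#    directly. The uplink keeps the default (no horizon).
/interface bridge port set [find bridge=bridge interface!=ether1] horizon=1 hw=no

# 2. The bridge interface answers ARP for every other host in 192.168.0.0/17
#    with its own MAC, so client-to-client packets are sent to the CRS and
#    routed back out of the same bridge interface.
/interface bridge set bridge arp=local-proxy-arp

# 3. That routed hop crosses /ip firewall forward, so ordinary stateful rules
#    apply to intra-subnet traffic. in-interface and out-interface are both
#    the bridge, which is what distinguishes this traffic from bridged frames.
/ip firewall filter
add chain=forward in-interface=bridge out-interface=bridge \
    connection-state=established,related action=accept
add chain=forward in-interface=bridge out-interface=bridge \
    protocol=tcp dst-port=8451 action=drop comment="added example"
```

Every packet between clients, and with the bridge answering ARP for the router address too, every packet toward the gateway as well, now passes through the CRS CPU; this is the same throughput trade-off the thread warns about for use-ip-firewall, which is why mducharme reserves the approach for cases where hundreds of VLANs are the only alternative.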
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Mon May 04, 2020 1:50 pm

Just an update: after testing Plan B (using the bridge filter rules, ie. '/interface bridge filter') for a while, I have now abandoned this attempt as well (similar result as with the 1st attempt with '/ip firewall filter').
Now Plan C, the final attempt, is to try to use the device's ACL features, as was suggested by many.
 
anav
Forum Guru
Posts: 19103
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Mon May 04, 2020 2:15 pm

> Just an update: after testing Plan B (using the bridge filter rules, ie. '/interface bridge filter') a while, now abandoned this attempt as well (similar result as with 1st attempt with '/ip firewall filter').
> Now Plan C, the final attempt, is to try to use the device's ACL features, as was suggested by those with actual experience using Mikrotik products and decades of networking experience.
Fixed it for ya
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Mon May 04, 2020 2:25 pm

mutluit wrote:
> Just an update: after testing Plan B (using the bridge filter rules, ie. '/interface bridge filter') a while, now abandoned this attempt as well (similar result as with 1st attempt with '/ip firewall filter').
> Now Plan C, the final attempt, is to try to use the device's ACL features, as was suggested by many.
Bridge filter is NOT switch filter, I hope. Bridge seems at least also CPU based. (You can set bridge filters in MKT devices without switch chip.)
I see "IP Firewall - Bridge filter - Switch Rules", but Mikrotik is not always clear if bridge filters use the switch settings to some extent. (They warn that some bridge filter modifications will restart the switch.) The switch flow is not very well documented in what I can find: https://wiki.mikrotik.com/wiki/Manual:P ... theros8316
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Is there a "use-ip-firewall" setting also for non-bridge setup?

Mon May 04, 2020 2:40 pm

anav wrote:
> > Just an update: after testing Plan B (using the bridge filter rules, ie. '/interface bridge filter') a while, now abandoned this attempt as well (similar result as with 1st attempt with '/ip firewall filter').
> > Now Plan C, the final attempt, is to try to use the device's ACL features, as was suggested by those with actual experience using Mikrotik products and decades of networking experience.
> Fixed it for ya
I stand corrected. Thanks! :-)
