Wed Mar 17, 2021 6:57 pm
OK, you want to have the SFP1 on the "internal" side and then trunked to the switch. I understood that it would be the uplink to an existing network with VLANs.
When you want to do that, it is possible to omit that VLAN-aware bridge and use only VLAN subinterfaces on the SFP1 interface, then handle all traffic on those.
That is much easier to understand. Like this:
/interface vlan
add interface=sfp1 name=sfp1.vlan2 vlan-id=2
add interface=sfp1 name=sfp1.vlan6 vlan-id=6
add interface=sfp1 name=sfp1.vlan27 vlan-id=27
etc. Then put IP addresses on them:
/ip address
add address=192.168.2.1/24 interface=sfp1.vlan2
add address=192.168.6.1/24 interface=sfp1.vlan6
etc.
Now you have a router that will by default pass everything.
You can now add rules in the IP firewall forward chain to block what you do not want, or rules to allow what you want and then a rule that blocks everything else.
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=sfp1.vlan2 out-interface=sfp1.vlan6
...
add action=drop chain=forward
You can set up "interface lists" when you want to group some interfaces together when they are to be handled the same way.
An interface list attaches a name to a set of interfaces and can be used like:
add action=accept chain=forward in-interface-list=management ....
Remember: chain=forward only affects what is forwarded by the router; chain=input affects what is sent to the router and handled by it (like the management). There is no need to have input rules to match traffic that you are forwarding.
Last edited by pe1chl on Wed Mar 17, 2021 7:00 pm, edited 1 time in total.
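The design from the post above, carried through as an added example (not pe1chl's own configuration): the three VLAN subinterfaces, interface lists grouping them, a forward chain with a default deny, and an input chain that limits router management to one list. VLAN ids 2, 6, 27 and the 192.168.2.x/6.x addresses come from the post; the list names, the 192.168.27.1/24 address, and the choice of VLAN 2 as the management VLAN are assumptions made for this example.

```routeros
# Added example, not from the original post. Assumed: VLAN 2 is the
# management VLAN, 192.168.27.1/24 for vlan27, list names below.

/interface vlan
add interface=sfp1 name=sfp1.vlan2 vlan-id=2
add interface=sfp1 name=sfp1.vlan6 vlan-id=6
add interface=sfp1 name=sfp1.vlan27 vlan-id=27

/ip address
add address=192.168.2.1/24 interface=sfp1.vlan2
add address=192.168.6.1/24 interface=sfp1.vlan6
add address=192.168.27.1/24 interface=sfp1.vlan27

# Interface lists: group subinterfaces that are handled the same way.
/interface list
add name=management
add name=internal
/interface list member
add list=management interface=sfp1.vlan2
add list=internal interface=sfp1.vlan6
add list=internal interface=sfp1.vlan27

# forward chain: traffic passing through the router between VLANs.
# Rules are matched top to bottom; the last rule drops whatever was
# not explicitly allowed above it.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies for flows that were already accepted"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=management \
    comment="management VLAN may reach every other VLAN"
add chain=forward action=accept in-interface=sfp1.vlan6 \
    out-interface=sfp1.vlan27 comment="one explicit inter-VLAN allowance"
add chain=forward action=drop comment="default deny for everything else"

# input chain: traffic addressed to the router itself. Forwarded
# traffic never hits this chain, so it only needs management rules.
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=management \
    comment="Winbox/SSH/web to the router only from the management VLAN"
add chain=input action=drop comment="nothing else may talk to the router"
```

Apply the input chain from a host on the management VLAN (or via a Safe Mode session), since the final input drop cuts off access from every other VLAN.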