src.addr
Thanks.
src.addr
I'm having a hard time following what you're trying to say, but, if the last line is meant to sum it up… Interfaces are named to coordinate IP addressing in both IPv4 and IPv6. So it's easier just assigning them a number than some meaning. Whatever the case, I understand that rule processing ends when traffic is accepted, I also know that in MikroTik traffic can be fed from one chain into another, and that the input chain is traffic going toward the firewall itself, so accepting traffic in the forward chain to RFC1918, even though it covers all IP addresses of the firewall, should not match traffic going to the firewall, especially since I put the firewall-bound rules always first (y'know, for safety).
It is very hard to follow any reasoning if you have all interfaces and items numbered like 0011.
I lost all context of every instruction.
You have configured the device, you know that.
The export is a rebus full of things to remember from memory.
Even the screenshots, without context, make it appear as if you don't know that, in the firewall, if you accept it, you can no longer drop it later with another rule.
Thanks for answering and for your patience!
Let's recap.
You have configured:
- 20 VLANs on ether1, which is renamed to z0001/trunk
- every VLAN has a 10.x.y.y network, with x as the number of the VLAN interface (not the VLAN ID)
- you have an IPv4 DHCP server for some VLANs, e.g. interface 0009
- you have an IPv6 DHCP server for some VLANs and /ipv6 nd prefix set, including the 0009 and
- your first 3 firewall filters have the comment "accept if0009" and accept all traffic from 0003, 0006 and 0009 in the forward chain
- you have no IPv6 filter set
- you have no input firewall rules
Are you sure that IPv6 isn't used for your tests?
...the traffic source address is 10.0.0.32 which will match src-address-list 'rfc1918' referenced in rule #1 and be accepted, so never reaches rules #4 or #5...
Source address?! What do you—hold on a sec while my mind settles down.
The configuration posted and screenshots don't correspond exactly, however the rules are working as expected - in the image 'Screen Shot 2021-08-04 at 04.33.00.png' the traffic source address is 10.0.0.32 which will match src-address-list 'rfc1918' referenced in rule #1 and be accepted, so never reaches rules #4 or #5.
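The first-match behaviour discussed in this thread, as an added example that is not from any poster: a small Python model that evaluates a source address against an ordered ruleset and reports which later rules an earlier rule makes unreachable. The ruleset is constructed; only rule #1 (accept, src-address-list rfc1918, forward chain) and the source 10.0.0.32 come from the thread, the contents of rules #4 and #5 are assumed, and matching is simplified to source address only.

```python
import ipaddress

net = ipaddress.ip_network
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]

# Constructed ruleset. Rule 1 mirrors the thread; rules 4 and 5 are assumed
# drop rules, since their real contents are not shown on the page.
RULES = [
    {"n": 1, "chain": "forward", "action": "accept", "src": RFC1918},
    {"n": 4, "chain": "forward", "action": "drop", "src": [net("10.0.0.0/24")]},
    {"n": 5, "chain": "forward", "action": "drop", "src": [net("0.0.0.0/0")]},
]


def evaluate(rules, chain, src):
    """Return (rule number, action) of the first rule in `chain` matching `src`."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if rule["chain"] == chain and any(addr in n for n in rule["src"]):
            return rule["n"], rule["action"]  # accept/drop ends processing here
    return None, "accept"  # nothing matched: the chain's default is accept


def shadowed(rules):
    """Return (rule, earlier rule) pairs where the earlier rule in the same
    chain covers the later rule's whole source range, so it can never match."""
    hidden = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier["chain"] != rule["chain"]:
                continue
            if all(any(n.subnet_of(e) for e in earlier["src"]) for n in rule["src"]):
                hidden.append((rule["n"], earlier["n"]))
                break
    return hidden


if __name__ == "__main__":
    print(evaluate(RULES, "forward", "10.0.0.32"))  # traffic through the router
    print(evaluate(RULES, "input", "10.0.0.32"))    # traffic to the router itself
    print(shadowed(RULES))
```

The input-chain lookup returns the default action because the model, like the configuration described in the recap, has no input rules at all.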