Bridge firewall (CRS)

JanJoh · Fri Jun 26, 2015 9:21 am

Hello!

I have been looking in the wiki, and googled and I think what i am after is simple, but i would like to verify.

Basically, I've got a piece of equipment which is suseptible to DOS (Or rather, repeated failed login attempts to SSH makes it hang, and SSH cannot be disabled), out of support and I really cannot motivate the cost to replace it. It is just my own colocated little vmware box on a very old Supermicro Server with a "&%¤"!!! IPMI-module.

So, I want to drop a transparent firewall infront of it. The CRS125 is pretty much the cheapest Rackmountable piece of kit I have come across so I figured it would do nicely.

On the upstream side, I have a /27 network, and the provider will not issue a new link net, hence the need for transparent.

I want a CRS to be manageble on one of my available IP adresses, let all traffic through untouched, except for traffic to one IP in my net, to which access would only be allowed from a specific subnet.

Should be easy enough? Right? But, i am still missing hte eureka moment when i realize just how to set this up.

I guess i should start by defining port 2 as a master, link 3-5 as slaves to two (for the links to the equipment)
I guess i then need to create a bridge between 1 and 2 and assign the bridge my "Management IP"?

How am I thinkin so far?

Fri Jun 26, 2015 4:36 pm

Depends on the load you want to pass through. Maybe using a switch to do bridging firewall is not a good idea due to expected low performance. If it is not your concern, implement the brute force rule set with address lists. Use the search function to find some examples.

JanJoh · Fri Jun 26, 2015 7:05 pm

Depends on the load you want to pass through. Maybe using a switch to do bridging firewall is not a good idea due to expected low performance. If it is not your concern, implement the brute force rule set with address lists. Use the search function to find some examples.

Well, i have a 100Mbps pipe, but usually I see nowhere near that load. And with a handful of rules I think it should cope? Yes, an 1100 would be better. But I have the CRS lying around.

Fri Jun 26, 2015 8:27 pm

Ok.
I am not sure what will be the performance, but most probably you will not be able to pass 100mbits thru.

If you are deciced to use bridge, then set the bridge and enable the firewall on it. In the bridge firewall, do something like described here:

http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

If you can use routing mode instead bridging, it will be much faster, and 100mbits should not be such problem. You need to test to see what fits your needs.

Oh. I have just checked the bridge firewall filter rules and it seems it is not able to use address lists. I am afraid, you cannot use bridge firewall for what you want.

Sat Jun 27, 2015 12:38 am

maybe a rb951g, its cheap, same cpu as crs125 and the integrated switch support rules that in theory can do the job of filtering

i repeat, in theory (i have not tested) at wire speed without use of cpu

beware rb951Ui integrated switch do not support rules

docmarius · Sat Jun 27, 2015 1:55 am

A CRS-125 bridges 100Mbps without problems.
But still, do you really need that bridge?
Don't forget, the switch chip can do some filtering in hardware on the CRS....

Sat Jun 27, 2015 6:23 am

A CRS-125 bridges 100Mbps without problems.
But still, do you really need that bridge?
Don't forget, the switch chip can do some filtering in hardware on the CRS....

how can do switch hw filtering if ACL is not supported on CRS 125? maybe another way?

Sat Jun 27, 2015 9:28 am

A CRS-125 bridges 100Mbps without problems.
But still, do you really need that bridge?
Don't forget, the switch chip can do some filtering in hardware on the CRS....

It's not about bridging performance but about the bridge firewall performance....

docmarius · Sat Jun 27, 2015 11:59 am

@chechito: And this option in the CRS-125 switch menu being what?

Sun Jun 28, 2015 3:33 am

@chechito: And this option in the CRS-125 switch menu being what?

please press the button Apply and see the message displayed

docmarius · Sun Jun 28, 2015 4:56 pm

Yes, you are right. Not supported on this switch chip.
But why did I remember that I could set them on one of the early CRS firmwares?
And why is that menu there in the first place?

Sun Jun 28, 2015 8:12 pm

Yes, you are right. Not supported on this switch chip.
But why did I remember that I could set them on one of the early CRS firmwares?
And why is that menu there in the first place?

is the same as with another products

example rb951Ui integrated switch chip do not support rules but the options its available, only when you try to create a rule appears the message but on rb951G rules apply ok

because that its important to check switch functions available on wiki

JanJoh · Mon Jun 29, 2015 10:06 am

maybe a rb951g, its cheap, same cpu as crs125 and the integrated switch support rules that in theory can do the job of filtering

i repeat, in theory (i have not tested) at wire speed without use of cpu

beware rb951Ui integrated switch do not support rules

Well, I need rack mounted equipment for the coloc to allow it.

JanJoh · Mon Jun 29, 2015 10:26 am

Just realized something...

I may have been loking at this the wrong way. I dont really need bridging. I could change the IP of my IPMI management card, and use the third NIC on the machine for management traffic. Hence, i could nat those two interfaces, and just connect the current NIC straight to the switch. (What i can NOT do is change the IP-config of most of the virtual machines)

Sooo, then (if we're still looking at CRS125.... or maybe a 2011UiAS-RM)

I need Port 1 as master, Port 2 as slave to Port 1. (1 to upstream switch, 2 to the current interface)

Then i need 3 as master, and 4-5 as slaves for my "internal" switch which i connect to the IPMI-interface and the aother nic which now will handle only management traffic for WMWare

Switching 1-2 should be wire-speed, right, and 3-5 should be like any other "Home NAT"... right? Then a few access rules and i should be golden?

Tue Jun 30, 2015 8:10 am

Just realized something...

I may have been loking at this the wrong way. I dont really need bridging. I could change the IP of my IPMI management card, and use the third NIC on the machine for management traffic. Hence, i could nat those two interfaces, and just connect the current NIC straight to the switch. (What i can NOT do is change the IP-config of most of the virtual machines)

Sooo, then (if we're still looking at CRS125.... or maybe a 2011UiAS-RM)

I need Port 1 as master, Port 2 as slave to Port 1. (1 to upstream switch, 2 to the current interface)

Then i need 3 as master, and 4-5 as slaves for my "internal" switch which i connect to the IPMI-interface and the aother nic which now will handle only management traffic for WMWare

Switching 1-2 should be wire-speed, right, and 3-5 should be like any other "Home NAT"... right? Then a few access rules and i should be golden?

rb 2011 gigabit switch support rules, maybe can be useful on your setup

JanJoh · Fri Jul 03, 2015 10:56 am

Anyway...

I received the 2011 UiASRM that I had overnighted from Euro DK. And it appears my "kludge" works nicely. Ports 1-2 as a switch, and the troublesome NIC's behind a NAT.

I'm happy, and it was a cheap solution.

Sun Jul 05, 2015 6:12 am

Anyway...

I received the 2011 UiASRM that I had overnighted from Euro DK. And it appears my "kludge" works nicely. Ports 1-2 as a switch, and the troublesome NIC's behind a NAT.

I'm happy, and it was a cheap solution.

have you used switch rules??? or software bridge??

JanJoh · Fri Jul 10, 2015 1:23 pm

Anyway...

I received the 2011 UiASRM that I had overnighted from Euro DK. And it appears my "kludge" works nicely. Ports 1-2 as a switch, and the troublesome NIC's behind a NAT.

I'm happy, and it was a cheap solution.
have you used switch rules??? or software bridge??

Neither.

Ending up creating a two port switch for upstream and main vmware. Then i used normal NAT for IPMI-interface.