Buckeye
just joined
Topic Author
Posts: 17
Joined: Tue Sep 11, 2018 2:03 am

Is there any SwOS ACL documentation with example?

Sun Aug 09, 2020 1:23 am

This is a request for some documentation about how the ACLs work in SwOS with some example cases.
https://wiki.mikrotik.com/wiki/SwOS/CSS106-VLAN-Example provides a good overview of how to setup VLANs for the most common cases. I know about https://wiki.mikrotik.com/wiki/SwOS/CSS106#ACL and unfortunately, it gives only a single line description of some of the items on the ACL setup screen, but not enough for me to make sense of.
There was a question on the Ubiquiti forum asking about distributing a /29 to five "customers" in a business park, and limiting each customer to be able to use only a specific IP address from the block. https://community.ui.com/questions/Edge ... 36c55c5cc3, and I think a switch with ACL would be the best solution, but I am not sure if the CSS106 ACL could do that or not.
I can't find any documentation with an example of how the ACL works on SwOS, specifically on the CSS106-5G-1S, but any SwOS example would be better than what I have been able to find.
I've searched the SwOS forum with the query "ACL" but the threads it finds don't have any examples.
I did see that the latest version (2.12) of SwOS for the CSS106-5G-1S reportedly fixes an issue with ACLs on the CSS106,
viewtopic.php?f=21&t=163657
scroll down to see this:
*) CSS106: fixed ACL, sometimes it did not work if MAC & IP address matchers were used at same time (or when Allow-From address was specified);
I also used Google to search for CSS106 SwOS ACL and CSS106 SwOS ACL example, but the second only finds VLAN examples. I can't find anything on YouTube either (at least not in English, and the ones I did see appear to be for RouterOS).
 
Buckeye
just joined
Topic Author
Posts: 17
Joined: Tue Sep 11, 2018 2:03 am

Re: Is there any SwOS ACL documentation with example?

Sun Aug 09, 2020 3:01 am

It seems that the ACLs could be a very useful feature in specific cases, but without better documentation, the feature isn't very useful.
The "SWoS issue - ACL, how to block all BUT specified destination" thread viewtopic.php?f=17&t=70175 is the best documentation I could find, specifically this post viewtopic.php?t=70175#p441846
Also this https://wiki.mikrotik.com/wiki/Manual:S ... Rule_Table has some more hints, but that's about what they are, hints without any real specifics.
One thing that is confusing to me is that in both the ACL "documentation" and the Rule_Table info, it says that a mask can be applied to the mac address. But there is no info about how this mask is specified.
A mask implies it should be possible to match on any frame with the multicast bit (lsb of first octet, the first bit of the mac dst put on wire after the SFD), which should match all broadcasts and multicast frames. It also implies it should be possible to match on a specific OUI.
Do you specify the MAC mask as a 48-bit mask, e.g. 01:00:00:00:00:00 to match the multicast bit and ff:ff:ff:00:00:00 to match a 3-byte OUI?
What is the way you specify the mask? Or is this just a documentation error, and masks are not supported for mac addresses?
Some things that the ACL documentation "suggests" would be possible:
  • mac or OUI based vlan
  • vlan translation/mapping
  • limit port to specific mac or ip
  • change vlan priority
If these are indeed possible, there should be a document similar to the one for vlans that shows how to do these and possibly other things with the ACL feature.
 
k6ccc
Long time Member
Posts: 628
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Is there any SwOS ACL documentation with example?

Mon Aug 10, 2020 2:08 am

I use SwitchOS quite a bit, but I have never needed to use ACL. My suggestion would be to play with the options and see what works. Then post it here so maybe someone else will know too...
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission

Warning: I know enough to be dangerous...

Jim
 
Buckeye
just joined
Topic Author
Posts: 17
Joined: Tue Sep 11, 2018 2:03 am

Re: Is there any SwOS ACL documentation with example?

Mon Aug 10, 2020 11:29 pm

I use SwitchOS quite a bit, but I have never needed to use ACL. My suggestion would be to play with the options and see what works. Then post it here so maybe someone else will know too...
Thanks for the suggestion.
I did play around a bit with a spare CSS106-5G-1S updated to 2.12, limiting my ACL to affect only a single port so I wouldn't lock myself out.
I was able to allow a single IP through and lock other stuff out, but then I wasn't able to get the device to obtain a DHCP address, even though I put in an entry that I thought would allow Ethernet broadcasts.
Since the ACL is apparently an ordered list (because they allow you to insert or append), I assume that order is significant. But there is no "order of operations" document or even a good description of what the redirect to ports does when it is not checked. There is the hint that if you want to block something, the method is to redirect to the null set of ports (i.e. check redirect to, but select no target ports).
But nothing is said about what happens if a rule doesn't match; in most ACLs (Cisco) or firewalls (Vyatta/VyOS/EdgeOS) the list is scanned until a match is found and then that action is applied and scanning stops. Here, I can't find any documentation.
When a packet matches no ACL rule, I assume it is just processed "normally".
Since this isn't something I need, I am not going to spend a lot of time messing with it trying to "black box" reverse engineer what it does.
The posts I see range from "I have done some interesting things with ACL." viewtopic.php?f=17&t=118907&p=586800&hilit=ACL#p586800 to this post viewtopic.php?f=17&t=144105&p=709290&hilit=ACL#p709290 that essentially says the same thing as I am. The SwOS ACL documentation is insufficient to be used without reverse engineering.
The underlying switch chip AR8327 has a lot of features according to this post viewtopic.php?f=17&t=73392&p=550711&hilit=ACL#p550639
Here's another thread viewtopic.php?f=17&t=54590#p278115 and post viewtopic.php?f=17&t=54590#p285029 that was useful, but it is for a very simple case (filter out all ipv4 multicast from specified ports).
So if you need features of the ACL, don't buy this switch unless you have lots of time to mess with it, and what you want to do may not even be possible.
The switch is good as long as you don't need the ACL features; I liked mine enough that I bought a second CSS106-5G-1S (and I also have a (10 year old?) RB250GS and my reasonably good experience with it was the reason I bought the first RB260GS/CSS106-5G-1S).
But without better documentation, trying to use the ACL may be a big time sink, and I don't have time to do this without a specific need myself.
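To make two of the undocumented points in this thread concrete (the 48-bit MAC mask asked about in the second post, and the ordered-list / "redirect to no ports means block" behaviour described here), the following is an added Python model, not SwOS code and not from any poster. It assumes first-match semantics with no-match forwarding normally (as the Cisco/VyOS comparison suggests); all frames, addresses and rules are constructed, and the "broken" list reproduces the DHCP failure described above.

```python
import ipaddress

def parse_mac(text):
    """'01:00:5e:00:00:fb' -> 48-bit integer."""
    return int(text.replace(":", ""), 16)

def mac_match(mac, value, mask):
    """Compare only the bits set in mask (e.g. ff:ff:ff:00:00:00 for an OUI); value None means 'any MAC'."""
    if value is None:
        return True
    bits = parse_mac(mask)
    return parse_mac(mac) & bits == parse_mac(value) & bits

def ip_match(ip, network):
    """CIDR match; network None means 'any source IP'."""
    if network is None:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)

# Rule = (dst_mac, dst_mac_mask, src_ip_network, redirect_ports).
# redirect_ports: None = "Redirect To" not checked (forward normally),
# set() = redirect to no ports (the thread's hint for "block"),
# {1, 2} = redirect to ports 1 and 2.
def evaluate(rules, frame):
    """First matching rule wins (assumed, as in Cisco/VyOS ACLs); no match forwards normally."""
    for dst_mac, mask, network, ports in rules:
        if mac_match(frame["dst_mac"], dst_mac, mask) and ip_match(frame["src_ip"], network):
            if ports is None:
                return "forward"
            return "drop" if not ports else "redirect:" + ",".join(map(str, sorted(ports)))
    return "forward"

# Constructed sample frames arriving on the customer-facing port.
CUSTOMER = {"dst_mac": "00:11:22:33:44:55", "src_ip": "203.0.113.10"}
WRONG_IP = {"dst_mac": "00:11:22:33:44:55", "src_ip": "203.0.113.11"}
DHCP_DISCOVER = {"dst_mac": "ff:ff:ff:ff:ff:ff", "src_ip": "0.0.0.0"}

# The port ACL as the thread describes it: allow one IP, then block all.
# A DHCP DISCOVER carries source 0.0.0.0, so it never hits the allow rule.
BROKEN = [
    (None, None, "203.0.113.10/32", None),
    (None, None, None, set()),
]
# Same list with a broadcast/multicast allow (multicast bit = lsb of the
# first octet, mask 01:00:00:00:00:00) inserted before the catch-all.
FIXED = [
    ("01:00:00:00:00:00", "01:00:00:00:00:00", None, None),
    (None, None, "203.0.113.10/32", None),
    (None, None, None, set()),
]
```

Whether the real CSS106 evaluates rules in this order, or treats an unmatched frame this way, is exactly what the thread says is undocumented; the model only shows why rule order and a broadcast allow matter for the DHCP case.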
