azurtem
Trainer
Topic Author
Posts: 217
Joined: Mon May 16, 2011 5:35 pm
Location: Nice, France

Bridge filter blocking NAS SMB

Mon Nov 30, 2015 10:43 am

Hi

A client of mine has an RB750GL (6.29.1)
Uplinks are on ports 1 and 5
Ports 2, 3 and 4 are bridged:
ether2 Synology NAS (DS211)
ether3 LAN
ether4 VPN router (SDSL)

Unfortunately, for now, the VPN router is on the same subnet as the LAN

I want to protect the VPN link traffic and avoid unnecessary noise so I enabled, on Saturday evening, the bridge firewall and created a filter to block forwarding all traffic to the VPN router unless it is destined for the remote PMS server

[RB750GL] > interface bridge filter pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop out-interface=ether4 - Op\E9ra mac-protocol=ip
dst-address=!192.168.1.21/32 log=no log-prefix=""

This morning the users called me because they can't access their shares on the NAS

They can ping the NAS, they can even access the NAS web console, but they can't communicate via SMB with the NAS

SMB shares with other devices on the network e.g. other Windows workstation and servers work fine

I disabled the firewall on the bridge and all is back to normal

Why is the bridge filter blocking SMB communications on the LAN, i.e. between port 2 and port 3?

thanks
yann
 
noib
Member Candidate
Posts: 285
Joined: Fri Jan 25, 2013 6:04 pm
Location: France

Re: Bridge filter blocking NAS SMB

Mon Nov 30, 2015 10:56 am

You applied your drop rule on ether4, which is part of the bridge, so I think your rule is finally applied to the whole bridge, blocking all traffic to your NAS. All rules should be applied on the bridge itself, not the ports.
I'm afraid the only clean solution is to separate networks.
 
azurtem
Trainer
Topic Author
Posts: 217
Joined: Mon May 16, 2011 5:35 pm
Location: Nice, France

Re: Bridge filter blocking NAS SMB

Mon Nov 30, 2015 6:31 pm

Thanks for your answer

If what you say is correct, why would one be able to select an individual out-interface ?

Why are other SMB shares operational ?

Everything else works fine for that matter

Just the Synology NAS SMB is blocked !
Last edited by azurtem on Mon Nov 30, 2015 8:35 pm, edited 2 times in total.
 
noib
Member Candidate
Posts: 285
Joined: Fri Jan 25, 2013 6:04 pm
Location: France

Re: Bridge filter blocking NAS SMB

Mon Nov 30, 2015 6:50 pm

Probably because RouterOS is very rich and flexible, and some other functionality than IP firewall is using it.
