wombat
newbie
Topic Author
Posts: 27
Joined: Thu May 14, 2015 10:12 pm

L2TP client firewall rules

Mon Oct 03, 2016 12:57 pm

Hi,

I have an L2TP tunnel between my two objects. It works "good", but in the first object I have IPTV (IGMP proxy), and when I watch TV, unnecessary traffic goes to the tunnel. How can I filter it via the firewall?

Thank you.
 
tarikin
newbie
Posts: 33
Joined: Sat Sep 24, 2016 11:55 pm
Location: Russia, Moscow

Re: L2TP client firewall rules

Mon Oct 03, 2016 1:11 pm

Please describe your setup better:
/interface ethernet print
/interface bridge print
Print out your igmp-proxy setup
/routing igmp-proxy export
MTCNA MTCRE MTCTCE MTCWE MTCUME MTCSE MTCIPv6E
Mikrotik Consultant status since September 2016
 
wombat
newbie
Topic Author
Posts: 27
Joined: Thu May 14, 2015 10:12 pm

Re: L2TP client firewall rules

Mon Oct 03, 2016 1:24 pm

[admin@MK] > /interface ethernet print
Flags: X - disabled, R - running, S - slave 
 #    NAME              MTU MAC-ADDRESS       ARP        MASTER-PORT           SWITCH          
 0 R  ether1           1500 00:0C:42:FD:0F:E1 enabled    none                  switch1         
 1 RS ether2/PC_Z      1500 00:0C:42:FD:0F:E2 enabled    none                  switch1         
 2 RS ether3/NAS       1500 00:0C:42:FD:0F:E3 enabled    none                  switch1         
 3  S ether4/STUL_Z    1500 00:0C:42:FD:0F:E4 enabled    none                  switch1         
 4  S ether5/POSTEL_Z  1500 00:0C:42:FD:0F:E5 enabled    none                  switch1         
 5 RS ether6/VOIP      1500 00:0C:42:FD:0F:E6 enabled    none                  switch2         
 6 RS ether7/TV        1500 00:0C:42:FD:0F:E7 enabled    none                  switch2         
 7    ether8           1500 00:0C:42:FD:0F:E8 enabled    none                  switch2         
 8    ether9           1500 00:0C:42:FD:0F:E9 enabled    none                  switch2         
 9    ether10          1500 00:0C:42:FD:0F:EA enabled    none                  switch2         
10  S sfp1             1500 00:0C:42:FD:0F:E0 enabled    none                  switch1         
[admin@MK] > /interface bridge print          
Flags: X - disabled, R - running 
 0  R name="bridge1" mtu=1500 actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto 
      mac-address=00:0C:42:FD:0F:E2 protocol-mode=rstp priority=0x8000 auto-mac=no 
      admin-mac=00:0C:42:FD:0F:E2 max-message-age=20s forward-delay=15s transmit-hold-count=6 
      ageing-time=5m 
[admin@MK] > /routing igmp-proxy export
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=vlan/IPTV upstream=yes
add interface=bridge1
 
tarikin
newbie
Posts: 33
Joined: Sat Sep 24, 2016 11:55 pm
Location: Russia, Moscow

Re: L2TP client firewall rules

Mon Oct 03, 2016 1:57 pm

/interface bridge port print
MTCNA MTCRE MTCTCE MTCWE MTCUME MTCSE MTCIPv6E
Mikrotik Consultant status since September 2016
 
wombat
newbie
Topic Author
Posts: 27
Joined: Thu May 14, 2015 10:12 pm

Re: L2TP client firewall rules

Mon Oct 03, 2016 2:01 pm

[admin@MK] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                           BRIDGE                          PRIORITY  PATH-COST    HORIZON
 0 I  ether4/STUL_Z                       bridge1                             0x80         10       none
 1 I  ether5/POSTEL_Z                     bridge1                             0x80         10       none
 2    ether6/VOIP                         bridge1                             0x80         10       none
 3 I  sfp1                                bridge1                             0x80         10       none
 4    wlan1                               bridge1                             0x80         10       none
 5    ether7/TV                           bridge1                             0x80         10       none
 6    ether3/NAS                          bridge1                             0x80         10       none
 7    ether2/PC_Z                         bridge1                             0x80         10       none
 8  D l2tp-tunnel                         bridge1                             0x80         10       none
 
tarikin
newbie
Posts: 33
Joined: Sat Sep 24, 2016 11:55 pm
Location: Russia, Moscow

Re: L2TP client firewall rules

Mon Oct 03, 2016 2:14 pm

[admin@MK] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE                           BRIDGE                          PRIORITY  PATH-COST    HORIZON
 0 I  ether4/STUL_Z                       bridge1                             0x80         10       none
 1 I  ether5/POSTEL_Z                     bridge1                             0x80         10       none
 2    ether6/VOIP                         bridge1                             0x80         10       none
 3 I  sfp1                                bridge1                             0x80         10       none
 4    wlan1                               bridge1                             0x80         10       none
 5    ether7/TV                           bridge1                             0x80         10       none
 6    ether3/NAS                          bridge1                             0x80         10       none
 7    ether2/PC_Z                         bridge1                             0x80         10       none
 8  D l2tp-tunnel                         bridge1                             0x80         10       none
Got it!
The l2tp-tunnel is bridged to bridge1
Try to remove l2tp-tunnel from bridge1, or you have to use the IP firewall on your bridge to filter outgoing multicast traffic on your l2tp interface.
Here is a good howto:
https://u-to-l.blogspot.se/2012/06/deal ... ic-on.html
MTCNA MTCRE MTCTCE MTCWE MTCUME MTCSE MTCIPv6E
Mikrotik Consultant status since September 2016
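
The filtering suggested above, done at the bridge layer, as an added example that is not part of the original posts. It assumes `l2tp-tunnel` is the L2TP client interface shown as a dynamic port of `bridge1` in the output above, and that only IPv4 multicast (the IPTV streams relayed by the IGMP proxy) needs to be kept out of the tunnel.

```routeros
# Added example (not from the thread). Interface and bridge names are taken
# from the "/interface bridge port print" output posted above.

/interface bridge filter

# Streams relayed by the IGMP proxy are sent by the router itself into
# bridge1, so on the bridge they traverse chain=output, not chain=forward.
add chain=output out-interface=l2tp-tunnel mac-protocol=ip \
    dst-address=224.0.0.0/4 action=drop \
    comment="IPTV: no router-originated IPv4 multicast into L2TP"

# Multicast arriving from other bridge ports (ether7/TV, wlan1, ...) is
# switched port-to-port and traverses chain=forward.
add chain=forward out-interface=l2tp-tunnel mac-protocol=ip \
    dst-address=224.0.0.0/4 action=drop \
    comment="IPTV: no bridged IPv4 multicast into L2TP"

# Broader alternative, left disabled: packet-type=multicast matches on the
# destination MAC and therefore also drops non-IPv4 multicast frames
# (for example IPv6 neighbor discovery) on their way into the tunnel.
add chain=output out-interface=l2tp-tunnel packet-type=multicast \
    action=drop disabled=yes \
    comment="optional: drop all multicast frames into L2TP"

# Check: with a TV channel playing, the tunnel's TX rate should stay near
# idle while unicast traffic between the two sites still passes.
/interface monitor-traffic l2tp-tunnel once
```

Unicast traffic between the two sites is untouched by these rules; only frames leaving through the `l2tp-tunnel` bridge port with a destination in 224.0.0.0/4 are dropped.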
 
wombat
newbie
Topic Author
Posts: 27
Joined: Thu May 14, 2015 10:12 pm

Re: L2TP client firewall rules

Mon Oct 03, 2016 2:31 pm

OK, now it is good. Thank you. Perfect ;-)
