Jan 6 19:37:43 192.168.10.6 firewall,info crs326: X_X val-net: in:ether12 out:(unknown 0), src-mac 00:90:f5:e5:26:14, proto UDP, 192.168.4.6:1716->255.255.255.255:1716, len 978
# jan/06/2019 23:24:43 by RouterOS 6.43.2
# software id = TY91-A3R5
#
# model = CRS326-24G-2S+
# serial number = 763C08DC0959
/interface bridge
# The single hardware bridge every port/VLAN entry below attaches to.
# vlan-filtering=yes makes the "/interface bridge vlan" table authoritative for
# which ports (including the bridge itself, i.e. the CPU side) see each VLAN.
# auto-mac=no + admin-mac pins the bridge MAC instead of borrowing one from a
# member port; protocol-mode=none leaves (R)STP off on this bridge.
# NOTE(review): the bridge's own pvid, frame-types and ingress-filtering are not
# set here, so they sit at RouterOS defaults (pvid 1, frames of any type
# admitted) — confirm that is intended for the CPU-facing side of a filtered bridge.
add admin-mac=CC:2D:E0:51:8E:E0 auto-mac=no name=br-hardware protocol-mode=none vlan-filtering=yes
/interface ethernet
# All 24 copper ports: jumbo frames (mtu 9000, l2mtu 9112) and a fixed 100Mbps
# link speed. Both SFP+ cages use the same MTUs at 10Gbps; sfp-sfpplus2 also
# gets an explicit mac-address override (the bond below uses both cages).
# NOTE(review): "speed=" on RouterOS is only applied when auto-negotiation is
# turned off, and auto-negotiation is not changed in this export — verify on the
# device whether these ports really run at 100Mbps or still negotiate.
set [ find default-name=ether1 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether2 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether3 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether4 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether5 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether6 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether7 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether8 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether9 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether10 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether11 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether12 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether13 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether14 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether15 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether16 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether17 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether18 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether19 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether20 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether21 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether22 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether23 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=ether24 ] l2mtu=9112 mtu=9000 speed=100Mbps
set [ find default-name=sfp-sfpplus1 ] l2mtu=9112 mtu=9000 speed=10Gbps
set [ find default-name=sfp-sfpplus2 ] l2mtu=9112 mac-address=CC:2D:E0:51:8E:F8 mtu=9000 speed=10Gbps
/interface vlan
# The switch's own L3 presence on the bridge: a VLAN interface on br-hardware
# for VLAN 1002, which is the only VLAN the bridge itself is tagged in below.
# This is the interface the input firewall is meant to see management traffic on.
# NOTE(review): the name says "vlan10" but the ID is 1002 — consider renaming so
# the name and vlan-id agree; easy to misread when auditing firewall rules.
add interface=br-hardware name=vlan10-ccr vlan-id=1002
/interface bonding
# Uplink to the CCR: both SFP+ cages bonded as a static balance-xor LAG with
# layer-3-and-4 hashing, jumbo MTU to match the member ports.
# NOTE(review): balance-xor does not negotiate with the peer, so the CCR side
# presumably carries a matching static bond — verify, a mismatch can loop or
# blackhole traffic on one member.
add mode=balance-xor mtu=9000 name=bond-crs slaves=sfp-sfpplus1,sfp-sfpplus2 transmit-hash-policy=layer-3-and-4
/interface list
# Interface list "discover"; its only member is vlan10-ccr (added at the end of
# this export). Dynamic interfaces are explicitly excluded.
# NOTE(review): the consumer of this list (presumably neighbor discovery or a
# similar service) is not part of this excerpt — confirm where it is referenced.
add exclude=dynamic name=discover
/interface wireless security-profiles
# Default wireless profile entry carried over by the export; this CRS model has
# no wireless interface in the configuration above, so it has no visible effect.
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# Port membership and per-port ingress policy. Every physical port admits either
# only tagged frames or only untagged/priority-tagged frames and has
# ingress-filtering on, so frames in a VLAN the port is not a member of are
# dropped at ingress. The one exception is bond-crs (see below).
#
# ether17-24: trunk-style, tagged frames only. Their pvids (10-17) have no
# "/interface bridge vlan" entry, which is harmless here because untagged frames
# are rejected before the pvid could be applied.
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether17 pvid=10
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether18 pvid=11
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether19 pvid=12
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether20 pvid=13
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether21 pvid=14
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether22 pvid=15
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether23 pvid=16
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether24 pvid=17
# ether1-4: access ports, all in VLAN 99.
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1 pvid=99
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=99
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=99
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=99
# ether5-8: access ports, one VLAN each (301-304).
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=301
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=302
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=303
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=304
# ether9-12: access ports, one VLAN each (401-404). ether12 / VLAN 404 is the
# ingress port named in the logged broadcast (src 192.168.4.6 -> 255.255.255.255).
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 pvid=401
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 pvid=402
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether11 pvid=403
add bridge=br-hardware frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether12 pvid=404
# ether15-16: tagged frames only; pvids 18/19 have no VLAN-table entry (harmless,
# as for ether17-24).
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether15 pvid=18
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether16 pvid=19
# bond-crs (uplink to the CCR): NOTE(review) this is the only port without
# frame-types= and ingress-filtering=, so it is at the RouterOS 6.x defaults
# (all frame types admitted, ingress filtering off). Untagged frames arriving
# from the CCR are therefore accepted and placed in pvid 2, a VLAN with no
# "/interface bridge vlan" entry. Unless untagged traffic from the CCR is
# required, adding frame-types=admit-only-vlan-tagged ingress-filtering=yes
# here would make the uplink consistent with every other port.
add bridge=br-hardware interface=bond-crs pvid=2
# ether13-14: tagged-only ports that carry the 30x/40x access VLANs (see the
# VLAN table). pvids 3/4 again have no VLAN-table entry and are never applied.
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether13 pvid=3
add bridge=br-hardware frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether14 pvid=4
/interface bridge vlan
# VLAN table. With vlan-filtering=yes this decides which ports see which VLAN.
# Only VLAN 1002 lists br-hardware itself, so per this table the CPU (and hence
# the input firewall chain) should only receive traffic from VLAN 1002; none of
# the other VLANs have the bridge as a member.
# Management VLAN: tagged towards the CCR over the bond and towards the CPU.
add bridge=br-hardware tagged=br-hardware,bond-crs vlan-ids=1002
# 40x: access on ether9-12, trunked out alternately on ether13 / ether14.
add bridge=br-hardware tagged=ether13 untagged=ether9 vlan-ids=401
add bridge=br-hardware tagged=ether14 untagged=ether10 vlan-ids=402
add bridge=br-hardware tagged=ether13 untagged=ether11 vlan-ids=403
add bridge=br-hardware tagged=ether14 untagged=ether12 vlan-ids=404
# 30x: access on ether5-8, trunked out alternately on ether13 / ether14.
add bridge=br-hardware tagged=ether13 untagged=ether5 vlan-ids=301
add bridge=br-hardware tagged=ether14 untagged=ether6 vlan-ids=302
add bridge=br-hardware tagged=ether13 untagged=ether7 vlan-ids=303
add bridge=br-hardware tagged=ether14 untagged=ether8 vlan-ids=304
# VLAN 99: ether1-4 only, not carried on any trunk or to the CPU.
add bridge=br-hardware untagged=ether1,ether2,ether3,ether4 vlan-ids=99
# 4000-4009 and 4030-4039: tagged towards the CCR over the bond.
# NOTE(review): ether15-16 and ether17-24 are listed as untagged members of ten
# VLANs each, yet their bridge-port entries admit only tagged frames. Ingress
# from those ports is then impossible for these VLANs, and on egress all ten
# VLANs would leave each port untagged, i.e. indistinguishable — confirm this
# is the intended behaviour or whether these ports should be "tagged=" here.
add bridge=br-hardware tagged=bond-crs untagged=ether15,ether16 vlan-ids=4000,4001,4002,4003,4004,4005,4006,4007,4008,4009
add bridge=br-hardware tagged=bond-crs untagged=ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24 vlan-ids=4030,4031,4032,4033,4034,4035,4036,4037,4038,4039
/interface list member
# The management VLAN interface is the sole member of the "discover" list
# defined earlier; whatever service consumes that list is scoped to VLAN 1002.
add interface=vlan10-ccr list=discover
I tried to replicate the alert but it doesn't seem to be a regular issue. It looks like, for some reason, just this one particular packet got forwarded to the CPU and triggered the alert on the input firewall. Is it possible that VLAN filtering actually passes every n-th packet to the CPU for some statistics purpose or something like that? The fact that it's not reproducible bothers me even more than if it were a regular issue. It makes me feel a lack of control and mistrust regarding the hardware I own....
I can't tell if it's the first occurrence of the alert ever, because we configured the firewall and rsyslog on the switch just a few weeks ago (and the switch has been operational since around June 2017), so it bothers me even more: I assumed the switch was secure since traffic from VLANs other than management can't reach it anyway... Actually the only reason I eventually decided to copy the firewall config from the routers to the switch was to have a uniform config for easier synchronization...