 
Tech9282
just joined
Topic Author
Posts: 2
Joined: Thu May 02, 2019 4:51 am

Blocking Vlan routing with new bridge vlan filtering

Thu May 02, 2019 5:01 am

Hi everyone,

I have kind of stumped myself with a recent change I made to my CCR1009 router. I am going to be implementing CAPsMAN in the coming months, so I decided to clean up my config and change my existing VLAN configuration with multiple bridges to a single bridge using VLAN filtering. I have addresses for each VLAN assigned to the VLAN interface, and all of the VLANs seem to be working correctly. The issue I am having now is that my firewall filter rules seem to have no effect in blocking traffic between the VLANs. Even a drop-all rule for all VLANs doesn't appear to do anything. I feel like I am missing something simple here; I tried turning on the "use filter rules" for the bridge with no improvement. I can't seem to figure out how traffic is routing between the interfaces without the filter rules being able to affect them. I am running the latest stable release. Does anyone have any ideas?
 
mkx
Forum Guru
Posts: 2446
Joined: Thu Mar 03, 2016 10:23 pm

Re: Blocking Vlan routing with new bridge vlan filtering

Thu May 02, 2019 11:07 am

Post outputs of

/interface bridge export
/interface vlan export
/interface list export
/ip address export (and change/mask public IP addresses)
/ip firewall export (and change/mask public IP addresses)
BR,
Metod
 
sindy
Forum Guru
Posts: 3464
Joined: Mon Dec 04, 2017 9:19 pm

Re: Blocking Vlan routing with new bridge vlan filtering

Thu May 02, 2019 12:45 pm

I have a brilliant one - follow the hint in my automatic signature. All the psychics here who can find the issue without seeing the config are currently on vacation.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
mkx
Forum Guru
Posts: 2446
Joined: Thu Mar 03, 2016 10:23 pm

Re: Blocking Vlan routing with new bridge vlan filtering

Thu May 02, 2019 2:21 pm

All the psychics here who can find the issue without seeing the config are currently on vacation.
Except @sindy, he's around now. But even he prefers to work based on hard facts :-P
BR,
Metod
 
anav
Forum Guru
Posts: 2829
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking Vlan routing with new bridge vlan filtering

Thu May 02, 2019 2:34 pm

Sebastia loves to answer questions with minimal explanation. What frightens me is that he often gets it right with hardly any information to work with.
Makes my hair stand up............ (I don't think he's human)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
Tech9282
just joined
Topic Author
Posts: 2
Joined: Thu May 02, 2019 4:51 am

Re: Blocking Vlan routing with new bridge vlan filtering  [SOLVED]

Fri May 03, 2019 3:42 pm

Well, despite the sarcastic responses from some individuals, I sorted out the issue. In addition to turning on "use-ip-firewall" on the bridge (which doesn't apply to routed traffic, I learned), you need to turn on "use-ip-firewall-for-vlan", which did the trick.
 
mkx
Forum Guru
Posts: 2446
Joined: Thu Mar 03, 2016 10:23 pm

Re: Blocking Vlan routing with new bridge vlan filtering

Fri May 03, 2019 3:57 pm

The settings which you declared to fix the issue ... don't make much sense in the context of original post. My guess is that your settings are still flawed. But then, if you're happy about how things work, who are we to judge?
BR,
Metod
 
sindy
Forum Guru
Posts: 3464
Joined: Mon Dec 04, 2017 9:19 pm

Re: Blocking Vlan routing with new bridge vlan filtering

Fri May 03, 2019 5:10 pm

The point is that between VLANs, normally the traffic can only be routed, not switched, so none of the L2-related settings (neither /interface bridge vlan-filtering nor the use-ip-firewall... items of /interface bridge settings) have any effect on it. /interface bridge vlan-filtering is used to control membership of bridge ports in individual VLANs (and dropping, on each port of that bridge, of ingress and egress traffic of all VLANs of which that port is not a member), whereas the topic title mentions routing explicitly and you've also mentioned firewall filter rules blocking traffic between VLANs in the text.

So I've asked for the actual configuration, and yes, I was a bit sarcastic because too many people here expect other people to mysteriously find the mistake in a configuration they haven't seen. You may find this common frustration manifest in various ways here, because you have to be creative when asking the same thing all over again. And the final stage is to simply ignore this kind of questions.

I am in accord with @mkx - it may well be your current configuration has solved the issue, however it is quite likely that your RouterBoard is spending more CPU on the task than actually necessary. Or maybe you actually need to filter traffic between two external devices within the same VLAN, but even if this is the case, better-suited tools exist than use-ip-firewall....

BTW, when using CAPsMAN, you don't need to use VLANs at all in some scenarios - in particular, where no L2 interconnection between wired ports and wireless interfaces is required and where all the traffic of the clients of the cAPs is routed at the CAPsMAN device (i.e. no local forwarding, L2 or L3, is required directly on the cAPs).

So all in all - so far the benefit of this topic for the forum community is zero or less. You have provided insufficient and confusing information about the initial issue, I was sarcastic above your tolerance threshold (and I've sent that response with such a delay that the only noticeable part remained the sarcasm because @mkx has asked for the same but neutrally in the meantime), @Anav has just complained about a person who didn't even take part in the topic, and as a final product we have here a topic which does propose a solution to people coming here via keyword search, but it is most likely a solution of something else than the topic subject.

So shall we try once again and better from the beginning or shall we let the waters close over it?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
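An added configuration example, written for this page and not posted by anyone in the thread, to make the routed-vs-switched distinction above concrete: two VLANs on a single vlan-filtering bridge, gateway addresses on vlan interfaces attached to the bridge, and the inter-VLAN traffic blocked in the /ip firewall filter forward chain while both use-ip-firewall items of /interface bridge settings stay at their default of no. Interface names, VLAN IDs and the 192.168.x.0/24 addresses are constructed for the example.

```routeros
# Added example (not from the thread). Interface names, VLAN IDs and
# addresses are constructed; adapt them to the real device.

# One bridge. vlan-filtering is switched on last, after ports and VLAN
# membership exist, so management access over the bridge is not cut off.
/interface bridge
add name=bridge1 vlan-filtering=no

# ether1 is a trunk carrying both VLANs tagged (e.g. towards a cAP);
# ether2/ether3 are access ports, untagged in exactly one VLAN (pvid).
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20

# L2 membership table. The bridge itself must be a tagged member of each
# VLAN the router routes for, otherwise the vlan interfaces below never
# receive a frame.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether3 vlan-ids=20

# L3: vlan interfaces hang off the bridge (not off a physical port) and
# carry the gateway address of each VLAN.
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20

# An interface list keeps the firewall rules short as VLANs are added.
/interface list
add name=VLANS
/interface list member
add interface=vlan10 list=VLANS
add interface=vlan20 list=VLANS

# A packet from 192.168.10.0/24 to 192.168.20.0/24 leaves the L2 domain
# of VLAN 10, is routed by the CCR and enters VLAN 20, so it traverses
# the forward chain. The drop rule below blocks inter-VLAN traffic with
# no bridge setting involved. Replies to already permitted sessions are
# accepted first so that the rule only affects new inter-VLAN sessions.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=VLANS out-interface-list=VLANS \
    action=drop comment="no routing between VLANs"

# Both items stay at their default. use-ip-firewall pushes *bridged*
# (switched) frames through the IP firewall; use-ip-firewall-for-vlan
# extends that to VLAN-tagged bridged frames. Neither touches traffic
# that is routed between VLANs, and both cost CPU on every switched frame.
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no

# Finally enable VLAN filtering on the bridge.
/interface bridge
set bridge1 vlan-filtering=yes

# Checks: the drop rule's counters must increase while a host in VLAN 10
# pings one in VLAN 20; the membership table must show bridge1 tagged in
# both VLANs.
/ip firewall filter print stats where comment="no routing between VLANs"
/interface bridge vlan print
```

If the drop rule shows no hits while the two hosts still reach each other, the traffic is not being routed through the CCR at all, which is exactly the kind of thing the /export requested earlier in the thread would reveal.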
 
anav
Forum Guru
Posts: 2829
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking Vlan routing with new bridge vlan filtering

Fri May 03, 2019 6:18 pm

As usual brave Sindy, you misinterpret my eloquent and sometimes verbose oratory.
My comment was simply in support of both you and MKX in that the OP should provide a more thorough explanation of the requirements and scenario.
My usual post comments are: please post a diagram and complete config (/export hide-sensitive file=yourconfigmay03).
They are still valid!!
As to the accuracy of your comments, they are off the mark - I am actually in my 'special way' praising the intellect and prowess of Sebastia in solving OP raised issues with the barest of details! (not complaining at all - well other than he makes us look bad). He treads where few dare tread LOL.
Finally, to set the record straight, I strive to be acerbic not sarcastic. :-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)