DonMcCoy

invalid traffic on a bridge

Sun Sep 01, 2019 4:45 pm

Hi all,

I have the following network as seen on the attached diagram.
Mikrotik has a bridge called br-vlan428 tagged on eth4 (the VLAN trunk to the Alcatel switch) and untagged at eth5 to the Aruba switch:

Creating VLAN 428:
/interface vlan add name=vlan-428 vlan-id=428 interface=ether4 disabled=no

Creating Bridge:
/interface bridge add name=br-vlan428 disabled=no

Adding Ports to the Bridge:
/interface bridge port add interface="vlan-428" bridge="br-vlan428" disabled=no
/interface bridge port add interface="ether5" bridge="br-vlan10" disabled=no

Assigning IP to the Bridge:
/ip address set address=10.129.128.1/24 interface=br-vlan428 disabled=no

Route of 10.129.140.0/24
/ip route
add check-gateway=ping distance=1 dst-address=10.129.140.0/24 gateway=10.129.128.254

Now my problem is, when I try to ping from 10.129.128.5 (the SIP server) to the Operator PC 10.129.140.11, the ICMP packet is delivered normally, but when I try the other way around, from the Operator PC to the SIP server, I trigger the invalid firewall rule:

add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid log=yes log-prefix="invalid: "

firewall,info invalid:  forward: in:br-vlan428 out:br-vlan428, src-mac 00:0c:29:56:b8:ef, proto ICMP (type 0, code 0), 10.129.128.5->10.129.140.253, len 60

So it seems that traffic has reached the SIP Server, but on the way back it triggered the rule.

Any idea why the traffic is being marked as invalid in this case, and how to get around that without disabling the invalid rule?