Spirch
Frequent Visitor
Topic Author
Posts: 50
Joined: Sat May 03, 2014 5:04 am

switch - rule - redirect to cpu issue?

Sun Jan 12, 2020 9:50 pm

I might be doing it all wrong, but I'm trying to send switched packets to the firewall, and it seems that the only way I'm able to do that is to use the switch rule redirect-to-CPU.

(everything is in one bridge under hardware offloading)

when I create this rule:
/interface ethernet switch rule
add ports=interface-LAN1 redirect-to-cpu=yes src-address=192.168.75.249 switch=switch1
the moment I create this rule, ping between 192.168.75.100 and 192.168.75.249 stops working (the .100 is on another port, if that matters, but in the same bridge)

if I disable that switch rule, it works again

I have no rule in the firewall to block that ping, and I'm not seeing anything in the log

one thing: 192.168.75.249 can still access the internet and ping google.com with or without that rule

what am I doing wrong? I would like to keep the ping working.
 
Spirch
Frequent Visitor
Topic Author
Posts: 50
Joined: Sat May 03, 2014 5:04 am

Re: switch - rule - redirect to cpu issue?

Sun Jan 12, 2020 10:17 pm

one thing I'm noticing is that I can see it in the raw prerouting firewall but not in input/forward/output

something tells me that I am missing something here ...
 
pe1chl
Forum Guru
Posts: 6175
Joined: Mon Jun 08, 2015 12:09 pm

Re: switch - rule - redirect to cpu issue?

Sun Jan 12, 2020 10:51 pm

You are missing most of your config in the above posting!
Of course you should at least post config of switch, bridge, and IP addresses.
As it is now it is impossible to see if this traffic is switched, bridged or routed.
 
Spirch
Frequent Visitor
Topic Author
Posts: 50
Joined: Sat May 03, 2014 5:04 am

Re: switch - rule - redirect to cpu issue?

Sun Jan 12, 2020 11:01 pm

You are missing most of your config in the above posting!
Of course you should at least post config of switch, bridge, and IP addresses.
As it is now it is impossible to see if this traffic is switched, bridged or routed.

which part of the config are you interested in? I don't really want to manually remove all the noise and things that I don't want to give out, like passwords, names, MAC addresses, etc.


also, I added:
/ip firewall nat
add action=redirect chain=dstnat dst-address=192.168.75.100 log=yes log-prefix="DEBUG NAT REDIRECT" src-address=192.168.75.249
and now ping responds, but HTTP requests don't (I was hoping that by fixing ping the HTTP/etc. requests would work)
 
Spirch
Frequent Visitor
Topic Author
Posts: 50
Joined: Sat May 03, 2014 5:04 am

Re: switch - rule - redirect to cpu issue?

Sun Jan 12, 2020 11:27 pm

You are missing most of your config in the above posting!
Of course you should at least post config of switch, bridge, and IP addresses.
As it is now it is impossible to see if this traffic is switched, bridged or routed.
sorry, I misread your text, here is the relevant section:
/interface bridge
add admin-mac=xxx auto-mac=no name=bridge-LAN protocol-mode=none

/interface ethernet
set [ find default-name=ether2 ] name=interface-LAN1
set [ find default-name=ether3 ] name=interface-LAN2
set [ find default-name=ether4 ] name=interface-LAN3
set [ find default-name=ether5 ] name=interface-LAN4
set [ find default-name=ether1 ] name=interface-WAN

/interface bridge port
add bridge=bridge-LAN interface=interface-WLAN1
add bridge=bridge-LAN interface=interface-WLAN2
add bridge=bridge-LAN interface=interface-LAN4
add bridge=bridge-LAN interface=interface-LAN2
add bridge=bridge-LAN interface=interface-LAN3
add bridge=bridge-LAN interface=interface-LAN1

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip dhcp-server network
add address=192.168.75.0/24 dns-server=192.168.75.1 gateway=192.168.75.1 ntp-server=192.168.75.1

/ip address
add address=192.168.75.1/24 interface=bridge-LAN network=192.168.75.0

routes: all default / dynamic / managed by the router
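An added example (not from the thread or from RouterOS) that reads the export sections posted above and flags the situation in the opening post: a switch rule with redirect-to-cpu=yes whose src-address host sits in the same subnet as the bridge that contains the rule's ports, so frames that used to be forwarded by the switch chip are now handed to the CPU and, with use-ip-firewall=yes, have to pass the IP firewall. The sample export is constructed from the lines posted in this thread (admin-mac omitted); parse_export and audit_redirect_rules are this example's own names.

```python
import ipaddress
import re

# Constructed sample: the relevant sections of the export posted in this thread.
SAMPLE_EXPORT = """\
/interface bridge
add auto-mac=no name=bridge-LAN protocol-mode=none
/interface bridge port
add bridge=bridge-LAN interface=interface-LAN1
add bridge=bridge-LAN interface=interface-LAN2
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.75.1/24 interface=bridge-LAN network=192.168.75.0
/interface ethernet switch rule
add ports=interface-LAN1 redirect-to-cpu=yes src-address=192.168.75.249 switch=switch1
"""

# key=value tokens; values may be quoted ("DEBUG NAT REDIRECT") or bracketed ([ find ... ]).
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\[[^\]]*\]|\S+)')

def parse_export(text):
    """Return {section path: [ {key: value}, ... ]} from RouterOS export text."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            sections[current].append(dict(TOKEN.findall(line)))
    return sections

def audit_redirect_rules(text):
    """List (port, bridge, subnet, ip_firewall_on) for every redirect-to-cpu rule whose
    source host is inside the subnet of the bridge the rule's port belongs to."""
    cfg = parse_export(text)
    port_bridge = {p["interface"]: p["bridge"] for p in cfg.get("/interface bridge port", [])}
    subnets = {a["interface"]: ipaddress.ip_interface(a["address"]).network
               for a in cfg.get("/ip address", [])}
    ip_fw = any(s.get("use-ip-firewall") == "yes"
                for s in cfg.get("/interface bridge settings", []))
    findings = []
    for rule in cfg.get("/interface ethernet switch rule", []):
        if rule.get("redirect-to-cpu") != "yes" or "src-address" not in rule:
            continue
        src = ipaddress.ip_address(rule["src-address"].split("/")[0])  # accept host or host/32
        for port in rule.get("ports", "").split(","):
            bridge = port_bridge.get(port)
            net = subnets.get(bridge)
            if net is not None and src in net:
                findings.append((port, bridge, str(net), ip_fw))
    return findings
```

A finding means traffic from that host toward any other host on the same bridge no longer stays in the switch chip; it is punted to the CPU and, because use-ip-firewall=yes, is subject to the IP firewall chains, which is where a missing accept rule or a routing expectation (hence the proxy-arp remark below) can break same-subnet pings.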
 
pe1chl
Forum Guru
Posts: 6175
Joined: Mon Jun 08, 2015 12:09 pm

Re: switch - rule - redirect to cpu issue?

Mon Jan 13, 2020 1:59 pm

Ok, so it looks like both the source and destination system are in the same subnet, so the traffic would be bridged or switched.
But earlier you wrote:
(the .100 is on another port if that matter or not but in the same bridge)
That appears to be inconsistent with the config you posted.

When everything is in the same bridge but you want the CPU to handle the traffic, it could be required to use proxy-arp; not sure in this case, because the bridge is also CPU processed and of course proxy-arp is not required for forwarding via the bridge.

When there really is a different bridge, the traffic is routed and of course you will need proxy-arp.
A cleaner solution would be to set up a different local network and have the traffic routed.
