Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

switch - rule - redirect to cpu issue?

Sun Jan 12, 2020 9:50 pm

I might be doing it all wrong, but I'm trying to send switched packets to the firewall, and it seems that the only way I'm able to do that is to use the switch rule redirect-to-CPU.

(everything is in one bridge with hardware offloading)

When I create this rule:
/interface ethernet switch rule
add ports=interface-LAN1 redirect-to-cpu=yes src-address=192.168.75.249 switch=switch1
the moment I create it, ping between 192.168.75.100 and 192.168.75.249 stops working (the .100 is on another port, if that matters, but in the same bridge).

If I disable that switch rule, it works again.

I have no rule in the firewall to block that ping and I'm not seeing anything in the log.

One thing: 192.168.75.249 can still access the internet and ping google.com with or without that rule.

What am I doing wrong? I would like to keep the ping working.
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: switch - rule - redirect to cpu issue?

Sun Jan 12, 2020 10:17 pm

One thing I'm noticing is that I can see it in the raw prerouting firewall but not in input/forward/output.

Something tells me that I am missing something here ...
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: switch - rule - redirect to cpu issue?

Sun Jan 12, 2020 10:51 pm

You are missing most of your config in the above posting!
Of course you should at least post config of switch, bridge, and IP addresses.
As it is now it is impossible to see if this traffic is switched, bridged or routed.
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: switch - rule - redirect to cpu issue?

Sun Jan 12, 2020 11:01 pm

You are missing most of your config in the above posting!
Of course you should at least post config of switch, bridge, and IP addresses.
As it is now it is impossible to see if this traffic is switched, bridged or routed.

Which part of the config are you interested in? I don't really want to manually remove all the noise and the things I don't want to give out, like passwords, names, MAC addresses, etc.


Also, I added
/ip firewall nat
add action=redirect chain=dstnat dst-address=192.168.75.100 log=yes log-prefix="DEBUG NAT REDIRECT" src-address=192.168.75.249
and now ping responds, but HTTP requests don't (I was hoping that by fixing ping the HTTP etc. requests would work too).
 
Spirch
Member Candidate
Topic Author
Posts: 119
Joined: Sat May 03, 2014 5:04 am

Re: switch - rule - redirect to cpu issue?

Sun Jan 12, 2020 11:27 pm

You are missing most of your config in the above posting!
Of course you should at least post config of switch, bridge, and IP addresses.
As it is now it is impossible to see if this traffic is switched, bridged or routed.
Sorry, I misread your text; here is the relevant section:
/interface bridge
add admin-mac=xxx auto-mac=no name=bridge-LAN protocol-mode=none

/interface ethernet
set [ find default-name=ether2 ] name=interface-LAN1
set [ find default-name=ether3 ] name=interface-LAN2
set [ find default-name=ether4 ] name=interface-LAN3
set [ find default-name=ether5 ] name=interface-LAN4
set [ find default-name=ether1 ] name=interface-WAN

/interface bridge port
add bridge=bridge-LAN interface=interface-WLAN1
add bridge=bridge-LAN interface=interface-WLAN2
add bridge=bridge-LAN interface=interface-LAN4
add bridge=bridge-LAN interface=interface-LAN2
add bridge=bridge-LAN interface=interface-LAN3
add bridge=bridge-LAN interface=interface-LAN1

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip dhcp-server network
add address=192.168.75.0/24 dns-server=192.168.75.1 gateway=192.168.75.1 ntp-server=192.168.75.1

/ip address
add address=192.168.75.1/24 interface=bridge-LAN network=192.168.75.0

Routes: all default / dynamic / managed by the router.
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: switch - rule - redirect to cpu issue?

Mon Jan 13, 2020 1:59 pm

OK, so it looks like both the source and destination systems are in the same subnet, so the traffic would be bridged or switched.
But earlier you wrote:
(the .100 is on another port if that matter or not but in the same bridge)
That appears to be inconsistent with the config you posted.

When everything is in the same bridge but you want the CPU to handle the traffic, it could be required to use proxy-arp; not sure in this case, because the bridge is also CPU-processed and of course proxy-arp is not required for forwarding via the bridge.

When there really is a different bridge, the traffic is routed and of course you will need proxy ARP.
A cleaner solution would be to set up a different local network and have the traffic routed.
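As an added example of the routed alternative suggested above (this is not configuration from the thread or from MikroTik), the host on interface-LAN1 is moved to its own VLAN and subnet so that its traffic to 192.168.75.100 is routed by the CPU and therefore passes the /ip firewall filter forward chain, with no switch rule needed. It assumes the OP's names (bridge-LAN, interface-LAN1..4), that .100 sits on interface-LAN2, and constructed values for the VLAN ids (10, 20) and the new subnet 192.168.76.0/24.

```routeros
# Added example, not from the thread. Assumptions: .249 is on interface-LAN1,
# .100 is on interface-LAN2; VLAN ids 10/20 and 192.168.76.0/24 are constructed.
# The redirect-to-cpu switch rule from the first post is no longer needed.

# 1. Turn on bridge VLAN filtering; LAN1 becomes an access port in VLAN 20,
#    the remaining LAN ports stay together as access ports in VLAN 10.
/interface bridge
set bridge-LAN vlan-filtering=yes
/interface bridge port
set [ find interface=interface-LAN1 ] pvid=20
set [ find interface=interface-LAN2 ] pvid=10
set [ find interface=interface-LAN3 ] pvid=10
set [ find interface=interface-LAN4 ] pvid=10
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN untagged=interface-LAN2,interface-LAN3,interface-LAN4 vlan-ids=10
add bridge=bridge-LAN tagged=bridge-LAN untagged=interface-LAN1 vlan-ids=20

# 2. One L3 interface per VLAN; the existing LAN subnet moves onto VLAN 10,
#    the isolated host gets a new subnet on VLAN 20 (it will no longer be .249).
/interface vlan
add interface=bridge-LAN name=vlan10-lan vlan-id=10
add interface=bridge-LAN name=vlan20-isolated vlan-id=20
/ip address
set [ find address="192.168.75.1/24" ] interface=vlan10-lan
add address=192.168.76.1/24 interface=vlan20-isolated

# 3. Traffic between the two VLANs is now routed, so the forward chain applies.
#    Allow only ping and HTTP/HTTPS to .100; log and drop everything else.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for allowed sessions"
add chain=forward action=accept in-interface=vlan20-isolated out-interface=vlan10-lan \
    dst-address=192.168.75.100 protocol=icmp comment="ping to .100"
add chain=forward action=accept in-interface=vlan20-isolated out-interface=vlan10-lan \
    dst-address=192.168.75.100 protocol=tcp dst-port=80,443 comment="http/https to .100"
add chain=forward action=drop in-interface=vlan20-isolated out-interface=vlan10-lan \
    log=yes log-prefix="isolated->lan drop" comment="everything else from the isolated VLAN"
```

DHCP for the new subnet is left out; the host on interface-LAN1 needs an address in 192.168.76.0/24 with 192.168.76.1 as gateway. Whether VLAN filtering keeps hardware offloading depends on the switch chip, so check the H flag in /interface bridge port after enabling it.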
 
mrtn
just joined
Posts: 8
Joined: Thu Dec 30, 2021 2:35 am

Re: switch - rule - redirect to cpu issue?

Thu Dec 30, 2021 3:00 am

I'm having the same problem:
I have a bridge with 2 ports and HW offloading enabled, i.e., the device works just as a switch.
I want to redirect specific traffic to the CPU to pass it through bridge filter or IP filter rules.

Port 1 is the gateway, port 2 to my PC.

On the PC, I start `ping 8.8.8.8`. Then I add a Switch Rule:
0 switch=switch1 ports=ether3-pc protocol=icmp copy-to-cpu=no redirect-to-cpu=yes mirror=no
I'd expect that the ping continues, but is handled by the CPU and not the switch chip anymore.
However, the ping stops working. Seems like the same behavior the OP saw.

The docs on switch ACL rules and the option `redirect-to-cpu` are quite limited so I'm not sure I'm using it correctly.

When I disable hardware offloading for port 2, the ping works, but then I guess *all* traffic goes to the CPU, which is not what I want.

Thanks!
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: switch - rule - redirect to cpu issue?

Thu Dec 30, 2021 12:00 pm

It could well be that the combination of "switch port rules" and "bridge with hardware acceleration" is not supported, or not supported on all hardware.
This switch configuration dates from the days when the bridge was not mandatory and you could directly connect a switch to the router config.
Now a bridge has become mandatory and much of switch config has moved to bridge config, and the remaining switch config options are of course in conflict with what you do on switch level.
It would not surprise me if in the end all possible config is moved into bridge and the switch menu disappears entirely.
