spire2z
Long time Member
Topic Author
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

bridge filter

Thu May 10, 2007 5:00 am

Hi, if using bridge filter on a router with 4 interfaces, with the intention of blocking all traffic between 3 interfaces, should I block forward and input traffic, or just forward, to block all traffic?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu May 10, 2007 3:06 pm

Forward filters traffic for hosts connected to the router; input filters traffic that is destined directly to the router itself.
 
spire2z
Topic Author

Fri May 11, 2007 12:56 am

That's strange, as traffic still seems to pass when only forward is dropped. For example, I can ping and use Winbox through the filter, which is on an AP with a 5 GHz interface and a 2.4 GHz interface, with the filter blocking forward between the two. This filter is on the 5 GHz card, which links other APs and also has a 2.4 GHz AP too. It is connected by wire to the core router. Could the core router forward packets, so the AP would only see it go in and out to the core router and back out to another client?
 
sten
Forum Veteran
Posts: 919
Joined: Tue Jun 01, 2004 12:10 pm

Fri May 11, 2007 4:25 pm

Perhaps you used the bridge IP as the default gateway for some of the users? If traffic is routed and the gateway IP is a bridge member, then the traffic will show up in the "input" bridge filter chain.
 
spire2z
Topic Author

Thu May 24, 2007 1:33 pm

No, it's just a bridge. The IP used for testing is just one local IP, not NATed, and certainly packets are not being dropped from one interface to another?

I have traffic dropped on forward between:

wlan1 - wlan2 forward drop
wlan2 - wlan1 forward drop

Traffic is dropped between 1 and 2 but not 2 and 1??
 
sten

Re: bridge filter

Sat May 26, 2007 3:54 pm

Export your bridge filter rules?
Probably you can reduce the bridge member <-> bridge member rules into a single rule.
 
spire2z
Topic Author

Re: bridge filter

Tue May 29, 2007 9:15 pm

Here is a jpg of my rules in Winbox:

[screenshot of the bridge filter rules in Winbox; image not included]

Thanks for your time, my friend. :)
 
sten

Re: bridge filter

Wed May 30, 2007 9:42 am

Aside from the rules I already know about, it says nothing.
You *are* aware of the "Print Screen" key's function in Windows, right?
Try this in terminal:

/ interface bridge filter export

Which interface is your upstream?
 
spire2z
Topic Author

Re: bridge filter

Wed May 30, 2007 12:52 pm

No, I'm not aware of Print Screen! Try not to use Windows too much!! Not quite sure what you mean, as the terminal is the same information as the info in Winbox; here it is anyway, and thanks again for your help:

/ interface bridge filter
add chain=forward in-interface=wlan1 out-interface=wlan2 action=drop \
comment="" disabled=no
add chain=forward in-interface=wlan1 out-interface=wlan3 action=drop \
comment="" disabled=no
add chain=forward in-interface=wlan2 out-interface=wlan1 action=drop \
comment="" disabled=no
add chain=forward in-interface=wlan2 out-interface=wlan3 action=drop \
comment="" disabled=no
add chain=forward in-interface=wlan3 out-interface=wlan1 action=drop \
comment="" disabled=no
add chain=forward in-interface=wlan3 out-interface=wlan2 action=drop \
comment="" disabled=no

My WAN is ether1.
 
sten

Re: bridge filter

Thu May 31, 2007 11:02 am

Remove those rules and add this one and you'll have the desired effect
(paste in terminal):
/ interface bridge filter add chain=forward in-interface=!ether1 out-interface=!ether1 action=drop 
The logic of that rule is as follows:

If the packet is neither entering ether1 (i.e. wlan1) nor exiting ether1 (i.e. wlan2), then drop.
It won't affect traffic that either enters ether1 (from the internet to one of the wlans) or exits ether1 (to the internet from one of the wlans).
Does this work for you?
 
spire2z
Topic Author

Re: bridge filter

Tue Jun 19, 2007 3:30 am

No, but this did, in chain order:

/ interface bridge filter add chain=forward in-interface=!ether1 out-interface=ether1 action=accept

/ interface bridge filter add chain=forward in-interface=ether1 out-interface=!ether1 action=accept

/ interface bridge filter add chain=forward action=drop

The reason my original rules did not work, as I found, was because of WDS dynamic interfaces. I wrongly assumed that filtering the master interface would block it, but no. Thanks for your assistance too, my good fellow wisper.
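As an added illustration (not code from the thread, and not MikroTik's), the following Python models the bridge filter forward chain as a first-match walk over (in-interface, out-interface) pairs and runs the three rule sets posted above against constructed frames. It assumes that WDS links show up as separate dynamic bridge ports named wds1..wds3 (names invented here) and that a frame matching no rule is accepted.

```python
# Added example, not code from the forum thread or from MikroTik.
# A first-match model of the RouterOS bridge filter "forward" chain, used to
# compare the three rule sets posted above.  Assumptions: WDS links appear as
# separate dynamic bridge ports named wds1..wds3 (names invented here); a
# frame that matches no rule is accepted, as in a chain with no terminating
# drop rule.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Frame = Tuple[str, str]  # (in-interface, out-interface) as seen by the bridge


@dataclass(frozen=True)
class Rule:
    """One bridge filter rule; None means 'any', a leading '!' negates."""
    action: str                  # "accept" or "drop"
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    @staticmethod
    def _match(spec: Optional[str], value: str) -> bool:
        if spec is None:
            return True
        if spec.startswith("!"):
            return value != spec[1:]
        return value == spec

    def matches(self, frame: Frame) -> bool:
        in_if, out_if = frame
        return self._match(self.in_if, in_if) and self._match(self.out_if, out_if)


def evaluate(chain: List[Rule], frame: Frame) -> str:
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(frame):
            return rule.action
    return "accept"  # no match: the frame is forwarded


UPSTREAM = "ether1"
WLANS = ["wlan1", "wlan2", "wlan3"]

# The original six pairwise drops, as exported earlier in the thread.
PAIRWISE: List[Rule] = [Rule("drop", a, b) for a in WLANS for b in WLANS if a != b]

# sten's single rule: neither side is the upstream port -> drop.
SINGLE: List[Rule] = [Rule("drop", "!" + UPSTREAM, "!" + UPSTREAM)]

# spire2z's final chain; order matters: accept to/from upstream, drop the rest.
ORDERED: List[Rule] = [
    Rule("accept", "!" + UPSTREAM, UPSTREAM),
    Rule("accept", UPSTREAM, "!" + UPSTREAM),
    Rule("drop"),
]

# Constructed test frames.  The wds* ports are the assumed dynamic WDS
# interfaces that rules naming the master wlan1 never match.
FRAMES: List[Frame] = [
    ("wlan1", "wlan2"), ("wlan2", "wlan1"),    # client <-> client, must drop
    ("wlan1", "ether1"), ("ether1", "wlan3"),  # to/from upstream, must pass
    ("wds1", "wlan2"), ("wlan2", "wds1"),      # WDS link <-> local client
    ("wds1", "wds2"),                          # WDS link <-> WDS link
    ("wds1", "ether1"),                        # WDS link -> upstream, must pass
]


def decisions(chain: List[Rule]) -> Dict[Frame, str]:
    """Verdict of a chain for every constructed frame."""
    return {frame: evaluate(chain, frame) for frame in FRAMES}


def leaks(chain: List[Rule]) -> List[Frame]:
    """Frames forwarded between two non-upstream ports: what the filter must stop."""
    return [
        frame for frame in FRAMES
        if UPSTREAM not in frame and evaluate(chain, frame) == "accept"
    ]


if __name__ == "__main__":
    for name, chain in [("pairwise", PAIRWISE), ("single", SINGLE), ("ordered", ORDERED)]:
        print(f"{name:8s} leaks: {leaks(chain)}")
```

Running it lists which non-upstream frames each chain still forwards: the six pairwise rules let anything arriving on or leaving via a wds* port through, because no rule names those ports, while the single negated rule and the accept/accept/drop chain block all of them and agree on every constructed frame. The thread reports that the single rule did not work on the poster's AP; this model does not account for that difference.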
