mutluit
Forum Veteran
Topic Author
Posts: 743
Joined: Wed Mar 25, 2020 4:04 am

ACL firewall problem (missing L2 EtherType)

Thu Jun 25, 2020 9:08 pm

On router hAP ac^2 I monitored the traffic using "Tools / Torch" in the GUI and added all observed L2 EtherTypes via ACL into the rule table of the switch-chip.
But as soon as I activate the last rule by setting disabled=no, the Internet stops functioning. What other EtherType is highly likely missing below?

(Btw, interface ether5 is intentionally excluded for safety reasons, ie. to be able to login to the router via that interface in case the other interfaces get blocked by these rules)
[admin@AP1] /interface ethernet switch rule export 
# jun/25/2020 18:47:18 by RouterOS 7.0beta8
# software id = I2LK-MU5N
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXX
/interface ethernet switch rule
add comment=mgmt-interface ports=ether5 switch=switch1
add comment="L3+4 TCP" mac-protocol=ip ports=ether1,ether2,ether3,ether4 protocol=tcp switch=switch1
add comment="L3+4 UDP" mac-protocol=ip ports=ether1,ether2,ether3,ether4 protocol=udp switch=switch1
add comment="L3 ICMP" mac-protocol=ip ports=ether1,ether2,ether3,ether4 protocol=icmp switch=switch1
add comment="L2 EthType 0x806 (arp)" mac-protocol=arp ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x8035 (rarp)" mac-protocol=rarp ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x4 (802.2)" mac-protocol=802.2 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x8808 (Ethernet flow control)" mac-protocol=0x8808 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x88cc (Link Layer Discovery Protocol, LLDP)" mac-protocol=lldp ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x88e1 (homeplug-av)" disabled=no mac-protocol=homeplug-av ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x8912 (mediaxtream protocols)" disabled=no mac-protocol=0x8912 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="block all other" disabled=yes new-dst-ports="" ports=ether1,ether2,ether3,ether4 switch=switch1


[admin@AP1] /ip address export                    
/ip address
add address=192.168.127.254/17 interface=ether2 network=192.168.0.0
add address=192.168.254.253/24 interface=ether1 network=192.168.254.0
add address=192.168.200.254/24 comment=mgmt-interface interface=ether5 network=192.168.200.0
 
mutluit
Forum Veteran
Topic Author
Posts: 743
Joined: Wed Mar 25, 2020 4:04 am

Re: ACL firewall problem (missing L2 EtherType)

Thu Jun 25, 2020 11:58 pm

I've now added all documented mac-protocols I could find in the wiki pages, ie.
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan)

And the behavior is still the same! It blocks as soon as the last rule gets activated! (cf. OP).
I think this means that RouterOS uses either an L2 protocol that is undocumented yet, or there is a BUG in ACL.
(Btw, if it's not a bug then it must be an L2 protocol, not a higher protocol as they all are included by the above.)

SOS MikroTik! Need help ASAP, else can't continue with my work here.

Here my latest attempt with ALL the documented mac-protocols:
# jun/25/2020 22:01:31 by RouterOS 7.0beta8
# software id = I2LK-MU5N
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXXXXX
/interface ethernet switch rule
add comment=mgmt-interface ports=ether5 switch=switch1
add comment="L3 all IP protocols" mac-protocol=ip ports=\
    ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x806 (arp)" mac-protocol=arp ports=\
    ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x8035 (rarp)" mac-protocol=rarp ports=\
    ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x4 (802.2)" mac-protocol=802.2 ports=\
    ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x8808 (Ethernet flow control)" mac-protocol=0x8808 \
    ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x88cc (Link Layer Discovery Protocol, LLDP)" \
    mac-protocol=lldp ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x88e1 (homeplug-av)" mac-protocol=homeplug-av ports=\
    ether1,ether2,ether3,ether4 switch=switch1
add comment="L2 EthType 0x8912 (mediaxtream protocols)" mac-protocol=0x8912 \
    ports=ether1,ether2,ether3,ether4 switch=switch1
add comment=TEST mac-protocol=ipv6 ports=ether1,ether2,ether3,ether4 switch=\
    switch1
add comment=TEST mac-protocol=ipx ports=ether1,ether2,ether3,ether4 switch=\
    switch1
add comment=TEST mac-protocol=loop-protect ports=ether1,ether2,ether3,ether4 \
    switch=switch1
add comment=TEST mac-protocol=mpls-multicast ports=\
    ether1,ether2,ether3,ether4 switch=switch1
add comment=TEST mac-protocol=mpls-unicast ports=ether1,ether2,ether3,ether4 \
    switch=switch1
add comment=TEST mac-protocol=packing-compr ports=ether1,ether2,ether3,ether4 \
    switch=switch1
add comment=TEST mac-protocol=packing-simple ports=\
    ether1,ether2,ether3,ether4 switch=switch1
add comment=TEST mac-protocol=pppoe ports=ether1,ether2,ether3,ether4 switch=\
    switch1
add comment=TEST mac-protocol=pppoe-discovery ports=\
    ether1,ether2,ether3,ether4 switch=switch1
add comment=TEST mac-protocol=service-vlan ports=ether1,ether2,ether3,ether4 \
    switch=switch1
add comment=TEST mac-protocol=vlan ports=ether1,ether2,ether3,ether4 switch=\
    switch1
add comment="block all other" disabled=yes new-dst-ports="" ports=\
    ether1,ether2,ether3,ether4 switch=switch1

It seems there is a bug in ACL b/c I did use the "Tools / PacketSniffer" tool over interfaces=all, but all the mac-protocols it lists are already present in the ACL...
 
mducharme
Trainer
Posts: 981
Joined: Tue Jul 19, 2016 6:45 pm

Re: ACL firewall problem (missing L2 EtherType)

Fri Jun 26, 2020 2:13 am

It seems there is a bug in ACL b/c I did use the "Tools / PacketSniffer" tool over interfaces=all, but all the mac-protocols it lists are already present in the ACL...
Packet Sniffer runs on CPU, not hardware. You will need to temporarily disable hardware acceleration on the port(s) that you wish to sniff, otherwise you will only capture the packets that hit the CPU rather than the packets that are being switched by the switch chip.
 
mutluit
Forum Veteran
Topic Author
Posts: 743
Joined: Wed Mar 25, 2020 4:04 am

Re: ACL firewall problem (missing L2 EtherType)

Fri Jun 26, 2020 2:54 pm

It seems there is a bug in ACL b/c I did use the "Tools / PacketSniffer" tool over interfaces=all, but all the mac-protocols it lists are already present in the ACL...
Packet Sniffer runs on CPU, not hardware. You will need to temporarily disable hardware acceleration on the port(s) that you wish to sniff, otherwise you will only capture the packets that hit the CPU rather than the packets that are being switched by the switch chip.
Ok, thanks, I'll consider this fact and try to disable hw accel for the test.

I now performed this test:
added a "redirect-to-cpu" rule as the first rule (actually 2nd in my case) to pass all traffic to the CPU (ie. effectively disabling HW acceleration/offloading).
This rule works (ie. is effective) b/c enabling the last rule to "block all other" does not block anymore as it's not executed due to this redirect-to-cpu rule.
And so now I collected new data using the Sniffer tool.
But: there is nothing new of a mac-protocol. Ie. this way it's not possible to find the error.
Any new ideas to pinpoint the error?

Below is the result of the Packet Sniffer session (all the mac-protocols (below they are in decimal) are already in the ACL, so nothing new in the data):
(attached Packet Sniffer output not available)
 
sindy
Forum Guru
Posts: 5383
Joined: Mon Dec 04, 2017 9:19 pm

Re: ACL firewall problem (missing L2 EtherType)

Fri Jun 26, 2020 4:43 pm

A wild guess here... there is a bug in the bridge filter rules, where the bytes in the 16-bit values of the ethertype field in the 802.1Q headers are swapped on some CPU architectures, and arm (which is the architecture of hAP ac²) is one of these whereas mipsbe is not affected by that; however, there is another bug, in the ppp handling of CCP protocol, which looks similar to me (again, 16-byte value is handled wrong), but this time mipsbe is affected and arm is not.

Hence I can imagine that handling of endianness may be a general issue in various parts of the code, so you might want to set the ethertypes in your switch rules as hex values in swapped byte order, to see whether it changes anything about the behaviour.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
mutluit
Forum Veteran
Topic Author
Posts: 743
Joined: Wed Mar 25, 2020 4:04 am

Re: ACL firewall problem (missing L2 EtherType)

Fri Jun 26, 2020 7:22 pm

A wild guess here... there is a bug in the bridge filter rules, where the bytes in the 16-bit values of the ethertype field in the 802.1Q headers are swapped on some CPU architectures, and arm (which is the architecture of hAP ac²) is one of these whereas mipsbe is not affected by that; however, there is another bug, in the ppp handling of CCP protocol, which looks similar to me (again, 16-byte value is handled wrong), but this time mipsbe is affected and arm is not.

Hence I can imagine that handling of endianness may be a general issue in various parts of the code, so you might want to set the ethertypes in your switch rules as hex values in swapped byte order, to see whether it changes anything about the behaviour.
Man, sindy! You seem to be right! After reading your above reply, I wanted to test this, and:
indeed it seems that there is/are such endian errors in the RouterOS code as I just finished my first test with also such byte-swapped mac-protocol numbers,
and it now worked flawlessly when I enabled the final "block all other" rule!
I'll post shortly my test script for inspection/verification. It has 58 ACL switch rules in total.

Ok, here's my test script. The last rule is disabled by default.
After emptying "/interface ethernet switch rule" and doing "/import myACL.rsc" I use the following command to be on the safe side for such testing:
"enable numbers=57 ; /delay 20 ; disable numbers=57" :-)

BUT: it is still unknown yet which of the mac-protocols is/are affected by this endian-bug --> one needs to do some more tests...
######################################################################
# myACL.rsc
#
# mac-protocols listed in MikroTik documentation (wiki):
#
#   802.2 - 802.2 Frames (0x0004)
#   arp - Address Resolution Protocol (0x0806)
#   homeplug-av - HomePlug AV MME (0x88E1)
#   ip - Internet Protocol version 4 (0x0800)
#   ipv6 - Internet Protocol Version 6 (0x86DD)
#   ipx - Internetwork Packet Exchange (0x8137)
#   lldp - Link Layer Discovery Protocol (0x88CC)
#   loop-protect - Loop Protect Protocol (0x9003)
#   mpls-multicast - MPLS multicast (0x8848)
#   mpls-unicast - MPLS unicast (0x8847)
#   packing-compr - Encapsulated packets with compressed IP packing (0x9001)
#   packing-simple - Encapsulated packets with simple IP packing (0x9000)
#   pppoe - PPPoE Session Stage (0x8864)
#   pppoe-discovery - PPPoE Discovery Stage (0x8863)
#   rarp - Reverse Address Resolution Protocol (0x8035)
#   service-vlan - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)
#   vlan - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)
#   
#   ?? length - Packets with length field (0x0000-0x05DC)
#
# Sources of the above table:
#   https://wiki.mikrotik.com/wiki/Manual:Tools/Packet_Sniffer#Quick_mode
#   https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Properties_2



#######
:global myPorts "ether1,ether2,ether3,ether4"

/interface ethernet switch rule

add comment="mgmt-interface"   ports=ether5 switch=switch1
add comment="redir_all_to_cpu" ports=$myPorts redirect-to-cpu=yes switch=switch1 disabled=yes


# PART 1: via original mac-protocol name:
add switch=switch1 ports=$myPorts mac-protocol=802.2
add switch=switch1 ports=$myPorts mac-protocol=arp
add switch=switch1 ports=$myPorts mac-protocol=homeplug-av
add switch=switch1 ports=$myPorts mac-protocol=ip
add switch=switch1 ports=$myPorts mac-protocol=ipv6
add switch=switch1 ports=$myPorts mac-protocol=ipx
add switch=switch1 ports=$myPorts mac-protocol=lldp
add switch=switch1 ports=$myPorts mac-protocol=loop-protect
add switch=switch1 ports=$myPorts mac-protocol=mpls-multicast
add switch=switch1 ports=$myPorts mac-protocol=mpls-unicast
add switch=switch1 ports=$myPorts mac-protocol=packing-compr
add switch=switch1 ports=$myPorts mac-protocol=packing-simple
add switch=switch1 ports=$myPorts mac-protocol=pppoe
add switch=switch1 ports=$myPorts mac-protocol=pppoe-discovery
add switch=switch1 ports=$myPorts mac-protocol=rarp
add switch=switch1 ports=$myPorts mac-protocol=service-vlan
add switch=switch1 ports=$myPorts mac-protocol=vlan


# PART 2: via mac-protocol number:
add switch=switch1 ports=$myPorts mac-protocol=0x0004 comment="EthType 0x0004 (802.2)"
add switch=switch1 ports=$myPorts mac-protocol=0x0806 comment="EthType 0x0806 (arp)"
add switch=switch1 ports=$myPorts mac-protocol=0x88E1 comment="EthType 0x88E1 (homeplug-av)"
add switch=switch1 ports=$myPorts mac-protocol=0x0800 comment="EthType 0x0800 (ip)"
add switch=switch1 ports=$myPorts mac-protocol=0x86DD comment="EthType 0x86DD (ipv6)"
add switch=switch1 ports=$myPorts mac-protocol=0x8137 comment="EthType 0x8137 (ipx)"
add switch=switch1 ports=$myPorts mac-protocol=0x88CC comment="EthType 0x88CC (lldp)"
add switch=switch1 ports=$myPorts mac-protocol=0x9003 comment="EthType 0x9003 (loop-protect)"
add switch=switch1 ports=$myPorts mac-protocol=0x8848 comment="EthType 0x8848 (mpls-multicast)"
add switch=switch1 ports=$myPorts mac-protocol=0x8847 comment="EthType 0x8847 (mpls-unicast)"
add switch=switch1 ports=$myPorts mac-protocol=0x9001 comment="EthType 0x9001 (packing-compr)"
add switch=switch1 ports=$myPorts mac-protocol=0x9000 comment="EthType 0x9000 (packing-simple)"
add switch=switch1 ports=$myPorts mac-protocol=0x8864 comment="EthType 0x8864 (pppoe)"
add switch=switch1 ports=$myPorts mac-protocol=0x8863 comment="EthType 0x8863 (pppoe-discovery)"
add switch=switch1 ports=$myPorts mac-protocol=0x8035 comment="EthType 0x8035 (rarp)"
add switch=switch1 ports=$myPorts mac-protocol=0x88A8 comment="EthType 0x88A8 (service-vlan)"
add switch=switch1 ports=$myPorts mac-protocol=0x8100 comment="EthType 0x8100 (vlan)"
#
# others:
add switch=switch1 ports=$myPorts mac-protocol=0x8808 comment="EthType 0x8808 (Ethernet flow control)"
add switch=switch1 ports=$myPorts mac-protocol=0x8912 comment="EthType 0x8912 (mediaxtream protocols)"


# PART 3: via byte-swapped mac-protocol number:
add switch=switch1 ports=$myPorts mac-protocol=0x0400 comment="EthType 0x0400 (802.2, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x0608 comment="EthType 0x0608 (arp, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0xE188 comment="EthType 0xE188 (homeplug-av, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x0008 comment="EthType 0x0008 (ip, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0xDD86 comment="EthType 0xDD86 (ipv6, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x3781 comment="EthType 0x3781 (ipx, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0xCC88 comment="EthType 0xCC88 (lldp, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x0390 comment="EthType 0x0390 (loop-protect, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x4888 comment="EthType 0x4888 (mpls-multicast, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x4788 comment="EthType 0x4788 (mpls-unicast, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x0190 comment="EthType 0x0190 (packing-compr, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x0090 comment="EthType 0x0090 (packing-simple, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x6488 comment="EthType 0x6488 (pppoe, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x6388 comment="EthType 0x6388 (pppoe-discovery, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x3580 comment="EthType 0x3580 (rarp, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0xA888 comment="EthType 0xA888 (service-vlan, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x0081 comment="EthType 0x0081 (vlan, byte-swapped)"
#
# others:
add switch=switch1 ports=$myPorts mac-protocol=0x0888 comment="EthType 0x0888 (Ethernet flow control, byte-swapped)"
add switch=switch1 ports=$myPorts mac-protocol=0x1289 comment="EthType 0x1289 (mediaxtream protocols, byte-swapped)"


# IMPORTANT: the last rule must block all other traffic:
add switch=switch1 ports=$myPorts new-dst-ports="" comment="block all other"  disabled=yes
#add switch=switch1 ports=$myPorts new-dst-ports="" comment="block all other"  disabled=no




Here's the export after the import:
[admin@AP1] /interface/ethernet/switch/rule> export
# jun/26/2020 18:37:35 by RouterOS 7.0beta8
# software id = I2LK-MU5N
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXXXXX
/interface ethernet switch rule
add comment=mgmt-interface ports=ether5 switch=switch1
add comment=redir_all_to_cpu disabled=yes ports=ether1,ether2,ether3,ether4 redirect-to-cpu=yes switch=switch1
add mac-protocol=802.2 ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=arp ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=homeplug-av ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=ip ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=ipv6 ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=ipx ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=lldp ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=loop-protect ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=mpls-multicast ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=mpls-unicast ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=packing-compr ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=packing-simple ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=pppoe ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=pppoe-discovery ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=rarp ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=service-vlan ports=ether1,ether2,ether3,ether4 switch=switch1
add mac-protocol=vlan ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0004 (802.2)" mac-protocol=802.2 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0806 (arp)" mac-protocol=arp ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x88E1 (homeplug-av)" mac-protocol=homeplug-av ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0800 (ip)" mac-protocol=ip ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x86DD (ipv6)" mac-protocol=ipv6 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x8137 (ipx)" mac-protocol=ipx ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x88CC (lldp)" mac-protocol=lldp ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x9003 (loop-protect)" mac-protocol=loop-protect ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x8848 (mpls-multicast)" mac-protocol=mpls-multicast ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x8847 (mpls-unicast)" mac-protocol=mpls-unicast ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x9001 (packing-compr)" mac-protocol=packing-compr ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x9000 (packing-simple)" mac-protocol=packing-simple ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x8864 (pppoe)" mac-protocol=pppoe ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x8863 (pppoe-discovery)" mac-protocol=pppoe-discovery ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x8035 (rarp)" mac-protocol=rarp ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x88A8 (service-vlan)" mac-protocol=service-vlan ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x8100 (vlan)" mac-protocol=vlan ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x8808 (Ethernet flow control)" mac-protocol=0x8808 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x8912 (mediaxtream protocols)" mac-protocol=0x8912 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0400 (802.2, byte-swapped)" mac-protocol=0x400 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0608 (arp, byte-swapped)" mac-protocol=0x608 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0xE188 (homeplug-av, byte-swapped)" mac-protocol=0xE188 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0008 (ip, byte-swapped)" mac-protocol=802.2 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0xDD86 (ipv6, byte-swapped)" mac-protocol=0xDD86 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x3781 (ipx, byte-swapped)" mac-protocol=0x3781 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0xCC88 (lldp, byte-swapped)" mac-protocol=0xCC88 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0390 (loop-protect, byte-swapped)" mac-protocol=0x390 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x4888 (mpls-multicast, byte-swapped)" mac-protocol=0x4888 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x4788 (mpls-unicast, byte-swapped)" mac-protocol=0x4788 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0190 (packing-compr, byte-swapped)" mac-protocol=0x190 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0090 (packing-simple, byte-swapped)" mac-protocol=0x90 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x6488 (pppoe, byte-swapped)" mac-protocol=0x6488 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x6388 (pppoe-discovery, byte-swapped)" mac-protocol=0x6388 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x3580 (rarp, byte-swapped)" mac-protocol=0x3580 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0xA888 (service-vlan, byte-swapped)" mac-protocol=0xA888 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0081 (vlan, byte-swapped)" mac-protocol=0x81 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x0888 (Ethernet flow control, byte-swapped)" mac-protocol=0x888 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="EthType 0x1289 (mediaxtream protocols, byte-swapped)" mac-protocol=0x1289 ports=ether1,ether2,ether3,ether4 switch=switch1
add comment="block all other" disabled=yes new-dst-ports="" ports=ether1,ether2,ether3,ether4 switch=switch1



And this is the print output:
[admin@AP1] /interface/ethernet/switch/rule> print 
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; mgmt-interface
      switch=switch1 ports=ether5 copy-to-cpu=no redirect-to-cpu=no mirror=no 

 1 X  ;;; redir_all_to_cpu
      switch=switch1 ports=ether1,ether2,ether3,ether4 copy-to-cpu=no redirect-to-cpu=yes mirror=no 

 2    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=802.2 copy-to-cpu=no redirect-to-cpu=no mirror=no 

 3    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=arp copy-to-cpu=no redirect-to-cpu=no mirror=no 

 4    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=homeplug-av copy-to-cpu=no redirect-to-cpu=no mirror=no 

 5    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=ip copy-to-cpu=no redirect-to-cpu=no mirror=no 

 6    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=ipv6 copy-to-cpu=no redirect-to-cpu=no mirror=no 

 7    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=ipx copy-to-cpu=no redirect-to-cpu=no mirror=no 

 8    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=lldp copy-to-cpu=no redirect-to-cpu=no mirror=no 

 9    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=loop-protect copy-to-cpu=no redirect-to-cpu=no mirror=no 

10    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=mpls-multicast copy-to-cpu=no redirect-to-cpu=no mirror=no 

11    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=mpls-unicast copy-to-cpu=no redirect-to-cpu=no mirror=no 

12    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=packing-compr copy-to-cpu=no redirect-to-cpu=no mirror=no 

13    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=packing-simple copy-to-cpu=no redirect-to-cpu=no mirror=no 

14    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=pppoe copy-to-cpu=no redirect-to-cpu=no mirror=no 

15    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=pppoe-discovery copy-to-cpu=no redirect-to-cpu=no mirror=no 

16    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=rarp copy-to-cpu=no redirect-to-cpu=no mirror=no 

17    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=service-vlan copy-to-cpu=no redirect-to-cpu=no mirror=no 

18    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=vlan copy-to-cpu=no redirect-to-cpu=no mirror=no 

19    ;;; EthType 0x0004 (802.2)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=802.2 copy-to-cpu=no redirect-to-cpu=no mirror=no 

20    ;;; EthType 0x0806 (arp)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=arp copy-to-cpu=no redirect-to-cpu=no mirror=no 

21    ;;; EthType 0x88E1 (homeplug-av)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=homeplug-av copy-to-cpu=no redirect-to-cpu=no mirror=no 

22    ;;; EthType 0x0800 (ip)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=ip copy-to-cpu=no redirect-to-cpu=no mirror=no 

23    ;;; EthType 0x86DD (ipv6)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=ipv6 copy-to-cpu=no redirect-to-cpu=no mirror=no 

24    ;;; EthType 0x8137 (ipx)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=ipx copy-to-cpu=no redirect-to-cpu=no mirror=no 

25    ;;; EthType 0x88CC (lldp)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=lldp copy-to-cpu=no redirect-to-cpu=no mirror=no 

26    ;;; EthType 0x9003 (loop-protect)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=loop-protect copy-to-cpu=no redirect-to-cpu=no mirror=no 

27    ;;; EthType 0x8848 (mpls-multicast)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=mpls-multicast copy-to-cpu=no redirect-to-cpu=no mirror=no 

28    ;;; EthType 0x8847 (mpls-unicast)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=mpls-unicast copy-to-cpu=no redirect-to-cpu=no mirror=no 

29    ;;; EthType 0x9001 (packing-compr)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=packing-compr copy-to-cpu=no redirect-to-cpu=no mirror=no 

30    ;;; EthType 0x9000 (packing-simple)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=packing-simple copy-to-cpu=no redirect-to-cpu=no mirror=no 

31    ;;; EthType 0x8864 (pppoe)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=pppoe copy-to-cpu=no redirect-to-cpu=no mirror=no 

32    ;;; EthType 0x8863 (pppoe-discovery)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=pppoe-discovery copy-to-cpu=no redirect-to-cpu=no mirror=no 

33    ;;; EthType 0x8035 (rarp)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=rarp copy-to-cpu=no redirect-to-cpu=no mirror=no 

34    ;;; EthType 0x88A8 (service-vlan)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=service-vlan copy-to-cpu=no redirect-to-cpu=no mirror=no 

35    ;;; EthType 0x8100 (vlan)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=vlan copy-to-cpu=no redirect-to-cpu=no mirror=no 

36    ;;; EthType 0x8808 (Ethernet flow control)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x8808 copy-to-cpu=no redirect-to-cpu=no mirror=no 

37    ;;; EthType 0x8912 (mediaxtream protocols)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x8912 copy-to-cpu=no redirect-to-cpu=no mirror=no 

38    ;;; EthType 0x0400 (802.2, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x400 copy-to-cpu=no redirect-to-cpu=no mirror=no 

39    ;;; EthType 0x0608 (arp, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x608 copy-to-cpu=no redirect-to-cpu=no mirror=no 

40    ;;; EthType 0xE188 (homeplug-av, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0xE188 copy-to-cpu=no redirect-to-cpu=no mirror=no 

41    ;;; EthType 0x0008 (ip, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=802.2 copy-to-cpu=no redirect-to-cpu=no mirror=no 

42    ;;; EthType 0xDD86 (ipv6, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0xDD86 copy-to-cpu=no redirect-to-cpu=no mirror=no 

43    ;;; EthType 0x3781 (ipx, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x3781 copy-to-cpu=no redirect-to-cpu=no mirror=no 

44    ;;; EthType 0xCC88 (lldp, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0xCC88 copy-to-cpu=no redirect-to-cpu=no mirror=no 

45    ;;; EthType 0x0390 (loop-protect, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x390 copy-to-cpu=no redirect-to-cpu=no mirror=no 

46    ;;; EthType 0x4888 (mpls-multicast, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x4888 copy-to-cpu=no redirect-to-cpu=no mirror=no 

47    ;;; EthType 0x4788 (mpls-unicast, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x4788 copy-to-cpu=no redirect-to-cpu=no mirror=no 

48    ;;; EthType 0x0190 (packing-compr, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x190 copy-to-cpu=no redirect-to-cpu=no mirror=no 

49    ;;; EthType 0x0090 (packing-simple, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x90 copy-to-cpu=no redirect-to-cpu=no mirror=no 

50    ;;; EthType 0x6488 (pppoe, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x6488 copy-to-cpu=no redirect-to-cpu=no mirror=no 

51    ;;; EthType 0x6388 (pppoe-discovery, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x6388 copy-to-cpu=no redirect-to-cpu=no mirror=no 

52    ;;; EthType 0x3580 (rarp, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x3580 copy-to-cpu=no redirect-to-cpu=no mirror=no 

53    ;;; EthType 0xA888 (service-vlan, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0xA888 copy-to-cpu=no redirect-to-cpu=no mirror=no 

54    ;;; EthType 0x0081 (vlan, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x81 copy-to-cpu=no redirect-to-cpu=no mirror=no 

55    ;;; EthType 0x0888 (Ethernet flow control, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x888 copy-to-cpu=no redirect-to-cpu=no mirror=no 

56    ;;; EthType 0x1289 (mediaxtream protocols, byte-swapped)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=0x1289 copy-to-cpu=no redirect-to-cpu=no mirror=no 

57 X  ;;; block all other
      switch=switch1 ports=ether1,ether2,ether3,ether4 copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports="" 

 
mutluit

Re: ACL firewall problem (missing L2 EtherType)

Fri Jun 26, 2020 11:00 pm

ATTN MikroTik developers & ACL users:

After some lengthy testing, the error finally has been found! :

The endian-error is with the mac-protocol "arp" (EtherType 0x0806).
It can be an endian-error or a simple parsing error from the string "arp" to the right EthType numeric value, maybe mixed up with "rarp".

If one disables rule #20, which was added via mac-protocol NUMBER,
then ping (and all other traffic) is not possible (effective only after about 15 seconds!... :-)) even though rule #3 should still work, but it actually doesn't:
...
 3    switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=arp copy-to-cpu=no redirect-to-cpu=no mirror=no 
...

20    ;;; EthType 0x0806 (arp)
      switch=switch1 ports=ether1,ether2,ether3,ether4 mac-protocol=arp copy-to-cpu=no redirect-to-cpu=no mirror=no 
...

To summarize: there is a difference whether one adds via mac-protocol name or via mac-protocol number! Ie.:
add switch=switch1 ports=$myPorts mac-protocol=arp  
add switch=switch1 ports=$myPorts mac-protocol=0x0806 comment="EthType 0x0806 (arp)"  
The first one (the official one) seems to be buggy, ie. not working; the second variant does work.

I'll do some more tests to see whether this byte-swapped 3rd variant is necessary too:
add switch=switch1 ports=$myPorts mac-protocol=0x0608 comment="EthType 0x0608 (arp, byte-swapped)"
Update: the said byte-swapped 3rd variant is not necessary. So then the error is definitely located as shown above.
 
sindy

Re: ACL firewall problem (missing L2 EtherType)

Fri Jun 26, 2020 11:27 pm

It's strange. On my hAP ac² (running 6.45.9), if I add the rule with mac-protocol=0x0806, it is both printed and exported with mac-protocol=arp, i.e. the conversion seems to work both ways. So I don't get why in your case there is a difference in behaviour when you add it as "arp" and when you add it as "0x0806".
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
mutluit

Re: ACL firewall problem (missing L2 EtherType)

Fri Jun 26, 2020 11:47 pm

It's strange. On my hAP ac² (running 6.45.9), if I add the rule with mac-protocol=0x0806, it is both printed and exported with mac-protocol=arp, i.e. the conversion seems to work both ways. So I don't get why in your case there is a difference in behaviour when you add it as "arp" and when you add it as "0x0806".
No, there is no difference; in my case it is the same if you compare the "print" as well as the "export" output above: it says "arp" in both cases.
But the real error is what EthType number it internally has assigned to "arp", ie. add by name (which we can't see, only guess: but surely it can't be the 0x0806).
As I tried to explain, it very much looks like a "parsing and assigning error". Maybe the parsing of "arp" lands in the table item of "rarp", ie. maybe using the EthType number of rarp for arp :-)

Btw, this same error is present also in the RouterOS 6.47 version, as I upgraded to that 7.0beta8 b/c of that error, but unfortunately it's in at least both versions.
 
sindy

Re: ACL firewall problem (missing L2 EtherType)

Sat Jun 27, 2020 12:47 am

My chain of thinking is the following:
  • if you enter a protocol name, at some point it gets converted to a protocol number, as the switch chip hardware understands only numbers. And because not every protocol number has a name assigned in the code, it is logical to store the numbers internally, and only do the number<=>name conversion when interacting with the user.
  • if the above assumption is correct, then if you enter 0x0806, it gets stored as such; when you print or export the rule, the number is found in the number<=>name mapping table, and "arp" is shown at the UI rather than the 0x0806.
  • another assumption is that even if there are separate number=>name and name=>number mapping tables (as configuration manipulation need not be lightning-fast, there is no actual need to have names indexed by numbers and numbers indexed by names), one of them is most likely generated from the other, as I cannot imagine a sane programmer to put both to the code manually
  • based on all the above, I assume that when you use the number when creating the rule, and you get back the correct name when displaying the rule, the number<=>name mapping is correct, and thus when you use the name when creating the rule, it is converted to a correct number.
So something in the above assumptions has to be wrong so that creating the rule using the name and creating it using the number would lead to different numbers being used in the hardware table in the switch chip, but both would be translated to the same name when displayed to the user.
 
mutluit

Re: ACL firewall problem (missing L2 EtherType)

Sat Jun 27, 2020 1:05 am

@sindy, I understand, it's really mysterious.

Here's another mystery to add to the confusion list:
in my print list the rule #41 gets interpreted as another "802.2" though it has a totally different EthType (0x0008).
The correct "802.2" has EtherType 0x0004 (rule #19 and #2 in the print list).

I think it could also be a hashing issue, ie. where hashing is used for fast-locating (or even direct-access) items in a collection, instead of other forms of fast-locating like bsearch etc.
 
mutluit

Re: ACL firewall problem (missing L2 EtherType)

Sat Jun 27, 2020 2:19 am

New insights:

Both are necessary! arp via name as well via number.
Then this can only mean that "arp by name" uses another essential (undocumented) EtherType.

Otherwise it does not make any sense, IMO.
Unless there is a memory problem caused by "double free'ing", "use after free", or overwriting other data, or so...

Can a MikroTik developer not simply take a look in the source code and enlighten us?
Or better make the code snippet available for study/debugging?
 
anav

Re: ACL firewall problem (missing L2 EtherType)

Sat Jun 27, 2020 2:32 am

Open a ticket and send tech support a 'supout' along with your documented evidence and hopefully they will respond.
My question is... will this 'bug' affect normal usage?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mutluit

Re: ACL firewall problem (missing L2 EtherType)

Sat Jun 27, 2020 2:43 am

Open a ticket and send tech support a 'supout' along with your documented evidence and hopefully they will respond.
My question is... will this 'bug' affect normal usage?
I already did enough, made them aware of a severe bug and even located the bug. I'm not going to make any more. Enough is enough.
Without fixing this bug the whole ACL cannot be used.
ACL is important for wire-speed firewalling.

It seems under the official mac-protocol names they internally use multiple EtherType codes, maybe not with all of them, but with some.
One comes to that conclusion after testing, analyzing and thinking deep about the observed results.
Because using the numerical versions alone is not sufficient to function correctly... Ie. there is not a 1:1 mapping between names and their EtherType numbers.

Another possible mystery is whether the Packet Sniffer is perhaps hiding some EtherTypes...
 
mutluit

Re: ACL firewall problem (missing L2 EtherType)

Sat Jun 27, 2020 4:28 am

More insights:

Besides mac-protocol=arp also mac-protocol=ip has problems, as it does not map to its EtherType 0x0800.

This means one needs both the name variant as well the number variant when adding these rules into the rule table.

About the reasons one can only speculate...
 
sindy

Re: ACL firewall problem (missing L2 EtherType)

Sat Jun 27, 2020 9:53 am

Open a ticket and send tech support a 'supout' along with your documented evidence and hopefully they will respond.
I already did enough, made them aware of a severe bug and even located the bug. I'm not going to make any more. Enough is enough.
If you haven't opened a support ticket, you actually haven't done enough. This is a forum where users help each other, not a channel to report bugs. But when reporting the bug by sending an e-mail to support@mikrotik.com, it is enough to provide a link to this topic instead of describing the details again. However, the supout.rif taken when it does not work as expected is a mandatory attachment to the support case - they won't proceed with handling the case until you provide it.
 
sindy

Re: ACL firewall problem (missing L2 EtherType)

Sat Jun 27, 2020 6:18 pm

Only now, while looking for the difference between your setup and mine, I have noticed that you are setting the rules using ROS 7.0beta8 - it can only be seen in the export header, you don't mention that anywhere in the text.

On long-term (6.45.9), I've just tried the following rules:
[me@MyTik] > interface ethernet switch rule print where !disabled
Flags: X - disabled, I - invalid, D - dynamic
 0    switch=switch1 ports=ether5 mac-protocol=arp copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=switch1-cpu
 1    switch=switch1 ports=ether5 mac-protocol=ip copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=switch1-cpu
 2    switch=switch1 ports=ether5 copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=""
And it just works - if I disable the "accept arp" rule or the "accept ip" rule, it is not possible any more to ping the device connected to ether5; as soon as both are enabled, pinging works again.

So your findings are definitely an important feedback for the ROS 7 development team, but for normal production deployment, there is no issue.

Do you have any special reason why you need to use a ROS 7 beta for the task requiring use of switch chip rules?
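As an added example (not code from the thread or from MikroTik), here is a small Python audit of a "switch rule print" listing in the format shown above: it parses the rules, resolves mac-protocol names through a constructed partial name-to-EtherType table, and reports which EtherTypes the enabled rules accept, which rules drop (new-dst-ports=""), and which numeric rules are byte-swapped twins of a known EtherType, the kind of entry this thread ended up adding. The mapping table, the sample listing and the reading of a rule without new-dst-ports as "accept" are assumptions of the example.

```python
import re
# Constructed, partial name -> EtherType table (assumption of this example; the thread never got to see RouterOS's internal mapping).
MAC_PROTOCOL = {"ip": 0x0800, "arp": 0x0806, "rarp": 0x8035, "ipv6": 0x86DD,
                "vlan": 0x8100, "lldp": 0x88CC, "pppoe": 0x8864}
HEAD_RE = re.compile(r"^\s*(\d+)\s+([XID ]*)\s*(.*)$")  # "<idx> <flags> <comment-or-props>"
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')          # key=value; value may be ""

def parse_rules(text):  # -> [{idx, disabled, comment, props}] from "switch rule print" output
    rules, want_props = [], False
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            rules.append({"idx": int(m.group(1)), "disabled": "X" in m.group(2),
                          "comment": "", "props": {}})
            rest = m.group(3)
            if rest.startswith(";;;"):          # comment line; properties follow on the next line
                rules[-1]["comment"], want_props = rest[3:].strip(), True
                continue
        elif want_props:
            rest = line                         # the indented property line of a commented rule
        else:
            continue                            # "Flags:" banner, blank lines
        rules[-1]["props"].update((k, v.strip('"')) for k, v in KV_RE.findall(rest))
        want_props = False
    return rules

def ethertype(rule):  # EtherType the rule matches; None = any mac-protocol; hex taken as typed
    mp = rule["props"].get("mac-protocol")
    return None if mp is None else int(mp, 16) if mp.startswith("0x") else MAC_PROTOCOL[mp]

def audit(rules):  # over enabled rules: accepted EtherTypes, drop rules, suspect byte-swaps
    known, rep = set(MAC_PROTOCOL.values()), {"accepted": set(), "drops": [], "byte_swapped": []}
    for r in (r for r in rules if not r["disabled"]):
        et = ethertype(r)
        if r["props"].get("new-dst-ports") == "":   # empty destination port list == drop
            rep["drops"].append(r["idx"])
        elif et is not None:                        # assumed: no new-dst-ports == accept
            rep["accepted"].add(et)
            swapped = ((et & 0xFF) << 8) | (et >> 8)
            if et not in known and swapped in known:  # e.g. 0x0608 sitting next to 0x0806
                rep["byte_swapped"].append((r["idx"], et, swapped))
    return rep

# Constructed sample in the thread's print format (not a real capture).
SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    switch=switch1 ports=ether5 mac-protocol=arp copy-to-cpu=no new-dst-ports=switch1-cpu
 1    ;;; EthType 0x0608 (arp, byte-swapped)
      switch=switch1 ports=ether5 mac-protocol=0x608 copy-to-cpu=no mirror=no
 2    ;;; block all other
      switch=switch1 ports=ether5 copy-to-cpu=no mirror=no new-dst-ports=""
"""
```

Running `audit(parse_rules(SAMPLE))` reports 0x0806 and 0x0608 as accepted, rule 2 as the drop, and rule 1 as a byte-swapped twin of arp.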
 
mutluit

Re: ACL firewall problem (missing L2 EtherType)

Sat Jun 27, 2020 9:13 pm

Only now, while looking for the difference between your setup and mine, I have noticed that you are setting the rules using ROS 7.0beta8 - it can only be seen in the export header, you don't mention that anywhere in the text.

On long-term (6.45.9), I've just tried the following rules:
[me@MyTik] > interface ethernet switch rule print where !disabled
Flags: X - disabled, I - invalid, D - dynamic
 0    switch=switch1 ports=ether5 mac-protocol=arp copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=switch1-cpu
 1    switch=switch1 ports=ether5 mac-protocol=ip copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=switch1-cpu
 2    switch=switch1 ports=ether5 copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=""
And it just works - if I disable the "accept arp" rule or the "accept ip" rule, it is not possible any more to ping the device connected to ether5; as soon as both are enabled, pinging works again.

So your findings are definitely an important feedback for the ROS 7 development team, but for normal production deployment, there is no issue.

Do you have any special reason why you need to use a ROS 7 beta for the task requiring use of switch chip rules?

@sindy, in posting #9 viewtopic.php?f=2&t=162887&p=802939#p802830 in reply to you I wrote this sentence:
Btw, this same error is present also in the RouterOS 6.47 version, as I upgraded to that 7.0beta8 b/c of that error, but unfortunately it's in at least both versions.
Just try also with the latest stable version 6.47 and tell me that it functions. It doesn't, much like the current 7.0beta8.

Btw, I found just another severe bug with switch rules (ACL): viewtopic.php?f=1&t=162969