Member Candidate
Topic Author
Posts: 148
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil

CRS 3xx + Vlan Filtering [ ACL Rules not working (BUG?) ]

Sun Oct 18, 2020 6:45 am


We have a CRS317-1G-16S+ switch that was working with SwOS.

We are using a CCR1036 as a CGNAT, and even with all those rules checked, some packets are leaving the CGNAT with an RFC 6598 src-address.

So, to block this spoofed traffic, we created an ACL rule to block the CGNAT src-address leaving the CGNAT.
Like this:
As you can see, the rule is matching and dropping those packets, and we achieved the objective, which was to stop this kind of traffic.

Since we migrated to RouterOS (using 6.47.4), we created the same scenario.
Here is the export:
/interface bridge
add ingress-filtering=yes name=SWITCH protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=SWITCH frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=LAG-BORDER-URG
add bridge=SWITCH frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus15

/interface bridge vlan
add bridge=SWITCH tagged=LAG-BORDER-URG,sfp-sfpplus15 vlan-ids=120
Hardware offloading is enabled.

Following the MikroTik manual, it says that we need to enable vlan-filtering for switch rules (ACL) to work, and that we need to use
to drop packets.
But even with this configured correctly, we still see packets with that src leaving interface sfp-sfpplus15.

Here is the export:
/interface ethernet switch rule
add mac-protocol=ip new-dst-ports="" ports=sfp-sfpplus15 src-address= switch=switch1 vlan-header=present vlan-id=120
Since we can't see if the rule is matching packets, and rules have no logging option, we can't really know what is wrong.
And, excuse me for that, but I double-checked the scenario and rules, and they should work normally.

Could MikroTik see why the ACL is not working?

This is only one example of an ACL rule not working. We have many more ACL rules on another switch (CRS328-24P-4S+) with the same behavior, causing a lot of trouble, because we used them to improve network security and stability.

Thank you!
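The post's core difficulty is that a hardware-offloaded switch rule on the CRS3xx gives no hit counter or log, so the only way to know whether it is dropping anything is to look at what actually leaves the port. The following is an added example, not code from the original post or from MikroTik: it models the posted rule (mac-protocol=ip, vlan-header=present, vlan-id=120, src-address in the CGNAT range) in software so that raw frames taken from a mirror of the egress port can be audited for packets the rule should have dropped. It assumes the elided src-address is the RFC 6598 block 100.64.0.0/10 (the post does not show the value), and the frames it runs on are constructed inline rather than captured.

```python
import ipaddress
import struct

# Assumption: the rule's src-address (elided in the post) is the RFC 6598 shared
# address space that the CGNAT hands out.
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")
# Match criteria taken from the posted switch rule.
ACL_VLAN_ID = 120
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes):
    """Return (vlan_id or None, inner ethertype, IPv4 source or None) for a raw frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    vlan_id = None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF          # VID is the low 12 bits of the TCI
        offset = 18
    src = None
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 20:
            raise ValueError("truncated IPv4 header")
        src = ipaddress.IPv4Address(frame[offset + 12:offset + 16])
    return vlan_id, ethertype, src


def rule_should_drop(frame: bytes) -> bool:
    """Emulate the posted ACL: tagged VLAN 120, IPv4, source inside the CGNAT range.

    Untagged frames do not match because the rule requires vlan-header=present.
    """
    vlan_id, ethertype, src = parse_frame(frame)
    return (vlan_id == ACL_VLAN_ID
            and ethertype == ETHERTYPE_IPV4
            and src is not None
            and src in CGNAT_RANGE)


def build_frame(src_ip: str, dst_ip: str, vlan_id=None) -> bytes:
    """Build a minimal Ethernet(+802.1Q)/IPv4 frame. Constructed test data, not a capture."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    # Version/IHL, DSCP, total length, ID, flags/frag, TTL, proto(UDP), checksum(0), src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr
    return (dst_mac + src_mac
            + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
            + ip_hdr)


def audit_capture(frames):
    """Indices of frames that the ACL should have dropped but that still left the port."""
    return [i for i, f in enumerate(frames) if rule_should_drop(f)]


# Constructed sample "capture" from the egress port: only index 1 and 3 should have been dropped.
SAMPLE_CAPTURE = [
    build_frame("203.0.113.5", "198.51.100.9", 120),     # public src, legitimate
    build_frame("100.64.1.2", "198.51.100.9", 120),      # CGNAT src on VLAN 120: leak
    build_frame("100.64.1.2", "198.51.100.9", 121),      # other VLAN, rule does not apply
    build_frame("100.127.255.254", "198.51.100.9", 120), # top of the /10: leak
    build_frame("100.128.0.1", "198.51.100.9", 120),     # just outside the /10
    build_frame("100.64.1.2", "198.51.100.9"),           # untagged: vlan-header=present fails
]

if __name__ == "__main__":
    leaked = audit_capture(SAMPLE_CAPTURE)
    print(f"{len(leaked)} frame(s) escaped the ACL: {leaked}")
```

To use it against real traffic, mirror sfp-sfpplus15 to a capture port, save the raw frames, and feed their bytes to audit_capture; any non-empty result is direct evidence the hardware rule is not matching, which is the kind of observation the post could not obtain from RouterOS itself.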
