We have a CRS317-1G-16S+ switch that was working with SwOS.
We are using a CCR1036 as a CGNAT, and even with all those rules checked, some packets are leaving the CGNAT with an RFC 6598 src-address.
So, to block this spoofed traffic, we created an ACL rule to block CGNAT src-addresses leaving the CGNAT.
Like this: As you can see, the rule is matching and dropping those packets, and we achieved the objective, which was to stop this kind of traffic.
Since we migrated to RouterOS (using 6.47.4), we created the same scenario:
Here is the export:
/interface bridge
add ingress-filtering=yes name=SWITCH protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=SWITCH frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=LAG-BORDER-URG
add bridge=SWITCH frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus15
/interface bridge vlan
add bridge=SWITCH tagged=LAG-BORDER-URG,sfp-sfpplus15 vlan-ids=120
Following the MikroTik manual, it says that we need to enable vlan-filtering for switch rules (ACLs) to work, and that we need to use
new-dst-ports=""
But even with this configured correctly, we still see packets with src 100.108.0.0/16 from interface sfp-sfpplus15.
Here is the export:
/interface ethernet switch rule
add mac-protocol=ip new-dst-ports="" ports=sfp-sfpplus15 src-address=100.108.0.0/16 switch=switch1 vlan-header=present vlan-id=120
And, excuse me for that, but I double-checked the scenario and the rules, and it should work normally.
Could MikroTik see why the ACL is not working?
This is only one example of an ACL rule not working. We have many more ACL rules on another switch (CRS328-24P-4S+) with the same behavior. This is causing a lot of trouble, because we use these rules to improve network security and stability.
Thank you!
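The switch rule in the post matches on four things at once: the ingress port (`ports=`), an IP payload (`mac-protocol=ip`), a present 802.1Q header carrying VLAN 120 (`vlan-header=present vlan-id=120`), and a source inside 100.108.0.0/16, and `new-dst-ports=""` drops whatever matches. The small Python model below, which is an added example and not code from the post or from MikroTik, walks a handful of constructed frames through that match logic so the reader can see which frames the rule as written catches and which it lets through. It also adds a hypothetical wider rule covering the whole RFC 6598 block 100.64.0.0/10, which is what an egress filter for CGNAT space normally wants; the frames, port names and the simplified matching are assumptions for illustration and say nothing about how the switch chip actually behaves in the reported case.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Frame:
    """A simplified Ethernet frame as seen on a switch ingress port."""
    ingress_port: str
    src_ip: Optional[str]      # None for non-IP frames (e.g. ARP)
    vlan_id: Optional[int]     # None when the frame carries no 802.1Q header


@dataclass(frozen=True)
class SwitchRule:
    """Model of a RouterOS '/interface ethernet switch rule' drop rule.

    Assumed (and simplified) semantics: 'ports' is the ingress port list,
    'vlan_id' implies vlan-header=present, 'ip_only' stands for mac-protocol=ip,
    and a match means new-dst-ports="" (drop). This is a model, not the chip.
    """
    ports: Set[str]
    src_prefix: Optional[IPv4Network] = None
    vlan_id: Optional[int] = None
    ip_only: bool = True

    def matches(self, frame: Frame) -> bool:
        if frame.ingress_port not in self.ports:
            return False
        if self.ip_only and frame.src_ip is None:
            return False
        # vlan-header=present vlan-id=N: untagged frames never match this rule
        if self.vlan_id is not None and frame.vlan_id != self.vlan_id:
            return False
        if self.src_prefix is not None:
            if frame.src_ip is None or ip_address(frame.src_ip) not in self.src_prefix:
                return False
        return True


# The rule exactly as exported in the post.
POST_RULE = SwitchRule(
    ports={"sfp-sfpplus15"},
    src_prefix=ip_network("100.108.0.0/16"),
    vlan_id=120,
)

# Hypothetical broader rule: drop any RFC 6598 source, tagged or not.
RFC6598 = ip_network("100.64.0.0/10")
GENERAL_RULE = SwitchRule(ports={"sfp-sfpplus15"}, src_prefix=RFC6598, vlan_id=None)

# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES: List[Frame] = [
    Frame("sfp-sfpplus15", "100.108.5.7", 120),   # CGNAT source, tagged 120
    Frame("sfp-sfpplus15", "100.108.5.7", None),  # same source, untagged
    Frame("sfp-sfpplus15", "100.70.1.1", 120),    # RFC 6598 but outside /16
    Frame("sfp-sfpplus15", "203.0.113.9", 120),   # public source, legitimate
    Frame("LAG-BORDER-URG", "100.108.9.9", 120),  # wrong ingress port
    Frame("sfp-sfpplus15", None, 120),            # non-IP frame (ARP)
]


def dropped(rules: List[SwitchRule], frames: List[Frame]) -> List[Frame]:
    """Return the frames that at least one rule would drop, in input order."""
    return [f for f in frames if any(r.matches(f) for r in rules)]


def main() -> None:
    for label, rule in (("post rule", POST_RULE), ("rfc6598 rule", GENERAL_RULE)):
        hits = dropped([rule], SAMPLE_FRAMES)
        print(f"{label}: drops {len(hits)} of {len(SAMPLE_FRAMES)} frames")
        for f in hits:
            print(f"  drop {f.ingress_port} src={f.src_ip} vlan={f.vlan_id}")


if __name__ == "__main__":
    main()
```

Running it shows the posted rule dropping only the tagged 100.108.x.x frame: the untagged copy and the 100.70.1.1 frame both pass, the first because `vlan-header=present vlan-id=120` never matches an untagged frame and the second because /16 is narrower than the RFC 6598 block. The frame arriving on LAG-BORDER-URG is not touched by either rule because `ports=` selects the ingress port, so a rule meant to stop CGNAT space leaving through a port has to be written on the port where that traffic enters the switch.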