ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Packets traversing the Firewall via wrong interface

Sat Nov 19, 2022 9:26 am

Good Morning MikroTik Community,
As always, I apologise if this is a really stupid question with a really obvious answer... I have googled around for an answer already, but clearly I'm not using the right search keywords.

Our setup is as follows:
  • We have an RB4011, running ROS7.6
  • Each of the interfaces is a member of its own bridge, and each bridge has its own VLAN assigned. Each interface is then connected to a switch port which is tagged to the same VLAN, and as expected, we have different types of devices on different VLANs (phones on a single VLAN, CCTV on a VLAN, etc.)
Here's the interface/bridge config:
/interface bridge add name=bridgeVLAN10
/interface bridge add name=bridgeVLAN20
/interface bridge add name=bridgeVLAN30
/interface bridge add name=bridgeVLAN40
/interface bridge add name=bridgeVLAN50
/interface bridge add name=bridgeVLAN60
/interface bridge add name=bridgeVLAN70
/interface bridge add name=bridgeVLAN80
/interface bridge add name=bridgeVLAN90
/interface bridge add name=bridgeVLAN100
/interface vlan add interface=bridgeVLAN10 name=VLAN10 vlan-id=10
/interface vlan add interface=bridgeVLAN20 name=VLAN20 vlan-id=20
/interface vlan add interface=bridgeVLAN30 name=VLAN30 vlan-id=30
/interface vlan add interface=bridgeVLAN40 name=VLAN40 vlan-id=40
/interface vlan add interface=bridgeVLAN50 name=VLAN50 vlan-id=50
/interface vlan add interface=bridgeVLAN60 name=VLAN60 vlan-id=60
/interface vlan add interface=bridgeVLAN70 name=VLAN70 vlan-id=70
/interface vlan add interface=bridgeVLAN80 name=VLAN80 vlan-id=80
/interface vlan add interface=bridgeVLAN90 name=VLAN90 vlan-id=90
/interface vlan add interface=bridgeVLAN100 name=VLAN100 vlan-id=100
/interface bridge port add bridge=bridgeVLAN10 interface=ether1
/interface bridge port add bridge=bridgeVLAN20 interface=ether2
/interface bridge port add bridge=bridgeVLAN30 interface=ether3
/interface bridge port add bridge=bridgeVLAN40 interface=ether4
/interface bridge port add bridge=bridgeVLAN50 interface=ether5
/interface bridge port add bridge=bridgeVLAN60 interface=ether6
/interface bridge port add bridge=bridgeVLAN70 interface=ether7
/interface bridge port add bridge=bridgeVLAN80 interface=ether8
/interface bridge port add bridge=bridgeVLAN90 interface=ether9
/interface bridge port add bridge=bridgeVLAN100 interface=ether10

We have various firewall filter rules as one would expect to allow traffic to go from one VLAN to another, and also to prevent traffic going from certain places to certain other places. For example, we have rules in place to prevent the CCTV Cameras and IP Phones from being able to get to the internet. The firewall filter rules currently look like this:
/ip firewall filter add action=accept chain=input comment="Allow established, related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="Drop Invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="Allow SSL VPN" dst-port=443 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="Allow access to WinBox to DH-IT" dst-port=8291 protocol=tcp src-address-list=DH-IT
/ip firewall filter add action=accept chain=input comment="Allow to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="Drop all not coming from LAN" in-interface-list=!INTERNAL log-prefix="DROPPED: "
/ip firewall filter add action=drop chain=input in-interface=pppoe-out1
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked log-prefix="defcon accept"
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=accept chain=forward comment="SIP System" dst-port=8893,5060-5075,32766-65535 protocol=udp src-address-list="BT SIP System"
/ip firewall filter add action=accept chain=forward comment="Allow DNS --> DC" dst-address-list=DHSC-DC3 dst-port=53 in-interface=!pppoe-out1 protocol=udp
/ip firewall filter add action=accept chain=forward comment="Allow SNTP --> DC" dst-address-list=DHSC-DC3 dst-port=123 protocol=udp
/ip firewall filter add action=accept chain=forward comment="Allow DH-IT" src-address-list=DH-IT
/ip firewall filter add action=accept chain=forward comment="Allow DHSC-DC3 --> External DNS" dst-address-list="External DNS" src-address-list=DHSC-DC3
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="Allow xxx Home Office --> Phone System" dst-address-list=DH-VLAN20 src-address-list=xxx-HomeOffice
/ip firewall filter add action=accept chain=forward comment="Allow DH-STAFF --> Printers" dst-address-list=DH-PRINTERS src-address-list=DH-STAFF
/ip firewall filter add action=accept chain=forward comment="Allow VLAN40 --> Internet + Zoom" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=443,80,8802 protocol=tcp src-address-list=DH-VLAN40
/ip firewall filter add action=accept chain=forward comment="Allow VLAN40 --> Microsoft Teams + Zoom" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=3478-3481,8801 protocol=udp src-address-list=DH-VLAN40
/ip firewall filter add action=accept chain=forward comment="Allow Site Computers --> Internet + Zoom" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=443,80,8802 protocol=tcp src-address-list=DH-COMPUTERS
/ip firewall filter add action=accept chain=forward comment="Allow Site Computers --> Microsoft Teams + Zoom" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=3478-3481,8801 protocol=udp src-address-list=DH-COMPUTERS src-port=""
/ip firewall filter add action=accept chain=forward comment="Allow Server APPS2 --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=443,80 protocol=tcp src-address-list=DHSC-APPS2
/ip firewall filter add action=accept chain=forward comment="Allow Server DC3 --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS dst-port=443,80 protocol=tcp src-address-list=DHSC-DC3
/ip firewall filter add action=accept chain=forward comment="Allow Site Computers --> WiFi Access Points" dst-address-list=DH-ACCESSPOINTS src-address-list=DH-COMPUTERS
/ip firewall filter add action=accept chain=forward comment="Allow Site Computers --> Cameras" dst-address-list=DH-CCTV src-address-list=DH-COMPUTERS
/ip firewall filter add action=accept chain=forward comment="Allow Computers --> Phones" dst-address-list=DH-PHONES src-address-list=DH-COMPUTERS
/ip firewall filter add action=accept chain=forward comment="Allow Computers --> Netgenium" dst-address-list=DH-ACCESSCONTROL src-address-list=DH-COMPUTERS
/ip firewall filter add action=accept chain=forward comment="Allow Netgenium --> DC3" dst-address-list=DHSC-DC3 src-address-list=DHSC-NETGENIUM
/ip firewall filter add action=accept chain=forward comment="Allow Phones  --> APPS2 (Firmware Updates vis HTTP, TFTP)" dst-address-list=DHSC-APPS2 dst-port=80,69 protocol=tcp src-address-list=DH-PHONES
/ip firewall filter add action=accept chain=forward comment="Allow SMC Gateway --> Google DNS" dst-address-list="Google DNS Servers" dst-port=53 protocol=udp src-address-list=DHSC-SMCGATEWAY
/ip firewall filter add action=accept chain=forward comment="Allow SMC Gateway --> Repeater" dst-address-list=DHSC-REPEATER src-address-list=DHSC-SMCGATEWAY
/ip firewall filter add action=accept chain=forward comment="Allow: Repeater --> SMC Gateway" dst-address-list=DHSC-SMCGATEWAY src-address-list=DHSC-REPEATER
/ip firewall filter add action=accept chain=forward comment="Allow: Repeater --> Phone Exchange" dst-address-list=Phone-Exchange src-address-list=DHSC-REPEATER
/ip firewall filter add action=accept chain=forward comment="Allow: Phone Exchange --> Repeater" dst-address-list=DHSC-REPEATER src-address-list=Phone-Exchange
/ip firewall filter add action=accept chain=forward comment="Allow Netgenium --> Milestone" dst-address-list=DHSC-MILESTONE src-address-list=DHSC-NETGENIUM
/ip firewall filter add action=accept chain=forward comment="Allow Mobile Repeaters --> Repeater" dst-address-list=DHSC-REPEATER src-address-list="Mobile Repeaters"
/ip firewall filter add action=accept chain=forward comment="Allow Repeater --> Mobile Repeaters" dst-address-list="Mobile Repeaters" src-address-list=DHSC-REPEATER
/ip firewall filter add action=accept chain=forward comment="Allow Milestone --> Cameras" dst-address-list=DH-CCTV src-address-list=DHSC-MILESTONE
/ip firewall filter add action=accept chain=forward comment="Allow Cameras --> Milestone" dst-address-list=DHSC-MILESTONE src-address-list=DH-CCTV
/ip firewall filter add action=accept chain=forward comment="Allow VLAN10 --> Azure Server" dst-address-list="Azure Servers" src-address-list=DH-VLAN10
/ip firewall filter add action=accept chain=forward comment="PRTG Monitoring (CCTV)" dst-address-list=DH-CCTV log-prefix=PRTG protocol=icmp src-address-list=DHSC-APPS2
/ip firewall filter add action=accept chain=forward comment="PRTG Monitoring (Netgenium Devices)" dst-address-list=DH-ACCESSCONTROL dst-port=3743,80 log-prefix=PRTG protocol=tcp src-address-list=DHSC-APPS2
/ip firewall filter add action=accept chain=forward comment="PRTG Monitoring (WIFI Access Points)" dst-address-list=DH-ACCESSPOINTS protocol=icmp src-address-list=DHSC-APPS2
/ip firewall filter add action=accept chain=forward comment="PRTG Monitoring (Access Points SNMP)" dst-address-list=DH-ACCESSPOINTS dst-port=161 protocol=tcp src-address-list=DHSC-APPS2
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log-prefix="NOT NAT: "
/ip firewall filter add action=drop chain=forward comment="Block access from VLAN10 to VLAN40 (CS: Remove when \"Block Packets on Forward Chain\" is enabled\?)" dst-address-list=DH-VLAN40 log=yes log-prefix="Access attempted from VLAN10 to VLAN40" src-address-list=DH-VLAN10
/ip firewall filter add action=drop chain=forward comment="Block Access to VLAN 10 (CS: Can be removed when \"Block Packets on Forward Chain\" is enabled\?)" dst-address-list=DH-VLAN10 log=yes log-prefix="DROP --> VLAN 10"
/ip firewall filter add action=drop chain=forward comment="Block Wifi/Guest Users from accessing the WiFi Access Points, if not in the DH-IT Group - RW This never going to happen as on same VLAN. AP's need management IP moving into Management network" dst-address-list=DH-ACCESSPOINTS log=yes log-prefix="Access attempted from VLAN40 to Access Points" src-address=192.168.40.0/22 src-address-list=!DH-IT
/ip firewall filter add action=drop chain=forward comment="Block Milestone --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS src-address-list=DHSC-MILESTONE
/ip firewall filter add action=drop chain=forward comment="Block Netgenium --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS src-address-list=DHSC-NETGENIUM
/ip firewall filter add action=drop chain=forward comment="Block VLAN20 --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS src-address-list=DH-VLAN20
/ip firewall filter add action=drop chain=forward comment="Block VLAN30 --> Internet" dst-address-list=!DH-INTERNAL-SUBNETS src-address-list=DH-VLAN30
/ip firewall filter add action=passthrough chain=forward log=yes log-prefix="Uncaught Packet"
/ip firewall filter add action=drop chain=forward comment="Block Packets on Forward Chain" disabled=yes log=yes log-prefix="Drop Forward Chain"
The Passthrough rule at the bottom of the filter list is set to log, and we have the logging for firewall events set to go out via Syslog and I have written my own .NET Windows Service which runs on one of our servers to catch all the syslog messages, parse them and put them into an SQL Database... Essentially, the exercise is to establish what is going on within the network that we're not catching with other rules and either create a rule to allow it, or leave it as it will be caught by the general "Drop Forward Chain" rule (which is currently disabled) when we enable this rule.

What's my problem:
  • The logging exercise is showing up packets hitting the logging rule at the bottom of the filter list that are destined to go places but via interfaces which have nothing to do with the destination IP address.
For Example:
  • VLAN10 is where all the computers, servers etc are connected.
  • Internet comes in via the SFP interface and a PPPoE client (the PPPoE is called "pppoe-out1" in the config)
What I'm confused about is why I'm finding loads of packets hitting the logging rule similar to this:
  • In Interface: bridgeVLAN10
  • Source IP: 192.168.10.31 (which is one of our on-site computers)
  • Destination IP: 52.143.80.xxx (which is clearly an external IP somewhere on the internet)
  • Out Interface: bridgeVLAN30
  • Destination Port: 443
This is just an example. It's not just one device doing this, it's loads of devices, and it's not all to the same destination and not always external; sometimes it's to internal addresses.
What I'm confused about in this specific example is why this packet isn't being caught by the "DH-Computers --> Internet" rule, as that's much higher up in the filter list than the passthrough rule.
And also why the packet is showing up as exiting the firewall via what to me looks to be the wrong interface.

My questions are really, do I need to worry about this, or is this fairly normal and in fact the packets aren't really going anywhere? The Routing in the firewall just has the normal dynamically created routes for the IP Addresses that exist in IP--> Addresses.
I've tried using the PING Tool from within RouterOS and it's not possible to ping any of the internal devices via any interface other than the one to which they are connected... so that at least is working. I also can't ping external addresses (that respond to a ping, like google's 8.8.8.8 server) via any interface other than the pppoe-out1 interface, so that appears to be working.
I can of course put some DROP rules in the filter list for packets where the DstIP doesn't belong to an IP Pool that's assigned to the interface through which the packet is trying to exit the firewall, but before I do this, I'd like to understand what's happening (and maybe why) and to know if it's really a problem.

Again, apologies if this is a really dumb thing to ask. Hopefully I've put enough detail here for the issue to be understood (if it is indeed an issue and not just normal behaviour).

Thanks for your time...

Colin
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Packets traversing the Firewall via wrong interface

Sat Nov 19, 2022 11:23 am

It is something to worry about.

You have to check (or post here) also whole IP config (addresses, routes) and NAT. Without it we can only guess ...
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Packets traversing the Firewall via wrong interface

Sat Nov 19, 2022 8:20 pm

One bridge, when you get there let me know......KISS
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Packets traversing the Firewall via wrong interface

Sun Nov 20, 2022 12:41 am

take a look of this

Manual:Layer2 misconfiguration
https://wiki.mikrotik.com/wiki/Manual:L ... n_a_bridge

not only that topic, the whole page

and yes, you only need a single bridge
 
killersoft
Member Candidate
Posts: 235
Joined: Mon Apr 11, 2011 2:34 pm
Location: Victoria, Australia

Re: Packets traversing the Firewall via wrong interface

Sun Nov 20, 2022 9:18 am

I've been there in my very early days millions of years ago!! with that vlan / interface port per bridge thing, and it's WRONG, very wrong... (Yes it works, but at a big cost (readability + CPU load)).

Via the bridge menu you should ONLY be, and do ALL of that inside there...!!!
Then do your FIREWALLING in the bridge->firewall.

Also to note( and a great tip for beginners ): when you 1st create a bridge without any interface ports bonded to it, there is a default MAC address. COPY that ADDRESS and paste it into the Admin MAC address and save it before you do anything further.. It will save your ass later when you bond eth or other mac addresses to the bridge, and by doing so changes the bridge mac to that of one of the eth interface mac addresses, and is probably not what you want especially if dynamic things(e.g capsman) occur on your links,,

Not only is it more complex, but it is the correct way to configure in RouterOS, and later when/if you need to do more complex stuff, you will then appreciate it more (notably capsman in a campus environment with vlans per virtual APs)...

Take a look at :
https://wiki.mikrotik.com/wiki/Manual:B ... _switching

and then https://wiki.mikrotik.com/wiki/Manual:I ... e_Firewall
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: Packets traversing the Firewall via wrong interface

Sun Nov 20, 2022 12:38 pm

This bridge config is completely wrong!
For this purpose you do not even need a bridge!
Make a single port on the switch which is configured to have all your VLANs as tagged, connect it to a single port of the router, and there (e.g. ether1) you configure the VLAN subinterfaces with the correct tags.
Like:
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan20 vlan-id=20

Then use those vlan interfaces in your router config.
In your case you could even just use the ether ports directly for the different networks, no need for bridge or vlan as the switch already delivers the traffic untagged.
Of course when you somehow want to connect the other ethernet ports to the same networks, you will need a bridge.

Now, there is a point in having a separate bridge on each port, between the router and the external world. I use this in some complex situations.
Each bridge has only a single external interface, and there is no VLAN config on the bridge, it just passes the untagged traffic.
There even is a special mode in bridges to make this more efficient, as it does not need to keep a hosts table and do MAC lookups: all traffic goes either to the local CPU or to the external port.
The advantage of having this, is that you can do bridge filtering (e.g. to control what you do with ARP requests), and also that you can more easily transfer a config to another device which has a different port layout and/or naming for e.g. SFP ports. All of the config only refers to the bridge names, and only the mapping of bridge name (which would be some internal network name) to physical port has to be changed when you migrate to another router which has different optimal port layout.
 
ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Re: Packets traversing the Firewall via wrong interface

Sun Nov 20, 2022 1:48 pm

Hi Everyone,
Firstly - thanks for the replies. I feel I should just mention at this stage (although it's obvious with me saying) I'm not a networking specialist, so sorry if some of the stuff I post is a bit basic - my background: I have a PhD in chemistry, my thesis was on making artificial bone graft material and I now work for a company in R&D making X-Ray spectrometers, so if anyone ever wants to know about this, just ask :-). Everything that I do in an IT sense is as a volunteer for The Scouts (in fact, the firewall in question is based at the scout campsite where I'm a member of the team that run and maintain the site)...

The use of bridges came from trying to translate what was setup in our previous firewall (a Sonicwall) into MikroTik - the previous system had a concept of "Zones" where each physical interface was by default in its own "Zone" and you then setup rules in the firewall to allow traffic to go from zone-to-zone as necessary. Anyway, that's the past, what I did was wrong... I'm moving on :-)

So... in response to the comments, I have done the following:
1. Disabled all the stuff to do with bridges (wasn't brave enough to delete yet, but once everything is working, I'll delete them so they're not in the config at all):
/interface bridge add disabled=yes name=bridgeVLAN10
/interface bridge add disabled=yes name=bridgeVLAN20
/interface bridge add disabled=yes name=bridgeVLAN30
/interface bridge add disabled=yes name=bridgeVLAN40
/interface bridge add disabled=yes name=bridgeVLAN50
/interface bridge add disabled=yes name=bridgeVLAN60
/interface bridge add disabled=yes name=bridgeVLAN70
/interface bridge add disabled=yes name=bridgeVLAN80
/interface bridge add disabled=yes name=bridgeVLAN90
/interface bridge add disabled=yes name=bridgeVLAN100
/interface bridge port add bridge=bridgeVLAN10 disabled=yes interface=ether1
/interface bridge port add bridge=bridgeVLAN20 disabled=yes interface=ether2
/interface bridge port add bridge=bridgeVLAN30 disabled=yes interface=ether3
/interface bridge port add bridge=bridgeVLAN40 disabled=yes interface=ether4
/interface bridge port add bridge=bridgeVLAN50 disabled=yes interface=ether5
/interface bridge port add bridge=bridgeVLAN60 disabled=yes interface=ether6
/interface bridge port add bridge=bridgeVLAN70 disabled=yes interface=ether7
/interface bridge port add bridge=bridgeVLAN80 disabled=yes interface=ether8
/interface bridge port add bridge=bridgeVLAN90 disabled=yes interface=ether9
/interface bridge port add bridge=bridgeVLAN100 disabled=yes interface=ether10

2. Defined the VLANs against the interfaces (I know we might not need this at all, but one step at a time - from a youtube video I watched on the topic of setting up VLANs etc, it looks like this is as was suggested in one of the responses, not needed but shouldn't do any harm, it's just a bit overkill as the switch will already deliver packets with the correct VLAN-ID in the header):
/interface vlan add interface=ether1 name=VLAN10 vlan-id=10
/interface vlan add interface=ether2 name=VLAN20 vlan-id=20
/interface vlan add interface=ether3 name=VLAN30 vlan-id=30
/interface vlan add interface=ether4 name=VLAN40 vlan-id=40
/interface vlan add interface=ether5 name=VLAN50 vlan-id=50
/interface vlan add interface=ether6 name=VLAN60 vlan-id=60
/interface vlan add interface=ether7 name=VLAN70 vlan-id=70
/interface vlan add interface=ether8 name=VLAN80 vlan-id=80
/interface vlan add interface=ether9 name=VLAN90 vlan-id=90
/interface vlan add interface=ether10 name=VLAN100 vlan-id=100

3. The other tidying up bits and pieces like re-assigning the network addresses to interfaces, redefining the interface on which the hotspot is running etc (the full config is attached).

Having wiped the database of the log entries and let it start again (after making the above config changes), I can see that things have improved a bit... but still not 100% correct... seems that there are still what I think are mis-matched packets, where the DstIP doesn't belong to the address range of the network assigned to the out-interface.
 
pe1chl
Forum Guru
Posts: 10185
Joined: Mon Jun 08, 2015 12:09 pm

Re: Packets traversing the Firewall via wrong interface

Sun Nov 20, 2022 2:10 pm

It is still wrong. Read what I wrote above. When you use VLANs, put them all on a single interface. When using multiple interfaces this way, do not use VLANs.

VLANs are a mechanism to have several networks on a single interface and still separate them. A VLAN "tag" is a label put on each packet to tell for what VLAN it is.
When all networks are on different interfaces, it does not make sense to use VLANs.
 
ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Re: Packets traversing the Firewall via wrong interface

Sun Nov 20, 2022 3:20 pm

VLAN stuff is all disabled:
/interface vlan add disabled=yes interface=ether1 name=VLAN10 vlan-id=10
/interface vlan add disabled=yes interface=ether2 name=VLAN20 vlan-id=20
/interface vlan add disabled=yes interface=ether3 name=VLAN30 vlan-id=30
/interface vlan add disabled=yes interface=ether4 name=VLAN40 vlan-id=40
/interface vlan add disabled=yes interface=ether5 name=VLAN50 vlan-id=50
/interface vlan add disabled=yes interface=ether6 name=VLAN60 vlan-id=60
/interface vlan add disabled=yes interface=ether7 name=VLAN70 vlan-id=70
/interface vlan add disabled=yes interface=ether8 name=VLAN80 vlan-id=80
/interface vlan add disabled=yes interface=ether9 name=VLAN90 vlan-id=90
/interface vlan add disabled=yes interface=ether10 name=VLAN100 vlan-id=100

Wiped the log database again after doing this... but still the same problem. Here's a short extract from the logging database to show what I mean:
InInterface ; SrcIP ; SrcHost ; OutInterface ; DstIP ; dstPort
ether1 ; 192.168.10.31 ; DHSC-STAFFHUT ; ether3 ; 93.184.221.240 ; 80
ether1 ; 192.168.10.31 ; DHSC-STAFFHUT ; ether3 ; 93.184.221.240 ; 80
ether1 ; 192.168.10.31 ; DHSC-STAFFHUT ; ether3 ; 93.184.221.240 ; 80
ether1 ; 192.168.10.31 ; DHSC-STAFFHUT ; pppoe-out1 ; 93.184.221.240 ; 80
ether1 ; 192.168.10.31 ; DHSC-STAFFHUT ; ether3 ; 52.168.112.67 ; 443
ether1 ; 192.168.10.31 ; DHSC-STAFFHUT ; pppoe-out1 ; 52.168.112.67 ; 443
ether1 ; 192.168.10.31 ; DHSC-STAFFHUT ; ether3 ; 52.168.112.67 ; 443
ether1 ; 192.168.10.31 ; DHSC-STAFFHUT ; pppoe-out1 ; 52.168.112.67 ; 443
(sorry for the rubbish formatting, there wasn't an easy way to put a grid in the post).

Unless I'm being really stupid here, everything in my list above should have pppoe-out1 as the OutInt (as that's where our internet connection is connected), because the DstIP are all external to our network... or have I just fundamentally misunderstood something?

Full config is attached again.
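The "mismatched packet" check Colin describes (a destination that does not belong to the network behind the out-interface, or an internal destination leaving via the WAN), as an added Python example; this is not code from the thread or from Colin's .NET service. The log lines are constructed in the shape of RouterOS firewall log output, and the whole interface-to-subnet mapping is assumed (the thread only shows 192.168.10.31 behind ether1).

```python
import ipaddress
import re

# Assumed interface-to-subnet plan for this example (the thread only shows
# 192.168.10.31 behind ether1; the prefixes and the other ports are assumed).
INTERFACE_SUBNETS = {
    "ether1": ipaddress.ip_network("192.168.10.0/24"),
    "ether2": ipaddress.ip_network("192.168.20.0/24"),
    "ether3": ipaddress.ip_network("192.168.30.0/24"),
}
WAN_INTERFACE = "pppoe-out1"  # the PPPoE client named in the thread

# Matches the "in:X out:Y, ... proto P ..., SRC:PORT->DST:PORT" part of a
# RouterOS firewall log line; ports are optional so ICMP lines also parse.
LOG_RE = re.compile(
    r"in:(?P<in>[^\s,]+) out:(?P<out>[^\s,]+),.*?proto (?P<proto>\w+).*?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?"
)

# Constructed log lines mirroring the extract in the thread: external
# destinations leaving via ether3 instead of pppoe-out1, plus two internal
# destinations (one routed correctly, one wrongly sent out of the WAN).
SAMPLE_LOG = [
    "Uncaught Packet forward: in:ether1 out:ether3, proto TCP (SYN), 192.168.10.31:50122->93.184.221.240:80, len 60",
    "Uncaught Packet forward: in:ether1 out:pppoe-out1, proto TCP (SYN), 192.168.10.31:50123->93.184.221.240:80, len 60",
    "Uncaught Packet forward: in:ether1 out:ether3, proto TCP (SYN), 192.168.10.31:50124->52.168.112.67:443, len 60",
    "Uncaught Packet forward: in:ether1 out:ether3, proto TCP (SYN), 192.168.10.31:50125->192.168.30.5:80, len 60",
    "Uncaught Packet forward: in:ether1 out:pppoe-out1, proto TCP (SYN), 192.168.10.31:50126->192.168.30.5:80, len 60",
]


def expected_out_interface(dst_ip):
    """Interface that should carry a packet to dst_ip under INTERFACE_SUBNETS."""
    dst = ipaddress.ip_address(dst_ip)
    for iface, net in INTERFACE_SUBNETS.items():
        if dst in net:
            return iface
    return WAN_INTERFACE  # not one of our internal networks: must leave via the WAN


def parse_line(line):
    """Extract interfaces, addresses and ports; None if the line is not a firewall log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "in": g["in"], "out": g["out"], "proto": g["proto"],
        "src": g["src"], "dst": g["dst"],
        "dport": int(g["dport"]) if g["dport"] else None,
    }


def find_mismatches(lines):
    """Return parsed records whose out-interface does not fit the destination."""
    bad = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["expected_out"] = expected_out_interface(rec["dst"])
        if rec["out"] != rec["expected_out"]:
            bad.append(rec)
    return bad


if __name__ == "__main__":
    for rec in find_mismatches(SAMPLE_LOG):
        print(f"{rec['src']} -> {rec['dst']}:{rec['dport']} left via "
              f"{rec['out']}, expected {rec['expected_out']}")
```

Records flagged this way are the ones worth explaining before the final "Drop Forward Chain" rule is enabled; a destination outside every internal subnet that leaves via a LAN port, or an internal destination that leaves via pppoe-out1, both indicate the packet is not following the addressing plan.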
 
ColinSlater
Frequent Visitor
Topic Author
Posts: 59
Joined: Sun Sep 12, 2021 2:32 pm

Re: Packets traversing the Firewall via wrong interface  [SOLVED]

Sat Nov 26, 2022 2:25 pm

Thanks for the replies... bridge setup and all the VLAN stuff has been amended as described and the problem is solved.
