Bug in RC11 Bridge

Posted: Tue Dec 04, 2007 11:54 am
by ddlan
H(a)i,

Config related to the problem:

/interface eoip
add arp=enabled comment="" disabled=no mac-address=00:00:5E:80:00:06 mtu=1500 name="eoip-tunnel4" remote-address=10.0.9.1 tunnel-id=4

/interface bridge
add name="HOTSPOT" priority=0x8000 protocol-mode=rstp transmit-hold-count=6
/interface bridge port
add bridge=HOTSPOT comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=eoip-tunnel5 path-cost=10 point-to-point=auto priority=0x80

/ip dhcp-server
add address-pool=NAT authoritative=after-2sec-delay bootp-support=static disabled=no interface=HOTSPOT lease-time=2h30m name="HotSpot"
/ip dhcp-server network
add address=192.168.222.0/24 comment="" dns-server=192.168.222.1 domain="ddlan.local" gateway=192.168.222.1 netmask=24

/ip address
add address=192.168.222.1/24 broadcast=192.168.222.255 comment="hotspot network" disabled=no interface=HOTSPOT network=192.168.222.0

/ip firewall filter
add action=drop chain=input comment="drop invalid" connection-state=invalid disabled=no protocol=tcp
add action=accept chain=input comment="established related" connection-state=established disabled=no protocol=tcp
add action=accept chain=input comment="" connection-state=related disabled=no protocol=tcp
add action=accept chain=input comment="ICMP ratenlimitiert" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="" disabled=no protocol=icmp
add action=accept chain=input comment="DNS" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=67-68 protocol=udp
add action=drop chain=input comment="drop all" disabled=no

Over the tunnel DHCP works; DNS works only when the last firewall rule is disabled.

/interface bridge settings> pr
use-ip-firewall: yes
use-ip-firewall-for-vlan: no

/interface bridge settings> pr
use-ip-firewall: no
use-ip-firewall-for-vlan: no

No change to the problem.

Regards
Thomas Böttcher

Sorry for my English.

Re: Bug in RC11 Bridge

Posted: Wed Dec 05, 2007 12:12 pm
by michalkos
Hmm, I have the same problem, FW rules do not work very well with the bridge!

I can't control interfaces included in the bridge! 2.9.xx versions work well. I turned on IP firewall in the bridge settings.

Bug is not only in the Bridge

Posted: Thu Dec 06, 2007 10:15 am
by ddlan
Same problem on ether1,

/ip firewall filter
add action=accept chain=input comment="DNS" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=input comment="drop all" disabled=no

No access to DNS when the drop rule is enabled.

Re: Bug in RC11 Bridge

Posted: Thu Dec 06, 2007 11:47 am
by janisk
Have you set
 /interface bridge> settings set use-ip-firewall=yes 
Is that value still no, and your bridge is bypassing all the IP filter rules?

Re: Bug in RC11 Bridge

Posted: Thu Dec 06, 2007 11:56 am
by michalkos
YES! I have checked these options :o)

Solved: Bug in RC11 Bridge

Posted: Sun Dec 09, 2007 5:05 pm
by ddlan
Hi,

I added the red line (the first rule below) and this works:

/ip firewall filter
add action=accept chain=input comment="" connection-state=established disabled=no protocol=udp
add action=accept chain=input comment="DNS" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=input comment="drop all" disabled=no

Regards
Thomas Böttcher
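Why the added rule matters: in the original rule set the only `connection-state=established` accept was limited to `protocol=tcp`, and the router's own forwarding DNS resolver receives its answers from upstream servers as UDP packets on the input chain with an ephemeral destination port, not port 53. Those replies match nothing before "drop all" and are discarded, so client lookups time out even though the `dst-port=53` accept is present. The following is an added example, not RouterOS code or anything from the thread: it is a small Python model of first-match input-chain evaluation that replays the rule set from the solved post, before and after the added `protocol=udp connection-state=established` rule, over constructed packets. Packet contents, port numbers and the reading of the problem as "upstream DNS replies hit drop all" are assumptions of the example; the model also checks that the fix does not admit unsolicited UDP.

```python
"""Model of RouterOS first-match input-chain evaluation (constructed example).

Not RouterOS code: it only reproduces the matching semantics needed to show
why 'accept udp dst-port=53' alone is not enough for a router that resolves
DNS on behalf of its clients.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str           # "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # None for ICMP
    conn_state: str         # "new", "established", "related" or "invalid"


@dataclass(frozen=True)
class Rule:
    action: str                               # "accept" or "drop"
    comment: str = ""
    protocol: Optional[str] = None
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive range, like dst-port=67-68
    conn_state: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set must agree; unset matchers match anything."""
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_ports is not None:
            lo, hi = self.dst_ports
            if pkt.dst_port is None or not lo <= pkt.dst_port <= hi:
                return False
        if self.conn_state is not None and pkt.conn_state != self.conn_state:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; a chain with no match accepts (RouterOS default)."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "end of chain"


# Rule set from the "Bug is not only in the Bridge" post: DNS accepted, then drop all.
BEFORE = [
    Rule("accept", "DNS", protocol="tcp", dst_ports=(53, 53)),
    Rule("accept", "", protocol="udp", dst_ports=(53, 53)),
    Rule("drop", "drop all"),
]

# Rule set from the solved post: the added "red line" goes first.
AFTER = [Rule("accept", "", protocol="udp", conn_state="established")] + BEFORE

# Constructed traffic seen on the router's input chain.
CLIENT_QUERY = Packet("udp", 53, "new")              # LAN host asking the router
UPSTREAM_REPLY = Packet("udp", 41234, "established")  # answer to the router's own query
UNSOLICITED_UDP = Packet("udp", 41234, "new")         # random UDP with no prior flow


def verdicts(chain: List[Rule]) -> dict:
    """Return the action each constructed packet receives under the given chain."""
    return {
        "client_query": evaluate(chain, CLIENT_QUERY)[0],
        "upstream_reply": evaluate(chain, UPSTREAM_REPLY)[0],
        "unsolicited_udp": evaluate(chain, UNSOLICITED_UDP)[0],
    }


if __name__ == "__main__":
    for name, chain in (("before", BEFORE), ("after", AFTER)):
        print(name, verdicts(chain))
```

Running the block shows the upstream reply dropped by the original chain and accepted by the corrected one, while the unsolicited UDP packet is dropped in both cases. The same gap exists in the first post's longer rule set, where the "established related" accepts carry `protocol=tcp`; the `use-ip-firewall` bridge setting is unrelated to it, which is why toggling it changed nothing.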