HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Filtering traffic on a bridge interface

Fri Aug 15, 2008 12:48 am

I got a bridge1 between the lan1 and lan2 interfaces.
I've selected the firewall option enabled.
What rules do I need to use to let it pass only the UDP packets?
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Mon Aug 18, 2008 6:05 am

Anyone?
 
Chupaka
Forum Guru
Posts: 8319
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Filtering traffic on a bridge interface

Mon Aug 18, 2008 1:10 pm

/ip fi fi add action=drop(reject?) chain=forward disabled=no protocol=!udp
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Tue Aug 19, 2008 1:10 am

Chupaka wrote:
> /ip fi fi add action=drop(reject?) chain=forward disabled=no protocol=!udp

But this is for every interface? Where is the bridge port specified? Or the interface?
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Wed Aug 20, 2008 6:00 am

I need updated bridge interface documentation.
Why is the manual for 3.x so incomplete?
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Filtering traffic on a bridge interface

Fri Aug 22, 2008 2:06 pm

something like ...
[normis@demo2.mt.lv] /interface bridge filter> add out-interface=ether1 ip-protocol=!udp action=drop
or better - if you have checked "use ip firewall" then you can make a new rule in the IP FIREWALL FILTER (as chupaka suggested) and use the "out-bridge-port" parameter for example.
No answer to your question? How to write posts
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Mon Aug 25, 2008 9:07 am

normis wrote:
> something like ...
> [normis@demo2.mt.lv] /interface bridge filter> add out-interface=ether1 ip-protocol=!udp action=drop

[admin@GwPm] /interface bridge filter> add out-interface=lan ip-protocol=!udp action=drop
chain: forward
failure: ip matchers valid only for ip ethernet protocol

What is wrong?

normis wrote:
> or better - if you have checked "use ip firewall" then you can make a new rule in the IP FIREWALL FILTER (as chupaka suggested) and use the "out-bridge-port" parameter for example.

Is this fine?

50 ;;; Allow udp bridged
chain=forward action=accept protocol=udp out-bridge-port=bridge1

52 ;;; Drop Bridge
chain=forward action=drop out-bridge-port=bridge1
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Filtering traffic on a bridge interface

Mon Aug 25, 2008 9:20 am

out-bridge-port should be name of the port (ether1), not name of the bridge itself
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Tue Aug 26, 2008 3:19 am

Which?
My bridge1 got lan & wifi.

Should I use lan or wifi -_-?
 
normis
MikroTik Support
Posts: 24317
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Filtering traffic on a bridge interface

Tue Aug 26, 2008 11:26 am

LOL :D

it depends on what you want to do :)

which traffic do you want to filter with this particular rule? the one that goes out the WAN port, or the LAN port? probably you need both, one in each rule.
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Wed Aug 27, 2008 9:42 pm

What about this?

50 ;;; Allow udp bridged wifi to lan
chain=forward action=accept protocol=udp in-bridge-port=wifi-eliminateur
out-bridge-port=lan

51 ;;; Allow udp bridged lan to wifi
chain=forward action=accept protocol=udp in-bridge-port=lan
out-bridge-port=wifi-eliminateur

52 ;;; Log bridge drop wifi to lan
chain=forward action=log in-bridge-port=wifi-eliminateur
out-bridge-port=lan log-prefix="DROP BRIDGE FORWARD WIFI TO LAN"

53 ;;; Log bridge drop lan to wifi
chain=forward action=log in-bridge-port=lan
out-bridge-port=wifi-eliminateur
log-prefix="DROP BRIDGE FORWARD LAN TO WIFI"

54 ;;; Drop Bridge lan to wifi
chain=forward action=drop in-bridge-port=lan
out-bridge-port=wifi-eliminateur

55 ;;; Drop Bridge wifi to lan
chain=forward action=drop in-bridge-port=wifi-eliminateur
out-bridge-port=lan
 
macgaiver
Forum Guru
Posts: 1722
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Filtering traffic on a bridge interface

Thu Aug 28, 2008 10:12 am

This looks good - but I'm not really sure you need to log all this stuff.
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Fri Sep 19, 2008 5:10 pm

I want to log, to debug later...

I got a problem.

I got an ADSL modem connected to ether1; RouterOS uses it with a PPPoE client session.
When the bridge (Bridge1) between ether1 and wifi is active, the PPPoE session dies and it will not connect anymore until I disable the bridge or the wifi port.

What is happening there?

In wifi there is another ADSL modem, but that one doesn't die.

Do I need another rule to ignore the modem traffic?
 
netrat
Member
Posts: 403
Joined: Thu Jun 07, 2007 1:16 pm
Location: Virginia

Re: Filtering traffic on a bridge interface

Fri Sep 19, 2008 5:16 pm

Why are ether1 and wlan1 bridged if the ADSL modem is on ether1? You have your PPPoE session and LAN/WLAN traffic all on the same bridge? Why don't you put the ADSL modem on a separate interface?

You could disable forwarding pppoe-discovery and pppoe-session traffic to/from the WLAN interface.
/interface bridge filter
add action=drop chain=forward comment="" disabled=no mac-protocol=0x8863 out-interface=wlan1
add action=drop chain=forward comment="" disabled=no mac-protocol=0x8864 out-interface=wlan1
add action=drop chain=forward comment="" disabled=no mac-protocol=0x8863 in-interface=wlan1
add action=drop chain=forward comment="" disabled=no mac-protocol=0x8864 in-interface=wlan1
Last edited by netrat on Fri Sep 19, 2008 5:26 pm, edited 1 time in total.
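
The layer split this thread keeps running into, as an added example that is not part of any post: IP matchers such as "not UDP" apply only to frames with EtherType 0x0800, while PPPoE discovery and session frames are matched by EtherType 0x8863 and 0x8864. The Python model below is a constructed sketch, not RouterOS code; the function names, the zeroed MAC addresses, the sample frames and the rule order are assumptions made for illustration.

```python
import struct

PPPOE_DISCOVERY, PPPOE_SESSION = 0x8863, 0x8864   # EtherTypes used in the rules above
IPV4, ARP = 0x0800, 0x0806
UDP, TCP = 17, 6                                   # IP protocol numbers

def make_frame(ethertype, payload=b""):
    """Constructed Ethernet II frame: zeroed dst/src MACs + EtherType + payload."""
    return bytes(12) + struct.pack("!H", ethertype) + payload

def make_ipv4(proto):
    """Constructed frame with a minimal 20-byte IPv4 header (only proto is set)."""
    header = bytearray(20)
    header[0] = 0x45          # version 4, header length 5 words
    header[9] = proto         # protocol field
    return make_frame(IPV4, bytes(header))

def bridge_forward(frame, in_if, out_if):
    """Return (action, reason) for one frame crossing the bridge.

    Assumed rule order (first match wins):
      1. drop PPPoE discovery/session entering or leaving wlan1
      2. for IPv4 frames only: drop everything that is not UDP
      3. anything else (ARP, other EtherTypes) is not touched by IP matchers
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype in (PPPOE_DISCOVERY, PPPOE_SESSION) and "wlan1" in (in_if, out_if):
        return ("drop", "pppoe")
    if ethertype == IPV4:
        if len(frame) < 14 + 20:
            raise ValueError("truncated IPv4 header")
        proto = frame[14 + 9]
        return ("accept", "udp") if proto == UDP else ("drop", "ip-not-udp")
    return ("accept", "non-ip")

if __name__ == "__main__":
    samples = [                                    # constructed test traffic
        ("PPPoE discovery ether1->wlan1", make_frame(PPPOE_DISCOVERY), "ether1", "wlan1"),
        ("PPPoE session   wlan1->ether1", make_frame(PPPOE_SESSION), "wlan1", "ether1"),
        ("UDP             lan->wlan1", make_ipv4(UDP), "lan", "wlan1"),
        ("TCP             lan->wlan1", make_ipv4(TCP), "lan", "wlan1"),
        ("ARP             lan->wlan1", make_frame(ARP), "lan", "wlan1"),
    ]
    for label, frame, in_if, out_if in samples:
        print(label, bridge_forward(frame, in_if, out_if))
```

In this model the PPPoE frames never reach the IP-protocol check, and ARP passes because it is not an IPv4 frame.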
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Fri Sep 19, 2008 5:25 pm

netrat wrote:
> Why are ether1 and wlan1 bridged if the ADSL modem is on ether1? You have your PPPoE session and LAN/WLAN traffic all on the same bridge? Why don't you put the ADSL modem on a separate interface?
>
> You could disable forwarding pppoe-discovery and pppoe-session traffic to the WLAN interface.

I'm out of interfaces right now.
That's why I'm using the same one as the lan.

Isn't it already disabled with the rules above?
 
netrat
Member
Posts: 403
Joined: Thu Jun 07, 2007 1:16 pm
Location: Virginia

Re: Filtering traffic on a bridge interface

Fri Sep 19, 2008 5:28 pm

HellMind wrote:
> I want to log, to debug later...
>
> I got an ADSL modem connected to ether1; RouterOS uses it with a PPPoE client session.
>
> In wifi there is another ADSL modem, but that one doesn't die.

How many ADSL modems do you have?
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Fri Sep 19, 2008 7:40 pm

2 ADSL modems:
1 is local, connected to eth1.

The other is remote, and it's connected through wifi.

I will try your rules
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Fri Sep 19, 2008 7:46 pm

It doesn't work.
 
netrat
Member
Posts: 403
Joined: Thu Jun 07, 2007 1:16 pm
Location: Virginia

Re: Filtering traffic on a bridge interface

Fri Sep 19, 2008 7:49 pm

I don't understand your setup. Why/how is there an ADSL modem on the WLAN interface? What is the purpose of bridging ether1 and wlan1? Do both ADSL modems do PPPoE?
 
HellMind
Member Candidate
Topic Author
Posts: 146
Joined: Mon Jun 26, 2006 11:58 pm

Re: Filtering traffic on a bridge interface

Fri Sep 19, 2008 8:03 pm

It's complex

My home has a RouterOS with eth1, wifi1 and wifi2.

adsl -> eth1

wifi1 is the wifi link (2 rb400 bridged wds) that connects to a friend's home.

He has just one iface, lan (now I remember he has an ADSL modem, but it's connected to the router/switch gw interface, so maybe having 2 ADSL modems on a lan isn't the problem).

I need the bridge because I need the broadcast packets for games and other kinds of stuff, and I don't connect the wifi link directly to lan because I don't want to give it full access to the lan.
