I got a bridge1 between lan1 and lan2 interface.
I ve selected the firewall option enabled
What rules do I need to use to let it pass only the udp packets?

Anyone?

Code: Select all

/ip fi fi add action=drop(reject?) chain=forward disabled=no protocol=!udp

But this is for every interface? where is specified bridge port? or interface.

I need an updated bridge interface documentation
Why the manual for 3.x is so incompleted?

something like ... or better - if you have checked "use ip firewall" then you can make a new rule in the IP FIREWALL FILTER (as chupaka suggested) and use the "out-bridge-port" parameter for example.

something like ...

Code: Select all

[normis@demo2.mt.lv] /interface bridge filter> add out-interface=ether1 ip-protocol=!udp action=drop

[admin@GwPm] /interface bridge filter> add out-interface=lan ip-protocol=!udp action=drop
chain: forward
failure: ip matchers valid only for ip ethernet protocol

What is wrong?

or better - if you have checked "use ip firewall" then you can make a new rule in the IP FIREWALL FILTER (as chupaka suggested) and use the "out-bridge-port" parameter for example.

is this fine?

50 ;;; Allow udp bridged
chain=forward action=accept protocol=udp out-bridge-port=bridge1

52 ;;; Drop Bridge
chain=forward action=drop out-bridge-port=bridge1

out-bridge-port should be name of the port (ether1), not name of the bridge itself

wich?
my bridge1 got lan & wifi

should i use lan or wifi -_-?

LOL

it depends on what you want to do

which traffic do you want to filter with this particular rule? the one that goes out the WAN port, or the LAN port? probably you need both, one in each rule.

What about this?

50 ;;; Allow udp bridged wifi to lan
chain=forward action=accept protocol=udp in-bridge-port=wifi-eliminateur
out-bridge-port=lan

51 ;;; Allow udp bridged lan to wifi
chain=forward action=accept protocol=udp in-bridge-port=lan
out-bridge-port=wifi-eliminateur

52 ;;; Log bridge drop wifi to lan
chain=forward action=log in-bridge-port=wifi-eliminateur
out-bridge-port=lan log-prefix="DROP BRIDGE FORWARD WIFI TO LAN"

53 ;;; Log bridge drop lan to wifi
chain=forward action=log in-bridge-port=lan
out-bridge-port=wifi-eliminateur
log-prefix="DROP BRIDGE FORWARD LAN TO WIFI"

54 ;;; Drop Bridge lan to wifi
chain=forward action=drop in-bridge-port=lan
out-bridge-port=wifi-eliminateur

55 ;;; Drop Bridge wifi to lan
chain=forward action=drop in-bridge-port=wifi-eliminateur
out-bridge-port=lan

This looks good - but I'm not really sure you need to log all this stuff.

I want to log, to debug later...

I got a problem.

I got an adsl modem connected to ether1, router os uses it with a pppoe client session,
When the bridge(Bridge1) between ether1 and wifi is active, the pppoe session dies and it will not connect anymore till i disable the bridge or the wifi port

What is happening there?

In wifi there are another adsl modem but that one doesn't dies.

Do I need another rule to ignore the modem traffic?

Why is ether1 and wlan1 bridge if the ADSL modem is on ether1? You have your PPPoE session and LAN/WLAN traffic on all the same bridge? Why don't you put the ADSL modem on a separate interface?

You could disable forwarding pppoe-discovery and pppoe-session traffic to/from the WLAN interface.

Why is ether1 and wlan1 bridge if the ADSL modem is on ether1? You have your PPPoE session and LAN/WLAN traffic on all the same bridge? Why don't you put the ADSL modem on a separate interface?

You could disable forwarding pppoe-discovery and pppoe-session traffic to the WLAN interface.

I'm out of interfaces right now.
Thats why I'm using the same of lan

Isn't already disabled with the rules above?

I want to log, to debug later...

I got an adsl modem connected to ether1, router os uses it with a pppoe client session,

In wifi there are another adsl modem but that one doesn't dies.

How many ADSL modems do you have?

2 adsl modem,
1 is local connected eth1

the other is remote, and its connected to trough wifi,

I will try your rules

Isn't work

I don't understand your setup. Why/how is there an ADSL modem on the WLAN interface? What is the purpose of bridging ether1 and wlan1? Do both ADSL modems do PPPoE?

It's complex

My home got a router os with eth1 wifi1 and wifi2

adsl -> eth1

wifi1 is the wifi link ( 2 rb400 bridged wds) that connect to a friend's home

he got just an iface, lan, (now i remember he got an adsl modem but its connected to the router/siwch gw interface so maybe having 2 adsl modem on a lan isnt the problem)

I need the bridge because i need the broadcast packets for games and other kind of stuff, and I dont connect the wifi link directly to lan because i don't want to give it full access to the lan.