Filtering traffic on a bridge interface

Posted: Fri Aug 15, 2008 12:48 am
by HellMind
I've got a bridge1 between the lan1 and lan2 interfaces.
I've selected the firewall option (enabled).
What rules do I need to use to let it pass only UDP packets?

Re: Filtering traffic on a bridge interface

Posted: Mon Aug 18, 2008 6:05 am
by HellMind
Anyone?

Re: Filtering traffic on a bridge interface

Posted: Mon Aug 18, 2008 1:10 pm
by Chupaka
/ip fi fi add action=drop(reject?) chain=forward disabled=no protocol=!udp

Re: Filtering traffic on a bridge interface

Posted: Tue Aug 19, 2008 1:10 am
by HellMind
/ip fi fi add action=drop(reject?) chain=forward disabled=no protocol=!udp
But is this for every interface? Where is the bridge port or interface specified?

Re: Filtering traffic on a bridge interface

Posted: Wed Aug 20, 2008 6:00 am
by HellMind
I need updated bridge interface documentation.
Why is the manual for 3.x so incomplete?

Re: Filtering traffic on a bridge interface

Posted: Fri Aug 22, 2008 2:06 pm
by normis
something like ...
[normis@demo2.mt.lv] /interface bridge filter> add out-interface=ether1 ip-protocol=!udp action=drop
or better - if you have checked "use ip firewall" then you can make a new rule in the IP FIREWALL FILTER (as chupaka suggested) and use the "out-bridge-port" parameter for example.

Re: Filtering traffic on a bridge interface

Posted: Mon Aug 25, 2008 9:07 am
by HellMind
something like ...
[normis@demo2.mt.lv] /interface bridge filter> add out-interface=ether1 ip-protocol=!udp action=drop
[admin@GwPm] /interface bridge filter> add out-interface=lan ip-protocol=!udp action=drop
chain: forward
failure: ip matchers valid only for ip ethernet protocol

What is wrong?
or better - if you have checked "use ip firewall" then you can make a new rule in the IP FIREWALL FILTER (as chupaka suggested) and use the "out-bridge-port" parameter for example.
Is this fine?

50 ;;; Allow udp bridged
chain=forward action=accept protocol=udp out-bridge-port=bridge1

52 ;;; Drop Bridge
chain=forward action=drop out-bridge-port=bridge1

Re: Filtering traffic on a bridge interface

Posted: Mon Aug 25, 2008 9:20 am
by normis
out-bridge-port should be the name of the port (ether1), not the name of the bridge itself

Re: Filtering traffic on a bridge interface

Posted: Tue Aug 26, 2008 3:19 am
by HellMind
Which?
My bridge1 has lan & wifi.

Should I use lan or wifi -_-?

Re: Filtering traffic on a bridge interface

Posted: Tue Aug 26, 2008 11:26 am
by normis
LOL :D

it depends on what you want to do :)

which traffic do you want to filter with this particular rule? the one that goes out the WAN port, or the LAN port? probably you need both, one in each rule.

Re: Filtering traffic on a bridge interface

Posted: Wed Aug 27, 2008 9:42 pm
by HellMind
What about this?

50 ;;; Allow udp bridged wifi to lan
chain=forward action=accept protocol=udp in-bridge-port=wifi-eliminateur
out-bridge-port=lan

51 ;;; Allow udp bridged lan to wifi
chain=forward action=accept protocol=udp in-bridge-port=lan
out-bridge-port=wifi-eliminateur

52 ;;; Log bridge drop wifi to lan
chain=forward action=log in-bridge-port=wifi-eliminateur
out-bridge-port=lan log-prefix="DROP BRIDGE FORWARD WIFI TO LAN"

53 ;;; Log bridge drop lan to wifi
chain=forward action=log in-bridge-port=lan
out-bridge-port=wifi-eliminateur
log-prefix="DROP BRIDGE FORWARD LAN TO WIFI"

54 ;;; Drop Bridge lan to wifi
chain=forward action=drop in-bridge-port=lan
out-bridge-port=wifi-eliminateur

55 ;;; Drop Bridge wifi to lan
chain=forward action=drop in-bridge-port=wifi-eliminateur
out-bridge-port=lan

Re: Filtering traffic on a bridge interface

Posted: Thu Aug 28, 2008 10:12 am
by macgaiver
This looks good - but I'm not really sure you need to log all this stuff.

Re: Filtering traffic on a bridge interface

Posted: Fri Sep 19, 2008 5:10 pm
by HellMind
I want to log, to debug later...

I got a problem.

I've got an adsl modem connected to ether1; router os uses it with a pppoe client session.
When the bridge (Bridge1) between ether1 and wifi is active, the pppoe session dies and it will not connect anymore until I disable the bridge or the wifi port.

What is happening there?

On wifi there is another adsl modem, but that one doesn't die.

Do I need another rule to ignore the modem traffic?

Re: Filtering traffic on a bridge interface

Posted: Fri Sep 19, 2008 5:16 pm
by netrat
Why are ether1 and wlan1 bridged if the ADSL modem is on ether1? You have your PPPoE session and LAN/WLAN traffic all on the same bridge? Why don't you put the ADSL modem on a separate interface?

You could disable forwarding pppoe-discovery and pppoe-session traffic to/from the WLAN interface.
/interface bridge filter
add action=drop chain=forward comment="" disabled=no mac-protocol=0x8863 out-interface=wlan1
add action=drop chain=forward comment="" disabled=no mac-protocol=0x8864 out-interface=wlan1
add action=drop chain=forward comment="" disabled=no mac-protocol=0x8863 in-interface=wlan1
add action=drop chain=forward comment="" disabled=no mac-protocol=0x8864 in-interface=wlan1
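An added example (not code from the thread or from RouterOS) that models how the bridge filter rules discussed above decide a frame's fate: it reproduces the "ip matchers valid only for ip ethernet protocol" error, normis' point that port matchers take a port name rather than the bridge, and netrat's PPPoE drop rules, then shows which frames get through. Port names lan and wlan1 and the constructed frames are assumptions, not the poster's configuration.

```python
from collections import namedtuple
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806       # ethertypes seen in the thread
PPPOE_DISC, PPPOE_SESS = 0x8863, 0x8864
PROTO = {"udp": 17, "tcp": 6}                       # IP protocol numbers
PORTS = {"lan", "wlan1"}                             # assumed bridge port names

# A frame as the bridge sees it; ip_protocol is only set for IP frames.
Frame = namedtuple("Frame", "in_port out_port mac_protocol ip_protocol", defaults=[None])
# A bridge filter rule; ip_protocol is "udp" or the negated form "!udp".
Rule = namedtuple("Rule", "action in_port out_port mac_protocol ip_protocol",
                  defaults=[None] * 4)

def validate(rule, bridge_ports=PORTS):
    """Return the error RouterOS would report for a bad rule, or None."""
    if rule.ip_protocol is not None and rule.mac_protocol != ETHERTYPE_IP:
        return "ip matchers valid only for ip ethernet protocol"
    for p in (rule.in_port, rule.out_port):
        if p is not None and p not in bridge_ports:
            return f"{p} is not a bridge port"
    return None

def matches(rule, frame):
    if (rule.in_port and rule.in_port != frame.in_port) or \
       (rule.out_port and rule.out_port != frame.out_port):
        return False
    if rule.mac_protocol is not None and rule.mac_protocol != frame.mac_protocol:
        return False
    if rule.ip_protocol is None:
        return True
    if frame.mac_protocol != ETHERTYPE_IP:           # IP matchers never see non-IP
        return False
    hit = frame.ip_protocol == PROTO[rule.ip_protocol.lstrip("!")]
    return hit != rule.ip_protocol.startswith("!")   # "!" negates the match

def evaluate(rules, frame):
    """First matching rule decides; no match means the frame is forwarded."""
    for r in rules:
        if matches(r, frame):
            return r.action
    return "accept"

# Block PPPoE to/from the wireless port, then allow only UDP among IP frames.
# ARP is not IP, so the "!udp" drop rule cannot touch it and it still passes.
RULES = [Rule("drop", out_port="wlan1", mac_protocol=PPPOE_DISC),
         Rule("drop", out_port="wlan1", mac_protocol=PPPOE_SESS),
         Rule("drop", in_port="wlan1", mac_protocol=PPPOE_DISC),
         Rule("drop", in_port="wlan1", mac_protocol=PPPOE_SESS),
         Rule("accept", mac_protocol=ETHERTYPE_IP, ip_protocol="udp"),
         Rule("drop", mac_protocol=ETHERTYPE_IP, ip_protocol="!udp")]
```

Run validate() on each rule before evaluate() to see why the "add out-interface=lan ip-protocol=!udp" attempt and the "out-bridge-port=bridge1" rules were rejected.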

Re: Filtering traffic on a bridge interface

Posted: Fri Sep 19, 2008 5:25 pm
by HellMind
Why are ether1 and wlan1 bridged if the ADSL modem is on ether1? You have your PPPoE session and LAN/WLAN traffic all on the same bridge? Why don't you put the ADSL modem on a separate interface?

You could disable forwarding pppoe-discovery and pppoe-session traffic to the WLAN interface.
I'm out of interfaces right now.
That's why I'm using the same one as the lan.

Isn't it already disabled with the rules above?

Re: Filtering traffic on a bridge interface

Posted: Fri Sep 19, 2008 5:28 pm
by netrat
I want to log, to debug later...

I've got an adsl modem connected to ether1; router os uses it with a pppoe client session.

On wifi there is another adsl modem, but that one doesn't die.
How many ADSL modems do you have?

Re: Filtering traffic on a bridge interface

Posted: Fri Sep 19, 2008 7:40 pm
by HellMind
2 adsl modems:
1 is local, connected to eth1;

the other is remote, and it's connected through wifi.

I will try your rules.

Re: Filtering traffic on a bridge interface

Posted: Fri Sep 19, 2008 7:46 pm
by HellMind
It doesn't work.

Re: Filtering traffic on a bridge interface

Posted: Fri Sep 19, 2008 7:49 pm
by netrat
I don't understand your setup. Why/how is there an ADSL modem on the WLAN interface? What is the purpose of bridging ether1 and wlan1? Do both ADSL modems do PPPoE?

Re: Filtering traffic on a bridge interface

Posted: Fri Sep 19, 2008 8:03 pm
by HellMind
It's complex.

My home has a router os box with eth1, wifi1 and wifi2.

adsl -> eth1

wifi1 is the wifi link (2 rb400 bridged with wds) that connects to a friend's home.

He has just one iface, lan (now I remember he has an adsl modem, but it's connected to the router/switch gw interface, so maybe having 2 adsl modems on a lan isn't the problem).

I need the bridge because I need the broadcast packets for games and other kinds of stuff, and I don't connect the wifi link directly to the lan because I don't want to give it full access to the lan.