 
sergis
just joined
Topic Author
Posts: 16
Joined: Tue Apr 05, 2005 5:09 pm

Bridge drop arp

Fri Jun 03, 2005 4:35 pm

Hello all. I want to allow behind my bridge only the IPs that I allow. I know a nice feature is arp-reply only, but this is not for me - clients change NICs and MAC addresses.. :cry: I try to use the bridge firewall on my bridge: eth1 - input; eth2 - output..

My setup

/ interface bridge filter
add chain=forward in-interface=ether2 mac-protocol=arp \
arp-src-address=!10.10.10.249/32 action=drop comment="" disabled=no

This is working - 1 PC connected to the router

/ interface bridge filter
add chain=forward in-interface=ether2 mac-protocol=arp \
arp-src-address=!10.10.10.248/32 action=drop comment="" disabled=no
/ interface bridge filter
add chain=forward in-interface=ether2 mac-protocol=arp \
arp-src-address=!10.10.10.249/32 action=drop comment="" disabled=no

not working :oops:

But I need to add 10 clients to my router and allow each of them to use only his own IP address, to avoid IP conflicts..

HELP!! :cry:
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sat Jun 04, 2005 3:45 pm

I think this is because the first rule cuts off all other cases, like this:
Let's assume the client address in question is 10.10.10.249, which I assume
you want to allow. But the first rule matches on !10.10.10.248, and
10.10.10.249 surely matches !10.10.10.248/32, so it immediately drops and
the following rule never gets evaluated.

Looks like you'd be better off with a list of explicit permit rules per IP, finally
followed by a final deny-all rule.

--Tom
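
Added example (not part of the original posts, and not RouterOS code): a simplified Python model of first-match rule evaluation for ARP frames arriving on ether2, comparing the two negated drop rules from the question with the per-IP accept rules plus final drop suggested in the reply. The rule dictionaries, the function names and the address 10.10.10.250 are assumptions made for illustration.

```python
import ipaddress

def matches(rule, arp_src):
    """True if the ARP sender IP satisfies the rule's arp-src-address matcher."""
    spec = rule.get("arp-src-address")
    if spec is None:                      # no matcher: rule matches every ARP frame
        return True
    negated = spec.startswith("!")
    inside = ipaddress.ip_address(arp_src) in ipaddress.ip_network(spec.lstrip("!"))
    return inside != negated              # "!" inverts the result of the match

def evaluate(rules, arp_src):
    """First-match evaluation: the first matching rule decides; no match means accept."""
    for rule in rules:
        if matches(rule, arp_src):
            return rule["action"]
    return "accept"

# The two negated drop rules from the question (modelled, not parsed from RouterOS).
POSTED = [
    {"arp-src-address": "!10.10.10.248/32", "action": "drop"},
    {"arp-src-address": "!10.10.10.249/32", "action": "drop"},
]

def allow_list(addresses):
    """One explicit accept rule per permitted IP, then a final drop-all rule."""
    rules = [{"arp-src-address": f"{a}/32", "action": "accept"} for a in addresses]
    return rules + [{"action": "drop"}]

FIXED = allow_list(["10.10.10.248", "10.10.10.249"])

if __name__ == "__main__":
    # 10.10.10.250 is a constructed address standing in for an unlisted client.
    for src in ("10.10.10.248", "10.10.10.249", "10.10.10.250"):
        print(src, "posted:", evaluate(POSTED, src), "fixed:", evaluate(FIXED, src))
```

With the posted rules every sender is dropped, because each permitted address still matches the other rule's negation; with the accept list only the listed addresses pass.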
