petterg
Member Candidate
Topic Author
Posts: 198
Joined: Wed Sep 16, 2009 2:55 pm

NAT rules hit on bridge

Wed Dec 18, 2013 3:05 am

I have a fully redundant network consisting of 2x RB1100AHx2. Being fully redundant implies a network loop and the use of RST, which in turn implies the use of a bridge where switching would otherwise have been sufficient. (And I love the bypass functionality!)
The RBs are set up as master/standby using VRRP on the lan-bridge.

There is only one public IP range on each internet access, and some servers in the DMZ cannot be behind NAT, hence there is a wan-bridge and it needs to be firewalled. So the firewall is enabled for bridges.

Now the issue: when the firewall is enabled for bridges, so is NAT!
With the switch loop there are some packets towards the master router that pass through the slave. The issue is that the slave applies the NAT table to these packets, with the result that they are either routed through the slave rather than the master, or they arrive at the master with the wrong dst/src IP.

My question is: how can I apply the firewall filter table to the bridge without applying the NAT table?
OR: how can I apply the firewall to only the one bridge where it is required, and not to the other bridges?
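One way to keep the standby router's NAT table from rewriting traffic that is merely transiting its bridge, as an added example that is not part of the thread and not the poster's configuration. It assumes the bridge names from the post (wan-bridge) and uses placeholder addresses (192.0.2.0/24 for the LAN, 203.0.113.10 for the master's public IP); the idea is that NAT rules are evaluated top-down and an action=accept rule ends NAT processing for the packets it matches, so accept rules placed first, plus masquerade rules narrowed to locally originated traffic, leave transit packets untouched while the filter table still sees everything.

```routeros
# Added example, not from the thread. Placeholder values:
#   192.0.2.0/24  = this site's LAN range
#   203.0.113.10  = public IP held by the master (VRRP VIP on wan-bridge)
# use-ip-firewall is the setting that sends bridged frames through
# /ip firewall at all (filter, nat and mangle alike).
/interface bridge settings
set use-ip-firewall=yes

/ip firewall nat
# Packets entering wan-bridge that are addressed to the master must not be
# dst-nat'ed by the standby; accept ends NAT processing for them.
add chain=dstnat action=accept in-interface=wan-bridge dst-address=203.0.113.10 \
    comment="transit to master: do not dst-nat on the standby"
# Anything not sourced from our own LAN is transit, never a src-nat candidate.
add chain=srcnat action=accept src-address=!192.0.2.0/24 \
    comment="only LAN-originated traffic may be src-nat'ed"
# The real NAT rule, deliberately narrow: LAN sources leaving via wan-bridge.
add chain=srcnat action=masquerade src-address=192.0.2.0/24 out-interface=wan-bridge \
    comment="LAN to internet"
```

The accept rules must sit above the masquerade and any dst-nat rules (check the order with `/ip firewall nat print`), and the same narrowing belongs on both routers so behaviour does not change on VRRP failover.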
 
jfvelamoscoso
Trainer
Posts: 59
Joined: Fri Oct 25, 2013 12:52 am
Location: Arequipa - Peru

Re: NAT rules hit on bridge

Fri Dec 20, 2013 12:33 am

Can you please post the result of

/ip firewall nat export compact
----------------------------------------
jfvelamoscoso@gmail.com
Network Engineer Noc Department
MTCNA, MTCTCE

If it helps please give some karma
