greek
Member Candidate
Topic Author
Posts: 111
Joined: Thu Nov 04, 2010 11:37 pm
Location: Russia, 78rus

Easy firewall rule doesn't work

Wed Oct 08, 2014 9:52 pm

Good day.

Default configuration.
WAN = ether1, LAN = Bridge1, NAT

Rule:
/ip firewall mangle
add chain=forward in-interface=ether1 log=yes out-bridge-port=wlan1 out-interface=bridge1

Packet counter = 0, log is empty.

Laptop is connected to wlan1, internet works fine.

Why doesn't it work?

PS:
/ip firewall mangle
add chain=forward in-interface=ether1 log=yes out-bridge-port=wlan1

doesn't work either.


Config:

/ip address
add address=192.168.113.1/24 comment="default configuration" interface=bridge1 network=192.168.113.0
add address=84.5*.*.*/26 interface=ether1 network=84.5*.*.*

/interface bridge
add admin-mac=D4:CA:6D:63:35:5A auto-mac=no mtu=1500 name=bridge1 protocol-mode=none

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether8

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.113.0/24
natoer23
Trainer
Posts: 8
Joined: Mon Jan 09, 2012 3:11 pm

Re: Easy firewall rule doesn't work

Thu Oct 09, 2014 10:31 am

Can you please tell us what you are trying to do?

If you want to see the traffic from your laptop to another port in the bridge, then you need to use:
/ip firewall mangle
add chain=forward in-bridge-port=wlan1 out-bridge-port=ether2 log=yes
However, if you are trying to log traffic between your internal network (bridge) and the internet, you don't need the bridge firewall.
You simply use this:
/ip firewall filter
add chain=forward in-interface=bridge1 out-interface=ether1 action=passthrough log=yes
If you need to reverse direction just swap the in and out interfaces.

Make sure not to leave the default action of accept, otherwise you will accept all traffic either way!
Passthrough will work, or you can choose the action log as well.
greek
Member Candidate
Topic Author
Posts: 111
Joined: Thu Nov 04, 2010 11:37 pm
Location: Russia, 78rus

Re: Easy firewall rule doesn't work

Thu Oct 09, 2014 3:24 pm

Can you please tell us what you are trying to do?
The global target is different shaping of ports-in-bridge.

I want to mark packets from WAN side to specific port-in-bridge (and back).

I use a simple rule for this purpose.

/ip firewall mangle
add chain=forward in-interface=ether1 log=yes out-bridge-port=wlan1 out-interface=bridge1

But it doesn't work.

(I am not marking packets in this rule, I just want to see their count, as a first step towards the global target.)
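Since the stated goal is marking a bridge port's traffic in both directions, here is one way to do that with connection marks, added as an example and not taken from either poster. It assumes use-ip-firewall=yes as in the exported config (so in-bridge-port is populated for packets arriving on a bridge port), wlan1 as the port of interest, and made-up mark names, log prefix and rate limits.

```routeros
# Added example (not from the thread). Assumes /interface bridge settings
# use-ip-firewall=yes, as in the config above, so in-bridge-port is known for
# packets that enter the router through a bridge port.
/ip firewall mangle
# LAN -> WAN: the ingress bridge port is known on entry, so tag the whole
# connection the first time a packet from wlan1 is seen (only unmarked ones).
add chain=prerouting in-bridge-port=wlan1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=wlan1-conn passthrough=yes \
    comment="tag connections that involve wlan1"
# Both directions: replies arriving on ether1 belong to the same tracked
# connection, so the connection mark selects them too; no out-bridge-port needed.
add chain=prerouting connection-mark=wlan1-conn \
    action=mark-packet new-packet-mark=wlan1-pkt passthrough=no \
    comment="upload and download packets of wlan1 connections"
# Counting only (the first step asked for): passthrough changes nothing, but its
# counters and log show that the marks are being applied.
add chain=forward packet-mark=wlan1-pkt action=passthrough log=yes \
    log-prefix="wlan1:"
# Shaping step, hypothetical 10M upload / 20M download limit for this port.
/queue simple
add name=wlan1-shape target=192.168.113.0/24 packet-marks=wlan1-pkt \
    max-limit=10M/20M
```

Repeat the three mangle rules and the queue with a different port and mark names for each bridge port you want to shape separately; the counters on the forward rule are the first thing to check if a port's queue stays at zero.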
