This is my first post on this forum and my first experience with Mikrotik, so please bear with me on this.
I'm more used to managing Juniper devices.
You will find below a network diagram of my current setup.
Right now, even though the crs305-1g-4s+in is running RouterOS 7.1, I'm only using its switching capabilities.
At the moment everything is running in a flat layer 2, so all ports are in the same broadcast domain.
My goal is for PC1 (with MAC address AA:AA:AA:AA:AA:AA) to be able to reach only the Gateway (with MAC address BB:BB:BB:BB:BB:BB), bi-directionally, and nothing else.
I've set up the Mikrotik switch this way.
I have one bridge called "bridge"
[admin@sw01.home] > interface/bridge/ print
Flags: X - disabled, R - running
0 R ;;; defconf
name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=reply-only arp-timeout=auto mac-address=08:55:31:XX:XX:XX
protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=08:55:31:XX:XX:XX ageing-time=5m
priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100
pvid=1 frame-types=admit-all ingress-filtering=yes dhcp-snooping=no
[admin@sw01.home] > interface/bridge/port print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
;;; defconf
0 H ge-0/1/0 bridge yes 11 0x80 1000 1000 none
;;; defconf
1 H xe-0/0/0 bridge yes 11 0x80 10 10 none
;;; defconf
2 IH xe-0/0/1 bridge yes 11 0x80 10 10 none
;;; defconf
3 IH xe-0/0/2 bridge yes 11 0x80 10 10 none
;;; defconf
4 H xe-0/0/3 bridge yes 11 0x80 10 10 none
[admin@sw01.home] > interface/bridge/vlan/ print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridge 11 bridge ge-0/1/0
xe-0/0/3
xe-0/0/0
1 D bridge 1 bridge
[admin@sw01.home] > interface/vlan/ print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
# NAME MTU ARP VLAN-ID INTERFACE
;;; Management Interface
0 R vlan.11 1500 enabled 11 bridge
[admin@sw01.home] > ip/address/ print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 192.168.1.6/24 192.168.1.0 vlan.11
So just to test this, I've created rules that don't drop anything, but only count packets.
The forward chain doesn't log anything when PC1 reaches anything on another switch port.
The input/output chains match traffic to and from the Mikrotik control plane (they get incremented when PC1 pings the Mikrotik management interface).
Why doesn't the forward chain see anything?
[admin@sw01.home] > interface/bridge/filter/ print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Accept everything from PC1 to switch, count packets only
chain=input action=accept in-interface=xe-0/0/0 in-bridge=bridge
src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""
1 ;;; Accept everything from PC1 that needs forwarding, count packets only
chain=forward action=accept src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""
2 ;;; Accept anything to PC1 that needs forwarding, count packets only
chain=forward action=accept dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""
3 ;;; Accept everything to PC1 from switch, count packets only
chain=output action=accept dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""
[admin@sw01.home] > interface/bridge/filter/ print stats
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN ACTION BYTES PACKETS
;;; Accept everything from PC1 to switch, count packets only
0 input accept 3452 30
;;; Accept everything from PC1 that needs forwarding, count packets only
1 forward accept 0 0
;;; Accept anything to PC1 that needs forwarding, count packets only
2 forward accept 0 0
;;; Accept everything to PC1 from switch, count packets only
3 output accept 2044 25
[admin@sw01.home] >
In the interface/ethernet/switch/rule/ configuration section, I actually allow traffic from the gateway to PC1 and from PC1 to the gateway, and rewrite the VLAN ID for everything else regarding PC1 so the traffic gets lost.
What I'm actually doing is:
- I allow the gateway MAC address to pass when traffic arrives on port xe-0/0/3.
- Everything else from this port going to PC1 gets rewritten to VLAN 666 so it doesn't reach PC1, which is in VLAN 11.
- Everything from the ge-0/1/0 port going to PC1 gets rewritten as well so it doesn't reach PC1, which is in VLAN 11.
Actually, PC1 can send packets to anyone but won't get the response.
This is a quick and dirty fix that needs some improvement, but I would love to understand how to use the bridge filter section because I think I should be doing my config there.
[admin@sw01.home] > interface/ethernet/switch/rule/ print
Flags: X - disabled, I - invalid; D - dynamic
0 switch=switch1 ports=xe-0/0/3 src-mac-address=BB:BB:BB:BB:BB:BB/FF:FF:FF:FF:FF:FF copy-to-cpu=no
redirect-to-cpu=no mirror=no
1 switch=switch1 ports=xe-0/0/3 dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF copy-to-cpu=no
redirect-to-cpu=no mirror=no new-vlan-id=666
2 switch=switch1 ports=ge-0/1/0 dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF copy-to-cpu=no
redirect-to-cpu=no mirror=no new-vlan-id=666
Thank you.
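Editor's note, as an added example that is not the poster's configuration and not an official MikroTik snippet: the switch-chip ACL below expresses the stated goal directly (PC1 talks to the gateway and to nothing else) instead of steering unwanted frames into an unused VLAN. It reuses the port names, bridge, VLAN 11 and MAC addresses from the post above; that PC1 sits on xe-0/0/0 and the gateway on xe-0/0/3, and that an empty `new-dst-ports` acts as a drop action on this CRS3xx switch chip, are assumptions to verify on your RouterOS version before relying on them. One caveat that also explains the zero counters above: with hardware offloading enabled, frames switched between two offloaded ports never reach the CPU, so the bridge filter forward chain only sees traffic the CPU forwards itself, while input/output still count because management traffic to vlan.11 terminates on the CPU.

```routeros
# Added example, not the poster's config. Port names, MACs and VLAN 11 are the ones from
# the post; PC1 on xe-0/0/0 and the gateway on xe-0/0/3 are assumptions.
# Switch rules are evaluated top to bottom on ingress; the first match wins, so the
# "pass" rules must come before the "drop" rules for the same port.
/interface ethernet switch rule

# PC1 -> gateway unicast: pass (no action fields set = forward normally)
add switch=switch1 ports=xe-0/0/0 \
    src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF \
    dst-mac-address=BB:BB:BB:BB:BB:BB/FF:FF:FF:FF:FF:FF \
    comment="PC1 -> GW"

# PC1 -> ARP broadcast only, so PC1 can resolve the gateway's MAC;
# every other broadcast or multicast from PC1 falls through to the drop rule below
add switch=switch1 ports=xe-0/0/0 mac-protocol=arp \
    src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
    comment="PC1 -> ARP broadcast"

# Everything else entering on PC1's port: drop
# (assumption: an empty new-dst-ports list drops the frame on this switch chip)
add switch=switch1 ports=xe-0/0/0 new-dst-ports="" \
    comment="PC1 -> anything else: drop"

# Gateway -> PC1 unicast (including its ARP replies): pass
add switch=switch1 ports=xe-0/0/3 \
    src-mac-address=BB:BB:BB:BB:BB:BB/FF:FF:FF:FF:FF:FF \
    dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF \
    comment="GW -> PC1"

# Unicast to PC1 entering on any other port (or from any other MAC on the
# gateway port): drop. Broadcast ARP requests for PC1 are unaffected.
add switch=switch1 ports=ge-0/1/0,xe-0/0/1,xe-0/0/2,xe-0/0/3 \
    dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF \
    new-dst-ports="" comment="others -> PC1: drop"
```

Because the rules key on the ingress port of PC1 rather than on the VLAN tag, they do not depend on which VLAN PC1 ends up in. Note that this also blocks PC1 from pinging the switch's own management address on vlan.11 (which is what "and that's it" asks for); allow the bridge's MAC address in a rule placed before the drop rule if that management access is wanted. PC1's ARP broadcasts still reach every host on the VLAN, which is the usual residual leak of a MAC-level allowlist; a private VLAN or a dedicated VLAN for PC1 removes it.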