I use a CCR2116 unit with V7.4 as a bridge filtering only device for added security at the office.
I pass traffic through two ports on the same bridge with firewall rules applied to the bridge.
No Fast-Forward, HW offload or Fast-Track is being used. Only use-ip-firewall is enabled on the bridge.
I load some IPs to filter with rules like the IP drop rule below, for sites like known phishing sites.
However, I want to whitelist some domains that may be sharing the same IP, so I put an accept rule higher on the list of raw rules with the specific domain to accept.
/ip firewall raw
add action=accept chain=prerouting comment=Whitelist_domain content=dontblockme.com dst-port=80,443 in-interface-list=BR_ALL protocol=tcp
...
add action=drop dst-address-list=PhishList chain=prerouting comment="Phishing" in-interface-list=BR_ALL
However, MT always matches the IP rule before the one above it using content=dontblockme.com, despite the fact that the accept rule is much higher on the list.
Looking at the packet_flow diagram in https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
This case would fall under the Bridging diagram. But it's not clear if this is how things are supposed to work.
Any comments?
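Added example (not part of the original post and not MikroTik code): a small Python model of how a stateless, first-match rule list such as the raw/prerouting chain evaluates the two rules above against the packets of one TCP connection. It assumes, as the RouterOS documentation describes, that the content matcher is a plain substring check on the packet payload and that raw rules see every packet individually with no connection state. The IP address and the TCP/TLS packet sequence are constructed for the illustration.

```python
# Model of first-match evaluation in a stateless prerouting rule list.
# Constructed example; it does not implement RouterOS, only the matching
# semantics described in the post (content = payload substring,
# dst-address-list = destination IP membership, first matching rule wins).
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes = b""   # SYN/ACK segments carry no payload


@dataclass
class Rule:
    action: str
    comment: str
    dst_ports: Optional[Set[int]] = None
    content: Optional[bytes] = None
    dst_address_list: Optional[Set[str]] = None

    def matches(self, pkt: Packet) -> bool:
        # Every configured matcher must hit for the rule to apply.
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        if self.dst_address_list is not None and pkt.dst_ip not in self.dst_address_list:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule; accept if none match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "default"


# Constructed address list: one IP shared by the phishing site and the
# whitelisted domain (documentation range, not a real host).
PHISH_LIST = {"198.51.100.10"}

# The two rules from the post, in the same order.
RULES = [
    Rule("accept", "Whitelist_domain", dst_ports={80, 443}, content=b"dontblockme.com"),
    Rule("drop", "Phishing", dst_address_list=PHISH_LIST),
]


def connection_packets(dst_ip: str, host: str) -> List[Tuple[str, Packet]]:
    """Client-side packets of one HTTPS connection, in the order the bridge sees them."""
    syn = Packet(dst_ip, 443)                      # handshake: empty payload
    ack = Packet(dst_ip, 443)                      # handshake: empty payload
    # TLS ClientHello; the SNI carries the hostname in the clear (constructed bytes).
    client_hello = Packet(dst_ip, 443, b"\x16\x03\x01\x00\x00" + host.encode())
    return [("SYN", syn), ("ACK", ack), ("ClientHello", client_hello)]


def trace(dst_ip: str, host: str) -> List[Tuple[str, str, str]]:
    """Evaluate each packet of the connection and record which rule decided it."""
    return [(name, *evaluate(RULES, pkt)) for name, pkt in connection_packets(dst_ip, host)]


if __name__ == "__main__":
    for step in trace("198.51.100.10", "dontblockme.com"):
        print(step)
```

Running the trace for the shared IP shows the handshake segments, which carry no payload, never satisfy the content matcher and so fall through to the address-list drop; only the ClientHello contains the hostname and would reach the accept rule. The same model with an IP outside the list reaches neither rule.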