mikey
newbie
Topic Author
Posts: 26
Joined: Mon Dec 20, 2021 1:11 pm

Trouble with the "Out. Bridge Port" filter

Tue Mar 28, 2023 4:35 pm

Good afternoon

I'm trying to set up some queues on the network to prioritize two computers in the network to the WAN. To make it a little more complicated, the network is dual-stack and the IPv6 prefix is dynamic (thank you, ISP). Since the IPv6 prefix will change, I cannot use a simple queue and assign it to a network; I have to mark the packets in real time and combine it with a queue tree. The computers are both connected to the MikroTik router directly. My idea was to use the connected Ethernet port to identify the computer.

To test this I use a CRS328 (RouterOS 7.8). Port one is WAN. Ports 2-24 are in a bridge. Port 23 is connected to one PC and port 24 is connected to the second PC.
add action=mark-connection chain=forward comment="Mark new connection starting from inside network" connection-state=new new-connection-mark=\
    All_Internet_Connection out-interface=ether1 passthrough=yes
add action=mark-packet chain=forward comment="Mark download packet Destiny" in-interface=ether1 new-packet-mark=Destiny_DL_Packets out-bridge-port=\
    ether24 passthrough=yes
add action=mark-packet chain=forward comment="Mark upload packet Destiny" connection-mark=All_Internet_Connection in-bridge-port=ether24 \
    new-packet-mark=Destiny_UL_Packets out-interface=ether1 passthrough=yes
Packets matched with the "in-bridge-port" filter get recorded normally, but packets matched with the "out-bridge-port" filter do not get recorded at all. I tried to disable fast path, hardware offload, etc., but it made no difference, so I enabled them again. To troubleshoot, I also tried a rule with only the out-bridge-port set as filter; this also did not record any packets.

I'm really out of ideas right now and I could use some insight from someone else.

Here is the full configuration of the lab router
/interface bridge
add admin-mac=18:FD:74:9B:85:D6 auto-mac=no comment=defconf ingress-filtering=no name=bridge vlan-filtering=yes
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/queue type
add kind=cake name=cake
/queue simple
add disabled=yes dst=ether1 max-limit=100M/100M name=MainQ queue=cake/cake target=192.168.88.0/24
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether21
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus3
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus4
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip settings
set max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add interface=ether1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-nat-state="" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=input in-interface=bridge
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=bridge out-interface=ether1
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark new connection starting from outside network" connection-state=new disabled=yes in-interface=\
    ether1 new-connection-mark=All_Internet_Connection passthrough=yes
add action=mark-connection chain=forward comment="Mark new connection starting from inside network" connection-state=new new-connection-mark=\
    All_Internet_Connection out-interface=ether1 passthrough=yes
add action=mark-packet chain=forward comment="Mark download packet Destiny" in-interface=ether1 new-packet-mark=Destiny_DL_Packets out-bridge-port=\
    ether24 passthrough=yes
add action=mark-packet chain=forward comment="Mark upload packet Destiny" connection-mark=All_Internet_Connection in-bridge-port=ether24 \
    new-packet-mark=Destiny_UL_Packets out-interface=ether1 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ipv6 route
add disabled=no dst-address=2000::/3 gateway=2001:470:1f14:127f::1
/system routerboard settings
set boot-os=router-os
 
mikey
newbie
Topic Author
Posts: 26
Joined: Mon Dec 20, 2021 1:11 pm

Re: Trouble with the "Out. Bridge Port" filter

Thu Mar 30, 2023 2:53 pm

I did not manage to find out why the Out Bridge Port is not working; however, I found a better solution to identify my two computers. I mark the connection using the Src. MAC Address from the computers. Afterwards I use this connection mark to mark the corresponding packets.


It looks like this. I'll do the same rule in the IPv6 Firewall. Anything I can do to optimise it?
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark new connection starting from outside network" connection-state=new disabled=yes in-interface=ether1 new-connection-mark=\
    All_Internet_Connection passthrough=yes
add action=mark-connection chain=forward comment="Mark new connection starting from destiny to wan" connection-state=new new-connection-mark=All_Internet_Destiny out-interface=ether1 \
    passthrough=yes src-mac-address=A0:CE:C8:58:97:30
add action=mark-connection chain=forward comment="Mark new connection starting from Pegasus to wan" connection-state=new new-connection-mark=All_Internet_Pegasus out-interface=ether1 \
    passthrough=yes src-mac-address=00:0A:CD:3E:14:6D
add action=mark-connection chain=forward comment="Mark new connection starting from inside network" connection-state=new new-connection-mark=All_Internet_Other out-interface=ether1 \
    passthrough=yes
add action=mark-packet chain=forward comment="Mark download packet Destiny" connection-mark=All_Internet_Destiny in-interface=ether1 new-packet-mark=Destiny_DL_Packets passthrough=no
add action=mark-packet chain=forward comment="Mark upload packet Destiny" connection-mark=All_Internet_Destiny new-packet-mark=Destiny_UL_Packets out-interface=ether1 passthrough=no
add action=mark-packet chain=forward comment="Mark download packet Pegasus" connection-mark=All_Internet_Pegasus in-interface=ether1 new-packet-mark=Pegasus_DL_Packets passthrough=no
add action=mark-packet chain=forward comment="Mark upload packet Pegasus" connection-mark=All_Internet_Pegasus new-packet-mark=Pegasus_UL_Packets out-interface=ether1 passthrough=no
add action=mark-packet chain=forward comment="Mark download packet  other" connection-mark=All_Internet_Connection in-interface=ether1 new-packet-mark=Other_DL_Packets passthrough=no
add action=mark-packet chain=forward comment="Mark upload packet  Other" connection-mark=All_Internet_Connection new-packet-mark=Other_UL_Packets out-interface=ether1 passthrough=no
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Trouble with the "Out. Bridge Port" filter

Thu Mar 30, 2023 8:41 pm

Out. Bridge Port Filter works only when use-ip-firewall in bridge settings is enabled

Bridging and Switching
Bridge Settings
https://help.mikrotik.com/docs/display/ ... geSettings
 
mikey
newbie
Topic Author
Posts: 26
Joined: Mon Dec 20, 2021 1:11 pm

Re: Trouble with the "Out. Bridge Port" filter

Fri Mar 31, 2023 1:11 pm

chechito wrote:
> Out. Bridge Port Filter works only when use-ip-firewall in bridge settings is enabled
>
> Bridging and Switching
> Bridge Settings
> https://help.mikrotik.com/docs/display/ ... geSettings

Thank you for your answer. Sadly, as you can see, it is enabled. I tried multiple configurations on the bridge, and also tried disabling HW and fast path, but this had no effect either.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
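
The prerequisite discussed in this thread can be checked mechanically against a RouterOS export. The following is an added example, not code from any poster or from MikroTik: it parses an export (including backslash-continued lines) and lists enabled firewall rules that use `in-bridge-port` or `out-bridge-port`, together with whether `use-ip-firewall=yes` is set under `/interface bridge settings`. The function names and the condensed sample export are assumptions made for illustration.

```python
import shlex

BRIDGE_MATCHERS = ("in-bridge-port", "out-bridge-port")
# Constructed sample, condensed from the export posted in the thread.
SAMPLE_EXPORT = r"""
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip firewall mangle
add action=mark-packet chain=forward comment="Mark download packet Destiny" in-interface=ether1 new-packet-mark=Destiny_DL_Packets out-bridge-port=\
    ether24 passthrough=yes
add action=mark-packet chain=forward comment="Mark upload packet Destiny" connection-mark=All_Internet_Connection in-bridge-port=ether24 \
    new-packet-mark=Destiny_UL_Packets out-interface=ether1 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""

def parse_export(text):
    """Yield (section, command, properties) for each entry of a RouterOS export."""
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # trailing backslash: entry continues
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # menu path, e.g. /ip firewall mangle
            section = line
            continue
        words = shlex.split(line)        # keeps comment="a b c" as one token
        props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        yield section, words[0], props

def check_bridge_port_rules(text):
    """List enabled firewall rules matching on a bridge port, with prerequisite status."""
    entries = list(parse_export(text))
    use_ip_firewall = "no"               # RouterOS default when the setting is not exported
    for section, cmd, props in entries:
        if section == "/interface bridge settings" and cmd == "set":
            use_ip_firewall = props.get("use-ip-firewall", use_ip_firewall)
    findings = []
    for section, cmd, props in entries:
        used = [m for m in BRIDGE_MATCHERS if m in props]
        if cmd == "add" and "firewall" in (section or "") and used and props.get("disabled") != "yes":
            findings.append({"section": section, "comment": props.get("comment", ""),
                             "matchers": used, "prerequisite_met": use_ip_firewall == "yes"})
    return findings

print(check_bridge_port_rules(SAMPLE_EXPORT))
```

A result with `prerequisite_met` set to true only rules out this one setting; as reported in the thread, the out-bridge-port rule still did not count packets with it enabled.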
