dlynes
newbie
Topic Author
Posts: 32
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada

Bridge Filters Don't Seem to be working

Thu Sep 02, 2021 3:19 pm

It doesn't seem to matter what I put into the bridge filters for 7.0b4 or 7.1rc2. Hardware offloading or no hardware offloading. Fast forward or no fast forward. Allow fast path or disallow fast path. Block by destination MAC address, or block by destination IP address. Input or forward. Adding a switch rule from one port to another port (that are in the bridge) and copy to the cpu.

Nothing seems to help block the traffic bound for a particular public IP on a device that's on the bridge. The device is connected directly to the bridge. It is not connected via another switch. The Internet feed is also connected directly to the bridge.

I've followed every example I can find on the forums for RouterOS 6 to no avail. What worked on RouterOS 6 does not appear to work for RouterOS 7.

Thanks for any help.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Bridge Filters Don't Seem to be working

Thu Sep 02, 2021 3:24 pm

This works fine on ROSv7.1rc2 (ping request timed out):

/interface bridge filter
add action=drop chain=forward dst-mac-address=E4:8D:8C:B0:DE:37/FF:FF:FF:FF:FF:FF

Could you share a code example and your test setup?
 
dlynes
newbie
Topic Author
Posts: 32
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada

Re: Bridge Filters Don't Seem to be working

Thu Sep 02, 2021 3:51 pm

# sep/02/2021 05:42:10 by RouterOS 7.1rc2
# software id = MXUY-2KEQ
#
# model = CCR2004-16G-2S+
# serial number = HAW073H26RE
/interface bridge
add name=bridge-wan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-to-navigata
set [ find default-name=ether3 ] disabled=yes name=ether3-to-billing-server
set [ find default-name=ether16 ] name=ether16-to-backside
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge filter
add action=drop chain=forward comment="Drop all" dst-mac-address=\
00:14:5E:17:5E:24/FF:FF:FF:FF:FF:FF log=yes log-prefix=BILLING
/interface bridge host
add bridge=bridge-wan comment="Billing Server" interface=ether3-to-billing-server \
mac-address=00:14:5E:17:5E:24
/interface bridge port
add bridge=bridge-wan hw=no ingress-filtering=no interface=ether1-to-navigata
add bridge=bridge-wan hw=no ingress-filtering=no interface=ether2
add bridge=bridge-wan hw=no ingress-filtering=no interface=ether3-to-billing-server
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set tcp-syncookies=yes
/interface ethernet switch rule
add copy-to-cpu=yes disabled=yes ports=ether1-to-navigata,ether3-to-billing-server \
switch=switch1
/interface l2tp-server server
set enabled=yes l2tpv3-circuit-id="" l2tpv3-cookie-length=0 \
l2tpv3-digest-hash=md5 use-ipsec=yes
/interface sstp-server server
set enabled=yes pfs=yes
/ip address
add address=10.1.1.4/24 interface=ether16-to-backside network=10.1.1.0
add address=5.0.0.4/26 interface=bridge-wan network=5.0.0.0
/ip dns
set servers=8.8.8.8,4.2.2.4
/ip firewall address-list
add address=1.0.0.0 comment="Hammer Software VPN" list=admin-list
add address=2.0.0.0 comment="Hammer Software Virtual Hosting Server" \
list=admin-list
add address=3.0.0.0 comment="Head office" list=admin-list
add address=4.0.0.0 comment="Head office" list=admin-list
add address=5.0.0.2 comment="Other VPN" list=admin-list
add address=5.0.0.62 comment="Other Firewall" list=admin-list
add address=172.16.254.0/24 comment="temporary VPN" list=\
admin-list
/ip firewall filter
add action=jump chain=input comment="Control access to router from Internet" \
dst-address=5.0.0.4 in-interface=bridge-wan jump-target=WAN
add action=accept chain=WAN comment=\
"Allow ICMP access to router from anywhere" protocol=icmp
add action=accept chain=WAN comment="Allow SSTP from anywhere" dst-port=443 \
protocol=tcp
add action=accept chain=WAN comment="ESTABLISHED, RELATED" connection-state=\
established,related
add action=accept chain=WAN comment=\
"Allow access to privileged TCP ports from whitelisted IPs" dst-port=\
20,21,22,23,53,80,161,443,2000,8291,8728,8729 protocol=tcp \
src-address-list=admin-list
add action=accept chain=WAN comment=\
"Allow access to privileged UDP ports from whitelisted IPs" dst-port=\
53,161,2000 protocol=udp src-address-list=admin-list
add action=accept chain=WAN comment="Allow access to L2TP/ipsec" dst-port=\
500,1701,4500 protocol=udp
add action=accept chain=WAN comment="Allow access to ipsec" protocol=\
ipsec-esp
add action=drop chain=WAN comment="Drop everything else"
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
5.0.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add local-address=172.16.254.1 name=dlynes remote-address=172.16.254.2
/system clock
set time-zone-name=America/Vancouver
/system identity
set name="Core Router"
/system package update
set channel=testing
/tool sniffer
set file-limit=100000KiB file-name=comvida.pcap filter-interface=bridge-wan
 
dlynes
newbie
Topic Author
Posts: 32
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada

Re: Bridge Filters Don't Seem to be working

Thu Sep 02, 2021 6:38 pm

Export has been sanitized.

Brief diagram of how it's connected
Internet -> [ether1 BRIDGE ether3] -> Billing Server

I want to block everything on the billing server except HTTPS.
 
dlynes
newbie
Topic Author
Posts: 32
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada

Re: Bridge Filters Don't Seem to be working

Thu Sep 02, 2021 6:39 pm

I've got it working after I enabled 'use ip firewall' in the bridge settings, and now I'm using the raw ip firewall table.

However, I have to wonder which is the better way of getting it to work.
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: Bridge Filters Don't Seem to be working

Fri Sep 03, 2021 9:50 am

> I've got it working after I enabled 'use ip firewall' in the bridge settings, and now I'm using the raw ip firewall table.
>
> However, I have to wonder which is the better way of getting it to work.

The problem with use-ip-firewall is that it affects only the traffic that goes through the CPU and does not affect hardware bridging. Take a look at switch ACL rules instead (/in/eth/switch/rule). ACL rules are offloaded to the hardware and, therefore, are applied by the switch chip and do not use the CPU resources.

EDIT: Sorry, I didn't pay attention that you are using CCR2004-16G-2S+. It has 88E6191X switch chip, which, unfortunately, does not support ACL rule offloading.
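For readers in the same situation (bridge filter rules that never match on the affected 7.1 builds, and no switch ACL offloading on the CCR2004), the following is an added example of the use-ip-firewall workaround that dlynes describes, written as a RouterOS configuration fragment; it is not from the thread or from MikroTik. It assumes the interface names from the sanitized export above (ether1-to-navigata facing the Internet, ether3-to-billing-server facing the server), uses the placeholder BILLING_SERVER_IP for the server's address, and assumes that the in-bridge-port matcher is available in the raw table as it is in the filter table. Since the export already has hw=no on every bridge port, all of this traffic crosses the CPU anyway, so raimondsp's caveat about hardware bridging costs nothing extra here.

```routeros
# Added example, not from the thread. Assumes the interface names from
# dlynes' export and a placeholder server IP; replace BILLING_SERVER_IP
# with the real address before use.

# Send bridged IP traffic through the IP firewall (prerouting/forward/
# postrouting). Non-IP frames such as ARP are not affected by this.
/interface bridge settings
set use-ip-firewall=yes

# Only frames that enter on the Internet port and are addressed to the
# server are restricted; replies leaving via ether1 are never matched.
/ip firewall raw
add chain=prerouting comment="Billing server: allow HTTPS only" \
    in-bridge-port=ether1-to-navigata dst-address=BILLING_SERVER_IP \
    protocol=tcp dst-port=443 action=accept
add chain=prerouting comment="Billing server: drop everything else" \
    in-bridge-port=ether1-to-navigata dst-address=BILLING_SERVER_IP \
    action=drop log=yes log-prefix=BILLING

# Verification: on an affected build the raw counters climb while the
# bridge filter counters stay at zero, which is the symptom reported here.
/ip firewall raw print stats
/interface bridge filter print stats
/log print where message~"BILLING"
```

The raw table is stateless: the drop rule will also discard return traffic for connections the server opens towards the Internet (DNS lookups, updates), because those replies arrive on ether1 with the server as destination and a port other than 443. If the server needs outbound access, place the same two matches in /ip firewall filter chain=forward with an accept for connection-state=established,related ahead of the drop, at the cost of connection tracking on the CPU.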
 
kormenator
just joined
Posts: 4
Joined: Thu Sep 02, 2021 4:51 pm

Re: Bridge Filters Don't Seem to be working

Fri Oct 29, 2021 7:15 am

I'm having exactly the same problem with CCR2004-16G-2S+ and RouterOS 7.1rc5; no matter what I put into the bridge filters, nothing gets filtered. I also tried HW offloading on/off, fast path on/off, etc.

The IP firewall filtering works, so I'm using that for now, but I would like to filter by dst MAC, and I can't do that with ip firewall.
 
Knoblauch
just joined
Posts: 6
Joined: Sun Dec 02, 2018 2:28 pm

Re: Bridge Filters Don't Seem to be working

Tue Nov 16, 2021 8:16 pm

The same here using v7.1rc5 on CCR2004-16G-2S+

I have bridge filters allowing IPv6 for some destination MAC addresses on a VLAN out-interface and dropping everything else.

The counter stays at 0 (zero)... I switch back to v6.49 and everything is fine.

MT please investigate...Thank you!
 
dlynes
newbie
Topic Author
Posts: 32
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada

Re: Bridge Filters Don't Seem to be working

Tue Nov 16, 2021 10:38 pm

Hello Raymond,

Is this why the bridge filter doesn't work, i.e. because it's a switch chip? If so, why is the bridge filter section visible if it's not usable?

> > I've got it working after I enabled 'use ip firewall' in the bridge settings, and now I'm using the raw ip firewall table.
> >
> > However, I have to wonder which is the better way of getting it to work.
>
> The problem with use-ip-firewall is that it affects only the traffic that goes through the CPU and does not affect hardware bridging. Take a look at switch ACL rules instead (/in/eth/switch/rule). ACL rules are offloaded to the hardware and, therefore, are applied by the switch chip and do not use the CPU resources.
>
> EDIT: Sorry, I didn't pay attention that you are using CCR2004-16G-2S+. It has 88E6191X switch chip, which, unfortunately, does not support ACL rule offloading.
 
Mackila
just joined
Posts: 3
Joined: Fri Oct 01, 2021 9:45 pm

Re: Bridge Filters Don't Seem to be working

Sun Nov 21, 2021 3:54 am

Hi,

Same problem here. Bridge filter rules not working on a CCR2004-16G-2S+.
I use them to change the VLAN CoS of DHCP packets from the DHCP client on the WAN side of the router (the ISP requires it).
/interface bridge
add fast-forward=no name=WAN-BRIDGE
[...]
/interface vlan
add interface=sfp1-WAN name="VLAN832 - WAN" vlan-id=832
[...]
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes \
    log-prefix="Set CoS 6 on DHCP requests" mac-protocol=ip new-priority=6 \
    out-bridge=WAN-BRIDGE passthrough=yes
[...]
/interface bridge port
add bridge=WAN-BRIDGE ingress-filtering=no interface="VLAN832 - WAN"
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
[...]
Exact same configuration works flawlessly on a HexS (but HexS does not have 10G ports...).

For now, I use a CRS305 connected to SFP1 of CCR2004 to handle the change (running SwitchOS, using an ACL rule).
I tried setting simple rules, so I could see counters. Whatever rule I add, whatever settings (fast path y/n, fast forward y/n, IP firewall y/n) I use, counters stay at 0. No bridge filter rules are working.

CCR2004-16G-2S+ is currently running ROS 7.1rc6.

- Mackila
 
dmfr
newbie
Posts: 44
Joined: Thu Oct 15, 2020 11:14 am

Re: Bridge Filters Don't Seem to be working

Mon Nov 22, 2021 2:02 pm

Interesting.
I've reported the same issue for the RB4011 as well:
viewtopic.php?t=167633

However, for this device (RB4011) at least, it is now working from rc3.
 
Knoblauch
just joined
Posts: 6
Joined: Sun Dec 02, 2018 2:28 pm

Re: Bridge Filters Don't Seem to be working

Wed Dec 22, 2021 9:55 am

v7.2rc1 on CCR2004-16G-2S+ still does not filter the bridge.
I have a VLAN interface added to a bridge and try to drop the IPv6 MAC protocol on that out-interface using a bridge filter. The counters stay at zero and nothing gets dropped. Because it is working fine in v6.49, I assume it is related to the v7 internal bridge filter handling. It would be nice if MikroTik could test it and give a short reply if someone looks into it... at least the final v7 should be able to handle this task. Thanks, CK
 
kormenator
just joined
Posts: 4
Joined: Thu Sep 02, 2021 4:51 pm

Re: Bridge Filters Don't Seem to be working

Wed Feb 02, 2022 9:57 am

The changelog for 7.2rc2 claims that this issue has been fixed:
*) bridge - fixed bridge filter and NAT rules on ARM64 and TILE devices;

It will take a few days until I can test this with mine.
 
Knoblauch
just joined
Posts: 6
Joined: Sun Dec 02, 2018 2:28 pm

Re: Bridge Filters Don't Seem to be working

Sat Feb 12, 2022 3:45 pm

It's working now on my brand new CCR2116-12G-4S+ under 7.2rc3.

But this hardware has a nice switch chip so I don't need it anymore ;-)
My older CCR2004-1G-12S+2XS could not handle switch ACL.

Actually I opened a MT ticket after my last post here and got the following reply:
"We have managed to reproduce the issue locally in our labs and look forward to fixing it on upcoming RouterOS versions..."

So there was some positive action on it...
 
dlynes
newbie
Topic Author
Posts: 32
Joined: Tue Apr 12, 2016 9:08 pm
Location: Hamilton, Canada

Re: Bridge Filters Don't Seem to be working

Sat Feb 12, 2022 4:53 pm

Now if only L2TP/IPsec got fixed on both RouterOS 7 and Windows 10/11. Then we'd all be happy :)
