I'm pretty new to RouterOS and I don't manage filtering rules getting applied to a bridge on my RB5009UG+S+ (ROS 7.1.1).
So I've got a few crappy devices in my network that do "support" IPv6, but stop working properly, once they gain v6 connectivity. Neveltheless I want those devices to be in my regular L2 network.
So I have my regular vlan10 for all my devices with full IPv4 and IPv6 support. Now I was trying set up another vlan14, which I wanted to bridge with my regular vlan10, yet I was setting up filter rules, that drop any ipv6 packets by ethertype.
In other words:
Code: Select all
# jan/04/2022 19:00:00 by RouterOS 7.1.1
# model = RB5009UG+S+
#
/interface bridge
add fast-forward=no name=lan protocol-mode=none
/interface vlan
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan14 vlan-id=14
/interface bridge port
add bridge=lan hw=no interface=vlan10
add bridge=lan hw=no interface=vlan14
/interface bridge filter
add action=drop chain=forward in-bridge=lan mac-protocol=ipv6 in-interface=vlan14
add action=drop chain=forward out-bridge=lan mac-protocol=ipv6 out-interface=vlan14
# add action=drop chain=forward comment="drop all" log=yes log-prefix=bridge-drop
/interface bridge settings
set allow-fast-path=no use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
# set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/interface ethernet switch port-isolation
# set 0 forwarding-override=switch1-cpuAnd it works nicely - just that no filter rules apply at all. I've been commenting out a few variations above that I also tried, yet the result is alway the same:
All traffic is being forwarded, even when I drop ALL traffic in the forward chain for bridging. All kinds of cpu-offloading by hardware is turned off and yet all traffic goes through, all rule counters are stuck at zero. Yet when I remove/disable one of the vlan-"ports" in either bridge or iterfaces, the traffic will stop. Thus I assume the traffic is indeed actively bridged by the cpu.
I've done similar setups before using ebtables directly on a linux box, and it always worked nicely. Thus I assumed I could do the same using ROS.
EDIT: Abusing the Bridge-NAT tables for filtering still results in all traffic passing through without any effect:
Code: Select all
/interface bridge nat
add action=drop chain=srcnat log=yes log-prefix=snat-drop mac-protocol=ipv6 out-bridge=lan out-interface=vlan14
add action=drop chain=dstnat in-bridge=lan in-interface=vlan14 log=yes log-prefix=dnat-drop mac-protocol=ipv6EDIT2: I just didn't get over it and got me some random arch linux box laying around and it worked right away as expected:
Code: Select all
ip link add name lan type bridge
ip link add link eth0 name vlan10 type vlan id 10
ip link add link eth0 name vlan14 type vlan id 14
ip link set dev eth0 up
ip link set dev vlan10 up
ip link set dev vlan14 up
ip link set dev lan up
ebtables -P FORWARD DROP
ebtables -A FORWARD --protocol ARP -j ACCEPT
ebtables -A FORWARD --protocol IPv4 -j ACCEPT
ip link set vlan10 master lan
ip link set vlan14 master lanWhat setting am I missing, so that my filter rules don't apply at all?
What am I messing up using ROS when I can easily manage using a regular linux distro?
I'm kinda lost and any help or suggestions are highly appreciated.
