quietgear
just joined
Topic Author
Posts: 3
Joined: Tue Jan 18, 2022 2:51 pm

Mac-address filtering on CRS305. Help to understand how to do it properly

Tue Jan 18, 2022 10:11 pm

Hi everyone,

This is my first post to this forum and it's my first experience with Mikrotik so please bear with me on this :)
I'm more used to managing Juniper devices.

You will find below a network diagram of my current setup.
Right now, even if the crs305-1g-4s+in is running RouterOS 7.1, I'm only using its switching capabilities.
At the moment everything is running in a flat layer 2, so it's the same broadcast domain on all ports.

[Image: network diagram of the current setup]


My goal is that I'd like PC1 (with MAC address AA:AA:AA:AA:AA:AA) to be able to reach only the gateway (with MAC address BB:BB:BB:BB:BB:BB), in a bi-directional manner, and that's it.

I've set up the MikroTik switch this way.

I have one bridge called "bridge":

[admin@sw01.home] > interface/bridge/ print
Flags: X - disabled, R - running
 0 R ;;; defconf
     name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=reply-only arp-timeout=auto mac-address=08:55:31:XX:XX:XX
     protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=08:55:31:XX:XX:XX ageing-time=5m
     priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100
     pvid=1 frame-types=admit-all ingress-filtering=yes dhcp-snooping=no

All ports are in the bridge and untagged in VLAN 11. I've renamed the interfaces in the Juniper style.

[admin@sw01.home] > interface/bridge/port print
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON
#    INTERFACE  BRIDGE  HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
;;; defconf
0  H ge-0/1/0   bridge  yes    11  0x80           1000                1000  none
;;; defconf
1  H xe-0/0/0   bridge  yes    11  0x80             10                  10  none
;;; defconf
2 IH xe-0/0/1   bridge  yes    11  0x80             10                  10  none
;;; defconf
3 IH xe-0/0/2   bridge  yes    11  0x80             10                  10  none
;;; defconf
4  H xe-0/0/3   bridge  yes    11  0x80             10                  10  none

[admin@sw01.home] > interface/bridge/vlan/ print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   bridge        11  bridge          ge-0/1/0
                                      xe-0/0/3
                                      xe-0/0/0
1 D bridge         1                  bridge

The MikroTik switch management IP address is on vlan.11, so it's not bound to a single interface.

[admin@sw01.home] > interface/vlan/ print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
#   NAME      MTU  ARP      VLAN-ID  INTERFACE
;;; Management Interface
0 R vlan.11  1500  enabled       11  bridge

[admin@sw01.home] > ip/address/ print
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS         NETWORK      INTERFACE
0 192.168.1.6/24  192.168.1.0  vlan.11

I thought what I wanted to achieve would need to be done in the interface/bridge/filter/ section of the configuration.
So, just to test this, I've created rules that don't drop anything but just count packets.
The forward chain doesn't log anything when PC1 reaches anything on another switch port.
The input/output chains match traffic to and from the MikroTik control plane (their counters get incremented when PC1 pings the MikroTik management interface).

Why don't the forward chains see anything?

[admin@sw01.home] > interface/bridge/filter/ print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Accept everything from PC1 to switch, count packets only
     chain=input action=accept in-interface=xe-0/0/0 in-bridge=bridge
     src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""

 1   ;;; Accept everything from PC1 that needs forwarding, count packets only
     chain=forward action=accept src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""

 2   ;;; Accept anything to PC1 that needs forwarding, count packets only
     chain=forward action=accept dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""

 3   ;;; Accept everything to PC1 from switch, count packets only
     chain=output action=accept dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF log=no log-prefix=""

[admin@sw01.home] > interface/bridge/filter/ print stats
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN    ACTION  BYTES  PACKETS
;;; Accept everything from PC1 to switch, count packets only
0 input    accept   3452       30
;;; Accept everything from PC1 that needs forwarding, count packets only
1 forward  accept      0        0
;;; Accept anything to PC1 that needs forwarding, count packets only
2 forward  accept      0        0
;;; Accept everything to PC1 from switch, count packets only
3 output   accept   2044       25
[admin@sw01.home] >

I actually found a workaround that does what I want, but it's not pretty and it's not quite filtering.
In the interface/ethernet/switch/rule/ configuration section, I actually allow traffic from the gateway to PC1 and from PC1 to the gateway, and rewrite the VLAN ID for everything else regarding PC1 so the traffic gets lost.

What I'm actually doing is:
- I allow the gateway MAC address to pass when traffic arrives on port xe-0/0/3.
- Everything else from this port going to PC1 gets rewritten to VLAN 666, so it doesn't get to PC1, which is in VLAN 11.
- Everything from the ge-0/1/0 port going to PC1 gets rewritten as well, so it doesn't get to PC1, which is in VLAN 11.

Actually, PC1 can send packets to anyone but won't get the response.

This is a quick and dirty fix that needs some improvement, but I would love to understand how to use the bridge filter section because I think I should be doing my config there.

[admin@sw01.home] > interface/ethernet/switch/rule/ print
Flags: X - disabled, I - invalid; D - dynamic
 0    switch=switch1 ports=xe-0/0/3 src-mac-address=BB:BB:BB:BB:BB:BB/FF:FF:FF:FF:FF:FF copy-to-cpu=no
      redirect-to-cpu=no mirror=no

 1    switch=switch1 ports=xe-0/0/3 dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF copy-to-cpu=no
      redirect-to-cpu=no mirror=no new-vlan-id=666

 2    switch=switch1 ports=ge-0/1/0 dst-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF copy-to-cpu=no
      redirect-to-cpu=no mirror=no new-vlan-id=666

Can someone help me understand this?

Thank you.
Last edited by quietgear on Thu Jan 27, 2022 5:21 pm, edited 4 times in total.
 
quietgear
just joined
Topic Author
Posts: 3
Joined: Tue Jan 18, 2022 2:51 pm

Re: Mac-address filtering on CRS305. Help to understand how to do it properly

Thu Jan 20, 2022 11:22 am

Anyone have an idea on this?
 
quietgear
just joined
Topic Author
Posts: 3
Joined: Tue Jan 18, 2022 2:51 pm

Re: Mac-address filtering on CRS305. Help to understand how to do it properly  [SOLVED]

Thu Jan 27, 2022 1:51 pm

Alright, I found the answer after doing some tests and reading the MikroTik wiki.

It looks like the forward chain in `interface/bridge/filter` only works when HW offloading is disabled, which is so sad :-( because the performance hit is way too important.

So it looks like the way to do hardware MAC-address filtering is to do it in `interface/ethernet/switch/rule/` and to do a VLAN rewrite.

At least I have my answer, I hope this will help people in the future looking at this.
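Added example (not code from the thread or from MikroTik): a small first-match model of the switch-rule workaround described in the first post and confirmed in the solution above, showing why PC1 can send to anyone but only gets replies from the gateway, and why the accept rule must come before the VLAN-rewrite rules. Port names, MAC addresses and VLAN IDs are the thread's own; the extra host CC:CC:CC:CC:CC:CC and the "first matching rule wins" evaluation order are assumptions.

```python
# Model of the CRS305 switch-rule ACL from the thread (added example, not
# the thread's own code). Assumption: rules are evaluated top-down and the
# first match decides the frame's fate.

PC1 = "AA:AA:AA:AA:AA:AA"
GATEWAY = "BB:BB:BB:BB:BB:BB"
OTHER = "CC:CC:CC:CC:CC:CC"   # constructed: some other host on the LAN
PC1_VLAN = 11                 # PC1's port is untagged in VLAN 11

# The thread's three rules, in printed order. A rule without new_vlan_id
# accepts the frame unchanged; one with new_vlan_id moves the frame into
# that VLAN, so a port untagged in VLAN 11 never sees it.
RULES = [
    {"ports": {"xe-0/0/3"}, "src": GATEWAY, "new_vlan_id": None},
    {"ports": {"xe-0/0/3"}, "dst": PC1, "new_vlan_id": 666},
    {"ports": {"ge-0/1/0"}, "dst": PC1, "new_vlan_id": 666},
]


def egress_vlan(rules, in_port, src, dst, vlan=PC1_VLAN):
    """VLAN the frame ends up in after the first matching rule (if any)."""
    for rule in rules:
        if in_port not in rule["ports"]:
            continue
        if "src" in rule and rule["src"] != src:
            continue
        if "dst" in rule and rule["dst"] != dst:
            continue
        return vlan if rule["new_vlan_id"] is None else rule["new_vlan_id"]
    return vlan  # no rule matched: forwarded as-is


def reaches_pc1(rules, in_port, src):
    """True if a frame addressed to PC1 stays in PC1's VLAN."""
    return egress_vlan(rules, in_port, src, PC1) == PC1_VLAN


def summary(rules=RULES):
    return {
        "gateway_reply": reaches_pc1(rules, "xe-0/0/3", GATEWAY),
        "other_via_xe3": reaches_pc1(rules, "xe-0/0/3", OTHER),
        "other_via_ge0": reaches_pc1(rules, "ge-0/1/0", OTHER),
        # PC1's own port xe-0/0/0 has no rules, so its outbound frames pass
        "pc1_outbound_ok": egress_vlan(rules, "xe-0/0/0", PC1, OTHER) == PC1_VLAN,
    }


if __name__ == "__main__":
    print("thread order:  ", summary(RULES))
    # Reversed order: the rewrite rule now catches the gateway's replies too.
    print("reversed order:", summary(RULES[::-1]))
```

With the rules in the thread's order only the gateway's replies reach PC1; with the rewrite rules placed first, the gateway's replies are rewritten to VLAN 666 as well.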
