mikcsek
just joined
Topic Author
Posts: 3
Joined: Mon Jan 23, 2023 9:18 pm

Block traffic from switch

Mon Jan 23, 2023 9:35 pm

Hi,
I would like to find the answer to a phenomenon: I have an ac2 router with a switch connected to it, and from this switch 400 Mbps of traffic is coming back to the MikroTik router. How can I block this traffic completely, so that nothing comes back from the switch?

The switch is connected to the eth 3 port of the MikroTik router, and the basic bridge is assigned.
No matter how I try, I can't block the incoming RX traffic on the eth 3 port. I tried filter rules and bridge filter.

Does anyone have any ideas? I would really appreciate it.

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 5    chain=input action=accept protocol=tcp src-address=xx.xx.xx.xx dst-port=8291 log=no log-prefix="" 

 6    chain=input action=accept protocol=tcp src-address=xx.xx.xx.xx  dst-port=8291 log=no log-prefix="" 

 7    chain=input action=accept protocol=tcp src-address=xx.xx.xx.xx  dst-port=8291 log=no log-prefix="" 

 8    chain=input action=accept protocol=tcp src-address=xx.xx.xx.xx  dst-port=8291 log=no log-prefix="" 

 9    chain=input action=accept protocol=tcp src-address=xx.xx.xx.xx  dst-port=8291 log=no log-prefix="" 

10    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

11    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

12    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

13    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 

14    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

15    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

16    chain=forward action=drop src-address=10.10.10.10 in-interface-list=LAN log=no log-prefix="" 

17    chain=forward action=drop src-address=10.10.80.60 in-interface-list=LAN log=no log-prefix="" 

18    chain=forward action=drop src-address=16.16.16.16 in-interface-list=LAN log=no log-prefix="" 

19    chain=forward action=drop src-address=192.168.2.0/24 in-interface-list=LAN log=no log-prefix="" 

20    chain=forward action=drop src-address=192.168.3.0/24 in-interface-list=LAN log=no log-prefix="" 

21    chain=forward action=drop src-address=192.168.20.0/24 in-interface-list=LAN log=no log-prefix="" 

22    chain=forward action=drop src-address=192.168.88.0/24 in-interface-list=LAN log=no log-prefix="" 

23    chain=forward action=drop src-address=192.168.100.0/24 in-interface-list=LAN log=no log-prefix="" 

24    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 

25    chain=output action=drop dst-address=xx.xx.xx.xx  out-interface=ether1 log=no log-prefix=""
Last edited by BartoszP on Mon Jan 23, 2023 11:25 pm, edited 1 time in total.
Reason: Use proper tags: quote to quote, code for code - keep forum tidy
 
anav
Forum Guru
Posts: 19109
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Block traffic from switch

Mon Jan 23, 2023 11:30 pm

Remove the ethernet cable from ether3 solved..........
 
mikcsek
just joined
Topic Author
Posts: 3
Joined: Mon Jan 23, 2023 9:18 pm

Re: Block traffic from switch

Tue Jan 24, 2023 8:04 am

Wonderful comment, thank you, but there is a reason why the switch is connected. I need to pass something from the router to the switch, but I need to prevent a lot of data from going backwards.
 
BartoszP
Forum Guru
Posts: 2865
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Block traffic from switch  [SOLVED]

Tue Jan 24, 2023 9:22 am

There is no way to block incoming traffic from a switch. You can filter it and do let pass it to the rest of network. Not more.
This traffic is as a crowd waiting to enter the venue. You can pass only validated ones but you can not stop the new ones to clog gates trying to get into without tickets :)
 
mikcsek
just joined
Topic Author
Posts: 3
Joined: Mon Jan 23, 2023 9:18 pm

Re: Block traffic from switch

Sun Jan 29, 2023 5:38 pm

Thank you for your reply. It is clear. Then I guess there is no way to prevent traffic on the interface where the switch is connected, just filter out what it needs and let it pass, but it will still show 400 Mbit traffic on the interface. I tried prerouting; it solved the excessive CPU usage, but the traffic was still present on the interface.

Since then, by the way, the switch has been configured to not allow outbound traffic on that port.
