Specifically trying to send only one VLAN's traffic to the firewall:
# RB5009
/interface bridge
add dhcp-snooping=yes fast-forward=no frame-types=admit-only-vlan-tagged name=bridge_lan port-cost-mode=short pvid=1111 vlan-filtering=yes
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge port
add bridge=bridge_lan interface=ether1 internal-path-cost=10 path-cost=10 pvid=2000
# And others
/interface vlan
add interface=bridge_lan name=vlan_dodgy_3000 vlan-id=3000
# And others
/interface ethernet switch rule
add ports=ether1 redirect-to-cpu=yes vlan-id=3000 switch=switch1
I've tried to make the rule also change the VLAN ID to match the bridge VLAN ID, to ID 1 and ID 0 (just because). As soon as I enable the switch rule, a ping across the interface to another in the bridge stops working, but the packet sniffer on the router starts to see packets on ether1. Then they just vanish. I can't capture them on the bridge and a firewall forward rule using IP address and not interfaces does not match anything.
I can do what I want if I disable hardware offload on the ports, but since I only really need very low bandwidth traffic to be firewalled I'd prefer to make this work in the same way I do for a CSS switch that is configured to forward all packets for a specific VLAN out to the port connected to the router.