 
losi29a
just joined
Topic Author
Posts: 12
Joined: Wed Jul 06, 2005 3:25 pm

Bridge Firewall

Thu Jul 07, 2005 12:17 pm

Hello!
I am interested in how the Bridge Firewall works. I have read the documentation, but there are still some questions remaining.

If there are, for example, 6 interfaces, and I want interfaces 1,2,3,4,5 not to send ARP requests to interface 6 except to the 10.0.0.1 and 10.0.0.2 addresses.
How should I do it? /Should I write the MAC addresses of 10.0.0.1 and 10.0.0.2 into the firewall rule?/

The problem was that I made a rule to
drop all arp
accept 10.0.0.1 arp
accept 10.0.0.2 arp and it didn't work... if I used only one "accept" it was OK, and it seems that the order of the rules is important.
Thanks for the help, Gabor from Hungary.
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Thu Jul 07, 2005 10:06 pm

Gabor

In the bridge properties you need to set it to pass ARP.

Then, in the firewall rules you need the accept commands before the deny. The order is important as rules are parsed top to bottom.

Regards

Andrew
 
losi29a
just joined
Topic Author
Posts: 12
Joined: Wed Jul 06, 2005 3:25 pm

Fri Jul 08, 2005 11:21 am

Hello!

I have looked for the things you wrote, but it's still not working...
When it "worked" it was because of my PC's ARP table :(
So could you tell me how the bridge firewall works?
To what depth does it explore Ethernet packets? Or ARP packets?
Thanks a lot: Gabor
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Fri Jul 08, 2005 1:23 pm

The problem is in your rules' order: first you need to accept the traffic you want and then drop everything else.
If you do it the other way (like you already did ;)) there will be nothing to accept -- everything will already have been dropped.
 
losi29a
just joined
Topic Author
Posts: 12
Joined: Wed Jul 06, 2005 3:25 pm

Fri Jul 08, 2005 1:38 pm

I have changed the order but it still does not work.
So please tell me, what is the depth of the inspection by the bridge firewall? At the Ethernet level? Or the ARP level?
ARP is a broadcast message, but my goal is that nobody could send an ARP request to 10.0.0.0, except to two stations, .1 and .2. Is it possible?
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Fri Jul 08, 2005 2:57 pm

/interface bridge firewall add mac-protocol=arp src-address=10.0.0.1/32 action=accept
/interface bridge firewall add mac-protocol=arp src-address=10.0.0.2/32 action=accept
/interface bridge firewall add mac-protocol=arp src-address=10.0.0.0/24 action=drop
should work
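To show why the rule order matters (the point Andrew and Roman both make), here is an added example that is not from the thread and not RouterOS code: a small Python simulation of first-match evaluation over Roman's three rules and over the drop-first order Gabor described in his first post. It only models the `mac-protocol` and `src-address` matchers that appear in the thread; real RouterOS bridge filter rules have many more fields.

```python
import ipaddress
import re

# Roman's three rules, in the order he posted them (accept before drop).
ROMAN_RULES = """
/interface bridge firewall add mac-protocol=arp src-address=10.0.0.1/32 action=accept
/interface bridge firewall add mac-protocol=arp src-address=10.0.0.2/32 action=accept
/interface bridge firewall add mac-protocol=arp src-address=10.0.0.0/24 action=drop
"""

# Gabor's original order (drop first, then accept), constructed from his
# description of "drop all arp / accept 10.0.0.1 / accept 10.0.0.2".
GABOR_RULES = """
/interface bridge firewall add mac-protocol=arp src-address=10.0.0.0/24 action=drop
/interface bridge firewall add mac-protocol=arp src-address=10.0.0.1/32 action=accept
/interface bridge firewall add mac-protocol=arp src-address=10.0.0.2/32 action=accept
"""


def parse_rules(text):
    """Parse the key=value pairs of each 'add' line into a dict, keeping rule order."""
    rules = []
    for line in text.strip().splitlines():
        if not line.strip().startswith("/interface bridge firewall add"):
            continue
        fields = dict(re.findall(r"(\S+?)=(\S+)", line))
        rules.append({
            "mac-protocol": fields.get("mac-protocol"),
            "src-address": (ipaddress.ip_network(fields["src-address"])
                            if "src-address" in fields else None),
            "action": fields["action"],
        })
    return rules


def evaluate(rules, mac_protocol, src_ip):
    """First-match semantics: walk the chain top to bottom; the first rule whose
    matchers all apply decides. 'no-match' means no rule in the chain touched it."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["mac-protocol"] is not None and rule["mac-protocol"] != mac_protocol:
            continue
        if rule["src-address"] is not None and src not in rule["src-address"]:
            continue
        return rule["action"]
    return "no-match"
```

With Roman's order, ARP from 10.0.0.1 is accepted and ARP from any other 10.0.0.0/24 host is dropped; with the drop rule first, the /24 drop matches 10.0.0.1 before its accept rule is ever consulted.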
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Fri Jul 08, 2005 5:15 pm

Would that be in v2.9 only?
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Mon Jul 11, 2005 11:26 am

It's in 2.8 also.