Hi all,

I'm facing a problem which drives me crazy. I've got a bridge with two interfaces in order to bridge the WAN traffic between my ISP and our DMZ in which we use public IPs. Everything works very well EXCEPT a specific part of firewalling the traffic. It is about being able to apply rules on the bridge according to input/output interfaces.

The firewall entry dialogue allows to define In. Bridge Port as well as Out. Bridge Port. My understanding is that this can be used to define the specific interface - as it is part of the bridge - for which the rule should be applied. But what ever I do, the firewall rule using this "matcher" does not get applied and is being ignored. In short, bridge in/out port seems not to work.

Did I get it wrong or could that be a problem/bug? I'm running RouterOS Level 6, version 6.37.1 on this device: CCR1036-8G-2S+

I would be very thankfull for any kind of advice/hint which helps to get this running, thanks.

Best regards.

dialsc

In bridge settings did you set the option to force bridge traffic through the firewall?

Yes, I think so. I activated "Use IP Firewall" in the bridge settings.

Been a while since I've done a filtered bridge. Maybe try and do a simple filter by just ip with logging and see what the log says the ports are, then go from there.

I tried that but the actual interface does not seem to be set. Only the bridge it self is set as out interface...

If that particular traffic is routed at all by that router and not just passing through the bridge, it would do that.

In other words, if the traffic is not just flowing through this single bridge, input and output interface are not available to the firewall/filter. Did I get the right?

The In-Bridge-Port and Out-Bridge-Port aren't set in that case. Interface will still be set, but to the incoming/outgoing bridges (or actual interfaces if they're not bridged.)

Okay, at least I know that I can stop working in that direction now. Honestly, I do not understand why it works that way as it would be soooo cool to have that information. Maybe that's a candidate for a feature request...

Anyway, thanks a lot for your help!

Greetings.

dialsc