Hello,

I am having a dreadful time getting results from a bridge firewall rule. I have my computer pinging 8.8.8.8 on ether3 and I have net on ether5. With the following bridge firewall filter, I expect to have a pause in my pinging but I do not. I have tried different IN and OUT interfaces, but this more general rule should include all traffic on the bridge... I think. I usually use firewall in a routed scenario but need to filter traffic to an IP phone via a bridge config so that I don't add an additional NAT. The configuration follows:

/interface bridge
add name=bridge1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge filter
add action=drop chain=forward
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether3
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0

This seem like it should be simple. Any thoughts or suggestions are very helpful!

Interesting thought! I will give that a shot and report back!

I do not see any reason to use Bridge Firewall so that you block access to the Internet... Just use Firewall Filter...
By enabling the firewall filter in the Bridge you just force the Bridge traffic to pass through prerouting, forward and postrouting chains...
There are specific reasons to enable the Bridge filter...

I was not successful by turning off bridge firewall. On another note, I was not successful with IP firewall either. I actually tried that method first. I will retry IP Firewall and post the config later today.

There are many ways you could do that on Firewall filter, one would be: With the above rule firewall will drop any attempt originated from the host 192.168.30.254 coming from the Bridge interface and has as exit interface my WAN ether1...
In case your computer is connected to a non Bridged port then you could as well:

I have no idea what your requirements are based on the first post.
how many groups of users,
what are the use cases (what should they be able to do)
How are they related to the port structure you setup.

Here is your error:
/interface bridge filter
add action=drop chain=forward...
Hardware offload can be an error as @sindy indicated, as long as Hardware offload is active e.g. when you see the H flag...

Unlike what we would use on IP Firewall Filter, notice that in case of the Bridge, when a host tries to access or communicate with e.g. 8.8.8.8 this is not a Forward action, at least not for the Bridge, since the destination is not another port of the bridge itself... Packet Flow Diagram can help you on that... https://help.mikrotik.com/docs/display/ ... n+RouterOS

Using Forward chain in the Firewall filter means we mark packets passing through the Router, routing decision takes place...
Using Forward Chain in the Bridge filter means we mark packets passing through the Bridge, bridging decision takes place...

So the correct chain here is the input...
For example The above rule will block any communication with the dst-address specified...

Take a look at the example from https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
You see that our in interface is the port2 from the bridge and destination is our wan port, PPPoE in that case...
What we see is that as far as the Bridge is concerned this is an input traffic...

Yes best if the smarter people stop guessing and let the OP explain his requirements more fully . ;-P

Yes best if the smarter people stop guessing and let the OP explain his requirements more fully . ;-P

I just felt lucky... i like guessing some times...

Yes but only rich people can afford to guess LOL,