H(a)i,
Konfig related for Problem:
/interface eoip
add arp=enabled comment="" disabled=no mac-address=00:00:5E:80:00:06 mtu=1500 name="eoip-tunnel4" remote-address=10.0.9.1 tunnel-id=4
/interface bridge
name="HOTSPOT" priority=0x8000 protocol-mode=rstp transmit-hold-count=6
/interface bridge port
add bridge=HOTSPOT comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=eoip-tunnel5 path-cost=10 point-to-point=auto priority=0x80
/ip dhcp-server
add address-pool=NAT authoritative=after-2sec-delay bootp-support=static disabled=no interface=HOTSPOT lease-time=2h30m name="HotSpot"
/ip dhcp-server network
add address=192.168.222.0/24 comment="" dns-server=192.168.222.1 domain="ddlan.local" gateway=192.168.222.1 netmask=24
/ip address
add address=192.168.222.1/24 broadcast=192.168.222.255 comment="hotspot network" disabled=no interface=HOTSPOT network=192.168.222.0
/ip firewall filter
add action=drop chain=input comment="drop invalid" connection-state=invalid disabled=no protocol=tcp
add action=accept chain=input comment="established related" connection-state=established disabled=no protocol=tcp
add action=accept chain=input comment="" connection-state=related disabled=no protocol=tcp
add action=accept chain=input comment="ICMP ratenlimitiert" disabled=no limit=50/5s,2 protocol=icmp
add action=drop chain=input comment="" disabled=no protocol=icmp
add action=accept chain=input comment="DNS" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=53 protocol=udp
add action=accept chain=input comment="DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=67-68 protocol=udp
add action=drop chain=input comment="drop all" disabled=no
over the tunnel works DHCP, DNS works only when last firewall rule is disabled.
/interface bridge settings> pr
use-ip-firewall: yes
use-ip-firewall-for-vlan: no
/interface bridge settings> pr
use-ip-firewall: no
use-ip-firewall-for-vlan: no
no changes by problem
mfg
Thomas Böttcher
sorry for my english
Re: Bug in RC11 Bridge
Hmm, I have same problem, FW rules not work very well with bridge !
I can't control interfaces included in bridge ! 2.9.xx versions work well. I turn on IP firewall on bridge settings.
I can't control interfaces included in bridge ! 2.9.xx versions work well. I turn on IP firewall on bridge settings.
Bug is not only in the Bridge
Same problem on ether1,
/ip firewall filter
add action=accept chain=input comment="DNS" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=input comment="drop all" disabled=no
no Access to DNS when drop rule enabled
/ip firewall filter
add action=accept chain=input comment="DNS" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=input comment="drop all" disabled=no
no Access to DNS when drop rule enabled
Re: Bug in RC11 Bridge
have you set
is that vaule is still no and your bridge is bypassing all the ip filter rules?
Code: Select all
/interface bridge> settings set use-ip-firewall=yes 
)Solved: Bug in RC11 Bridge
Hi,
i added the red line and this works
/ip firewall filter
add action=accept chain=input comment="" connection-state=established disabled=no protocol=udp
add action=accept chain=input comment="DNS" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=input comment="drop all" disabled=no
mfg
THomas Böttcher
i added the red line and this works
/ip firewall filter
add action=accept chain=input comment="" connection-state=established disabled=no protocol=udp
add action=accept chain=input comment="DNS" disabled=no dst-port=53 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=53 protocol=udp
add action=drop chain=input comment="drop all" disabled=no
mfg
THomas Böttcher