Hi!
I have Mikrotik based on arm64 (12XS-2XQ). I'm setting up simple isolated network using a bridge with added interfaces.
RouterOS newest -> 7.13.2 (stable)
I would like to filer out any traffic that could appear - now it is only DHCP Discovery from servers' NICs.
I read about Bridge filter option, but cannot get it to work.
I have setup bridge to use:
Use IP Firewall -> Enabled
Allow Fast Path -> Enabled
And created filter rule:
Bridge -> Filters:
Chain=input action=drop in-interface-list=stream bridge (but also is the same without this) mac-protocol=ip src-address=0.0.0.0/0 dst-port=67-68 ip-protocol=udp
That's all.
I have counter of packets that are related to the rule -> and it increases, so it looks like working.
However I'm checking the arrival traffic on one of the NICs by wireshark - and the packets are incoming there despite of the rule.
The amount of packets is the same as in counter in the filter.
How to have this option working? That would be the simplest for me in order to filter this traffic.
By the way - how is possible to disable support for ICMPv6? Can it be done also by filter rules on the bridge?
Thanks, best regards
I have Mikrotik based on arm64 (12XS-2XQ). I'm setting up simple isolated network using a bridge with added interfaces.
RouterOS newest -> 7.13.2 (stable)
I would like to filer out any traffic that could appear - now it is only DHCP Discovery from servers' NICs.
I read about Bridge filter option, but cannot get it to work.
I have setup bridge to use:
Use IP Firewall -> Enabled
Allow Fast Path -> Enabled
And created filter rule:
Bridge -> Filters:
Chain=input action=drop in-interface-list=stream bridge (but also is the same without this) mac-protocol=ip src-address=0.0.0.0/0 dst-port=67-68 ip-protocol=udp
That's all.
I have counter of packets that are related to the rule -> and it increases, so it looks like working.
However I'm checking the arrival traffic on one of the NICs by wireshark - and the packets are incoming there despite of the rule.
The amount of packets is the same as in counter in the filter.
How to have this option working? That would be the simplest for me in order to filter this traffic.
By the way - how is possible to disable support for ICMPv6? Can it be done also by filter rules on the bridge?
Thanks, best regards
Statistics: Posted by UserMT — Sat Jan 20, 2024 1:22 am