I’m not sure I’m going about this the right way…
I have 3 static IPs from my ISP that are all in the same subnet with the same gateway. One address is used for the router (RB3011 – 6.43.8) on a bridge, ports 1-3. The ISP is plugged into port 1. Ports 2 and 3 are for a web server and an email server. The LAN is on port 5 and a separate LAN for my workbench (customer’s equipment) is on a bridge using ports 6-8.
I cannot get IP-Filter rules to work. I’d like to set filter rules to only allow traffic to designated ports on the web server and email server while blocking all ports to the LAN subnets.
What am I doing wrong?
/interface bridge
add name=bridge1-Internet
add name=bridge2-WorkRoom
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1-Internet interface=ether1
add bridge=bridge1-Internet interface=ether2
add bridge=bridge1-Internet interface=ether3
add bridge=bridge2-WorkRoom interface=ether6
add bridge=bridge2-WorkRoom interface=ether7
add bridge=bridge2-WorkRoom interface=ether8
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=10.10.99.5/24 interface=ether5 network=10.10.99.0
add address=10.10.97.1/25 interface=bridge2-WorkRoom network=10.10.97.0
add address=207.174.237.157/24 interface=bridge1-Internet network=207.174.237.0
/ip firewall filter
add action=accept chain=input connection-state=established,related \
    in-interface=bridge1-Internet
add action=accept chain=input dst-address=207.174.237.241 dst-port=25,80,443,995 \
    in-interface=bridge1-Internet protocol=tcp
add action=accept chain=input in-interface=bridge1-Internet protocol=icmp
add action=drop chain=input in-interface=bridge1-Internet
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1-Internet
add action=dst-nat chain=dstnat dst-address=207.174.237.157 \
    dst-port=80 protocol=tcp to-addresses=10.10.99.8
/ip route
add distance=1 gateway=207.174.237.1
/tool user-manager database
set db-path=user-manager
Answer
It’s because of set use-ip-firewall=yes:
‘Force bridged traffic to also be processed by prerouting, forward and postrouting sections of IP routing’ (Bridge_Settings)
Using a bridge is like using a hardware switch with 4 ports (ISP-eth2-eth3-router) before your router.
add action=accept chain=input dst-address=207.174.237.241 dst-port=25,80,443,995 in-interface=bridge1-Internet protocol=tcp
– this rule allows TCP for the router and has no effect inside the bridge.
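As an added example (not part of the question or the answer), this is the shape the filter takes when the per-server rules are moved from the input chain into the forward chain, which is the chain bridged ether1-to-ether2/ether3 traffic traverses once use-ip-firewall=yes is set. It assumes the layout described in the question, uses the in-bridge-port matcher that the IP firewall offers for bridged packets (assumed available on the asker's 6.43.8), keeps 207.174.237.241 from the original rule, and uses MAIL_SERVER_IP as a placeholder because the question does not give the mail server's address.

```routeros
# Added example, not the asker's configuration.
# Assumes: ether1 = ISP uplink, ether2/ether3 = web and mail servers, all on
# bridge1-Internet with /interface bridge settings use-ip-firewall=yes.
# MAIL_SERVER_IP is a placeholder; 207.174.237.241 comes from the question.

/ip firewall filter
# Input chain only covers traffic addressed to the router itself.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=bridge1-Internet protocol=icmp action=accept
add chain=input in-interface=bridge1-Internet action=drop

# Forward chain is where bridged server traffic is seen with use-ip-firewall=yes.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop

# Web server: HTTP/HTTPS only, and only for packets that entered via the ISP port.
add chain=forward in-bridge-port=ether1 connection-state=new \
    dst-address=207.174.237.241 protocol=tcp dst-port=80,443 action=accept

# Mail server: SMTP and POP3S only (placeholder address).
add chain=forward in-bridge-port=ether1 connection-state=new \
    dst-address=MAIL_SERVER_IP protocol=tcp dst-port=25,995 action=accept

# Toward the LAN, allow only what the existing dst-nat rule publishes.
add chain=forward in-bridge-port=ether1 connection-nat-state=dstnat \
    connection-state=new action=accept

# Everything else that enters on the ISP port is dropped: other server ports,
# the 10.10.99.0/24 LAN and the 10.10.97.0/25 workbench bridge.
add chain=forward in-bridge-port=ether1 connection-state=new action=drop
```

Matching on in-bridge-port=ether1 rather than in-interface=bridge1-Internet matters because a bridged packet has bridge1-Internet as both its in- and out-interface, so an in-interface drop would also cut off the servers' own outbound connections.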
Attribution
Source: Link, Question Author: com-guy, Answer Author: dash1121