Mikrotik – Using bridge for WAN/DMZ

I’m not sure I’m going about this the right way…

I have 3 static IPs from my ISP that are all in the same subnet with the same gateway. One address is used for the router (RB3011 – 6.43.8) on a bridge, ports 1-3. ISP is plugged into port 1. Ports 2 and 3 are for a webserver and an email server. LAN is on port 5 and a separate LAN for my workbench (customer’s equipment) is on a bridge using ports 6-8.

I cannot get IP-Filter rules to work. I’d like to set filter rules to only allow traffic to designated ports on the web server and email server while blocking all ports to the LAN subnets.

What am I doing wrong?

/interface bridge 
add name=bridge1-Internet 
add name=bridge2-WorkRoom 
/interface wireless security-profiles 
set [ find default=yes ] supplicant-identity=MikroTik
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1-Internet interface=ether1
add bridge=bridge1-Internet interface=ether2
add bridge=bridge1-Internet interface=ether3
add bridge=bridge2-WorkRoom interface=ether6
add bridge=bridge2-WorkRoom interface=ether7
add bridge=bridge2-WorkRoom interface=ether8
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=10.10.99.5/24 interface=ether5 network=10.10.99.0
add address=10.10.97.1/25 interface=bridge2-WorkRoom network=10.10.97.0
add address=207.174.237.157/24 interface=bridge1-Internet network=207.174.237.0
/ip firewall filter
add action=accept chain=input connection-state=established,related\
        in-interface=bridge1-Internet
add action=accept chain=input dst-address=207.174.237.241 dst-port=25,80,443,995\
        in-interface=bridge1-Internet protocol=tcp
add action=accept chain=input in-interface=bridge1-Internet protocol=icmp
add action=drop chain=input in-interface=bridge1-Internet
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1-Internet
add action=dst-nat chain=dstnat dst-address=207.174.237.157\
        dst-port=80 protocol=tcp to-addresses=10.10.99.8
/ip route
add distance=1 gateway=207.174.237.1
/tool user-manager database
set db-path=user-manager

Answer

It’s because of set use-ip-firewall=yes: ‘Force bridged traffic to also be processed by prerouting, forward and postrouting sections of IP routing’ (Bridge_Settings)

Using a bridge is like using a hardware switch with 4 ports (isp-eth2-eth3-router) before your router. add action=accept chain=input dst-address=207.174.237.241 dst-port=25,80,443,995 in-interface=bridge1-Internet protocol=tcp – this rule allows TCP to the router itself and has no effect inside the bridge.

Attribution
Source : Link , Question Author : com-guy , Answer Author : dash1121
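The answer above says why the posted input-chain rules never see the server traffic: with use-ip-firewall=yes, frames switched between bridge ports (ether1 to ether2/ether3) pass through the prerouting, forward and postrouting chains, never through input, which only handles packets addressed to the router. The rules below are an added example of a forward chain that does what the question asks for; they are not the poster's configuration or anything from the answer. Assumptions: 207.174.237.241 (the address used in the poster's own rule) is the web/mail server on ether2/ether3, the only routed service published to the LAN is the dst-nat for port 80 to 10.10.99.8 already in the export, and the in-bridge-port and connection-nat-state matchers are available in the 6.43 release the question names. The existing input-chain rules stay as they are, since they protect the router's own address.

```routeros
/interface bridge settings
# Required so that switched traffic inside bridge1-Internet is seen by /ip firewall at all
set use-ip-firewall=yes

/ip firewall filter
# Bridged and routed flows both traverse forward once use-ip-firewall=yes
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# Bridged: ISP port -> server inside bridge1-Internet, allowed services only
# (assumed: .241 is the web/mail server on ether2/ether3)
add chain=forward action=accept in-bridge-port=ether1 dst-address=207.174.237.241 \
        protocol=tcp dst-port=25,80,443,995 comment="ISP -> server, designated ports"

# Routed: only the published dst-nat (.157:80 -> 10.10.99.8) may reach a LAN subnet
add chain=forward action=accept in-interface=bridge1-Internet connection-nat-state=dstnat \
        protocol=tcp dst-port=80 comment="published web service via dst-nat"

# Everything else arriving from the ISP side, switched or routed, is dropped
add chain=forward action=drop in-bridge-port=ether1 comment="drop other bridged traffic from ISP"
add chain=forward action=drop in-interface=bridge1-Internet comment="drop other routed traffic to LANs"
```

Two points worth checking after applying rules like these: first, in-bridge-port matches the physical port the frame entered, so a rule keyed on in-interface=bridge1-Internet alone would also match traffic the servers on ether2/ether3 send, which is why the server-facing accept and the final drop are keyed on ether1 instead; second, the IP firewall only sees IP packets, so non-IP frames (ARP, for example) still switch freely inside the bridge, and the layer-2 /interface bridge filter is the place to restrict those if that matters for the hosts sharing the bridge.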
