After looking at the following, I'd like to know if anyone is using a switch rule with redirect-to-cpu that works as expected. There is a lot of useful info on viewtopic.php?t=194824, which I used to verify that I can at least get the packets to the firewall when I disable hardware offload for the specific ethernet port.
Specifically trying to send only one VLAN's traffic to the firewall:
Code:
# RB5009
/interface bridge
add dhcp-snooping=yes fast-forward=no frame-types=admit-only-vlan-tagged name=bridge_lan port-cost-mode=short pvid=1111 vlan-filtering=yes
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge port
add bridge=bridge_lan interface=ether1 internal-path-cost=10 path-cost=10 pvid=2000
# And others
/interface vlan
add interface=bridge_lan name=vlan_dodgy_3000 vlan-id=3000
# And others
/interface ethernet switch rule
add ports=ether1 redirect-to-cpu=yes vlan-id=3000 switch=switch1
I've tried to make the rule also change the VLAN ID to match the bridge VLAN ID, to ID 1 and ID 0 (just because). As soon as I enable the switch rule, a ping across the interface to another in the bridge stops working, but the packet sniffer on the router starts to see packets on ether1. Then they just vanish. I can't capture them on the bridge and a firewall forward rule using IP address and not interfaces does not match anything.
I can do what I want if I disable hardware offload on the ports, but since I only really need very low bandwidth traffic to be firewalled I'd prefer to make this work in the same way I do for a CSS switch that is configured to forward all packets for a specific VLAN out to the port connected to the router.
Statistics: Posted by FHTheron — Sat Feb 17, 2024 7:03 pm
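Added diagnostic rules (not part of the original post) for locating where the redirected VLAN 3000 frames disappear: each stage logs the frame, so a VLAN that is meant to be firewalled but silently bypasses the IP firewall shows up as a gap in the logs. Interface and bridge names are taken from the post's config; the log prefixes and comments are assumptions.

```routeros
# Diagnostic only: log VLAN 3000 frames at each stage between the switch
# rule and the IP firewall. Names bridge_lan, ether1 and vlan_dodgy_3000
# come from the post's configuration; prefixes/comments are assumed.

# 1. Bridge layer: do redirected frames enter the bridge on ether1 at all?
/interface bridge filter
add chain=forward in-interface=ether1 mac-protocol=vlan vlan-id=3000 \
    action=log log-prefix="brfwd-v3000" \
    comment="diag: VLAN 3000 seen in bridge forward"
add chain=input in-interface=ether1 mac-protocol=vlan vlan-id=3000 \
    action=log log-prefix="brin-v3000" \
    comment="diag: VLAN 3000 frames addressed to the router itself"

# 2. IP layer: do they reach the IP firewall via the VLAN interface?
#    (use-ip-firewall-for-vlan=yes is already set in the post's config)
/ip firewall filter
add chain=forward in-interface=vlan_dodgy_3000 action=log \
    log-prefix="ipfwd-v3000" place-before=0 \
    comment="diag: VLAN 3000 reached IP firewall forward chain"

# 3. Check: packet counters and log lines per stage.
/interface bridge filter print stats where comment~"diag"
/ip firewall filter print stats where comment~"diag"
/log print where message~"v3000"
```

Frames that appear in the "brfwd"/"brin" logs but never in "ipfwd" stopped at the bridge; frames that appear in none never made it into the bridge from the switch chip. Remove the diag rules once done, since log actions on every matching frame are not meant to stay in production.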