Howto filter traffic via BRIDGE in Mikrotik RouterOS / RB
Scenario # 1
# Network A runs a VPN server with a DHCP server whose pool is in the 172.16.0.0/16 range.
# Network B runs a PPPoE server with a DHCP server whose pool is in the 10.0.0.0/xx range.
Now Network A wants to merge with Network B, and Operator A wants to keep using his own DHCP server rather than Network B's. As we all know, two DHCP servers cannot run in parallel on the same network (clients take whichever offer arrives first). The following is a workaround: create a BRIDGE in MikroTik and block DHCP traffic from crossing it. See the rules below. These are CLI commands, but you can use the GUI to do the same.
First, add the bridge.
/interface bridge add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 name=ds-bridge priority=0x8000 protocol-mode=none transmit-hold-count=6
Now add Ethernet ports to the bridge. For example, we want to use ports 2 and 3 for the bridge.
[ Port 2 is connected to Network A and port 3 is connected to Network B ]
/interface bridge port add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether2 path-cost=10 point-to-point=auto priority=0x80
/interface bridge port add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether3 path-cost=10 point-to-point=auto priority=0x80
Now enable IP firewall filtering for bridged traffic (without this setting, frames that are only bridged never reach /ip firewall).
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
Now your BRIDGE is ready to pass traffic to both networks.
Add firewall filter rules to block DHCP traffic (UDP ports 67 and 68). You can use the same topology to filter any other traffic from passing through, for example common virus ports or any specific port you want to block; simply add it to the filter rules.
/ip firewall filter add action=drop chain=forward disabled=no dst-port=67 protocol=udp
/ip firewall filter add action=drop chain=forward disabled=no dst-port=68 protocol=udp
/ip firewall filter add action=drop chain=input disabled=no dst-port=67 protocol=udp
/ip firewall filter add action=drop chain=input disabled=no dst-port=68 protocol=udp
/ip firewall filter add action=drop chain=output disabled=no dst-port=67 protocol=udp
/ip firewall filter add action=drop chain=output disabled=no dst-port=68 protocol=udp
I don't remember exactly, but I guess one or two rules above are not necessary; I guess the OUTPUT rules are not necessary. Just check the packet counters and remove the unnecessary rules.
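The whole procedure above, consolidated into one RouterOS script as an added example (this is not the original post's command set). It keeps the interface names from the post (ether2, ether3, ds-bridge), narrows the DHCP block to the forward chain and to frames that both enter and leave through the bridge, and ends with the counter check the post suggests. The comment strings are assumptions used only to find the rules again.

```routeros
# Added example, not from the original post. Assumes ether2 faces Network A,
# ether3 faces Network B, and the bridge is named ds-bridge as above.

/interface bridge
add name=ds-bridge protocol-mode=none

/interface bridge port
add bridge=ds-bridge interface=ether2 comment="Network A side"
add bridge=ds-bridge interface=ether3 comment="Network B side"

# Bridged frames only traverse /ip firewall when this is enabled.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

/ip firewall filter
# DHCP uses UDP 67 (server) and 68 (client). Matching in-interface and
# out-interface on the bridge limits the drop to frames that are merely
# bridged between the two networks; DHCP to or from the router itself on
# any other interface is left alone.
add chain=forward protocol=udp dst-port=67,68 in-interface=ds-bridge out-interface=ds-bridge action=drop comment="drop bridged DHCP"

# Verification: the counter on this rule should grow while a client on the
# Network A side requests a lease, and that client must end up with a
# 172.16.x.x address from Operator A's server, never a 10.x.x.x one.
/ip firewall filter print stats where comment="drop bridged DHCP"
```

Because only the forward chain sees frames that pass across the bridge, the input and output rules from the post are not needed for this purpose; their counters staying at zero during the check confirms it. Keep in mind that with use-ip-firewall=yes every bridged frame, not just DHCP, now passes through the IP firewall, so any other forward-chain rules on the router apply to the merged networks as well.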