Switch Rules (ACL)
TL;DR (Quick Start)
For the impatient: drop traffic from a specific source at wire speed.
```routeros
# Drop all traffic from IP 192.168.1.100 on ether2 (hardware-level)
# mac-protocol=ip keeps the rule from also matching ARP on v7.17+
/interface/ethernet/switch/rule/add switch=switch1 ports=ether2 \
    src-address=192.168.1.100/32 mac-protocol=ip new-dst-ports=""

# Rate limit a MAC address to 10Mbps
/interface/ethernet/switch/rule/add switch=switch1 ports=ether2 \
    src-mac-address=AA:BB:CC:DD:EE:FF/FF:FF:FF:FF:FF:FF rate=10M

# Block guest VLAN 10 from accessing the internal network
/interface/ethernet/switch/rule/add switch=switch1 ports=ether3 \
    vlan-id=10 dst-address=192.168.0.0/16 mac-protocol=ip new-dst-ports=""
```
Verify with:
```routeros
/interface/ethernet/switch/rule/print
# Ensure no rules show 'invalid' status
```
Overview
What this does: Switch rules provide hardware-level packet filtering that operates at wire speed, without CPU involvement. They can match on Layer 2 (MAC), Layer 3 (IP), and Layer 4 (TCP/UDP port) header fields to drop, redirect, rate limit, or modify packets.
When to use this:
- Blocking traffic at hardware level (faster than firewall)
- Rate limiting specific hosts or traffic types
- Redirecting traffic to CPU for captive portals
- Port mirroring specific traffic patterns
- VLAN manipulation based on source MAC
- Hardware-level QoS and traffic shaping
Prerequisites:
- Device with compatible switch chip (QCA8337, Atheros8327, 88E6xxx series)
- Understanding of which ports belong to which switch chip
- For VLAN matchers: bridge with vlan-filtering=yes and hardware offloading enabled
Hardware Requirement
Switch rules only work on devices with supported switch chips. CHR, CCR (non-switching models), and x86 have no switch chip and cannot use these features. Use /interface/ethernet/switch/print to check if your device supports rules.
Configuration Steps
Step 1: Identify Your Switch Chip
Check which switch chip your device has and its capabilities:
```routeros
/interface/ethernet/switch/print
```
Example output:
```
0 name="switch1" type="QCA8337" ...
```
Not all chips support rules. See the Compatibility Matrix below.
Step 2: Understand Rule Processing
Rules are processed in order (first match wins):
- Rules are evaluated top-to-bottom
- The first matching rule triggers; subsequent rules are ignored
- A rule without actions = accept the packet
- new-dst-ports="" (empty) = drop the packet
Step 3: Create a Basic Drop Rule
Drop all traffic from a specific IP address:
```routeros
/interface/ethernet/switch/rule/add switch=switch1 \
    ports=ether2 \
    src-address=192.168.1.100/32 \
    mac-protocol=ip \
    new-dst-ports=""
```
Step 4: Verify Rule Status
Check that rules are valid and active:
```routeros
/interface/ethernet/switch/rule/print
```
Expected output:
```
 # SWITCH  PORTS  ... NEW-DST-PORTS
 0 switch1 ether2
```
Rules marked invalid indicate configuration errors or matchers unsupported by your chip.
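Step 2's first-match ordering, together with the v7.17+ mac-protocol change covered in the Critical section further down, as an added example that is not part of the original page or of RouterOS: a small Python simulator that evaluates a rule list top-to-bottom against a constructed frame. Rule and frame fields mirror the page's matcher names; the matching logic is a simplified model of the page's description (an assumption), not the switch chip's real TCAM behaviour. It shows why the inter-VLAN drop rule silently eats ARP once mac-protocol is omitted.

```python
"""First-match simulator for switch ACL rules (added example, not code from the
original page or from MikroTik). Rule and frame fields mirror the page's matcher
names; the matching logic is a simplified model (assumption), not the chip's
real TCAM behaviour. It encodes the page's description of the v7.17+ change:
an IP matcher without mac-protocol also matches non-IP frames such as ARP."""
from ipaddress import ip_address, ip_network

ETHERTYPES = {"ip": 0x0800, "arp": 0x0806, "ipv6": 0x86DD, "vlan": 0x8100}
IP_MATCHERS = ("src-address", "dst-address", "protocol", "src-port", "dst-port")


def mac_matches(pattern, mac):
    """Match 'AA:BB:CC:DD:EE:FF/FF:FF:FF:FF:FF:FF' style patterns; the mask is
    applied per byte and an omitted mask means an exact match."""
    addr, _, mask = pattern.partition("/")
    mask = mask or "FF:FF:FF:FF:FF:FF"
    a, m, x = (bytes.fromhex(s.replace(":", "")) for s in (addr, mask, mac))
    return all((ab & mb) == (xb & mb) for ab, mb, xb in zip(a, m, x))


def ethertype_of(value):
    """Accept the page's enum names (ip, arp, ipv6, vlan) or hex like 0x0800."""
    return ETHERTYPES[value] if value in ETHERTYPES else int(value, 16)


def rule_matches(rule, frame, ros_version=(7, 17)):
    """True when every matcher present in `rule` accepts `frame`."""
    if rule.get("ports") and frame["port"] not in rule["ports"]:
        return False
    for key, field in (("src-mac-address", "src_mac"), ("dst-mac-address", "dst_mac")):
        if key in rule and not mac_matches(rule[key], frame[field]):
            return False
    if "vlan-id" in rule and rule["vlan-id"] != frame.get("vlan_id"):
        return False
    if "mac-protocol" in rule:
        if frame["ethertype"] != ethertype_of(rule["mac-protocol"]):
            return False
    elif any(k in rule for k in IP_MATCHERS) and ros_version < (7, 17):
        # Before 7.17 an IP matcher implied mac-protocol=ip (page's description).
        if frame["ethertype"] != ETHERTYPES["ip"]:
            return False
    if frame["ethertype"] != ETHERTYPES["ip"]:
        # 7.17+ with mac-protocol absent: the IP matchers below are never
        # evaluated for a non-IP frame, so the rule matches ARP as well.
        return True
    for key, field in (("src-address", "src_ip"), ("dst-address", "dst_ip")):
        if key in rule and ip_address(frame[field]) not in ip_network(rule[key], strict=False):
            return False
    if "protocol" in rule and rule["protocol"] != frame.get("protocol"):
        return False
    for key, field in (("src-port", "src_port"), ("dst-port", "dst_port")):
        if key in rule and rule[key] != frame.get(field):
            return False
    return True


def action_of(rule):
    """Map the rule's action fields to a label; a rule without actions accepts."""
    if rule.get("new-dst-ports") == "":
        return "drop"
    if rule.get("redirect-to-cpu") == "yes":
        return "redirect-to-cpu"
    if "rate" in rule:
        return f"rate-limit {rule['rate']}"
    if "new-dst-ports" in rule:
        return f"forward-to {rule['new-dst-ports']}"
    return "accept"


def first_match(rules, frame, ros_version=(7, 17)):
    """Evaluate top-to-bottom; return (slot, action) of the first hit, else (None, 'accept')."""
    for slot, rule in enumerate(rules):
        if rule_matches(rule, frame, ros_version):
            return slot, action_of(rule)
    return None, "accept"


# Constructed sample data: the page's inter-VLAN drop rule with and without
# mac-protocol, plus an ARP broadcast and an HTTP packet arriving on ether2.
RULES_BAD = [{"ports": ["ether2"], "dst-address": "192.168.20.0/24", "new-dst-ports": ""}]
RULES_GOOD = [dict(RULES_BAD[0], **{"mac-protocol": "ip"})]
ARP_ON_ETHER2 = {"port": "ether2", "src_mac": "64:D1:54:D9:27:E6",
                 "dst_mac": "FF:FF:FF:FF:FF:FF", "ethertype": 0x0806}
HTTP_TO_VLAN20 = {"port": "ether2", "src_mac": "64:D1:54:D9:27:E6", "dst_mac": "4C:5E:0C:00:00:01",
                  "ethertype": 0x0800, "src_ip": "192.168.10.5", "dst_ip": "192.168.20.7",
                  "protocol": "tcp", "dst_port": 80}

if __name__ == "__main__":
    print(first_match(RULES_BAD, ARP_ON_ETHER2))           # (0, 'drop'): ARP is blocked on 7.17+
    print(first_match(RULES_BAD, ARP_ON_ETHER2, (7, 16)))  # (None, 'accept') on older versions
    print(first_match(RULES_GOOD, ARP_ON_ETHER2))          # (None, 'accept')
    print(first_match(RULES_GOOD, HTTP_TO_VLAN20))         # (0, 'drop')
```

Because evaluation stops at the first hit, a rate-limit rule placed above a broad drop rule still applies to its host while everything else falls through to the drop; swap the two and the host is dropped before the rate limit is ever consulted, which is the same ordering error the troubleshooting table lists for rate-limit rules pushed past slot 32.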
Common Scenarios
Scenario: Block Inter-VLAN Traffic (Hardware)
Prevent VLAN 10 from reaching the 192.168.20.0/24 network:
```routeros
/interface/ethernet/switch/rule/add switch=switch1 \
    ports=ether2 \
    vlan-id=10 \
    dst-address=192.168.20.0/24 \
    mac-protocol=ip \
    new-dst-ports=""
```
VLAN Matchers Requirement
VLAN-based matching requires:
- Bridge with vlan-filtering=yes
- Ports with hardware offloading enabled (check for the “H” flag)
Scenario: Rate Limit by Source IP
Limit a specific IP to 10Mbps ingress:
```routeros
/interface/ethernet/switch/rule/add switch=switch1 \
    ports=ether2 \
    src-address=192.168.1.50/32 \
    mac-protocol=ip \
    rate=10M
```
Note: Rate limiting only works in the first 32 rule slots on most chips.
Scenario: Rate Limit by MAC Address
Limit a specific device regardless of its IP:
```routeros
/interface/ethernet/switch/rule/add switch=switch1 \
    ports=ether2 \
    src-mac-address=64:D1:54:D9:27:E6/FF:FF:FF:FF:FF:FF \
    rate=10M
```
Scenario: Redirect HTTP to CPU (Captive Portal)
Send all HTTP traffic to the CPU for captive portal processing:
```routeros
/interface/ethernet/switch/rule/add switch=switch1 \
    ports=ether2,ether3,ether4 \
    protocol=tcp \
    dst-port=80 \
    mac-protocol=ip \
    redirect-to-cpu=yes
```
Scenario: Port Security (MAC-Based)
Only allow specific MACs on a port:
```routeros
# Add the allowed MAC to the host table
/interface/ethernet/switch/host/add switch=switch1 \
    ports=ether6 \
    mac-address=4C:5E:0C:00:00:01

# Drop traffic from unknown MACs
/interface/ethernet/switch/rule/add switch=switch1 \
    ports=ether6 \
    src-mac-addr-state=sa-not-found \
    new-dst-ports=""
```
Scenario: Mirror Specific Traffic
Mirror only HTTP traffic to a monitoring port:
```routeros
# Set the mirror target port
/interface/ethernet/switch/set switch1 mirror-target=ether5

# Mirror HTTP traffic
/interface/ethernet/switch/rule/add switch=switch1 \
    ports=ether2 \
    protocol=tcp \
    dst-port=80 \
    mac-protocol=ip \
    mirror=yes
```
Scenario: MAC-Based VLAN Assignment
Assign a VLAN based on the source MAC (for device authentication):
```routeros
/interface/ethernet/switch/rule/add switch=switch1 \
    ports=ether7 \
    src-mac-address=A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF \
    new-vlan-id=200
```
Note: new-vlan-id is only supported on Atheros8316 and 88E6393X chips.
Scenario: Block BPDU on Specific Ports
Drop spanning tree BPDUs to prevent topology manipulation:
```routeros
/interface/ethernet/switch/rule/add switch=switch1 \
    ports=ether1 \
    dst-mac-address=01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF \
    new-dst-ports=""
```
Scenario: QoS Priority Marking
Rewrite the VLAN priority for VoIP traffic:
```routeros
/interface/ethernet/switch/rule/add switch=switch1 \
    ports=ether2 \
    protocol=udp \
    dst-port=5060 \
    mac-protocol=ip \
    new-vlan-priority=6
```
Note: new-vlan-priority is supported on Atheros8327, QCA8337, and Atheros8316.
Verification
Confirm your switch rules are working:
Check 1: List All Rules
```routeros
/interface/ethernet/switch/rule/print
```
Expected: Rules listed without the invalid flag.
Check 2: View Rule Statistics
```routeros
/interface/ethernet/switch/rule/print stats
```
Expected: Counters incrementing for matching traffic.
Check 3: Check Switch Chip Capabilities
```routeros
/interface/ethernet/switch/print
```
Shows the chip type and whether rules are supported.
Check 4: Verify VLAN Filtering (for VLAN rules)
```routeros
/interface/bridge/print
```
Expected: vlan-filtering=yes on the relevant bridge.
Troubleshooting
| Symptom | Cause | Solution |
|---|---|---|
| Rules show “invalid” | Matcher not supported by chip | Remove unsupported matcher; check chip capabilities |
| Rule not matching traffic | Wrong port specified | Verify which ports belong to switch chip |
| ARP broken after adding rule | Rule matches all protocols (v7.17+) | Add mac-protocol=ip (or 0x0800) |
| VLAN matcher not working | VLAN filtering disabled | Enable vlan-filtering=yes on bridge |
| Rate limiting not working | Rule not in first 32 slots | Move rate-limiting rules to top of list |
| Traffic leaking during rule change | Normal hardware behavior | Plan rule changes during maintenance windows |
| Rule works but CPU still processes | Wrong action parameter | Use redirect-to-cpu vs copy-to-cpu appropriately |
| New VLAN ID not applied | Chip doesn’t support action | Only Atheros8316 and 88E6393X support new-vlan-id |
Critical: RouterOS 7.17+ ACL Behavior Change
Before v7.17, a rule like this only matched IP traffic:
```routeros
# This USED to work, now blocks ARP too!
/interface/ethernet/switch/rule/add switch=switch1 ports=ether2 \
    dst-address=192.168.20.0/24 new-dst-ports=""
```
After v7.17, it matches ALL traffic including ARP, breaking connectivity.
Fix: Always explicitly set mac-protocol:
```routeros
/interface/ethernet/switch/rule/add switch=switch1 ports=ether2 mac-protocol=ip \
    dst-address=192.168.20.0/24 new-dst-ports=""
```
Rule Modification Packet Leakage
When ACL rules are modified (added, removed, disabled, enabled, or reordered), existing rules become inactive briefly. This can cause packet leakage.
Mitigations:
- Plan rule changes during maintenance windows
- Use firewall rules as a backup safety net
- Batch rule changes when possible
Common Mistakes
- Forgetting mac-protocol=ip - Blocks ARP and breaks connectivity (v7.17+)
- Using VLAN matchers without vlan-filtering - Rules won’t match
- Exceeding rule table limits - Rules silently fail or become invalid
- Expecting rule stats on all chips - Not all chips support counters
- Mixing IPv4 and IPv6 matchers - Cannot combine in same rule
- Rate limiting beyond slot 32 - Rate limiting only works in first 32 rule slots
Switch Chip Compatibility Matrix
| Feature | QCA8337 | Atheros8327 | MT7621 | RTL8367 | 88E6393X |
|---|---|---|---|---|---|
| Rule table | 92 rules | 92 rules | No | No | 256+ rules |
| Rate limiting | Yes (slot 1-32) | Yes (slot 1-32) | No | No | Yes |
| new-vlan-id | No | No | No | No | Yes |
| new-vlan-priority | Yes | Yes | No | No | Yes |
| redirect-to-cpu | Yes | Yes | No | No | Yes |
| mirror action | Yes | Yes | No | No | Yes |
| IPv6 matchers | No | No | No | No | Yes |
| Rule counters | Limited | Limited | N/A | N/A | Yes |
Devices by switch chip:
| Chip | Devices |
|---|---|
| QCA8337 | hEX (RB750Gr2), cAP ac, hAP ac |
| Atheros8327 | RB2011, RB3011 |
| MT7621 | hEX v3 (RB750Gr3), hAP ac2, hAP ac3 |
| RTL8367 | RB4011, RB5009 |
| 88E6393X | CRS305, CRS309, CRS317, CRS326, CRS328 |
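The Common Mistakes list and the compatibility matrix above describe limits that only surface as an "invalid" flag or silently non-matching rules after the change is pushed. As an added example that is not part of the original page or of RouterOS, the following Python pre-flight linter checks a planned rule list against those documented limits before anything touches the switch: chip capabilities, rule table size, rate limiting past slot 32, IPv4/IPv6 mixing, VLAN matchers without vlan-filtering, and IP matchers lacking mac-protocol on v7.17+. The CHIPS table is transcribed from the page's matrix (256 stands in for "256+"); the rule dict format and the lint() signature are this example's own assumptions.

```python
"""Pre-flight linter for a planned switch rule list (added example, not code
from the original page or from MikroTik). It checks the limits the page
documents: the chip capability matrix, rule table size, rate limiting only in
slots 1-32, no IPv4/IPv6 mixing in one rule, VLAN matchers needing
vlan-filtering, and IP matchers without mac-protocol on v7.17+. CHIPS is
transcribed from the page's matrix; the rule dict format and lint() signature
are this example's own (assumption)."""

CHIPS = {
    # rule table size, then which actions/matchers the chip supports
    "QCA8337": dict(rules=92, rate=True, new_vlan_id=False, new_vlan_priority=True,
                    redirect=True, mirror=True, ipv6=False),
    "Atheros8327": dict(rules=92, rate=True, new_vlan_id=False, new_vlan_priority=True,
                        redirect=True, mirror=True, ipv6=False),
    "88E6393X": dict(rules=256, rate=True, new_vlan_id=True, new_vlan_priority=True,
                     redirect=True, mirror=True, ipv6=True),  # page lists "256+" rules
    "MT7621": None,   # no rule table
    "RTL8367": None,  # no rule table
}
RATE_SLOTS = 32
ACTION_CAPS = {"rate": "rate", "new-vlan-id": "new_vlan_id", "new-vlan-priority": "new_vlan_priority",
               "redirect-to-cpu": "redirect", "mirror": "mirror"}
IPV4_MATCHERS = {"src-address", "dst-address"}
IPV6_MATCHERS = {"src-address6", "dst-address6", "traffic-class", "flow-label"}
IP_LAYER_MATCHERS = IPV4_MATCHERS | IPV6_MATCHERS | {"protocol", "src-port", "dst-port", "dscp"}
VLAN_MATCHERS = {"vlan-id", "vlan-header", "vlan-priority"}


def lint(chip, rules, vlan_filtering=False, ros_version=(7, 17)):
    """Return (slot, message) findings; slots are 1-based like the page's
    'slot 1-32' wording, and slot 0 refers to the rule list as a whole."""
    caps = CHIPS.get(chip)
    if caps is None:
        return [(0, f"{chip}: no rule table; switch rules are unsupported on this chip")]
    findings = []
    if len(rules) > caps["rules"]:
        findings.append((0, f"{len(rules)} rules exceed the {caps['rules']}-entry table; extra rules will be invalid"))
    for slot, rule in enumerate(rules, start=1):
        keys = set(rule)
        for action, cap in ACTION_CAPS.items():
            if action in keys and not caps[cap]:
                findings.append((slot, f"{action} is not supported on {chip}"))
        if "rate" in keys and slot > RATE_SLOTS:
            findings.append((slot, f"rate limiting only works in slots 1-{RATE_SLOTS}; move this rule up"))
        if keys & IPV4_MATCHERS and keys & IPV6_MATCHERS:
            findings.append((slot, "IPv4 and IPv6 matchers cannot be combined in one rule"))
        if keys & IPV6_MATCHERS and not caps["ipv6"]:
            findings.append((slot, f"IPv6 matchers are not supported on {chip}"))
        if keys & VLAN_MATCHERS and not vlan_filtering:
            findings.append((slot, "VLAN matcher needs vlan-filtering=yes on the bridge"))
        if keys & IP_LAYER_MATCHERS and "mac-protocol" not in keys and ros_version >= (7, 17):
            findings.append((slot, "IP matcher without mac-protocol also matches ARP on v7.17+; add mac-protocol=ip (or ipv6)"))
    return findings


# Constructed sample: three of the page's scenarios queued for a QCA8337.
SAMPLE_RULES = [
    {"ports": ["ether2"], "src-address": "192.168.1.50/32", "mac-protocol": "ip", "rate": "10M"},
    {"ports": ["ether7"], "src-mac-address": "A4:12:6D:77:94:43/FF:FF:FF:FF:FF:FF", "new-vlan-id": 200},
    {"ports": ["ether2"], "vlan-id": 10, "dst-address": "192.168.20.0/24", "new-dst-ports": ""},
]

if __name__ == "__main__":
    for slot, message in lint("QCA8337", SAMPLE_RULES):
        print(f"slot {slot}: {message}")
```

Run against the sample, the linter is silent on the rate-limit rule in slot 1, reports that new-vlan-id is unsupported on QCA8337 (the page says only Atheros8316 and 88E6393X have it), and flags the inter-VLAN rule twice: once for vlan-id without vlan-filtering and once for the missing mac-protocol. Pass vlan_filtering=True once the bridge is set up and only the mac-protocol finding remains, which is exactly the ARP breakage the troubleshooting table describes.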
Related Topics
Switch Configuration
- Switch Ports - port configuration and VLAN setup
- Bridge VLAN Filtering - software VLAN configuration
- Bonding/LACP - link aggregation on switches
Security
- Firewall Basics - CPU-based packet filtering
- 802.1X - port-based access control
Bandwidth Management
- Simple Queues - QoS configuration
- Queue Tree - advanced QoS
Reference
Command Reference
| Command | Required Args | Optional Args | Notes |
|---|---|---|---|
| /interface/ethernet/switch/rule/add | switch | all matchers, all actions | Create ACL rule |
| /interface/ethernet/switch/rule/print | - | stats, detail | Show rules |
| /interface/ethernet/switch/rule/remove | [find] or .id | - | Delete rule |
| /interface/ethernet/switch/rule/set | [find] or .id | any property | Modify rule |
| /interface/ethernet/switch/rule/move | .id, destination | - | Reorder rules |
| /interface/ethernet/switch/rule/disable | [find] or .id | - | Disable rule |
| /interface/ethernet/switch/rule/enable | [find] or .id | - | Enable rule |
Rule Matchers
Layer 2 Matchers
| Property | Type | Description |
|---|---|---|
| ports | port list | Ingress ports to match (empty = all switch ports) |
| switch | string | Switch chip name |
| src-mac-address | MAC/Mask | Source MAC address |
| dst-mac-address | MAC/Mask | Destination MAC address |
| mac-protocol | enum/hex | Ethernet type (ip, arp, ipv6, vlan, or hex like 0x0800) |
| vlan-id | 0-4095 | VLAN ID (requires vlan-filtering=yes) |
| vlan-header | present/not-present | Match tagged/untagged frames |
| vlan-priority | 0-7 | VLAN priority (802.1p) |
Layer 3 Matchers
| Property | Type | Description |
|---|---|---|
| src-address | IPv4/CIDR | Source IP address (cannot mix with IPv6) |
| dst-address | IPv4/CIDR | Destination IP address |
| src-address6 | IPv6/Mask | Source IPv6 address (88E6xxx only) |
| dst-address6 | IPv6/Mask | Destination IPv6 address |
| protocol | enum/number | IP protocol (tcp, udp, icmp, or 0-255) |
| dscp | 0-63 | DSCP value |
| traffic-class | 0-255 | IPv6 traffic class |
| flow-label | 0-1048575 | IPv6 flow label |
Layer 4 Matchers
| Property | Type | Description |
|---|---|---|
| src-port | 0-65535 | Source TCP/UDP port |
| dst-port | 0-65535 | Destination TCP/UDP port |
Rule Actions
| Property | Type | Description |
|---|---|---|
| new-dst-ports | port list | Override destination; empty = drop |
| redirect-to-cpu | yes/no | Send packet to CPU (not forwarded) |
| copy-to-cpu | yes/no | Copy packet to CPU (also forwarded) |
| mirror | yes/no | Copy to mirror-target port |
| rate | integer | Rate limit in bits/second (first 32 rules only) |
| new-vlan-id | 0-4095 | Rewrite VLAN ID (limited chip support) |
| new-vlan-priority | 0-7 | Rewrite VLAN priority |