gerhard
newbie
Topic Author
Posts: 30
Joined: Mon Dec 24, 2012 10:08 pm

Only allow specific IPs to access the network

Wed Aug 21, 2013 8:21 pm

I have created an address list of IPs (bound to specific MAC addresses) which are the only ones allowed to have access to the router.
/ip firewall address-list
add address=192.168.88.2-192.168.88.11 list=employees
The firewall filter looks currently like this:
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add action=drop chain=input src-address-list=!employees
add action=drop chain=forward src-address-list=!employees
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
The IPs in the list cannot connect outside the network (everything works fine inside). What am I missing? Is there a better way of achieving this?
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Only allow specific IPs to access the network

Wed Aug 21, 2013 8:36 pm

gerhard wrote:
> I have created an address list of IPs (bound to specific MAC addresses) which are the only ones allowed to have access to the router.
> /ip firewall address-list
> add address=192.168.88.2-192.168.88.11 list=employees
> The firewall filter looks currently like this:
> /ip firewall filter
> add chain=input comment="default configuration" protocol=icmp
> add action=drop chain=input src-address-list=!employees
> add action=drop chain=forward src-address-list=!employees
> add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
> add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
> The IPs in the list cannot connect outside the network (everything works fine inside). What am I missing? Is there a better way of achieving this?

What does your NAT table look like? Post your whole config. Also I am pretty sure you don't mean to DROP everything coming in on input...

Can you explain more about your network? What are you trying to do? Etc.?

I may be able to explain a better way to do it.
 
gerhard
newbie
Topic Author

Re: Only allow specific IPs to access the network

Thu Aug 22, 2013 12:18 am

Yes, you're right, dropping all the input is silly - no idea what I was thinking.

I'm basically trying to ensure that only specific MAC addresses can connect to the network. Currently, anyone plugging an Ethernet cable into the router gets access to anything on the network.

I'm going through the official wiki once again to see what I might have missed.
 
efaden
Forum Guru

Re: Only allow specific IPs to access the network

Thu Aug 22, 2013 1:12 am

If you only want to allow certain MACs, then look into static ARP.
 
gerhard
newbie
Topic Author

Re: Only allow specific IPs to access the network

Thu Aug 22, 2013 1:55 pm

OK, so the following seems to have done the trick:

I have set ARP on bridge-local to reply-only:
[admin@CH] /ip dhcp-server lease> /interface bridge print
Flags: X - disabled, R - running
 0  R name="bridge-local" mtu=1500 l2mtu=1598 arp=reply-only mac-address=D4:CA:6D:97:6D:D3 protocol-mode=rstp priority=0x8000 auto-mac=no admin-mac=D4:CA:6D:97:6D:D3 max-message-age=20s forward-delay=15s
      transmit-hold-count=6 ageing-time=5m
One thing that I'm not certain about is what happens when the gateway that currently provides internet connectivity assigns a new address to our router (it's not static). Won't the static ARP on bridge-local prevent the new IP address from being correctly assigned to ethernet-1? ethernet-1 still has ARP enabled.
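The allow-list done the way efaden suggests, as an added example that is not from the thread: static ARP entries on bridge-local alongside arp=reply-only, plus a firewall that applies the employees list only to new traffic arriving from the LAN bridge. That last part is what the original rules got wrong: a forward-chain drop on src-address-list=!employees also drops every reply coming back from the Internet. The MAC addresses, the WAN interface names taken from the first post, and the DHCP server name "default" are assumptions.

```routeros
# Added example, not the thread author's configuration.
# MAC addresses and the DHCP server name "default" are placeholders.

# 1. Stop the bridge from learning ARP entries dynamically. It still answers
#    ARP requests, but the router only has a MAC for hosts with a static
#    entry, so only those hosts can exchange traffic with or through it.
#    The WAN ports keep arp=enabled, so a DHCP-assigned upstream address
#    keeps working.
/interface bridge set bridge-local arp=reply-only

# 2. One static ARP entry per permitted host, pinning IP to MAC.
#    Caveat for the threat model: this pins the pair, it does not prove
#    identity; a cloned MAC on the same segment still matches.
/ip arp
add address=192.168.88.2 mac-address=00:11:22:33:44:55 interface=bridge-local comment=employee-1
add address=192.168.88.3 mac-address=00:11:22:33:44:66 interface=bridge-local comment=employee-2

# 3. Static DHCP leases for the same pairs, so the address a host receives
#    always matches its ARP entry. Leave the server's add-arp at its default
#    of no: with add-arp=yes every lease handed out would create an ARP
#    entry and bypass the list.
/ip dhcp-server lease
add address=192.168.88.2 mac-address=00:11:22:33:44:55 server=default
add address=192.168.88.3 mac-address=00:11:22:33:44:66 server=default

# 4. Address list, as in the original post.
/ip firewall address-list
add address=192.168.88.2-192.168.88.11 list=employees

# 5. Filter. Accept established/related first, then judge only new traffic
#    from the LAN side by the list; WAN-originated input is dropped as in
#    the default configuration.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmp action=accept comment="default configuration"
add chain=input in-interface=bridge-local src-address-list=employees action=accept
add chain=input in-interface=bridge-local action=drop comment="LAN host not on the list"
add chain=input in-interface=sfp1-gateway action=drop comment="default configuration"
add chain=input in-interface=ether1-gateway action=drop comment="default configuration"
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge-local src-address-list=!employees action=drop
```

Check the effect with /ip arp print (non-listed hosts should show no entry on bridge-local) and /ip firewall filter print stats (the established,related rules should carry the return traffic).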
 
efaden
Forum Guru

Re: Only allow specific IPs to access the network

Thu Aug 22, 2013 2:00 pm

gerhard wrote:
> OK, so the following seems to have done the trick:
>
> I have set ARP on bridge-local to reply-only:
> [admin@CH] /ip dhcp-server lease> /interface bridge print
> Flags: X - disabled, R - running
>  0  R name="bridge-local" mtu=1500 l2mtu=1598 arp=reply-only mac-address=D4:CA:6D:97:6D:D3 protocol-mode=rstp priority=0x8000 auto-mac=no admin-mac=D4:CA:6D:97:6D:D3 max-message-age=20s forward-delay=15s
>       transmit-hold-count=6 ageing-time=5m
> One thing that I'm not certain about is what happens when the gateway that currently provides internet connectivity assigns a new address to our router (it's not static). Won't the static ARP on bridge-local prevent the new IP address from being correctly assigned to ethernet-1? ethernet-1 still has ARP enabled.

The static ARP on the bridge should only affect things it communicates with... ether1 is still ARPing, so it shouldn't be affected.
 
gerhard
newbie
Topic Author

Re: Only allow specific IPs to access the network

Thu Aug 22, 2013 3:40 pm

Oh, great, thanks for pointing me in the right direction ;)
