allow by mac address

amsteen · November 2, 2009, 4:09am

Dear Sir’s

If we block a pc from internet with web-proxy (with its IP)
is it possible to allow iternet for it by mac address (from firewall filter)

thanks
Eng. Amgad

amsteen · November 4, 2009, 9:11am

There no one know how to deliver internet by mac address
or it is not possible

Please try to help me

chronos · November 4, 2009, 6:58pm

I dont understand you question but basicly you can block or better allow certain clients by firewall rules identified either by IP address or MAC address. So there is a problem?

cyph3r · November 5, 2009, 3:38pm

ip firewall filter add chain=input src-mac-address=00:0C:29:32:E6:92 action=accept (Allow User )
ip firewall filter add chain=input src-mac-address=00:0C:29:32:E6:93 action=accept (Allow User )
ip firewall filter add chain=input src-mac-address=00:0C:29:32:E6:94 action=accept (Allow User )
ip firewall filter add chain=input src-address=192.168.139.0/24 action=drop (all users deny)

Try this in same sequence

amsteen · November 7, 2009, 7:37am

A great thanks to Mr. cyph3r

Yes it work

thanks again

Eng. Amgad

cyph3r · November 8, 2009, 2:44pm

Its ok Bro

zahiy · December 14, 2009, 11:15pm

I want to add somthing else to his questions hoping somebody can help, accodring to cyph3r 's solution, how can I block all MACs and allow specific MACs without refering to ip address?

fewi · December 14, 2009, 11:20pm

Qualify by something else, for example the interface traffic came in on.

ip firewall filter add chain=input src-mac-address=00:0C:29:32:E6:92 action=accept (Allow User )
ip firewall filter add chain=input src-mac-address=00:0C:29:32:E6:93 action=accept (Allow User )
ip firewall filter add chain=input src-mac-address=00:0C:29:32:E6:94 action=accept (Allow User )
ip firewall filter add chain=input src-address=192.168.139.0/24 action=drop (all users deny)

Turns into

ip firewall filter add chain=input src-mac-address=00:0C:29:32:E6:92 action=accept (Allow User )
ip firewall filter add chain=input src-mac-address=00:0C:29:32:E6:93 action=accept (Allow User )
ip firewall filter add chain=input src-mac-address=00:0C:29:32:E6:94 action=accept (Allow User )
ip firewall filter add chain=input in-interface=[name of customer interface] action=drop (all users deny)

zahiy · December 14, 2009, 11:36pm

Thanks! I will tring it

zahiy · December 16, 2009, 4:30pm

Works fine.

henrygrik · December 17, 2009, 10:03am

Hi,
It has been quite interesting. It was simply mind blowing, thanks for providing such a wonderful information.

hansel84 · January 11, 2016, 4:49pm

Very useful post, but is there any way I can block a bunch of MAC Addresses in only one rule on the same way we can create IP-Address-List ? That will save a lot of CPU usage …
Tnx in advance

gazdi · February 23, 2016, 8:51am

Hello

How can I create and use a MAC list as input for packet marking ? At prerouting /mangle I would like to use it.

Thanks in advance !