Allow Ethernet interface with specific MAC address only

How can I allow only one specific ethernet device to be connected to one of the Mikrotik ethernet ports and block any other device?

The aim is to prevent any other device from connecting to that ethernet port.

Add a static ARP entry for the desired device on the appropriate Ethernet port.
Set this ethernet port's ARP mode to reply-only.
-Chris

Right, Chris. Thanks a lot!!

The problem is that I already use the reply-only option on the DHCP server and on the network bridge, so that only the devices logged through my DHCP server are accepted on the network. This blocks devices with static addresses.

If I use your config, then all devices connected on the port I want to restrict will get a DHCP lease and ARP entry, and if I configure the ethernet port as reply-only, then all devices will be accepted via DHCP, whereas I only want to accept ONE specific device on that specific ethernet port with its own MAC address…

Tricky?

Is there a reason not to just use “Src MAC Address” (on the Advanced tab when using WinBox) as part of a firewall rule?

Ah, I didn’t realize that ethernet port is a bridge member.

In this case I’d suggest a bridge filter like this:

/interface bridge filter
add action=drop chain=forward in-bridge=<your bridge> in-interface=ether6 src-mac-address=!00:00:05:00:00:02/FF:FF:FF:FF:FF:FF

This drops all traffic on this port NOT coming from the specified MAC address.
-Chris

Errors:

in/out-bridge-port matcher not possible when interface (bridge1) is not slave
in/out-interface matcher not possible when interface (ether2) is slave - use master instead (bridge1)
in-bridge-port matcher not possible when bridge use-ip-firewall is disabled

Error 1: is related to error 2, fixed below:
Error 2: For this scenario, ether2 has to be a direct member of the bridge; remove its master port and bind it to the bridge.
Error 3: activate IP firewall in bridge settings. (In Winbox: Bridge → Settings)

Good luck!
-Chris

Found the solution: you need to put the rule in the filter rules of the bridge!

OK, next question:

Now the ethernet port filters and allows a device with a specific MAC address. That's good.

But if that device is itself bridged with other devices, the filter blocks those other devices.

How can I configure this so that these bridged devices are not blocked?

Now this is getting tricky, as we're now leaving the way L2 is designed to work.
If you’re really in desperate need of this, I think the only way is scripting.
Remove the static ARP entry from your ARP table and let DHCP handle this address (can still be set to static but DHCP needs to handle it).

Now create a scheduler script - or even better, a netwatch item, like this:
“Check this MAC addresses interface in ARP table and if it’s either not present or on a wrong interface, block all MAC addresses on ether2 but this one.
As soon as it’s back on this interface, allow all MAC addresses on ether2”.

-Chris
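One way to implement Chris's check as a RouterOS scheduler script (an added example, not code from the thread). It assumes the device MAC 00:00:05:00:00:02 and port ether2 from the earlier posts, tags the drop rule with the comment lock-ether2 so the script can find it, and looks the MAC up in the bridge host table rather than the ARP table, because the host table records which bridge port a MAC was learned on.

```routeros
# One-time setup: the drop rule from earlier in the thread, created disabled
# and tagged with a comment so the script can locate it by name.
/interface bridge filter add chain=forward in-interface=ether2 \
    src-mac-address=!00:00:05:00:00:02/FF:FF:FF:FF:FF:FF action=drop \
    comment="lock-ether2" disabled=yes

# Script (assumed name: check-ether2) that toggles the rule depending on
# whether the device's MAC is currently learned on the expected port.
/system script add name=check-ether2 source={
    :local mac "00:00:05:00:00:02"
    :local port "ether2"
    :local rule [/interface bridge filter find comment="lock-ether2"]
    # The bridge host table shows the port each learned MAC sits behind.
    :local seen [:len [/interface bridge host find mac-address=$mac on-interface=$port]]
    :if ($seen > 0) do={
        # Device present on ether2: allow all MACs (its bridged devices too).
        /interface bridge filter set $rule disabled=yes
    } else={
        # Device missing or learned on another port: drop every other MAC on ether2.
        /interface bridge filter set $rule disabled=no
    }
}

# Run the check every 30 seconds (interval chosen for the example).
/system scheduler add name=check-ether2 interval=30s on-event=check-ether2
```

A learned host entry persists until the bridge ageing time expires (5 minutes by default), so the rule is re-enabled only after that window once the device is unplugged.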

I have a Video Intercom Door Station. It's on ethernet 23. I would like to block any attempt of connection through that cable that does not belong to my intercom.

I have set:

/interface bridge filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop in-interface=ether23-slave-local
in-bridge=bridge-local
src-mac-address=!00:00:05:00:00:02/FF:FF:FF:FF:FF:FF log=no log-prefix=""

This is not its MAC (I have it copied from here). But I still can see the image from it and am able to connect to it.

Any ideas?

I’d say the rule has to be in chain=input, not chain=forward, if the destination MAC of the frame is the Mikrotik itself, i.e. if the Mikrotik routes the stream from the camera somewhere else. chain=forward would be correct if the Mikrotik was just bridging the stream from the camera to another device on the same bridge.

Plus a hint - protection by MAC address is not enough. If I wanted to barge into your network this way, learning the MAC address of the door station would be among the first items on my ToDo list. So you must treat the door station as a malicious device and let it only send data where you want it to. And still, unless there is a certificate-based authentication between the door station and the monitor, the bad guy will be able to feed your video surveillance system with a movie of your friend waiting at the door if he replaces the door station with a player sending the stream to the same destination from the same MAC address.

Maybe include a minimum connection up time to be required to allow data to pass from the MAC on that ether port.
Other options could include a trigger script on ethernet connection that checks for a correct telnet, ssh or web response to enable the port.

Is it possible to allow two MAC addresses on one port with a bridge filter?

regards, Richard

Sure. Bridge filter rules work the same way as all other rules in the system: they are evaluated one by one, first to last, until the first one matches or the list gets exhausted.
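Put concretely, an allowlist for two devices on one port is two accept rules followed by a catch-all drop (an added example, not from the thread; the two MAC addresses are constructed placeholders and ether2 is assumed as the restricted port):

```routeros
# Order matters: the first matching rule wins, so the accepts must come
# before the final drop. Each accept matches one full MAC (mask all-FF).
/interface bridge filter
add chain=forward in-interface=ether2 \
    src-mac-address=00:00:05:00:00:02/FF:FF:FF:FF:FF:FF action=accept \
    comment="allow device 1 on ether2"
add chain=forward in-interface=ether2 \
    src-mac-address=00:00:05:00:00:03/FF:FF:FF:FF:FF:FF action=accept \
    comment="allow device 2 on ether2"
# Anything else arriving on ether2 reaches this rule and is dropped.
add chain=forward in-interface=ether2 action=drop \
    comment="drop all other MACs on ether2"

# Verify the resulting order; use "move" if a rule ended up below the drop.
/interface bridge filter print
```

As noted earlier in the thread, traffic terminated by the router itself is seen in chain=input, so the same three rules are needed there when the device talks to the Mikrotik directly.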

I have a hEX PoE with a pretty default configuration powering my 3 outdoor cameras. Ether1 is plugged into my network and ether2, 3 and 5 are connected to cameras.
I was thinking about restricting those ports to my devices' MACs only, so if anyone unplugs my camera and connects another device it won't get through. What is the best way to achieve that? Firewall rules based on MAC?

Against stupid attackers, a bridge firewall filter linking MAC address to a port is sufficient. A clever attacker will copy the camera’s MAC address to his device, so only 802.1X is a safe method, unless the attacker can extract the password for 802.1X from the camera. The question is whether your cameras support 802.1X.

I see IEEE 802.1X enable checkbox on my hikvision cam along with some parameters like protocol, version, user, password, so I assume it is supported.
What now?
Should I find a tutorial on how to set up IEEE 802.1X on MikroTik, yes?
Is it better to set it directly on the hEX PoE managing only those 3 cams, or on my central router which holds CAPsMAN as well?