Authenticating clients through MAC address

RouterOS General
1

I have a Mikrotik that uses ether1 for WAN, ether6 as LAN.
ether6 has dhcp server running.

I want to only allow network traffic/internet access to MAC addresses that are somehow authenticated to the router. Is there any way to do this?

In a better scenario I’d know how to configure a vlan on top of that but one thing at a time I guess.

How to Bypass Hotspot Usage Counters for Specific Subnets
Limiting Access on LAN RB433AH
2

Here’s one approach that’s relatively simple:

  1. Configure the router to add an ARP entry when it hands out leases by setting ‘add-arp’ to ‘yes’.
    http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#General

add-arp (yes | no; Default: no) Whether to add dynamic ARP entry. If set to no either ARP mode should be enabled on that interface or static ARP entries should be administratively defined in /ip arp submenu.

  1. Turn off dynamic ARP learning on the ether6 interface by setting ‘arp’ to ‘reply-only’.
    http://wiki.mikrotik.com/wiki/Manual:Interface/Ethernet#Properties
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled)	Address Resolution Protocol mode
  1. Turn off the IP pool on the DHCP server and configure static leases for all valid clients, assigning an IP address to their MAC address.

Now clients that don’t have a hard coded DHCP lease can no longer receive a DHCP address. Also, the router will not learn about ARP mappings of MAC to IP addresses unless the client received a DHCP lease. Clients can send traffic to the router, but the router doesn’t know how to send traffic back to the client unless it’s a DHCP lease client, and all traffic to non-DHCP clients is dropped.

Other approaches would include a Hotspot with MAC address authentication, or PPPoE.