AUTOMATIC BRIDGE FILTER

How can I make an auto script to add clients which ping (ICMP 8-0) my network to bridge filter? I mean, firewall filter detects ICMP request -> script finds the client MAC, adds it to bridge filter with action drop, and after 6 hours removes the rule! :smiley:

Can you advise why you’re trying to achieve this?

Ping request is only for the network admin; ICMP is used for spoofing, trying to find other users' MACs and IPs. I do not allow ICMP requests on my network. I'm the admin of my hotspot !!! :sunglasses:

Resolved, now it runs fine

Block Bad Host Name

host-name: edit t1 -> t15

then add the script to the scheduler and run it every two minutes

Mikrotik RouterOS v6.33rc30

:foreach i in=[/ip dhcp-server lease find where host-name="t1" || host-name="t2" || host-name="t3" || host-name="t4" || host-name="t5" || host-name="t6" || host-name="t7" || host-name="t8" || host-name="t9" || host-name="t10" || host-name="t11" || host-name="t12" || host-name="t13" || host-name="t14" || host-name="t15"] do={
  :local ip [/ip dhcp-server lease get $i address];
  :local mac [/ip dhcp-server lease get $i mac-address];
  :local host [/ip dhcp-server lease get $i host-name];
  # convert only this lease to a static one, then mark it as blocked
  /ip dhcp-server lease make-static $i;
  /ip dhcp-server lease set [find where dynamic=no mac-address=$mac] use-src-mac=yes client-id="1:$mac" server=dhcp1 block-access=yes comment=BadHost
  :log warning ("Bad Host Name $host " . "with Mac $mac " . "and IP $ip blocked on dhcp server lease ")
}


Remove Bad Host Name

then add the script to the scheduler and run it every 12 hours

Mikrotik RouterOS v6.33rc30

:foreach i in=[/ip dhcp-server lease find where comment=BadHost] do={
  :local ip [/ip dhcp-server lease get $i address];
  :local mac [/ip dhcp-server lease get $i mac-address];
  :local host [/ip dhcp-server lease get $i host-name];
  # remove just the current lease; the loop visits the others
  /ip dhcp-server lease remove $i;
  :log warning ("Bad Host Name $host " . "with Mac $mac " . "and IP $ip removed from dhcp server lease ")
}
:laughing:

Another option to block bad elements is with bridge filter

Block bad host name, ARP spoofing etc.

host-name: edit t1 -> t15

then add the script to the scheduler and run it every two minutes

Mikrotik RouterOS v6.33rc30

:foreach i in=[/ip dhcp-server lease find where host-name="t1" || host-name="t2" || host-name="t3" || host-name="t4" || host-name="t5" || host-name="t6" || host-name="t7" || host-name="t8" || host-name="t9" || host-name="t10" || host-name="t11" || host-name="t12" || host-name="t13" || host-name="t14" || host-name="t15"] do={
  :local ip [/ip dhcp-server lease get $i address];
  :local mac [/ip dhcp-server lease get $i mac-address];
  :local host [/ip dhcp-server lease get $i host-name];
  # only add rules when this MAC is not in the bridge filter yet
  :if ([/interface bridge filter find src-mac-address="$mac/FF:FF:FF:FF:FF:FF"] = "") do={
    /interface bridge filter add chain=input src-mac-address="$mac/FF:FF:FF:FF:FF:FF" mac-protocol=ip action=drop comment=BadHost
    /interface bridge filter add chain=output src-mac-address="$mac/FF:FF:FF:FF:FF:FF" mac-protocol=ip action=drop comment=BadHost
    /interface bridge filter add chain=forward src-mac-address="$mac/FF:FF:FF:FF:FF:FF" mac-protocol=ip action=drop comment=BadHost
    :log warning ("Bad Host Name $host " . "with Mac $mac " . "and IP $ip added to bridge filter ")
  }
}
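
An added example, not a script from this thread or from MikroTik: it combines the two scheduler scripts above with the 6-hour expiry asked for in the opening post. The DHCP server name "dhcp1", the address list name "badhost" and the host names t1..t3 are assumptions; the dynamic address-list entry (which RouterOS deletes on its own when its timeout runs out) is used as the timer, so no date arithmetic is needed.

```routeros
# Added example (not from the thread). Store the two parts as separate
# scripts and schedule "block" every 2 minutes and "unblock" every minute.

# ---- block script ----
# assumed names: dhcp server "dhcp1", bad host names t1..t3
:local badnames {"t1";"t2";"t3"}
:foreach i in=[/ip dhcp-server lease find where server="dhcp1"] do={
  :local host [/ip dhcp-server lease get $i host-name]
  :local mac  [/ip dhcp-server lease get $i mac-address]
  :local ip   [/ip dhcp-server lease get $i address]
  :local bad false
  :foreach n in=$badnames do={ :if ($host = $n) do={ :set bad true } }
  # act only when the name matches and no rule for this MAC exists yet
  :if ($bad && [:len [/interface bridge filter find where comment="BadHost $mac"]] = 0) do={
    # input = traffic to the router itself, forward = traffic between ports;
    # output carries the router's own MAC, so a client src-mac never matches there
    :foreach c in={"input";"forward"} do={
      /interface bridge filter add chain=$c src-mac-address="$mac/FF:FF:FF:FF:FF:FF" action=drop comment="BadHost $mac"
    }
    # dynamic address-list entry with timeout=6h is the expiry timer (assumed list name "badhost")
    /ip firewall address-list add list=badhost address=$ip timeout=6h comment="$mac"
    :log warning "BadHost $host ($mac, $ip) blocked in bridge filter for 6h"
  }
}

# ---- unblock script ----
:foreach f in=[/interface bridge filter find where comment~"^BadHost "] do={
  :local cmt [/interface bridge filter get $f comment]
  # the MAC follows the 8-character prefix "BadHost "
  :local mac [:pick $cmt 8 [:len $cmt]]
  # timer entry gone -> 6 hours have passed, drop the rule
  :if ([:len [/ip firewall address-list find where list=badhost comment=$mac]] = 0) do={
    /interface bridge filter remove $f
    :log warning "BadHost $mac removed from bridge filter (6h elapsed)"
  }
}
```

The comment on each rule carries the MAC, so the unblock script never has to re-read DHCP leases, and a client that stays on the bad-name list is simply blocked again on the next 2-minute run after its rule expires.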

You know, to spoof you only need the ARP protocol, not ping.

Now this is something new :laughing:
BTW, any correctly crafted UDP packet can also be used to get that information...
Wouldn't it be easier to block ICMP responses (which still leaves the ARP issue open, as chechito states)?

??? :open_mouth:

Echo Reply

/ip firewall filter
add action=jump chain=forward comment="JUMP TO PING" dst-address-list=5G icmp-options=0 in-interface=bridge jump-target=ping log=yes log-prefix=Ping protocol=icmp src-address-list=5G_Client_Addresses
add action=add-src-to-address-list address-list="deny ping from ->" address-list-timeout=15m chain=ping comment=" PING ACTION" in-interface=bridge
add action=add-dst-to-address-list address-list="deny ping to <-" address-list-timeout=15m chain=ping comment=" PING ACTION" in-interface=bridge
add action=drop chain=ping comment=" PING ACTION" in-interface=bridge


icmp options=0, is this right?

chechito, my network configuration for WDS is
interface-bridge=arp-reply only
dhcp-server=arp enabled=yes :smiley:
I have a little hotspot network; my clients are only Android phones, tablets and notebooks.
I don't have problems with manual client IP configuration because manually configured devices don't connect!
The hotspot removes dynamic clients whose ARP entry was not obtained from DHCP:
/ip hotspot host remove [/ip hotspot host find dynamic=yes] (scheduler runs every 30 seconds)
This configuration works very well here.

scheduler runs every 40 seconds

:local addr
:local toaddr
:foreach i in=[/ip hotspot host find] do={
  :set addr [/ip hotspot host get $i address]
  :set toaddr [/ip hotspot host get $i to-address]

  :log info "address = $addr and to-address = $toaddr"

  :if ($addr != $toaddr) do={
    # we found one to clear
    :log info "clear address = $addr and to-address = $toaddr with # $i"
    /ip hotspot host remove $i
  }
}

The internet of the mobile telephony providers here only offers a maximum of 10 kb/s. They are still using analog technology. I took advantage of this fact and provide the slowest plan with 512 kb/s and the fastest with 5 Mb/s.
My town is a little town with about 20,000 inhabitants, in central Brazil !!
I've got a friend who is the owner of one of the local ISPs; he sold me 36 Mb/s to share with my clients!