Block internet access for devices by mac-address & schedule

RouterOS General
1

Hi,

On my network I want to block internet access for a group of devices that, identified by mac-address and during a an certain time of the day (say between 20:00-08:00 everyday) by schedule.

How can I accomplish this in my Mikrotik with RouterOS 6.24?

The “plan” I’m getting stuck at is:

  1. creating the address list based on mac-addresses
  2. creating the schedule for blocking
  3. creating the firewall rule to block/drop access to wan based on 1 and 2
  4. adding the src-ip-address and what external ip-address and ports they want to visit to a list to review.
2

You don’t need a schedule. Firewall rules can be set to apply between a particular time interval.

However, address lists can’t use MAC addresses (yet?), so you need to add an individual firewall rule for each MAC address.

You can make the rule for example do masquerade only at the allowed time OR make a rule that drops an otherwise valid packet at the prohibited time.

Going with the second option, for each MAC address, run the following:

/ip firewall filter add chain=forward action=drop time="20:00:00-12h,mon,tue,wed,thu,fri,sat,sun" src-mac-address=00:00:00:00:00:00

(replace the MAC address accordingly)

The “time” argument you’ll notice takes the form of “time since 00:00:00 today”, dash, “duration since starting time”. The interval between 20:00:00 and 8:00:00 the next day is 12 hours, hence the above.

3

Very nice, this helped a lot. So thanks.

4

I guess the difference between the two is that with the masquerading rule only wan-access is blocked but the internal network can be used and the “drop-rule” makes sure that networking is not possible at all?

No. In both cases, the internal network would work.

The only difference I can think of is that with the masquerade variant, you can still ping LAN IPs from a WAN neighbor to the router (IF that neighbor is clever enough to route LAN IPs to your router…), while with the drop rule, you can’t. Very esoteric…

5

Somehow the time settings are giving me a failure “start time bigger than end time”. So I guess I have to break tem up in two rules. Onde for the time between 20:00-23:59 and one for the time 00:00-08:00.

6

How to block mac address completely without giving them internet access?

Regards,
Alex

7

If you are assigning IP addresses for each MAC by DHCP, than go to IP - DHCP Server - Leases and you have a list of all active IP addresses, double click on the address and enabled Block access option.

8

BTW all this wont work on most new phones like Samsung etc as they by default generate new MAC address every time they connected, just keep that in mind..

9

Xiaomi phones as well.

10

At least on Samsung it is possible to disable this “feature” on per-SSID basis … after gadget successfully connects to SSID.

11

It’s android feature, not manufacturer based.

I’m really interested how to block this. Maybe by using host name?

12

Host name can only be used in conjunction with DHCP server that can update DNS server records while assigning new address lease to a device. DHCP server on ROS can’t do it automatically (and DHCP lease data can’t be directly used in firewall rules).