zivtal
February 11, 2018, 5:51pm
1
Hi,
I would like to know if there is a way to block unknown devices by MAC address from my local wired LAN.
I mean, if someone connects a cable to a local wired port today, he gets an IP from the DHCP pool and has access to my network. Is there a way to block it?
poizzon
February 27, 2018, 10:17pm
2
the idea is as follows:
All known DHCP clients are placed in WhiteList, and then the firewall drops all clients on the local bridge whose source address is not in WhiteList
/ip dhcp-server lease
add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0
/ip firewall filter
add action=drop chain=forward comment="DROP all not WhiteListed clients" disabled=no in-interface=bridge src-address-list=!WhiteList
I may be missing the intention of this but how would the list distinguish between genuine DHCP clients and rogue clients though?
PPPoE could possibly be an option?
just make the genuine clients static.
this command adds a genuine client as a static lease and adds it to WhiteList
/ip dhcp-server lease
add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0
You could go into bridge filters, add all known MAC addresses, permit those, and drop the rest. Just make sure to input all the devices you own, obviously.
Sent from Tapatalk
maxsaf:
the idea is as follows:
All known DHCP clients are placed in WhiteList, and then the firewall drops all clients on the local bridge whose source address is not in WhiteList
/ip dhcp-server lease
add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0
/ip firewall filter
add action=drop chain=forward comment="DROP all not WhiteListed clients" disabled=no in-interface=bridge src-address-list=!WhiteList
THANKS MAN! It worked like a charm! Now I can easily block any unknown user on WiFi/LAN!
Also, for more security, I changed ARP from enabled to reply-only and statically assigned all of the IPs in the ARP list.
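The following is an added example, not configuration posted by anyone in this thread. It combines the three controls the thread proposes (static DHCP leases feeding a WhiteList address list, a bridge-filter MAC list, and reply-only ARP) into one RouterOS configuration, and adds two things the posted snippet leaves out: the `forward` rule alone does not stop an unknown host from reaching the router's own services, so an `input` rule is added, and the DHCP server is set to `static-only` so an unknown device never receives a pool address in the first place (the original question). The interface name `bridge`, the server name `dhcp0`, the 10.10.0.0/24 subnet and the two device MAC addresses and IPs are assumptions for illustration.

```routeros
# Added example: whitelist-only wired/wireless LAN on RouterOS.
# Assumed names: bridge "bridge", DHCP server "dhcp0", subnet 10.10.0.0/24,
# and two known devices (MACs/IPs below are made up for the example).

# 1. DHCP: hand out addresses only to devices with a static lease.
#    add-arp=yes lets the server install the lease's IP/MAC pair into the
#    ARP table, which step 3 relies on.
/ip dhcp-server
set dhcp0 address-pool=static-only add-arp=yes

# Each static lease also puts the address into the WhiteList address list
# while the lease is active; the firewall keys on that list.
/ip dhcp-server lease
add address=10.10.0.3 mac-address=30:07:4D:00:00:00 server=dhcp0 \
    address-lists=WhiteList comment="laptop"
add address=10.10.0.4 mac-address=30:07:4D:00:00:01 server=dhcp0 \
    address-lists=WhiteList comment="printer"

# 2. IP firewall: drop sources that are not in WhiteList, both for traffic
#    through the router (forward) and for traffic to the router (input),
#    so an unknown host cannot reach WinBox/SSH/web either. place-before=0
#    puts these ahead of any existing accept rules; the DHCP accept is
#    added last so it ends up first and a known device can still renew.
/ip firewall filter
add chain=forward in-interface=bridge src-address-list=!WhiteList \
    action=drop place-before=0 comment="DROP all not WhiteListed clients"
add chain=input in-interface=bridge src-address-list=!WhiteList \
    action=drop place-before=0 comment="DROP not WhiteListed to router"
add chain=input in-interface=bridge protocol=udp dst-port=67 \
    action=accept place-before=0 comment="allow DHCP requests"

# 3. ARP: reply-only means the router never learns dynamic ARP entries and
#    only sends to MACs from its static/DHCP-added entries. A rogue host
#    that sets a whitelisted IP on its own MAC gets no return traffic.
/interface bridge
set bridge arp=reply-only
# A device that does not use DHCP needs a manual ARP entry.
/ip arp
add address=10.10.0.10 mac-address=30:07:4D:00:00:02 interface=bridge \
    comment="NAS with static IP"

# 4. Bridge filter: permit known source MACs and drop everything else at
#    layer 2, for host-to-host traffic (forward) and host-to-router
#    traffic (input). Adding bridge filter rules moves bridge traffic to
#    the CPU on many models, so check throughput afterwards.
/interface bridge filter
add chain=forward src-mac-address=30:07:4D:00:00:00/FF:FF:FF:FF:FF:FF \
    action=accept comment="laptop"
add chain=forward src-mac-address=30:07:4D:00:00:01/FF:FF:FF:FF:FF:FF \
    action=accept comment="printer"
add chain=forward src-mac-address=30:07:4D:00:00:02/FF:FF:FF:FF:FF:FF \
    action=accept comment="NAS"
add chain=forward action=drop comment="drop unknown MAC (host-to-host)"
add chain=input src-mac-address=30:07:4D:00:00:00/FF:FF:FF:FF:FF:FF \
    action=accept comment="laptop"
add chain=input src-mac-address=30:07:4D:00:00:01/FF:FF:FF:FF:FF:FF \
    action=accept comment="printer"
add chain=input src-mac-address=30:07:4D:00:00:02/FF:FF:FF:FF:FF:FF \
    action=accept comment="NAS"
add chain=input action=drop comment="drop unknown MAC (host-to-router)"
```

Apply step 4 from a console session rather than over the network, because a typo in your own MAC locks you out until Safe Mode reverts it. Every control here keys on a MAC or IP address that any host on the same cable can read from passing frames and clone, so this stops an unplanned plug-in, not a deliberate attacker who copies a whitelisted device's MAC and IP while that device is off.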