I’ve seen a few discussions on blocking private mac addresses as they bypass restrictions based on MAC address but no real solutions. I know that private MAC addresses follow this pattern:
x2:xx:xx:xx:xx:xx
x6:xx:xx:xx:xx:xx
xA:xx:xx:xx:xx:xx
xE:xx:xx:xx:xx:xx
So I thought a bridge filter to drop all MAC addresses matching this filter might work but they all still have internet access even though the filter shows matches. What am I missing?
do u have use ip firewal ticked?
It is not checked. I guess I’m not knowledgeable enough to know the ramifications of enabling that. My setup is basically router on a stick (Audience) but I’m really only concerned with keeping private Mac address from getting internet access from the wifi.
can u do the same thing on ip filter, see what u can get
Precise export of the filters?
If I do not remember bad, for match all private MAC must be suffice one with MAC 02:00:00:00:00:00 and mask 02.00:00:00:00:00
I don’t see any option to mask a MAC address in ip filter like there is in bridge filter.
I'm not about using sure IP firewall. I'd listen to @rextended here.
The mask part is critical, unlike IP, the private MAC address use the 7th bit in 1st octal to indicate this. But it's why the mask is 02.00:00:00:00:00.
A export of the bridge filters might be helpful if that doesn't work...
Here is the export of my bridge filters.
/interface bridge filter
add action=drop chain=forward disabled=yes log=yes log-prefix=PrivMAC src-mac-address=02:00:00:00:00:00/0F:00:00:00:00:00
add action=drop chain=forward disabled=yes log=yes log-prefix=PrivMAC src-mac-address=0E:00:00:00:00:00/0F:00:00:00:00:00
add action=drop chain=forward disabled=yes log=yes log-prefix=PrivMAC src-mac-address=0A:00:00:00:00:00/0F:00:00:00:00:00
add action=drop chain=forward disabled=yes log=yes log-prefix=PrivMAC src-mac-address=06:00:00:00:00:00/0F:00:00:00:00:00
Edit: Just want to clarify these filters are disabled now because they don’t work. They were enabled when I was testing.
It’s because mask (0F:00:00:00:00:00 on all rules) is wrong. Fix the first rule according to what @rextended wrote …
because 0F at start match “00001111” = any value on first 4 bit (bo-b4) on 1st octect, match also legit unicast and multicast and not only private MACSs
Instead 02 is “00000010” and match only when the private bit is set (the 2nd (b1 on image), x & 0 = false, 0 & 1 = false, 1 & 1 = true),
and no matter the combination of other bits (for example 06 = 00000110 still have the 2nd bit = 1 (b1 on image), etc.)
So, only one rule for the two chain that chechk that bit suffice:
/interface bridge filter
add action=drop chain=input log=yes log-prefix="IN-DROP Private MAC" src-mac-address=02:00:00:00:00:00/02:00:00:00:00:00
add action=drop chain=forward log=yes log-prefix="FW-DROP Private MAC" src-mac-address=02:00:00:00:00:00/02:00:00:00:00:00
So, it match only when private bit is set.
Firewall work at layer 3, bridge filter to layer 2, so if you block correctly @ bridge level, is not needed the firewall later.
Thank you! In addtion to the mask needing to be 02:00:00:00:00:00 and not 0F:00:00:00:00:00, the key to making it work is that it has to be in both the forward and input chains. I did not realize that. All works now.
/interface bridge filter
add action=drop chain=forward log=yes log-prefix=PrivMAC src-mac-address=02:00:00:00:00:00/02:00:00:00:00:00
add action=drop chain=input log=yes log-prefix=PrivMAC src-mac-address=02:00:00:00:00:00/02:00:00:00:00:00
Edit: Removed other filters showing 0A, 0E, 06.