Bridge Filtering doesn't work

RouterOS General
1

I am trying to filter mobile phones from getting DHCP ips from the DHCP server,
I have made Mikrotik port 10 as a trunk port directly connected to Cisco Core switch, and we have 50 vlans, all of them take IP address from the correct pool and everything is fine .

Then To filter the phones I made a simple script that reads from the DHCP lease list for any device that has a name of “android” “iPhone” .. etc on it, then take that mac address of the device and place it dynamically in a Bridge filter rule in the input chain with that src-mac-addresss

The script just for convince " it works perfectly fine"

:foreach i in= [/ip dhcp-server lease find] do= {/ip dhcp-server lease; :set $host [get $i host]; :set $mac [get $i mac-address]; :if ([:find $host "Phone"]  >= 0 || [:find $host "android"]  >= 0 || [:find $host "Galaxy"]  >= 0 || [:find $host "HUAWE"]  >= 0 || || [:find $host "Honor"]  >= 0)  do={:if ([:len [/interface bridge filter find src-mac-address=($mac."/FF:FF:FF:FF:FF:FF")]] <= 0) do={/interface bridge filter add chain=input action=drop src-mac-address=($mac."/FF:FF:FF:FF:FF:FF")  log=yes}}}

Now the problem I get logged of the filter rules normally but all of the devices are taking Ip addresses still with no problem :
Rules looks like this in the Bridge filter :

chain=input action=drop src-mac-address=B4:BF:F6:46:5C:8D/FF:FF:FF:FF:FF:FF log=yes

I tried multiple combinations, for type=broadcast enabling ip filters on the bridge disabling it .. etc , at the logs I see matches, But absolutely nothing is happening .

Some log matches :
https://gyazo.com/804c58b0386a0c0dc210dec2fdd3d8aa

Thank you in advance

2

Your script is too late to prevent those phones from obtaining IP address - it is checking the already acqired leases. Your script just places a filter which is supposed to block further communication of those devices with router itself (so they actually can’t release active leases … I guess they can still communicate with other devices on same subnet but not internet or other subnets). Does this part work as intended?

3

I know its too late, the first time the devices will take an IP address .. no problem, but it should never again, the router is placed in a hospital its very congested, Im making the lease time to 30 minutes only to get rid quickly from the roaming mobile phones that are coming in.

And yes they can still communicate with the other devices in the subnet for the first 30 minutes if they came fresh for the first time ever to the network, but after that they should “never” get a new ip address, after like 3 hours or so the Filtering table reaches around 400 devices listed with their rules, they can enjoy their first 30 minutes no problem, but practically we can get rid of 90% of the phones at least this way .

Though the problem is still the filter doesn’t even work, after 30 minutes they renew their IPs normally like nothing is there, I tried ip filters before the bridge filtering , also the hits on the rules happens, but no effect .

Thanks

4

At least anyone ever filtered DHCP packets for a specific mac address ? by any kind of rules ? would be very helpful

Thanks

5

anyone has a clue ? :slight_smile:

thanks