Firewall Allow Certain MAC Addresses to blocked sites

Hello
In my network I have blocked the Facebook and YouTube sites, but I need to grant access to certain MAC addresses. I tried a few rules, but without success.

  • Preference for MAC, as clients use mobile devices (notebook, cell phone, tablet) and are in transit between head office and branch.

Please, can you help me with a rule to allow only certain MAC addresses?
Thank you.

MAC address matching is only expected to work if your firewall device is the default gateway for the client device in question. Does your setup satisfy this requirement?

Yes, the RB is the default gateway.

Then please post the output of the /ip firewall filter export here, and specify which rules are not working for you.

add action=drop chain=forward comment="DROP FACEBOOK" layer7-protocol=Facebook src-address=0.0.0.0/0

add action=accept chain=forward src-mac-address=00:1D:7D:B2:34:F9

Make sure your accept rule is placed before the drop rule.

Perfect, I believe that we're almost there.
I changed my input to forward and the src-address to the network address, and put the allow rule before the drop.
It's possible to resolve DNS, but it does not ping.

Do you have any other firewall rules in place?

Yes

/ip firewall filter
add action=accept chain=forward src-mac-address=XX:XX:XX:XX:XX:XX
add action=drop chain=input comment="BRUTEFORCE LOGIN PREVENTION (FTP: DROP FTP BRUTE FORCERS)" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="Bruteforce login prevention(ftp: 530 Login incorrect to limit dst address)" content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment=\
    "Bruteforce login prevention(ftp: 530 Login incorrect to ftp_blacklist)" content="530 Login incorrect" protocol=tcp
add action=add-src-to-address-list address-list=SSH_BlackList_1 address-list-timeout=1m chain=input comment="Drop SSH&TELNET Brute Forcers" connection-state=new dst-port=\
    22-23 protocol=tcp
add action=add-src-to-address-list address-list=SSH_BlackList_2 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 protocol=tcp src-address-list=\
    SSH_BlackList_1
add action=add-src-to-address-list address-list=SSH_BlackList_2 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 protocol=tcp src-address-list=\
    SSH_BlackList_1
add action=add-src-to-address-list address-list=SSH_BlackList_3 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 protocol=tcp src-address-list=\
    SSH_BlackList_2
add action=add-src-to-address-list address-list=IP_BlackList address-list-timeout=1d chain=input connection-state=new dst-port=22-23 protocol=tcp src-address-list=\
    SSH_BlackList_3
add action=drop chain=input dst-port=22-23 protocol=tcp src-address-list=IP_BlackList
add action=drop chain=input comment="BRUTEFORCE LOGIN PREVENTION (WINBOX: DROP WINBOX BRUTE FORCERS" dscp=0 dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=2w1d chain=input comment=\
    "Bruteforce login prevention(Winbox: stage3 to winbox_blacklist)" connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage_3
add action=add-src-to-address-list address-list=winbox_stage_3 address-list-timeout=1m chain=input comment="Bruteforce login prevention(Winbox: stage2 to stage3)" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage_2
add action=add-src-to-address-list address-list=winbox_stage_2 address-list-timeout=6h chain=input comment="Bruteforce login prevention(Winbox: stage1 to stage2)" \
    connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage_1
add action=add-src-to-address-list address-list=winbox_stage_1 address-list-timeout=12h chain=input comment="Bruteforce login prevention(Winbox: stage1)" \
    connection-state=new dst-port=8291 protocol=tcp
add action=drop chain=forward comment="DROP FACEBOOK" layer7-protocol=FACEBOOK src-address=192.168.4.0/24
add action=drop chain=forward comment=FullVicio layer7-protocol=fullvicio.com src-address=192.168.4.0/24
add action=drop chain=forward comment=Mimp3 layer7-protocol=mimp3s.uno src-address=192.168.4.0/24
add action=drop chain=forward comment="DROP YOUTUBE" layer7-protocol=Youtube src-address=192.168.4.0/24

Add

add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"

above your drop rules, and move your input rules above your forward rules.
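As an added example (not code from the thread or from MikroTik), this Python model evaluates the forward chain with RouterOS first-match semantics, using the MAC quoted in the thread and constructed packets, and ignoring connection tracking and interface matchers. It shows why the accept rule has to sit before the drops, and also that a src-mac-address accept passes all forward traffic from that device, not only Facebook and YouTube.

```python
# Added example (not from the thread): first-match model of the RouterOS forward
# chain above, showing why the src-mac-address accept rule must precede the
# layer7 drops. Packets are constructed; MAC and subnet are those in the thread.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src_mac: str
    src_ip: str
    l7: str = ""                 # name the layer7 matcher would report
    conn_state: str = "new"      # new / established / related

@dataclass
class Rule:
    action: str = "accept"       # RouterOS default when action is omitted
    src_mac: Optional[str] = None
    src_address: Optional[str] = None
    l7: Optional[str] = None
    conn_state: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        # Every matcher set on the rule must agree, as in RouterOS.
        if self.src_mac and p.src_mac.upper() != self.src_mac.upper():
            return False
        if self.src_address and ipaddress.ip_address(p.src_ip) not in \
                ipaddress.ip_network(self.src_address):
            return False
        if self.l7 and p.l7.upper() != self.l7.upper():
            return False
        return not self.conn_state or p.conn_state == self.conn_state

def evaluate(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule decides; no match falls to the chain default (accept)."""
    for r in chain:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "chain default"

ALLOWED_MAC = "00:1D:7D:B2:34:F9"   # MAC quoted in the thread
LAN = "192.168.4.0/24"
DROPS = [Rule("drop", src_address=LAN, l7="FACEBOOK", comment="DROP FACEBOOK"),
         Rule("drop", src_address=LAN, l7="Youtube", comment="DROP YOUTUBE")]
STATEFUL = [Rule(conn_state="established", comment="allow established"),
            Rule(conn_state="related", comment="allow related")]
MAC_ALLOW = Rule("accept", src_mac=ALLOWED_MAC, comment="allowed MAC")
FIXED_CHAIN = [MAC_ALLOW] + STATEFUL + DROPS   # ordering the thread arrives at
DROP_FIRST = DROPS + [MAC_ALLOW]               # accept placed after the drops
```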

/ip firewall filter
add action=accept chain=forward src-mac-address=9C:D2:1E:EA:6E:AD
add chain=forward comment="allow established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=forward comment="DROP  FACEBOOK" layer7-protocol=FACEBOOK src-address=192.168.4.0/24
add action=drop chain=forward comment=FullVicio layer7-protocol=fullvicio.com src-address=192.168.4.0/24
add action=drop chain=forward comment=Mimp3 layer7-protocol=mimp3s.uno src-address=192.168.4.0/24
add action=drop chain=forward comment="DROP YOUTUBE" layer7-protocol=Youtube src-address=192.168.4.0/24

Now I can access by mobile applications, but not on desktops.

Confirm which device MAC address you are allowing. You will need to have the MAC address of each device you would like to have access.