Firewall filter help

I have a group of ports (not in a range) that I need to block and a group of users that I want to let through. I would like to filter on MAC address. What’s the easiest way to do this? Can you make a MAC address list? I only see how to do an IP list. When specifying ports, can you not use “,” or “;” to separate them?

I know I can make an individual rule for each port, then an individual rule for each user MAC, but I would think there is an easier way.

Thanks.

There are no MAC address lists. The firewall filters really are set up to filter on layer 3 (it’s in the IP menu, after all). Why are you trying to filter by MAC address? Is this a layer 2 firewall? If you give more information there may be a workaround.

Also, you can specify multiple ports in a rule; the port list is evaluated as a short-circuit OR. Here’s a quick example that filters all TCP traffic to ports 80, 443, and 8080 going through the router:

/ip firewall filter
add chain=forward protocol=tcp dst-port=80,443,8080 action=drop

Thanks fewi. I guess I’m going crazy. I swear when I tried to use “,” in Winbox to separate ports it wouldn’t let me. Maybe I had the wrong field when I tried before.

The reason I’m looking to use the MAC is that it is harder for my users to spoof the MAC compared to just changing their IP address.

The rule I’m setting up is to block HTTP, HTTPS, FTP, P2P, etc. for all, then I want to allow the MACs of my servers to have access. If there is no MAC list, I guess I have to input each one individually.

You can prevent users changing IP addresses if you’re willing to deal with some administrative overhead.

If your users have static IPs, add a static ARP entry for their MAC to IP mapping and set the interface ARP mode to “reply only”.
If your users have dynamic IPs, check the “add ARP entry” checkbox on the DHCP server, make all leases static, and set the interface ARP mode to “reply only”.

At that point users can only use the IP address you assigned them statically or via static DHCP leases. Then you can filter by IP address. If they change IPs they can’t get out at all (well, technically they can pass packets through the router, but the router can’t send them any traffic back, so no bidirectional connections can be established).
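The two steps above (pin the MAC-to-IP mapping, then filter by IP) written out as a complete configuration. This is an added example, not from fewi’s post or the original poster’s router: the interface name ether2, the DHCP server name dhcp1, the 10.1.1.0/24 addresses, the MACs and the port set are placeholders chosen to match the thread’s scenario, and the accept rule sits above the drop so the pinned servers bypass the block.

```routeros
# Added example (not from the thread). Placeholder names and addresses:
# ether2, dhcp1, 10.1.1.x, and the MACs below are illustrative only.

# Static-IP hosts: one static ARP entry per server, binding IP to MAC.
/ip arp
add interface=ether2 address=10.1.1.10 mac-address=00:11:22:33:44:01 comment="server1 (placeholder MAC)"
add interface=ether2 address=10.1.1.11 mac-address=00:11:22:33:44:02 comment="server2 (placeholder MAC)"

# DHCP hosts: let the DHCP server create the ARP entries itself, then
# convert every lease to static so the MAC/IP pair can no longer change.
/ip dhcp-server
set [find name=dhcp1] add-arp=yes
/ip dhcp-server lease
make-static [find dynamic=yes]

# Only answer ARP for entries already in the table; never learn new ones.
# (If the address lives on a bridge, set this on the bridge interface instead.)
/interface ethernet
set ether2 arp=reply-only

# Now IP is trustworthy enough to filter on: list the pinned servers ...
/ip firewall address-list
add list=servers address=10.1.1.10
add list=servers address=10.1.1.11

# ... let them through first, then drop the port group for everyone else.
/ip firewall filter
add chain=forward src-address-list=servers action=accept comment="pinned servers"
add chain=forward protocol=tcp dst-port=21,80,443,8080 action=drop comment="block web/ftp for everyone else"
```

Caveats worth keeping in mind: reply-only only protects the router’s own ARP table, so a host that changes its IP gets no replies from the router, but a host that clones both the MAC and the IP of a listed server is indistinguishable from it and still matches the accept rule; and static ARP on the router does nothing for client-to-client traffic on the same LAN segment.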

Thanks again fewi, I’ll give the ARP mode a look. One last question (for now :) ). For IP address lists, do they have to be range based? Winbox doesn’t seem to let me use “,”.

Yes, they have to be range based. But you can also specify CIDR masks, and of course address lists can contain more than one entry.

The below, for example, covers 192.168.0.0-192.168.0.127, 192.168.0.150-192.168.0.160, 192.168.0.200 and 192.168.0.220 in the most efficient way. It shows all the different options for address lists.

/ip firewall address-list
add list=myList address=192.168.0.0/25
add list=myList address=192.168.0.150-192.168.0.160
add list=myList address=192.168.0.200
add list=myList address=192.168.0.220

I just ran into another problem. I have a wireless R52Hn card in my RB493AH. I have bridged my wlan and ether2, which is my private network 10.1.1.0. I need them both on the same subnet since I have a few clients that need access to applications on the private network that are not routable. But I want to block all other wlan connections from seeing my private network.

So I thought I would make a forward rule that would drop packets from interface wlan to ether2, still giving them internet access through ether1. Then I would create a rule above it to allow the clients that need access through.

This doesn’t seem to work. My guess is it’s because of the bridge. So I tried a bridge filter with the same rule. Still no luck. Any help on this?

Thanks.

If you want to use the IP firewall filter for bridged interfaces go to “/interface bridge settings” and set use-ip-firewall to ‘yes’.

http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Settings
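An added example of the bridged case in the IP firewall, not from the post above or the original poster’s router. Once use-ip-firewall is on, bridged packets reach the IP forward chain with the bridge itself as in-interface and out-interface, so a rule written with in-interface=wlan1 out-interface=ether2 never matches; the IP firewall’s in-bridge-port and out-bridge-port matchers select the physical ports instead. The bridge name bridge1 and the MAC are placeholders.

```routeros
# Added example (not from the thread). Placeholders: bridge1, and the MAC.
# wlan1 and ether2 are bridge ports; the bridge carries the 10.1.1.0 subnet.

/interface bridge settings
set use-ip-firewall=yes

# The forward chain sees in-interface=bridge1 / out-interface=bridge1 for
# bridged traffic, so match the real ports with in-bridge-port/out-bridge-port.
/ip firewall filter
add chain=forward in-bridge-port=wlan1 out-bridge-port=ether2 \
    src-mac-address=00:11:22:33:44:55 action=accept comment="Dan iPhone (placeholder MAC)"
add chain=forward in-bridge-port=wlan1 out-bridge-port=ether2 action=drop \
    comment="drop wifi from local"
```

Keep the whole policy in one firewall. A packet has to pass both the bridge filter and (with use-ip-firewall=yes) the IP firewall; an accept in one never overrides a drop in the other, which is why an accept rule in the IP filter cannot rescue a host that a bridge filter drop rule already discarded.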

Even with that option set it does not seem to work for this type of filter under the IP filter (drop packets from interface wlan1 to ether2). If I set it in the bridge filter it does work. It also looks like the bridge filter has priority over the IP filter, since a rule in the IP filter to grant access for the wireless hosts that need access does not work unless I put that also in the bridge filter. It would be nice to only have to deal with one filter if this is possible.

Thanks.

Bridge filter settings that work (XX:XX:XX:XX:XX:XX = my real MAC)

;;; drop wifi from local
chain=forward in-interface=wlan1 out-interface=ether2 (private) action=drop

;;; Dan iPhone access mac
chain=forward src-mac-address=XX:XX:XX:XX:XX:XX/FF:FF:FF:FF:FF:FF action=accept

IP filter settings that don’t work
The “drop wifi from local” rule doesn’t work, so the access rules don’t matter. Also, the access rules don’t work if just the drop rule is in the bridge filter.

;;; Dan iPhone access mac
chain=forward action=accept src-mac-address=XX:XX:XX:XX:XX:XX

;;; Dan iPhone access
chain=forward action=accept in-interface=wlan1 out-interface=ether2 (private) src-mac-address=XX:XX:XX:XX:XX:XX

;;; drop wifi from local
chain=forward action=drop in-interface=wlan1 out-interface=ether2 (private)