Firewall Filter

InfoSolTech · March 9, 2011, 8:54pm

Hi there,
please help me with Firewall filtering in which i can bound a specific ip with specific mac only..
If anyone of them changes, the connection is rejected.

like i want to allow 192.168.4.39 with 00:1A:5D:60:71:93 MAC only, so if any other mac tries to use this ip OR the mac tries to use other ip..their connection is blocked…

Thank you very much. Hope i get the answer soon

Feklar · March 9, 2011, 9:06pm

You can specify the Source MAC address in a filter rule that will accept that IP and MAC combination and then another rule that will drop everything else. If you want that for each IP, that will be a lot of rules to make though.

What exactly is it you are trying to accomplish with that rule? With what you are asking, I believe you are just making more work for yourself. You are not really adding any security to anything and it really doesn’t give you any extra functionality that I can see.

Chupaka · March 9, 2011, 11:09pm

just use arp=reply-only on the interface, and create static ARP entries

InfoSolTech · March 10, 2011, 4:58am

Yes I dont ve any problem to make entry again every user.

Please send me the Code which allow specific ip to be used by a specific mac only.. and if any1 of them changed, internet stops working.

And except the entries, other requests are also blocked.

I need it urgently..

Would be great full to you..

InfoSolTech · March 10, 2011, 6:16am

OR … my requirement can be fulfilled by setting speeds limits on MAC address. What ever IP they use i dont ve any problem.
As my users start changing their IP addresses to get out of the limitations.

Secondly.. all the entries made in firewall should be allowed to use the service while all other unknown addresses are blocked.

Thanks

Chupaka · March 10, 2011, 6:10pm

so what’s with ARP mode? why don’t you like it?

InfoSolTech · March 10, 2011, 6:23pm

hmm .. i dont ve any problem to use that.. please tell me how i work for that.. ?

secondly … unknown ip’s should be blocked… which are not listen in dhcp or firewall.. wht to do for them..

Chupaka · March 11, 2011, 12:05am

if you use static ARP table (reply-only), then the only entries working will be static entries (plus DHCP addresses, if you check ‘Add ARP for Leases’ in DHCP Server)

so make your ARP entries static and then set ARP to ‘reply-only’ for your LAN interface

usmany · March 14, 2011, 10:12am

Why not try this:

/ip dhcp-server lease
add address=192.168.4.39 client-id=1:0:1A:5D:60:71:93 comment=“” disabled=no
mac-address=00:1A:5D:60:71:93 server=dhcp1 use-src-mac=yes

I am sure above will assign you ip address to that same mac not to any system anymore