Firewall Rule to block unwanted MAC address

Hi,

We are installing a new payroll and time attendance system network. We have a computer that is listening on port 8081 for time attendance clock punches and a port forwarding rule pointing to this computer.

I need to only allow connections from our clocks.
Clocks are pointing at our public IP and using port 8081 UDP from dynamic ISP modems from different Internet providers, so filtering by static IP is not possible. Right now all clocks are sending all punch information without any problem, but I want to add another layer of security by filtering by clock MAC addresses (or maybe using the DSL modems' MAC addresses).

The question is how can I filter connections on port 8081 by clock MAC address? I have a full list of clock MAC addresses to be used for this matter (I also have a list of modem MAC addresses).

Thanks in advance!

You can’t. MAC addresses are visible at the LAN level only. Each time a packet crosses a router, the source MAC is rewritten with the outbound LAN interface of that router. All of your clocks will appear to be sending from the MAC of the ISP-facing equipment your server LAN is connecting through. (Your modem, ONT, gateway router, etc.)

MAC address filtering is amateur-hour security in any case, especially for UDP packets. It is like replacing your corporate IDs with those “My name is…” party stickers. Want to get into the C-suite bathroom? Look up the corporate leadership page on the web site and write down the CEO’s name. Walk right in.

Wanna know how proper UDP authentication looks? Study a protocol designed by experts, something like QUIC; don’t try to roll your own.

Thanks for your reply! I have a typo: it is not UDP, it is TCP, sorry!

While MAC spoofing is more difficult with TCP, the first part of my reply remains valid for TCP as well. You still don’t see the remote source MAC for TCP connections across the Internet.

For TCP, I would substitute TLS as an authentication protocol, using client-side certificates.
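As an added example (not code from this thread), here is what "TLS with client-side certificates" looks like for the clock server in Go: a private CA enrols each clock, the server is configured with tls.RequireAndVerifyClientCert, and a punch is only answered when the client presents a certificate chained to that CA. The CA name, "clock01", "clock-server" and the loopback port are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"; "crypto/x509"
	"crypto/x509/pkix"; "io"; "math/big"; "net"; "time"
)

// issue returns a P-256 key and certificate for cn. With parent == nil it is the
// self-signed private "Clock CA"; otherwise that CA signs it (server or clock cert).
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { parent, pkey = t, key } // self-sign the CA
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// PunchAccepted runs a one-shot loopback clock server that requires a client cert
// chained to ca, sends one punch authenticated with cert/key (nil = no cert) and
// reports whether the server echoed it. The server's Read performs the handshake,
// so a client the CA never enrolled gets a TLS alert instead of an echo.
func PunchAccepted(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	sc, sk := issue("clock-server", ca, caKey)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert,
		Certificates: []tls.Certificate{{Certificate: [][]byte{sc.Raw}, PrivateKey: sk}}})
	if err != nil { return false }
	defer ln.Close()
	go func() { // server side
		if c, err := ln.Accept(); err == nil {
			buf := make([]byte, 64)
			if n, err := c.Read(buf); err == nil { c.Write(buf[:n]) }
			c.Close()
		}
	}()
	cfg := &tls.Config{RootCAs: pool} // client side: trusts the Clock CA for the server cert
	if cert != nil { cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return false }
	defer conn.Close()
	conn.Write([]byte("punch"))
	reply := make([]byte, 5)
	_, err = io.ReadFull(conn, reply)
	return err == nil && string(reply) == "punch"
}
```

In a real deployment the CA key stays on the payroll LAN, each clock gets its own enrolled certificate, and revoking a lost clock means removing its certificate rather than trusting a spoofable address.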

Your best bet is to assign dyndns configurations to each site.
You can get free ones as well as paid.
In this manner each site will have a known IP at the Mikrotik. It will resolve the IPs for you in order to create a firewall address list of allowed IPs.
/ip firewall address-list
add address=dyndnsname-site1 list=Authorized
add address=dyndnsname-site2 list=Authorized
add address=dyndnsname-site3 list=Authorized
add address=dyndnsname-siteX list=Authorized

/ip firewall filter
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat src-address-list=Authorized
add chain=forward action=drop comment="port forwarding from unknown sources" connection-nat-state=dstnat

/ip firewall nat
add chain=dstnat action=dst-nat dst-address=staticpublicIP dst-port=8081 protocol=tcp to-addresses=PC-clockserver