Firewall rule

Hello
1. Is there any way to filter packets by the sender host name?
2. How to limit communication to only the hosts that are joined to a specific domain?
3. How to integrate MikroTik and Active Directory and set firewall rules based on the domain name of clients?

Not dynamically … as in: here comes a packet from random-never-seen-before source IP address, check if it’s from “somedomain.com”. Some setup commands allow you to enter FQDN instead of IP address and that rule then “dynamically” changes … if FQDN resolves into another IP … but it only does it after DNS TTL expires.

The fact is that a firewall is (more or less) L3 stuff and operates on IP addresses.


See my answer above. If you can construct an address list containing the IP addresses of all hosts from a specific domain, then you could construct a firewall filter rule using that address list. You cannot use a domain name as the constructor of the list, because usual DNS clients can’t get the whole list from DNS servers (that would be a zone transfer, and most DNS servers are configured such that zone transfers are only allowed for certain DNS servers, most notably secondary DNS servers for the same domain).

Another way (not hugely practical) is to construct L7 filter rules. The problem with L7 rules is that they are very CPU intensive and that it’s only possible to use them for a few particular L5 protocols (e.g. http or https) where the destination server name is mentioned early in the connection.
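As an added illustration of the address-list approach described above (not posted by anyone in this thread): a RouterOS configuration fragment that builds an address list from a few FQDN entries plus a reserved subnet, then references it in a forward-chain filter. The list name, host names and subnet are made up; FQDN entries require a RouterOS version that accepts domain names in address lists, and the router only re-resolves them when the DNS TTL expires, as noted above.

```routeros
# Constructed example; list name, host names and subnet are placeholders.
/ip firewall address-list
# FQDN entries: RouterOS resolves each name with its own DNS client and
# creates dynamic IP entries; they are refreshed only after the TTL expires.
add list=joined-hosts address=pc01.corp.example comment="FQDN, resolved by router"
add list=joined-hosts address=pc02.corp.example comment="FQDN, resolved by router"
# Static range handed out (by whatever DHCP server is in use) only to joined hosts.
add list=joined-hosts address=192.168.10.0/24 comment="reserved range for joined hosts"

/ip firewall filter
# Keep reply traffic for already-accepted connections flowing.
add chain=forward connection-state=established,related action=accept \
    comment="allow established/related"
# Match on source IP via the list; this is an L3 check, not a check of domain membership.
add chain=forward src-address-list=joined-hosts action=accept \
    comment="hosts on the joined-hosts list"
# Everything else that tries to traverse the router is dropped and logged for review.
add chain=forward action=drop log=yes log-prefix="not-joined" \
    comment="drop anything not on the list"
```

The drop rule sits last, so every rule above it must cover traffic you intend to allow; the logged prefix makes it easy to spot hosts that were left off the list.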


AFAIK ROS doesn’t talk LDAP (or AD or whatever), you’d have to use a Radius server which would translate LDAP/AD policies into Radius policies.

Thanks
If I make a list containing all the IPs of all hosts from a specific domain, how can I limit DHCP in MikroTik to lease IPs only to joined clients? Is it possible to set up a Windows DHCP server for MikroTik clients, control joined clients, and give IPs only to joined hosts via the DHCP server?
In this situation joined systems have IPs and other clients are unable to get an IP from a special range. After that we can limit with a firewall rule to specific IP addresses and reject other packets.

What about filtering based on MAC address?
For example, we can make a list of MAC addresses for joined clients and filter based on this list. Is there any way to export joined clients’ MAC addresses from AD?

Definitely you can use the domain server as the DHCP server for the network, just disable/deconfigure the DHCP server on the MikroTik.
Filtering by MAC addresses is possible as well, but might degrade the overall performance of your router.

Just beware that using MAC addresses as access control is not fail safe; it is quite easy to fake a MAC address on a client machine.

If I use Active Directory as the DHCP server, is it possible for the DHCP server to give IPs only to joined clients? Is the DHCP server able to control the clients?

That’s not possible: a station first needs an IP address (obtained from the DHCP server) so that it can later authenticate with the AD controller. The access control can then be done using 802.1X … which unfortunately is not (yet) supported by ROS … but ultimately solves the problem of faked MAC addresses (faking domain authentication is much harder).

So what is the best practice for controlling whether clients are joined to a specific domain?

Which domain exactly do you have in mind? DNS domain? Windows domain? Or even IP subnet?

Each of those has its own mechanisms to control membership … and they can all be implemented in the same service (and no, generally that service is not run by the router or firewall). If a network lacks some mechanisms, then sometimes poor substitutes exist … emphasis is on “poor”.

Thanks