how block by IP or MAC addrres?

zong · September 29, 2005, 12:15pm

Hi..All,

Need help, I already install and seting MT with DNS, Gateway correctly and now all user on our network can connect to internet. any body can assist me step by step to restrict user by IP/Mac address?
My configuration asf :

INTERNET
|
|
Mikrotik
ether0 192.168.0.100
ether1 10.97.20.100 → Client 10.97.20.25 DNS:202.134 GW:10.97.20.100
DNS: 202.134.x.x
Gateway:192.168.0.254

—>Client 10.97.20.98
DNS :202.134.x.x
gateway:10.97.20.100

Now both client can browsing.
How to block client 10.97.20.98 to access the router ??
Need help..

proxy · September 29, 2005, 5:47pm

ip firewall rule forward> add src-address=10.97.20.98 src-mac-address=00:0
0:00:00:00:00 action=drop

zong · September 30, 2005, 1:54am

already tried but appear error mesg. “Source Bad”
any other idea ?
fyi i am using Mt 2.7.14

cabana · September 30, 2005, 2:28am

I believe tha you need to check the mask in your source address, something like 10.97.20.98/32

zong · September 30, 2005, 3:21am

ip firewall rule forward> add src-address=10.97.20.98/16 src-mac-address=00:00:00:00:00:00 action=drop

already put netmask but the porblem still the same " Source bad"

any other suggestion ?

larmaid · September 30, 2005, 3:50am

ip firewall rule forward>add src-address=10.97.20.98/32 action=drop protocol=all

zong · September 30, 2005, 7:40am

thanks larmaid and all,
now its works, but may be there is a better way ?

I was thingking, mmhhh how about if there are so many user, 100 users do i have on one by one to block them ??
how the correct syntact → block all and then allow user that we want to give them access ?

Thanks

the_time · September 30, 2005, 8:24am

For example if you want to block class 10.97.20.x and allow only som of the to have access you can do that like this

ip firewall rule forward add src-address=10.97.20.98/32 action=acept

ip firewall rule forward add action=drop

the last rule will drop everything and if you want to allow clients to have acces after you have set this rule you can do it

ip firewall rule forward add src-address=10.97.20.x/32 action=acept place-before=0

Hope that this will help.

larmaid · September 30, 2005, 11:55am

yup i think so…

you need to block all the ip range in rule forward put it in the top, then you set the ip you want to accept in rule forward to.!

but if the accept ip is same (10.10.2.0-10.10.2.254) you only write once!

zong · September 30, 2005, 2:09pm

if I block all IP addr on the top then I accept specify Ip address
the sytem become block all IP and can not connect
any other idea ?

btw how to block or accept for the rang IP address I want block/accept?
for example:
block address 10.97.20.50/32 - 10.97.20.90/32

or may be there is the simple way ?

bholler · September 30, 2005, 3:55pm

Hello Zong,

There is no magic u can do about it…expect if there is a script (which i am yet to know about) that can do that for you automatically.If u want it to be automatic, then you will need a RADIUS which will specity the time range u want for a particular MAC address ( that is if u r doing RADIUS MAC).

In the alternative ( manually) and according to the previous command lines given to u. specify accordingly in the forward chain

/ip firewall rule forward add address=10.97.20.90/32 action=accept

(u will do this for all the host u want to allow and place them above the rules i will specify below… comment can also help u out in sorting the right IP for the right host)

/ip firewall rule forward add address=10.97.20.0/24 action=drop

(/24 if that is ur netmask…this will drop pactects from any other ip host in the network)

i hope this will sort your problem…and if anybody has better ideas, let us have it too.

bholler · September 30, 2005, 4:08pm

corrction to my command line

/ip firewall rule forward add src-address=10.97.20.90/32 action=accept

ip firewall rule forward add src-address=10.97.20.0/24 action=drop

larmaid · October 1, 2005, 3:11am

okay…theres is a way…!
but you need to install hotspot first!
if you already install it…then:

1.erase all the rule in dst-nat.
2.write the ip you want to acept in forward place in top,i forget how to count a range ip..!
3.then write this rule if your client have to login first in login page:
go to winbox->

do this

1.add src-address (10.10.aa.0/24)you want to redirect to hotspot
dst-port=53
protocol=udp
in.interface=all
action redirect
laennya default.

2.add src-address (10.10.aa.0/24)
in.interface=lan
protocol=tcp
flow=hs-auth
action=redirct
to dst.port=80

if your client do not want to login first then dont write no.3
but if u do this u have to login first if u want to using winbox..!