How to allow some mac addresses in firewall/filter rules

Hello,

This is my /ip firewall filter print:

[admin@RouterOS] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; saeed-laptop
      chain=forward action=accept src-mac-address=some_mac_address log=no log-prefix="" 

 1    ;;; saeed-phone
      chain=input action=accept src-mac-address=some_mac_address log=no log-prefix="" 

 2    ;;; saeed-phone
      chain=forward action=accept src-mac-address=some_mac_address log=no log-prefix="" 

 3    ;;; bro-phone
      chain=forward action=accept src-mac-address=some_mac_address log=no log-prefix="" 

 4    ;;; bro-laptop
      chain=forward action=accept src-mac-address=some_mac_address log=no log-prefix="" 

 5    chain=forward action=drop log=no log-prefix=""

When the last drop rule is enabled, none of my allowed devices have internet access, but as soon as I disable the drop rule, everything works fine.

I’m going to allow only some specific MAC addresses, but I was unable to do so.

I connect to my Mikrotik via Wi-Fi network.

I googled but wasn’t able to find the docs or help I’m looking for.

How can I filter and allow only some specific mac addresses to connect or even have internet access through my Mikrotik wireless network?

Why do you want to use firewall rules? They are for layer 3 traffic. If you need something else, I believe you may have success under bridge filters???

Thanks, but I have nothing in Bridge section.
I just added the same rules in bridge filters, and finally added a drop forward chain, but it didn’t work.

I didn’t know the firewall rules are for layer3 traffic (I don’t know what the 7 layers mean exactly, I’m going to read about them).

#5 rule drop all from internet (in chain forward)

“src-mac-address=some_mac_address”
What about dst? :wink:

Thanks, but I didn’t understand what you mean. My last rule drops all from the internet, but in the other rules, with higher priority than the last one, I stated to allow some MAC addresses.

Doesn’t this mean this sentence?
If src-mac-address is my laptop for example, then allow this mac address.

But what do you mean by the dst-mac? My laptop connects to Mikrotik and Mikrotik again sends the data to my laptop. Do you mean in this case, I should assign the dst to my laptop again?
I mean both src and dst should be the same?

https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall

No, use ip->firewall->connections to see how the Internet works :slight_smile:
Use a standard firewall! :slight_smile:

Thanks for the doc. I read it before, but didn’t understand from it how to reach what I’m looking for.

I know a little about how the internet works :) I’m not that unfamiliar with this concept because of my work, but to the best of my knowledge, I tried to figure out the docs and apply them, and I’ve not yet succeeded.

I solved it by this link: https://www.uobabylon.edu.iq/eprints/publication_5_13385_1412.pdf
In my case, it’s working.

If this solution is not a good one, I’ll be happy to hear the reason and find a better solution.

Well, obviously I thought we were dealing with a router, not an access point, which all radio setups have MAC-filtering setup for layer 2 traffic control (NOT fw rules).
Again, I should have read more closely, glad you got it sorted.

Oops, yes that’s an access point.
In fact, I’m using the Mikrotik as an extender in my house, to extend the ADSL modem to the bedrooms. In the bedrooms I have weak signals from my ADSL modem.
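
The "What about dst?" and "ip->firewall->connections" hints in the replies above, as an added example that is not from any poster in this thread and is not RouterOS code: a small Python model of first-match rule evaluation, run over the posted forward rules. The MAC addresses, the `Packet` type and the `evaluate`/`verdicts` helpers are constructed for illustration; the model assumes the reply packet arrives with the upstream modem's MAC as its source, since a source MAC identifies only the previous layer 2 hop.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    chain: str
    src_mac: str      # MAC of the previous layer 2 hop, not of the original sender
    conn_state: str   # label connection tracking would assign: "new", "established", ...

# Constructed sample addresses (not taken from the thread).
LAPTOP = "AA:BB:CC:00:00:01"
MODEM = "AA:BB:CC:00:00:FE"      # upstream ADSL modem / gateway
UNKNOWN = "AA:BB:CC:00:00:99"    # a device that is not on the allow list

def evaluate(rules, pkt):
    """First matching rule decides; a packet that no rule matches is accepted."""
    for rule in rules:
        if rule["chain"] != pkt.chain:
            continue
        if "src-mac-address" in rule and rule["src-mac-address"] != pkt.src_mac:
            continue
        if "connection-state" in rule and pkt.conn_state not in rule["connection-state"]:
            continue
        return rule["action"]
    return "accept"

# The posted pattern: per-device accept rules followed by a blanket drop.
posted = [
    {"chain": "forward", "action": "accept", "src-mac-address": LAPTOP},
    {"chain": "forward", "action": "drop"},
]

# Same list, with replies of already-tracked connections accepted first.
with_replies = [
    {"chain": "forward", "action": "accept",
     "connection-state": {"established", "related"}},
] + posted

SAMPLES = {
    "request": Packet("forward", LAPTOP, "new"),          # laptop -> internet
    "reply": Packet("forward", MODEM, "established"),     # internet -> laptop
    "stranger": Packet("forward", UNKNOWN, "new"),        # unlisted device -> internet
}

def verdicts(rules):
    """Return the action each sample packet receives under the given rule list."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("posted      :", verdicts(posted))
    print("with_replies:", verdicts(with_replies))
```

Under the posted rules the laptop's request is accepted but the reply is dropped, because its source MAC is the modem's; accepting established and related connections ahead of the MAC rules lets replies through while the unlisted device still cannot open a connection.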