How to block a MAC in the firewall?

We have a single bridge, bridge1, bridging ether1, wlan1, wlan2 and wlan3, but how can I create a filter to reject a specific MAC address? I tried to create one in Winbox but it failed to work.

If you are going to test whether the bridge filter works, then do not test from the bridge itself. The filter only filters what passes through it. At least so in 2.8.x.

No, we have someone who is ghosting our IPs and causing IP conflicts with customers. We need to block that person's MAC from having access.

Are you trying to block from IP → Firewall or from Bridge → Firewall? Adding his MAC as the src-mac-address in the bridge firewall should do the trick.

Since he/she is constantly changing IPs, we have to do it by MAC address. What I tried was:

add chain=forward src-mac-address=00:30:F1:10:2E:3C action=reject reject-with=icmp-admin-prohibited comment="" disabled=no

But it did not seem to work. So how do I need to phrase it properly?

Ah, you are referring to v2.9; that might just be a bug.
In v2.8 it works. But changing the MAC address is just as simple as changing the IP address with most of the cards I've used. Perhaps you should look for a solution that would deal with the cause of the problem. Hacks to deal with a symptom of a problem have rarely made the problem go away.

Yeah, we are in touch with the bandwidth management unit company; it seems that it's got a bug in the latest software update and is letting IPs that do not match the correct MAC addresses, or those that are not in the system, through. But in the meantime we can't seem to figure out where it's coming from or anything; we have noticed, though, that the MAC has stayed the same and just the IP is being changed. Hoping that solution will last long enough, and work correctly, until they get that bug fixed.

Since this is a bridge, is there any reason why you haven't tried the bridge firewall?

Well, because I am new to the entire Mikrotik firewall and still learning it. Can you give me an example of how to set it in the bridge firewall?

From the CLI, go to "interface bridge firewall"; from Winbox it's under the bridge settings menu in the interfaces menu (both for 2.8.x; I'm not familiar with 2.9 yet). All you need to do is add the offending MAC address as the "src-mac-address" and set the action to drop. That should block him.

Ok, here's what I added to the firewall:

add chain=forward src-mac-address=00:30:F1:10:2E:3C in-bridge-port=bridge1 out-bridge-port=bridge1 action=drop comment="" disabled=no

But I am still able to ping its IP address, which seems to indicate to me that it's not blocking. Is there something I am missing to make this work?

Try using the physical port (interface) that is a member of the bridge (i.e. ether3 or wlan1 or something like that) instead of bridge1 for out-bridge-port and in-bridge-port. Then, by the way, in- and out-ports usually will not be identical :wink: because a frame with the same in- and out-port would not be forwarded through the bridge anyway.

–Tom

tneumann, ok, thanks for that advice.

I have a firewall rule set to block unauthorized access to Winbox other than from the addresses set in our address list. But I am having a flood from a specific MAC address that is trying to connect to Winbox using ghost IPs; the attempts we are having from that MAC address are tons per minute. How can I prevent it, or how can I block that MAC address? Here is my firewall rule set for Winbox:

add action=drop chain=input comment="Drop anyone in the Black List (Winbox)" disabled=no src-address-list="Black List (Winbox)"
add action=drop chain=forward comment="Drop anyone in the Black List (Winbox)" disabled=no src-address-list="Black List (Winbox)"
add action=jump chain=input comment="Jump to RWF Winbox Chain" disabled=no jump-target="RWF Winbox Chain"
add action=add-src-to-address-list address-list="Black List (Winbox)" address-list-timeout=0s chain="RWF Winbox Chain" comment="Transfer repeated attempts from Winbox Stage 3 to Black-List" connection-state=new disabled=no dst-port=8291 protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m chain="RWF Winbox Chain" comment="Add successive attempts to Winbox Stage 3" connection-state=new disabled=no dst-port=8291 protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m chain="RWF Winbox Chain" comment="Add successive attempts to Winbox Stage 2" connection-state=new disabled=no dst-port=8291 protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=1m chain="RWF Winbox Chain" comment="Add initial attempt to Winbox Stage 1" connection-state=new disabled=no dst-port=8291 protocol=tcp
add action=log chain="RWF Winbox Chain" comment="Log Black Listed IPs" disabled=no log-prefix="Winbox Black List - " src-address-list="Black List (Winbox)"
add action=return chain="RWF Winbox Chain" comment="Return From RWF Winbox Chain" disabled=no
add chain=output comment="Section Break" disabled=yes

Depending on your RB model and on where that flood comes from physically, a rule in the switch (preferred if technically possible) or a rule in the bridge firewall is necessary. To make bridge rules work, you need to use the following:

/interface bridge settings set use-ip-firewall=yes

This is a common setting for all bridges, so expect a throughput penalty.
The rule for a bridge would then look like this:

/interface bridge filter add action=drop chain=input src-mac-address=00:11:22:33:44:55/ff:ff:ff:ff:ff:ff mac-protocol=ip ip-protocol=tcp dst-port=8291

But it is well possible that there is actually a network full of infected devices behind a gateway element with that MAC address, so I’d recommend not to stop at just using that filter rule and to investigate further into the issue.
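A complete worked configuration for the MAC block discussed in this thread, as an added example that is not part of any post above. It assumes the bridge1 with member ports ether1 and wlan1-wlan3 from the original question, and uses 00:11:22:33:44:55 as a placeholder for the offending MAC. One caveat a practitioner should know: /interface bridge filter rules match bridged frames on their own; use-ip-firewall=yes is what additionally sends bridged traffic through /ip firewall, so it is only needed if the IP firewall rules (such as the Winbox blacklist posted above) should also see that traffic, and it costs throughput on every bridge.

```routeros
# Added example (not from the thread). Placeholder MAC: 00:11:22:33:44:55.
# Bridge/ports (bridge1, ether1, wlan1..wlan3) are the ones from the original question.

# Optional: only if /ip firewall (e.g. the Winbox blacklist chain) must also
# see bridged frames. The bridge filter rules below do not depend on it.
/interface bridge settings set use-ip-firewall=yes

# 1. Log rule first (action=log lets the frame continue to the next rule),
#    so the log proves the match before anything is dropped.
#    The full mask FF:FF:FF:FF:FF:FF means an exact MAC match; a shorter
#    mask (e.g. FF:FF:FF:00:00:00) would match a whole vendor prefix.
/interface bridge filter add chain=forward \
    src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=log log-prefix="bad-mac " comment="log offending MAC"

# 2. Drop frames from that MAC addressed to the router itself
#    (Winbox on 8291, ping to the bridge address, etc.).
/interface bridge filter add chain=input \
    src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=drop comment="block offending MAC -> router"

# 3. Drop frames from that MAC that would be forwarded to other bridge
#    ports (the customers). No in-/out-bridge-port is given, so every
#    member port is covered; add in-bridge-port=wlan1 once the host's
#    port is known. Do not use bridge1 itself as the port, as noted above.
/interface bridge filter add chain=forward \
    src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=drop comment="block offending MAC -> bridge"

# 4. With use-ip-firewall=yes the IP firewall can match the MAC as well,
#    which keeps the block next to the existing Winbox chain.
/ip firewall filter add chain=input src-mac-address=00:11:22:33:44:55 \
    action=drop comment="block offending MAC (ip firewall)" place-before=0

# Verification: test from a host on another bridge port, never from the
# router itself (the filter only sees frames passing through the bridge).
/interface bridge filter print stats
/interface bridge host print where mac-address=00:11:22:33:44:55
/log print where message~"bad-mac"
```

The `print stats` counters and the log lines are the check that the rule is actually being hit; if the counters stay at zero while the host is still reachable, the frames are taking a path that bypasses the bridge filter (for example a hardware-switched path between ports on the same switch chip), which is why the last post prefers a switch rule where the board supports one.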