HOWTO internal network + masquerade by mac address to public

My company is thinking of buying MikroTik as simple routers, for a wired network only, NOT WIRELESS. We have a few hundred PCs that are using the internet through masquerading.

MISSION: we must give access to the internet not by IP, because the user can change IP at any time. I want to give masquerading by MAC address.

QUESTION: how can I do this? Can I somehow use address lists for MAC addresses? How can I dynamically find the IP and MAC address of the users that I need to give access to the public internet?

EXAMPLE: when a new order comes from my administration that the user LAMER with current IP 10.0.0.5 must have access to the internet, I want to simply see his MAC address somewhere in MT and add him to the allowed masquerade to public. Is this possible?

thx in advance…

You could set up a hotspot to do this.
The RouterOS hotspot can indeed also be used to grant access by
MAC address, but are you really sure that would be the best solution for you?

Is the MAC address really the deciding factor whether internet access should be possible or not,
or wouldn’t a username scheme be better (that is, granting access to user “Jim” - who knows
his password, rather than to “Jim’s computer”, which might be used by anyone
if “Jim” leaves it unattended etc.)?


–Tom

I don’t want the user to enter his password to have internet access. I don’t need this feature. I want maybe to bind a MAC address to some username, and then manipulate all access lists with usernames. Can I do it this way?

The hotspot can authenticate a user by its MAC address if both the user name and password are the user’s MAC address (upper case, separated by colons).
The login screen flashes by briefly, no more than a second, before the requested page is loaded.

haytcsd, can you explain to me in more detail what you wanted to say? I’m sorry for my bad English.

As I understand, if the username and password are the MAC address of his ethernet interface, then he automatically authenticates on the hotspot, and he doesn’t see any login requests?

Maybe it is simpler to add MAC/IP pairs into the ARP cache; this disallows anyone from changing his IP (if he changes IP, MT will refuse to pass his packets). Once the IP is forced for a MAC, you may continue to use IP-based rules.

if the username and password are the MAC address of his ethernet interface, then he automatically authenticates on the hotspot, and he doesn’t see any login requests?

Yes, that’s right, at least for 2.2.28.
I just tried setting up a user by mac address in 2.9.7 and it doesn’t work, has anybody else got this going in 2.9?

I’m going to upgrade to 2.9.8 and test again.
In 2.8.28 I have some clients with Linksys routers for their sites; that’s the MAC address that I put in as a user name. For individual users it’s the MAC of the NIC in their PC. Works fine.

I think that is a very good idea to use ARP to bind to fixed IPs… pedja thx, I forgot about this feature…

It would be a good idea to make a feature request to the MikroTik developers, that they make the ARP table so that I can change dynamic ARP entries in that table to fixed entries… so that I don’t enter them manually, just change the state from dynamic to fixed. What do you people think, is it an idea?
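The ARP-pinning approach pedja describes above, together with the "turn dynamic entries into fixed ones" step asked for here, as an added RouterOS CLI example (not configuration from this thread or from MikroTik). It assumes a LAN interface named ether1, a WAN interface named ether2, and constructed sample addresses; the `:foreach ... in=` script syntax is that of RouterOS v3 and later, not the 2.9 builds discussed in the thread. Setting `arp=reply-only` on the LAN interface is the check that makes the pinning effective: the router then never learns new IP/MAC pairs by itself, so a host that shows up on an unlisted IP (the new-NIC worry raised later in the thread) gets no return traffic from the router.

```routeros
# Pin each permitted host to exactly one IP/MAC pair (constructed sample values)
/ip arp add address=10.0.0.5 mac-address=00:11:22:33:44:55 interface=ether1 comment="LAMER"
/ip arp add address=10.0.0.6 mac-address=00:11:22:33:44:66 interface=ether1 comment="Jim"

# Stop the router from learning pairs dynamically on the LAN side:
# only the static entries above are used to reach hosts on ether1
/interface ethernet set ether1 arp=reply-only

# Masquerade only the pinned hosts, kept in an address list for easy maintenance
/ip firewall address-list add list=allowed address=10.0.0.5 comment="LAMER"
/ip firewall address-list add list=allowed address=10.0.0.6 comment="Jim"
/ip firewall nat add chain=srcnat src-address-list=allowed out-interface=ether2 action=masquerade

# Detection: log forwarded packets that carry a pinned IP but a different source MAC
# (one rule per pinned host; the src-mac-address matcher is part of /ip firewall filter)
/ip firewall filter add chain=forward src-address=10.0.0.5 src-mac-address=!00:11:22:33:44:55 \
    action=log log-prefix="ip-mac-mismatch"

# One-shot conversion, run before switching to reply-only: promote every
# dynamically learned entry into a static one instead of typing them by hand
:foreach i in=[/ip arp find dynamic=yes] do={
    :local addr [/ip arp get $i address]
    :local mac  [/ip arp get $i mac-address]
    :local ifc  [/ip arp get $i interface]
    /ip arp add address=$addr mac-address=$mac interface=$ifc
}
```

Run the conversion script while the hosts you want to keep are online and have recently talked to the router, then review the resulting static table before enabling `reply-only`; any host learned during that window that should not have access must be removed from `/ip arp` (and from the `allowed` list) by hand.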

In version 2.9 the hotspot can log in a user by MAC address without even showing any login page. Actually, the client will not even notice that there is a hotspot server in the middle.

Just enable login-by=mac in hotspot server profile and add allowed MAC
addresses as hotspot user names. Leave passwords empty. Set
transparent-proxy=no in hotspot user profile for complete transparency.

Clients whose MAC address is not in the user list will get the hotspot login page. This page can be modified to fit any needs (for example, to explain that access is not allowed for him and that he should contact the administrator).

But for the HOTSPOT module I need to buy a higher license, right? :frowning: I want to buy license level 3 for ISP, and use this kind of scheme with access by MAC addresses without the hotspot feature. Can I do this using /ip arp, and manually add IP addresses that are bound to MAC addresses? Will this procedure be effective if I want to deny users that want to change their IP addresses? Hmm… I think NO, because if the user comes with a new NIC into my internal network, he can set up an unused IP address and use the internet with a dynamic entry in the ARP cache /ip arp. Right?

yes, for 200 users you need Level 4

I need level 4 even if I don’t use wireless support and hotspot, for 200 users???

I am going to use MT only for wired network.

Level 3 license allows 1 active hotspot user, level 4 license - 200, level 5 - 500, level 6 - unlimited. It doesn’t matter if you need wireless or not.

About this I know, I have read http://www.mikrotik.com/software.php; the question was another one, but don’t bother, I understand the idea. Thanks.

QUESTION: normis, but how about a new feature in the ARP list, so that we can change a dynamic entry to a fixed entry by just one click, if you understand what I wanted to say???

QUESTION: Can I somehow make a rule that will log MAC addresses that have changed their IP? (It’s for security reasons, so that I can see if a user is trying to download something with another IP than his official one.) Please, if you have a positive answer to this question, reply as quickly as possible to this post… Thank you.

QUESTION: normis, but how about a new feature in the ARP list, so that we can change a dynamic entry to a fixed entry by just one click, if you understand what I wanted to say??? <<

IP binding in the hotspot module does that in 2.9.

The idea is to do this without HOTSPOT, without buying a level 4 license, only on a wired network!