IP and MAC address validation before passing through RouterOS

Hello,
today I'm implementing a solution with 2 Ethernet interfaces bridged inside RouterOS.

One eth is on the public network and the other is in a VLAN network.

I set up a static, MAC-address-based DHCP.

Now the question is:

how may I allow transit only if hosts match exactly the MAC - IP pair they must have?

I want to prevent them from changing their IP manually and transiting through the RouterOS acting as network gateway.

Thanks in advance
Simone

You set up the DHCP server to add ARP entries for leases:

/ip dhcp-server set "DHCP-Local" add-arp=yes

=> the router will add an ARP entry for every DHCP IP address it issues.

Then on the local bridge you set ARP to reply-only:

/interface bridge set "LAN" arp=reply-only

=> This means that the router will reply only to ARP entries already in its table (the ones the router added when it issued an IP address via the DHCP server).

This will not prevent users from adding static IPs in the network, but if they add a static IP they will not be able to reach the default gateway or the internet.

For some extra security you can set the pool in the DHCP server settings to “static-only”. Every time someone wants to connect to your network you change the pool to the “LAN - pool”, make the DHCP lease static and change back to “static-only”, so even if someone you don't want connects to the network they won't get an IP address, and even if they set up a static IP they will not be able to access the internet.

If you want to go even further you can set a /32 mask for every client.

I am already using the config you suggested. :slight_smile:

But as you described, this will not block someone with a manual IP from bypassing the DHCP / router.

Is it not possible to write a dynamic rule somewhere, or to force the ARP table of the router as a check before passing through the gateway?

Like in the little firewall RouterOS has inside, to make a rule referring to the DHCP entry / ARP table entry to check the packets' MAC - IP?

I'm not so skilled in networking, but I think this may be something similar to my target; I think it has to be modified for bridge usage:

http://forum.mikrotik.com/t/firewall-to-validate-ip-matches-mac-address/41737/1

What do you think about it?

How do you set a /32 mask for every client in MT?

By adding as many pools as IPs you have, in the DHCP server's list of available IPs?

Maybe I don't understand what exactly you want to achieve. With this config, if a client sets up a static IP it cannot communicate with the router or the internet. I have this setup on many networks, and the clients cannot access the internet if they set up a static IP.

Under:

IP / DHCP Server / Networks: you choose the network and add the netmask.
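Putting the two answers together (DHCP add-arp, bridge arp=reply-only, the static-only pool and the /32 netmask) as one RouterOS CLI configuration. This is an added example, not configuration posted in the thread; the interface, server and pool names ("LAN", "ether2", "DHCP-Local", "LAN-pool"), the 192.168.10.0/24 addressing and the sample client MAC are assumptions chosen for illustration.

```routeros
# Added example, not from the thread. Names, addresses and the client MAC
# below are assumptions.

# 1. LAN bridge with one assumed port; the router is the clients' gateway.
/interface bridge add name=LAN
/interface bridge port add bridge=LAN interface=ether2
/ip address add address=192.168.10.1/24 interface=LAN

# 2. Address pool and DHCP server. add-arp=yes makes the server insert an
#    ARP entry (MAC <-> IP) on the bridge for every lease it hands out.
/ip pool add name=LAN-pool ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add name=DHCP-Local interface=LAN address-pool=LAN-pool lease-time=1d add-arp=yes disabled=no

# 3. DHCP network. netmask=32 hands each client a /32, so it has no on-link
#    neighbours and every packet, even to the "same subnet", must go via the
#    router, where the ARP check applies. (This is the "Networks" netmask.)
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1 netmask=32

# 4. Static lease: this MAC always gets this IP (constructed sample values).
/ip dhcp-server lease add server=DHCP-Local mac-address=00:0C:29:AA:BB:CC address=192.168.10.101

# 5. The key setting. With arp=reply-only the bridge never learns ARP
#    entries dynamically and answers ARP only for addresses already in its
#    table, i.e. the ones the DHCP server added. A host that configures a
#    static IP (or a different MAC) gets no ARP reply for the gateway and
#    cannot reach the router or the internet through it.
/interface bridge set LAN arp=reply-only

# 6. Optional "extra security" from the answer: hand out addresses only to
#    MACs that have a static lease. Switch back to address-pool=LAN-pool
#    while onboarding a new host, then restore this.
/ip dhcp-server set DHCP-Local address-pool=static-only
```

To check the result, `/ip arp print where interface=LAN` should list exactly one entry per active lease, matching `/ip dhcp-server lease print`. Two caveats a practitioner should keep in mind: a client that already has the gateway's MAC cached will keep working until its own ARP cache expires or it reboots, so test from a freshly booted host; and because the check is the router's ARP table, a host that clones both a leased MAC and its IP is indistinguishable from the legitimate client. This control stops accidental or casual static-IP use from reaching the gateway; it is not an L2 identity check.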

Yes, got it. It's exactly what I was looking for.

I forgot to reboot the test VM to clear the ARP entries between network changes!
Thanks a lot man!!!