LAN MAC Filter?

captainproton · January 25, 2009, 3:52pm

Hey,

is there a way to block a network component with a certain mac address from communicating with a mikrotik router on a LAN interface?

something like “drop all pakets from 001B11BFBE03”

Regards,

Kai

Letni · January 25, 2009, 6:19pm

You are going to want to read up on Firewall rules. Here is a link for the manual.
http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

Here is an example of specifically what you are looking for.

Drops packets with that source mac address destined for somewhere else.
/ip firewall filter add chain=forward src-mac-address=001B11BFBE03 action=drop

Drops packets with that source mac address destined for the router itself.
/ip firewall filter add chain=input src-mac-address=001B11BFBE03 action=drop

-Louis

captainproton · January 27, 2009, 6:20am

that sound like what I was searching for, but it does not work the way I wanted to.

Is that possible?:

I have 2 ADSL Modems on a distant place, they are connected by a switch.
Then there is one (!) line from that place A to B. On side B, I want to have 2 Mikrotik Routers. Each one connecting with a seperate modem on the other side.

Place A Place B

Modem X --, ,—Mikrotik X
Switch---------Switch
Modem Y --’ '—Mikrotik Y

Since I can build multiple PPPoE connections one DSL Line, with the construction above I can not be sure what Mikrotik used which Modem/DSL Line. Or maybe they both use the same.

I used the LAN-Mac filterrule to e.g. prevent Mikrotik X from using Modem Y. But this does not work. Mikrotik X can still connect using Modem Y.

I know, this construction is a litte unusual, but for some reasons, I would like to use tis construction. Maybe someone knows howto…

Letni · January 27, 2009, 3:15pm

Your picture did not come out so well.

Are you trying to achieve bonding or redundancy?

If redundancy then only have one mikrotik connected to one modem and on your lan side use VRRP.
-Louis

Maryan · January 28, 2009, 12:08am

Is it possible to block all MAC’s exept ones i would list manually ? - can it be done with 1 rule and some kind of list ?

Letni · January 28, 2009, 12:54am

After putting some more thought into it, I am thinking what you want is not doable because PPPoE does a broadcast that gets sent out on the interface. Since you have your dsl-modems on the same switch, the broadcast goes to both of them. No way to filter that.
I recommend you restate what your true ultimate goal is, to find the best solution.

-Louis

mrz · January 28, 2009, 6:41am

Is it possible to block all MAC’s exept ones i would list manually ? - can it be done with 1 rule and some kind of list ?

Sure you can. Create bridge interface, add physical interface to bridge and use bridge filters.

captainproton · January 28, 2009, 9:43am

ok, my graphic somehow changed after I posted the message.

What I am trying to do:

we have a remote location (B) where broadband internet is not available. so we connected it via wlan (5 km away) with location (A), where ADSL ia available. That works all well, but now we want a second ADSL Connection.

I would prefere a solution with 2 dsl modems on location A,
and 2 mikrotik routers on location B dailing up with pppoe.

The problem is: you cannot control which mikrotik connects with which modem. It might also be possible that both mikrotik routers dail up using one modem and one adsl line.

I thought, that I could control it with a LAN Mac Filter rule, but this does not work.