Hello,
I’m looking for simple firewall filter rules for giving internet access to known MAC addresses, so that all connected MAC addresses will not have internet access until I add them to the firewall filter… thanks in advance…
Have you tried this:
https://www.youtube.com/watch?v=64Z9WDbcPvU
Thanks for your reply, but I don’t want to use the ARP reply service, because sometimes it makes multiple ARPs and then that will mess up the board. It also reduces the transfer rate because of the low CPU frequency.
You can use static DHCP (convert all leases to static) and block by IP.
Great idea, thanks, but actually it’s a bit easy to find out the IPs… I’m not sure, but I saw somewhere that people use simple firewall rules to allow internet for specific MACs, and unrecognized MACs automatically get denied by the filter, the same way the MAC filter works on normal routers…
Here is the script I use on my DHCP server (DHCP lease script).
It converts all DHCP leases to static leases and logs a message.
# Created Jotne 2019 v1.2
#
# This script converts all DHCP leases to static automatically.
# It should run on all RouterOS versions.
# It is meant to be set as the lease-script of the DHCP server; RouterOS then
# passes $leaseBound, $leaseServerName, $leaseActIP and $leaseActMAC to it.
# Test if this is a Bound event and the lease is a dynamic one. Do not change older reservations.
:if (($leaseBound=1) && ([/ip dhcp-server lease find where dynamic mac-address=$leaseActMAC]!="")) do={
  # Get the lease ID
  :local Lease [/ip dhcp-server lease find mac-address=$leaseActMAC]
  # Get date and time
  :local date [/system clock get date]
  :local time [/system clock get time]
  # Make the lease static
  /ip dhcp-server lease make-static $Lease
  # Add date and time as a comment to show when the device was seen for the first time
  /ip dhcp-server lease comment comment="$date $time" $Lease
  # Send a message to the log
  :log info message="script=dhcp_static server=$leaseServerName IP=$leaseActIP MAC=$leaseActMAC"
}
You can set arp=reply-only on an interface to which the clients are connected, and set the DHCP server to add local arp records for the leased IPs along with lease. This way, the client must first get a DHCP lease (so it must have (or spoof if he knows it!) a proper MAC address to get a static lease with an IP from the permitted range), and only then Mikrotik will send anything back to it as it will not send ARP requests. So the client can spoof its own IP to match the permitted range and send a packet to the internet, but the response will never reach it.
Another way is to use /interface bridge filter instead of or together with /ip firewall filter. To do that, it is necessary that the clients are connected to a bridge, even if that bridge should have just a single slave port. Then, you can either directly drop ingress frames carrying IP packets by src-mac-address and (IP) dst-address after first permitting frames from the same src-mac-address to allowed ranges of dst-address, or you may assign packet-mark to them and use matching on that packet-mark in /ip firewall filter.
If the client manages to guess/sniff a correct MAC address, you’re helpless unless you implement 802.1X on the bridge ports (which is currently only available in the beta/RC channel); in that case, he’ll have to guess/sniff the authentication username and password instead, but unlike the MAC address, these can be changed for the legal users if they leak.
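For reference, the MAC allow-list the original poster asked for can also be written directly in /ip firewall filter, which has a src-mac-address matcher. This is an added example, not a configuration from this thread; it assumes the LAN side is bridge1 and the WAN interface is ether1, and the MAC addresses are placeholders from the documentation range.

```routeros
# Added example: allow only known MAC addresses from the LAN to reach the WAN.
# Assumptions: clients sit on bridge1, the uplink is ether1; MACs are placeholders.
/ip firewall filter
# Return traffic of allowed connections never needs the MAC check
add chain=forward connection-state=established,related action=accept \
    comment="allow replies to existing connections"
# Hand every new LAN -> WAN packet to a dedicated chain so the list is easy to maintain
add chain=forward in-interface=bridge1 out-interface=ether1 action=jump \
    jump-target=mac-allow comment="LAN to WAN: check MAC allow-list"
# One accept rule per known device (take the MAC from the device label or its DHCP lease)
add chain=mac-allow src-mac-address=00:00:5E:00:53:01 action=accept \
    comment="laptop-1 (placeholder MAC)"
add chain=mac-allow src-mac-address=00:00:5E:00:53:02 action=accept \
    comment="printer (placeholder MAC)"
# Anything else on the LAN: log the attempt with a distinctive prefix, then drop it
add chain=mac-allow action=log log-prefix="mac-deny" \
    comment="unknown MAC trying to reach the WAN"
add chain=mac-allow action=drop comment="default deny for unknown MACs"
```

The matcher only sees the MAC of hosts on the same layer-2 segment; anything behind a second router shows that router's MAC instead, and, as noted above, a spoofed MAC still passes, so this pairs best with the static-lease and arp=reply-only advice in the earlier replies.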
If I am not wrong, the 802.1X communication is encrypted, so seeing the username and password should be hard. This can even be combined with a digital certificate.