Hi, I am a newbie and I have a Mikrotik series 100…routerboard.
I have transparently bridged the first two interfaces (eth1 and eth2) of the router.
What I want to do is to allow connections from a static MAC address list to pass through, and BLOCK ALL the OTHER MAC addresses…
It seems I have tried everything!!!
Is it so difficult…???
Please HELP me !!!
You must use ARP!
In configuration of interface ARP=reply-only
In /IP ARP
Fasten up IP with MAC on specific interface (bridge)
I'm using ric/522, bridge-interface.
All my interfaces are:
bridge
ethernet
wlan
This device has a local IP address. In order to bind all my clients' real IPs with their MACs I have to use IP/ARP, let's say 80.220.80.220 00:e0:c3:c4:13:bf on the bridge interface, and after that I have to set the bridge ARP to reply-only.
My question is: will my link work properly? Don't I also have to add some other local IPs to ARP on the bridge or something? I fear that if I set the bridge ARP to reply-only my link will break if I leave it the default way it is.
Thanks for reply
Simple:
```
/ interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE    RX-RATE  TX-RATE  MTU
 0  R public   ether   0        0        1500
 1  R local1   ether   0        0        1500
 2  R local2   ether   0        0        1500
 3  R bridge   bridge  0        0        1500

/ interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE  BRIDGE  PRIORITY  PATH-COST
 0    local1     bridge  128       10
 1    local2     bridge  128       10

/ ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #    ADDRESS            NETWORK        BROADCAST      INTERFACE
 0    80.220.80.220/28   80.220.80.208  80.220.80.223  public
 1    192.168.0.1/23     192.168.0.0    192.168.1.255  bridge
```
Your users have addresses from network 192.168.0.0/23. Some users are connected to local1, some to local2. When you set arp=reply-only and add addresses (if you set this up from that local network, first add your MAC to the list)
```
/ ip arp print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
 #    ADDRESS        MAC-ADDRESS        INTERFACE
 0    192.168.0.5    00:0A:6A:4B:12:01  bridge
 1    192.168.0.25   00:0A:6A:4B:12:02  bridge
 2    192.168.1.250  00:0A:6A:4B:12:03  bridge
```
Only that IP with that MAC can access throughout bridge (local1 and local2) and access to the router (network, internet,…)!
Regards,
Mladen
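A pre-flight check for the static list described above, as an added example that is not part of the original post: it parses `/ip arp print` output in the format shown in this thread and compares it with the intended IP-to-MAC bindings before `arp=reply-only` is switched on. The three bindings are the ones from the post; the observed table, the finding labels and the function names are constructed for illustration.

```python
import re

# One row of `/ip arp print`: index, optional flag letters, IP, MAC, interface.
ROW = re.compile(
    r"^\s*\d+\s+(?P<flags>[XIHD]*)\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<iface>\S+)\s*$"
)

def parse_arp_print(text):
    """Return ARP rows as dicts; header and 'Flags:' lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"ip": m["ip"], "mac": m["mac"].upper(),
                         "iface": m["iface"], "dynamic": "D" in m["flags"]})
    return rows

def audit(rows, bindings, iface):
    """Compare observed rows on `iface` with the intended IP -> MAC bindings."""
    listed_macs = set(bindings.values())
    findings = []
    for r in rows:
        if r["iface"] != iface:
            continue
        want = bindings.get(r["ip"])
        if want is None:    # IP is not on the list at all
            kind = "mac-moved" if r["mac"] in listed_macs else "unlisted"
        elif want != r["mac"]:    # a listed IP answered from another MAC
            kind = "ip-taken"
        elif r["dynamic"]:    # correct pair, but no static entry exists yet
            kind = "not-static"
        else:
            continue
        findings.append((kind, r["ip"], r["mac"]))
    return findings

# Bindings taken from the post; OBSERVED is a constructed sample table.
BINDINGS = {"192.168.0.5": "00:0A:6A:4B:12:01",
            "192.168.0.25": "00:0A:6A:4B:12:02",
            "192.168.1.250": "00:0A:6A:4B:12:03"}
OBSERVED = """Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
 #   ADDRESS         MAC-ADDRESS       INTERFACE
 0   192.168.0.5     00:0A:6A:4B:12:01 bridge
 1 D 192.168.0.25    00:0A:6A:4B:12:02 bridge
 2 D 192.168.1.250   00:0A:6A:4B:12:99 bridge
 3 D 192.168.0.77    00:0A:6A:4B:12:03 bridge
 4 D 192.168.0.90    02:00:00:00:00:01 bridge
"""

if __name__ == "__main__":
    for finding in audit(parse_arp_print(OBSERVED), BINDINGS, "bridge"):
        print(*finding)
```

A `not-static` or `unlisted` row for your own management station or the upstream gateway means the router stops resolving that host once `arp=reply-only` is set, so add the static entry first.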
Mladen, I will show my pretty close to default configuration; I would really appreciate it if you could help me with it. I have seen several examples and manuals where there are 2 or more ethernet interfaces, but what if I have only 1 and am using this stuff:
```
 #    NAME              TYPE    RX-RATE  TX-RATE  MTU
 0  R ether1            ether   0        0        1500
 1  R wlan1             wlan    0        0        1500
 2  R bridge-interface  bridge  0        0        1500
 3 DR wds1              wds     0        0        1500

Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE  BRIDGE            PRIORITY  PATH-COST
 0    ether1     bridge-interface  128       10
 1    wlan1      bridge-interface  128       10
 2  D wds1       bridge-interface  128       100

Flags: X - disabled, I - invalid, D - dynamic
 #    ADDRESS           NETWORK       BROADCAST       INTERFACE
 0    192.168.20.15/24  192.168.20.0  192.168.20.255  ether1
 1    192.168.61.15/24  192.168.61.0  192.168.61.255  wlan1

Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
 #    ADDRESS         MAC-ADDRESS        INTERFACE
 0  D 192.168.20.254  00:0C:CE:95:54:BF  bridge-interface
```
(192.168.20.254 is my local wireless gateway and MikroTik automatically adds it to ARP)
(and at the moment the setting is “arp=enabled”)
And I'm giving REAL IPs to the clients, and now the network is very insecure: people can change IPs and one guy can steal internet from another. I'm trying to make it somehow better. I will get some extra devices in a week and will try to do some testing; at the moment I can't do that, and faster information would help me a lot.
And yes, I've tried to look at search and did find some information similar to this, but it didn't fit me, or maybe my knowledge is poor and I have to learn a lot of stuff. I'm trying to do that; just some random newbie could use help now. Of course you did help me already and I will try to study your previous post more (testing it myself); still, it was the most accurate information I have found so far, thanks for it.
Thanks again for the reply, if you still want to reply of course.
I don’t understand what you are telling me (from the configuration print).
You are bridging all your interfaces.
I never do that… I don’t have WDS links… My network is based on AP/client wireless!
I never make my MT a SWITCH.
I always have one public interface with an IP, and that interface is connected to some gateway with a static route! Then I make bridges, EoIP tunnels, APs with different subnets, static or dynamic routing…
In some way I think that I understand you. You want a TRANSPARENT WDS NETWORK.
I have a solution for that… But I don’t know how stable it is… The solution is from my head.
What do you mean when you say REAL IP?
Public Ip address… like 64.233.183.103, 64.233.183.104, …
or local addreses… like 192.168.1.1, 192.168.2.15, …
?
I mean I put local IP addresses on the wlan and ethernet interfaces in the MikroTik, and real IPs (yep, public ones) on the clients' PCs. I will try to do some testing today and will tell how it goes.
edited:
Yep, it doesn't work as easily as I thought. If I bind a static real IP with a MAC to the bridge interface and set “reply-only” on it, it stops working.
Maybe you have some suggestion for how I could bind a static real IP with a MAC on the MikroTik? Or is there no way to do it with the current MikroTik device I have? I understand I could put an L2 switch or some server after the MikroTik and it would be fine, but the MikroTik seems a kinda cool device; perhaps there is a way to do this in the device itself somehow.
Either way, I've stopped my testing, because I don't want to do a lot of testing on working links. I will do some testing on non-working links when my new devices arrive. I'm also thinking maybe I will stop using the bridge or something if there is no way to bind a static real IP with a MAC on the bridge thingy.