MAC address filtering

hello,

As I said in the subject, it is about filtering by MAC addresses. I need to make the router inaccessible to all except a few machines, and I want to do that by MAC filtering. So nothing can access the router, and nothing can access anything behind the router, if the MAC address does not match an allowed one. Can anyone tell me how to do this?

bye

:wink:

Keep in mind that people can get around this by faking their MAC address.

Bridge > Filters > New
chain forward, in interface ether1, src mac, action drop

Repeat for input chain.

Hi,

Thanks for reply!
Isn’t this for restricting access for some MAC addresses? What I need is allowing MAC access. Something similar to MAC access on wireless, just I need to apply it on ADSL, 3G, etc… I mean on access from outside. Something like a MAC firewall where access will be possible only for allowed MAC addresses and disallowed for everything else. I hope that you understand what I mean…

bye

:wink:

So use the same concept but instead of drop, accept. Further down drop everything else.
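The allow-then-drop bridge filter described above, written out as RouterOS CLI rules. This is an added example, not code from the thread; the bridge port ether1 and the two MAC addresses are assumed placeholders.

```routeros
# Added example (not from the thread). Assumes ether1 is a port of an existing
# bridge and that 02:00:00:00:00:01 / 02:00:00:00:00:02 are the permitted stations
# (constructed locally-administered addresses, not real devices).
/interface bridge filter
# Allowed stations first: one accept rule per permitted source MAC on each chain.
# "forward" covers frames passing through the bridge, "input" covers frames to the router itself.
add chain=forward in-interface=ether1 src-mac-address=02:00:00:00:00:01 action=accept comment="PC A: transit"
add chain=input   in-interface=ether1 src-mac-address=02:00:00:00:00:01 action=accept comment="PC A: to router"
add chain=forward in-interface=ether1 src-mac-address=02:00:00:00:00:02 action=accept comment="PC B: transit"
add chain=input   in-interface=ether1 src-mac-address=02:00:00:00:00:02 action=accept comment="PC B: to router"
# Rules are evaluated top-down, so the catch-all drops must come after the accepts.
add chain=forward in-interface=ether1 action=drop comment="drop all other transit from ether1"
add chain=input   in-interface=ether1 action=drop comment="drop all other router-bound frames from ether1"
```

Check the resulting order with `/interface bridge filter print` before closing your current session, since the drop rules apply to your own management traffic on that port too; note that this only sees frames on bridge ports, so it cannot decide anything about hosts on the far side of a routed hop.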

Thanks for reply. I will try this. I hope it will work on 3G connection too.

bye

:wink:

hello,

this does not work… I can put in anything I want but there is no change… everything can access everything. :frowning: Also, I think that this is only for internal traffic. Are there any more ideas on how to do this?

bye

Have you tried going to the interface and selecting ARP: reply-only, and in the ARP list putting all the MAC addresses you would like to work with?

That will work.

One more thing… be careful to put your own MAC address first, so you don’t get kicked out of the router forever.

hmmm… this works, but still no luck with outside logins. This works in the local network which is behind the router. My router is connected to the internet via a 3G modem and I cannot set ARP for that interface. I need this to prevent unwanted access to the router from outside but to make it accessible from one external PC. For example: I can log in to the router because my MAC is allowed, but you cannot because your MAC is not listed. I need something just like a standard firewall but with MACs. I really don’t know how to do this, or maybe it is impossible.

bye

If it’s from outside for administrative access on a 3G interface, filtering by MAC address makes no sense. You’re unlikely to connect directly to the 3G interface, and MAC addresses get rewritten by layer 3 hops, so you would need to filter by source IP (possibly combined with port knocking, if that IP is dynamic).

Just to ensure we’re understanding you right, can you do a quick network diagram of what your layout is and what you’re trying to accomplish?

Here is a simplified network diagram. On the diagram you can see, for example, two external PCs, and one can access my MikroTik router and the other cannot. Is it possible to make it like that? It does not need to be filtered by MAC address exactly. If this is not possible, please suggest what I should do to avoid unwanted flooding of my router with login attempts and similar things.

bye
Drawing2.jpg

If there is just one other router between the 3G modem and the machines administratively accessing the router behind the 3G modem, you CANNOT filter by MAC address. How TCP/IP works makes that absolutely impossible. Since you have the Internet between the two, that’s more than one router.

So the next question is: what source IP address does the router behind the 3G modem see PC1 and PC2 as having? Are they both the same? In that case you cannot meaningfully differentiate between the two and cannot permit access to one and categorically deny a login prompt to the other. If they have different source IPs (PC1 and PC2 are either not NAT’d by the router, or get NAT’d to different IP addresses) you can filter administrative access by IP address. If you don’t know the answer to that question, go to both PCs and load http://whatismyipaddress.com in a browser and compare the results.

If they do have the same source IP, you can look up port-knocking on the wiki and use the concept to just allow a PC with that source IP address to connect to a particular secret sequence of ports in order to open up the firewall administrative access for a short timeframe (one or two minutes) - but still, during that timeframe any PC with that source IP address would get a login prompt. However, that’s a somewhat advanced concept and can be a hassle to use, so you may be better off just living with the fact that all PCs behind the router on the left hand side of your graphic will get a login prompt. Use decent passwords and non-obvious usernames and that shouldn’t be too much of a problem.

To bring MAC address information to your firewall you’ll need to encapsulate layer 2 in TCP or UDP. Use GRE or EoIP or VPLS between the two networks to bridge them together.

http://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks_using_MPLS
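The source-IP filtering and port-knocking approach described in the post above, written as a RouterOS firewall script. This is an added example, not code from the thread or from the MikroTik wiki; the 3G interface name ppp-out1, the static admin address 203.0.113.10 and the knock ports 11111 and 22222 are assumed placeholders.

```routeros
# Added example (not from the thread). Assumes the 3G modem appears as interface
# "ppp-out1", that 203.0.113.10 is the admin's fixed public IP (documentation
# address used as a placeholder), and that 11111/22222 are the chosen knock ports.
/ip firewall address-list
# Admin with a static IP: a permanent entry, no knocking needed.
add list=admin-allowed address=203.0.113.10 comment="static admin IP"

/ip firewall filter
# Keep replies to connections the router itself opened, and already-open sessions, working.
add chain=input in-interface=ppp-out1 connection-state=established,related action=accept
# Knock step 1: a SYN to TCP/11111 records the sender for 15 seconds.
add chain=input in-interface=ppp-out1 protocol=tcp dst-port=11111 action=add-src-to-address-list address-list=knock-stage1 address-list-timeout=15s comment="knock 1"
# Knock step 2: a SYN to TCP/22222 from a stage-1 sender grants admin access for 2 minutes.
add chain=input in-interface=ppp-out1 protocol=tcp dst-port=22222 src-address-list=knock-stage1 action=add-src-to-address-list address-list=admin-allowed address-list-timeout=2m comment="knock 2"
# Management ports (SSH 22, WebFig 80, Winbox 8291) are accepted only from the allow list.
add chain=input in-interface=ppp-out1 protocol=tcp dst-port=22,80,8291 src-address-list=admin-allowed action=accept comment="admin from allow list"
# Everyone else hitting management ports is dropped, so they never see a login prompt.
add chain=input in-interface=ppp-out1 protocol=tcp dst-port=22,80,8291 action=drop comment="drop other admin attempts"
```

As the post notes, during the 2-minute window every host that shares the knocking source IP (for example, everything behind the same NAT) will get a login prompt, so strong credentials still matter; apply the rules from Safe Mode or with a second session open, and confirm with `/ip firewall address-list print` that your own address is listed before relying on the drop rule.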

Thanks a lot fewi. This last explanation really helps me to understand it.

bye

:wink:

Thanks for reply.

bye :wink:

Is MAC filtering only possible in a bridge?

What about those who don’t use a bridge, as a bridge has its own set of problems?