I want to prevent wireless and cable clients from changing their IP to someone else’s. I know how to do it on the gateway (Linux, not MT), but I want to have it on the MikroTik access points as well.
Bridged network, WDS; all interfaces on the MikroTiks are in bridge1.
Let’s say a client with MAC 00:11:22:33:44:55, who usually has IP 192.168.5.20, changes his IP to the SAME AS THE GATEWAY, 192.168.5.1.
All clients in this network have no internet.
I want to block him not only on the main router/gateway but also on the AP. Where should I set static ARP? On the bridge1 interface or on wlan1? If I set it on the wlan1 interface, then all traffic from that client can’t get to the bridge, yes? But will all clients on the same wlan1 still have no internet?
If you aren’t using the MT as the gateway, static ARP will not help.
First, be sure you turn “default forwarding” off for your wireless interfaces, to prevent the clients from directly communicating.
Then, in the firewall, create rules to drop packets that don’t match your intentions:
/ip firewall filter add chain=forward in-interface=bridge1 out-interface=bridge1 src-mac-address=!00:ff:11:ee:22:dd src-address=192.168.5.1 action=drop
/ip firewall filter add chain=forward in-interface=bridge1 out-interface=bridge1 src-mac-address=00:11:22:33:44:55 src-address=!192.168.5.20 action=drop
Where 00:ff:11:ee:22:dd is the legitimate MAC address of your gateway, and the other numbers are per your example.
The first rule will drop any packet claiming to be from 192.168.5.1, but not coming from the gateway’s MAC. The second will drop any traffic from your troublemaker’s MAC, unless it comes from 192.168.5.20.
–Eric
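An added example, not part of the reply above: a Python helper that generalizes the two rules to a table of MAC/IP bindings and prints the RouterOS commands in the same syntax the reply uses. The `BINDINGS` table, the `is_gateway` flag and the function names are assumptions made for illustration; the gateway is exempt from the second rule because its MAC legitimately carries routed packets with other source addresses. It also assumes bridged traffic is handed to the IP firewall (`/interface bridge settings set use-ip-firewall=yes`).

```python
import ipaddress
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

# Constructed sample table using the thread's values: (MAC, allowed IP, is_gateway).
BINDINGS = [
    ("00:ff:11:ee:22:dd", "192.168.5.1", True),
    ("00:11:22:33:44:55", "192.168.5.20", False),
]


def normalize(mac, ip):
    """Validate one binding and return it in lowercase / dotted-quad form."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    # IPv4Address raises a ValueError subclass on malformed input.
    return mac, str(ipaddress.IPv4Address(ip.strip()))


def build_rules(bindings, bridge="bridge1"):
    """Return drop rules pinning each IP to its MAC and each client MAC to its IP."""
    base = (f"/ip firewall filter add chain=forward "
            f"in-interface={bridge} out-interface={bridge}")
    owner_of_ip, ip_of_mac, rules = {}, {}, []
    for raw_mac, raw_ip, is_gateway in bindings:
        mac, ip = normalize(raw_mac, raw_ip)
        # A MAC or IP listed twice would produce rules that contradict each other.
        if ip in owner_of_ip or mac in ip_of_mac:
            raise ValueError(f"duplicate binding for {mac} / {ip}")
        owner_of_ip[ip], ip_of_mac[mac] = mac, ip
        # Nobody except the owner may send with this source IP.
        rules.append(f"{base} src-mac-address=!{mac} src-address={ip} action=drop")
        # The gateway's MAC carries routed packets with foreign source IPs,
        # so only client MACs are pinned to a single source address.
        if not is_gateway:
            rules.append(f"{base} src-mac-address={mac} src-address=!{ip} action=drop")
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(BINDINGS)))
```

With the sample table, the first and third generated lines are the two rules from the reply; the second additionally pins 192.168.5.20 to the client's MAC.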