Mac filtering on RB750

Hello. First of all, sorry for my poor English.

I have a MikroTik RB750 router and a WAP4410N wireless access point, and need to configure the MikroTik so that only people with allowed MAC addresses can connect to the wireless network. I can do this through Cisco's MAC filtering, but it is limited to 20 clients, so I would like to do it on the MikroTik.

On ether1 I have internet over PPTP
ether2: wired client
ether3: Cisco WAP4410N wireless access point
ether4, 5: wired clients

Here’s my config

# jan/25/2017 11:48:57 by RouterOS 6.38.1
# software id = G0WL-2VCL
#
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/interface pptp-client
add add-default-route=yes connect-to=vpn.***.ru disabled=no name=pptp-out1 \
    password=***** user=*****
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 name=dhcp1
/ip address
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established in-interface=\
    pptp-out1
add action=accept chain=input connection-state=related in-interface=pptp-out1
add action=drop chain=input in-interface=pptp-out1
add action=jump chain=forward in-interface=pptp-out1 jump-target=customer
add action=accept chain=customer connection-state=established
add action=accept chain=customer connection-state=related
add action=drop chain=customer
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pptp-out1
add action=masquerade chain=srcnat out-interface=ether1
/ip upnp interfaces
add interface=ether1 type=external
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
add interface=ether5 type=internal
/system clock
set time-zone-name=Europe/Moscow

You can only filter packets at layer 2 when they pass through a bridge. So you need to set the master-port of ether3 to none, and create a bridge.

IP > Interface, edit ether3, set master-port = none

Bridge > add bridge, name = bridge1

Go to the ‘Ports’ tab, add ether2 to bridge1. Then add ether3 to bridge1.

IP > Addresses, change your LAN IP from ether2 to bridge1
IP > DHCP Server, change your DHCP Server to bridge1

Then go to the Filters tab. Add a rule: chain=forward, in-interface=ether3, action=drop. This is the ‘default’ rule; it’ll drop all packets. Then add a rule for each MAC you wish to allow: chain=forward, src-mac=xxx, action=allow. These rules must be above the default rule.

If your Cisco AP has a MAC, add that too.
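The same steps as RouterOS 6.x terminal commands, an added example that is not part of the thread. The interface, pool and address values come from the posted config; the MAC addresses are placeholders to be replaced with the real client and AP addresses.

```routeros
# Added example, not from the thread: bridge ether2+ether3 and allow only
# listed source MACs in from the AP port. MAC addresses are placeholders.

# 1. Take ether3 out of the hardware switch group so frames reach the bridge
/interface ethernet
set [ find default-name=ether3 ] master-port=none

# 2. Software bridge with the LAN port and the AP port
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

# 3. Move the LAN address and DHCP server from ether2 to the bridge
/ip address
set [ find address="192.168.88.1/24" ] interface=bridge1
/ip dhcp-server
set [ find name=dhcp1 ] interface=bridge1

# 4. Bridge filter: accept rules first, default drop last.
#    chain=forward covers frames going from ether3 to other bridge ports;
#    chain=input covers frames addressed to the router itself (DHCP, DNS,
#    and anything routed out to the internet), so both chains get the list.
/interface bridge filter
add chain=forward in-interface=ether3 src-mac-address=AA:BB:CC:DD:EE:01 \
    action=accept comment="AP management (placeholder MAC)"
add chain=forward in-interface=ether3 src-mac-address=AA:BB:CC:DD:EE:02 \
    action=accept comment="allowed wifi client 1 (placeholder MAC)"
add chain=forward in-interface=ether3 action=drop comment="default drop"
add chain=input in-interface=ether3 src-mac-address=AA:BB:CC:DD:EE:01 \
    action=accept comment="AP management (placeholder MAC)"
add chain=input in-interface=ether3 src-mac-address=AA:BB:CC:DD:EE:02 \
    action=accept comment="allowed wifi client 1 (placeholder MAC)"
add chain=input in-interface=ether3 action=drop comment="default drop"
```

Check hits with /interface bridge filter print stats: a drop counter that climbs while an allowed client has no connectivity usually means its MAC was typed wrong or the rule sits below the default drop.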

Thanks for the reply.
Did everything according to your instructions…

  1. Cannot get access to Cisco’s web interface (added the access point’s MAC to the rule as you had advised)
  2. Wireless clients do not have access to the internet

Maybe backtrack a little.

If the AP is plugged into ether2, do WiFi clients have internet? If not, then there is something wrong with the bridge setup.

If ether2 works fine, then confirm ether3 is in a bridge with ether2. Delete your filter rules; does WiFi work?