Matching MAC and IP in firewall

Hello.
I was trying to match the IP address and the MAC address in the firewall, but I have not been able to do it.
I just set up the following:
firewall / General / Chain forward
firewall / General / Src Address 192.168.200.21 (it is an example)
firewall / Advanced / MAC address 00:0E:41:52:A4:B8

But when I set the last line, the firewall rejects packets from this machine.
Maybe this is not the way to match the MAC address and the IP address.

Please, I would appreciate any help from you.
Ivan Perino
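The three Winbox settings above, written out as terminal commands so the whole rule set is visible. This is an added example for the thread, not Ivan's actual configuration: it reuses the IP and MAC quoted in the question, and the log-prefix text is my own. The accept rule must sit above the drop rules, since the firewall stops at the first match.

```routeros
# Added example, not the poster's configuration. The address and MAC are
# the ones quoted in the question; the log-prefix text is an assumption.
/ip firewall filter
# forwarded traffic from this host is accepted only when IP and MAC match
add chain=forward src-address=192.168.200.21 src-mac-address=00:0E:41:52:A4:B8 \
    action=accept comment="192.168.200.21 bound to 00:0E:41:52:A4:B8"
# the same IP arriving from any other MAC is logged, then dropped
add chain=forward src-address=192.168.200.21 action=log \
    log-prefix="ip-mac-mismatch" comment="192.168.200.21 from another MAC"
add chain=forward src-address=192.168.200.21 action=drop \
    comment="192.168.200.21 from another MAC"
```

One caveat when matching on src-mac-address: the MAC the firewall sees is the sender on the router's own segment. Traffic that reaches the router through another router or a non-transparent hop carries that hop's MAC, so these rules only make sense on the interface where the clients are directly attached. The log rule is what turns the "IP duplicated" complaints into a router log line with the offending MAC.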

hmmm.. firewall / Action - what action do you set? :slight_smile:

sorry, the action is ACCEPT
I have not shown the entire configuration, but it has been working well for months.
The point is that I want to match (in the firewall) by IP address and MAC address too.
I will tell you the problem.
Clients change their IP just to see what happens, and a lot of IP DUPLICATED messages appear on clients who have the same IP address.
I thought that if I could check which MAC belongs to such an IP address, I could deny access for these issues.
THANKS (sorry if my English is not as good as you might expect)

Hi All!

If somebody has an extended idea about the same problem, and the modification can be taken from a common place (web, MikroTik, etc.), please share his/her ideas, because I have the same problem.

I have an idea with the ARP table. If I can modify the ARP table of MikroTik by a script, then it is a possible idea.

THANKS

this script makes all dynamic ARP table entries static, if there is no other entry with such a MAC

# make every dynamic ARP entry static, unless a static entry with the same MAC already exists
:local dmac
:local smac
:local dip
:local exist
:foreach i in [/ip arp find dynamic=yes] do={
  :set exist false
  :set dmac [/ip arp get $i mac-address]
  :set dip [/ip arp get $i address]
  # look for a static entry that already carries this MAC
  :foreach j in [/ip arp find dynamic=no] do={
    :set smac [/ip arp get $j mac-address]
    :if ($dmac=$smac) do={
      :set exist true
    }
  }
  # no static entry for this MAC yet: copy the dynamic one as a static entry
  :if ($exist!=true) do={
    :log info ("Adding ARP entry with MAC " . $dmac . " and IP " . $dip)
    /ip arp add copy-from=$i
  }
}

Please, can you explain what that script does?

this script makes all dynamic ARP table entries static

=)

for example, if you have a new user, he sets/receives his new address via DHCP, and it is added to the ARP table as a dynamic record. then this script makes that record static. but when your old user changes his IP address, the script will not add another static ARP entry with the same MAC

well, if you do not need control of ‘duplicate’ MAC addresses, at least in v3 you may use the following command to convert all dynamic entries to static:

:foreach i in [/ip arp find dynamic=yes] do={ /ip arp add copy-from=$i }
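The one-liner above, completed into the usual MikroTik IP-to-MAC binding setup. This is an added example, not part of the thread and not Chupaka's script: it goes one step further than the thread by switching the LAN interface to arp=reply-only after the conversion, so the router stops learning new (IP, MAC) pairs and only talks to the bound ones. The interface name "ether2" is an assumption, and the :foreach uses the v4+ "in=" syntax (v3, as in the thread, writes "in [...]").

```routeros
# Added example, not from the thread. "ether2" is an assumed LAN port name.
:local lan "ether2"
:local mac
:local ip
:local n 0
# 1. freeze every address the router currently knows on the LAN port,
#    skipping MACs that already have a static binding (one IP per MAC,
#    the same rule as the script earlier in the thread)
:foreach i in=[/ip arp find dynamic=yes interface=$lan] do={
  :set mac [/ip arp get $i mac-address]
  :set ip [/ip arp get $i address]
  :if ([:len [/ip arp find dynamic=no mac-address=$mac]] = 0) do={
    /ip arp add address=$ip mac-address=$mac interface=$lan comment="bound by script"
    :set n ($n + 1)
  }
}
:log info ("Bound " . $n . " dynamic ARP entries on " . $lan)
# 2. stop learning: with reply-only the router uses only the static table,
#    so a client that moves to an IP bound to another MAC gets no replies
/interface ethernet set [find name=$lan] arp=reply-only
```

Run step 1 a few times over a normal day before enabling step 2, so that every legitimate host has been seen and bound; anything not in the static table is unreachable once reply-only is on. If the router is also the DHCP server on that port, set add-arp=yes on the DHCP server so new leases get their ARP entry automatically instead of waiting for the script.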

Hello,

mine is v5.7, you are a genius and your solution worked for me on old MikroTik v2.9, but I am not able to see it working on 5.7

Please help me

Thanks,
sathish

what solution? what exactly doesn’t work? what error do you see when you paste the script to Terminal?

only one IP is being added, I had more than 500 IPs

Thanks,
Sathish

and nothing in Terminal?..

I can't access the terminal, sir, I am getting “serial port already used by Serial Console (6)”

I tried to disable Special Login under the System menu in WinBox, but I can't find it; even over SSH and Telnet I am getting the same error

my ROS is 3.22, please help me disable this so that I can get the terminal config and paste it here

Thanks,
Sathish

(O_o)

just open WinBox and press ‘Terminal’ in left-side menu

p.s. a screenshot?..

please help me

Thanks,
Sathish

yep, seems like ‘Special Login’ feature

But,
I can't see a Special Login menu under System; I searched the whole System menu but can't find it

Thanks,
Sathish

haha, in old versions it's available only via the CLI :smiley:

/special-login print

create another user with full access, use terminal under another name :slight_smile:

Hello,

Chupaka, you are just great, and I'm giving karma

I want one more bit of support, please help me. In my network I am introducing RADIUS Manager with Hotspot. I would like the hotspot login auto-redirect for the desired pool only, but it's working for all the hosts who are connected to my network.

I don't want this, and I don't want to use user bypass in the hotspot menu.

Please tell us if there is any chance to work this out.

Thanks,
Sathish

sorry, I don’t work with Hotspots :slight_smile: