More secure DHCP Server.

mortin · May 30, 2005, 8:52am

Hello everyone
My conf :
inteface 1 : DSL
inerface 2 : LAN
out-interface=dsl action=masquerade

Im tryging to make more secure my lan network with dhcp server.

I added in firewall forward chain all my clients src-macs with action=accept.
Example : src-mac-address=00:00:00:00:00:00 action=accept

The last rule in firewall is: action=drop.

Above solution doesnt work
In Mikrotik docs I read that the order/sequence is valid firewall chains.

Why it dosent work ?
Thank you for any suggestions !

andrewluck · May 30, 2005, 9:12am

You haven’t told us what doesn’t work when you put these rules in. e.g. is all traffic blocked?

Did you specify an input interface for the rules based on source MAC address?

Regards

Andrew

mortin · May 30, 2005, 9:25am

Hello
Thx for replay

You haven’t told us what doesn’t work when you put these rules in. e.g. is all traffic blocked?
The last rule blocks the all foward traffic to users.

Did you specify an input interface for the rules based on source MAC address?
I dont get it. What do you mean input interafce ? input chain ?
I put all rules in firewall forward chain with src-mac addresses of my clients.

Regards
Mortin

andrewluck · May 30, 2005, 10:25am

Mortin

So, none of the MAC address rules are being matched and all traffic falls through to the final deny rule?

Are these wireless users? Access Points can modify the source MAC address.

You need to specify the Input Interface in each of your rules because the Forward chain applies to all traffic traversing the router. This will result in all traffic from the Internet interface being dropped as the source MAC address will not match.

e.g.

/ip firewall rule input
in-interface=Internal src-mac-address=00:00:00:00:00:01 action=accept

Regards

Andrew

mortin · May 30, 2005, 10:51am

Thx Andrew for replay :
So, none of the MAC address rules are being matched and all traffic falls through to the final deny rule?

The MAC addresses are matched. I can see it in winbox. The rules in forward chain with src-mac are mached - there is a transfer/packages flow.

Are these wireless users? Access Points can modify the source MAC address.
No. It is wired lan. No ap.

You need to specify the Input Interface in each of your rules because the Forward chain applies to all traffic traversing the router. This will result in all traffic from the Internet interface being dropped as the source MAC address will not match.
/ip firewall rule input
in-interface=Internal src-mac-address=00:00:00:00:00:01 action=accept

I tested it.
For one user added above rule in input chain
it didnt help

Regards
Martin.

mortin · May 30, 2005, 11:09am

I think I solved the problem.

The deny rule in forward chain should be set up “in-interace=lan” in my case.
Before I set up on in-interface=all. That was the reason of blocking the transfer.