Is there a way to set up a 450G box with 5 ports to only allow specific MAC addresses without using it as a router? I just want traffic to come in on port 2 and exit on port 1, but let clients pull DHCP addresses from the local subnet attached to port 1, if their MAC address is approved.
Never tried it, but the switch chipset in the 450G allows you to write rules:
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Rule_Table
You'd have rules for the allowed MAC addresses matching on port ether2 and src-mac address and an action of new-dst-ports=ether1 (permit the explicitly allowed hosts behind ether2 to pass traffic to ether1), followed by a rule matching on port ether1 and an action of new-dst-ports=ether2 (permit all traffic from ether1 back to ether2) and then a last rule matching on port ether2 and an action of new-dst-ports="", forcing a drop of all remaining packets coming from ether2 to ether1.
You’re limited to between 8 and 32 rules depending on matchers used, I’m not sure how many you could fit matching on both port and source MAC address.
If that doesn’t work, it might be possible to add both routed ports to a bridge and enable the IP firewall. But the IP firewall can only match on src-mac-address - the only traffic that could flow from ether1 to ether2 would be for connections that have statefully been established from behind ether2. You could work around that by assigning static DHCP leases to clients behind ether2 and using address lists, but anyone assigning themselves a static IP in that range could then circumvent your filter.
Hope that helps. There may be other options.
Should be able to do it with switch chip… But bridge filter would be really easy. Prolly won't get gigabit with bridge filter, though.
I am looking at it via winbox now, and understand the concept. Can you provide sample rule(s) that allow all traffic to pass from a specific MAC address to port 2 and be redirected out port 1?
Does the rule limitation mean I can only create up to 32 matching rules by MAC address? Is there a workaround if that is the case? I could see needing up to 100 rules.
This is for a wireless project. Turns out the APs that will be used do not have a central management tool to restrict access by MAC addresses, so I want to run them all through the 450, keeping them on the same subnet as the rest of the network. A hotspot would be much easier, but I need to eliminate user logins for this setup.
if you need 100 rules - use bridging + bridge filter (yep, you don’t need IP firewall)
Yeah, no workaround for the 32 rules on the chipset. No point trying if it isn’t going to scale.
/interface bridge
add name=bridge1
/interface bridge port
add interface=ether1 bridge=bridge1
add interface=ether2 bridge=bridge1
/interface bridge filter
# anything arriving on the trusted side (ether1) may be forwarded
add chain=forward in-interface=ether1 action=accept
# one accept rule per approved client MAC address
add chain=forward src-mac-address=aa:bb:cc:dd:ee:fe action=accept
add chain=forward src-mac-address=aa:bb:cc:dd:ee:ff action=accept
# everything else (unapproved MACs coming from ether2) is dropped; keep this rule last
add chain=forward action=drop
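For the 100-client case raised above, here is an added example (not code from the thread or from MikroTik) that generates the bridge-filter allowlist in the order the reply above relies on and includes a small first-match simulator to confirm that an unlisted MAC from ether2 ends in the drop rule. It assumes RouterOS v6-style bridge filter syntax, uses constructed MAC addresses, and the names build_rules, render_script and decide are my own.

```python
"""Build a RouterOS bridge-filter MAC allowlist and check its rule order."""
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
ALL_ONES = "ff:ff:ff:ff:ff:ff"   # exact-match mask, as in the rules above

def normalize_mac(mac):
    """Accept aa-bb-.. or AA:BB:.. forms; reject anything malformed."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac

def build_rules(allowed_macs, trusted="ether1", clients="ether2"):
    """Ordered 'add' commands: trusted-side accept, one accept per approved
    client MAC (deduplicated), then the catch-all drop, which must stay last."""
    rules = [f"add chain=forward in-interface={trusted} action=accept"]
    for mac in sorted({normalize_mac(m) for m in allowed_macs}):
        rules.append(f"add chain=forward in-interface={clients} "
                     f"src-mac-address={mac}/{ALL_ONES} action=accept")
    rules.append("add chain=forward action=drop")
    return rules

def render_script(rules, trusted="ether1", clients="ether2"):
    """Full script to paste into the terminal: bridge, ports, then filter."""
    head = ["/interface bridge", "add name=bridge1", "/interface bridge port",
            f"add interface={trusted} bridge=bridge1",
            f"add interface={clients} bridge=bridge1", "/interface bridge filter"]
    return "\n".join(head + rules)

def decide(rules, in_iface, src_mac):
    """Simulate first-match evaluation of the forward chain for one frame."""
    src_mac = normalize_mac(src_mac)
    for rule in rules:
        fields = dict(tok.split("=", 1) for tok in rule.split()[1:])
        if fields.get("in-interface", in_iface) != in_iface:
            continue
        if fields.get("src-mac-address", "").split("/")[0] not in ("", src_mac):
            continue
        return fields["action"]
    return "accept"   # no rule matched: the bridge forwards by default

if __name__ == "__main__":
    # constructed allowlist for illustration, not real clients
    allowed = ["B8:AC:6F:7A:FC:34", "aa-bb-cc-dd-ee-ff", "AA:BB:CC:DD:EE:FF"]
    print(render_script(build_rules(allowed)))
```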
Yes, the bridge filter is the way to go. I had created the following rules before discovering this last reply. It is different than what was posted, but it looks like I need to add the last “drop” rule.
/interface bridge filter>
0 chain=forward out-interface=ether1 action=accept in-interface=ether2 src-mac-address=B8:AC:6F:7A:FC:34/FF:FF:FF:FF:FF:FF
1 chain=forward out-interface=ether2 action=accept in-interface=ether1 dst-mac-address=B8:AC:6F:7A:FC:34/FF:FF:FF:FF:FF:FF