need to retain a list of MAC Addresses on wlan1

xunil76 · May 19, 2011, 11:44pm

hey guys, i’m new here to the forums, but not really new to MikroTik…we’ve been using them at work for quite a while, i use MikroTik on my home network, and i just recently got the 3 MikroTik advanced certs. i’m running an RB493G with an R52Hn wireless card to handle 2.4Ghz wifi duties.

however, i have not yet figured out a way to retain a list of the MAC addresses for devices that are connecting (or attempting to connect) to my wlan1 interface.

i have a connect list set up with a list of MAC addresses that i have specifically allowed to connect on wlan1, and put the following entry at the very bottom to disallow connections from any MAC addresses other than the ones that i have specifically allowed. the devices that are allowed are set up exactly the same as this last rule, except with connect=yes, and with the actual MAC address listed, instead of 00:00:00:00:00:00

/interface wireless connect-list
add area-prefix="" comment="Drop everything not listed above" connect=no disabled=no interface=wlan1 mac-address=00:00:00:00:00:00 security-profile=default signal-range=-120.120 ssid="" wireless-protocol=any

as i understand it, this last rule should prevent any other wireless devices from even being able to associate with my wireless interface…however, checking the log, i see a ton of entries (mostly from the same MAC address) which state the following:

May/19/2011 16:51:54 | wireless info | wlan1: data from unknown device 00:20:00:57:91:91, sent deauth

according to Arul John’s MAC Lookup Tool, this MAC address is a Lexmark device…in all likelihood, a Lexmark wireless printer from one of my neighbors.

what i want to do is create a permanent list of the MAC addresses of all devices attempting to connect to my wlan1 interface.

i tried setting up a mangle rule that marks all connections on the wlan1 interface and adds it to a list called “MAC Associations”:

/ip firewall mangle
add action=add-src-to-address-list address-list="MAC Associations" address-list-timeout=0s chain=prerouting disabled=no in-interface="wlan1" src-mac-address=!00:00:00:00:00:00

notice the “not” (!) just before the MAC of 00:00:00:00:00:00, indicating for it to put any MAC address on the list except “00:00:00:00:00:00”. this rule works, but it only shows the IP address…no MAC address.

i am not running a hotspot on the unit, and would rather not do so if i don’t have to…just want to keep everything it’s running down to a minimum.

anyone have any ideas on the easiest way to accomplish this?

blake · May 20, 2011, 12:24am

It sounds like you want access-list, not connect-list.

Connect lists for controlling which AP’s a subscriber unit attempts to register with, not which subscribers an AP will allow to register.

xunil76 · May 20, 2011, 1:34am

yeah, it looks like you’re correct on that, and i’ve corrected that part…but any idea on how to list the MAC addresses of any devices attempting to connect to the wlan1 interface?

blake · May 20, 2011, 5:02am

I would continue to look at ‘/log’. That’s the only way I know to view devices attempting to connect, but which are denied.

changeip · May 20, 2011, 3:17pm

can you hide the ssid?

xunil76 · June 11, 2011, 4:03am

unfortunately, no…my girlfriend’s computer has issues with connecting to the router when the SSID is hidden…stupid Macintoshes…

xunil76 · June 11, 2011, 4:05am

that works for anything that’s currently in the log…but as we all know, once the maximum number of lines has been reached, the oldest lines start getting pushed off…so if i don’t look at it constantly, or have some way of logging it permanently (which I would prefer), it is possible that some entries may get missed.

not to mention the fact that you can’t copy/paste from the log, so i would have to manually type each MAC address that shows up in the list…which can be a major PITA if there are a lot of them.

fewi · June 11, 2011, 4:18am

Just a thought, not that versed in the wireless portions of Mikrotik, but it’s my impression that you can use RADIUS servers to authorize MAC addresses that are allowed to connect. At the same time you could then use that RADIUS server to log authentication attempts, and thus generate the list you’re after.
Though logging to syslog would probably be simpler, and sufficient. Certainly better than using the built in logs. And on a side note, you can copy/paste from the CLI view of the internal log just fine since it’s just text in a terminal.

sw0rdf1sh · July 10, 2011, 3:57am

You might need an “on-login” script for sending tha mac address to e-mail,as a text to an external website or something like that.
Just a thought

laithmikrotik · July 10, 2011, 3:05pm

nice subject