Only allow specific IPs to access the network

I have created an address list of IPs (bound to specific MAC addresses) which are the only ones allowed to have access on the router.

/ip firewall address-list
add address=192.168.88.2-192.168.88.11 list=employees

The firewall filter looks currently like this:

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add action=drop chain=input src-address-list=!employees
add action=drop chain=forward src-address-list=!employees
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway

The IPs in the list cannot connect outside the network (everything works fine inside). What am I missing? Is there a better way of achieving this?

What does your NAT table look like? Post your whole config. Also I am pretty sure you don’t mean to DROP everything coming in on input…

Can you explain more about your network? What are you trying to do? Etc.?

I may be able to explain a better way to do it.

Yes, you’re right, dropping all the input is silly - no idea what I was thinking.

I’m basically trying to ensure that only specific MAC addresses can connect to the network. Currently, anyone plugging an ethernet into the router gets access to anything on the network.

I’m going through the official wiki once again to see what I might have missed.

If you only want to allow certain MACs, then look into static ARP.


OK, so the following seems to have done the trick:

I have set ARP on bridge-local to reply-only:

[admin@CH] /ip dhcp-server lease> /interface bridge print
Flags: X - disabled, R - running
 0  R name="bridge-local" mtu=1500 l2mtu=1598 arp=reply-only mac-address=D4:CA:6D:97:6D:D3 protocol-mode=rstp priority=0x8000 auto-mac=no admin-mac=D4:CA:6D:97:6D:D3 max-message-age=20s forward-delay=15s
      transmit-hold-count=6 ageing-time=5m

One thing that I’m not certain about is what happens when the gateway that currently provides internet connectivity assigns a new address to our router (it’s not static)? Won’t the static ARP on bridge-local prevent the new IP address from being correctly assigned to ethernet-1? ethernet-1 still has ARP enabled.

The static ARP on the bridge should only affect things it communicates with… ether1 is still ARPing so it shouldn’t be affected.

Oh, great, thanks for pointing me in the right direction :wink:
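The approach the thread arrives at, written out as one configuration, added here as an example and not taken from any of the posters: static leases and static ARP entries for the allowed hosts, arp=reply-only on the LAN bridge only, and a filter that keeps the address list but no longer drops all input or the return traffic on forward. The bridge and interface names follow the thread; the DHCP server name, MAC addresses and host comments are assumptions.

```routeros
# Added example, not from the original thread. Assumes bridge-local as the LAN
# bridge, ether1-gateway as the upstream interface and a DHCP server named dhcp1.
# The MAC addresses and host comments below are made up.

# 1. Pin each allowed host to a fixed address with a static lease, so the
#    IP-based address list keeps matching the intended machines.
/ip dhcp-server lease
add address=192.168.88.2 mac-address=00:11:22:33:44:01 server=dhcp1 comment="host-a (assumed)"
add address=192.168.88.3 mac-address=00:11:22:33:44:02 server=dhcp1 comment="host-b (assumed)"

# 2. Static ARP for the same IP/MAC pairs on the LAN bridge. With
#    arp=reply-only the router never learns new pairs on this interface, so a
#    host that plugs in with an unknown MAC gets no ARP reply from the router.
/ip arp
add address=192.168.88.2 mac-address=00:11:22:33:44:01 interface=bridge-local
add address=192.168.88.3 mac-address=00:11:22:33:44:02 interface=bridge-local
/interface bridge set bridge-local arp=reply-only

# The WAN port keeps normal ARP, so a changed upstream address still works
# (this is the concern raised at the end of the thread).
/interface ethernet set ether1-gateway arp=enabled

# 3. The address list from the original post.
/ip firewall address-list
add address=192.168.88.2-192.168.88.11 list=employees

# 4. Filter. Established/related is accepted first on both chains, which is what
#    the original rules lacked: "forward src-address-list=!employees drop" also
#    matched replies coming back from the internet. Input is restricted from
#    the WAN side only, not dropped wholesale.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmp action=accept comment="default configuration"
add chain=input in-interface=ether1-gateway action=drop comment="no router access from WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge-local src-address-list=!employees action=drop \
    comment="only listed LAN hosts may leave the network"
```

Check the result with `/ip arp print` (entries on bridge-local should show as static) and by plugging in a host with an unlisted MAC, which should fail to reach the router at all.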