Router Setup with MAC Filtering

Hello all, I have acquired a new router, Mikrotik RB2011UAS-2HND-IN, and upgraded RouterOS to V6.1.

After configuring WAN and LAN, it's working fine. Internet is distributed to LAN via Eth2, and Eth1 is connected to the ISP link using the static IP specified by the ISP.

I do not use DHCP on the LAN side as all client machines have been assigned static IP addresses.

I need help in setting up the router/firewall in such a way that I can filter Internet access on LAN using MAC addresses bound to specific IP addresses. For e.g., only IP addresses 192.168.101.22, 24, 32 & 35 should have access to Internet; the rest should not. I have MAC records of .22, 24, 32 & 35.

I would appreciate it if anyone on the forum could spare some time and assist with steps on configuring the router to do this.
Thx
Romeet

Set the LAN interface to “arp=reply-only”, and add in your arp entries into IP->ARP. That will probably be the quickest way to do that.

Why filter it on MAC?
You could also do it via ip firewall filter:
create a rule allowing traffic in your forward chain for the desired IPs and deny the rest.

Hello Feklar, thank you for responding and trying to help. I tried doing the above, but when I go to IP->ARP, all the functions are grayed out and cannot be selected? Yes, I did set arp=reply-only.

Dear Rudios, thank you for taking time to try and help. The reason for filtering it on MAC is because I have some smart alecks in my network who tend to copy IPs that have been “allowed” net access and use them on their own computers.

Hello Feklar, sorry, ignore my previous response. I realised my mistake was trying it out from my laptop, which had not been “allowed” first in the ARP list lols. I rectified the situation and tested, YES it works superb! Thank you very much, such a simple procedure!

Now, on the same note, do you reckon it's possible to limit access using a time frame, i.e. for e.g., for a MAC/IP which has been allowed in the ARP list, I would like some users to only be able to get access to Internet between say 5pm and 7pm and 1pm to 2pm? What would be the best way to implement this?

Thanks!

The way you would go about that is with the IP firewall and setting up appropriate filters with a time setting under the extra tab. Since you have static entries in the ARP pool for specific IP addresses, you can create an address list for the different IP addresses, and use them in your firewall filter rules. You will also want your SNTP or NTP client, and timezone set so that the router has an accurate time.
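
The whole setup discussed in this thread, written out as RouterOS v6 commands. This is an added example, not configuration posted by anyone in the thread. It assumes the ports are named ether1 (ISP) and ether2 (LAN) and that .32 and .35 are the time-limited hosts; the MAC addresses, NTP server address and time zone are constructed placeholders.

```routeros
# Added example for RouterOS v6; all MACs, the NTP server and the time zone
# below are placeholders to be replaced with real values.

# 1. The router answers ARP only for hosts that have a static entry,
#    so an "allowed" IP used from a different MAC gets no reply.
/interface ethernet set ether2 arp=reply-only
/ip arp
add address=192.168.101.22 mac-address=00:00:5E:00:53:22 interface=ether2
add address=192.168.101.24 mac-address=00:00:5E:00:53:24 interface=ether2
add address=192.168.101.32 mac-address=00:00:5E:00:53:32 interface=ether2
add address=192.168.101.35 mac-address=00:00:5E:00:53:35 interface=ether2

# 2. Group the time-limited hosts (assumed here to be .32 and .35).
/ip firewall address-list
add list=timed-users address=192.168.101.32
add list=timed-users address=192.168.101.35

# 3. Allow those hosts out to the ISP port only from 1pm-2pm and 5pm-7pm,
#    every day of the week; drop their Internet traffic at all other times.
/ip firewall filter
add chain=forward src-address-list=timed-users out-interface=ether1 \
    time=13h-14h,sun,mon,tue,wed,thu,fri,sat action=accept \
    comment="timed users: 1pm-2pm"
add chain=forward src-address-list=timed-users out-interface=ether1 \
    time=17h-19h,sun,mon,tue,wed,thu,fri,sat action=accept \
    comment="timed users: 5pm-7pm"
add chain=forward src-address-list=timed-users out-interface=ether1 \
    action=drop comment="timed users: outside allowed hours"

# 4. Time-based rules follow the router clock, so set the zone and sync it.
/system clock set time-zone-name=Europe/Riga
/system ntp client set enabled=yes primary-ntp=192.0.2.123
```

Rule order matters: `add` appends to the end of the forward chain, so move these three rules above any general accept rule (for example one accepting established connections), otherwise a session opened inside the window keeps working after it closes. Add the static ARP entry for the machine you are administering from before switching the port to reply-only, as the poster above found out.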