muzi99
just joined
Topic Author
Posts: 1
Joined: Mon Jul 10, 2017 3:57 pm

DHCP clients - MAC Address filtering

Mon Jul 10, 2017 4:06 pm

Hello,

I have a problem with settings on MikroTik RB2011UiAS-2HnD-IN.

I need to set up my network so that computers with static IP addresses have access without restrictions. Devices connected in the DHCP pool should be allowed access only if they are in a MAC address list.
How can I set up this configuration?

Thanks.
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: DHCP clients - MAC Address filtering

Mon Jul 10, 2017 4:19 pm

There is no MAC-list in the ROS :-(
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: DHCP clients - MAC Address filtering

Mon Jul 10, 2017 9:50 pm

As BartoszP said, there's no such feature built into ROS. You need to resort to RADIUS for that.

Restrictions based on MACs, however, are easily spoofable, and usually a waste of time.

Not sure what you are trying to achieve, whether this is for an SMB or home network, a hotspot or an ISP of some kind.

That being said, you could achieve a "Poor man's" setup achieving what I understood you want without deploying RADIUS by:

- Setup DHCP, let's say pool is 192.168.88.2-192.168.88.254
- Create static entries for each allowed mac-address, using IPs within a given range, say, the lower /25 (192.168.88.2-192.168.88.126).

The quickest way to do this is to set it up, let the allowed devices connect, then right-click on the lease and "Make static", editing it afterwards.

Once you have this in place, any device whose MAC isn't on a static DHCP lease should get an IP from the pool which is not already statically assigned, i.e., from the upper range, 192.168.88.129-254.

As restricted users will have addresses from the 192.168.88.128/25 range, you will be able to set firewall rules to restrict them.

However... users can set up addresses on their own, overcoming the DHCP. They can forge MAC addresses too. So unless this is for kids (and even so) I wouldn't rely on it to protect anything valuable.
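
The setup pukkita describes, written out as RouterOS commands. This is an added example, not part of any post in the thread; the interface name, gateway, server and pool names and the MAC addresses are constructed, and limiting the dynamic pool to the upper range is an assumption that goes beyond the post.

```routeros
# Added example. The interface name "bridge", the gateway 192.168.88.1, the
# names dhcp-lan / pool-unlisted and both MAC addresses are constructed.

# Assumption beyond the post: the dynamic pool is only the upper range, so a
# client without a static lease can never be handed a lower-/25 address.
/ip pool add name=pool-unlisted ranges=192.168.88.129-192.168.88.254
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1
/ip dhcp-server add name=dhcp-lan interface=bridge address-pool=pool-unlisted disabled=no

# One static lease per allowed MAC, each inside 192.168.88.2-192.168.88.126.
/ip dhcp-server lease
add server=dhcp-lan mac-address=02:00:00:00:00:01 address=192.168.88.10 comment="allowed-1"
add server=dhcp-lan mac-address=02:00:00:00:00:02 address=192.168.88.11 comment="allowed-2"

# Restrict everything served from the upper range. log=yes records each
# blocked attempt, so unlisted devices show up in the log. The rule must sit
# above any rule that accepts LAN traffic in the forward chain.
/ip firewall filter
add chain=forward src-address=192.168.88.128/25 action=drop log=yes log-prefix="unlisted-dhcp" comment="unlisted DHCP clients"

# Audit for the caveat in the post: report hosts seen in the lower /25 whose
# IP/MAC pair has no static lease. Self-assigned addresses, and any manually
# configured computer, will be listed here for review.
:foreach a in=[/ip arp find where address in 192.168.88.0/25] do={
    :local ip [/ip arp get $a address]
    :local mac [/ip arp get $a mac-address]
    :if ([:len [/ip dhcp-server lease find where address=$ip mac-address=$mac !dynamic]] = 0) do={
        :log warning ("lower /25 host without static lease: " . $ip . " " . $mac)
    }
}
```

The audit loop only compares ARP entries with the lease table, so a device that copies an allowed MAC address still passes it.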
 
Fairfacts
just joined
Posts: 1
Joined: Tue Jan 23, 2018 5:56 am

Re: DHCP clients - MAC Address filtering

Tue Jan 23, 2018 6:11 am

So I need something similar but it’s not a security question. I have devices on my network that don’t have the option to be given a static IP address. But I need to know their IP address to allow remote control commands. If these devices reboot I don’t want them getting a new dynamic address. On my old router I gave them IPs according to a MAC filter so they essentially got fixed addresses, and because this technique worked I used it for about ten of these types of devices. Some I could have set static IPs for on the devices, some I could not. This means I have a range of static IP addresses beyond the upper edge of my dynamic allocation.

I used to have a circuit provider edge router I did not have admin access to, so I did not want DHCP from that. I installed my own router inside the provider, splitting public and private (my router is private). Now I have purchased a MikroTik edge router and want to move my high speed traffic to use hard wired ports on the edge router rather than traversing my router and switch before getting to my devices. Hopefully reducing buffering and improving throughput.
