lordomega
just joined
Topic Author
Posts: 4
Joined: Thu Mar 24, 2016 1:26 am

IP and MAC Address Validation before pass through the routeros

Thu Mar 24, 2016 1:32 am

Hello,
today I'm implementing a solution with 2 Ethernet interfaces bridged inside RouterOS.

One eth on the public network and another in a VLAN network.

I set up a static MAC address based DHCP,

now the question is:

how may I allow transit only if hosts match exactly the MAC - IP they must have?

I want to prevent them from changing their IP manually and transiting through the RouterOS acting as network gateway.

Thanks in advance
Simone
 
tr00g33k
Frequent Visitor
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: IP and MAC Address Validation before pass through the routeros

Thu Mar 24, 2016 7:41 am

You set up the DHCP server to add ARP for leases
/ip dhcp-server set "DHCP-Local" add-arp=yes
=> the router will add an ARP lease for every DHCP IP address

Then on the local bridge you set up ARP to reply-only
/interface bridge set "LAN" arp=reply-only
=> This means that the router will reply only to ARP entries in the table (the ones that the router added when it issued an IP address via the DHCP server).

This will not prevent users from adding static IPs in the network, but if they add a static IP, they will not be able to access the default gateway and the internet.

For some extra security you can set the pool in the DHCP server settings to "static-only". And every time someone wants to connect to your network you change the pool to the "LAN - pool", make the DHCP lease static and change it back to "static-only", so even if someone that you don't want to connects to the network, they won't get an IP address, and even if they set up a static IP, they will not be able to access the internet.

If you want to go even further you can even set a /32 mask for every client.
 
lordomega
just joined
Topic Author
Posts: 4
Joined: Thu Mar 24, 2016 1:26 am

Re: IP and MAC Address Validation before pass through the routeros

Thu Mar 24, 2016 8:59 am

I am already using the config you suggested to me :)

But as you described, this will not block someone with a manual IP from bypassing the DHCP - router.

Is it not possible to write a dynamic rule somewhere, or to force the ARP table of the router to be checked before passing through the gateway?

Like in the little firewall RouterOS has inside, to make a rule that refers to the DHCP entry / ARP table entry to check the packets' MAC - IP?

I'm not so skilled in networking but I think this may be something similar to my target; I think it has to be modified for bridge usage

http://forum.mikrotik.com/viewtopic.php?t=46071

What do you think about it?
 
nxs02
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re: IP and MAC Address Validation before pass through the routeros

Thu Mar 24, 2016 9:03 am

> tr00g33k wrote:
> If you want to go even further you can even set a /32 mask for every client.

How do you set a /32 mask for every client in MT?
 
lordomega
just joined
Topic Author
Posts: 4
Joined: Thu Mar 24, 2016 1:26 am

Re: IP and MAC Address Validation before pass through the routeros

Thu Mar 24, 2016 9:31 am

Adding as many pools as IPs you have, in the DHCP server's list of available IPs.
 
tr00g33k
Frequent Visitor
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: IP and MAC Address Validation before pass through the routeros

Thu Mar 24, 2016 1:50 pm

> lordomega wrote:
> I am already using the config you suggested to me :)
>
> But as you described, this will not block someone with a manual IP from bypassing the DHCP - router.
>
> Is it not possible to write a dynamic rule somewhere, or to force the ARP table of the router to be checked before passing through the gateway?
>
> Like in the little firewall RouterOS has inside, to make a rule that refers to the DHCP entry / ARP table entry to check the packets' MAC - IP?
>
> I'm not so skilled in networking but I think this may be something similar to my target; I think it has to be modified for bridge usage
>
> http://forum.mikrotik.com/viewtopic.php?t=46071
>
> What do you think about it?

Maybe I don't understand what exactly you want to achieve; with this config, if a client sets up a static IP it cannot communicate with the router or the internet. I have this setup on many networks, and the clients cannot access the internet if they set up a static IP.
 
tr00g33k
Frequent Visitor
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: IP and MAC Address Validation before pass through the routeros

Thu Mar 24, 2016 1:51 pm

> nxs02 wrote:
> > tr00g33k wrote:
> > If you want to go even further you can even set a /32 mask for every client.
>
> How do you set a /32 mask for every client in MT?

Under:

IP / DHCP Server / Networks / you choose the network and add the netmask.
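As an added illustration (not configuration from this thread, from MikroTik, or from either poster), here is the advice from the two replies above put together in one RouterOS configuration: the DHCP server adds an ARP entry per lease, the bridge answers ARP only for those entries, and the DHCP network hands out a /32 netmask. The interface, server and pool names (LAN, dhcp-local, lan-pool), the addresses and the MAC addresses are assumed and constructed for the example. The firewall rules in the last step are my own extra, addressing the original question about checking packets' MAC/IP pairs in the firewall; they are not part of what the replies describe.

```routeros
# Added example, not from the thread. Names, addresses and MACs are assumed;
# replace them with your own before use.

# 1. Address pool and DHCP server on the LAN bridge.
#    add-arp=yes makes the router create an ARP entry for every lease it hands out.
/ip pool add name=lan-pool ranges=192.168.10.10-192.168.10.250
/ip dhcp-server add name=dhcp-local interface=LAN address-pool=lan-pool add-arp=yes lease-time=1d

# 2. DHCP network (IP / DHCP Server / Networks in WinBox). netmask=32 is the
#    "/32 mask for every client" from the reply above: each client sees only
#    itself on-link and sends everything, even to neighbours, via the gateway.
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 netmask=32 dns-server=192.168.10.1

# 3. One static lease per known host (constructed MAC addresses).
/ip dhcp-server lease add server=dhcp-local address=192.168.10.10 mac-address=00:11:22:33:44:55 comment="host-a"
/ip dhcp-server lease add server=dhcp-local address=192.168.10.11 mac-address=00:11:22:33:44:66 comment="host-b"

# 4. Answer ARP only for entries already in the table (the DHCP-added ones).
#    A host that configures its own IP has no entry, so the router neither
#    resolves it nor answers it, and that host cannot reach the gateway.
/interface bridge set LAN arp=reply-only

# 5. Optional: hand out no dynamic leases at all, so unknown MACs get nothing.
/ip dhcp-server set dhcp-local address-pool=static-only

# 6. Extra (beyond the replies): for traffic routed through this box, accept
#    forwarding only from the known IP/MAC pairs and drop the rest from LAN.
/ip firewall filter add chain=forward in-interface=LAN src-address=192.168.10.10 src-mac-address=00:11:22:33:44:55 action=accept
/ip firewall filter add chain=forward in-interface=LAN src-address=192.168.10.11 src-mac-address=00:11:22:33:44:66 action=accept
/ip firewall filter add chain=forward in-interface=LAN action=drop

# Check: one ARP entry per bound lease should be listed on LAN; a host with a
# self-assigned IP will not appear, and will not reach the gateway.
/ip arp print where interface=LAN
/ip dhcp-server lease print where status=bound
```

A couple of things to keep in mind when testing this: the ARP control in step 4 only governs traffic to and through the router, so two hosts on the same bridge can still talk to each other directly (the /32 netmask in step 2 discourages that but does not forbid it at layer 2), and a test client needs its ARP cache cleared (or a reboot, as lordomega found below) after the change, otherwise a stale entry for the gateway can make it look as if the restriction is not working.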
 
lordomega
just joined
Topic Author
Posts: 4
Joined: Thu Mar 24, 2016 1:26 am

Re: IP and MAC Address Validation before pass through the routeros

Thu Mar 24, 2016 3:51 pm

> tr00g33k wrote:
> You set up the DHCP server to add ARP for leases
> /ip dhcp-server set "DHCP-Local" add-arp=yes
> => the router will add an ARP lease for every DHCP IP address
>
> Then on the local bridge you set up ARP to reply-only
> /interface bridge set "LAN" arp=reply-only
> => This means that the router will reply only to ARP entries in the table (the ones that the router added when it issued an IP address via the DHCP server).
>
> This will not prevent users from adding static IPs in the network, but if they add a static IP, they will not be able to access the default gateway and the internet.
>
> For some extra security you can set the pool in the DHCP server settings to "static-only". And every time someone wants to connect to your network you change the pool to the "LAN - pool", make the DHCP lease static and change it back to "static-only", so even if someone that you don't want to connects to the network, they won't get an IP address, and even if they set up a static IP, they will not be able to access the internet.
>
> If you want to go even further you can even set a /32 mask for every client.

Yes, got it. It's exactly what I was looking for.

I missed rebooting the test VM to clear the ARP entries between network changes!
Thanks a lot man!!!!!
