zivtal
Frequent Visitor
Topic Author
Posts: 57
Joined: Sun Feb 05, 2017 6:22 pm

Block unknown MAC address from wired network

Sun Feb 11, 2018 7:51 pm

Hi,

I would like to know if there is a way to block unknown devices by MAC address from my local wired LAN.

I mean, if someone connects a cable to my local port (wired) today, he gets a DHCP pool IP and has access to my network. Is there a way to block it?
CCR1009-8G-S+S+PC | RB962UiGS-5HacT2HnT | RBOmniTikPG-5HacD | RB750Gr3 | RBwAPG-5HacT2HnD
 
poizzon
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: Block unknown MAC address from wired network

Wed Feb 28, 2018 12:17 am

The idea is as follows:
All known DHCP clients are placed in WhiteList, and then the firewall drops all clients in the local bridge whose source address is not WhiteListed.
/ip dhcp-server lease
add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0
/ip firewall filter
add action=drop chain=forward comment="DROP all not WhiteListed clients" disabled=no in-interface=bridge src-address-list=!WhiteList
--
poi
 
Steveocee
Forum Guru
Posts: 1127
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Block unknown MAC address from wired network

Thu Mar 01, 2018 1:53 pm

> The idea is as follows:
> All known DHCP clients are placed in WhiteList, and then the firewall drops all clients in the local bridge whose source address is not WhiteListed.
> /ip dhcp-server lease
> add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0
> /ip firewall filter
> add action=drop chain=forward comment="DROP all not WhiteListed clients" disabled=no in-interface=bridge src-address-list=!WhiteList

I may be missing the intention of this but how would the list distinguish between genuine DHCP clients and rogue clients though?

PPPoE could possibly be an option?
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
poizzon
Member Candidate
Posts: 113
Joined: Fri Jun 21, 2013 12:53 pm

Re: Block unknown MAC address from wired network

Thu Mar 01, 2018 1:58 pm

Just make the genuine clients static.

This command adds genuine clients as static leases and adds them to WhiteList:


/ip dhcp-server lease
add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0
--
poi
 
AlainCasault
Trainer
Posts: 631
Joined: Fri Apr 30, 2010 3:25 pm
Location: Laval, QC, Canada

Re: Block unknown MAC address from wired network

Thu Mar 01, 2018 6:27 pm

You could go into bridge-filters and add all known MAC addresses and permit those while dropping the rest. Just make sure to input all the devices you own, obviously ;)



___________________________
Alain Casault, Eng.
If I helped you, let me know!
 
minhazulOO7
just joined
Posts: 2
Joined: Tue Jan 08, 2019 1:18 am

Re: Block unknown MAC address from wired network

Sat Mar 02, 2019 2:13 pm

> The idea is as follows:
> All known DHCP clients are placed in WhiteList, and then the firewall drops all clients in the local bridge whose source address is not WhiteListed.
> /ip dhcp-server lease
> add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0
> /ip firewall filter
> add action=drop chain=forward comment="DROP all not WhiteListed clients" disabled=no in-interface=bridge src-address-list=!WhiteList

THANKS MAN! It worked like a charm! Now I can easily block any unknown user in WiFi/LAN! :wink:

Also, for more security, I changed ARP from enabled to reply-only and statically assigned all of the IPs in the ARP list.
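
The bridge-filter and reply-only ARP measures mentioned in the two replies above, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread; it reuses the bridge name `bridge` and the sample address/MAC pair from the lease command, and assumes one accept line pair and one ARP entry per known device.

```routeros
# Added example. Names taken from the thread: bridge "bridge", sample host
# 10.10.0.3 / 30:07:4D:00:00:00. Repeat the per-host lines for every device.
# Enable Safe Mode before pasting: the final drop rules cut off any host
# that is not listed, including the one you are configuring from.

# 1. Bridge filter: accept frames from known source MACs only.
#    "forward" covers traffic bridged between ports, "input" covers
#    traffic addressed to the router itself (DHCP, management, routed traffic).
/interface bridge filter
add chain=forward in-bridge=bridge action=accept comment="known host" src-mac-address=30:07:4D:00:00:00/FF:FF:FF:FF:FF:FF
add chain=input in-bridge=bridge action=accept comment="known host" src-mac-address=30:07:4D:00:00:00/FF:FF:FF:FF:FF:FF
add chain=forward in-bridge=bridge action=drop comment="DROP unknown MAC, bridged"
add chain=input in-bridge=bridge action=drop comment="DROP unknown MAC, to router"

# 2. Static ARP entry per known host, then stop learning ARP dynamically.
#    With arp=reply-only the router talks only to IP/MAC pairs listed here.
/ip arp
add address=10.10.0.3 mac-address=30:07:4D:00:00:00 interface=bridge comment="known host"
/interface bridge
set [find name=bridge] arp=reply-only

# 3. Check: rule order and the static ARP table.
/interface bridge filter print
/ip arp print where interface=bridge
```

Frames switched in hardware between ports do not pass through bridge filter rules, so on a hardware-offloaded bridge the forward-chain rules only see traffic handled by the CPU. A MAC address is a value the client reports, so both measures filter by claimed identity rather than authenticate the device.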
