Block unknown MAC address from wired network

Posted: Sun Feb 11, 2018 7:51 pm
by zivtal
Hi,

I would like to know if there is a way to block unknown devices by mac address from my local wired lan.

I mean if someone connect cable to my local port (wired) today he is getting dhcp pool ip and have access to my network, there is a way to block it ?

Re: Block unknown MAC address from wired network

Posted: Wed Feb 28, 2018 12:17 am
by poizzon
The idea is as follows:
All known DHCP clients are placed in WhiteList, and then in the firewall, drop all clients in the local bridge whose source address is not WhiteList'ed:

/ip dhcp-server lease
add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0
/ip firewall filter
add action=drop chain=forward comment="DROP all not WhiteListed clients" disabled=no in-interface=bridge src-address-list=!WhiteList

Re: Block unknown MAC address from wired network

Posted: Thu Mar 01, 2018 1:53 pm
by Steveocee
poizzon wrote:
The idea is as follows:
All known DHCP clients are placed in WhiteList, and then in the firewall, drop all clients in the local bridge whose source address is not WhiteList'ed:
/ip dhcp-server lease
add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0
/ip firewall filter
add action=drop chain=forward comment="DROP all not WhiteListed clients" disabled=no in-interface=bridge src-address-list=!WhiteList

I may be missing the intention of this, but how would the list distinguish between genuine DHCP clients and rogue clients?

PPPoE could possibly be an option?

Re: Block unknown MAC address from wired network

Posted: Thu Mar 01, 2018 1:58 pm
by poizzon
Just make static genuine clients.

This command adds genuine clients as static leases and adds them to WhiteList:

/ip dhcp-server lease
add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0

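A fuller version of the static-lease plus address-list approach above, written as an added example for this thread rather than poizzon's own config. It assumes a bridge named bridge carrying the LAN ports, a DHCP server dhcp0 on it, the 10.10.0.0/24 range, and a constructed MAC address. Beyond the posted commands it adds a static-only pool (unknown hosts get no lease at all), a matching drop in the input chain (unknown hosts cannot reach the router itself), and reply-only ARP with add-arp (a host that sets an address by hand still gets no ARP entry, so it cannot talk through the router even if it picks an address inside the WhiteList range).

```routeros
# Added example, not from the thread. Assumed names: bridge "bridge",
# DHCP server "dhcp0", LAN 10.10.0.0/24, constructed MAC 30:07:4D:00:00:00.

# 1. Hand out leases only to hosts that already have a static lease entry,
#    and let the server create a static ARP entry for each bound lease.
/ip dhcp-server
set dhcp0 address-pool=static-only add-arp=yes

# 2. One static lease per known device. While the lease is active its
#    address is kept in the WhiteList address list.
/ip dhcp-server lease
add address=10.10.0.3 mac-address=30:07:4D:00:00:00 server=dhcp0 \
    address-lists=WhiteList comment="workstation-1"

# 3. Only static ARP entries are honoured on the LAN interface; with
#    add-arp=yes above, the DHCP server supplies them for known hosts.
/interface bridge
set bridge arp=reply-only

# 4. Drop LAN traffic whose source is not in WhiteList, both traffic that
#    passes through the router (forward) and traffic aimed at the router
#    itself (input). Place these before any rule that accepts LAN traffic.
/ip firewall filter
add chain=input   action=drop in-interface=bridge src-address-list=!WhiteList \
    comment="unknown LAN host -> router"
add chain=forward action=drop in-interface=bridge src-address-list=!WhiteList \
    comment="unknown LAN host -> anywhere"
```

Two things to keep in mind when using this: the address list matches IP addresses, not MACs, which is why step 3 matters; and the IP firewall forward chain only sees traffic that is routed through the router, so frames switched between two ports of the same bridge are not filtered by it unless use-ip-firewall=yes is set under /interface bridge settings. Checking /ip firewall address-list print and /ip arp print after plugging in a test device shows whether it was admitted.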
Re: Block unknown MAC address from wired network

Posted: Thu Mar 01, 2018 6:27 pm
by AlainCasault
You could go into bridge filters and add all known MAC addresses, permit those, and drop the rest. Just make sure to input all the devices you own, obviously ;)

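The bridge-filter variant AlainCasault describes, as an added example that is not his own config. It assumes the LAN ports are in a bridge named bridge and uses two constructed MAC addresses as placeholders for devices you own. Unlike an IP firewall rule, bridge filters match layer-2 frames, so they also cover traffic switched directly between two LAN ports.

```routeros
# Added example, not from the thread. Assumed: bridge "bridge" carries the
# LAN ports; both MAC addresses are constructed placeholders.

/interface bridge filter
# Known devices: accept frames from each source MAC, both frames that cross
# the bridge between ports (forward) and frames addressed to the router (input).
add chain=forward src-mac-address=30:07:4D:00:00:00/FF:FF:FF:FF:FF:FF action=accept comment="workstation-1"
add chain=input   src-mac-address=30:07:4D:00:00:00/FF:FF:FF:FF:FF:FF action=accept comment="workstation-1"
add chain=forward src-mac-address=30:07:4D:00:00:01/FF:FF:FF:FF:FF:FF action=accept comment="printer"
add chain=input   src-mac-address=30:07:4D:00:00:01/FF:FF:FF:FF:FF:FF action=accept comment="printer"

# Everything else is dropped. These two rules must remain last in their chains;
# new devices are added above them with further accept rules.
add chain=forward action=drop comment="drop unknown MAC (bridged)"
add chain=input   action=drop comment="drop unknown MAC (to router)"
```

Because the input-chain drop also discards DHCP requests from unknown MACs, such a device never even obtains an address, while known devices are matched by MAC before any IP is involved and lease normally. The drop counters in /interface bridge filter print stats climb when an unlisted device is plugged in, which makes the rules a simple detector as well as a block. Note that bridge filters are processed by the CPU and can disable hardware offloading on switch-chip ports, and that a MAC address is an identifier rather than a credential, so this is hygiene against accidental or casual connections rather than a substitute for port authentication such as 802.1X.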
Re: Block unknown MAC address from wired network

Posted: Sat Mar 02, 2019 2:13 pm
by minhazulOO7
poizzon wrote:
The idea is as follows:
All known DHCP clients are placed in WhiteList, and then in the firewall, drop all clients in the local bridge whose source address is not WhiteList'ed:
/ip dhcp-server lease
add address=10.10.0.3 address-lists=WhiteList client-id=1:30:7:4d:00:00:00 mac-address=30:07:4D:00:00:00 server=dhcp0
/ip firewall filter
add action=drop chain=forward comment="DROP all not WhiteListed clients" disabled=no in-interface=bridge src-address-list=!WhiteList

THANKS MAN! It worked like a charm! Now I can easily block any unknown user on WiFi/LAN! :wink:

Also, for more security, I changed ARP from enabled to reply-only and statically assigned all of the IPs in the ARP list.