hi4ibb
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jan 18, 2016 4:36 pm

bridge filters for prevent clients from seeing ip and mac ?

Sat Apr 02, 2016 8:52 pm

hi all,

I made a hotspot server on a bridge, I created 11 VLANs under ether6, and I put wlan, ether6, and the 11 VLANs in the bridge ports.

Someone gave me this filter to prevent clients from seeing the IP and MAC of other clients in my network, but really I suffer from connection problems with my network and I don't know if this script is good, or needs some settings to be good, or whether I have to try another filter.

This is the filter:

/interface bridge filter
add action=drop chain=forward dst-port=10001 ip-protocol=udp mac-protocol=ip
add action=drop chain=input dst-port=10001 ip-protocol=udp mac-protocol=ip
add action=drop chain=output dst-port=10001 ip-protocol=udp mac-protocol=ip


/interface bridge filter
add action=drop chain=forward mac-protocol=arp in-interface=vlan100
add chain=forward mac-protocol=!arp out-interface=vlan100
add action=drop chain=forward mac-protocol=arp in-interface=vlan101
add chain=forward mac-protocol=!arp out-interface=vlan101
add action=drop chain=forward mac-protocol=arp in-interface=vlan102
add chain=forward mac-protocol=!arp out-interface=vlan102
add action=drop chain=forward mac-protocol=arp in-interface=vlan104
add chain=forward mac-protocol=!arp out-interface=vlan104
add action=drop chain=forward mac-protocol=arp in-interface=vlan105
add chain=forward mac-protocol=!arp out-interface=vlan105
add action=drop chain=forward mac-protocol=arp in-interface=vlan106
add chain=forward mac-protocol=!arp out-interface=vlan106
add action=drop chain=forward mac-protocol=arp in-interface=vlan107
add chain=forward mac-protocol=!arp out-interface=vlan107
add action=drop chain=forward mac-protocol=arp in-interface=vlan108
add chain=forward mac-protocol=!arp out-interface=vlan108
add action=drop chain=forward mac-protocol=arp in-interface=vlan109
add chain=forward mac-protocol=!arp out-interface=vlan109
add action=drop chain=forward mac-protocol=arp in-interface=vlan110
add chain=forward mac-protocol=!arp out-interface=vlan110
add action=drop chain=forward mac-protocol=arp in-interface=vlan111
add chain=forward mac-protocol=!arp out-interface=vlan111


Is there anyone who can help me plz?... I feel tired of people who steal MAC addresses in my network
 
ShayanFiroozi
Member Candidate
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: bridge filters for prevent clients from seeing ip and mac ?

Sat Apr 02, 2016 10:26 pm

Hi,
why don't you use IPs??

In Bridge/Setting, enable Use IP Firewall.

Then in IP/Firewall add a simple rule which drops packets from the same subnet that the clients are in!

For example, drop forwarded packets from 192.168.200.0/24 to 192.168.200.0/24.
 
hi4ibb
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jan 18, 2016 4:36 pm

Re: bridge filters for prevent clients from seeing ip and mac ?

Sat Apr 02, 2016 10:47 pm

Hi,
why don't you use IPs??

In Bridge/Setting, enable Use IP Firewall.

Then in IP/Firewall add a simple rule which drops packets from the same subnet that the clients are in!

For example, drop forwarded packets from 192.168.200.0/24 to 192.168.200.0/24.

thanks Shayan very much

do you mean that the rule you gave will prevent clients from seeing IP and MAC addresses in my network?

if you don't mind, would you write your rule, because I am not very good at networking

by the way, my range is 192.168.88.0/24
 
hi4ibb
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jan 18, 2016 4:36 pm

Re: bridge filters for prevent clients from seeing ip and mac ?

Sat Apr 02, 2016 10:48 pm

Hi,
why don't you use IPs??

In Bridge/Setting, enable Use IP Firewall.

Then in IP/Firewall add a simple rule which drops packets from the same subnet that the clients are in!

For example, drop forwarded packets from 192.168.200.0/24 to 192.168.200.0/24.

thanks Shayan very much

so do I have to delete my filter and write your rule? or do I have to keep my filter?

do you mean that the rule you gave will prevent clients from seeing IP and MAC addresses in my network?

if you don't mind, would you write your rule, because I am not very good at networking

by the way, my range is 192.168.88.0/24
 
nxs02
Member Candidate
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re: bridge filters for prevent clients from seeing ip and mac ?

Sun Apr 03, 2016 8:14 am

What he means is: forward chain, drop src 192.168.88.0/24 dst 192.168.88.0/24.
 
ShayanFiroozi
Member Candidate
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: bridge filters for prevent clients from seeing ip and mac ?

Sun Apr 03, 2016 9:35 am

Hi,
why don't you use IPs??

In Bridge/Setting, enable Use IP Firewall.

Then in IP/Firewall add a simple rule which drops packets from the same subnet that the clients are in!

For example, drop forwarded packets from 192.168.200.0/24 to 192.168.200.0/24.

thanks Shayan very much

so do I have to delete my filter and write your rule? or do I have to keep my filter?

do you mean that the rule you gave will prevent clients from seeing IP and MAC addresses in my network?

if you don't mind, would you write your rule, because I am not very good at networking

by the way, my range is 192.168.88.0/24

Assume your hotspot gateway is 192.168.88.1

You should allow your clients to communicate with their gateway with these 2 rules:

add chain=forward dst-address=192.168.88.1 src-address=192.168.88.0/24
add chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.1

Then drop every packet in the same subnet (your 192.168.88.1 would also be matched by the rule below, but before this rule you accepted your gateway packets, so this rule will not be applied to 192.168.88.1):

add action=drop chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.0/24

Also disabling the "Default forward" feature in your WLAN and setting ARP to reply-only will help you.
 
nxs02
Member Candidate
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re: bridge filters for prevent clients from seeing ip and mac ?

Sun Apr 03, 2016 9:52 am

Bridge horizon is also useful for port and client isolation.
 
hi4ibb
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jan 18, 2016 4:36 pm

Re: bridge filters for prevent clients from seeing ip and mac ?

Sun Apr 03, 2016 8:20 pm

Assume your hotspot gateway is 192.168.88.1

You should allow your clients to communicate with their gateway with these 2 rules:

add chain=forward dst-address=192.168.88.1 src-address=192.168.88.0/24
add chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.1

Then drop every packet in the same subnet (your 192.168.88.1 would also be matched by the rule below, but before this rule you accepted your gateway packets, so this rule will not be applied to 192.168.88.1):

add action=drop chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.0/24

Also disabling the "Default forward" feature in your WLAN and setting ARP to reply-only will help you.

thank you Shayan, yes your filter is good, it is effective against IP scan software, but it is not effective against IP scan software that depends on ARP scanning.

maybe I have to add some settings to make this rule the best, like going to the DHCP server and checking the feature "add arp for leases"???????
 
nxs02
Member Candidate
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re: bridge filters for prevent clients from seeing ip and mac ?

Mon Apr 04, 2016 5:29 am

Assume your hotspot gateway is 192.168.88.1

You should allow your clients to communicate with their gateway with these 2 rules:

add chain=forward dst-address=192.168.88.1 src-address=192.168.88.0/24
add chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.1

Then drop every packet in the same subnet (your 192.168.88.1 would also be matched by the rule below, but before this rule you accepted your gateway packets, so this rule will not be applied to 192.168.88.1):

add action=drop chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.0/24

Also disabling the "Default forward" feature in your WLAN and setting ARP to reply-only will help you.

thank you Shayan, yes your filter is good, it is effective against IP scan software, but it is not effective against IP scan software that depends on ARP scanning.

maybe I have to add some settings to make this rule the best, like going to the DHCP server and checking the feature "add arp for leases"???????

yes
 
ShayanFiroozi
Member Candidate
Member Candidate
Posts: 281
Joined: Sat Jun 01, 2013 12:44 pm
Location: Bandar Abbas , Iran

Re: bridge filters for prevent clients from seeing ip and mac ?

Mon Apr 04, 2016 8:16 am

Assume your hotspot gateway is 192.168.88.1

You should allow your clients to communicate with their gateway with these 2 rules:

add chain=forward dst-address=192.168.88.1 src-address=192.168.88.0/24
add chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.1

Then drop every packet in the same subnet (your 192.168.88.1 would also be matched by the rule below, but before this rule you accepted your gateway packets, so this rule will not be applied to 192.168.88.1):

add action=drop chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.0/24

Also disabling the "Default forward" feature in your WLAN and setting ARP to reply-only will help you.

thank you Shayan, yes your filter is good, it is effective against IP scan software, but it is not effective against IP scan software that depends on ARP scanning.

maybe I have to add some settings to make this rule the best, like going to the DHCP server and checking the feature "add arp for leases"???????

Yes, but you should know that in a bridged network there is always a security issue; do not bridge unless you have to. Routed networks are more reliable and more secure, and you also have the firewall's power at L3!!
 
jarda
Forum Guru
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Mon Apr 04, 2016 8:24 am

What about using the bridge horizon to disable the communication between selected bridge ports, in a similar way to how disabled default forward does it for wifi clients?
 
nxs02
Member Candidate
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re:

Mon Apr 04, 2016 9:39 am

What about using the bridge horizon to disable the communication between selected bridge ports, in a similar way to how disabled default forward does it for wifi clients?

yes, it works...
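The thread's suggestions put together in one RouterOS v6 configuration: Shayan's IP firewall rules, the ARP reply-only and "add arp for leases" settings, default forwarding off on the WLAN, and the bridge horizon that nxs02 and jarda mention. This is an added example, not configuration posted by anyone in the thread; it assumes the interface names bridge1, wlan1, dhcp1 and vlan100 to vlan111, with the 192.168.88.0/24 range and 192.168.88.1 gateway from the thread.

```routeros
# Added example, not from the thread. Assumed names: bridge1, wlan1, dhcp1,
# vlan100..vlan111 under ether6; gateway 192.168.88.1, range 192.168.88.0/24.

# 1. Let bridged (L2) traffic be inspected by /ip firewall at all.
#    Without this the forward chain never sees client-to-client frames.
/interface bridge settings set use-ip-firewall=yes

# 2. Shayan's rules. Order matters: the two accepts sit above the drop,
#    so the gateway address is excluded from the subnet-wide drop.
/ip firewall filter
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.88.1 \
    action=accept comment="clients to hotspot gateway"
add chain=forward src-address=192.168.88.1 dst-address=192.168.88.0/24 \
    action=accept comment="hotspot gateway to clients"
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.88.0/24 \
    action=drop comment="isolate clients from each other (IP only)"

# 3. The drop above is an L3 rule; ARP is not IP, so an ARP-based scanner
#    still sees every host. Make the router answer ARP only for addresses it
#    leased and stop learning ARP from the wire. A client with a static IP
#    then loses connectivity unless it gets a static ARP entry.
/interface bridge set bridge1 arp=reply-only
/ip dhcp-server set dhcp1 add-arp-for-leases=yes

# 4. Wireless clients on the same AP: stop the AP forwarding between them.
/interface wireless set wlan1 default-forwarding=no

# 5. Wired/VLAN clients: bridge ports that share a horizon value cannot
#    forward to each other at L2 (ARP included) but still reach the router.
#    ether6 itself (the trunk) is left at the default horizon.
/interface bridge port set [find interface~"^vlan"] horizon=1
/interface bridge port set [find interface="wlan1"] horizon=1
```

After applying, `/ip firewall filter print stats` and `/ip arp print` show whether the drop rule is counting client-to-client packets and whether only leased addresses appear in the ARP table.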
 
marcelofares
Member Candidate
Member Candidate
Posts: 129
Joined: Tue Mar 03, 2015 2:26 pm

Re: bridge filters for prevent clients from seeing ip and mac ?

Tue Jan 17, 2017 6:27 pm

Hi,
why don't you use IPs??

In Bridge/Setting, enable Use IP Firewall.

Then in IP/Firewall add a simple rule which drops packets from the same subnet that the clients are in!

For example, drop forwarded packets from 192.168.200.0/24 to 192.168.200.0/24.

thanks Shayan very much

so do I have to delete my filter and write your rule? or do I have to keep my filter?

do you mean that the rule you gave will prevent clients from seeing IP and MAC addresses in my network?

if you don't mind, would you write your rule, because I am not very good at networking

by the way, my range is 192.168.88.0/24

Assume your hotspot gateway is 192.168.88.1

You should allow your clients to communicate with their gateway with these 2 rules:

add chain=forward dst-address=192.168.88.1 src-address=192.168.88.0/24
add chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.1

Then drop every packet in the same subnet (your 192.168.88.1 would also be matched by the rule below, but before this rule you accepted your gateway packets, so this rule will not be applied to 192.168.88.1):

add action=drop chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.0/24

Also disabling the "Default forward" feature in your WLAN and setting ARP to reply-only will help you.

This rule did not work on my infrastructure. I'm just looking for that.
I would like to protect and deny that an already authenticated client performs internal network scanning (ipscan).
