Community discussions

 
Znuff
Member Candidate
Member Candidate
Topic Author
Posts: 139
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Restriction by MAC

Wed Sep 27, 2006 5:37 am

Hello.

I know this thing has been posted, but I feel like I've got a special situation:

I need to create a "WhiteList" for people that are allowed to acces the internet on the MT. I'm only using it as a LAN station, so no Wireless involved. I've been trying numerous solutions...

I can't mark the packages, because that ruins the bandwidth limiting by country (http://wiki.mikrotik.com/wiki/How_to_ap ... as_traffic).
I need something MORE than the hotspot method that redirects the clients to the hotspots login page, because that still allows access to IRC and other services... and it's more like a black list =/

I've tried some other way to block their acces, but if I cut everything, the transparent proxy still remains in place and customers can still get access.

So, is there a solution for me? and I want to use Transparent Proxy, Different Limits for Local/Overseas, and to be able to block client's acess completely.

Thanks
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Wed Sep 27, 2006 8:23 am

Static ARP table can help you for secure network access.
Set 'arp=reply-only' to local interface (interface users are connected to), add IP MAC addresses pairs to '/ip arp'. Only users from '/ip arp' will be able to access outer networks.
What do you mean by 'I can't mark the packages, because that ruins the bandwidth limiting by country' ?
Anyway mangle is required if you want to apply limits for the different type of traffic.
 
Znuff
Member Candidate
Member Candidate
Topic Author
Posts: 139
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Wed Sep 27, 2006 7:16 pm

well, first I tried to block everything in forward that is not marked with "allowed". but if I mark packages that way, bandwidth limiting doesn't work anymore, because it overrides the previously "local" / "external" traffic marks.

I can't use the ARP table because I use dhcp with dynamic leases (currently I only have a /25 and I've got almost 130 clients and I'm still waiting for my /24 - damn isp!)

Any other solution?
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6615
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Thu Sep 28, 2006 8:05 am

1) You may use static leases for the DHCP users, and than ARP table.

2) If you don't want static leases, than create firewall filter rules to accept data from desired MACs,
'/ip firewall filter add chain=forward src-mac-address=XX:XX:XX:XX:XX action=accept', drop should be at the end.
 
Znuff
Member Candidate
Member Candidate
Topic Author
Posts: 139
Joined: Tue Sep 26, 2006 2:42 am
Contact:

Mon Oct 02, 2006 4:11 am

I tried using DHCP leases. I added every client, bla, bla... I set arp to reply-only and clients are still able to access the internet and ping the local mikrotik server...

How's that? =/

I've got enabled the following "tricks":
http://wiki.mikrotik.com/wiki/How_to_Block_Customer
http://wiki.mikrotik.com/wiki/How_to_se ... _using_ARP
http://wiki.mikrotik.com/wiki/How_to_ap ... as_traffic

And transparent proxy.

Here's the output of
interface ethernet> print
Flags: X - disabled, R - running 
 #    NAME                                                                               MTU   MAC-ADDRESS       ARP       
 0  R internet                                                                           1500  00:0A:CD:07:12:AE enabled   
 1  R lan                                                                                1500  00:90:27:A8:17:70 reply-only
the DHCPD server is set not to add arp entries in the table:
ip dhcp-server> print
Flags: X - disabled, I - invalid 
 #   NAME                                                         INTERFACE RELAY           ADDRESS-POOL LEASE-TIME ADD-ARP
 0   N-Zone                                                    lan                       n-zone       6h        
How do I set the DHCPD server not to give dynamic ips? how can I make it reply only static?

The FORWARD method doesn't work, if I add DROP, it just drops everything, even if I added a rule that accepts the specified macs before dropping...

I'm in the state that I can't actually do anything to prevent other users to connect to my network without knowing... and some clients could just change their mac address and get connected with another IP addres.. =/

Also, I mention that I have a running Fileserver on the network (Samba) that also acts as a WINS, DNS, http, ftp server.

EDIT: Seems that HOTSPOT is doing me this... if I disable the Bypass rule, I get the normal behaviour of arp... how can I fix this?
I still want to keep the hotspot feature so I can notify clients they didn't pay...

I'm willing to try another to redirect users to a local running webserver if they don't pay... I tried it but I didn't have too much success =/

Who is online

Users browsing this forum: MSN [Bot] and 89 guests