vetusa2
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 18, 2011 8:24 pm

Question for Mikrotik team & a new way of thinking

Sun Oct 16, 2016 2:59 pm

hello rulers of Mikrotik planet

just wondering here if there is a method or script to block any range of mac addresses by vendors

let's say I want to block all tp-link or all d-link or all belkin MAC addresses to lower the risk of anyone connecting with these devices to my network, is it possible?

can it be possible to let the MikroTik server block any MAC that starts with number 64 and allow all the rest?
 
vetusa2
Member Candidate
Topic Author
Posts: 122
Joined: Sat Jun 18, 2011 8:24 pm

Re: Question for Mikrotik team & a new way of thinking

Mon Oct 17, 2016 2:03 am

help please !
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Re: Question for Mikrotik team & a new way of thinking

Mon Oct 17, 2016 7:49 am

What real mass usage could it have? Especially when almost all operating systems allow changing the MAC address freely...
 
Lakis
Forum Veteran
Posts: 701
Joined: Wed Sep 23, 2009 7:52 pm

Re: Question for Mikrotik team & a new way of thinking

Mon Oct 17, 2016 12:04 pm

vetusa2 wrote:
> hello rulers of Mikrotik planet
>
> just wondering here if there is a method or script to block any range of mac addresses by vendors
>
> let's say I want to block all tp-link or all d-link or all belkin MAC addresses to lower the risk of anyone connecting with these devices to my network, is it possible?
>
> can it be possible to let the MikroTik server block any MAC that starts with number 64 and allow all the rest?

Also, tp-link, d-link and belkin MAC addresses can be changed; there is a clone MAC option.
 
lz1dsb
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Question for Mikrotik team & a new way of thinking

Mon Oct 17, 2016 12:07 pm

I don't think you need to write elaborate scripts to achieve that. The menu
/interface bridge filter

has the option to configure a filter based on source and destination MAC address, and you also have a mask option, so you should be able to filter specific OUIs, and hence filter the source Ethernet frames from a specific vendor.
I personally haven't used any filtering on L2 on the RouterOS platform so far, though.


Regards,
Boyan
 
Lakis
Forum Veteran
Posts: 701
Joined: Wed Sep 23, 2009 7:52 pm

Re: Question for Mikrotik team & a new way of thinking

Mon Oct 17, 2016 12:12 pm

lz1dsb wrote:
> I don't think you need to write elaborate scripts to achieve that. The menu
> /interface bridge filter
>
> has the option to configure a filter based on source and destination MAC address, and you also have a mask option, so you should be able to filter specific OUIs, and hence filter the source Ethernet frames from a specific vendor.
> I personally haven't used any filtering on L2 on the RouterOS platform so far, though.
>
> Regards,
> Boyan

Yes, it's possible, but there's no point in that.
 
lz1dsb
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Question for Mikrotik team & a new way of thinking

Mon Oct 17, 2016 12:20 pm

Yes Lakis,
I agree. That's the reason why basing your security policies only on MAC address information is not a good idea, as it could be overcome easily :)
But if the author of this thread would like to apply that for a network with a bulk of clients, most of them non-managed, this is a way of doing it. It's not scalable, but who knows, in some situations it might just save the day :)
That's what I like about RouterOS: it's so diverse, there are so many things you could do, sometimes in a few different ways, that it's amazing...
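
Added example (not part of any post in this thread, and not MikroTik code): a Python model of the source-MAC-plus-mask match lz1dsb describes, which also flags locally administered addresses, where the first three octets say nothing about the vendor and an OUI rule therefore cannot classify the device. The `MAC/mask` rule notation, the reading of "starts with 64" as a first octet of hex 64, and every address below are assumptions or constructed values.

```python
# Added example: models a source-MAC match with a mask, as a bridge filter would apply it.
# The "MAC/mask" rule notation and all addresses below are constructed for illustration.

def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (':' or '-' separated) into a 48-bit integer."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(parts), 16)

def parse_rule(rule: str):
    """Split 'MAC/mask' into (value, mask); a missing mask means exact match."""
    addr, _, mask = rule.partition("/")
    m = mac_to_int(mask) if mask else (1 << 48) - 1
    return mac_to_int(addr) & m, m

def matches(src_mac: str, rule: str) -> bool:
    """True when the masked source MAC equals the masked rule address."""
    value, mask = parse_rule(rule)
    return mac_to_int(src_mac) & mask == value

def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of the first octet) set: the prefix is not a vendor OUI."""
    return bool((mac_to_int(mac) >> 40) & 0x02)

def classify(src_mac: str, drop_rules) -> str:
    """Return 'drop', 'accept', or 'accept-unattributable' (no vendor info in the MAC)."""
    if any(matches(src_mac, r) for r in drop_rules):
        return "drop"
    if is_locally_administered(src_mac):
        return "accept-unattributable"
    return "accept"

DROP_RULES = [
    "64:00:00:00:00:00/FF:00:00:00:00:00",  # first octet 64 (assumed hex), as asked in the thread
    "00:11:22:00:00:00/FF:FF:FF:00:00:00",  # placeholder 24-bit prefix, not a vendor lookup
]

if __name__ == "__main__":
    for mac in ("64:A1:B2:C3:D4:E5", "00:11:22:33:44:55",
                "00:AA:BB:CC:DD:EE", "02:11:22:33:44:55"):
        print(mac, classify(mac, DROP_RULES))
```

The last sample address has the locally administered bit set, so it passes both drop rules and carries no vendor prefix to filter on, which is the limitation the replies above point out.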
