larmaid
Member Candidate
Topic Author
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

reply-only problem...

Sat Feb 24, 2007 11:08 pm

Hi all,
I have this configuration on my MikroTik machine:
ether1 = reply-only (local)
ether2 = reply-only (local)
ether3 = enabled (local)
all in one bridge = enabled (192.168.10.2)

What I want to achieve is:
1. All the computers that connect through ether1 and ether2 must have their IP and MAC entered in the ARP table.
2. All the computers that connect through ether3 do not need their IP and MAC entered in the ARP table.

Can MikroTik do this?
Last edited by larmaid on Sun Feb 25, 2007 10:09 pm, edited 1 time in total.
i like it
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sat Feb 24, 2007 11:30 pm

If you have ether1, ether2 and ether3 joined into a bridge, then you should assign the IP address to the bridge interface and not assign any IP addresses to the physical ports ether1, ether2, ether3.
Because all ARP-related settings are only relevant for interfaces that have an IP address assigned (without IP there is no need for ARP on an interface), and the IP address should be on the bridge interface, you will only be able to configure the ARP behaviour on the bridge interface. It does not matter what you configure for ARP on ether1, ether2, ether3, as it will never be used anyway.

--Tom
 
samsoft08
Long time Member
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Sun Feb 25, 2007 9:26 pm

Cool, so you may be able to answer this question, which has still not been answered by anyone yet:

ARP table:
user1 192.168.1.100 mac 11:11:11:11:11:11
user2 192.168.1.101 mac 22:22:22:22:22:22

Can any intruder get in by setting his parameters like this:

192.168.1.101 mac 11:11:11:11:11:11

??
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sun Feb 25, 2007 9:54 pm

samsoft08 wrote:
    Can any intruder get in by setting his parameters like this:
    192.168.1.101 mac 11:11:11:11:11:11

On a hotspot? Or on a plain IP interface?

--Tom
 
larmaid
Member Candidate
Topic Author
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Sun Feb 25, 2007 10:13 pm

@tneumann sorry, I forgot to mention the IPs.
OK, here are the IPs:
ether1 = no IP
ether2 = no IP
ether3 = no IP
bridge1 = 192.168.10.2/16

So, can MikroTik do this?
i like it
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sun Feb 25, 2007 10:28 pm

larmaid,

Your IP setup looks OK with the IP address on the bridge interface and no IP addresses on the ether interfaces, but please recall what I already wrote: ARP has no meaning on interfaces that do not have IP configured. That alone practically answers your question: as there are no IP addresses on ether1, ether2, ether3, why do you think you would be able to influence anything by configuring ARP modes on these interfaces?

OK, back to your original question: the short answer is no, you cannot do this.

The longer answer is maybe you can, but just not by playing with the ARP modes on the ether interfaces. You can try to configure bridge filter rules that specifically filter ARP requests and/or replies that go to/originate from the bridge, and these filter rules may take the bridge port (ether1, ether2, ether3) into account when deciding what to drop and what to pass. But this is an ugly design, IMHO.

--Tom
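As an added example (not from the thread and not MikroTik's own documentation), the RouterOS configuration that follows from tneumann's two answers: the IP and the ARP mode belong to the bridge, so the static entries are bound to bridge1 rather than to ether1/ether2, and any per-port distinction has to come from bridge filter rules on the input chain. The names bridge1 and ether1-ether3, the 192.168.10.0/16 range from the thread, and the host addresses and MAC addresses are assumptions; the bridge filter ARP matchers used here are the ones RouterOS documents for `/interface bridge filter`, and their availability depends on the RouterOS version in use.

```routeros
# Assumed layout: bridge1 with ports ether1..ether3, one known host behind
# each of the restricted ports. Addresses and MACs are constructed.

# Step 1: IP only on the bridge, nothing on the ports (tneumann's point).
/interface bridge add name=bridge1 arp=enabled
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/ip address add address=192.168.10.2/16 interface=bridge1

# Step 2: static IP/MAC pairs for the hosts behind ether1 and ether2.
# They must reference the interface that carries the IP, i.e. bridge1;
# arp=reply-only on ether1 itself is never consulted.
/ip arp add address=192.168.10.11 mac-address=00:11:22:33:44:01 interface=bridge1 comment="host behind ether1"
/ip arp add address=192.168.10.12 mac-address=00:11:22:33:44:02 interface=bridge1 comment="host behind ether2"

# Strict variant: reply-only on the bridge. Simple, but it covers every
# port, so ether3 hosts would also need static entries (what larmaid did
# not want). Shown for comparison, left disabled:
#   /interface bridge set bridge1 arp=reply-only

# Step 3 (the "ugly design"): keep arp=enabled on the bridge so ether3 is
# learned dynamically, and drop ARP that reaches the router itself (chain
# input) from ether1/ether2 unless it carries the expected IP/MAC pair.
# Without these frames the bridge cannot learn any other pair from those ports.
/interface bridge filter
add chain=input in-interface=ether1 mac-protocol=arp \
    arp-src-address=192.168.10.11/32 arp-src-mac-address=00:11:22:33:44:01 action=accept
add chain=input in-interface=ether1 mac-protocol=arp action=drop
add chain=input in-interface=ether2 mac-protocol=arp \
    arp-src-address=192.168.10.12/32 arp-src-mac-address=00:11:22:33:44:02 action=accept
add chain=input in-interface=ether2 mac-protocol=arp action=drop
# ether3: no rule, so its ARP is accepted and entries are learned dynamically.

# Check: dynamic entries on bridge1 should only belong to ether3 hosts.
/ip arp print where dynamic
```

Two caveats a practitioner should keep in mind. The filter blocks a host on ether1 that claims a different IP or MAC than the static pair, but it cannot tell apart a host that copies both the IP and the MAC of the legitimate pair; the router sees the same frame either way. And each additional host on a restricted port needs its own accept rule, which is why tneumann calls the design ugly.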
 
samsoft08
Long time Member
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Mon Feb 26, 2007 2:55 am

tneumann, in a DHCP server.
 
jwcn
Forum Guru
Posts: 1501
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Mon Feb 26, 2007 4:41 am

Samsoft,

Your question has been answered and answered and answered yet again. Stop wasting our time by asking it.

Get a MT Access Point!

Stop posting the question which has been locked at least TWICE now!
 
jwcn
Forum Guru
Posts: 1501
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Tue Feb 27, 2007 2:08 pm

For you I will answer yet AGAIN.

Switch to Mikrotik AP's and come back when you have.
 
normis
MikroTik Support
Posts: 24608
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Tue Feb 27, 2007 2:14 pm

samsoft, if you don't like getting banned, please stop using rude language, and prove your point when making statements about something.

Saying "this is bad, don't use it" will not help anyone, especially if you haven't used it yourself.

And once more: you are asking us to fix a feature on your 'other brand AP'? I don't understand what you want. If we have misunderstood your problem, please clarify it.
 
samsoft08
Long time Member
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Tue Feb 27, 2007 7:18 pm

Well, I don't know what language I have to use? English, Arabic... because I don't know other languages.

What other brand AP are you talking about?

Many ISPs and I (forget wireless) have tested the reply-only feature and found that it can be fooled. Why is that?
This is what we (not only me) want to know: why is reply-only not working?
What I know from the manual is that a specific MAC address has to get a specific IP address. HOW could another MAC take another IP from the list?

Do you really not understand me? Or are you just defending your MT? I don't think I'm talking in mysteries; it's so clear, and many other ISPs tested it and found that it's not protecting anything.

Besides, I gave you an example above.

You cannot force me to use any kind of hardware. I selected MT because I thought it was very powerful in security, but WE found that the MT hotspot is a joke; a tiny little mean piece of software like NET-CUT can break it! Can you believe that? And you cannot do anything except threaten me with being banned!
I don't know if banning me would solve this problem?
It's not a civilized or scientific way to talk, and your regular daily answers ("read the manual!", "send it to support!") would not solve the problem.

In the end, just try it yourself and tell me if it's working.
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Wed Feb 28, 2007 8:58 am

1) What exactly does not work for 'reply-only'?
Reply-only binds a specific IP address to a MAC address; the static table is used to serve clients. A MAC/IP user cannot pass data through the router if the MAC/IP pair is not in the list.
If another user has taken the same IP address and MAC address configuration, the router (forget about HotSpot or anything else) is not able to determine which one of them is the correct user and which one uses the stolen IP and MAC address.

2) To solve your problem for an Ethernet network (if we are not talking about wireless):
Firstly, you can use managed switches that allow you to set MAC-address restrictions per port. In other words, this means that user A with MAC address xx:xx:xx:xx:xx:xx is able to forward data only over a specific port (when the appropriate configuration is used).
If you do not have the opportunity to use managed switches, use a PPPoE server:
do not assign an IP address to the local interface; every user then requires a PPPoE client configuration (login/password).

3) If security is important for your non-wireless network, then use PPPoE or managed switches. Otherwise some users will be able to take another user's MAC/IP address and use it. It is not a MikroTik security issue, since it is a router.
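The two configurations sergejs contrasts, as an added example that is not part of the thread and not MikroTik's own documentation: part (a) is the reply-only binding on a plain customer-facing interface, using samsoft08's two users from above, and part (b) replaces it with the PPPoE server he recommends, with no IP address left on the local interface. The interface name ether2, the 192.168.1.0/24 and 10.10.0.0/24 ranges, the pool, profile and secret names, and the passwords are assumptions; the user MAC addresses are the constructed ones from samsoft08's post.

```routeros
# Assumed: ether2 faces the customer LAN. Addresses, names and passwords are constructed.

# (a) Reply-only binding. The router answers ARP and keeps an entry only for
# pairs in the static table. A host using IP1 with MAC2 (samsoft08's question)
# matches no entry and is refused. A host using IP1 with MAC1, the exact clone
# sergejs describes, is indistinguishable from user1 at this layer.
/ip address add address=192.168.1.1/24 interface=ether2
/ip arp add address=192.168.1.100 mac-address=11:11:11:11:11:11 interface=ether2 comment=user1
/ip arp add address=192.168.1.101 mac-address=22:22:22:22:22:22 interface=ether2 comment=user2
/interface ethernet set ether2 arp=reply-only

# (b) Replacement: PPPoE, no IP on the local interface. There is no shared
# subnet to join and no IP/MAC pair to copy; a session needs a login.
/ip address remove [find interface=ether2]
/interface ethernet set ether2 arp=enabled
/ip pool add name=pppoe-pool ranges=10.10.0.2-10.10.0.254
/ppp profile add name=pppoe-profile local-address=10.10.0.1 remote-address=pppoe-pool
# Optional hardening: caller-id on a PPPoE secret is the client MAC, so a
# login can additionally be tied to the MAC it was issued to.
/ppp secret add name=user1 password=ChangeMe-1 service=pppoe profile=pppoe-profile caller-id=11:11:11:11:11:11
/ppp secret add name=user2 password=ChangeMe-2 service=pppoe profile=pppoe-profile caller-id=22:22:22:22:22:22
/interface pppoe-server server add service-name=isp interface=ether2 \
    default-profile=pppoe-profile authentication=mschap2 one-session-per-host=yes disabled=no

# Check: active sessions are identified by credentials, not by an ARP pair.
/ppp active print
```

The point of (b) is the one sergejs makes: once the local interface has no IP, the router no longer has any IP/MAC table for an intruder to impersonate, and a copied MAC only buys a PPPoE discovery exchange that fails at authentication. The managed-switch alternative he mentions (one permitted MAC per port) is configured on the switch and is not shown here.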
 
samsoft08
Long time Member
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Thu Mar 01, 2007 2:12 am

In the static ARP list:
IP1 for MAC1
IP2 for MAC2

If someone gets IP1 with MAC2, can he get in?
 
samsoft08
Long time Member
Posts: 617
Joined: Sat Nov 26, 2005 10:52 pm

Thu Mar 01, 2007 2:13 am

Note that IP1 is not bound to MAC2 in the list.
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Mar 01, 2007 7:38 am

No, the client should not 'get in' if the interface the user is connected to has 'reply-only'.
If your users are able to 'get in', make sure the latest version of RouterOS is used and contact support (support@mikrotik.com) with the support output file attached and a description of your problem.
