aslanbdb
just joined
Topic Author
Posts: 12
Joined: Sat Oct 03, 2015 9:49 pm
Location: Germany

Looking for a simple Firewall filter rules for giving the internet access to the known MAC addresses

Sat Jun 08, 2019 11:47 pm

Hello,
I'm looking for simple firewall filter rules for giving internet access to known MAC addresses, so that all the connected MAC addresses will not have internet access until I add them to the firewall filter. Thanks in advance.
 
Jotne
Forum Guru
Posts: 1060
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Looking for a simple Firewall filter rules for giving the internet access to the known MAC addresses

Sun Jun 09, 2019 12:31 am

 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
aslanbdb
just joined
Topic Author
Posts: 12
Joined: Sat Oct 03, 2015 9:49 pm
Location: Germany

Re: Looking for a simple Firewall filter rules for giving the internet access to the known MAC addresses

Sun Jun 09, 2019 7:41 am

Thanks for your reply, but I don't want to use the ARP reply-only service, because sometimes it makes multiple ARP and then that will mess up the board. It also reduces the transfer rate because of the low CPU frequency :(
 
Jotne
Forum Guru
Posts: 1060
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Looking for a simple Firewall filter rules for giving the internet access to the known MAC addresses

Sun Jun 09, 2019 8:34 am

You can use static DHCP (convert all lease to static) and block by IP.
 
 
 
aslanbdb
just joined
Topic Author
Posts: 12
Joined: Sat Oct 03, 2015 9:49 pm
Location: Germany

Re: Looking for a simple Firewall filter rules for giving the internet access to the known MAC addresses

Mon Jun 10, 2019 4:01 am

> You can use static DHCP (convert all lease to static) and block by IP.

Great idea, thanks, but actually it's a bit easy to find out the IPs. I'm not sure, but I saw somewhere that people use simple firewall rules to allow internet for specific MACs, and unrecognized MACs automatically get denied by the filter, the same way MAC filtering works on normal routers.
 
Jotne
Forum Guru
Posts: 1060
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Looking for a simple Firewall filter rules for giving the internet access to the known MAC addresses

Mon Jun 10, 2019 9:58 am

Here is the script I use on my DHCP server (DHCP lease script).
It converts all DHCP leases to static leases and logs a message.
# Created Jotne 2019 v1.2
#
# This script converts all DHCP leases to static ones automatically
# It should run on all RouterOS versions
#
# Install it as the lease script of the DHCP server (/ip dhcp-server set <name> lease-script=...).
# The server passes $leaseBound, $leaseActMAC, $leaseActIP and $leaseServerName to it.

# Test if this is a bound event and the lease is a dynamic one. Do not change older reservations
:if (($leaseBound=1) && ([/ip dhcp-server lease find where dynamic mac-address=$leaseActMAC]!="")) do={

    # Get the lease id
    :local Lease [/ip dhcp-server lease find where mac-address=$leaseActMAC]

    # Get date and time
    :local date [/system clock get date]
    :local time [/system clock get time]

    # Make the lease static
    /ip dhcp-server lease make-static $Lease

    # Add date and time as a comment to show when the client was first seen
    /ip dhcp-server lease comment comment="$date $time" $Lease

    # Send a message to the log
    :log info message="script=dhcp_static server=$leaseServerName IP=$leaseActIP MAC=$leaseActMAC"
}
 
 
 
sindy
Forum Guru
Posts: 3287
Joined: Mon Dec 04, 2017 9:19 pm

Re: Looking for a simple Firewall filter rules for giving the internet access to the known MAC addresses

Mon Jun 10, 2019 1:01 pm

> You can use static DHCP (convert all lease to static) and block by IP.

> great idea, thnx.. but actually it's a bit easy to find out the IPs ... i'm not sure but i saw somewhere people use simple firewall rules to allow internet for specific MAC... unrecognized MAC automatically get deny from filter... like the same way filter mac works on normal routers...

You can set arp=reply-only on the interface to which the clients are connected, and set the DHCP server to add local ARP records for the leased IPs along with the lease. This way, the client must first get a DHCP lease (so it must have (or spoof, if he knows it!) a proper MAC address to get a static lease with an IP from the permitted range), and only then will the MikroTik send anything back to it, as it will not send ARP requests. So the client can spoof its own IP to match the permitted range and send a packet to the internet, but the response will never reach it.

Another way is to use /interface bridge filter instead of or together with /ip firewall filter. To do that, it is necessary that the clients are connected to a bridge, even if that bridge should have just a single slave port. Then, you can either directly drop ingress frames carrying IP packets by src-mac-address and (IP) dst-address after first permitting frames from the same src-mac-address to allowed ranges of dst-address, or you may assign packet-mark to them and use matching on that packet-mark in /ip firewall filter.

If the client manages to guess/sniff a correct MAC address, you're helpless unless you implement 802.1X on the bridge ports (which is currently only available in the beta/RC channel); in that case, he'll have to guess/sniff the authentication username and password instead, but unlike the MAC address, these can be changed for the legal users if they leak.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
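The two mechanisms sindy describes (arp=reply-only with DHCP-managed ARP entries, and a bridge filter that marks frames from unknown MACs so /ip firewall filter can drop them on the way to the WAN) as one added configuration example; this is not from the thread or from MikroTik. It assumes a bridge named bridge-lan for the LAN ports, ether1 as WAN, a DHCP server named dhcp-lan, and constructed placeholder MAC addresses; it also assumes a packet mark set in the bridge input chain is visible to /ip firewall filter.

```routeros
# Added example, not from the thread. Assumed names: bridge-lan, ether1 (WAN), dhcp-lan.

# 1. Only answer ARP for addresses the DHCP server has handed out.
#    With arp=reply-only the router never sends ARP requests itself, so a client that
#    configured an IP by hand gets no replies back (sindy's first suggestion).
/interface bridge set [find name=bridge-lan] arp=reply-only
/ip dhcp-server set [find name=dhcp-lan] add-arp=yes

# 2. Bridge filter on frames arriving from LAN ports that are addressed to the router
#    (chain=input is the path routed traffic takes). Known MACs are accepted unmarked;
#    every other IP frame gets the packet mark "unknown-mac".
#    The MAC values below are constructed placeholders, not real devices.
/interface bridge filter
add chain=input in-bridge=bridge-lan mac-protocol=ip src-mac-address=02:00:00:00:00:01/FF:FF:FF:FF:FF:FF \
    action=accept comment="allowed: laptop (placeholder MAC)"
add chain=input in-bridge=bridge-lan mac-protocol=ip src-mac-address=02:00:00:00:00:02/FF:FF:FF:FF:FF:FF \
    action=accept comment="allowed: phone (placeholder MAC)"
add chain=input in-bridge=bridge-lan mac-protocol=ip action=mark-packet new-packet-mark=unknown-mac \
    passthrough=no comment="everything else: mark for the IP firewall"

# 3. IP firewall: marked packets may still talk to the LAN and to the DHCP server,
#    but are dropped when they would be forwarded out the WAN interface.
/ip firewall filter
add chain=forward out-interface=ether1 packet-mark=unknown-mac action=drop \
    comment="no internet for unknown MAC addresses"
```

A new device is admitted by adding one more accept rule above the mark-packet rule; as sindy notes, this still falls to a client that copies an allowed MAC, which only 802.1X on the bridge ports addresses.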
 
Jotne
Forum Guru
Posts: 1060
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Looking for a simple Firewall filter rules for giving the internet access to the known MAC addresses  [SOLVED]

Mon Jun 10, 2019 2:16 pm

> in that case, he'll have to guess/sniff the authentication username and password instead, but unlike the MAC address, these can be changed for the legal users if they leak.

If I am not wrong, the 802.1X communication is encrypted, so seeing the username and password should be hard. This can even be combined with a digital certificate.
 
 
