Community discussions

 
mshahid85
newbie
Topic Author
Posts: 26
Joined: Thu Mar 01, 2018 12:19 pm

MAC Address limitation

Mon Jul 29, 2019 12:38 pm

Hi,

i have another problem,,, i hope this form will again help me :)

i am using hexa lite Mikrotik router and i wanna block all MAC ID except my internet IDs. Let me brief,,,,,

as you know about wireless MAC filtering, you will enter MAC ID then you will enter that network and use wifi otherwise it will block you to access LAN or wifi.. same like that, i want to block all type of access to enter my LAN and internet without my permission. until unless i enter that MAC ID and then that person will be able to share file, printer or etc and internet.

i hope it is possible.......

Thanks,

Regards,,,,
M. Shahid
 
User avatar
sebastia
Forum Guru
Forum Guru
Posts: 1795
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: MAC Address limitation

Mon Jul 29, 2019 3:49 pm

Hi

I see two options:
* disable arp on the relevant interface: this will prevent unknown client from accessing router. This could mean no dns/dhcp/... But its not "air-tight", client could configure a static ip. Further client will still be able to contact other clients on same subnet., over unmanaged switches.
* Dot1x: protect network as a whole, but much more work / requirements to setup
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 928
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: MAC Address limitation

Mon Jul 29, 2019 4:03 pm

I'd like to add the option of only using static dhcp leases with "add arp for lease" option and setting the arp mode of the lan-facing interface to reply-only.
That at least blocks rogue clients from accessing the internet.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
mshahid85
newbie
Topic Author
Posts: 26
Joined: Thu Mar 01, 2018 12:19 pm

Re: MAC Address limitation

Wed Jul 31, 2019 7:48 am

its mean there is no complete solution for me?????????????? :(
 
User avatar
cdiedrich
Forum Veteran
Forum Veteran
Posts: 928
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany
Contact:

Re: MAC Address limitation

Wed Jul 31, 2019 8:13 am

The definitely best solution is dot1x as @sebastia mentioned. When your switches support it as well you're close to 100% secure.
-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
pe1chl
Forum Guru
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: MAC Address limitation

Wed Jul 31, 2019 12:38 pm

Any good switch for business use will offer port access control using MAC addresses and a RADIUS server.
It does not require additional device support like dot1x.
Just configure a RADIUS server with the list of MAC addresses you want to allow, and setup the port access control in the switches (for the ports where you need this).
You can even configure a VLAN with the MAC addresses in the RADIUS server, and an unauth-VLAN in the switches, so all the equipment you plug in the ports that has
been preconfigured in the RADIUS db ends up in the correct VLAN (you can have your computers, servers, printers etc in different VLAN and route between them) while
all unrecognized equipment ends up on a VLAN where it has internet access but no access to your local servers (for the external workers that plugin their own laptop to
your network and you want to give them internet only).

Now, the tricky question of course is: does MikroTik sell any good switches?
 
mshahid85
newbie
Topic Author
Posts: 26
Joined: Thu Mar 01, 2018 12:19 pm

Re: MAC Address limitation

Sat Aug 03, 2019 10:40 am

hmmmmm, its mean there is no simple way as per your all discussion, simple in way that just configure command on terminal or firewall and a few rules and its done.... but its not possible........................ :(
 
sindy
Forum Guru
Forum Guru
Posts: 4037
Joined: Mon Dec 04, 2017 9:19 pm

Re: MAC Address limitation

Sat Aug 03, 2019 1:21 pm

What @cdiedrich has proposed can be described more in detail, maybe you have missed it?
  • set add-arp=yes on all dhcp servers
  • make all the current dhcp leases which you recognize (most important, the PC from which you configure the machine) static
  • make the address-range of all ip pool items used by dhcp servers incompatible with the subnets attached to the interfaces on which the dhcp servers are listening
  • set arp=reply-only on all LAN interfaces to which IP configuration is attached
With this setup,
  • when a known device connects, it will get a dhcp lease with a fixed IP address from the correct subnet, and the mapping between its IP address and its MAC address will get stored in the arp table, so it will be able to communicate bidirectionally
  • when an unknown device connects and asks for an address using DHCP, it will get one but not from any of the subnets so it won't get any response packets. But this allows you to add new devices to the whitelist by making these leases static and changing the IP address in them
  • when an unknown device connects and manually sets up an address from the proper subnet, it won't get any response packets because its MAC address won't be stored in the arp table and Mikrotik won't use ARP to determine it.
However, all the above can be outsmarted by changing the MAC address of the "alien" device to one of those for which a static lease exists, same like any other access control method which is based on use of an authentication factor which can be intercepted and spoofed because it traverses the network in plaintext (i.e. not encrypted).

802.1X requires that the client knows a secret which is not sent in plaintext, so it cannot be found by just connecting to your switch and sniffing the broadcast traffic for a while - which is how the attacker can easily identify whitelisted MAC addresses. And the secret is individual per client so by sharing it with friends, the client risks that he'll be unable to connect himself.

So 802.1X is the way to go, but Mikrotik has only got halfway so far (yet thanks for at least that after all those years!) - it can talk to the connected devices and control the ports using 802.1X, but its embedded RADIUS server (the User Manager) doesn't support EAP yet, so you need an external one at the moment.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

Who is online

Users browsing this forum: MSN [Bot], nellson and 78 guests