mshahid85
newbie
Topic Author
Posts: 31
Joined: Thu Mar 01, 2018 12:19 pm

MAC Address limitation

Mon Jul 29, 2019 12:38 pm

Hi,

I have another problem... I hope this forum will again help me :)

I am using a hEX lite MikroTik router and I want to block all MAC IDs except my internet IDs. Let me brief...

As you know about wireless MAC filtering: you enter a MAC ID, then you can join that network and use Wi-Fi; otherwise it blocks you from accessing the LAN or Wi-Fi. Just like that, I want to block every type of access to my LAN and internet without my permission, unless and until I enter that MAC ID, and then that person will be able to share files, printers etc. and use the internet.

I hope it is possible...

Thanks,

Regards,
M. Shahid
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: MAC Address limitation

Mon Jul 29, 2019 3:49 pm

Hi

I see two options:
* Disable ARP on the relevant interface: this will prevent unknown clients from accessing the router. This could mean no DNS/DHCP/... But it's not "air-tight": a client could configure a static IP. Furthermore, the client will still be able to contact other clients on the same subnet over unmanaged switches.
* Dot1x: protects the network as a whole, but much more work / requirements to set up
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: MAC Address limitation

Mon Jul 29, 2019 4:03 pm

I'd like to add the option of only using static DHCP leases with the "add arp for lease" option and setting the ARP mode of the LAN-facing interface to reply-only.
That at least blocks rogue clients from accessing the internet.
-Chris
 
mshahid85
newbie
Topic Author
Posts: 31
Joined: Thu Mar 01, 2018 12:19 pm

Re: MAC Address limitation

Wed Jul 31, 2019 7:48 am

It means there is no complete solution for me?? :(
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: MAC Address limitation

Wed Jul 31, 2019 8:13 am

Definitely the best solution is dot1x, as @sebastia mentioned. When your switches support it as well, you're close to 100% secure.
-Chris
 
pe1chl
Forum Guru
Posts: 10240
Joined: Mon Jun 08, 2015 12:09 pm

Re: MAC Address limitation

Wed Jul 31, 2019 12:38 pm

Any good switch for business use will offer port access control using MAC addresses and a RADIUS server.
It does not require additional device support like dot1x.
Just configure a RADIUS server with the list of MAC addresses you want to allow, and set up the port access control in the switches (for the ports where you need this).
You can even configure a VLAN with the MAC addresses in the RADIUS server, and an unauth-VLAN in the switches, so all the equipment you plug into the ports that has been preconfigured in the RADIUS db ends up in the correct VLAN (you can have your computers, servers, printers etc. in different VLANs and route between them), while all unrecognized equipment ends up on a VLAN where it has internet access but no access to your local servers (for the external workers who plug their own laptop into your network and whom you want to give internet only).

Now, the tricky question of course is: does MikroTik sell any good switches?
 
mshahid85
newbie
Topic Author
Posts: 31
Joined: Thu Mar 01, 2018 12:19 pm

Re: MAC Address limitation

Sat Aug 03, 2019 10:40 am

Hmmmm, it means there is no simple way as per all your discussion; simple in the sense that you just configure a command on the terminal or a few firewall rules and it's done... but it's not possible... :(
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: MAC Address limitation

Sat Aug 03, 2019 1:21 pm

What @cdiedrich has proposed can be described in more detail; maybe you have missed it?
  • set add-arp=yes on all DHCP servers
  • make all the current DHCP leases which you recognize (most importantly, the PC from which you configure the machine) static
  • make the address-range of all ip pool items used by DHCP servers incompatible with the subnets attached to the interfaces on which the DHCP servers are listening
  • set arp=reply-only on all LAN interfaces to which IP configuration is attached
With this setup,
  • when a known device connects, it will get a DHCP lease with a fixed IP address from the correct subnet, and the mapping between its IP address and its MAC address will get stored in the ARP table, so it will be able to communicate bidirectionally
  • when an unknown device connects and asks for an address using DHCP, it will get one, but not from any of the subnets, so it won't get any response packets. But this allows you to add new devices to the whitelist by making these leases static and changing the IP address in them
  • when an unknown device connects and manually sets up an address from the proper subnet, it won't get any response packets, because its MAC address won't be stored in the ARP table and MikroTik won't use ARP to determine it.
However, all the above can be outsmarted by changing the MAC address of the "alien" device to one of those for which a static lease exists, just like any other access control method which is based on an authentication factor that can be intercepted and spoofed because it traverses the network in plaintext (i.e. not encrypted).

802.1X requires that the client knows a secret which is not sent in plaintext, so it cannot be found by just connecting to your switch and sniffing the broadcast traffic for a while, which is how an attacker can easily identify whitelisted MAC addresses. And the secret is individual per client, so by sharing it with friends, the client risks that he'll be unable to connect himself.

So 802.1X is the way to go, but MikroTik has only got halfway so far (yet thanks for at least that after all those years!): it can talk to the connected devices and control the ports using 802.1X, but its embedded RADIUS server (the User Manager) doesn't support EAP yet, so you need an external one at the moment.
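The four steps @sindy lists, written out as RouterOS terminal commands in the order they must be applied. This is an added example, not configuration posted by anyone in the thread; the names bridge-lan, dhcp-lan and pool-lan, the 192.168.88.0/24 LAN, the 10.99.99.0/24 "parking" range and the MAC addresses are assumed or constructed placeholders.

```routeros
# Added example (not from the thread): whitelist-by-static-lease on RouterOS.
# Names, subnets and MAC addresses below are placeholders; adjust to your router.

# Step 1: register an ARP entry for every lease this DHCP server hands out.
/ip dhcp-server set dhcp-lan add-arp=yes

# Step 2: convert the leases you recognise to static ones. Do the PC you are
# configuring from FIRST, otherwise step 4 locks you out. Both MACs are
# constructed placeholders.
/ip dhcp-server lease make-static [find mac-address="AA:BB:CC:11:22:33"]
/ip dhcp-server lease make-static [find mac-address="AA:BB:CC:44:55:66"]
# Only if you have checked that the current lease list is exactly your devices:
# /ip dhcp-server lease make-static [find dynamic=yes]

# Step 3: move the dynamic pool to a range that is NOT part of the LAN subnet
# (192.168.88.0/24 here). Unknown devices still get a lease, so you can see
# them and whitelist them later, but nothing routes back to 10.99.99.x.
#   weak (default) setting:  ranges=192.168.88.10-192.168.88.254
/ip pool set pool-lan ranges=10.99.99.10-10.99.99.250

# Step 4: stop the LAN interface from learning MAC addresses via ARP requests.
# Only entries added by DHCP (step 1) or by hand remain usable.
#   weak (default) setting:  arp=enabled
/interface bridge set bridge-lan arp=reply-only

# Whitelisting a new device later: make its 10.99.99.x lease static, then give
# it a real LAN address. A static lease may lie outside the pool's range.
/ip dhcp-server lease make-static [find mac-address="AA:BB:CC:77:88:99"]
/ip dhcp-server lease set [find mac-address="AA:BB:CC:77:88:99"] address=192.168.88.50

# Checks: any dynamic lease is an unknown device (it will sit in 10.99.99.x),
# and only whitelisted devices should appear in the ARP table of bridge-lan.
/ip dhcp-server lease print where dynamic=yes
/ip arp print where interface=bridge-lan
```

As the post above notes, this still trusts the MAC address, so a device cloning a whitelisted MAC passes the check; the dynamic-lease listing is the place to spot unexpected newcomers.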
