mortin
newbie
Topic Author
Posts: 41
Joined: Wed Mar 09, 2005 9:54 pm

More secure DHCP Server.

Mon May 30, 2005 11:52 am

Hello everyone
My conf:
interface 1: DSL
interface 2: LAN
out-interface=dsl action=masquerade

I'm trying to make my LAN network more secure with the DHCP server.

I added to the firewall forward chain all my clients' src-macs with action=accept.
Example: src-mac-address=00:00:00:00:00:00 action=accept

The last rule in the firewall is: action=drop.

The above solution doesn't work :(
In the MikroTik docs I read that the order/sequence is valid in firewall chains.

Why doesn't it work?
Thank you for any suggestions!
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Mon May 30, 2005 12:12 pm

You haven't told us what doesn't work when you put these rules in. e.g. is all traffic blocked?

Did you specify an input interface for the rules based on source MAC address?

Regards

Andrew
 
mortin
newbie
Topic Author
Posts: 41
Joined: Wed Mar 09, 2005 9:54 pm

Mon May 30, 2005 12:25 pm

Hello
Thanks for the reply.

You haven't told us what doesn't work when you put these rules in. e.g. is all traffic blocked?
The last rule blocks all the forward traffic to users.

Did you specify an input interface for the rules based on source MAC address?
I don't get it. What do you mean by input interface? Input chain?
I put all rules in firewall forward chain with src-mac addresses of my clients.

Regards
Mortin
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Mon May 30, 2005 1:25 pm

Mortin

So, none of the MAC address rules are being matched and all traffic falls through to the final deny rule?

Are these wireless users? Access Points can modify the source MAC address.

You need to specify the Input Interface in each of your rules because the Forward chain applies to all traffic traversing the router. This will result in all traffic from the Internet interface being dropped as the source MAC address will not match.

e.g.

/ip firewall rule input
in-interface=Internal src-mac-address=00:00:00:00:00:01 action=accept

Regards

Andrew
 
mortin
newbie
Topic Author
Posts: 41
Joined: Wed Mar 09, 2005 9:54 pm

Mon May 30, 2005 1:51 pm

Thanks Andrew for the reply:
So, none of the MAC address rules are being matched and all traffic falls through to the final deny rule?

The MAC addresses are matched. I can see it in WinBox. The rules in the forward chain with src-mac are matched; there is a transfer/packet flow.

Are these wireless users? Access Points can modify the source MAC address.
No. It is a wired LAN. No AP.

You need to specify the Input Interface in each of your rules because the Forward chain applies to all traffic traversing the router. This will result in all traffic from the Internet interface being dropped as the source MAC address will not match.
/ip firewall rule input
in-interface=Internal src-mac-address=00:00:00:00:00:01 action=accept

I tested it.
For one user I added the above rule in the input chain;
it didn't help :(


Regards
Martin.
 
mortin
newbie
Topic Author
Posts: 41
Joined: Wed Mar 09, 2005 9:54 pm

Mon May 30, 2005 2:09 pm

I think I solved the problem.

The deny rule in the forward chain should be set up with "in-interface=lan" in my case.
Before, I had set it up with in-interface=all. That was the reason for blocking the transfer.
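
The two rule sets below are an added example, not configuration from this thread or from MikroTik; they use the current `/ip firewall filter` syntax rather than the `/ip firewall rule` form quoted above, and the interface names `lan`/`dsl` and the MAC addresses are placeholders.

```routeros
# Weak variant, as the thread started out: the final drop has no
# in-interface, so it applies to every forwarded packet. Replies coming
# back from the DSL side carry the ISP next hop as their src-mac, never a
# client MAC, so they never hit an accept rule and are dropped here.
/ip firewall filter
add chain=forward src-mac-address=00:00:00:00:00:01 action=accept
add chain=forward src-mac-address=00:00:00:00:00:02 action=accept
add chain=forward action=drop

# Corrected variant: the per-client accepts and the final drop are tied to
# frames entering on the LAN interface (the fix the thread arrived at).
# Return traffic for sessions those clients opened is accepted first by a
# stateful rule, and unsolicited traffic arriving from the DSL side gets
# its own drop rule instead of being caught by the LAN one.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to sessions already allowed"
add chain=forward in-interface=lan src-mac-address=00:00:00:00:00:01 \
    action=accept comment="client 1 (placeholder MAC)"
add chain=forward in-interface=lan src-mac-address=00:00:00:00:00:02 \
    action=accept comment="client 2 (placeholder MAC)"
add chain=forward in-interface=lan action=drop \
    comment="unknown hosts on the LAN segment"
add chain=forward in-interface=dsl connection-state=new action=drop \
    comment="unsolicited inbound from the Internet"
```

Bear in mind that a MAC address is a self-reported identifier, so this filtering is hygiene for a trusted wired segment rather than authentication of the client.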
