Community discussions

MikroTik App
 
marvin
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

how to block mac in firewall?

Tue Jul 12, 2005 1:14 am

We have a single bridge bridge1 bridging ether1, wlan1, wlan2, wlan3 but how can I create a filter to reject a specific mac address? I tried to create one in winbox but it failed to work.
 
User avatar
sten
Forum Veteran
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Tue Jul 12, 2005 12:39 pm

If you are going to test to see if the bridge filter works then do not test from bridge itself. filter only filters what passes through it. Atleast so in 2.8.x
 
marvin
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Tue Jul 12, 2005 5:28 pm

No we have someone that is ghosting our ip's and causing ip conflicts with customers. We need to block that persons MAC from having access.
 
jarosoup
Long time Member
Long time Member
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Tue Jul 12, 2005 7:27 pm

Are you trying to block from IP -> Firewall or Bridge -> Firewall ? Adding his MAC as the src-mac-address in the bridge firewall should do the trick.
 
marvin
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Tue Jul 12, 2005 9:35 pm

since he/she is constantly changing ip's we have to do it by mac address.. What I tried was....

add chain=forward src-mac-address=00:30:F1:10:2E:3C action=reject \
reject-with=icmp-admin-prohibited comment="" disabled=no

but it did not seem to work. So how do I need to properly phrase it?
 
User avatar
sten
Forum Veteran
Forum Veteran
Posts: 920
Joined: Tue Jun 01, 2004 12:10 pm

Tue Jul 12, 2005 11:20 pm

Ah, you are referring to v2.9, that might just be a bug.
In v2.8 it works. But changing mac address is just as simple as changing IP address with most of the cards i've used. Perhaps you should look for a solution that would deal with the cause of the problem. Hacks to deal with a symptom of a problem has rarely made the problem go away.
 
marvin
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Tue Jul 12, 2005 11:42 pm

Yeah we are in touch with the bandwidth management unit company seems that it's got a bug in latest software update and letting ips that do not match correct mac addresses or those that are not in the system through. But in the meantime we can't seem to figure out where it's comming from or anything but we have noticed mac has stayed the same just the ip is being changed. Hoping that solution will last long enough and correctly until they get that bug fixed.
 
jarosoup
Long time Member
Long time Member
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Wed Jul 13, 2005 12:30 am

Since this is a bridge, is there any reason why you haven't tried the bridge firewall??
 
marvin
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Wed Jul 13, 2005 12:58 am

Well because I am new to the entire Mikrotik Firewall and still learning it. Can you give me the example of how to set it in the bridge firewall?
 
jarosoup
Long time Member
Long time Member
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Wed Jul 13, 2005 4:38 am

From the CLI, go to > "interface bridge firewall" and from Winbox it's under the bridge setting menu from the interfaces menu (both from 2.8.x - I'm not familiar with 2.9 yet). All you need to do is add the offending MAC address to the "src-mac-address" and set the action to drop. That should block him.
 
marvin
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Wed Jul 13, 2005 9:36 pm

Ok here's what I added to the firewall.

add chain=forward src-mac-address=00:30:F1:10:2E:3C in-bridge-port=bridge1 \
out-bridge-port=bridge1 action=drop comment="" disabled=no

But I am still able to ping it's ip address which seems to indicate to me it's not blocking.. Is their something I am missing to make this work?
 
User avatar
tneumann
Member
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Wed Jul 13, 2005 10:27 pm

add chain=forward src-mac-address=00:30:F1:10:2E:3C in-bridge-port=bridge1 \
out-bridge-port=bridge1 action=drop comment="" disabled=no
Try using the physical port (interface) that is a member of the bridge (i.e. ether3 or wlan1 or something like that)
instead of bridge1 for out-bridge-port and in-bridge-port. Then, by the way, in- and out ports usually will not be
identical :wink: because a frame with the same in- and out-port would not be forwarded through the bridge anyway.

--Tom
 
marvin
Member Candidate
Member Candidate
Topic Author
Posts: 119
Joined: Mon Nov 15, 2004 9:56 pm

Thu Jul 14, 2005 5:07 pm

tneumann ok thanks for that advice.
 
User avatar
ariosvelez
newbie
Posts: 29
Joined: Mon Mar 11, 2013 5:39 pm
Location: Ocala, FL
Contact:

Re: how to block mac in firewall?

Wed Mar 28, 2018 12:49 am

I have a firewall rule set to block unauthorized access to winbox other than the ones are set un our address list. But I am having a flood from a specific MAC address that is trying to connect to winbox using ghost IP's the MAC address attempts we are havings are tons in a minute. How can I prevent it or how can I block that IP MAC address here is my firewall rule for winbox:

add action=drop chain=input comment="Drop anyone in the Black List (Winbox)" disabled=no src-address-list="Black List (Winbox)"
add action=drop chain=forward comment="Drop anyone in the Black List (Winbox)" disabled=no src-address-list="Black List (Winbox)"
add action=jump chain=input comment="Jump to RWF Winbox Chain" disabled=no jump-target="RWF Winbox Chain"
add action=add-src-to-address-list address-list="Black List (Winbox)" address-list-timeout=0s chain="RWF Winbox Chain" comment="Transfer repeated attempts from Winbox Stage 3 to Black-List" connection-state=new disabled=no dst-port=8291 protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" address-list-timeout=1m chain="RWF Winbox Chain" comment="Add succesive attempts to Winbox Stage 3" connection-state=new disabled=no dst-port=8291 protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" address-list-timeout=1m chain="RWF Winbox Chain" comment="Add succesive attempts to Winbox Stage 2" connection-state=new disabled=no dst-port=8291 protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" address-list-timeout=1m chain="RWF Winbox Chain" comment="Add Intial attempt to Winbox Stage 1" connection-state=new disabled=no dst-port=8291 protocol=tcp
add action=log chain="RWF Winbox Chain" comment="Log Black Listed IPs" disabled=no log-prefix="Winbox Black List - " src-address-list="Black List (Winbox)"
add action=return chain="RWF Winbox Chain" comment="Return From RWF Winbox Chain" disabled=no
add chain=output comment="Section Break" disabled=yes
Global - MikroTik Support & Consulting - English | Francais | Español | Portuguese +1 855-645-7684
https://iparchitechs.com/services/mikro ... l-support/ mikrotiksupport@iparchitechs.com
MTCNA, MTCRE, MTCINE
 
sindy
Forum Guru
Forum Guru
Posts: 4239
Joined: Mon Dec 04, 2017 9:19 pm

Re: how to block mac in firewall?

Wed Mar 28, 2018 8:30 pm

I have a firewall rule set to block unauthorized access to winbox other than the ones are set un our address list. But I am having a flood from a specific MAC address that is trying to connect to winbox using ghost IP's the MAC address attempts we are havings are tons in a minute. How can I prevent it or how can I block that IP MAC address here is my firewall rule for winbox:
Depending on your RB model and from where that flood comes physically, a rule in the switch (preferred if technically possible) or a rule in the bridge firewall is necessary. To make bridge rules work, you need to use
/interface bridge settings set use-ip-firewall=yes
This is a common setting for all bridges, so expect a throughput penalty.
The rule for a bridge would then look like
/interface bridge filter add action=drop chain=input src-mac-address=00:11:22:33:44:55/ff:ff:ff:ff:ff:ff mac-protocol=ip ip-protocol=tcp dst-port=8291
But it is well possible that there is actually a network full of infected devices behind a gateway element with that MAC address, so I'd recommend not to stop at just using that filter rule and to investigate further into the issue.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

Who is online

Users browsing this forum: eworm, LunaticRv, MaRaToN, solelunauno, Zacharias and 135 guests