spaxton
Member Candidate
Topic Author
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

MAC address filtering

Mon Jul 19, 2010 11:02 am

hello,

as I said in the subject, this is about filtering by MAC addresses. I need to make the router inaccessible to all except a few machines, and I want to do that by MAC filtering. So, nothing can access the router and nothing can access anything behind the router if the MAC address does not match an allowed one. Can anyone tell me how to do this?

bye

;-)
 
oeyre
Member Candidate
Posts: 118
Joined: Wed May 27, 2009 12:48 pm

Re: MAC address filtering

Mon Jul 19, 2010 11:28 am

Keep in mind that people can get around this by faking their MAC address.

Bridge > Filters > New
chain forward, in interface ether1, src mac, action drop

Repeat for input chain.
 
spaxton
Member Candidate
Topic Author
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

Re: MAC address filtering

Mon Jul 19, 2010 1:53 pm

Keep in mind that people can get around this by faking their MAC address.

Bridge > Filters > New
chain forward, in interface ether1, src mac, action drop

Repeat for input chain.
Hi,

Thanks for the reply!
Isn't this for restricting access for some MAC addresses? What I need is allowing MAC access. Something similar to MAC access on wireless, just I need to apply it on ADSL, 3G, etc... I mean on access from outside. Something like a MAC firewall where access will be possible only for allowed MAC addresses and disallowed for everything else. I hope that you understand what I mean...

bye

;-)
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: MAC address filtering

Mon Jul 19, 2010 4:24 pm

So use the same concept but instead of drop, accept. Further down drop everything else.
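
The accept-then-drop layout suggested above, written out as an added example that is not part of the original thread. It assumes `ether1` is a port of a bridge (bridge filters only see traffic on bridge ports), and the MAC addresses are constructed placeholders.

```routeros
# Added example, not from the thread. Replace the placeholder MACs with the
# stations you want to allow, and list your own management PC first so you
# do not lock yourself out.
/interface bridge filter

# input chain: frames addressed to the router itself.
# Rules are evaluated top to bottom, so the accepts must precede the drop.
add chain=input in-interface=ether1 \
    src-mac-address=02:00:00:00:00:01/FF:FF:FF:FF:FF:FF \
    action=accept comment="allowed: admin PC (placeholder MAC)"
add chain=input in-interface=ether1 \
    src-mac-address=02:00:00:00:00:02/FF:FF:FF:FF:FF:FF \
    action=accept comment="allowed: second PC (placeholder MAC)"
add chain=input in-interface=ether1 action=drop \
    comment="drop every other source MAC to the router"

# forward chain: frames bridged through the router to other ports.
add chain=forward in-interface=ether1 \
    src-mac-address=02:00:00:00:00:01/FF:FF:FF:FF:FF:FF \
    action=accept comment="allowed: admin PC (placeholder MAC)"
add chain=forward in-interface=ether1 \
    src-mac-address=02:00:00:00:00:02/FF:FF:FF:FF:FF:FF \
    action=accept comment="allowed: second PC (placeholder MAC)"
add chain=forward in-interface=ether1 action=drop \
    comment="drop every other source MAC through the bridge"

# Check rule order and per-rule hit counters after applying.
print stats
```

A source MAC is set by the sender, so this list only keeps out stations that do not copy an allowed address, which is the limitation noted earlier in the thread.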
 
spaxton
Member Candidate
Topic Author
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

Re: MAC address filtering

Mon Jul 19, 2010 4:30 pm

So use the same concept but instead of drop, accept. Further down drop everything else.
Thanks for the reply. I will try this. I hope it will work on a 3G connection too.

bye

;-)
 
spaxton
Member Candidate
Topic Author
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

Re: MAC address filtering

Mon Jul 19, 2010 8:28 pm

hello,

this does not work... I can put in anything I want but there is no change... everything can access anything. :( Also I think that this is only for internal traffic. Are there any more ideas how to do this?

bye
 
andrescamino
Member Candidate
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: MAC address filtering

Mon Jul 19, 2010 8:46 pm

Have you tried going to the interface and selecting ARP: reply-only, and putting in the ARP list all the MAC addresses you would like to work with?

that will work
 
andrescamino
Member Candidate
Posts: 198
Joined: Wed Aug 19, 2009 7:07 pm
Location: Guayaquil-Ecuador

Re: MAC address filtering

Mon Jul 19, 2010 8:48 pm

one more thing...be careful to put your mac address first...so you don't get kicked out of the router forever
 
spaxton
Member Candidate
Topic Author
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

Re: MAC address filtering

Mon Jul 19, 2010 11:00 pm

Have you tried going to the interface and selecting ARP: reply-only, and putting in the ARP list all the MAC addresses you would like to work with?

that will work
hmmm... this works but still no luck with outside logins. This works in the local network which is behind the router. My router is connected to the internet via a 3G modem and I cannot set ARP for that interface. I need this to prevent unwanted access to the router from outside but to make it accessible from one external PC. For example: I can log in to the router because my MAC is allowed but you cannot because your MAC is not listed. I need something just like a standard firewall but with MACs. I really don't know how to do this, or maybe it is impossible.

bye
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: MAC address filtering

Mon Jul 19, 2010 11:06 pm

If it's from outside for administrative access on a 3G interface, filtering by MAC address makes no sense. You're unlikely to connect directly to the 3G interface, and MAC addresses get rewritten by layer 3 hops, so you would need to filter by source IP (possibly combined with port knocking, if that IP is dynamic).

Just to ensure we're understanding you right, can you do a quick network diagram of what your layout is and what you're trying to accomplish?
 
spaxton
Member Candidate
Topic Author
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

Re: MAC address filtering

Tue Jul 20, 2010 12:19 am

Just to ensure we're understanding you right, can you do a quick network diagram of what your layout is and what you're trying to accomplish?
Here is a simplified network diagram. On the diagram you can see, for example, two external PCs; one can access my MikroTik router and the other cannot. Is it possible to make it like that? It does not need to be filtered exactly by MAC address. If this is not possible, please suggest what I should do to avoid unwanted flooding of my router with login attempts and similar things.

bye
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: MAC address filtering

Tue Jul 20, 2010 12:31 am

If there is just one other router between the 3G modem and the machines administratively accessing the router behind the 3G modem, you CANNOT filter by MAC address. How TCP/IP works makes that absolutely impossible. Since you have the Internet between the two, that's more than one router.

So the next question is: what source IP address does the router behind the 3G modem see PC1 and PC2 as having? Are they both the same? In that case you cannot meaningfully differentiate between the two and cannot permit access to one and categorically deny a login prompt to the other. If they have different source IPs (PC1 and PC2 are either not NAT'd by the router, or get NAT'd to different IP addresses) you can filter administrative access by IP address. If you don't know the answer to that question, go to both PCs and load http://whatismyipaddress.com in a browser and compare the results.

If they do have the same source IP, you can look up port-knocking on the wiki and use the concept to just allow a PC with that source IP address to connect to a particular secret sequence of ports in order to open up the firewall administrative access for a short timeframe (one or two minutes) - but still, during that timeframe any PC with that source IP address would get a login prompt. However, that's a somewhat advanced concept and can be a hassle to use, so you may be better off just living with the fact that all PCs behind the router on the left hand side of your graphic will get a login prompt. Use decent passwords and non-obvious usernames and that shouldn't be too much of a problem.
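
The source-IP filter and the port-knocking variant described above, as an added example that is not part of the original thread. The interface name `ppp-out1`, the address `203.0.113.10`, the knock ports 7001 and 7002, the list names and the timeouts are all assumptions; 22 and 8291 are the SSH and Winbox service ports, and the syntax is that of current RouterOS releases.

```routeros
# Added example, not from the thread. Names, address and ports are placeholders.
/ip firewall filter

# Keep sessions that are already open.
add chain=input connection-state=established,related action=accept \
    comment="existing connections"

# Case 1: the admin PC has its own fixed public IP. Filter by source address.
add chain=input in-interface=ppp-out1 protocol=tcp dst-port=22,8291 \
    src-address=203.0.113.10 action=accept \
    comment="admin PC by source IP (placeholder address)"

# Case 2: dynamic or shared source IP. Port knocking in two stages.
# Stage 1: a connection attempt to the first secret port tags the source
# address for a few seconds.
add chain=input in-interface=ppp-out1 protocol=tcp dst-port=7001 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=15s comment="knock 1 (placeholder port)"

# Stage 2: the second port only counts if stage 1 was seen from the same
# address. Admin access then stays open for two minutes.
add chain=input in-interface=ppp-out1 protocol=tcp dst-port=7002 \
    src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=admin-allowed \
    address-list-timeout=2m comment="knock 2 (placeholder port)"

# During those two minutes every host behind that source IP reaches the
# login prompt, so passwords still matter.
add chain=input in-interface=ppp-out1 protocol=tcp dst-port=22,8291 \
    src-address-list=admin-allowed action=accept \
    comment="admin access after a valid knock"

# Everything else arriving on the 3G link, the knock packets included,
# is dropped without a reply.
add chain=input in-interface=ppp-out1 action=drop \
    comment="drop all other input from the 3G side"
```

Rule order matters here as well: the final drop must stay last, and the knock rules do not end processing, so knock packets fall through to it.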
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: MAC address filtering

Tue Jul 20, 2010 12:39 am

To bring MAC address information to your firewall you'll need to encapsulate layer 2 in TCP or UDP. Use GRE or EoIP or VPLS between the two networks to bridge them together.

http://wiki.mikrotik.com/wiki/Transpare ... using_MPLS
 
spaxton
Member Candidate
Topic Author
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

Re: MAC address filtering

Tue Jul 20, 2010 12:52 am

Thanks a lot fewi. This last explanation really helps me to understand it.

bye

;-)
 
spaxton
Member Candidate
Topic Author
Posts: 176
Joined: Fri Jan 01, 2010 12:18 pm

Re: MAC address filtering

Tue Jul 20, 2010 12:54 am

To bring MAC address information to your firewall you'll need to encapsulate layer 2 in TCP or UDP. Use GRE or EoIP or VPLS between the two networks to bridge them together.

http://wiki.mikrotik.com/wiki/Transpare ... using_MPLS
Thanks for the reply.

bye ;-)
 
soamz
Member
Posts: 431
Joined: Thu Mar 19, 2015 7:19 am

Re: MAC address filtering

Sat Jun 11, 2016 10:17 am

Is MAC filtering only possible in a bridge?

What about those who don't use a bridge, as a bridge has its own set of problems?
