Hi..All,
Need help, I already install and seting MT with DNS, Gateway correctly and now all user on our network can connect to internet. any body can assist me step by step to restrict user by IP/Mac address?
My configuration asf :
INTERNET
|
|
Mikrotik
ether0 192.168.0.100
ether1 10.97.20.100 -> Client 10.97.20.25 DNS:202.134 GW:10.97.20.100
DNS: 202.134.x.x
Gateway:192.168.0.254
--->Client 10.97.20.98
DNS :202.134.x.x
gateway:10.97.20.100
Now both client can browsing.
How to block client 10.97.20.98 to access the router ??
Need help..
Code: Select all
ip firewall rule forward> add src-address=10.97.20.98 src-mac-address=00:0
0:00:00:00:00 action=drop
already tried but appear error mesg. "Source Bad"Code: Select allip firewall rule forward> add src-address=10.97.20.98 src-mac-address=00:0 0:00:00:00:00 action=drop
any other idea ?
fyi i am using Mt 2.7.14
For example if you want to block class 10.97.20.x and allow only som of the to have access you can do that like this
the last rule will drop everything and if you want to allow clients to have acces after you have set this rule you can do it
Hope that this will help.
Code: Select all
ip firewall rule forward add src-address=10.97.20.98/32 action=aceptCode: Select all
ip firewall rule forward add action=drop Code: Select all
ip firewall rule forward add src-address=10.97.20.x/32 action=acept place-before=0if I block all IP addr on the top then I accept specify Ip address
the sytem become block all IP and can not connect
any other idea ?
btw how to block or accept for the rang IP address I want block/accept?
for example:
block address 10.97.20.50/32 - 10.97.20.90/32
or may be there is the simple way ?
the sytem become block all IP and can not connect
any other idea ?
btw how to block or accept for the rang IP address I want block/accept?
for example:
block address 10.97.20.50/32 - 10.97.20.90/32
or may be there is the simple way ?
Hello Zong,
There is no magic u can do about it....expect if there is a script (which i am yet to know about) that can do that for you automatically.If u want it to be automatic, then you will need a RADIUS which will specity the time range u want for a particular MAC address ( that is if u r doing RADIUS MAC).
In the alternative ( manually) and according to the previous command lines given to u. specify accordingly in the forward chain
/ip firewall rule forward add address=10.97.20.90/32 action=accept
(u will do this for all the host u want to allow and place them above the rules i will specify below... comment can also help u out in sorting the right IP for the right host)
/ip firewall rule forward add address=10.97.20.0/24 action=drop
(/24 if that is ur netmask....this will drop pactects from any other ip host in the network)
i hope this will sort your problem.....and if anybody has better ideas, let us have it too.
There is no magic u can do about it....expect if there is a script (which i am yet to know about) that can do that for you automatically.If u want it to be automatic, then you will need a RADIUS which will specity the time range u want for a particular MAC address ( that is if u r doing RADIUS MAC).
In the alternative ( manually) and according to the previous command lines given to u. specify accordingly in the forward chain
/ip firewall rule forward add address=10.97.20.90/32 action=accept
(u will do this for all the host u want to allow and place them above the rules i will specify below... comment can also help u out in sorting the right IP for the right host)
/ip firewall rule forward add address=10.97.20.0/24 action=drop
(/24 if that is ur netmask....this will drop pactects from any other ip host in the network)
i hope this will sort your problem.....and if anybody has better ideas, let us have it too.
okay....theres is a way....!
but you need to install hotspot first!
if you already install it...then:
1.erase all the rule in dst-nat.
2.write the ip you want to acept in forward place in top,i forget how to count a range ip..!
3.then write this rule if your client have to login first in login page:
go to winbox->
do this
1.add src-address (10.10.aa.0/24)you want to redirect to hotspot
dst-port=53
protocol=udp
in.interface=all
action redirect
laennya default.
2.add src-address (10.10.aa.0/24)
in.interface=lan
protocol=tcp
flow=hs-auth
action=redirct
to dst.port=80
if your client do not want to login first then dont write no.3
but if u do this u have to login first if u want to using winbox..!
but you need to install hotspot first!
if you already install it...then:
1.erase all the rule in dst-nat.
2.write the ip you want to acept in forward place in top,i forget how to count a range ip..!
3.then write this rule if your client have to login first in login page:
go to winbox->
do this
1.add src-address (10.10.aa.0/24)you want to redirect to hotspot
dst-port=53
protocol=udp
in.interface=all
action redirect
laennya default.
2.add src-address (10.10.aa.0/24)
in.interface=lan
protocol=tcp
flow=hs-auth
action=redirct
to dst.port=80
if your client do not want to login first then dont write no.3
but if u do this u have to login first if u want to using winbox..!