Community discussions

MikroTik App
 
Mactrekr
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 52
Joined: Wed Dec 28, 2005 3:32 am
Location: SE Arizona
Contact:

mac filtering lesson for newbie needed

Tue Apr 18, 2006 10:25 pm

Hi Yall,

Got 3 MT Private hotspots running and am having a heck of a time keeping up with the connections. Is there a simple way to block unapproved MAC addresses into the system? As it sits now, a couple of my customers have figured out that once I queue them back, all they have to do is change routers or MAC addresses.

Even if ya'll can just point me to a thread that already addresses this issue I'd be grateful.

Mac
 
Mapik
Frequent Visitor
Frequent Visitor
Posts: 90
Joined: Tue Nov 29, 2005 11:08 am

Thu Apr 20, 2006 10:06 pm

Disable "Default Authenticate" on wireless cards where you need it. It's on tab Wireless. After that only users in Wireless - Registration table can connect.
 
Mactrekr
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 52
Joined: Wed Dec 28, 2005 3:32 am
Location: SE Arizona
Contact:

Sun Apr 23, 2006 12:23 am

Disable "Default Authenticate" on wireless cards where you need it. It's on tab Wireless. After that only users in Wireless - Registration table can connect.
Ok, I'll look into that, but let me give a little more detail about our system. We're using the MT to act as a T1 Gateway and using Motorola Canopy Wireless AP's and SM's to give access to our customers. So, really it's not acting like a wireless system, we're using license level 5. So it's not acting as a hot spot.

I'm queuing customers using simple queues but a few have realized that they can simply change mac addresses and until I catch their switch, they're operating at full bandwidth and dragging the system down for others.

What I'm looking for is a simple mac addess based way to allow only approved MAC addresses and essentially block or redirect any MAC address that isn't already authorized.

Any Help appreciated.
Mac
 
wildbill442
Forum Guru
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Sun Apr 23, 2006 12:46 am

are you using the hotspot feature to create the queues and do MAC address authentication? If you do it that way it's real simple, you can create multiple profiles (different queues and settings) assign the user a profile and when that MAC connects to the network RouterOS creates a dynamic simple queue based on the settings for the profile.

Any unauthorized MAC addresses will get redirected to a Mikrotik hotspot login or if you disable the http login they will receive a page cannot be displayed when browsing.

We use an Allot NetEnforcer for bandwidth provisioning. It allows you to create pipes for each individual user and has what they call a "fall back pipe" which is a catch all for any users that haven't been specified. I limit our fallback pipe to 512kbps, which is our lowest service level so no one ever gets more than what they pay for.

You should be able to create something similar with Mikrotik, I don't have a step by step configuration, but the concept is pretty simple. Create a queue that catches all users on your network and set it to whatever you decide is an appropriate speed. Then define each of your users as you would have previously.

I haven't gone into queuing with the mikrotiks in too much depth myself, so I'm not quite sure how RouterOS will handle packets that meet the requirements of two seperate queues (the fallback/catch-all and the defined user). So I'm sure this will require some testing and tweaking to get it working right.

Good luck.
 
Mactrekr
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 52
Joined: Wed Dec 28, 2005 3:32 am
Location: SE Arizona
Contact:

Wed May 03, 2006 4:25 am

Really,

What I'm looking for is a simple way to block connections or drop connections that don't come from preauthorized MAC addresses. I'm not using hotspot at all. This doesn't have anything to do with wireless. I just want to be able to accept and/or deny connection based upon a client MAC address. I know there has to be a way to do this, I just don't know what it is.
Any help appreciated.
Mac
 
wildbill442
Forum Guru
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Wed May 03, 2006 8:46 am

Mac,

if you read my reply then you would realize that using the hotspot package IS a way of doing just that.

Another way of achieving the same goal would be to mangle the traffic. Mangle the src-mac-address of the authorized traffic and set it as something like net-auth, and all other traffic to net-no-auth. or somthing like that.. drop or redirect net-no-auth to your signup page and allow traffic mangeled as net-auth access to the network.

It's that simple.

The hotspot package does this with an easy to use and configure interface. It also allows you to create queues based on service level. That's why I recomended it. You get the authentication as well as the bandwidth control.

-Bill
 
pedja
Long time Member
Long time Member
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Wed May 03, 2006 10:46 am

I'm queuing customers using simple queues but a few have realized that they can simply change mac addresses and until I catch their switch, they're operating at full bandwidth and dragging the system down for others.
Create one simple queue rule that catches all traffic, but place it on the botom of the list. Then shape that queue to slow down block traffic. If someone change settings to avoid simple queue made for him, he will end up in general queue that limits him rapidly.
 
valens
Trainer
Trainer
Posts: 246
Joined: Tue Jun 01, 2004 5:42 pm
Location: INDONESIA
Contact:

Wed May 03, 2006 11:52 pm

> ip firewall filter
> add chain=forward in-interface=LAN src-mac-address=11:22:33:44:55:66 action=accept
..... repeat for evey mac-address you need to allow
..... and at last, you need to add drop filter
> add chain=forward in-interface=LAN action=drop
 
valens
Trainer
Trainer
Posts: 246
Joined: Tue Jun 01, 2004 5:42 pm
Location: INDONESIA
Contact:

Wed May 03, 2006 11:53 pm

If you only need to block (not queue) un-authorized mac-address, you can try to use this script

> ip firewall filter
> add chain=forward in-interface=LAN src-mac-address=11:22:33:44:55:66 action=accept
..... repeat for evey mac-address you need to allow
..... and at last, you need to add drop filter
> add chain=forward in-interface=LAN action=drop
 
jarosoup
Long time Member
Long time Member
Posts: 600
Joined: Sun Aug 22, 2004 9:02 am

Thu May 04, 2006 12:34 am

You can also force a given MAC address to use a specific IP address via a static DHCP lease to help keep track of who is who, and then as mentioned only allow those IP addresses through the firewall. This won't protect you from a non-customer spoofing someone else's MAC but it sounds like that's not as much of an issue (plus, they'd need Canopy to get on your system it sounds like).

Are these people changing around their MACs and routers paying customers? I'd add in your TOS/AUP that this kind of behavior is prohibited, and give them the boot if they continue.
 
Mactrekr
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 52
Joined: Wed Dec 28, 2005 3:32 am
Location: SE Arizona
Contact:

Thu May 04, 2006 12:50 am

WildBill,

I meant no disrespect, I just didn't really understand your solution. I was under the impression that "Hotspot" had to do with wireless. Sorry.

Valens, I'll be trying what you explained this week. That's exactly what I was looking for.

See, we provide 1 ip address for each customer, supposedly based upon their MAC address. i.e. a router or a single computer in their home. All I'm trying to do is to keep up with my simple queues to make sure each customer gets the proper amount of bandwidth and that nobody can take advantage.

Thanks for all ya'lls help.
Mac
 
Mactrekr
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 52
Joined: Wed Dec 28, 2005 3:32 am
Location: SE Arizona
Contact:

Thu May 04, 2006 1:02 am

You can also force a given MAC address to use a specific IP address via a static DHCP lease to help keep track of who is who, and then as mentioned only allow those IP addresses through the firewall. This won't protect you from a non-customer spoofing someone else's MAC but it sounds like that's not as much of an issue (plus, they'd need Canopy to get on your system it sounds like).

Are these people changing around their MACs and routers paying customers? I'd add in your TOS/AUP that this kind of behavior is prohibited, and give them the boot if they continue.
Jarsoup,

Actually, I've tried that already, and once I get the filters in place that Valens suggested that'll work really well. I'm not too worried about somebody dropping $400 on a canopy modem to hack our system, also, they'd really have to know what they're doing, cause I'd figure out there's an extra connection on our system within a day or two. I currently have all of our customers IP's assigned through DHCP, but I make them static as soon as they're up and running. Problem is, we've got 3 MT routers and over 100 customers. (as I keep telling my boss, THIS IS A PART TIME JOB) It's not really a problem with customers who use an internal router, they almost always leave it on and I simply queue the IP of that router. When the DHCP lease is up, it re-assigns that IP address and all is fine. It's the customers who switch MAC devices on me that are a pain. As to the TOS, we're a small, "FRIENDLY" ISP. But we do let people know that if they blatantly try to circumvent our system we'll shut em down.

Thanks again for all the help guys. Great to have a resource.
Mac

Who is online

Users browsing this forum: Bing [Bot], cvalavik, Google [Bot], miguel34, phaap, sindy, Znevna and 213 guests