Community discussions

MikroTik App
 
techclerk
newbie
Topic Author
Posts: 28
Joined: Tue Oct 27, 2020 7:36 pm

Capsman dynamic provisioning and MAC ACL

Wed Jun 09, 2021 5:59 pm

I have a certain number of Mikrotik AC CAP-s, which are connected to my main mikrotik router.
I've created 2 VLANs on the interface, where these CAP-s are connected to the Mikrotik router.
Then I have two DHCP servers, one is office, the other is guest hotspot/configured hotspot separately using Userman/
The provisioning is with create dynamic and the config is - Master config - office, slave config - hotspot.
To summarize - each physical CAP has two SSID-s, which are in fact 2 separate networks, each with it's own VLAN ID, DHCP server and address pool.
The issue is that for the office network I want to apply MAC ACL to prevent the connection of all devices, except approved.
Is there a way to set up this using create dynamic?
 
mbaute
newbie
Posts: 30
Joined: Fri May 22, 2015 3:54 pm

Re: Capsman dynamic provisioning and MAC ACL

Fri Jun 11, 2021 2:03 am

hi techclerk,

maybe you can try in capsman's access list doing accepts for MACs you want to connect to office network interfaces, and then a general reject for those interfaces. I don't know if it works with dynamic ones but if it doesn't the SSID regex filter should do the trick.

Regards,
 
UpRunTech
Member Candidate
Member Candidate
Posts: 209
Joined: Fri Jul 27, 2012 12:11 pm

Re: Capsman dynamic provisioning and MAC ACL

Fri Jun 11, 2021 2:12 pm

You can do this by making a whitelist. Add all the allowed MACs - for example:

/caps-man access-list
add action=accept mac-address=AA:BB:CC:DD:EE:FF
add action=accept mac-address=CC:00:FF:EE:12:34
add action=accept mac-address=DE:AD:BE:EF:00:00
add action=accept mac-address=D0:0F:D0:0F:00:00
add action=reject mac-address-mask=00:00:00:00:00:00

This will allow any of the first 4 MACs to be accepted. Any other MACs which don't match will match on the last line (00:00:00:00:00:00 in the MAC mask means any MAC) will get rejected. You might want to add in the SSID regexp if you want to refine this behaviour just for your office SSID. As it stands what I wrote above will enforce this behaviour on all the SSIDs.

(edited as per advice on the email below. I just tested it on my CAPSMAN system using mac-address-mask=00:00:00:00:00:00 with some of my devices MAC addresses and the above is now correct.)
Last edited by UpRunTech on Fri Jun 11, 2021 2:46 pm, edited 1 time in total.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Capsman dynamic provisioning and MAC ACL

Fri Jun 11, 2021 2:30 pm

>useless, previous post fixed<
Last edited by rextended on Fri Jun 11, 2021 5:37 pm, edited 1 time in total.
 
techclerk
newbie
Topic Author
Posts: 28
Joined: Tue Oct 27, 2020 7:36 pm

Re: Capsman dynamic provisioning and MAC ACL

Fri Jun 11, 2021 5:24 pm

no, the reject are
/caps-man access-list
add action=reject disabled=no interface=cap-office
without any mac address
do not confuse mac-address with mac-mask
The issue is that interfaces are dynamically created. I connect my CAP-s using CAP mode of the AP and interfaces are dynamically created.
That's because I plan to connect a batch of 30+ CAP-s in the future. If I use Create dynamic, then I just switch the CAP-s to CAP mode, plug them and done.
So, rather than specifying interface, I need to specify SSID or something different. But there aren't that many options when it comes to MAC filtering.
I can do it with the DHCP and firewall.
1. The client receives IP from the DHCP.
2. I assign static lease and add him to list, that allows him to use internet. Having IP bound to MAC...
3. Allow internet access from this IP to the Internet by creating firewall rule, which bypasses the general DROP for all IP-s from the mentioned DHCP.
4. Unless he is allowed via firewall rule, the client gets IP, but nothing more.
But...
This is much more tedious to manage. Although using MAC filter means that nobody, whose MAC was not specified will be able to connect to the network at all.
But
Manually setting up all CAP interfaces, while I run two virtual APs on one physical AP and etc is also tedious task.
Also, bounding MAC-s to IP-s means that I no longer can use these IP-s even if the device is no longer present, unless I manually remove the static lease.
There is also an option, where my DHCP uses static leases only. And unless the device is previously added, no IP will be received. But this again means two lists, because if one manually specifies IP and there isn't firewall rule to block all, except allowed, then he will be able to access internet.
My idea is not to impede people from using internet on their devices, but because the network will grow up significantly in size, I need to control what devices are connected. So, even if someone has the password, he can't just connect random device to the network. So, even if someone from the staff gives the password to their friend or whatever, this person won't be able to use internet or poke around unnoticed.
I know that MAC can be spoofed, but two devices with identical MAC-s...Because no device with MAC different than specified list will be able to connect to the internet...will be noticed.
And having two networks running on the same IP-s creates other sort of issues. I need to specify SSID or interface. Interfaces are dynamically created in this case. And wildcard blocking means that clients won't be able to connect to the hotspot.
My config is not simple one.
One port from the mikrotik router is reserved for WLANs. It is a part of a bridge.. There are two VLANS on this bridge One is assigned to the master config, other to slave config of the CAP-s, so I can have two SSIDs on a single CAP. And if I consider that one port is no more adequate, I will just add another port to the bridge and connect more CAP-s.
-------
Where I can find info about SSID REGEXP and will this work at all? Having MAC filter with SSID REGEXP, so the filter works on the specified SSID but on all dynamically added CAP-s?
 
UpRunTech
Member Candidate
Member Candidate
Posts: 209
Joined: Fri Jul 27, 2012 12:11 pm

Re: Capsman dynamic provisioning and MAC ACL

Fri Jun 11, 2021 11:15 pm

Where I can find info about SSID REGEXP and will this work at all? Having MAC filter with SSID REGEXP, so the filter works on the specified SSID but on all dynamically added CAP-s?
[/quote]

You just need to do something like this: (^YOURSSID$) include the brackets.
 
techclerk
newbie
Topic Author
Posts: 28
Joined: Tue Oct 27, 2020 7:36 pm

Re: Capsman dynamic provisioning and MAC ACL

Sat Jun 12, 2021 12:29 pm

You just need to do something like this: (^YOURSSID$) include the brackets.
But will this work, just specifying SSID and not specifying interfaces? Or it requires both specifying interface and SSID?
 
techclerk
newbie
Topic Author
Posts: 28
Joined: Tue Oct 27, 2020 7:36 pm

Re: Capsman dynamic provisioning and MAC ACL

Wed Jul 07, 2021 5:13 pm

So, it works.
1. Create reject rule. Do not specify MAC, just in SSID REGEX write this regex and specify interfaces - dynamically created
^NETWORKNAME$

2. Add your exceptions with MAC + SSID REGEX mentioned above and interfaces - dynamically created, but with accept
3. Now you have filter list that filter clients trying to connect only to the SSID specified with the SSID REGEX. Connecting to other networks works just fine.
 
EYAAAAA
just joined
Posts: 1
Joined: Sat Apr 23, 2022 10:28 pm

Re: Capsman dynamic provisioning and MAC ACL

Sat Apr 23, 2022 10:57 pm

Hello,

I would like to force one of my devices to connect to the nearest CAP.
I have created these entries in the access list:
# INTERFACE MAC-ADDRESS MAC-ADDRESS-MASK ACTION

2 SMC-01 - Main 80:91:33:B8:82:13 reject
3 SMC-02-Ground Fl 80:91:33:B8:82:13 accept
4 SMC-03-1st Fl 80:91:33:B8:82:13 accept

But they it does not seem to be willing to work! it is still connecting to the SMC-01-Main interface!

Is there any solution to what I would like to achieve?

Who is online

Users browsing this forum: No registered users and 30 guests