lleysan
just joined
Topic Author
Posts: 13
Joined: Tue Jun 30, 2015 5:44 pm

Port security

Wed Dec 04, 2019 10:06 am

Colleagues, can you tell me how to restrict an interface so that only one device (by MAC address) can connect to it?
Is there an analogue of the Cisco feature "switchport port-security mac-address [MAC]"?
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port security

Wed Dec 04, 2019 11:06 am

Probably the easiest way is to make the interface a member port of a bridge (if it is not yet), and use /interface bridge filter rules for this.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
ammarabbasi
just joined
Posts: 10
Joined: Wed Oct 04, 2017 8:34 am
Location: Lahore

Re: Port security

Wed Dec 04, 2019 11:29 am

Ammar Abbasi.
MTCNA, MTCRE, MTCWE, MTCUME, MTCTCE, MTCINE
Lahore, Pakistan.
 
lleysan
just joined
Topic Author
Posts: 13
Joined: Tue Jun 30, 2015 5:44 pm

Re: Port security

Wed Dec 04, 2019 1:17 pm

Probably the easiest way is to make the interface a member port of a bridge (if it is not yet), and use /interface bridge filter rules for this.
I tried your idea. As an example rule:
/interface bridge filter
add action=drop chain=input in-interface=ether7 src-mac-address=!MAC-address/FF:FF:FF:FF:FF:FF
But this solution does not work... The port is a member of a bridge, but this rule does not process packets.
 
lleysan
just joined
Topic Author
Posts: 13
Joined: Tue Jun 30, 2015 5:44 pm

Re: Port security

Wed Dec 04, 2019 1:22 pm

I have Router OS but I can't find a solution on this page.
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port security

Wed Dec 04, 2019 5:39 pm

But this solution is not work.... Port a member of a bridge, but this rule does not process packets.
That's strange as your rule seems correct to me and I have just tested that bridge filter rules do work (including the src-mac-address=!ma:ca:dd:re:ss:00/ff:ff:ff:ff:ff:ff)

When testing, do you access the Mikrotik itself or do you access something else via that bridge? In the latter case, the rule has to be in chain=forward rather than chain=input. So to stay on the safe side, use the same rule in both chains.
 
lleysan
just joined
Topic Author
Posts: 13
Joined: Tue Jun 30, 2015 5:44 pm

Re: Port security

Wed Dec 04, 2019 6:01 pm

But this solution is not work.... Port a member of a bridge, but this rule does not process packets.
That's strange as your rule seems correct to me and I have just tested that bridge filter rules do work (including the src-mac-address=!ma:ca:dd:re:ss:00/ff:ff:ff:ff:ff:ff)

When testing, do you access the Mikrotik itself or do you access something else via that bridge? In the latter case, the rule has to be in chain=forward rather than chain=input. So to stay on the safe side, use the same rule in both chains.
I tried both options, but I have no idea why this rule isn't working. Maybe some bridge settings or fast forward can affect this.
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port security  [SOLVED]

Wed Dec 04, 2019 7:18 pm

I tried both options, but I haven't idea why this rule isn't working. Maybe some bridge settings or fast forward can affect to this.
Weird. The bridge where I've tried it looks as follows:

name="bridge" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=B8:69:F4:xx:xx:xx
protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=xx:xx:xx ageing-time=5m priority=0x8000
max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1
frame-types=admit-all ingress-filtering=no dhcp-snooping=no


[me@MyTik] > interface bridge settings print
use-ip-firewall: no
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
allow-fast-path: yes
bridge-fast-path-active: yes
bridge-fast-path-packets: 0
bridge-fast-path-bytes: 0
bridge-fast-forward-packets: 0
bridge-fast-forward-bytes: 0


So nothing unusual there.

However, if you have hardware acceleration enabled on ether7 (hw=yes), the frames forwarded between ether7 and any other port on the same switch chip where hw=yes too bypass the CPU so the bridge filter cannot affect them. Regarding frames towards the Mikrotik itself, hw=yes should not cause any trouble.
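A complete configuration for the approach sindy describes above, as an added example rather than config taken from the thread. The bridge name, the port (ether7) and the permitted MAC address 00:11:22:33:44:55 are assumed placeholders; the RouterOS commands themselves are standard v6 bridge and bridge-filter syntax.

```routeros
# Added example (not from the thread): allow a single source MAC on bridge port ether7.
# Assumptions: the bridge is named "bridge", the permitted device is 00:11:22:33:44:55.

# 1. ether7 must be a bridge port with hardware offload disabled. With hw=yes,
#    frames switched between ports on the same chip never reach the CPU, so
#    the bridge filter never sees them (the cause of the "rule does nothing" symptom).
/interface bridge port
set [find interface=ether7] hw=no

# 2. Drop every frame entering via ether7 whose source MAC is not the permitted one.
#    The rule is needed in both chains: "input" covers traffic addressed to the
#    router itself, "forward" covers traffic bridged on to other ports.
#    A log rule in front of each drop gives a signal when a foreign device shows up.
/interface bridge filter
add chain=input   in-interface=ether7 \
    src-mac-address=!00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=log log-prefix="portsec-ether7" comment="port-security ether7: log (to router)"
add chain=input   in-interface=ether7 \
    src-mac-address=!00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=drop comment="port-security ether7: drop (to router)"
add chain=forward in-interface=ether7 \
    src-mac-address=!00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=log log-prefix="portsec-ether7" comment="port-security ether7: log (bridged)"
add chain=forward in-interface=ether7 \
    src-mac-address=!00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=drop comment="port-security ether7: drop (bridged)"

# 3. Verify: plug a second device into ether7 and watch the drop counters climb.
/interface bridge filter print stats
/log print where message~"portsec-ether7"
```

Two caveats a practitioner should keep in mind. With hw=no, every frame from ether7 is switched by the CPU, so throughput on that port is bounded by the router's CPU rather than the switch chip. And this only matches the source MAC: unlike Cisco's sticky port-security, there is no learning or violation shutdown, and a device that spoofs the permitted MAC passes the filter.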
 
ammarabbasi
just joined
Posts: 10
Joined: Wed Oct 04, 2017 8:34 am
Location: Lahore

Re: Port security

Thu Dec 05, 2019 6:19 am

Some features like "rule table" don't work on some switch chips. That might be an issue!

https://wiki.mikrotik.com/wiki/Manual:S ... p_Features
Ammar Abbasi.
MTCNA, MTCRE, MTCWE, MTCUME, MTCTCE, MTCINE
Lahore, Pakistan.
 
lleysan
just joined
Topic Author
Posts: 13
Joined: Tue Jun 30, 2015 5:44 pm

Re: Port security

Thu Dec 05, 2019 9:08 am

However, if you have hardware acceleration enabled on ether7 (hw=yes), the frames forwarded between ether7 and any other port on the same switch chip where hw=yes too bypass the CPU so the bridge filter cannot affect them. Regarding frames towards the Mikrotik itself, hw=yes should not cause any trouble.
After turning off the function "Hardware offload", everything began to work as it should. Thanks!
 
sindy
Forum Guru
Posts: 4193
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port security

Thu Dec 05, 2019 11:00 am

After turning off the function "Hardware offload", everything began to work as it should. Thanks!
@ammarabbasi is right that you may use hardware rules on a switch chip for the same purpose, provided that your RB model contains a switch chip which supports hardware rules. As you haven't specified your RB model, it is hard to say for your case. And to make the task even more complicated, e.g. on the RB2011, switch chips of two different types are used, and the one serving ether6-ether10 does not support hardware rules while the one serving ether1-ether5 does.
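The switch-chip alternative that sindy and ammarabbasi mention, as an added example that is not config from the thread: the same single-MAC restriction done as hardware rules, so the port can keep hw=yes and wire-speed forwarding. It assumes a chip that supports the rule table (for instance the one serving ether1-ether5 on the RB2011), named switch1, with ether2 attached to it, and the permitted MAC 00:11:22:33:44:55; all three are placeholders.

```routeros
# Added example (not from the thread): port security in the switch chip.
# Assumptions: switch chip "switch1" supports rules, ether2 belongs to it,
# the permitted device is 00:11:22:33:44:55.

# Hardware rules are evaluated top-down. A rule with no action lets the frame
# continue to normal switching, so the permitted MAC must be matched first.
/interface ethernet switch rule
add switch=switch1 ports=ether2 \
    src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    comment="port-security ether2: allow this MAC"
# Everything else ingressing ether2 gets an empty destination port list, i.e. is dropped.
add switch=switch1 ports=ether2 new-dst-ports="" \
    comment="port-security ether2: drop the rest"

# These rules only see frames that stay inside the switch chip, so ether2 must
# remain hw=yes on the bridge. A chip without rule support rejects the add.
/interface bridge port set [find interface=ether2] hw=yes
/interface ethernet switch rule print
```

Because the allow rule carries no action, its only job is to stop rule processing for the permitted MAC before the catch-all drop; swapping the two rules would drop everything on ether2.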
