jeffschips
just joined
Topic Author
Posts: 15
Joined: Sat Jan 25, 2020 7:40 pm

Stop weak-signal neighbor attempting to connect

Sun Jan 31, 2021 6:26 am

RouterOS v6.48 accessed via Linux WebFig panel.

Hello. I have an SXT which connects to an Omni. A neighbor with a weak signal sxt keeps attempting to connect to my sxt and I would like to block them at the firewall or whichever method uses the least bandwidth and also keeps their failed attempts from showing up in the logs. I want to do this not to be mean but because their attempts will never succeed because their signal is so weak and I'd rather just deny them access so my already limited bandwidth doesn't go down more.

Currently their failed attempts keep showing in the logs like this: @wlan1: connected, is AP, wants WDS

I created a firewall rule but it doesn't do anything, the above entry keeps showing in logs.

What is the best way to stop these attempts?

Thank you.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Stop weak-signal neighbor attempting to connect

Sun Jan 31, 2021 12:33 pm

Firewall is too late in the process. Stop them at the wifi level with the wireless "access list".
You can either allow/deny on MAC address, or less precise but covering more cases by allow/deny on signal level.

But how did they connect to begin with? They know the SSID and password? SSID can be changed and made hidden in PtP connections. Or is it because WDS is enabled?
And do you really really need WDS? (Gives a dedicated interface for the bridged traffic.)
Or can the preferred PtP method ("AP bridge"-"station bridge" combination) be used here, for a wifi bridged connection?
("AP bridge"-"station bridge" combination) Works faster and with an extra WLAN you can even simulate a dedicated interface if needed.
 
jeffschips
just joined
Topic Author
Posts: 15
Joined: Sat Jan 25, 2020 7:40 pm

Re: Stop weak-signal neighbor attempting to connect

Sun Jan 31, 2021 5:08 pm

The offending neighbor is part of the "mesh" network I'm a part of, yet it doesn't have a signal strong enough to connect.

How would I deny based on MAC address or
How would I deny based on signal strength?

I see under Access List | Add New options for signal strength - a range. If it falls within that range, does the Access List deny or accept? It's hard to tell from the way it's presented in that section.
Signal Strength Range - is this for denying or allowing?
Allow Signal Out Of Range - what does this mean?

I have their MAC address but again, the language in the interface doesn't make clear if adding it results in denying or allowing. . .

Thank you for your assistance.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Stop weak-signal neighbor attempting to connect

Sun Jan 31, 2021 5:46 pm

Yes can be very confusing ... :-)

Here just an example I use. (Roaming mobile users between multiple AP, rule for WLAN1 only). Once you understand you can define your own combinations.

Allow everything on WLAN1 that has a signal above -87 dBm (e.g., signal between -86 and +120 dBm), and allow even that signal to drop below -87 dBm for 30 sec.
The allow is authenticate (associate) and forwarding (connect to other clients).
The allow-signal-out-of-range is needed because devices are in their hands, so the signal fluctuates, but I prefer not to drop them immediately.

To stop the weak signal connections on WLAN1 the next line is needed. For everything with signal between -87 and -120 dBm there is no authentication allowed. The allow-signal-out-of-range is short here (1 sec) because this is used for roaming clients that are sticky to their first AP, but they may come back very soon to this AP, and I prefer not to deny them longer than needed.
/interface wireless access-list
add allow-signal-out-of-range=30s interface=wlan1 signal-range=-86..120
add allow-signal-out-of-range=1s authentication=no forwarding=no interface=wlan1 signal-range=-120..-87
 
jeffschips
just joined
Topic Author
Posts: 15
Joined: Sat Jan 25, 2020 7:40 pm

Re: Stop weak-signal neighbor attempting to connect

Sun Jan 31, 2021 6:14 pm

Would this also work if I only used the second command?

/interface wireless access-list
add allow-signal-out-of-range=1s authentication=no forwarding=no interface=wlan1 signal-range=-120..-87

Oh, and does this activity show up in the logs?

By activity I mean that it's dropped, etc. It's just filling up my logs so wish it farewell.
 
fmachado
just joined
Posts: 1
Joined: Sun Jan 09, 2022 2:17 pm

Re: Stop weak-signal neighbor attempting to connect

Sun Jan 09, 2022 2:52 pm

I think the 1st rule is redundant.

It works with the 2nd command only. It's like the firewall rules, all accepted by default.
So, that rule will not allow connections with signal between -120..-87 unless the MAC address is registered in the Access List.
In that case (MAC registered in AL), you'll need to set the same rule in the register of the MAC itself.

I want to reject all bad connections, for all MAC addresses without distinction.
Still haven't figured out how to do it.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Stop weak-signal neighbor attempting to connect

Mon Jan 10, 2022 11:31 pm

unless the mac address it is registered in the Access List.
In that case (mac registered in AL), you'll need to set the same rule in the register of the mac itself.
"you'll need to set the same rule in the register of the mac itself" What do you mean ???


The example is correct, it is also in the WIKI. https://wiki.mikrotik.com/wiki/Manual:I ... ccess_List
If you don't fill in a MAC address in an 'Access List' rule, then that rule is used for ALL MAC addresses.
If you fill in the "any" interface, then it is used for all WLAN interfaces.
/interface wireless access-list
add allow-signal-out-of-range=30s interface=wlan1 signal-range=-86..120
add allow-signal-out-of-range=1s authentication=no forwarding=no interface=wlan1 signal-range=-120..-87

The first rule is there to allow a certain grace period if connected, the "Allow signal out of range" seconds, to avoid disconnects just because of a short signal dip. (here set to 30 sec)
The second rule does not allow authentication with a low signal. (No new connections and no existing connections after the above grace period)
These 2 rules apply to WLAN1.
But I just keep repeating myself here.

If you just want to lock out a MAC address, just set "authentication=no", fill in the MAC address, and leave signal on "-120..120", so the rule is applied for all possible strengths.

The default "authenticate" rule is in the wireless tab of each WLAN interface. There you define what to do if no 'Access List' rule matches. (for Authorize and Forward, VLAN Mode and VLAN ID)

Use "/system logging topics=wireless" to see connection attempts, accepts, and rejects in the log.
Last edited by bpwl on Tue Jan 11, 2022 12:38 am, edited 1 time in total.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Stop weak-signal neighbor attempting to connect

Tue Jan 11, 2022 12:20 am

Klembord-2.jpg

GREEN is the selection filter/criteria for this rule
RED is the action: authenticate? (yes=allow authentication, no=reject, deny) - forwarding? - VLAN mode? - VLAN id?
BLUE: special: allow for specific preshared key PPSK (different from the PSK/password of the interface)
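
A simplified model of how the Access List rules quoted in this thread are evaluated, added here as an illustration; it is not code from any poster or from MikroTik. It assumes rules are checked top to bottom and only the first match applies (as the MikroTik manual describes), it ignores the allow-signal-out-of-range grace period, and the MAC address is a constructed placeholder.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    # Selection criteria (the "GREEN" fields): they decide IF the rule matches.
    lo: int = -120                # signal-range lower bound, dBm
    hi: int = 120                 # signal-range upper bound, dBm
    mac: Optional[str] = None     # None = rule applies to every MAC address
    interface: str = "any"        # "any" = every WLAN interface
    # Action (the "RED" field): what happens WHEN the rule matches.
    authentication: bool = True   # yes = allow association, no = reject

    def matches(self, mac: str, interface: str, signal: int) -> bool:
        return ((self.mac is None or self.mac.lower() == mac.lower())
                and self.interface in ("any", interface)
                and self.lo <= signal <= self.hi)

def decide(rules, mac, interface, signal, default_authentication=True):
    """Return (allowed, index of the rule that matched, or None)."""
    for i, rule in enumerate(rules):
        if rule.matches(mac, interface, signal):
            return rule.authentication, i
    # No rule matched: the interface's own default setting decides.
    return default_authentication, None

# The two rules posted in the thread, in the same order.
THREAD_RULES = [
    Rule(lo=-86, hi=120, interface="wlan1"),
    Rule(lo=-120, hi=-87, interface="wlan1", authentication=False),
]
SECOND_ONLY = THREAD_RULES[1:]           # the "second command only" variant
NEIGHBOR = "AA:BB:CC:00:00:01"           # constructed placeholder MAC
# MAC lock-out over the full range, placed first so it matches before the rest.
MAC_BLOCK = [Rule(mac=NEIGHBOR, authentication=False)] + THREAD_RULES

if __name__ == "__main__":
    cases = (("both rules", THREAD_RULES), ("second only", SECOND_ONLY),
             ("MAC block first", MAC_BLOCK))
    for name, rules in cases:
        for signal in (-60, -92):
            allowed, idx = decide(rules, NEIGHBOR, "wlan1", signal)
            via = f"rule {idx}" if idx is not None else "interface default"
            print(f"{name:16} {signal:4} dBm -> "
                  f"{'allow' if allowed else 'reject'} ({via})")
```

With only the second rule present, a strong-signal station matches no rule at all, so the outcome depends entirely on the interface's default authentication setting.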