Hello.
I was trying to match IP address and MAC address in firewall but I have not been able to do it.
I just set up the following Gaps.
firewall / General / Chain forward
firewall / General / Src Address 192.168.200.21 (it is an example)
firewall / Advanced / MAC address 00:0E:41:52:A4:B8
but, when I set the last line, firewall reject packets from this machine.
Maybe this is not the way to match MAC address and IP address.
Please, I will appreciate any help from you.
Ivan Perino
Re: Matching MAC and IP in firewall
hmmm.. firewall / Action - what action do you set? 
-
-
ivanperino
Frequent Visitor
- Posts: 70
- Joined:
Re: Matching MAC and IP in firewall
sorry, the action is ACEPT
I have not shown the entire configuration but it has been working well since months.
The point is that I want to match (on firewall) by IP address and MAC address too.
I will tell you the problem.
Clients change theirs IP just for watching what happend. and a lot of IP DUPLICAATED messages appears in clients who have the same IP address.
I thought If I clould check which MAC belong to such IP addres I could deny access to this issues.
THANKs (sorry if my english is not so good as you could expect)
I have not shown the entire configuration but it has been working well since months.
The point is that I want to match (on firewall) by IP address and MAC address too.
I will tell you the problem.
Clients change theirs IP just for watching what happend. and a lot of IP DUPLICAATED messages appears in clients who have the same IP address.
I thought If I clould check which MAC belong to such IP addres I could deny access to this issues.
THANKs (sorry if my english is not so good as you could expect)
Re: Matching MAC and IP in firewall
Hi All!
If somebody has a extension idea about same problem and it can take the modification from a common place (web, mikrotik, etc). Pls take it him/her ideas because I have a same problem.
I have a idea with ARP table. If I can modificate the ARP tale of Mikrotik by a script then is it a possible idea.
THNKS
If somebody has a extension idea about same problem and it can take the modification from a common place (web, mikrotik, etc). Pls take it him/her ideas because I have a same problem.
I have a idea with ARP table. If I can modificate the ARP tale of Mikrotik by a script then is it a possible idea.
THNKS
Re: Matching MAC and IP in firewall
this script makes all dynamic ARP table entries static, if there is no another entry with such MACHi All!
If somebody has a extension idea about same problem and it can take the modification from a common place (web, mikrotik, etc). Pls take it him/her ideas because I have a same problem.
I have a idea with ARP table. If I can modificate the ARP tale of Mikrotik by a script then is it a possible idea.
THNKS
Code: Select all
:local dmac
:local smac
:local dip
:local sip
:local iface
:local exist
:foreach i in [/ip arp find dynamic=yes] do={
:set exist false
:set dmac [/ip arp get $i mac-address]
:set dip [/ip arp get $i address]
:set iface [/ip arp get $i interface]
:foreach j in [/ip arp find dynamic=no] do={
:set smac [/ip arp get $j mac-address]
:if ($dmac=$smac) do={
:set sip [/ip arp get $j address]
:set exist true
}
}
:if ($exist!=true) do={
:log info ("Adding ARP entry with MAC " . $dmac . " and IP " . $dip)
/ip arp add copy-from=$i
}
}-
-
radocicala
Member Candidate
- Posts: 136
- Joined:
Re: Matching MAC and IP in firewall
Please can you explain what that script does??
Re: Matching MAC and IP in firewall
=)this script makes all dynamic ARP table entries static
for example, if you have a new user, it sets/receives via DHCP his new address, is being added to ARP table as dynamic record. then this script makes that record static. but when your old user changes its IP address, script will not add another static ARP entry with the same MAC
well, if you do not need control of 'duplicate' MAC addresses, at least in v3 you may use the following command to convert all dynamic entries to static:
Code: Select all
:foreach i in [/ip arp find dynamic=yes] do={ /ip arp add copy-from=$i }Re: Matching MAC and IP in firewall
Hello,
mine is v5.7 , you are genius and your solution worked for me on old mikrotik v2.9 , but iam not able to see it working on 5.7
Please help me
Thanks,
sathish
mine is v5.7 , you are genius and your solution worked for me on old mikrotik v2.9 , but iam not able to see it working on 5.7
Please help me
Thanks,
sathish
Re: Matching MAC and IP in firewall
what solution? what exactly doesn't work? what error do you see when you paste the script to Terminal?
Re: Matching MAC and IP in firewall
what solution? what exactly doesn't work? what error do you see when you paste the script to Terminal?
only one ip is adding , i had more than 500 ip's
Thanks,
Sathish
Re: Matching MAC and IP in firewall
and nothing in Terminal?..
Re: Matching MAC and IP in firewall
and nothing in Terminal?..
i cant access the terminal sir , iam getting "serial port already used by Serial Console (6)"
i tried to disable special login under system menu in winbox but i cant find this , iam not even ssh and telnet iam getting the same error
my ROS is 3.22, please help me in disabling this so, that i can get the terminal config i can paste here
Thanks,
Sathish
Re: Matching MAC and IP in firewall
(O_o)
just open WinBox and press 'Terminal' in left-side menu
p.s. a screenshot?..
just open WinBox and press 'Terminal' in left-side menu
p.s. a screenshot?..
Re: Matching MAC and IP in firewall
(O_o)
just open WinBox and press 'Terminal' in left-side menu
p.s. a screenshot?..
please help me
Thanks,
Sathish
Re: Matching MAC and IP in firewall
yep, seems like 'Special Login' feature
Re: Matching MAC and IP in firewall
But,yep, seems like 'Special Login' feature
i cant see a special login menu under system , i searched whole system but cant find
Thanks,
Sathish
Re: Matching MAC and IP in firewall
haha, in old versions it's available only via CLI 
create another user with full access, use terminal under another name
Code: Select all
/special-login printRe: Matching MAC and IP in firewall
Hello,
Chupka you are just great , and giving karma
iwant one more support, please help me , in my network iam introducing radius manager with hotspot i would like hotspot login auto redirect for the desired pool only , but its working for all the hosts who are connected to my network
i dont want this and i dont want to use user bypass in hotspot menu
Please tell us is there any chance to workout
Thanks,
Sathish
Chupka you are just great , and giving karma
iwant one more support, please help me , in my network iam introducing radius manager with hotspot i would like hotspot login auto redirect for the desired pool only , but its working for all the hosts who are connected to my network
i dont want this and i dont want to use user bypass in hotspot menu
Please tell us is there any chance to workout
Thanks,
Sathish
haha, in old versions it's available only via CLI
create another user with full access, use terminal under another nameCode: Select all/special-login print
Re: Matching MAC and IP in firewall
sorry, I don't work with Hotspots