Community discussions

MikroTik App
 
zong
newbie
Topic Author
Posts: 27
Joined: Thu Sep 29, 2005 2:13 pm

how block by IP or MAC addrres?

Thu Sep 29, 2005 3:15 pm

Hi..All,

Need help, I already install and seting MT with DNS, Gateway correctly and now all user on our network can connect to internet. any body can assist me step by step to restrict user by IP/Mac address?
My configuration asf :

INTERNET
|
|
Mikrotik
ether0 192.168.0.100
ether1 10.97.20.100 -> Client 10.97.20.25 DNS:202.134 GW:10.97.20.100
DNS: 202.134.x.x
Gateway:192.168.0.254

--->Client 10.97.20.98
DNS :202.134.x.x
gateway:10.97.20.100

Now both client can browsing.
How to block client 10.97.20.98 to access the router ??
Need help..
 
proxy
Frequent Visitor
Frequent Visitor
Posts: 82
Joined: Wed Dec 15, 2004 1:18 am

Thu Sep 29, 2005 8:47 pm

ip firewall rule forward> add src-address=10.97.20.98 src-mac-address=00:0
0:00:00:00:00 action=drop 
 
zong
newbie
Topic Author
Posts: 27
Joined: Thu Sep 29, 2005 2:13 pm

Fri Sep 30, 2005 4:54 am

ip firewall rule forward> add src-address=10.97.20.98 src-mac-address=00:0
0:00:00:00:00 action=drop 
already tried but appear error mesg. "Source Bad"
any other idea ?
fyi i am using Mt 2.7.14
 
cabana
Frequent Visitor
Frequent Visitor
Posts: 71
Joined: Fri Feb 18, 2005 9:18 pm

Fri Sep 30, 2005 5:28 am

I believe tha you need to check the mask in your source address, something like 10.97.20.98/32
 
zong
newbie
Topic Author
Posts: 27
Joined: Thu Sep 29, 2005 2:13 pm

Fri Sep 30, 2005 6:21 am

ip firewall rule forward> add src-address=10.97.20.98/16 src-mac-address=00:00:00:00:00:00 action=drop

already put netmask but the porblem still the same " Source bad"

any other suggestion ?
 
User avatar
larmaid
Member Candidate
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Fri Sep 30, 2005 6:50 am

ip firewall rule forward>add src-address=10.97.20.98/32 action=drop protocol=all
 
zong
newbie
Topic Author
Posts: 27
Joined: Thu Sep 29, 2005 2:13 pm

Fri Sep 30, 2005 10:40 am

thanks larmaid and all,
now its works, but may be there is a better way ?

I was thingking, mmhhh how about if there are so many user, 100 users do i have on one by one to block them ??
how the correct syntact --> block all and then allow user that we want to give them access ?

Thanks
 
the_time
newbie
Posts: 28
Joined: Sun Sep 26, 2004 5:14 pm

Fri Sep 30, 2005 11:24 am

For example if you want to block class 10.97.20.x and allow only som of the to have access you can do that like this
ip firewall rule forward add src-address=10.97.20.98/32 action=acept
ip firewall rule forward add action=drop 
the last rule will drop everything and if you want to allow clients to have acces after you have set this rule you can do it
ip firewall rule forward add src-address=10.97.20.x/32 action=acept place-before=0
Hope that this will help.
 
User avatar
larmaid
Member Candidate
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Fri Sep 30, 2005 2:55 pm

yup i think so.....

you need to block all the ip range in rule forward put it in the top, then you set the ip you want to accept in rule forward to.!


but if the accept ip is same (10.10.2.0-10.10.2.254) you only write once!
 
zong
newbie
Topic Author
Posts: 27
Joined: Thu Sep 29, 2005 2:13 pm

Fri Sep 30, 2005 5:09 pm

if I block all IP addr on the top then I accept specify Ip address
the sytem become block all IP and can not connect
any other idea ?

btw how to block or accept for the rang IP address I want block/accept?
for example:
block address 10.97.20.50/32 - 10.97.20.90/32

or may be there is the simple way ?
 
User avatar
bholler
Trainer
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria
Contact:

Fri Sep 30, 2005 6:55 pm

Hello Zong,

There is no magic u can do about it....expect if there is a script (which i am yet to know about) that can do that for you automatically.If u want it to be automatic, then you will need a RADIUS which will specity the time range u want for a particular MAC address ( that is if u r doing RADIUS MAC).

In the alternative ( manually) and according to the previous command lines given to u. specify accordingly in the forward chain

/ip firewall rule forward add address=10.97.20.90/32 action=accept

(u will do this for all the host u want to allow and place them above the rules i will specify below... comment can also help u out in sorting the right IP for the right host)

/ip firewall rule forward add address=10.97.20.0/24 action=drop

(/24 if that is ur netmask....this will drop pactects from any other ip host in the network)


i hope this will sort your problem.....and if anybody has better ideas, let us have it too.
 
User avatar
bholler
Trainer
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria
Contact:

Fri Sep 30, 2005 7:08 pm

corrction to my command line

/ip firewall rule forward add src-address=10.97.20.90/32 action=accept


ip firewall rule forward add src-address=10.97.20.0/24 action=drop
 
User avatar
larmaid
Member Candidate
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Sat Oct 01, 2005 6:11 am

okay....theres is a way....!
but you need to install hotspot first!
if you already install it...then:

1.erase all the rule in dst-nat.
2.write the ip you want to acept in forward place in top,i forget how to count a range ip..!
3.then write this rule if your client have to login first in login page:
go to winbox->

do this

1.add src-address (10.10.aa.0/24)you want to redirect to hotspot
dst-port=53
protocol=udp
in.interface=all
action redirect
laennya default.

2.add src-address (10.10.aa.0/24)
in.interface=lan
protocol=tcp
flow=hs-auth
action=redirct
to dst.port=80

if your client do not want to login first then dont write no.3
but if u do this u have to login first if u want to using winbox..!

Who is online

Users browsing this forum: Google [Bot] and 40 guests