AsDsL
newbie
Topic Author
Posts: 45
Joined: Mon Jun 07, 2004 1:25 am

Firewall rules in Mikrotik to verify MAC and IP address

Sun Oct 10, 2004 6:40 pm

Some time ago I saw this in a forum. I'm trying to implement it for my customers.

When I do step 6, everything is dropped.

Is it possible to fix?
How?

"If using WinBox, select IP->Firewall. The Filter Rules tab should be selected by default.

1. On the right side near the top is a select box allowing you to choose a chain to modify, Select the 'forward' chain.

2. Now enter a new rule for this chain. In the Src. Address field enter the customer's IP address.

3. Then select the 'Advanced' tab and enter the customer's MAC address in the Src. MAC Address field.

4. Then click the 'Action' tab and set the Action field to accept.

5. Create one of these rules for each customer.

6. Once all your customer rules are in place, create one last default rule. The only thing you need to set in the default rule is to set the action in the 'Action' tab to drop. Make sure the default rule is at the very bottom of the rule set. If any of your customer rules are below the default rule any traffic from those customers will be dropped before their specific rule is examined. With this setup, any correct packet (that is, IP and MAC match correctly) will be accepted by the forward chain and passed through the router, but any other packets will automatically be dropped."


Thanks in advance!
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Mon Oct 11, 2004 3:03 pm

That's right, this is how firewall filters work!
Quote from the manual:
When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain.
http://www.mikrotik.com/docs/ros/2.8/ip ... ent#6.35.4
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Tue Oct 12, 2004 10:56 pm

Yes, but the user is complaining that all packets are rejected once the last default rule is in place.

What Interfaces are these customer rules being applied to? If all, then the return packets will be rejected because the IP addresses and MACs will not be recognised on the Internet side. You need to apply the rules to the LAN side only.

Regards

Andrew
 
AsDsL
newbie
Topic Author
Posts: 45
Joined: Mon Jun 07, 2004 1:25 am

Tue Oct 12, 2004 11:02 pm

Hi andrewluck,
Yes, it is applied to 'all'. Now I'm going to apply it only to LAN; I'll let you know.

Thanks!
 
AsDsL
newbie
Topic Author
Posts: 45
Joined: Mon Jun 07, 2004 1:25 am

Tue Oct 12, 2004 11:38 pm

It doesn't work!
I changed to in-interface=LAN, then out-interface=LAN, and every possible combination of LAN, WAN and Bridge.

Please see my firewall config:

Flags: X - disabled, I - invalid, D - dynamic
0 src-address=192.168.200.1/32 in-interface=LAN src-mac-address=00:05:E6:B9:00:15
action=accept

1 src-address=192.168.200.2/32 action=accept

2 action=drop log=yes


/ ip firewall rule forward
add src-address=192.168.200.1/32 in-interface=LAN src-mac-address=00:05:E6:B9:00:15 \
action=accept comment="" disabled=no
add src-address=192.168.200.2/32 action=accept comment="" disabled=no
add action=drop log=yes comment="" disabled=no
[admin@mikrotik] ip firewall rule forward>
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Wed Oct 13, 2004 12:11 pm

Yes, but the user is complaining that all packets are rejected once the last default rule is in place.
All packets which come back are dropped.. you must allow established and related connections.
Place these two rules before all your rules:
connection-state=related action=accept
connection-state=established action=accept
 
AsDsL
newbie
Topic Author
Posts: 45
Joined: Mon Jun 07, 2004 1:25 am

Thu Oct 14, 2004 12:44 am

Done, and it doesn't work.


0 connection-state=related action=accept

1 connection-state=established action=accept

2 src-address=192.168.200.1/32 in-interface=LAN src-mac-address=00:05:E6:B9:00:15
action=accept

3 src-address=192.168.200.2/32 in-interface=LAN action=accept

4 action=drop log=yes
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Thu Oct 14, 2004 11:32 am

[admin@82] ip firewall rule forward> print
Flags: X - disabled, I - invalid, D - dynamic
0 connection-state=established action=accept
1 connection-state=related action=accept
2 src-address=x.x.x.83/32 in-interface=ether1 src-mac-address=x:x:x:x:72:3E action=accept
3 action=drop

82 is a bridge between 83 and others; when I disable the 2nd rule, traffic doesn't go through, so in your case it should be the same -- check the MAC addresses (ping 192.168.200.1 and see in `/ip arp print` what MAC it has).
And btw, what configuration do you have and what version are you using?
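The behaviour the thread turns on (rules tried top to bottom, first match wins, a default drop at the bottom also catches reply packets unless an established/related accept sits above it, and a customer rule that only matches the right IP and MAC on the LAN side) can be modelled in a few lines. The following is an added example written for this page, not MikroTik code and not anything posted in the thread: it is a toy Python model of the 'forward' chain with minimal connection tracking. The interface names LAN/WAN, the rule and class names, the documentation addresses 198.51.100.10 and 203.0.113.5, and the MACs other than the one from the thread are all constructed for illustration, and the assumption that a built-in chain accepts a packet no rule matched is marked in the code.

```python
# Constructed example: a toy first-match model of the RouterOS 2.8 'forward'
# chain discussed in the thread. It is not MikroTik code; interface names,
# class names and all addresses/MACs except the one quoted in the thread are
# assumptions for illustration.
from dataclasses import dataclass
from typing import Optional, List, Dict


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    in_iface: str


@dataclass
class Rule:
    action: str                              # "accept" or "drop"
    src_address: Optional[str] = None        # "192.168.200.1/32" style; /32 ignored
    src_mac: Optional[str] = None
    in_interface: Optional[str] = None
    connection_state: Optional[str] = None   # "established", "related" or None
    log: bool = False

    def matches(self, pkt: Packet, state: str) -> bool:
        # Every matcher that is set must agree; unset matchers match anything.
        if self.src_address and pkt.src_ip != self.src_address.split("/")[0]:
            return False
        if self.src_mac and pkt.src_mac.lower() != self.src_mac.lower():
            return False
        if self.in_interface and pkt.in_iface != self.in_interface:
            return False
        if self.connection_state and state != self.connection_state:
            return False
        return True


class ForwardChain:
    """Rules are tried top to bottom; the first match decides, as the manual says."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.conntrack = set()       # unordered IP pairs of flows that were accepted
        self.log: List[str] = []

    def _state(self, pkt: Packet) -> str:
        # Minimal connection tracking: a packet belonging to an already accepted
        # flow (either direction) is "established", anything else is "new".
        key = frozenset((pkt.src_ip, pkt.dst_ip))
        return "established" if key in self.conntrack else "new"

    def process(self, pkt: Packet) -> str:
        state = self._state(pkt)
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt, state):
                if rule.log:
                    self.log.append(f"rule {idx} {rule.action} "
                                    f"{pkt.src_ip}->{pkt.dst_ip} via {pkt.in_iface}")
                if rule.action == "accept":
                    self.conntrack.add(frozenset((pkt.src_ip, pkt.dst_ip)))
                return rule.action
        return "accept"   # assumption: a built-in chain accepts when no rule matches


# Rules as in the thread: customer IP+MAC on the LAN side, default drop with log.
CUSTOMER = Rule("accept", src_address="192.168.200.1/32",
                src_mac="00:05:E6:B9:00:15", in_interface="LAN")
DEFAULT_DROP = Rule("drop", log=True)
STATEFUL = [Rule("accept", connection_state="established"),
            Rule("accept", connection_state="related")]

# Constructed traffic; 198.51.100.10 and 203.0.113.5 are documentation addresses.
OUTBOUND = Packet("192.168.200.1", "198.51.100.10", "00:05:E6:B9:00:15", "LAN")
REPLY = Packet("198.51.100.10", "192.168.200.1", "00:11:22:33:44:55", "WAN")
SPOOFED_MAC = Packet("192.168.200.1", "203.0.113.5", "00:DE:AD:BE:EF:00", "LAN")


def run_scenario(with_stateful_rules: bool) -> Dict[str, str]:
    """Verdict for each constructed packet, with or without the two stateful rules on top."""
    rules = (STATEFUL if with_stateful_rules else []) + [CUSTOMER, DEFAULT_DROP]
    chain = ForwardChain(rules)
    return {
        "outbound": chain.process(OUTBOUND),        # customer's first packet
        "reply": chain.process(REPLY),              # answer coming back on WAN
        "spoofed_mac": chain.process(SPOOFED_MAC),  # right IP, wrong MAC, new flow
    }


def misordered_default() -> str:
    """Default drop placed above the customer rule: even valid traffic is dropped."""
    return ForwardChain([DEFAULT_DROP, CUSTOMER]).process(OUTBOUND)


if __name__ == "__main__":
    print("without established/related:", run_scenario(False))
    print("with established/related:   ", run_scenario(True))
    print("drop rule first:            ", misordered_default())
```

Running it reproduces the thread: with only the customer rule and the default drop, the customer's own packet is accepted but the reply arriving on WAN hits the default drop, because its source IP and MAC belong to no customer rule; with the established/related accepts placed first the reply passes, while a packet that has the right IP but the wrong MAC on a new flow is still dropped; and a default drop placed above the customer rule drops everything, which is the ordering mistake step 6 warns about.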