 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Mac Address Filter

Tue Jul 11, 2006 2:47 pm

Hi, I need to block internet access for some computers on a customer network. Can I do that with the /ip firewall mangle feature? How? They must check e-mails but not access the www and chat, etc.


Thanks a lot
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Jul 11, 2006 2:54 pm

Firewall filter will help you.
'ip firewall filter'. Use chain=forward to allow/block clients' traffic. Allow e-mail traffic (25/110 port numbers), and block other traffic.
http://www.mikrotik.com/docs/ros/2.9/ip/filter
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Tue Jul 11, 2006 3:05 pm

OK, understood. Do you recommend that I apply firewall filters and not firewall mangle?
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Tue Jul 11, 2006 3:09 pm

If you have to block something completely, then filter is the place to go.
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Jul 11, 2006 3:10 pm

Mangle allows you to mark packets and modify values in the IP header, like the TOS (DSCP) and TTL fields.
'ip firewall filter' filters packets.
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Tue Jul 11, 2006 10:14 pm

In this case I have a wireless LAN with an Encore access point and need to put the MK between the ADSL modem and this Encore. In the MAC address filter in the MK, I must put the wireless MAC address, no?

Thanks
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Wed Jul 12, 2006 3:06 pm

Another question: if I want to set more than one MAC address in a firewall filter rule, may I do that? E.g.:

add in-interface=inside src-mac-address=00-08-AA-50-BD-33,00-08-AA-50-BD-35, dst-address=0.0.0.0 dst-port=80 protocol=tcp action=drop comment="" disabled=no



Thanks
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Wed Jul 12, 2006 3:10 pm

I think you can set only one MAC address entry per rule.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Wed Jul 12, 2006 9:25 pm

I would create a new chain called MAC-Auth. Put all of the MAC addresses that are allowed access to the network in this chain and put a REJECT rule at the bottom of the chain.

Then jump to this chain from the INPUT filter with the condition that the traffic originates from the LAN interface.

That should take care of it.

Your bill is in the mail. ;)


-Bill
 
fpascual
Member Candidate
Topic Author
Posts: 140
Joined: Mon May 29, 2006 3:17 pm

Thu Jul 13, 2006 2:19 pm

Bill, thanks. Have you got an example of this?
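
Editor's added example, not posted by anyone in this thread: one way to combine the suggestions above, with one rule per MAC address jumping to a custom chain that allows only mail and drops everything else. The jump is made from chain=forward (the chain sergejs names for client traffic); the chain name "restricted" and the DNS rule are assumptions, the interface name and MAC addresses are taken from the question and written in colon-separated form.

```routeros
# Added example; the chain name "restricted" is hypothetical.
/ip firewall filter

# One jump rule per restricted computer (one src-mac-address per rule).
add chain=forward in-interface=inside src-mac-address=00:08:AA:50:BD:33 \
    action=jump jump-target=restricted comment="restricted PC 1"
add chain=forward in-interface=inside src-mac-address=00:08:AA:50:BD:35 \
    action=jump jump-target=restricted comment="restricted PC 2"

# Inside the chain: allow e-mail (SMTP 25, POP3 110), drop the rest.
add chain=restricted protocol=tcp dst-port=25 action=accept comment="SMTP"
add chain=restricted protocol=tcp dst-port=110 action=accept comment="POP3"
# Assumption: clients resolve names through a DNS server beyond the router.
add chain=restricted protocol=udp dst-port=53 action=accept comment="DNS"
add chain=restricted action=drop comment="all other traffic from restricted PCs"
```

Rules are evaluated in order, so the two jump rules must sit above any general accept rule in chain=forward. The router matches the MAC address of the last layer-2 hop, so individual wireless clients are only distinguishable if the access point bridges rather than routes or NATs, and a client can change its MAC address.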