Hello.
I know this thing has been posted, but I feel like I've got a special situation:
I need to create a "WhiteList" for people that are allowed to acces the internet on the MT. I'm only using it as a LAN station, so no Wireless involved. I've been trying numerous solutions...
I can't mark the packages, because that ruins the bandwidth limiting by country (http://wiki.mikrotik.com/wiki/How_to_ap ... as_traffic).
I need something MORE than the hotspot method that redirects the clients to the hotspots login page, because that still allows access to IRC and other services... and it's more like a black list =/
I've tried some other way to block their acces, but if I cut everything, the transparent proxy still remains in place and customers can still get access.
So, is there a solution for me? and I want to use Transparent Proxy, Different Limits for Local/Overseas, and to be able to block client's acess completely.
Thanks
Static ARP table can help you for secure network access.
Set 'arp=reply-only' to local interface (interface users are connected to), add IP MAC addresses pairs to '/ip arp'. Only users from '/ip arp' will be able to access outer networks.
What do you mean by 'I can't mark the packages, because that ruins the bandwidth limiting by country' ?
Anyway mangle is required if you want to apply limits for the different type of traffic.
Set 'arp=reply-only' to local interface (interface users are connected to), add IP MAC addresses pairs to '/ip arp'. Only users from '/ip arp' will be able to access outer networks.
What do you mean by 'I can't mark the packages, because that ruins the bandwidth limiting by country' ?
Anyway mangle is required if you want to apply limits for the different type of traffic.
well, first I tried to block everything in forward that is not marked with "allowed". but if I mark packages that way, bandwidth limiting doesn't work anymore, because it overrides the previously "local" / "external" traffic marks.
I can't use the ARP table because I use dhcp with dynamic leases (currently I only have a /25 and I've got almost 130 clients and I'm still waiting for my /24 - damn isp!)
Any other solution?
I can't use the ARP table because I use dhcp with dynamic leases (currently I only have a /25 and I've got almost 130 clients and I'm still waiting for my /24 - damn isp!)
Any other solution?
I tried using DHCP leases. I added every client, bla, bla... I set arp to reply-only and clients are still able to access the internet and ping the local mikrotik server...
How's that? =/
I've got enabled the following "tricks":
http://wiki.mikrotik.com/wiki/How_to_Block_Customer
http://wiki.mikrotik.com/wiki/How_to_se ... _using_ARP
http://wiki.mikrotik.com/wiki/How_to_ap ... as_traffic
And transparent proxy.
Here's the output of
the DHCPD server is set not to add arp entries in the table:
How do I set the DHCPD server not to give dynamic ips? how can I make it reply only static?
The FORWARD method doesn't work, if I add DROP, it just drops everything, even if I added a rule that accepts the specified macs before dropping...
I'm in the state that I can't actually do anything to prevent other users to connect to my network without knowing... and some clients could just change their mac address and get connected with another IP addres.. =/
Also, I mention that I have a running Fileserver on the network (Samba) that also acts as a WINS, DNS, http, ftp server.
EDIT: Seems that HOTSPOT is doing me this... if I disable the Bypass rule, I get the normal behaviour of arp... how can I fix this?
I still want to keep the hotspot feature so I can notify clients they didn't pay...
I'm willing to try another to redirect users to a local running webserver if they don't pay... I tried it but I didn't have too much success =/
How's that? =/
I've got enabled the following "tricks":
http://wiki.mikrotik.com/wiki/How_to_Block_Customer
http://wiki.mikrotik.com/wiki/How_to_se ... _using_ARP
http://wiki.mikrotik.com/wiki/How_to_ap ... as_traffic
And transparent proxy.
Here's the output of
Code: Select all
interface ethernet> print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R internet 1500 00:0A:CD:07:12:AE enabled
1 R lan 1500 00:90:27:A8:17:70 reply-only
Code: Select all
ip dhcp-server> print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 N-Zone lan n-zone 6h
The FORWARD method doesn't work, if I add DROP, it just drops everything, even if I added a rule that accepts the specified macs before dropping...
I'm in the state that I can't actually do anything to prevent other users to connect to my network without knowing... and some clients could just change their mac address and get connected with another IP addres.. =/
Also, I mention that I have a running Fileserver on the network (Samba) that also acts as a WINS, DNS, http, ftp server.
EDIT: Seems that HOTSPOT is doing me this... if I disable the Bypass rule, I get the normal behaviour of arp... how can I fix this?
I still want to keep the hotspot feature so I can notify clients they didn't pay...
I'm willing to try another to redirect users to a local running webserver if they don't pay... I tried it but I didn't have too much success =/