technonotux
newbie
Topic Author
Posts: 32
Joined: Tue Jan 18, 2011 6:05 pm

Bridge filter MAC whitelist

Sun Dec 13, 2015 3:41 pm

Hello,

Scenario

LAN PCs=========Mikrotik-RB2011ui2hnd-RM (Configured as bridge)==========DHCP=====Main-Router

I have created a MikroTik bridge between 2 networks. My DHCP server resides on the other end, where we have reserved IP addresses based on MAC address, and we do not have any Layer 2 / Layer 3 switch in the network. But I have seen many unauthorized users assigning IP addresses manually and getting access to the network; it is also causing IP address conflicts on the network. So I thought MAC filtering using the bridge may work, as I don't want to touch any gateway / DHCP configuration, which is not in my control. I have the following queries based on the above scenario.

1. I am using an RB2011 (having 150 clients on the network). Is it a good method to create bridge filter rules and whitelist only the required MAC IDs to pass through and drop all others?
2. Is there any way I can create a whitelisted MAC ID list and create a filter based on that list? If yes, please explain how to get it done.
3. Is there any other way in MikroTik, instead of using a Layer 2/Layer 3 switch, to restrict unauthorized users who enter an IP address manually to get access to the network?
 
technonotux
newbie
Topic Author
Posts: 32
Joined: Tue Jan 18, 2011 6:05 pm

Re: Bridge filter MAC whitelist

Thu Dec 17, 2015 7:00 pm

Any clue on the issue? Please update.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bridge filter MAC whitelist

Thu Dec 17, 2015 9:21 pm

You could remove IP from the network and require PPPoE.
(of course that's a different management headache)

You could employ hotspot with MAC-based authentication and add the MAC addresses to a RADIUS server.


Is main-router the DHCP server, and a Mikrotik? If so then you could try this:
on the DHCP server settings, check the box for "Add ARP For Leases"
and on the IP interface, change arp type to reply-only

At this point, the users can still hardwire an IP address, but they won't be able to get to the Internet without hardwiring the MAC address of the main-router in their ARP cache. If they figure this out, then make a script that changes the MAC address of the router every so often. They'll still be able to access other devices in the LAN itself unless you have a switch that provides "private lan" options.

If the network is primarily wireless, then you can disable default forward (this isolates clients from each other) on the 2011.
 
technonotux
newbie
Topic Author
Posts: 32
Joined: Tue Jan 18, 2011 6:05 pm

Re: Bridge filter MAC whitelist

Fri Dec 18, 2015 4:48 am

Thanks for the reply, ZeroByte.

1) If I use Hotspot with MAC authentication, how can I allow unauthenticated users to access Windows SMB shares (NetBIOS) of other PCs and some websites without authentication?

2) I agree with both of your solutions, but isn't it possible through bridge firewall filters? This way I don't have to touch DHCP / create a Hotspot in my network. How can I make it easy with bridge filters?

ZeroByte wrote:
> You could remove IP from the network and require PPPoE.
> (of course that's a different management headache)
>
> You could employ hotspot with MAC-based authentication and add the MAC addresses to a RADIUS server.
>
> Is main-router the DHCP server, and a Mikrotik? If so then you could try this:
> on the DHCP server settings, check the box for "Add ARP For Leases"
> and on the IP interface, change arp type to reply-only
>
> At this point, the users can still hardwire an IP address, but they won't be able to get to the Internet without hardwiring the MAC address of the main-router in their ARP cache. If they figure this out, then make a script that changes the MAC address of the router every so often. They'll still be able to access other devices in the LAN itself unless you have a switch that provides "private lan" options.
>
> If the network is primarily wireless, then you can disable default forward (this isolates clients from each other) on the 2011.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bridge filter MAC whitelist

Fri Dec 18, 2015 6:10 am

technonotux wrote:
> Thanks for the reply, ZeroByte.
>
> 1) If I use Hotspot with MAC authentication, how can I allow unauthenticated users to access Windows SMB shares (NetBIOS) of other PCs and some websites without authentication?
>
> 2) I agree with both of your solutions, but isn't it possible through bridge firewall filters? This way I don't have to touch DHCP / create a Hotspot in my network. How can I make it easy with bridge filters?

With Hotspot, you could put some rules in the hs-unauth chain (which gets created automatically when you activate the hotspot feature) that allow this type of traffic. Honestly, I'd say that hotspot will be much more trouble than it's worth for what your goal is: to stop users from hardwiring their own IP addresses.

--

With bridge filters, you can accomplish your goal, but it would be pretty script-intensive. I notice that the DHCP server has a "run this script whenever a lease is created" option. You could make a bridge filter that drops all forwarding and input except for broadcast frames, and then make your script insert allow rules for each MAC address. However, if you have multiple switches (or use the hw switching of the 2011) this won't catch everything.

I think the controlled ARP entry solution is the best because it requires zero scripting and zero maintenance - it just works, and it forces users to get DHCP if they want to get on the Internet. I configured that setup in GNS3 and it worked like a champ and was brain-dead-easy to do.
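A concrete version of the lease-script idea sketched above (and of the OP's question 2 about a whitelisted MAC list), written as an added example for this thread; it is not code from the original posts or from MikroTik. It assumes RouterOS 6 syntax, a LAN-facing bridge port named ether2-master and a DHCP server running on the RB2011 itself, as in the export the OP posts later; with the DHCP server on the far side of the bridge the RB never sees a lease and the script never fires.

```routeros
# Added example: bridge-filter MAC whitelist driven by DHCP leases (RouterOS 6).
# Forward chain only: frames entering from the LAN port are dropped unless they are
# broadcast (so a DHCP DISCOVER still reaches the server) or their source MAC holds
# a current lease. Frames coming from the uplink side are not touched.
/interface bridge filter
add chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
    action=accept comment="whitelist: broadcast"
add chain=forward in-interface=ether2-master action=drop comment="whitelist: drop"

# Lease script. RouterOS runs it with $leaseBound (1 = lease bound, 0 = released or
# expired), $leaseActMAC and $leaseActIP set. Paste the body below into the DHCP
# server's lease-script field (Winbox: IP > DHCP Server > server > Lease Script, or
# /ip dhcp-server set defconf lease-script="..." with $ escaped as \$).
:local tag ("lease " . $leaseActMAC)
# drop any stale rule for this MAC first so renewals do not pile up duplicates
/interface bridge filter remove [ find comment=$tag ]
:if ($leaseBound = 1) do={
    /interface bridge filter add chain=forward \
        src-mac-address=($leaseActMAC . "/FF:FF:FF:FF:FF:FF") \
        action=accept comment=$tag \
        place-before=[ find comment="whitelist: drop" ]
    :log info ("whitelist: allowed " . $leaseActMAC . " (" . $leaseActIP . ")")
} else={
    :log info ("whitelist: revoked " . $leaseActMAC)
}
```

Two limits worth keeping in mind. On the RB2011 the ports ether3 to ether5 are switch-chip slaves of ether2-master, and frames switched in hardware between sibling ports never pass the bridge filter, so a host with a hand-typed IP can still talk to its neighbours on the same switch group; the filter only governs what crosses the bridge toward the uplink. And the whitelist keys on the source MAC, which a client can clone from a leased neighbour, so this is a deterrent against careless static addressing rather than a strong admission control, the same limitation ZeroByte notes for the reply-only ARP approach.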
 
technonotux
newbie
Topic Author
Posts: 32
Joined: Tue Jan 18, 2011 6:05 pm

Re: Bridge filter MAC whitelist

Sun Feb 14, 2016 10:40 am

Thanks for the reply, ZeroByte.

ZeroByte wrote:
> I think the controlled ARP entry solution is the best because it requires zero scripting and zero maintenance - it just works, and it forces users to get DHCP if they want to get on the Internet. I configured that setup in GNS3 and it worked like a champ and was brain-dead-easy to do.

[image: Network-Diagram.png]

I have some issues with controlled ARP; please find the configuration below.
I have configured the DHCP "add ARP for leases" option and also configured the bridge interface ARP as reply-only, but as I explained earlier I am using the MikroTik only as a bridge to my main router (to which I don't have access, but I can ask them to add a static ARP entry once). So in this case, if any of my client PCs hardwires a static IP manually, it can still access the main router as well as the Internet, i.e. 192.168.1.110. How can I block access to that IP? If a client does not have an IP from DHCP and is not logged on to the hotspot, he must not have access to the Internet.

[admin@MikroTik] > /export
# jan/01/2002 02:17:05 by RouterOS 6.34.1
# software id = W3NB-CA6B
#
/interface bridge
add admin-mac=E4:8D:8C:23:B2:E3 arp=reply-only auto-mac=no comment=defconf \
name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/ip hotspot profile
add dns-name=login.myhotspot.com hotspot-address=192.168.0.1 name=hsprof1
/ip pool
add name=default-dhcp ranges=192.168.0.100-192.168.3.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp disabled=no interface=bridge name=\
defconf
/ip hotspot
add address-pool=default-dhcp disabled=no interface=bridge name=hotspot1 \
profile=hsprof1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
/ip address
add address=192.168.0.1/22 comment=defconf interface=bridge network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/22 comment=defconf gateway=192.168.1.110
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.1 name=router
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
ether1
/ip hotspot user
add name=admin password=abc
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bridge filter MAC whitelist

Sun Feb 14, 2016 4:48 pm

I must have missed the detail that your Mikrotik is acting as a bridge. You can't do this (efficiently) with a bridge - bridges are only layer 2 devices (ethernet) and don't really participate in IP.

In a bridge, you could filter ARPs with the bridge firewall rules, but since there's no address-list for MAC addresses, you would have to make a chain rule for each MAC address you want to allow, and if you have lots of hosts on the LAN, this is going to slow down performance, especially for users unfortunate enough to have their MAC at the end of the chain.

You would probably be better off doing double nat and using your Mikrotik as a router, at which point you would be able to enforce the dhcp requirement with reply-only ARP. It appears that the Mikrotik would also need to be configured as the DHCP server because the "add arp for lease" option is not available for DHCP relay.
 
technonotux
newbie
Topic Author
Posts: 32
Joined: Tue Jan 18, 2011 6:05 pm

Re: Bridge filter MAC whitelist

Sun Feb 14, 2016 5:09 pm

In the case of double NAT, I cannot apply the content filter managed by the main router? What's the other option? Is it possible to do same-subnet IP routing without NAT?

Or is there any better content filter solution on MikroTik (except OpenDNS, as I cannot apply a per-IP policy)?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bridge filter MAC whitelist

Sun Feb 14, 2016 5:15 pm

Well, if you want to avoid double nat, if the main router will let you add static routes, then change your lan's IP range to something new e.g. 192.168.128.0/22 and then have the main router create a static route for this new network via the wan IP of the Mikrotik e.g. 192.168.1.2
Then just don't do any NAT in the Mikrotik. The content filter will still see the IP of the clients and be able to filter based on that.
 
technonotux
newbie
Topic Author
Posts: 32
Joined: Tue Jan 18, 2011 6:05 pm

Re: Bridge filter MAC whitelist

Sun Feb 14, 2016 5:29 pm

The main router is a Linux box with Squid configured; I can add a static route in that. I assume your suggestion is as follows.

Main Router:
WAN interface: goes to the ISP with a public IP
LAN interface (192.168.1.1/24): connected to MikroTik RB2011 on ether3 (192.168.1.2/24)

MikroTik RB2011: ether2 (192.168.128.1/22) goes to the LAN

Do I need to add any routes to the MikroTik? Which gateway address should be configured on my LAN clients, 192.168.128.1 or 192.168.1.1?

* Please suggest commands, if any, on Linux / MikroTik.
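The routed, NAT-free layout ZeroByte proposed two posts up, written out for the interface names and addresses given in this post as an added example (not from the thread's participants or from MikroTik). It assumes ether2 and ether3 are plain routed ports; on the default configuration in the OP's export ether2 is called ether2-master and sits in the bridge, and ether3 is a switch-chip slave of it, so the first three lines undo that. The sample printer MAC is constructed.

```routeros
# Added example: RB2011 routing between the main router (192.168.1.1) and the LAN
# (192.168.128.0/22), no NAT, DHCP use enforced with add-arp + reply-only ARP.
# 0. Detach the two ports from the default bridge / switch-group setup
/interface bridge port remove [ find interface=ether2-master ]
/interface ethernet set [ find default-name=ether3 ] master-port=none
/interface ethernet set [ find default-name=ether2 ] name=ether2

# 1. Addressing and the default route toward the main router.
#    LAN clients use 192.168.128.1 as their gateway: 192.168.1.1 is not on their link.
/ip address add address=192.168.1.2/24 interface=ether3 comment="uplink to main router"
/ip address add address=192.168.128.1/22 interface=ether2 comment="LAN"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1

# 2. DHCP served by the RB2011; add-arp=yes installs one static ARP entry per lease
#    and removes it again when the lease expires or is released
/ip pool add name=lan-pool ranges=192.168.128.10-192.168.131.254
/ip dhcp-server network add address=192.168.128.0/22 gateway=192.168.128.1 \
    dns-server=192.168.1.1
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool \
    add-arp=yes disabled=no

# 3. reply-only: ether2 answers ARP and resolves neighbours only from its static
#    entries, so a host with a hand-typed address never learns the gateway MAC
#    and no return traffic can be delivered to it
/interface ethernet set ether2 arp=reply-only

# 4. Devices that need a fixed address get a static lease instead of a manual IP
/ip dhcp-server lease add server=lan-dhcp mac-address=00:11:22:33:44:55 \
    address=192.168.128.20 comment="printer (constructed sample MAC)"

# No srcnat rule on the RB2011. The main router needs a static route for
# 192.168.128.0/22 via 192.168.1.2 so replies (and the Squid content filter,
# which now sees real client IPs) find their way back.
```

The enforcement here lives entirely in the router's ARP handling: it does not stop a statically addressed host from reaching other LAN hosts at layer 2, and a host that copies both the IP and the MAC of a leased neighbour still gets through. The operational gain over the bridge-filter script is that no rules are created or cleaned up per client; the lease table is the whitelist.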
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bridge filter MAC whitelist

Sun Feb 14, 2016 6:25 pm

If the main router is a squid box, you could configure it to work without being in-line and let the Mikrotik be the router.

Make a dedicated squid interface and a dedicated squid network-
e.g.:
squid IP 192.168.255.2/24
ether5 IP 192.168.255.1/24
(make sure ether5 is not a slave port of a switch, or attached to any bridge)

In the Mikrotik:
Mikrotik LAN IP 192.168.0.1/24
DHCP on Mikrotik as discussed earlier with add static arp option, lan interface set arp=reply-only

mangle rule:
chain=prerouting in-interface=lan protocol=tcp dst-port=80 action=mark-routing new-routing-mark=proxy
(sets up for policy routing to forward http to the squid proxy)

Then add policy route:
/ip route add dst=0.0.0.0/0 gateway=192.168.255.2 routing-mark=proxy

Finally, the srcnat:
/ip firewall nat add chain=srcnat out-interface=wan action=masquerade
(just a basic NAT rule)

In the Linux box:
You will need to set the default GW to be 192.168.255.1
and add this rule to iptables:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

You could also try redirecting https to the proxy but I think that would end up causing certificate warnings, but if your existing setup works, then this new version should also work. Basically, the squid proxy will now only receive http (and perhaps https if you add another mangle rule for port 443 and another REDIRECT rule for 443 on the Linux box) and all other traffic will just flow straight to the Internet w/o going through the squid box.
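The MikroTik half of this layout as a complete rule set, written as an added example (not the post's own commands or MikroTik's). Interface names are assumptions: ether1 = WAN, ether2 = LAN, ether5 = the dedicated link to the Squid box at 192.168.255.2 as described above. It goes beyond the post in one respect: the OP's export has a fasttrack rule, and fasttracked packets skip the mangle table, so a plain mark-routing rule would only redirect the first packet of each connection. The connection is therefore marked once and proxied connections are excluded from fasttrack.

```routeros
# Added example: policy-route LAN http to a Squid box on ether5 (RouterOS 6).
/ip address add address=192.168.255.1/24 interface=ether5 comment="link to squid"

# Mark the connection on its first packet, then give every packet of that
# connection the routing mark. dst-address-type=!local leaves traffic aimed at
# the router itself (hotspot login page, WebFig on port 80) alone.
/ip firewall mangle
add chain=prerouting in-interface=ether2 protocol=tcp dst-port=80 \
    connection-state=new dst-address-type=!local \
    action=mark-connection new-connection-mark=to-proxy passthrough=yes \
    comment="http from LAN -> proxy"
add chain=prerouting in-interface=ether2 connection-mark=to-proxy \
    action=mark-routing new-routing-mark=proxy passthrough=no

# Policy route for marked packets. check-gateway=ping deactivates the route when
# the Squid box stops answering; RouterOS 6 then falls through to the main table,
# so the content filter fails OPEN (web still works, unfiltered). Drop the
# check-gateway option if an outage should fail closed instead.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.255.2 routing-mark=proxy \
    check-gateway=ping

# Fasttrack everything except the proxied connections; otherwise the second and
# later packets of an http session bypass mangle and go straight out the WAN.
/ip firewall filter
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=!to-proxy \
    comment="fasttrack all but proxied http"
add chain=forward connection-state=established,related

# One masquerade rule covers direct client traffic and Squid's own fetches
# (those arrive on ether5 without a mark and take the main table to ether1).
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
```

Replies from Squid to the clients arrive on ether5 with no mark and are routed back to the LAN through the main table, so nothing else is needed on the MikroTik side; the Linux box keeps the REDIRECT rule and default gateway from the post above.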
 
technonotux
newbie
Topic Author
Posts: 32
Joined: Tue Jan 18, 2011 6:05 pm

Re: Bridge filter MAC whitelist

Sun Feb 14, 2016 6:35 pm

Thanks, but the Squid box is not fully configurable; it's an IPCop firewall where the Squid configuration is limited.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bridge filter MAC whitelist

Sun Feb 14, 2016 6:45 pm

Well, if it's designed to be a transparent in-line proxy, then it will still work when you have policy routing in place as long as the firewall allows you to create static routes - static route the LAN range to 192.168.255.1 (in my example) and then you could always burn one more interface on the Mikrotik for the proxy's WAN interface:

192.168.254.1/24 = Mikrotik (and the firewall's default GW)
192.168.254.2/24 = Firewall's WAN interface.

Basically, policy routing forwards web traffic (and any other traffic you'd like it to filter) to the firewall, and allows everything else to just go straight to the Internet.
 
technonotux
newbie
Topic Author
Posts: 32
Joined: Tue Jan 18, 2011 6:05 pm

Re: Bridge filter MAC whitelist

Sun Feb 14, 2016 7:28 pm

There is a situation I just found out from the IT staff: there is no additional slot available for adding an extra Ethernet card in the Squid box (IPCop), so the current solution may not be feasible. Please see if there is any other way.