How do I block unknown devices?
Posted: Wed Feb 16, 2022 10:00 pm
by NotAdad
I wanna make a rule where it blocks internet to devices that are not in an address list.
I've got it set up like this. chain forward> src. address list if not (list) > action drop.
But instead of blocking devices that aren't on the list it just blocks everything. : /
Re: How do I block unknown devices?
Posted: Wed Feb 16, 2022 10:10 pm
by erlinden
Can you please share your exact configuration? So...all the filters and the list involved.
Re: How do I block unknown devices?
Posted: Wed Feb 16, 2022 10:13 pm
by NotAdad
Can you please share your exact configuration? So...all the filters and the list involved.
How would I do that? Do I need to export the config or something?
Re: How do I block unknown devices?
Posted: Wed Feb 16, 2022 10:24 pm
by erlinden
If you post the complete export, we can check the entire config:
/export hide-sensitive file=anynameyoulike
Re: How do I block unknown devices?
Posted: Wed Feb 16, 2022 10:45 pm
by NotAdad
If you post the complete export, we can check the entire config:
/export hide-sensitive file=anynameyoulike
How does this look?
Re: How do I block unknown devices?
Posted: Fri Feb 18, 2022 2:49 am
by k6ccc
First of all, generally the recommendation is to specifically allow what you want to allow and then at the bottom of each chain, delete everything. For example:
add action=drop chain=forward comment=\
"Drop any forward packets that get this far"
and
add action=drop chain=input comment=\
"Drop any input packets that get this far"
Using that mentality, I would change your first rule to allow "known devices" and then add a drop everything at the end of the forward chain. Of course several other of your rules would require similar changes.
Also, makes it easier for us humans if you group all your input packets together and all your forward packets together, etc rather than mixing them together. The router does not care, but it is far easier for us humans to read.
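An allow-list layout along the lines suggested above, as an added example that is not part of the original post or the poster's configuration; the list name known-devices, the sample addresses and the interface names bridge and ether1 are assumptions. It also shows why a single forward rule that drops "source not in list" stops all traffic: reply packets from the internet carry the remote server's source address, which is never in the list.

```routeros
# Added example with constructed values: list name, addresses and
# interface names (bridge = LAN, ether1 = WAN) are assumptions.
/ip firewall address-list
add list=known-devices address=192.168.88.10 comment="laptop (sample)"
add list=known-devices address=192.168.88.11 comment="phone (sample)"

# Rule shape that blocks everything when used alone in the forward chain:
#   add chain=forward action=drop src-address-list=!known-devices
# It matches return traffic too, because the source of a reply is the
# internet host, not the LAN device.

/ip firewall filter
# Accept replies to connections that a later rule already allowed.
add chain=forward action=accept connection-state=established,related \
    comment="Allow replies to permitted connections"
add chain=forward action=drop connection-state=invalid \
    comment="Drop invalid packets"
# Only listed LAN devices may open new connections towards the WAN.
add chain=forward action=accept in-interface=bridge out-interface=ether1 \
    src-address-list=known-devices comment="Known devices to internet"
# Everything else, including unknown devices, ends here.
add chain=forward action=drop \
    comment="Drop any forward packets that get this far"
```

Address lists match on IP address, so the listed devices need static DHCP leases for the allow rule to keep matching them.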
Re: How do I block unknown devices?
Posted: Sat Feb 19, 2022 6:03 pm
by NotAdad
Cool, I rebooted my router, now my configs don't work.
I didn't change anything in my configs. They just stopped working. Like I can't block facebook anymore, and none of my simple queues work either.
How the fuck is router os so bad?
Re: How do I block unknown devices?
Posted: Sat Feb 19, 2022 6:23 pm
by 404Network
The Router is not alive! The router responds to what you have configured.
More than likely you locked yourself out of the router by not understanding how all the firewall rules work.
Nothing wrong with RoS!
Re: How do I block unknown devices?
Posted: Sat Feb 19, 2022 6:33 pm
by NotAdad
The Router is not alive! The router responds to what you have configured.
More than likely you locked yourself out of the router by not understanding how all the firewall rules work.
Nothing wrong with RoS!
wtf does that mean?
There was nothing wrong with the config. It just stopped working for no reason.
How do I fix it???
Re: How do I block unknown devices?
Posted: Sun Feb 20, 2022 10:01 pm
by BartoszP
Try to connect with MAC address if only you allowed it in the configuration.
Re: How do I block unknown devices?
Posted: Mon Feb 21, 2022 11:13 am
by NotAdad
Try to connect with MAC address if only you allowed it in the configuration.
No. I can log into the router and shit somewhat works. But the issue is that it doesn't block things like facebook.com and it doesn't limit the internet speed to devices on certain websites in simple queues.
Re: How do I block unknown devices?
Posted: Mon Feb 21, 2022 12:47 pm
by Jotne
block things like facebook.com
Can not be done. Same as with torrent etc.
As long as you do not have 100% control of the clients (typically a corporate network), you are out of luck.
You can try to block DNS: Client uses another DNS
You try to redirect DNS: Clients use DoH
You try to block IP: Facebook IPs do change.
Client uses VPN etc.
If this is for children, do give them education and tell them that if they misuse the trust it will have consequences.
Re: How do I block unknown devices?
Posted: Mon Feb 21, 2022 3:05 pm
by NotAdad
block things like facebook.com
Can not be done. Same as with torrent etc.
As long as you do not have 100% control of the clients (typically a corporate network), you are out of luck.
You can try to block DNS: Client uses another DNS
You try to redirect DNS: Clients use DoH
You try to block IP: Facebook IPs do change.
Client uses VPN etc.
If this is for children, do give them education and tell them that if they misuse the trust it will have consequences.
Bruh... Ok what about blocking all internet access? And what about limiting peoples internet speed?
Re: How do I block unknown devices?
Posted: Mon Feb 21, 2022 3:35 pm
by Jotne
Blocking all and open certain sites may be a way to go. Many sites do not work with just one IP open, everything is interconnected.
But then the kids just use their cellular network, friends' cellular network, neighbor's wifi etc.
Re: How do I block unknown devices?
Posted: Mon Feb 21, 2022 5:47 pm
by NotAdad
Blocking all and open certain sites may be a way to go. Many sites do not work with just one IP open, everything is interconnected.
But then the kids just use their cellular network, friends' cellular network, neighbor's wifi etc.
Ok, but how do I do it? I literally can't block anything.
It's like the firewall rules I set up don't work at all.
Everything worked fine until I rebooted my router. Why is that?
Re: How do I block unknown devices?
Posted: Fri Sep 30, 2022 10:36 pm
by frankyrumple
I set up multiple users (kids).
One is called "UnknownDevices". It is set to block all day long.
One is called "ApprovedDevices". It is set to allow all day long. All my devices are put here.
Some users for kids devices with proper block/allow times set.
Add this script. It will take any device that isn't assigned to a user and assign it to the "UnknownDevices" user.
Set up the scheduler to run the script every ?? seconds - I put 30 seconds. That means within 30 seconds, a new device will automatically get pushed to the "UnknownDevices" user and therefore be blocked. This will mean that iOS devices that change their MAC address will get blocked automatically.
#log info "Checking for unknown devices...";
# Walk every kid-control device that has no user assigned yet.
:foreach i in=[/ip kid-control device find user=""] do={
    :local name [/ip kid-control device get $i name];
    :local mac [/ip kid-control device get $i mac-address];
    #log info $i;
    #log info $name;
    #log info $mac;
    # Timestamp appended to the name so each discovery is distinguishable.
    :local dt ([/system clock get date ] . "_" . [ /system clock get time ]);
    #log info $dt;
    :if ($name = "") do={
        :set name "<Unknown>";
    }
    :set name "$name $dt";
    :log warning "** Found Unknown device $name - adding to UnknownDevices list.";
    # Register the MAC address under the always-blocked user.
    /ip kid-control device add name="$name" user="UnknownDevices" mac-address=$mac
}