4GSam
newbie
Topic Author
Posts: 25
Joined: Tue Dec 28, 2010 7:49 am

Block MAC from getting DHCP

Sat Nov 05, 2011 8:13 pm

In a small business we have guest WiFi access but someone from next door (the only neighbor) was stealing the internet connection at all hours of the day.

I have their MAC blocked (anything from their MAC gets dropped), so they can't access the internet.

The current firewall filter I have is
chain=forward action=drop src-mac-address=[their:mac:addr]
And this stops them from getting to the net, but I don't want them getting DHCP leases, either.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Block MAC from getting DHCP

Sat Nov 05, 2011 8:30 pm

http://wiki.mikrotik.com/wiki/Manual:In ... ccess_List
Add their MAC address to the wireless interface access list and keep them from associating at all.
 
4GSam
newbie
Topic Author
Posts: 25
Joined: Tue Dec 28, 2010 7:49 am

Re: Block MAC from getting DHCP

Mon Nov 07, 2011 3:23 am

Thanks, forgot to mention it's just a regular Linksys AP. I can block clients on it but I'd rather have everything maintained on the MikroTik (RB750G).

That said, in the firewall I figured out that blocking UDP from those specific MAC addresses will stop DHCP requests. However, why the traditional way of blocking everything in my first example doesn't work, I have no idea.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Block MAC from getting DHCP

Mon Nov 07, 2011 3:29 am

Block them also in the input chain.
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: Block MAC from getting DHCP

Mon Nov 07, 2011 4:03 am

Block them also in the input chain.
There have been some in-depth discussions here about the difficulty of blocking DHCP in Mikrotik v4, because DHCP is done BEFORE the firewall.

I don't know if that has changed or not in v5.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: Block MAC from getting DHCP

Mon Nov 07, 2011 4:13 am

Make their DHCP lease static, and then click the 'block access' checkbox ... that way they can't grab one.
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Block MAC from getting DHCP

Thu Nov 10, 2011 11:34 am

Or allow them access and in the web proxy access section, point their static DHCP IP to one of your favourite malware sites.
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: Block MAC from getting DHCP

Sat Nov 12, 2011 7:54 pm

Or allow them access and in the web proxy access section, point their static DHCP IP to one of your favourite malware sites.
You really don't want to associate yourself with the distribution of viruses...
 
dakatech
just joined
Posts: 5
Joined: Tue Mar 22, 2011 10:53 am

Re: Block MAC from getting DHCP

Fri Jan 20, 2012 9:00 am

I have a slightly different situation.
Perhaps someone can help?


I need to limit access to and via a 711 to just one piece of equipment with one MAC address.
I have two 711's configured as a point to point link with a bridge from wlan to ether set up on them both.
One end (office) has a switch and 4 PC's connected.
The other end has a video recorder connected that is viewed from one of the PC's in the office.
The recorder has a static IP address.
The problem I have is that a "nice" person unplugs the DVR and connects a PC in its place. The person can now access anything on the other end of the radio link.

I think (occasionally, but today is not one of those times) that if I could use MAC address filtering I could stop this happening by allowing traffic to and from one MAC address only.

I have tried using a firewall in the bridge from wlan to ether but can't get it to work (I can get it to work using IP address filtering, but the person is clever enough to set his PC to the same IP address as the recorder)!

Any help you can give would be appreciated.

Thanks

Dave
 
Drakken
just joined
Posts: 1
Joined: Thu Sep 04, 2014 1:22 am

Re: Block MAC from getting DHCP

Thu Sep 04, 2014 1:27 am

Thank you cbrown!

You were absolutely right. So these codes were needed, in case someone else needs 'em:

Code:
chain=forward action=drop src-mac-address=[their:mac:addr]

Then just double-click and copy the rule. In the new one just change the chain to chain=input. It will then look like this:

Code:
chain=input action=drop src-mac-address=[their:mac:addr]
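
The suggestions made in this thread, collected as RouterOS terminal commands. This is an added example, not code from any poster or from MikroTik; the MAC address 00:11:22:33:44:55 and the rule comments are constructed placeholders.

```routeros
# 00:11:22:33:44:55 is a constructed placeholder, not an address from the thread.

# Traffic passing through the router (the rule from the first post).
/ip firewall filter add chain=forward action=drop \
    src-mac-address=00:11:22:33:44:55 comment="blocked guest: forward"

# Traffic addressed to the router itself (cbrown's suggestion).
/ip firewall filter add chain=input action=drop \
    src-mac-address=00:11:22:33:44:55 comment="blocked guest: input"

# "add" appends to the end of the chain. If an earlier rule already accepts
# the traffic, move these two above it, otherwise they never match.

# changeip's suggestion: convert the client's existing dynamic lease to a
# static one, then set the "block access" flag on it.
/ip dhcp-server lease make-static [find mac-address=00:11:22:33:44:55]
/ip dhcp-server lease set [find mac-address=00:11:22:33:44:55] block-access=yes

# Verify: the filter counters should climb, and the lease should show
# block-access=yes.
/ip firewall filter print stats where src-mac-address=00:11:22:33:44:55
/ip dhcp-server lease print detail where mac-address=00:11:22:33:44:55
```

The lease commands only find an entry if the client currently holds a lease on this DHCP server.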