gcraenen
newbie
Topic Author
Posts: 38
Joined: Fri Dec 19, 2014 11:50 pm

Block internet access for devices by mac-address & schedule

Mon Dec 29, 2014 6:32 pm

Hi,

On my network I want to block internet access for a group of devices, identified by mac-address, during a certain time of the day (say between 20:00-08:00 every day) by schedule.

How can I accomplish this in my Mikrotik with RouterOS 6.24?

The "plan" I'm getting stuck at is:

1. creating the address list based on mac-addresses
2. creating the schedule for blocking
3. creating the firewall rule to block/drop access to wan based on 1 and 2
4. adding the src-ip-address and what external ip-address and ports they want to visit to a list to review.
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Block internet access for devices by mac-address & sche

Mon Dec 29, 2014 6:47 pm

You don't need a schedule. Firewall rules can be set to apply between a particular time interval.

However, address lists can't use MAC addresses (yet?), so you need to add an individual firewall rule for each MAC address.

You can make the rule for example do masquerade only at the allowed time OR make a rule that drops an otherwise valid packet at the prohibited time.

Going with the second option, for each MAC address, run the following:
/ip firewall filter add chain=forward action=drop time="20:00:00-12h,mon,tue,wed,thu,fri,sat,sun" src-mac-address=00:00:00:00:00:00
(replace the MAC address accordingly)

The "time" argument you'll notice takes the form of "time since 00:00:00 today", dash, "duration since starting time". The interval between 20:00:00 and 8:00:00 the next day is 12 hours, hence the above.
 
gcraenen
newbie
Topic Author
Posts: 38
Joined: Fri Dec 19, 2014 11:50 pm

Re: Block internet access for devices by mac-address & sche

Tue Dec 30, 2014 1:21 pm

> You don't need a schedule. Firewall rules can be set to apply between a particular time interval.
>
> However, address lists can't use MAC addresses (yet?), so you need to add an individual firewall rule for each MAC address.

That's too bad, because it's far easier to maintain than making a separate firewall rule for each mac-address.

> You can make the rule for example do masquerade only at the allowed time OR make a rule that drops an otherwise valid packet at the prohibited time.

I guess the difference between the two is that with the masquerading rule only wan-access is blocked but the internal network can be used and the "drop-rule" makes sure that networking is not possible at all?

> Going with the second option, for each MAC address, run the following:
> /ip firewall filter add chain=forward action=drop time="20:00:00-12h,mon,tue,wed,thu,fri,sat,sun" src-mac-address=00:00:00:00:00:00
> (replace the MAC address accordingly)
>
> The "time" argument you'll notice takes the form of "time since 00:00:00 today", dash, "duration since starting time". The interval between 20:00:00 and 8:00:00 the next day is 12 hours, hence the above.

Very nice, this helped a lot. So thanks.
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Block internet access for devices by mac-address & sche

Tue Dec 30, 2014 1:30 pm

> I guess the difference between the two is that with the masquerading rule only wan-access is blocked but the internal network can be used and the "drop-rule" makes sure that networking is not possible at all?

No. In both cases, the internal network would work.

The only difference I can think of is that with the masquerade variant, you can still ping LAN IPs from a WAN neighbor to the router (IF that neighbor is clever enough to route LAN IPs to your router...), while with the drop rule, you can't. Very esoteric...
 
gcraenen
newbie
Topic Author
Posts: 38
Joined: Fri Dec 19, 2014 11:50 pm

Re: Block internet access for devices by mac-address & sche

Tue Dec 30, 2014 1:43 pm

Somehow the time settings are giving me a failure "start time bigger than end time". So I guess I have to break them up into two rules. One for the time between 20:00-23:59 and one for the time 00:00-08:00.
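
The per-MAC rules and the midnight split discussed above, as an added example that is not part of the original thread: a small Python generator that keeps the MAC list in one place and prints one drop rule per address and per time window. It assumes, as the reported error suggests, that `time` takes a from-to range within a single day, and it goes beyond the thread by moving the after-midnight part to the following weekday when only some days are listed; the function names and sample MAC addresses are constructed.

```python
import re

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")

def _secs(hhmm):
    """'20:00' -> seconds since midnight."""
    h, m = map(int, hhmm.split(":"))
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"bad time: {hhmm!r}")
    return h * 3600 + m * 60

def _fmt(secs):
    return f"{secs // 3600:02d}:{secs % 3600 // 60:02d}:{secs % 60:02d}"

def windows(start, end, days):
    """Split start-end into (from, to, days) pieces that never cross midnight."""
    s, e = _secs(start), _secs(end)
    if s == e or not set(days) <= set(DAYS):
        raise ValueError("empty window or unknown day name")
    days = [d for d in DAYS if d in days]              # canonical order
    if s < e:
        return [(_fmt(s), _fmt(e), days)]
    # Crossing midnight: the evening part runs on the listed days,
    # the morning part on the day after each of them.
    after = {DAYS[(DAYS.index(d) + 1) % 7] for d in days}
    parts = [(_fmt(s), "23:59:59", days)]
    if e > 0:
        parts.append(("00:00:00", _fmt(e), [d for d in DAYS if d in after]))
    return parts

def drop_rules(macs, start="20:00", end="08:00", days=DAYS):
    """One forward-chain drop rule per MAC address and per window piece."""
    rules = []
    for mac in macs:
        if not MAC_RE.fullmatch(mac):
            raise ValueError(f"not a MAC address: {mac!r}")
        for frm, to, d in windows(start, end, days):
            rules.append("/ip firewall filter add chain=forward action=drop "
                         f'time="{frm}-{to},{",".join(d)}" '
                         f"src-mac-address={mac.upper()}")
    return rules

if __name__ == "__main__":
    # Constructed sample MAC addresses, not taken from the thread.
    for rule in drop_rules(["00:11:22:33:44:55", "66:77:88:99:aa:bb"]):
        print(rule)
```
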
 
Nanflexal
Member Candidate
Posts: 127
Joined: Wed Sep 16, 2009 7:34 am

Re: Block internet access for devices by mac-address & schedule

Sun Aug 16, 2020 3:48 pm

How to block mac address completely without giving them internet access?

Regards,
Alex
 
creatin
Member Candidate
Posts: 108
Joined: Sat Nov 23, 2019 2:59 am

Re: Block internet access for devices by mac-address & schedule

Mon Aug 17, 2020 1:55 am

If you are assigning IP addresses for each MAC by DHCP, then go to IP - DHCP Server - Leases and you have a list of all active IP addresses, double click on the address and enable the Block access option.
 
ivicask
Member
Posts: 438
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Block internet access for devices by mac-address & schedule

Mon Aug 17, 2020 3:48 pm

BTW all this won't work on most new phones like Samsung etc. as they by default generate a new MAC address every time they connect, just keep that in mind.
 
creatin
Member Candidate
Posts: 108
Joined: Sat Nov 23, 2019 2:59 am

Re: Block internet access for devices by mac-address & schedule

Wed Aug 19, 2020 1:24 am

> BTW all this won't work on most new phones like Samsung etc. as they by default generate a new MAC address every time they connect, just keep that in mind.

Xiaomi phones as well.
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block internet access for devices by mac-address & schedule

Wed Aug 19, 2020 7:46 am

> BTW all this won't work on most new phones like Samsung etc. as they by default generate a new MAC address every time they connect, just keep that in mind.

At least on Samsung it is possible to disable this "feature" on per-SSID basis ... after gadget successfully connects to SSID.
 
cuky
just joined
Posts: 1
Joined: Mon Feb 04, 2019 11:48 pm

Re: Block internet access for devices by mac-address & schedule

Wed Aug 19, 2020 9:24 am

It's an Android feature, not manufacturer based.

I'm really interested how to block this. Maybe by using host name?
 
mkx
Forum Guru
Posts: 12979
Joined: Thu Mar 03, 2016 10:23 pm

Re: Block internet access for devices by mac-address & schedule

Wed Aug 19, 2020 11:01 am

> I'm really interested how to block this. Maybe by using host name?

Host name can only be used in conjunction with DHCP server that can update DNS server records while assigning new address lease to a device. DHCP server on ROS can't do it automatically (and DHCP lease data can't be directly used in firewall rules).
