08 December 2010

Mikrotik mac address filtering

Playing with an RB493G and wanted to allow only a certain list of MAC addresses to be able to connect. We all know this type of security is in no way foolproof.

The 493G has 2 switch chips in it: ports 2-5 are on switch2, and ports 1 and 6-9 are on switch1.

Much like /ip firewall filter rules, switch rules are checked in order (top down), and the first match wins. And like /ip firewall filter rules, there is no implicit deny, so you must add the deny rule yourself. Although there is no 'deny' action as such, a rule that redirects to null (specifies no port at all) achieves the same result.


/interface ethernet switch rule
add copy-to-cpu=no disabled=no mirror=no ports=ether2,ether3,ether4,ether5 \
redirect-to-cpu=no src-mac-address=00:0B:08:D2:44:C2/FF:FF:FF:FF:FF:FF \
switch=switch2
add copy-to-cpu=no disabled=no mirror=no ports=ether6,ether7,ether8,ether9 \
redirect-to-cpu=no src-mac-address=00:0B:08:3A:C3:81/FF:FF:FF:FF:FF:FF \
switch=switch1
add copy-to-cpu=no disabled=no mirror=no ports=ether2,ether3,ether4,ether5 \
redirect-to-cpu=no src-mac-address=00:0B:08:D2:44:C4/FF:FF:FF:FF:FF:FF \
switch=switch2
add copy-to-cpu=no disabled=no mirror=no ports=ether6,ether7,ether8,ether9 \
redirect-to-cpu=no switch=switch1
add copy-to-cpu=no disabled=no mirror=no ports=ether4,ether2,ether3,ether5 \
redirect-to-cpu=no switch=switch2

You can either restrict MAC addresses per port, or per switch chip as above. The latter means you can plug a device into any port on that chip.
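To make the ordering point and the per-switch approach concrete, here is an added example (my code, not the author's configuration) that generates the allow-list as switch rules for the RB493G port layout given above and then simulates the chip's top-down, first-match evaluation. The port-to-chip mapping and the sample MACs are taken from this post; the rendering of the "redirect to no port" drop as new-dst-ports="" is my assumption about how RouterOS writes an empty redirect target, and the allow-list itself is constructed for the demo.

```python
"""Generate a RouterOS switch-rule MAC allow-list for an RB493G and simulate
first-match (top-down) evaluation.

Added example for this post, not the author's own configuration.  The
RB493G port layout is taken from the post; rendering the 'no port' drop as
new-dst-ports="" is an assumption about RouterOS's CLI syntax.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")

# Which switch chip each port hangs off, as described in the post.
SWITCH_OF_PORT: Dict[str, str] = {
    "ether1": "switch1", "ether6": "switch1", "ether7": "switch1",
    "ether8": "switch1", "ether9": "switch1",
    "ether2": "switch2", "ether3": "switch2", "ether4": "switch2",
    "ether5": "switch2",
}


@dataclass(frozen=True)
class SwitchRule:
    switch: str
    ports: tuple              # ingress ports this rule matches on
    src_mac: Optional[str]    # None = any source MAC
    drop: bool                # True = redirect to no port (the post's 'deny')

    def to_cli(self) -> str:
        """Render as an '/interface ethernet switch rule add ...' line."""
        parts = [f"add switch={self.switch}", "ports=" + ",".join(self.ports)]
        if self.src_mac is not None:
            parts.append(f"src-mac-address={self.src_mac}/FF:FF:FF:FF:FF:FF")
        if self.drop:
            # Assumption: an empty new-dst-ports is the 'redirect to null' drop.
            parts.append('new-dst-ports=""')
        return " ".join(parts)


def build_rules(allowed: Dict[str, str],
                filtered_ports: Dict[str, List[str]]) -> List[SwitchRule]:
    """allowed maps MAC -> chip it may use; filtered_ports lists the ports on
    each chip that are subject to the allow-list.  Allow rules are emitted
    first and one catch-all drop per chip last, so first-match evaluation
    forwards listed MACs and drops everything else on those ports."""
    for mac, sw in allowed.items():
        if not MAC_RE.match(mac.upper()):
            raise ValueError(f"bad MAC {mac!r}: use AA:BB:CC:DD:EE:FF")
        if sw not in filtered_ports:
            raise ValueError(f"{mac} is assigned to unknown chip {sw!r}")
    for sw, ports in filtered_ports.items():
        wrong = [p for p in ports if SWITCH_OF_PORT.get(p) != sw]
        if wrong:
            raise ValueError(f"ports {wrong} are not on {sw}")
    rules = [SwitchRule(sw, tuple(filtered_ports[sw]), mac.upper(), False)
             for mac, sw in allowed.items()]
    rules += [SwitchRule(sw, tuple(ports), None, True)
              for sw, ports in filtered_ports.items()]
    return rules


def evaluate(rules: List[SwitchRule], port: str, src_mac: str) -> str:
    """Simulate the chip: the first rule whose chip, port and MAC all match
    decides.  Returns 'forward', 'drop', or 'unfiltered' when nothing matches
    (the chip then switches the frame normally, which is why a trailing drop
    rule is required)."""
    sw = SWITCH_OF_PORT[port]
    mac = src_mac.upper()
    for r in rules:
        if r.switch == sw and port in r.ports and r.src_mac in (None, mac):
            return "drop" if r.drop else "forward"
    return "unfiltered"


# Constructed sample allow-list using the MACs from the post's listing.
ALLOWED = {
    "00:0B:08:D2:44:C2": "switch2",
    "00:0B:08:3A:C3:81": "switch1",
}
# ether1 is left out, as in the post's listing.
FILTERED = {
    "switch1": ["ether6", "ether7", "ether8", "ether9"],
    "switch2": ["ether2", "ether3", "ether4", "ether5"],
}

if __name__ == "__main__":
    print("/interface ethernet switch rule")
    for r in build_rules(ALLOWED, FILTERED):
        print(r.to_cli())
```

Reordering the generated list so the drop rules come first makes evaluate() drop even the listed MACs, and removing the drop rules makes every unknown MAC come back as 'unfiltered', which is exactly the two mistakes the ordering and missing-deny remarks above warn about.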

/interface ethernet switch rules are very powerful and you can do much more than simply blocking MAC addresses. You can match source and destination MACs, ARP requests, PPPoE discovery and much more, then redirect that traffic or perhaps append a new VLAN number.
