Securing Mikrotik Network: MAC Address Filtering for 10 LAN Computers, ARP Configuration & Tips

robsonet 7596 12
  • #1 17069625
    robsonet
    Level 11  
    Hello,
    I wanted to set up MAC address filtering on MT. The assumption is that I have 10 LAN computers in the network and only they should be able to connect to the network, so that it is as secure as possible.
    I did the ARP list by adding the IP and MAC of the computer and then on the Ethernet interface I marked ARP: reply-only but unfortunately I could still connect to other computers.
    I would like to ask you for help with steps to best secure this, thank you in advance.
  • #2 17069822
    ryba884
    Level 19  
    Set the address-pool to static-only in the DHCP server, check add-arp-for-leases, add computers by MAC and assign them static addresses. Additionally, set the interface on which the DHCP server is ARP reply-only. It should work.
  • #3 17070227
    robsonet
    Level 11  
    ryba884 wrote:
    Set the address-pool to static-only in the DHCP server, check add-arp-for-leases, add computers by MAC and assign them static addresses. Additionally, set the interface on which the DHCP server is ARP reply-only. It should work.


    Thanks for the hint. I did as you wrote, but then I could not connect my computer to WinBox, even though it was given an IP, which is not what was supposed to happen, only still via DHCP. Maybe there is some option somewhere else?
  • Helpful post
    #4 17070369
    ryba884
    Level 19  
    But you assigned the addresses in DHCP and not on the computers? The computers are still to be set to DHCP. You can do it semi-automatically. First, leave the usual address pool. Log in to MikroTik and go to DHCP Server -> Leases. There, right-click to select the other computers and click make-static. After adding all the computers, change address-pool to static-only. And check ;)
  • #5 17071921
    robsonet
    Level 11  
    ryba884 wrote:
    But you assigned the addresses in DHCP and not on the computers? The computers are still to be set to DHCP. You can do it semi-automatically. First, leave the usual address pool. Log in to MikroTik and go to DHCP Server -> Leases. There, right-click to select the other computers and click make-static. After adding all the computers, change address-pool to static-only. And check ;)


    I did according to your instructions and it seems to work. A computer that is not on the list does not get an address from the DHCP pool, is there anything else you can do / set to increase security?
  • #6 17072093
    ryba884
    Level 19  
    Even if he sets his address statically by hand, the network will not work for him. The rest is a proper firewall.
  • #7 17072261
    robsonet
    Level 11  
    ryba884 wrote:
    Even if he sets his address statically by hand, the network will not work for him. The rest is a proper firewall.


    I have a site-to-site tunnel configured between the headquarters and the branch on MikroTiks, and I connect to both places via client-to-site L2TP + IPsec.
    The branch connects to the headquarters using RDP, with printers redirected in the session. Users at the headquarters and in the branch are to have access to the Internet; below I paste the firewall rules, which are analogous for the headquarters and the branch. I would like to ask for help in securing both networks; I would like to do it on the principle of letting in what is needed and cutting off the rest.

    The rules I have are:
    /ip firewall filter
    add action=accept chain=input comment="akceptuj WinBox z zewnatrz" dst-port=8291 in-interface="ether1 WAN" protocol=tcp - here of course not strictly necessary, because I can get into WinBox locally after connecting via the client-to-site VPN
    add chain=input in-interface="ether1 WAN" src-address=xx.xx.xx.xx - here the branch address, and analogously the headquarters address in the branch router
    add action=accept chain=input comment="akceptuj L2TP" dst-port=1701 in-interface="ether1 WAN" protocol=udp
    add action=accept chain=input comment="akceptuj IPsec" dst-port=500 in-interface="ether1 WAN" protocol=udp
    add action=accept chain=input comment="akceptuj IP sec VPN" dst-port=4500 in-interface="ether1 WAN" protocol=udp
    add action=accept chain=input comment="defconf: accept ICMP" in-interface="ether1 WAN" protocol=icmp
    add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related in-interface="ether1 WAN"
    add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related in-interface="ether1 WAN"
    add action=drop chain=input comment="defconf: drop all from WAN" in-interface="ether1 WAN"
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid in-interface="ether1 WAN"
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 WAN"
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface="ether1 WAN"


    I don't have much experience with rules, could you please advise me based on the above?
    Thank you in advance for your help.
  • Helpful post
    #8 17072347
    ryba884
    Level 19  
    I would do it like this:
    /ip firewall filter
    add action=drop chain=input comment="drop invalid" connection-state=invalid
    add action=accept chain=input comment="accept established,related" connection-state=established,related in-interface="ether1 WAN"
    add action=accept chain=input comment="akceptuj WinBox z zewnatrz" dst-port=8291 in-interface="ether1 WAN" protocol=tcp
    add action=accept chain=input comment="akceptuj L2TP" dst-port=1701 in-interface="ether1 WAN" src-address=xx.xx.xx.xx protocol=udp ipsec-policy=in,ipsec
    add action=accept chain=input comment="akceptuj IPsec" dst-port=500 in-interface="ether1 WAN" src-address=xx.xx.xx.xx protocol=udp
    add action=accept chain=input comment="akceptuj IP sec VPN" dst-port=4500 in-interface="ether1 WAN" src-address=xx.xx.xx.xx protocol=udp
    add action=accept chain=input comment="accept ICMP from WAN" in-interface="ether1 WAN" protocol=icmp
    add action=drop chain=input comment="drop all from WAN" in-interface="ether1 WAN"
    add action=drop chain=forward comment="drop invalid" connection-state=invalid
    add action=accept chain=forward comment="accept established,related" connection-state=established,related
    add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 WAN"
    add action=drop chain=output comment="drop invalid" connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface="ether1 WAN"

    It's still missing a bit, but nobody here will write it for you. You can also secure traffic from the inside (in the input and forward chains). I suggest you read the MikroTik wiki, review the information regarding iptables, and have another look at packet flow.
  • #9 17072421
    robsonet
    Level 11  
    ryba884 wrote:
    I would do it like this:
    /ip firewall filter
    add action=drop chain=input comment="drop invalid" connection-state=invalid
    add action=accept chain=input comment="accept established,related" connection-state=established,related in-interface="ether1 WAN"
    add action=accept chain=input comment="akceptuj WinBox z zewnatrz" dst-port=8291 in-interface="ether1 WAN" protocol=tcp
    add action=accept chain=input comment="akceptuj L2TP" dst-port=1701 in-interface="ether1 WAN" src-address=xx.xx.xx.xx protocol=udp ipsec-policy=in,ipsec
    add action=accept chain=input comment="akceptuj IPsec" dst-port=500 in-interface="ether1 WAN" src-address=xx.xx.xx.xx protocol=udp
    add action=accept chain=input comment="akceptuj IP sec VPN" dst-port=4500 in-interface="ether1 WAN" src-address=xx.xx.xx.xx protocol=udp
    add action=accept chain=input comment="accept ICMP from WAN" in-interface="ether1 WAN" protocol=icmp
    add action=drop chain=input comment="drop all from WAN" in-interface="ether1 WAN"
    add action=drop chain=forward comment="drop invalid" connection-state=invalid
    add action=accept chain=forward comment="accept established,related" connection-state=established,related
    add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 WAN"
    add action=drop chain=output comment="drop invalid" connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface="ether1 WAN"

    It's still missing a bit, but nobody here will write it for you. You can also secure traffic from the inside (in the input and forward chains). I suggest you read the MikroTik wiki, review the information regarding iptables, and have another look at packet flow.


    Thanks so much for the information, I will study the topic. Best regards
  • #10 17081379
    robsonet
    Level 11  
    ryba884 wrote:
    Even if he sets his address statically by hand, the network will not work for him. The rest is a proper firewall.


    I will come back to the topic. Testing the proposed settings, I set a static IP, mask and gateway on the computer, and it connected to the resources. Where else can you secure it?
  • Helpful post
    #11 17081867
    ryba884
    Level 19  
    Do you have reply-only mode on the interface with dhcp arp? A computer with a fixed address should not be in the router's arp table. You must remove it before testing. That way only devices that get an address from dhcp are in the arp table.
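    The procedure from posts #2, #4 and #11 collected as RouterOS CLI commands, so it can be reproduced from a terminal instead of WinBox. This is an added example, not configuration from the thread or from MikroTik's documentation; the interface name bridge-lan, the pool name lan-pool and the 192.168.88.0/24 addressing are constructed placeholders.

```routeros
# Assumed (constructed) names: LAN bridge "bridge-lan", subnet 192.168.88.0/24,
# router address 192.168.88.1. Adjust to the real setup.

# 1. Start with an ordinary dynamic pool so the 10 PCs can lease normally (post #4).
/ip pool add name=lan-pool ranges=192.168.88.10-192.168.88.19
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dhcp-server add name=lan-dhcp interface=bridge-lan address-pool=lan-pool \
    add-arp-for-leases=yes lease-time=1d disabled=no

# 2. Once every legitimate PC has obtained a lease, review the list and pin the leases
#    (the CLI equivalent of WinBox "make-static"). Check that exactly the expected
#    machines are present before pinning, otherwise an unknown host gets pinned too.
/ip dhcp-server lease print where dynamic=yes
/ip dhcp-server lease make-static [find dynamic=yes]

# 3. Stop handing out addresses to unknown MACs: serve static leases only (post #2).
/ip dhcp-server set lan-dhcp address-pool=static-only

# 4. Make the router answer ARP only for entries it already holds (post #2). The DHCP
#    server creates those entries for each static lease because add-arp-for-leases=yes.
/interface bridge set bridge-lan arp=reply-only

# 5. Flush entries the router learned before reply-only was switched on; a host with a
#    hand-set address that is still in the table would keep working (post #11).
/ip arp remove [find dynamic=yes interface=bridge-lan]

# Verification: the first two listings should be empty, the third should show only
# the 10 static entries created from the leases.
/ip dhcp-server lease print where dynamic=yes
/ip arp print where dynamic=yes interface=bridge-lan
/ip arp print where interface=bridge-lan
```

    With arp=reply-only the router never learns neighbours on its own, so any device that must talk to it but does not use DHCP (a printer with a fixed address, a managed switch) needs its own static /ip arp entry. This is a router-side control only: it stops the router from serving or forwarding for unlisted hosts, it does not authenticate them.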
  • #12 17085933
    robsonet
    Level 11  
    ryba884 wrote:
    Do you have reply-only mode on the interface with dhcp arp? A computer with a fixed address should not be in the router's arp table. You must remove it before testing. That way only devices that get an address from dhcp are in the arp table.


    I marked it and it helped thanks.

    Added after 3 [minutes]:

    ryba884 wrote:
    I would do it like this:
    /ip firewall filter
    add action=drop chain=input comment="drop invalid" connection-state=invalid
    add action=accept chain=input comment="accept established,related" connection-state=established,related in-interface="ether1 WAN"
    add action=accept chain=input comment="akceptuj WinBox z zewnatrz" dst-port=8291 in-interface="ether1 WAN" protocol=tcp
    add action=accept chain=input comment="akceptuj L2TP" dst-port=1701 in-interface="ether1 WAN" src-address=xx.xx.xx.xx protocol=udp ipsec-policy=in,ipsec
    add action=accept chain=input comment="akceptuj IPsec" dst-port=500 in-interface="ether1 WAN" src-address=xx.xx.xx.xx protocol=udp
    add action=accept chain=input comment="akceptuj IP sec VPN" dst-port=4500 in-interface="ether1 WAN" src-address=xx.xx.xx.xx protocol=udp
    add action=accept chain=input comment="accept ICMP from WAN" in-interface="ether1 WAN" protocol=icmp
    add action=drop chain=input comment="drop all from WAN" in-interface="ether1 WAN"
    add action=drop chain=forward comment="drop invalid" connection-state=invalid
    add action=accept chain=forward comment="accept established,related" connection-state=established,related
    add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 WAN"
    add action=drop chain=output comment="drop invalid" connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface="ether1 WAN"

    It's still missing a bit, but nobody here will write it for you. You can also secure traffic from the inside (in the input and forward chains). I suggest you read the MikroTik wiki, review the information regarding iptables, and have another look at packet flow.


    Back to your rules. When the connection is always from the same IP, I can enter it for ports 500, 1701, 4500 as you specified, but when I connect with a laptop from many places by running the VPN over L2TP, I do not enter this address because it is variable?
  • #13 17086899
    ryba884
    Level 19  
    Yes. If you have a variable address, you do not enter it, because you will not be able to connect.
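    An added example, not ryba884's rules or anything from MikroTik, that takes the rule set from post #8 and applies the answer from post #13: IKE and NAT-T cannot carry a src-address when roaming laptops connect, so the protection for L2TP is moved to the ipsec-policy matcher and management access is restricted with an address-list instead. It also adds the two LAN services the final drop would otherwise break. The interface names, 203.0.113.10 as the branch router's public address, 192.168.88.0/24 as the LAN and 192.168.89.0/24 as the L2TP client pool are constructed assumptions.

```routeros
# Assumed (constructed) values: WAN interface "ether1 WAN", LAN bridge "bridge-lan",
# LAN 192.168.88.0/24, branch router public address 203.0.113.10,
# L2TP client-to-site pool 192.168.89.0/24.

# Sources allowed to manage the router. A list keeps the rules unchanged when an address changes.
/ip firewall address-list
add list=mgmt-src address=203.0.113.10 comment="branch router WAN (site-to-site peer)"
add list=mgmt-src address=192.168.88.0/24 comment="headquarters LAN"
add list=mgmt-src address=192.168.89.0/24 comment="L2TP client-to-site pool"

/ip firewall filter
# Order matters: invalid first, then established/related, so the stateful shortcut
# handles most packets before any per-service rule is evaluated.
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept connection-state=established,related comment="accept established,related"

# IPsec: a roaming laptop has a variable public address (post #13), so IKE, NAT-T and ESP
# are accepted from any peer. Authentication happens inside IKE, not in this rule.
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface="ether1 WAN" comment="IKE / NAT-T from any peer"
add chain=input action=accept protocol=ipsec-esp in-interface="ether1 WAN" comment="ESP from any peer"

# L2TP is accepted only when the packet arrived inside an IPsec SA; plaintext L2TP
# from the WAN falls through to the final drop.
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP only inside IPsec"

# Management: WinBox only from the address-list, whichever interface the packet enters on.
add chain=input action=accept protocol=tcp dst-port=8291 src-address-list=mgmt-src comment="WinBox from mgmt-src"

# Services the LAN legitimately needs from the router itself. DHCP must stay open or
# the static-lease scheme from the earlier posts stops working.
add chain=input action=accept protocol=udp dst-port=67 in-interface=bridge-lan comment="DHCP from LAN"
add chain=input action=accept protocol=udp dst-port=53 in-interface=bridge-lan comment="DNS from LAN"
add chain=input action=accept protocol=icmp comment="ICMP"
add chain=input action=drop comment="drop everything else to the router (WAN and LAN)"

# Forward chain: stateful shortcut, then only sessions initiated from the LAN or from
# VPN peers. Anything new arriving from the WAN without DST-NAT hits the final drop.
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept connection-state=established,related comment="accept established,related"
add chain=forward action=accept connection-state=new in-interface=bridge-lan comment="LAN may initiate"
add chain=forward action=accept connection-state=new src-address=192.168.89.0/24 comment="L2TP clients may initiate"
add chain=forward action=accept connection-state=new ipsec-policy=in,ipsec comment="policy-based site-to-site may initiate"
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface="ether1 WAN" comment="published services only"
add chain=forward action=drop comment="drop everything else"

/ip firewall nat
add chain=srcnat action=masquerade out-interface="ether1 WAN" comment="masquerade"
```

    The last forward rules are where the "let in what is needed, cut off the rest" principle from post #7 lands: the LAN and the VPN peers may open sessions, the WAN may reach only DST-NATed services, and everything else is dropped. If the site-to-site tunnel is L2TP rather than a policy-based IPsec tunnel, its traffic arrives on the L2TP interface and the src-address rule, not the ipsec-policy rule, is the one that matches; adjust accordingly.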

Topic summary

The discussion revolves around securing a Mikrotik network through MAC address filtering for 10 LAN computers. The user initially faced issues with ARP configuration, where marking the Ethernet interface as ARP: reply-only did not prevent unauthorized connections. Suggestions included setting the DHCP server to static-only, adding MAC addresses for the computers, and ensuring that only devices obtaining IPs from DHCP appear in the ARP table. The user successfully implemented these changes, preventing unauthorized devices from connecting. Further security measures discussed included configuring firewall rules to allow only necessary traffic and managing IPsec and L2TP VPN connections. The importance of removing static IPs from the ARP table before testing was also emphasized.
Summary generated by the language model.