A mac lock can be performed, the mac lock consists of if it is a device that connects to a port and does not have the IP and mac that are specified in a list (ARP Table) in the router it will not be able to have communication With your gateway, you will not have communication with other devices and nor will you have access to the Internet.
For it to work, in the interface you must enable the arp reply-only mode and manually add arp, ip, mac and interface to the table.
When a customer incorrectly connects a router to the network, using one of its LAN ports, and this router starts issuing IP addresses (acting as an unauthorized DHCP server), it can cause IP conflicts and connectivity problems on the network.
To resolve this issue on a network managed by a MikroTik device, you can take steps to block traffic from the specific IP address that is causing the issue or disable the unwanted DHCP server.
Here's how to block that specific IP address using the MikroTik firewall:
Using WinBox
- Access your MikroTik: Log in to your MikroTik device using WinBox.
- Open the Firewall: go to IP > Firewall on the menu.
- Add a New Rule in the 'Forward' Chain:
- Click on the tab Filter Rules and then on the button + to add a new rule.
- General: In the “General” tab, set the “Chain” to
forward
. - Advanced: No need to set options here for this purpose.
- source address: Enter the IP address of the unauthorized DHCP server that you want to block.
- Action: Switch to the “Action” tab, select
drop
in the “Action” field. This will block all traffic coming from that IP address. - Click on Apply and then OK to keep the rule.
Using the CLI
If you prefer to use the command line, here is the corresponding command:
/ip firewall filter add action=drop chain=forward src-address=<IP_Servidor_DHCP_Errado>
Replaces <IP_Servidor_DHCP_Errado>
with the IP address of the rogue DHCP server that is causing the problem.
Additional Solutions
Aside from blocking the IP, there are other strategies you could consider to prevent these types of incidents in the future:
- Disable DHCP on Unwanted Ports: If you have a manageable switch between the MikroTik and the users, you can configure the ports as “untrusted” for DHCP Snooping, preventing them from acting as DHCP servers.
- Using DHCP Snooping: If your network equipment supports it, DHCP Snooping can help identify and block unauthorized DHCP responses on the network.
- Alerts and Monitoring: Set up alerts to notify you when IP conflicts occur or when a new device is trying to act as a DHCP server on the network.
These measures will help you maintain the stability of your network and avoid connectivity problems caused by misconfigurations of devices on the network.
There are no tags for this post.