Yes, you can block clients through the MAC in the filter rules using the src-mac address option in the advanced tab.
In MikroTik RouterOS, the firewall is very powerful and flexible, allowing a wide range of rules and configurations to control network traffic. However, blocking access to devices based solely on the MAC address from the firewall is neither the standard nor the most direct practice, since the MikroTik firewall operates primarily at the network layer level (Layer 3) and above, while MAC addresses operate at the link level (Layer 2).
However, there are other ways in RouterOS to restrict access based on MAC addresses, although these solutions may be more suitable for controlling access to the Wi-Fi network or through specific Ethernet interfaces, and less suitable for filtering traffic at the network level. Here I present some alternatives:
1. Wi-Fi Access Control by MAC
If you want to restrict access to a Wi-Fi hotspot on a MikroTik, you can use the “Access List” functionality in the WLAN settings to allow or deny clients based on their MAC addresses.
2. Bridge Filtering
For wired networks, you can use Bridge Filtering to block traffic from certain MAC addresses across bridges. This is an effective way to control access at the Layer 2 level.
3. DHCP Server Leasing
Another option is to configure the DHCP server on the MikroTik to map specific IP addresses to known MAC addresses and then use the firewall to block traffic to or from those specific IP addresses. This requires an additional mapping step between the MAC address and the IP address, but effectively achieves the desired result using the capabilities of the firewall.
4. Using Scripts
You can write scripts in RouterOS that dynamically add firewall rules based on MAC address, although this would be more complex and would require script logic to first resolve the MAC address to an IP address.
Considerations
Blocking access to devices based on MAC addresses may not always be the most secure solution, as MAC addresses can be spoofed (MAC spoofing). For network-level security, it is preferable to implement solutions based on higher layers, such as network layer firewalls, strong authentication, and encryption.
In conclusion, while the MikroTik firewall is not designed to directly filter by MAC addresses, there are alternative methods within RouterOS that can help you control and restrict access effectively. The choice of method will depend on your specific network configuration and security needs.
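The script approach from option 4, combined with the DHCP mapping from option 3, sketched as an added example that is not part of the original post. The MAC addresses, the list name `mac-blocked`, the rule comment and the one-hour timeout are constructed placeholders.

```routeros
# Added example: resolve blocked MACs to their current DHCP-leased IPs and
# put those IPs on an address list that a single forward rule drops.
# All values below are constructed placeholders.
:local blockedMacs {"AA:BB:CC:00:00:01";"AA:BB:CC:00:00:02"}
:local listName "mac-blocked"
:local ruleComment "drop mac-blocked"

# Create the drop rule once; later runs only refresh the address list.
:if ([:len [/ip firewall filter find comment=$ruleComment]] = 0) do={
    /ip firewall filter add chain=forward src-address-list=$listName \
        action=drop comment=$ruleComment
}

:foreach mac in=$blockedMacs do={
    # Look the MAC up in the DHCP lease table to get its current IP.
    # A host that configures a static IP never appears here, so this
    # method does not cover it.
    :foreach lease in=[/ip dhcp-server lease find mac-address=$mac] do={
        :local ip [/ip dhcp-server lease get $lease address]
        # Skip addresses already listed so the add does not fail.
        :if ([:len [/ip firewall address-list find list=$listName address=$ip]] = 0) do={
            # The timeout lets an entry expire if the lease later moves
            # to a different device.
            /ip firewall address-list add list=$listName address=$ip \
                timeout=1h comment=("mac " . $mac)
        }
    }
}
```

Run it from `/system scheduler` at an interval shorter than the timeout so that active entries are re-added before they expire.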