Currently MikroTik allows you to use the firewall option in the bridge, this will allow you to manage layer 2 protocol connections.
It is possible to perform MAC filtering on MikroTik devices. MAC (Media Access Control) address filtering is a network security technique that allows network administrators to specify which devices are allowed (or denied) access to the network based on their unique MAC address.
In the context of MikroTik RouterOS, the operating system that runs on MikroTik devices, there are several ways to implement MAC filtering, depending on the context of use (such as in Wi-Fi networks, Ethernet accesses, etc.).
For wireless networks:
- Access to the Wireless Interface: You can configure MAC filtering directly on the wireless interface to control access to a Wi-Fi network. This is done by creating an “Access List” or a “MAC Address List” where you specify the allowed or blocked MAC addresses.
- Using Bridge Filters: If devices are connected via a bridge, you can use Bridge Filters to allow or deny traffic based on MAC addresses.
For Ethernet networks:
- Using Switch Chip Features: For MikroTik devices that use a switch chip, you can use the features of the switch chip to implement MAC filtering on specific Ethernet ports.
- Filtering in the Firewall: You can also configure rules in the RouterOS firewall to filter traffic based on MAC addresses, which can apply to both wireless and Ethernet interfaces.
How to configure MAC filtering on a Wi-Fi network (Basic Example):
To add a MAC address to the access list and allow it to connect, you can use the following commands in the RouterOS terminal:
/interface wireless access-list add mac-address=XX:XX:XX:XX:XX:XX interface=all allow-signal-out-of-range=10s
Where XX:XX:XX:XX:XX:XX
is the MAC address you want to allow. The option allow-signal-out-of-range=10s
This is useful for devices that may not always be in range but that you don't want to block permanently.
To deny access to a specific MAC address, you simply configure the corresponding entry in the access list but without adding it to an allow list or explicitly specifying the deny.
It is important to note that MAC filtering can be a complementary security method, but should not be the only security method used, as MAC addresses can be spoofed by an attacker with the right knowledge and tools.
Combining MAC filtering with other security measures, such as WPA2/WPA3 encryption for Wi-Fi networks, can provide an additional layer of security.
There are no tags for this post.