Firewall

Recently I have needed to restrict access to the internet during certain hours.  This is very easy to achieve with MikroTIk using a few mangle and filter rules.  I currently have this configuration on a RB751 so I am using a bridge for the LAN.  I have ports 2-5 switched together and then bridged the wlan1 and ether2 (the master port) together.  Instead of just restricting everything on the bridge I wanted to be able to allow access to myself and certain others during “restricted times”, and this is why I used mangle to mark connections and filter via the connection marks.

Here you can see the two rules mark the connections from my allowed devices.  The last two rules mark everything else in and out of the DHCP bridge.

/ip firewall mangle
add action=mark-connection chain=forward comment="Mark CBrown Computer" disabled=no in-interface=DHCP \
    new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX
add action=mark-connection chain=forward comment="Mark CBrown iPhone" disabled=no in-interface=DHCP \
    new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX
add action=mark-connection chain=prerouting comment="DHCP Upload" disabled=no in-interface=DHCP \
    new-connection-mark=DHCP passthrough=no
add action=mark-connection chain=postrouting comment="DHCP Download" disabled=no new-connection-mark=DHCP \
    out-interface=DHCP passthrough=no

Continue reading

Categories

Archives