Wireless network administration involves not only ensuring a stable connection but also monitoring connected devices. Situations often arise where it's necessary to urgently restrict access for a specific user due to excessive traffic consumption or suspicious activity. In the ecosystem MikroTik This process can be implemented in several ways depending on your network architecture.
There is a difference between simply disconnecting a connection and fully blocking it at the access rule level. Forced shutdown without making any configuration changes, the user will be able to reconnect within a few seconds. To effectively manage the network, it's important to understand the mechanisms used in the current configuration. RouterOS.
In this article we will look at blocking methods through Access List, usage MAC filtering and customer management in HotSpotChoosing the right method depends on how your router is configured: whether it operates as a simple bridge, uses PPPoE, or authenticates users through a portal.
Analysis of connected clients and identification of the intruder
Before applying restrictive measures, it is necessary to accurately identify the device. In the interface WinBox go to the menu Wireless and open the tab Registration Table (or Interfaces -> Wireless -> Registration Table). All active connections are displayed here in real time.
Pay attention to the columns MAC Address And Signal StrengthThe MAC address is a unique identifier for a network card and is used to create blocking rules. The signal helps determine the physical proximity of a device, which is sometimes useful for locating an "unwanted guest" in the office.
⚠️ Attention: MAC addresses can be spoofed by advanced users. If you block a device by MAC address, an attacker can change the address and bypass the restriction.
For a more detailed analysis, use the tool TorchIt allows you to see passing traffic in real time and sort connections by protocol and data volume. This helps you understand what exactly is occupied by the channel: torrents, streaming, or port scanning.
Blocking via Access List in the Wireless interface
The most flexible and modern way to manage access in RouterOS is the use Access ListThis method allows you to create rules that are applied dynamically when a connection attempt is made or during a session. Go to the menu Wireless -> tab Access List.
Create a new rule by clicking on the plus sign +In the field MAC Address Enter the address of the device you want to block. In the field Action select a value reject or dropThe difference between them is significant: reject sends a refusal packet and the client understands that access is denied, and drop simply ignores requests, forcing the device to wait for a response until a timeout.
/interface wireless access-list
add mac-address=00:11:22:33:44:55 action=reject comment="Blocked User"
It's important to consider the priority of rules. The list is read from top to bottom, and the first matching rule is applied. Make sure your blocking rule is above the allowing rules (allow). You can also use a subnet mask or address ranges for group blocking.
Using the MAC filter in Bridge mode
If your MikroTik If you're using simple bridge mode or prefer classic methods, you can use the built-in MAC address filter. This method is less flexible than Access List, but works reliably on older versions. RouterOSFind it in the menu Wireless your wireless interface card.
In the interface properties, go to the tab Access List (In older versions, this may be a separate tab or button). Make sure the option is enabled. Default Authenticate or Default Forward Depending on your desired default behavior, uncheck the box if you want to block everyone except your favorites. Default Authenticate.
| Parameter | Value for blocking | Description |
|---|---|---|
| MAC Address | 00:00:00:00:00:00 | Address of the intruder's device |
| Authenticate | No | Authorization denied |
| Forward | No | Prohibition of data transfer |
| Comment | Text | Description of the rule |
Once an address is added to the authorization-denying list, the connection will be terminated immediately. However, it's important to remember that this method doesn't hide the SSID or protect against scanning; it only prevents a full connection to the access point.
☑️ Check before blocking
Access control via HotSpot server
For guest networks and public access points, the most effective method is to use HotSpotThis mechanism allows you to not only block users but also redirect them to a notification page. Control is provided via the menu. IP -> HotSpot -> tab Users.
If the user is already logged in, find him in the list of active sessions (Active). Select the line and press the button Make Cut or Log OutTo permanently block a user, add their MAC address or login to the list of users with the status blocked or set the time/traffic limit to zero.
⚠️ Attention: When using HotSpot, MAC address blocking may not work if the user logs in with a username and password. In this case, you need to block the user account.
HotSpot's advantage is its ability to create profiles. You can create a "Blocked" profile, which limits speed to 1 kbps, and assign it to offenders. While technically connected, they can't use the internet, reducing the load on the router's processor compared to constantly dropping packets.
Disconnecting via Firewall and Address Lists
Sometimes you need to not only block WiFi connections, but also completely disable internet access while leaving your local network accessible. This is done using FirewallCreate a list of addresses in the menu IP -> Firewall -> tab Address Lists. Call it, for example, Blocked_Clients.
Add the IP address or MAC address (if using PPPoE or tethering) of the intruder to this list. Then create a rule in the tab. Filter Rules. In the chain forward Please indicate the source (Src. Address List) equal Blocked_Clients and action Drop.
/ip firewall filter
add chain=forward src-address-list=Blocked_Clients action=drop comment="Drop blocked users"
This method is advantageous because it allows for flexible access control. You can add a rule that not only terminates the connection but also redirects traffic to a local server with a warning. However, for WiFi, this may be overkill if the goal is simply to free up airtime.
What to do if the IP address is dynamic?
If the client has a dynamic IP address, blocking by IP address list will be ineffective. In this case, it's better to use DHCP Server -> Leases -> Make Static, and then block by MAC address in the Access List.
Automation and scripts for temporary blocking
In complex scenarios, administrators need a temporary block. For example, disabling a user for 1 hour. Manually monitoring the time is inconvenient, so MikroTik allows you to use Scheduler And ScriptsYou can write a script that adds a blocking rule, waits for a specified time, and then removes it.
The script may look like a sequence of commands that add an entry to the Access List, and a second command with a delay (delay), which deletes this entry. This requires careful coding, as a syntax error can result in the administrator being blocked.
There are also ready-made solutions and packages such as User Manager, which provide a more convenient interface for managing quotas and access times. For large networks, this is the preferred option, allowing access control to be delegated without tampering with the router configuration.
Frequently Asked Questions (FAQ)
Is it possible to disable a user without knowing their MAC address?
Technically, it's possible to break all connections at once by rebooting the access point or disabling the WiFi interface, but it's impossible to selectively block a device without its unique identifier (MAC) or IP address (which can change). You first need to see the device in the registration table to retrieve its details.
Why is a blocked user still visible online?
If you used the action drop instead of reject, the device will continue to attempt to connect, and you will see its requests in the logs. The device may also remain in the association table for some time before the timeout expires, even if data transfer is disabled.
Will the blocking work if the user changes devices?
MAC address blocking is tied to the network interface of a specific device. If a user uses a phone instead of a laptop, the new device will have a different MAC address and will be able to connect. In such cases, HotSpot authentication with a username and password is more effective.
How to unlock a device?
You need to go back to the same menu where the rule was created (Access List, Firewall or HotSpot Users), find the corresponding entry and either delete it or change the action to allow. Don't forget to apply the changes if they are not applied automatically.