Administering a wireless network requires constant monitoring of connected devices. Situations often arise where it's necessary to restrict access to a specific user or device. Mikrotik provides powerful tools for solving these problems, but beginners often get lost in the abundance of functions.
Blocking may be necessary for various reasons: from a persistent torrent downloader to a former employee or guest who has exceeded their time limit. It's important to understand that there are several levels of access restriction. You can simply terminate the connection, completely prohibit authorization, or throttle the speed to a minimum.
In this article, we'll cover the main methods available in RouterOS. We'll cover working with Address List, setting Firewall and using specialized services. The specific method you choose depends on your goals and the router's software version.
Analysis of connected devices and preparation
Before applying sanctions, it is necessary to accurately identify the offender. In the interface WinBox or WebFig go to the menu IP -> DHCP Server and open the tab LeasesAll devices that have received an IP address automatically are displayed here.
Pay attention to the columns MAC Address And Address. Exactly MAC address This is a unique identifier for a network card, making it harder to forge than an IP address. Find the device you need by name (if transmitted) or by the chip manufacturer listed in the first bytes of the address.
For a more in-depth analysis, you can use the tool Torches on the menu ToolsIt allows you to see traffic passing through interfaces in real time. This helps you understand what exactly is using the communication channel.
⚠️ Note: If your network is in Bridge mode, DHCP leases may not be displayed correctly or may be missing if the server is configured on another device. In this case, use
IP->Neighborsor ARP tables.
Write down or copy the MAC address of the target device. This is a key parameter for most blocking methods. Without the exact address, you risk blocking the legitimate user.
Blocking via Address List and Firewall Filter
The most flexible and frequently used method is to create a list of addresses and apply filtering rules. This method allows you to not only disable a device, but also redirect it or display notifications. Go to the menu IP -> Firewall and select the tab Address Lists.
Click the add new item button (plus). In the field Address Enter the MAC address of the intruder, and in the field List Give it a descriptive name, for example, blocked_clientsUsing address lists simplifies rule management because you don't need to modify the firewall itself when adding new blocks.
Now let's move on to creating the rule. In the tab Filter Rules create a new rule in the chain forward. As a source (Src. Address) specify the previously created list blocked_clients. Action (Action) select drop to completely break packets or reject to send an error response.
/ip firewall filter add chain=forward src-address-list=blocked_clients action=drop comment="Block bad client"
It is important to place this rule above the rules that allow other traffic. Mikrotik Rules are processed from top to bottom, and the first match is decisive. If a blocking rule is at the end of the list, it will never be triggered.
Using Access List in Wireless Settings
For wireless networks, there is a more native tool built directly into the WiFi driver. It is called Access List and is located in the menu WirelessThis method is more efficient because the pruning occurs at the radio channel level, without overloading the processor with processing unnecessary packets.
Open the tab Access List and add a new entry. In the field MAC Address Enter the address of the device you want to restrict. In the field Interface select your wireless interface (eg wlan1). In the field Action select an option reject or disassociate.
Option disassociate Forces the connection to be dropped, but allows the device to attempt to connect again (and be dropped again). Option reject is more categorical and immediately informs the client about access denial, which saves battery life on mobile devices.
| Parameter | Meaning | Description of the effect |
|---|---|---|
| Action | accept | Allow access (used for whitelisting) |
| Action | reject | Deny access with error message |
| Action | disassociate | Terminate connection without the right to re-authorize |
| Comment | Text | Comment for the administrator (not visible to the client) |
This method is especially good because it works even if the client device has a static IP address configured, bypassing DHCP. Access List Checks the MAC address before obtaining the IP, which makes the blocking as reliable as possible.
☑️ Check before blocking
Speed limiting via Simple Queues
Sometimes a complete block isn't necessary, but you do need to limit the user's preferences. For example, you can grant a guest access to instant messaging apps but prohibit viewing 4K videos. This tool is ideal for this. Simple Queues.
Go to the menu Queues -> Simple Queues. Create a new queue. In the field Target Please specify the IP or MAC address of the intruder. In the section Max Limit set the desired values, for example, 1M/1M (1 megabit for reception and transmission).
This speed is sufficient for messaging on WhatsApp or Telegram, but it will make downloading large files or streaming impossible. This is a "soft" block, which is often more effective than a full ban, as the user immediately recognizes that the channel is overloaded and disconnects.
⚠️ Note: Limiting the speed through queues consumes more CPU resources than a simple firewall drop. On low-end devices Mikrotik (hAP lite, mAP series) creating dozens of such rules can lead to a drop in overall network performance.
You can combine this method with Time profiles. For example, configure a rule so that the restriction applies only during working hours or at night, when the channel should be free for server tasks.
Setting up a Hotspot for Guest Areas
If your network is built on the basis of the service Hotspot, access control becomes centralized. In this case, blocking is done not through the firewall, but through the user or profile database. Go to the menu IP -> Hotspot -> Users.
Find a user or create a new entry linked to the MAC address (the MAC address is specified in the field MAC Address, login and password can be left blank or use the default ones). In the user profile (Profile) set the time or traffic volume limit to zero or the minimum value.
Hotspot also has a feature BannedIf a user exceeds the password entry limit or is flagged by the administrator, their address is added to the banned list. Adding the MAC address to the banned list ensures that the login page won't even open.
Secrets of MAC filtering in Hotspot
Hotspot systems can be configured to redirect users to a page with an ad or an offer to pay for additional time after their access time expires, rather than disconnecting completely. This is done through the 'Keepalive-timeout' parameter and profile settings.
For large events, it's convenient to use scripts that automatically add everyone who has exceeded a certain traffic limit to a block list. This relieves the administrator of the manual work.
Working with the command line and scripts
For experienced users and process automation it is indispensable TerminalBlocking can be accomplished with a single command, which is especially convenient when connecting via SSH. For example, adding to a blacklist:
/ip firewall address-list add address=AA:BB:CC:DD:EE:FF list=blocked comment="Auto-ban"
You can create complex scripts that analyze channel load and automatically block top consumers. The script is placed in System -> Scripts and can be triggered by a schedule or an event.
Using the command line allows you to quickly apply changes to multiple routers at once if you are using a centralized management system such as The Dude or Cloud Router RouterOS.
Don't forget to save the configuration after making changes with the command save, although in modern versions of RouterOS, changes are applied instantly and saved automatically upon proper shutdown.
Is it possible to block a client if they have changed their MAC address?
If the user uses MAC address randomization (common in iOS and Android), blocking by hardware address will be ineffective. In this case, only account-based blocking (login/password) in Hotspot or in-depth traffic analysis will help, but it's difficult to guarantee 100% protection.
Does blocking a client affect the speed of the router itself?
A correctly configured rule drop Having it at the top of the firewall's list has virtually no impact on performance. The processor spends minimal resources on inspecting packet headers and discarding them. Issues may only arise when using complex scripts or deep packet inspection (Layer 7) on low-end devices.
How do I unlock a device if I forgot which rule is blocking it?
Check the lists in IP -> Firewall -> Address Lists and filtering rules. Also check Wireless -> Access ListTemporarily disable suspicious rules (by unchecking them) to check access. In the terminal, enter the command /ip firewall filter print disabled will help you see hidden rules.
Conclusion and safety recommendations
Network access control Mikrotik It's a balance between security and convenience. Hard MAC address blocking is effective against casual users, but powerless against a trained attacker who knows how to clone an address.
For maximum security, we recommend a comprehensive approach: hide the guest network's SSID, use complex WPA2/WPA3 passwords, and set up a separate VLAN for guests with limited access to local network resources. Regularly check logs and lists of connected devices.
Please note that interfaces and item names may differ slightly between versions. RouterOSAlways check the official documentation when updating the firmware, as the menu structure may be changed by the developers.