Here's one approach that's relatively simple:
1. Configure the router to add an
ARP entry when it hands out leases by setting 'add-
arp' to 'yes'.
http://wiki.mikrotik.com/wiki/Manual:IP ... er#General
add-arp (yes | no; Default: no) Whether to add dynamic ARP entry. If set to no either ARP mode should be enabled on that interface or static ARP entries should be administratively defined in /ip arp submenu.
2. Turn off dynamic
ARP learning on the ether6 interface by setting '
arp' to 'reply-only'.
http://wiki.mikrotik.com/wiki/Manual:In ... Properties
arp (disabled | enabled | proxy-arp | reply-only; Default: enabled) Address Resolution Protocol mode
3. Turn off the IP pool on the
DHCP server and configure
static leases for all valid clients, assigning an IP address to their MAC address.
Now clients that don't have a hard coded
DHCP lease can no longer receive a
DHCP address. Also, the router will not learn about
ARP mappings of MAC to IP addresses unless the client received a
DHCP lease. Clients can send traffic to the router, but the router doesn't know how to send traffic back to the client unless it's a
DHCP lease client, and all traffic to non-
DHCP clients is dropped.
Other approaches would include a Hotspot with MAC address authentication, or PPPoE.