DHCP Flooding

Good night,

Can I prevent the unauthorized distribution of dynamic IP addresses via DHCP?
In summary: if a malicious user puts a virtual machine with a DHCP server on the network, he can hand out valid addresses to the entire network. Is it possible to guard against that?

Regards,

MikroTik supports a DHCP Server Alert function that can tell you when a new DHCP server is found.

/ip dhcp-server alert
add disabled=no interface=bridge-lan on-alert="/log error \"server found\""

You can add your own script as required.

It is also possible to filter DHCP on a Bridge if required. http://wiki.mikrotik.com/wiki/Bridge_Filter_-_Blocking_DHCP_Traffic
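As an added example (not from the original reply), here is the alert from above extended with a valid-server allow-list and an e-mail notification, plus the bridge filter rule the linked wiki page describes. The interface name, the MAC address and the mail address are placeholders, and the bridge filter only helps where the MikroTik bridge itself is the switch the clients are plugged into.

```routeros
# Added example, not from the original post. Placeholders: bridge-lan,
# 00:00:00:00:00:01 (MAC of the only authorised DHCP server), admin@example.com.

# 1) Detection: raise an alert for any DHCP server whose MAC is not in valid-server.
#    The alert handler receives $interface, $address and $"mac-address".
#    alert-timeout stops the same rogue server from generating a mail every minute.
/ip dhcp-server alert
add interface=bridge-lan valid-server=00:00:00:00:00:01 alert-timeout=1h disabled=no on-alert=":local msg (\"Rogue DHCP server on \" . \$interface . \" ip=\" . \$address . \" mac=\" . \$\"mac-address\"); /log error \$msg; /tool e-mail send to=\"admin@example.com\" subject=([/system identity get name] . \": \" . \$msg) body=\$msg"

# 2) Prevention (only when this bridge is the access switch): client ports never
#    need DHCP *server* replies (UDP 67 -> 68) bridged between them, so drop them
#    in the forward chain. Replies from the router's own DHCP server leave through
#    the output chain and are not affected.
/interface bridge filter
add chain=forward mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68 action=drop \
    comment="drop DHCP server replies bridged between client ports"
```

The alert only fires for servers whose MAC is not listed in valid-server, so the router's own DHCP server (or a legitimate upstream one) must be listed there; /tool e-mail needs a working server and from address configured first, otherwise the send is logged as a failure and nothing arrives.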

What exactly does this bridge DHCP filter in the wiki do?
I also have this problem in buildings where users connect routers in their apartments without asking.

Manageable switches normally have this functionality, because it's a problem to be solved at the access layer.

So filtering DHCP in the bridge, as said above, won't help, right?

Hello Friend,

I created this alert, thanks for the tip.
But how does this alert work? Where will I be alerted?

Is what this video is doing the same thing as the address above?
Sorry, I am a layman in this part :)
https://www.youtube.com/watch?v=oP1sIROxcwg

Unfortunately my Switch does not offer this feature.
Thanks!

I would also like to know what these rules will do.

I think this video shows a correct tip for making the warning procedure work correctly, see

https://www.youtube.com/watch?v=lgD6qqJAISk

OR…

I think this video would be valid, but I do not understand anything in this language :)

https://www.youtube.com/watch?v=4cfQ4y079dM

Yes, these rules work. You also have to add a command to send you an email saying that a rogue DHCP server has appeared in the network.

This is the script I am using in my routers. It was posted by another user in the past…

# $interface, $address and $"mac-address" are supplied by the DHCP alert that runs this script
:local CurrentTime [/system clock get time]
:local hostname [/system identity get name]
:global date [/system clock get date]
:local int "$interface"
:local addr "$address"
:local mac $"mac-address"
:local dh

/tool e-mail send to="mymail@gmail.com" subject="ROGUE DHCP Server has been detected on $hostname at $date - time $CurrentTime - Interface= $int - IP Address=$addr - MAC-Address= $mac"

I'm using the same commands as in this video below; I'm not sure this works, see:
https://www.youtube.com/watch?v=lgD6qqJAISk

/tool e-mail send to="my-e-mail" subject=("Unauthorized DHCP server on the network at " . [/system identity get name]) body=("address=" . $address . " interface=" . $interface . " server mac=" . $"mac-address")

If I want to use your tip, do I just copy this script and put in the correct email, nothing else?

Put in your email address and also set the correct parameters in Tools > Email.

Perfect, my friend, I've done this procedure :)
Unfortunately there is no way for the MikroTik itself to prevent false (unauthorized) DHCP servers. I think these functions are all layer two (switch). So far I have only found detective tips and not preventive (proactive) ones.

They will stop DHCP traffic if it passes through the MikroTik router. However, DHCP packets are distributed in the whole LAN, independent from the router.

As already mentioned, a manageable/smart switch is really the only way to filter out such packets, by making all devices forward packets only in the direction of your router and back (which would also effectively forbid your clients from communicating with each other at all, without the router’s permission).

The alternative is simply not using DHCP, but using either fixed IPs or PPPoE. Leave DHCP to provide settings that only lead to a single web page, which explains how to set up the connection "manually".

Well, taking advantage of the topic: do you know a way (using a script) to detect the same MAC address (clone) in a HOTSPOT network? I've been looking for this for a long time!

I think this:

https://github.com/davidnutter/mikrotik-arpwatch

will do what you want, but a) documentation for it is thin on the ground and b) it requires an external server to run it on (although I guess you could run it on an OpenWRT metarouter).

Sorry, friend, but I do not understand WHAT you wrote above. Is this a complementary tool to prevent or to detect ARP spoofing?

arpwatch alerts you when a MAC address changes IP address, or when an IP address changes MAC address. If a “bad guy” assumes somebody else’s MAC and IP addresses, you aren’t going to be able to know who the “real” one is. Perhaps you could set hotspot interface ARP mode to reply-only, populate ARP from DHCP and disable client-to-client forwarding. That will make it harder for a “bad guy” to get enough information about innocent users in order to spoof them.
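The hardening suggested in the reply above, written out as an added example (not the poster's own configuration). It assumes the hotspot clients sit on a bridge named bridge-hotspot served by a DHCP server named dhcp-hotspot, with a wireless interface wlan1 in that bridge and the uplink on a separate interface outside it; adjust the names to your setup.

```routeros
# Added example; bridge-hotspot, dhcp-hotspot and wlan1 are assumed names.

# 1) The router answers ARP only from entries it already holds and no longer
#    learns from ARP replies sent by clients, so a client cannot take over
#    another IP just by announcing it.
/interface bridge set bridge-hotspot arp=reply-only

# 2) Fill the ARP table from DHCP leases, so the IP<->MAC binding comes from the
#    lease rather than from whatever the client claims. Only the lease holder
#    gets an ARP entry and therefore only the lease holder can talk to the router.
/ip dhcp-server set dhcp-hotspot add-arp=yes

# 3) Stop client-to-client forwarding, so one client cannot observe or poison
#    another. Wireless clients associated to the same AP:
/interface wireless set wlan1 default-forwarding=no
#    Wired or bridged client ports: in a bridge that holds only client ports the
#    forward chain carries nothing but client-to-client frames; traffic addressed
#    to the router itself goes through the input chain and is left alone.
/interface bridge filter add chain=forward in-bridge=bridge-hotspot action=drop \
    comment="no client-to-client forwarding on the hotspot bridge"
```

With arp=reply-only and add-arp=yes, a device that configures a static address instead of taking a lease gets no ARP entry and cannot reach the router at all, which is the intended effect but worth knowing before enabling it on a network with hand-configured hosts. A cloned MAC is still not distinguishable from the real one at this layer; what these settings do is stop the clone from learning the victim's IP and MAC in the first place and from racing the victim for the router's ARP entry.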

This is how it's done.