DHCP Server leases

I have a gateway “A” that has IP 192.168.0.1 in LAN 192.168.0.0/255.255.255.0.
I have a MikroTik router “B” with IP 192.168.0.2 in the same LAN that assigns IPs to clients through a DHCP server, and only in “static-only” mode. Router B doesn’t have a NAT function and the DHCP server assigns gateway “A” to clients.

I would like only IPs assigned by the DHCP server to be able to access the internet through gateway 192.168.0.1, and if a user tries to assign an IP manually, he should have no access to the internet through 192.168.0.1.
Do you have any ideas?

At first glance, all these configurations have one feature or drawback: security through obscurity. With the correct static configuration, a user will be able to access the internet.

My suggestion in this case would be to use Hotspot, which is the captive portal built into RouterOS. So authenticated users get everywhere they want, others are less fortunate. Yes, that requires more configuration, but it is worth it in the end. I should note that automatic log-on can be configured based on user MAC address to ease use for customers.

OK, but
in a hotspot configuration router B must have a NAT function … right?
I don’t want NAT. I would like a single client in the 192.168.0.0 network to contact 192.168.0.1 directly.

Move DHCP to the gateway router, use static leases only and set add-arp to yes, and then set the ARP mode of the LAN interface to reply-only. That way only clients that received a lease from the DHCP server can make it into the ARP table of the gateway router, and the router is inherently unable to send traffic to any other clients, leaving them without Internet access.

The problem is: I can’t access the gateway router :)


If you don’t control the gateway and can’t make changes to it you cannot possibly prevent people from routing traffic through that gateway.

But what if I put router B between gateway “A” and the LAN as a bridge?
Can I control the access?

Yes, if you have control over the physical network layout you can just make bridge filters for the relevant MAC addresses.

Yes, I have control. How can I implement the filters?

http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Firewall
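
The bridge-filter approach from the last replies, as an added example that is not part of the original thread: router B bridges the LAN port to the gateway port and forwards only frames whose source MAC is on an allow list. The interface names (ether1 toward gateway A, ether2 toward the clients), the bridge name and the MAC addresses are assumptions and placeholders.

```routeros
# Added example, not from the thread. Assumed layout:
#   ether1 = port connected to gateway A (192.168.0.1)
#   ether2 = port connected to the LAN clients
/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2

# Router B's own address (192.168.0.2) and its DHCP server should be
# attached to bridge-lan instead of the physical port once the bridge exists.

# One accept rule per client that has a static DHCP lease.
# The MAC addresses below are constructed placeholders; use the MACs
# from the static lease entries.
/interface bridge filter
add chain=forward in-interface=ether2 action=accept \
    src-mac-address=02:00:00:00:00:10/FF:FF:FF:FF:FF:FF \
    comment="leased client 1 (placeholder MAC)"
add chain=forward in-interface=ether2 action=accept \
    src-mac-address=02:00:00:00:00:11/FF:FF:FF:FF:FF:FF \
    comment="leased client 2 (placeholder MAC)"

# Anything else arriving from the LAN side is not bridged to the gateway.
# Rules are evaluated in order, so this drop must stay last.
add chain=forward in-interface=ether2 action=drop \
    comment="drop LAN frames from MACs without a lease"

# Frames coming back from the gateway (in-interface=ether1) match none of
# the rules above and are forwarded by the default accept.
```

These rules match on the source MAC only, so they limit forwarding to the listed hardware addresses rather than to the leased IP addresses. On RouterOS versions with bridge hardware offloading, offloaded traffic bypasses bridge filter rules, so the ports have to be bridged in software for the filter to apply.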