gateway spoof

Hello,

Within the same VLAN, there are several /24 subnets. The gateways are configured on the MikroTik device, but I’m experiencing a problem. There is a malicious user who sets up a virtual router on their own server and assigns the gateway address to themselves, redirecting all traffic to their server.

How can I prevent this?

Hi @asdgmae2, the solution would depend on what your network architecture is (other routers, switches, etc.).

Generally speaking, it could be tackled by enabling dhcp-snooping and trusted ports, and denying arp-learning on switch ports that are untrusted.

Additionally, in your case, in RouterOS set arp=reply-only at the VLAN level, and add-arp=yes at the DHCP server level.

I’m assuming you have enabled DHCP server for address assignment.

Again, network architecture diagram and /export hide-sensitive would be necessary to bring a more detailed solution path.

The most effective place to prevent this issue is on the access network (switches, access points, OLT, DSLAM, CMTS, etc.).

@asdgmae2,

There is a malicious user who sets up a virtual router on their own server and assigns the gateway address to themselves, redirecting all traffic to their server.

If your network is an office network,
then you should lock down all the workers' stations from any system modification.

If your network is a service provider environment,
then you should start to think about changing your subscribers' access method.

hope this helps.

I’m not using DHCP; IP addresses are assigned manually, but I’m involved in server leasing, and the management of the leased servers belongs to the customers. Each server is allocated one IP address, so I’m running only one VLAN. How can I solve this using a different method?

I am using a MikroTik router followed by a Juniper switch. How can I solve this?

I am involved in server leasing, where each server is allocated one IP address. I prevent IP spoofing by using the “Make Static” method, but the IP addresses are not listed in the gateway’s ARP table.

  1. Are you in some kind of rack rental environment? Datacenter?

  2. If yes, then it (customer gateway spoofing) has little or no effect on drawing traffic or getting more bandwidth, because the amount of interface bandwidth available is obvious.

  3. You can try to use a separate VLAN for the customers, so they don’t talk to each other.

  4. You can try to implement switch port MAC security; limit to 1 MAC address per port.

  5. Or you can try to use a separate PPPoE profile and a separate PPPoE server for each customer.

hope this helps

Find out what security features that switch provides; then you can choose which strategy to use to properly isolate customers from each other. Just to start, you must see that infrastructure as an untrusted zone.

Get the MAC address of the machine pretending to be the gateway.
A simple “arp -a” in the command terminal on Windows will show it.

example

arp -a

Interface: 192.168.1.35 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           24-5a-4c-d5-87-d6     dynamic
  192.168.1.106         b0-e4-d5-ab-7f-87     dynamic
  192.168.1.167         c8-9e-43-c5-6e-3d     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static


Block or filter the MAC address on all the other machines, routers and switches

Wait for the idiot to complain he can’t access anything
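As an added example (not from any poster in this thread), a small Python check that parses Windows “arp -a” output like the one above and flags two things: the gateway IP mapping to a MAC other than the router's known MAC, and one MAC answering for both the gateway and another host. The sample cache is constructed; it reuses the addresses from the output above, with 24-5a-4c-d5-87-d6 assumed to be the real router MAC and 192.168.1.106 assumed to be the rogue host.

```python
import re
from typing import Dict, List

# Constructed sample of Windows "arp -a" output (not a real capture):
# the host at 192.168.1.106 has also answered ARP for the gateway 192.168.1.1.
SAMPLE_ARP = """\
Interface: 192.168.1.35 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           b0-e4-d5-ab-7f-87     dynamic
  192.168.1.106         b0-e4-d5-ab-7f-87     dynamic
  192.168.1.167         c8-9e-43-c5-6e-3d     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One cache entry: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} from 'arp -a' output, MACs normalised to lowercase."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_gateway(table: Dict[str, str], gateway_ip: str, trusted_mac: str) -> List[str]:
    """Return findings as strings; an empty list means the cache looks clean."""
    findings: List[str] = []
    trusted_mac = trusted_mac.lower()
    seen = table.get(gateway_ip)
    if seen is None:
        return [f"gateway {gateway_ip} is not in the ARP cache"]
    if seen != trusted_mac:
        findings.append(f"gateway {gateway_ip} maps to {seen}, expected {trusted_mac}")
    # The same MAC answering for the gateway and for its own IP is the spoof signature.
    for ip, mac in table.items():
        if ip != gateway_ip and mac == seen and mac != "ff-ff-ff-ff-ff-ff":
            findings.append(f"{mac} also claims {ip}; that host is impersonating the gateway")
    return findings


if __name__ == "__main__":
    for finding in check_gateway(parse_arp_table(SAMPLE_ARP), "192.168.1.1", "24-5a-4c-d5-87-d6"):
        print("ALERT:", finding)
```

Run it against the real output of “arp -a” (or a saved copy) with the gateway MAC you recorded from the MikroTik itself; it only reads the local cache and changes nothing.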

Hello,

This is a solution, but the real solution would be to prevent him from doing this.
Because when you do this, dozens of customers lose access.

Proper config of the router.
It would appear the hacker is not getting into your router but manipulating the traffic reaching his router.
The fact that other traffic can reach his device is indicative of a leaky setup.

Post your config

/export file=anynameyouwish (minus public IP address info, any keys, router serial number, any long DHCP lists, etc.)