Help blocking MAC address

I need help blocking a MAC address if the user that connects uses the gateway IP instead of their own IP.
Example: my gateway is 192.168.1.1, and I connect to wireless with static IP 192.168.1.1 and use gateway 192.168.1.2. After about 5 minutes it will freeze the network.

I need to block the MAC address if the user tries to connect with the gateway IP, or gets connected and disconnected more than 6 times in 10 seconds. I can't use ARP to let only DHCP clients connect.

What I need is to deny all connections if the IP address is the same as the gateway, or if the gateway is different from my real gateway. All I see in the log is macaddress@wlan connect, reassociating and disconnect.
Give me one idea to work with.

Hi,

/interface bridge filter
add action=drop chain=forward log=yes log-prefix="***** User using gateway ip address" mac-protocol=ip src-address=192.168.1.1/32 src-mac-address=!xx:xx:xx:xx:xx:xx/FF:FF:FF:FF:FF:FF

xx:xx:xx:xx:xx:xx is your gateway device's MAC address.

This rule denies any packets coming from 192.168.1.1 (your gateway IP address) whose source MAC address is not your real gateway's MAC address, and logs them.

*** Test it and let me know the result.

Your real issue is preventing clients from communicating with each other over layer 2 on the network, then. There really isn't anything you can do on the router itself to prevent people from communicating over layer 2, since that traffic never needs to go through the router to happen. What you need to do is properly set up your LAN to prevent clients from communicating with each other, so that in the case of someone duplicating the default gateway IP address, the ARP requests for 192.168.1.1 will never reach the faulty device.

This means using client or layer 2 isolation on the access points, and using VLANs, port isolation, or DHCP guarding on the switches. If your current network equipment does not support these features, then you need to upgrade the equipment you choose to use. That is the only real solution to the problem.

Do your wireless clients need to communicate with each other? (for instance, do you have any wireless printers, or internet-of-things devices that you want to work with, e.g. controlling a Roku from your tablet?)

If the answer is no:
The easiest thing to do in this case is to just set the wireless interface default-forward=no

This isolates all wireless devices from each other.

If you want to isolate them from the LAN as well, you can do it in two ways:

  1. If your device only has one hardware switch, and you're using the hardware switch, go into the bridge settings menu in the ports tab, and set interface wlan1 horizon=1 and interface ether2-local-master horizon=1.

  2. If your router is a 2011 or any other that has multiple switches connected to your bridge (or if you don't have a hardware switch chip and just bridge all interfaces), then you can't use split horizon. Just create a bridge filter rule in the forward chain that drops everything.

Done.


If the answer is yes, then ShayanFiroozi's advice will work, but you don't even need to put the MAC address portion in at all, because the forward chain doesn't apply to the MikroTik itself; it only applies to traffic going through the switch directly between clients.
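The steps above, put together as one RouterOS v6 CLI fragment. This is an added example, not configuration from the original thread or from MikroTik; the interface names wlan1, ether2-local-master and the bridge port lookups are assumptions, and xx:xx:xx:xx:xx:xx stands for the real gateway's MAC. It also adds an ARP-layer rule, because the attack described later in the thread is ARP poisoning and a rule matching only mac-protocol=ip never sees the forged ARP replies.

```routeros
# Added example (not from the original post). Assumed names: wlan1,
# ether2-local-master, and a single bridge containing both.

# 1. Stop wireless clients from talking to each other through the AP.
#    (RouterOS spells the parameter default-forwarding.)
/interface wireless set wlan1 default-forwarding=no

# 2a. One switch chip: put wlan1 and the wired master port in the same
#     split-horizon group so the bridge never forwards between them.
/interface bridge port set [find interface=wlan1] horizon=1
/interface bridge port set [find interface=ether2-local-master] horizon=1

# 2b. Several switch chips (e.g. RB2011) or no switch chip: split horizon
#     cannot cover it, so drop everything the bridge would forward between
#     ports. Traffic to the router itself uses chain=input and is unaffected.
/interface bridge filter add chain=forward action=drop \
    comment="no client-to-client forwarding"

# 3. If clients must still reach each other, keep forwarding but drop and
#    log any bridged frame that claims the gateway address from a MAC other
#    than the real gateway's. The MAC match only matters when the real
#    gateway is itself a device behind a bridge port; traffic the router
#    originates never traverses chain=forward.
#    IP frames:
/interface bridge filter add chain=forward mac-protocol=ip \
    src-address=192.168.1.1/32 \
    src-mac-address=!xx:xx:xx:xx:xx:xx/FF:FF:FF:FF:FF:FF \
    action=drop log=yes log-prefix="gateway-ip-spoof"
#    ARP frames (the poisoning itself): any ARP whose sender IP is the
#    gateway but whose sender MAC is not the gateway's.
/interface bridge filter add chain=forward mac-protocol=arp \
    arp-src-address=192.168.1.1/32 \
    arp-src-mac-address=!xx:xx:xx:xx:xx:xx/FF:FF:FF:FF:FF:FF \
    action=drop log=yes log-prefix="gateway-arp-spoof"
```

Use either step 2a or 2b, not both, and verify with /interface bridge filter print stats that the counters move when a test client is given 192.168.1.1 as a static address. Note that isolation at the AP (step 1) means the filter rules in step 3 only ever see wired clients and traffic crossing between wireless and wired ports.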

Tested and nothing in the log, just the same login and disconnect in wlan1.

http://icecream.me/c8b6aaa6e906e499664b4abc2fd29c5b

My hardware is an RB2011UiAS-2HnD. I use this at work and made 2 separate bridges and cut all communication between them, since the neighbor with whom I share the network does some computer repairing, like reinstalling Windows and saving data from viruses and stuff, and I made him a separate DHCP and wireless since he also does printing and all the people come with USB sticks from home and phones; I don't want anything from his network. I have printers that use static IPs and IP cameras, since the main occupation of the company is selling security stuff like home alarms, camera network recorders and other things. At home I have the same hardware, and I saw a video on YouTube on how to jam wireless in 4 min, but you need to have that wireless password and put your Android phone on a static IP. I tested this on my home network and in 6 min my ping to Google dropped and everything stopped. Where I normally install MikroTik I always use ARP, since most of the clients have pubs. This was just pure curiosity for me, whether I can block this, more to implement in the next install.

This is an example of "access layer security" issues, where someone can connect to a network and either accidentally or maliciously start doing naughty things that break the network. Unfortunately, the only real cure is to block client-to-client connectivity to some degree.

I think I’d just make a guest network for my own customers / untrusted devices to use and if it gets blown up then oh well.

It isn't really "jamming" the wireless; it's 'just' an ARP-poisoning attack on the hosts. If someone wanted to jam the wireless with a radio jammer, then you're screwed no matter what.

Amazing what 2 min of watching YouTube can turn into. I looked on the forum and all say ARP and stuff, and I can't do that at work since, like I said, I need to have the freedom to ping and test and ping and test and break IP cameras if they don't answer to ping (kidding, sending them back to mother China). But in the future I will start implementing this, since my boss wants to get some funds to start working with fiber and I will need to implement solutions there with MikroTik, and in pubs where they want some fancy login page to access wireless and stuff.

In pubs, etc., client isolation = your best friend.
Just remember that you have to do this system-wide: every switch, every bridge, every AP must isolate its clients from each other, and must BE isolated from each other themselves as well. Otherwise, you'll create little islands of danger, or little islands of local safety within a sea of danger.

Normally I use one simple RB951 10/100 or gigabit with an RBcAP2n (CAPsMAN) and make a separate bridge for clients and the main network: ARP and DHCP, 3 hour free login, 1 hour stay outside, filter with MAC address, something simple, not complicated, and like you said isolated, but I let the main router do this :) I don't have something like paid login or the stuff that generates numbers or creates users; they want it safe and simple, to not jam or interfere with their network and to let more than 20 phones get network access, in some cases limiting the bandwidth, but since I'm in Romania I have RDS and it is like 300Mb with 100Mb upload. The common problem with TP-Link, which is normally used, is that after 20 wireless clients it stops working.