Help me stop MAC spoofing

Hello everyone,
I have a real problem with my network, which is MAC spoofing.
A lot of people are using MAC changers to access my network,
so they are stealing other people's credit on my network.
Is there any way to stop the MAC spoofing and hide the MAC addresses from showing in any MAC scanner?
I was able to hide them and also hide the NanoStation from showing in Ubnt discovery without any scripts or rules, but I forgot how.
Is there any way to solve this problem?

You need to invest in MikroTiks, configure them as bridges and give them to the clients to stabilize the MAC address base.
Then you can account their traffic using the MikroTiks' MACs, not the clients' ones, as the clients will be hidden behind the bridges.

Disable client forwarding on WiFi networks and use bridge horizon.

I'm sorry, but I didn't understand anything.
Can you give me steps please? On what I should do, or where to go?
I'm using a MikroTik RB1100AHx2 router and NSM2 for the customers to connect,
and I'm using username and password only once to get authorized; after that they can log in by MAC address.

I'm not sure a band-aid based on a response from here is going to solve your problem.

If this is causing you real issues, you need to spend some time thinking about your current strategy and do some research on a number of possible solutions to the security and accountability issues you are facing.

MAC-based login is a very insecure way to go. Its ease of use and subsequent ease of abuse is becoming apparent, so I would rethink this aspect entirely.

I know my response is not enough, but it's because I don't really know what to say about my network. I began 1 month ago and I don't have that much information to talk about my network.
I tried to stop the MAC-based login, but it seems that everyone is enjoying it and they just don't want to log in every time they connect to the network,
so I think you have to ask me for info and I will answer, because I really don't know where to start, and if you can't help it's okay.
My firewall is kinda clean; it has some filter rules, but I think they are for logging in and out and redirecting.

Is this a hotspot or what?

Yes, it's a hotspot, I think.

You are going to need to spend time implementing layer 2 isolation on your network. Basically this is not something that can be done or controlled at the core of your network; you need to do it at the edge of the network, the point where client devices connect. How you do that is up to you and depends on the network equipment you have installed and what it is able to do. Your ultimate goal is to stop client-to-client communication over layer 2; this is a network design problem.

If you need to maintain a layer2 network, here are some steps.

The first line of defense is going to be disabling forwarding on your wireless interfaces. Mikrotik calls this "default forwarding"; other manufacturers call it something else. But the basic idea is the same: not allowing devices connected to the wireless network to talk to each other over the wireless network.

The next step is deciding how you want to isolate hosts on your switches. This can typically be done through VLANs or port isolation on switches. Port isolation works by telling the switch what ports traffic is allowed to be forwarded to.

Both of these things need not change how your clients connect today and use the system today, but will greatly increase security, and will help with your problem. This doesn’t prevent someone from grabbing the MAC address by using a wireless sniffer and grabbing it from the air, but does prevent someone from grabbing a MAC address from another part of the network.

If your current equipment doesn’t support these kinds of things, then you will need to budget for network upgrades that will allow you to do so.
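As an added example (not posted by anyone in this thread), here is what the two steps above look like on a MikroTik AP running RouterOS v6: wireless default forwarding off, and all client-facing bridge ports placed in the same bridge horizon so the bridge never forwards a frame from one client port to another. The interface names (wlan1, ether2, ether3 as client ports, ether1 as the uplink towards the hotspot router) and the bridge name are assumptions.

```routeros
# Added example: layer 2 client isolation on a RouterOS v6 AP/bridge.
# Interface and bridge names below are assumptions for illustration.

# 1. Stop wireless clients talking to each other through the AP itself.
/interface wireless set wlan1 default-forwarding=no

# 2. Bridge split horizon: ports that share a horizon value never exchange
#    frames with each other; the uplink keeps horizon=none so every client
#    can still reach the router.
/interface bridge add name=bridge-clients
/interface bridge port add bridge=bridge-clients interface=ether1
/interface bridge port add bridge=bridge-clients interface=wlan1 horizon=1
/interface bridge port add bridge=bridge-clients interface=ether2 horizon=1
/interface bridge port add bridge=bridge-clients interface=ether3 horizon=1

# Check: every client port must be listed here; the uplink must not be.
/interface bridge port print where horizon=1
```

With this in place a client on ether2 cannot ARP for, or sniff the bridged traffic of, a client on wlan1; as the post says, it does nothing against someone who captures MAC addresses straight from the air with a wireless sniffer.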

I already read about all of that, but no one is giving steps like "open here, write this, add this to the firewall"; they are all talking about layer 2 and, to be honest, I don't even know where this layer 2 is or how to reach it.
By the way, I'm using a NanoStation M2 with the XM.v6.0.7 version, and an RB SXT 5nD r2 as a receiver.
Do these devices support IP isolation?

You should probably consider switching to PPPoE instead of hotspot if you have such rampant issues with end-user abuse.
Another option to experiment with would be cookie logins.

Unfortunately, there is nothing much you can do to stop devices from MAC spoofing. Client isolation won’t completely fix this issue. The only thing this would do is give your network a small amount of defense against unskilled users easily monitoring network traffic for other MAC addresses on the network.

Layer 2 refers to ethernet / wifi devices (as opposed to routers) - MAC addresses are part of this layer 2 and a router (which is layer 3) cannot really do much about spoofed MAC addresses. Layer 2 security requires devices that have such features - ethernet switches and WiFi access points are the devices which would have such features, and not a router such as your Mikrotik.

If your access is strictly wifi-based, then you should set up a lab and implement username/password for connecting to the WiFi itself. That would be the best solution IMO.
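As an added example (not from the post above), this is the RouterOS v6 configuration for the "username/password for the WiFi itself" approach, i.e. WPA2-Enterprise with EAP, where each client authenticates with its own credentials against a RADIUS server at association time instead of being recognised by MAC. The RADIUS server address, shared secret and interface name are assumptions; the user accounts live on the RADIUS server (for example RouterOS User Manager or FreeRADIUS), which is not shown.

```routeros
# Added example: WPA2-EAP (per-user username/password) on a RouterOS v6 AP.
# RADIUS address, secret and wlan1 are assumptions for illustration.

# RADIUS server that will verify the WiFi usernames and passwords
/radius add service=wireless address=192.0.2.10 secret=ChangeMeLongSecret timeout=1s

# Security profile: WPA2 with EAP passed through to RADIUS;
# MAC-based RADIUS authentication explicitly off so a copied MAC buys nothing
/interface wireless security-profiles add name=wpa2-eap mode=dynamic-keys \
    authentication-types=wpa2-eap eap-methods=passthrough \
    radius-mac-authentication=no radius-eap-accounting=yes

# Attach the profile to the AP interface
/interface wireless set wlan1 security-profile=wpa2-eap

# Check: the profile must show authentication-types=wpa2-eap and
# eap-methods=passthrough, and the AP must not still use a PSK profile
/interface wireless security-profiles print detail where name=wpa2-eap
/interface wireless print detail where name=wlan1
```

Test this in a lab first: every client device has to be reconfigured for WPA2-Enterprise, and a wrong RADIUS secret or unreachable server locks everybody out.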

Yes, I kinda understand now, and yes, it's WiFi-based.
There are a lot of routers that you can't connect to when your MAC is changed; it will always say that the WiFi password is wrong even if it's right.
Can we use that feature in the NanoStation?
It would be like the best thing to stop spoofing.

I think your lack of knowledge in regard to the OSI model (https://en.wikipedia.org/wiki/OSI_model) and how to use it to understand your issues and mitigate the problems they present is the first thing you need to address. Until you do, even following steps here may not produce the results you are expecting and could even make things worse, as you don't understand what's going on.

You need to build yourself a lab (a small-scale version of what you're running in the field) and spend some time learning the basics, slowly increasing the complexity of the setup and configuration so that you can gain a clear understanding of what's happening, why, and how to make the changes you need, but also how to debug a setup when it's not performing as expected.

Start by learning the various layers of the OSI model and what part they play within each piece of network equipment. (The difference between routing, switching, bridging etc.; IPs, MACs, MTU, TCP, UDP... The list goes on.)

Then spend some time working through examples in the Mikrotik Wiki and from elsewhere on the Internet. YouTube also has many good videos to learn from.

Take a look at GNS3 https://www.gns3.com/

It's easy to say "give me the answer", but there's no point if you don't understand the solutions that are given or how to apply them to your setup without breaking anything else.

If you have more knowledge, then even if you don't fully understand the solutions given to begin with, you'll be better equipped to analyse them and see what's going on, test them in a lab setup, and learn what's happening and how they can be used.

There's no way to stop MAC spoofing, but you can minimise the chances of people scanning your network to collect MACs which they can then use for spoofing. This doesn't stop people from sharing MACs with each other in order to abuse your network, though.

Ultimately that's not going to solve your problem.
Your problem stems from using MACs as a means of authentication. It's flawed.
Various online articles have existed for over a decade warning against the pitfalls of using MAC addresses for access control (example: http://www.techrepublic.com/article/the-pitfalls-of-mac-filtering/).

There are a limited number of instances where the use of MACs can be useful, but never in a network facing the public.

Everything you have said is true. I do lack tons of knowledge and I don't know where to start,
and I don't even know my own network that much, so I have to learn as you said. But can you give me more links about the basics, please?

The first thing you should do is re-read every reply you've had in this thread and make a list of all the terms you don't understand. Take each one you don't understand and Google it. Write down some notes about what you find to help cement your knowledge.
Nobody is paid to post on these forums, and having to spoon-feed somebody who won't help themselves is tedious and unrewarding, and you will find that the number of replies to your requests for help dwindles.
Like ebreyit says, you need to build a lab and test out some different scenarios.

There is no way you can stop someone from spoofing a MAC address as long as he has the MAC address of some device that is an active user on your hotspot and he has a rooted phone, but what you can do is prevent WiFi scanners from showing your clients' MAC addresses by changing the network prefix length from 24 to 32.
From your WinBox settings go to
IP
DHCP SERVER
choose NETWORKS
make the gateway 2.2.2.2
netmask 32
then apply

Method two
When a client connects to your hotspot, the system will show you the MAC address of the device, the IP and the host name, so if someone steals another client's MAC you can still find out by the host name of the device. For example, if he spoofed 3 different clients, the DHCP server will list those three MACs with the same host name, unless he is a real genius and found a way of spoofing host names too.
OK, let's get to the point. There is a script you put into the new terminal. What this script does is scan all the host names every 20 seconds, and if one of them is duplicated it automatically kicks that bad host name, so the hacker can have access for a maximum of 20 seconds before he gets kicked out. I hope it will solve your problems.

The script:

# uses the global $hacklist variable (the list of duplicated host names, filled in elsewhere)
:global hacklist
#:log info ($hacklist)
:foreach host in=$hacklist do={
  # every DHCP lease that carries this host name
  :foreach i in=[/ip dhcp-server lease find host-name=$host] do={
    :local ipnum [/ip dhcp-server lease get $i address]
    # the active hotspot session (if any) behind that lease's IP
    :local unum [/ip hotspot active find address=$ipnum]
    :if ([:len $unum] > 0) do={
      :local usr [/ip hotspot active get $unum user]
      :log warning ($host . " " . $ipnum . " " . $usr)
      # next line kicks them out right now; could also check pppoe
      /ip hotspot active remove $unum
      # other stuff can be done now with the identified IP and USER
    }
  }
}
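The posted script only consumes $hacklist; it does not say how that list is built or how it is run every 20 seconds. As an added example (not part of the post above), the RouterOS v6 script below fills $hacklist with every DHCP host name that is bound to more than one MAC address, which is exactly the "same host name, three different MACs" pattern the post describes, and a scheduler entry then runs the builder and the kicker together. It assumes the builder is saved under /system script as "find-dup-hosts" and the posted kicker as "kick-dup-hosts"; those names are assumptions.

```routeros
# Added example: build the global $hacklist from duplicated DHCP host names.
# Script names "find-dup-hosts" / "kick-dup-hosts" are assumptions.

:global hacklist [:toarray ""]
# host-name -> first MAC address seen with it
:local seen [:toarray ""]

:foreach lease in=[/ip dhcp-server lease find] do={
  :local hn [/ip dhcp-server lease get $lease host-name]
  :local mac [/ip dhcp-server lease get $lease mac-address]
  # leases without a host name cannot be compared, skip them
  :if ([:len $hn] > 0) do={
    :if ([:typeof ($seen->$hn)] = "nothing") do={
      :set ($seen->$hn) $mac
    } else={
      # same host name already seen on a different MAC: flag it once
      :if (($seen->$hn) != $mac && [:typeof [:find $hacklist $hn]] = "nil") do={
        :set hacklist ($hacklist, $hn)
      }
    }
  }
}
:log info ("duplicate host names: " . [:tostr $hacklist])

# Run builder then kicker every 20 seconds (the interval the post describes).
# Add this scheduler entry once, from the terminal, not inside the script.
/system scheduler add name=dup-host-check interval=20s \
    on-event="/system script run find-dup-hosts; /system script run kick-dup-hosts"
```

Check it in the log first: leave the kicker out of the scheduler until the "duplicate host names:" line only lists names you expect, because a household with two devices that both report the same host name would otherwise be kicked along with the spoofers.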

MAC addresses are not encrypted on WiFi. You can confirm this yourself with a tool like Kismet, e.g.:

https://lh6.googleusercontent.com/VjbpXPoLPKGEjt-1WDc7QlOGP9an7sDwdAzAn8S4of4gD_5omCSUkpYyInEfzQDwshEWK4b0fpJvRf9FkJyXRtv3vXVSzJrYipI-1BkJoEMDThhPQpaGL30PBm3dBEvwZ60

WiFi scanners scan the IP range, therefore if you prevent them from showing IP addresses, MAC addresses won't be listed either.

One can still do ARP requests, as that is a layer 2 function and need not involve the IP addresses; also, if someone just sniffs for wireless traffic they can still grab MAC addresses out of the air. So your solutions will only slow down someone that has a basic knowledge of what is going on, not really preventing anything.

Also, by someone duplicating a MAC address, it still causes problems for the real host regardless of whether you block the offender from gaining access to the internet for a short time.

OK, why don't you provide us with a better solution then?