Hotspot/DHCP fails to give out IP address - pool empty

I encounter the following problem on some routers:

A client (or his NAT router; some SMC devices are doing this) floods the hotspot with many IP addresses. The addresses are mostly public IP addresses, ranging from 4.X.X.X to 21X.X.X.X. Dozens or hundreds of IP addresses can appear from a single client MAC address within minutes. As a result, the Hosts page in Hotspot is flooded with addresses, which are translated by Hotspot to the assigned client IP range. Since I use pools of class C size, the pool runs out of space very quickly and it is impossible for a new client to get an IP address.

When I remove those entries from the Hosts list, everything works, until it gets filled by this crap again.

What firewall rule would prevent ANY IP address other than those from the legitimate range from accessing the Hotspot, before it appears in the Hosts list?

Any suggestion is very welcome, thanks.

One simple method would probably be:

/ip firewall filter
add chain=input src-address=!x.x.x.0/24 in-interface=local action=drop comment="drop packets on the client interface whose source is outside the DHCP subnet"

. src-address would be the valid network address and subnet of your DHCP server (the ! negates the match, so everything outside that subnet is dropped)
. in-interface would be the interface your clients connect to
. I'm not sure if a forward rule will be relevant as well
. if you like you can use action=reject (in this case an ICMP message is sent to the user)
. you could also choose to add those spoofed addresses to a list and see if there's anything interesting you could do with them later

Of course since you have the user’s mac address you could always take it up with them.

Cheers.
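A fuller version of the rule set suggested above, added here as an example and not taken from the thread: it records the spoofed sources in an address list before dropping them, and applies the same check in the forward chain. The subnet 10.5.50.0/24, the interface name hotspot-bridge and the list name hotspot-spoofed are placeholders to replace with your own values.

```routeros
# Constructed example: anti-spoofing rules for a RouterOS hotspot interface.
# 10.5.50.0/24   = the network of the hotspot's DHCP pool (placeholder)
# hotspot-bridge = the interface the hotspot clients connect to (placeholder)
/ip firewall filter

# 1. Record every source address outside the pool network that arrives on the
#    client interface. The list entries expire after a day, so the list shows
#    which MAC/client is currently misbehaving without growing forever.
add chain=input in-interface=hotspot-bridge src-address=!10.5.50.0/24 \
    action=add-src-to-address-list address-list=hotspot-spoofed \
    address-list-timeout=1d \
    comment="record spoofed source addresses seen on the hotspot interface"

# 2. Drop traffic to the router itself from any such address.
add chain=input in-interface=hotspot-bridge src-address=!10.5.50.0/24 \
    action=drop comment="drop router-bound traffic not from the pool network"

# 3. Apply the same check to traffic the router would forward for the client.
add chain=forward in-interface=hotspot-bridge src-address=!10.5.50.0/24 \
    action=drop comment="drop forwarded traffic not from the pool network"

# Inspect what has been caught:
/ip firewall address-list print where list=hotspot-spoofed
```

Check after adding the rules that clients still obtain leases: a DHCP discover carries source address 0.0.0.0, so if leases stop, place an accept rule for protocol=udp dst-port=67 on the client interface above rule 2.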