Hotspot

Hello;

Our hotspot users are buying Wireless Home Routers and using them in NAT mode to distribute the Internet access in the flat to more than one person, but only buying a single username/password.


Is there a way to prevent this happening?

It seems it is not doable since MT hotspot is only seeing the MAC address of the Wireless Router (WAN).

Any tricks?

Set the TTL of packets sent to them to 1.

LOL. “Hacking the hackers”

But how can I identify which IP belongs to a wireless router?

There are hotspot solutions out there which authenticate the computers themselves regardless of the actual connection.

In those systems, the hotspot page actually sends the MAC or IP address of the actual computer trying to auth and gives access to only that MAC, unlike the MT hotspot, which uses the MAC and IP of the connection seen by the hotspot server.

Is there any way we can implement a solution like this?

No. You’re mistaken that other products can prevent this. The whole purpose of port overload NAT is to hide everything behind the router that is performing NAT. It translates all IP addresses behind it to itself. You can’t ever see the MAC address of devices behind a router that is operating on layer 3 because MAC addresses by design get rewritten on layer 3 hops. What you’re seeing is just a consequence of how NAT and TCP/IP work. Setting the TTL is harmless for devices that are directly connected to your router, but will cause any router connected to your router to discard the packet, effectively cutting everyone behind the router from your services until the router is removed and everyone connects directly.
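A small model of what the reply above describes, added here as an illustration and not part of the original thread: two clients behind one NAT router look like a single MAC/IP pair to the hotspot, and a packet sent with TTL 1 is accepted by a directly connected host but discarded by a router that would have to forward it. The class names and all addresses are constructed for the example.

```python
from dataclasses import dataclass, replace

# All MAC and IP addresses below are constructed sample values.
@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    ttl: int

class NatRouter:
    """Simplified home router: a layer 3 hop doing source NAT on its WAN side."""
    def __init__(self, wan_mac, wan_ip):
        self.wan_mac, self.wan_ip = wan_mac, wan_ip

    def lan_to_wan(self, pkt):
        # Client -> hotspot: NAT replaces the source IP, and the outgoing
        # frame carries the router's own WAN MAC as its source address.
        if pkt.ttl <= 1:
            return None
        return replace(pkt, src_mac=self.wan_mac, src_ip=self.wan_ip, ttl=pkt.ttl - 1)

    def wan_to_lan(self, pkt, client_ip):
        # Hotspot -> client (only TTL handling is modelled here): a router
        # decrements TTL and discards the packet if it would reach 0.
        if pkt.ttl <= 1:
            return None
        return replace(pkt, dst_ip=client_ip, ttl=pkt.ttl - 1)

def host_accepts(pkt):
    # An end host delivers a packet addressed to it even when TTL is 1.
    return pkt is not None and pkt.ttl >= 1

def hotspot_view(pkts):
    # The (MAC, IP) pairs the hotspot can observe on its own segment.
    return {(p.src_mac, p.src_ip) for p in pkts if p is not None}

def demo():
    router = NatRouter("02:00:00:00:00:01", "10.5.50.20")
    clients = [Packet("02:00:00:00:aa:01", "192.168.1.10", "203.0.113.7", 64),
               Packet("02:00:00:00:aa:02", "192.168.1.11", "203.0.113.7", 64)]
    seen = hotspot_view(router.lan_to_wan(p) for p in clients)
    # Reply leaving the hotspot with its TTL already set to 1.
    reply = Packet("02:00:00:00:00:fe", "203.0.113.7", "10.5.50.20", 1)
    direct = host_accepts(reply)                                  # PC plugged in directly
    behind = host_accepts(router.wan_to_lan(reply, "192.168.1.10"))  # PC behind the router
    return seen, direct, behind

if __name__ == "__main__":
    print(demo())
```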

@Fewi;

If you know German (I don't), follow the URL below:
http://www.netopsie.de/index.php?option=com_content&view=category&layout=blog&id=26&Itemid=23&lang=de

This product does exactly what I would like to achieve with RouterOS, as I have seen it live.

Suppose that the hotspot is wired;
when you connect the WAN port of a Wireless Home Router running in NAT mode to the hotspot, the system uses the MAC and IP of the individual computers to authenticate, not the Wireless Router's WAN port. Therefore it limits access to one login, multiple use scenario.

I don't know how it does that, but it works exactly this way.

I guess the hotspot page displayed at the initial login has something to do with this, but I'm not sure…

Any ideas if we can achieve this in RouterOS?

TCP/IP doesn’t work that way.

Yes, I know that it doesn't work that way; that's why I am asking.

But you’re asking for something impossible. There’s no way you saw that product do that, because it’s literally impossible. You’re mistaken if you think you saw that. The NAT router rewrites the source IP addresses because it performs NAT, and rewrites the source MAC addresses because it’s a layer 3 hop. With both fields having been rewritten a device further upstream cannot possibly see the original values of the source MAC address and IP address fields. The fields have changed.

Fewi;
I know all of these :)

That's why I am now seeking an opportunity to get some screenshots and detailed info in a few days and post them here.

I am pretty sure it works exactly as I tell you. So no mistakes there.

I have talked to my friend at another ISP using the product, and he told me the following scenario:

The hotspot page displayed to the user sends the local IP of the client's computer to the hotspot server and authenticates based on that local IP address, regardless of what it sees on the actual connection.

So basically the NAT router's IP and MAC never get authenticated and Internet connectivity behind the NAT never works!

He accepted meeting up tomorrow to test this and get screenshots.

If I am not really confused big time (which I think I am not), after this I would like this functionality to be added as a feature request.

Very creative.
What do you guys say?

MT team, is it possible to do something like this?