I have Mikrotik v4.11 with hotspot. I want to block arp-scan, or a solution to prevent this.
I connect to the hotspot without logging in, then do an arp-scan, get one of the IP and MAC addresses, clone mine as his, and I can connect to the Internet.
This has been stated many times. The only way to prevent clients talking to each other over a layer 2 network is for the edge equipment to be set up to prevent this. This has been and will always be the case. On switches this means VLANs and/or Port Isolation; on access points this means Client Isolation. If your choice of equipment doesn’t have these basic security settings, I would suggest looking into better hardware.
How is a device in the middle of the network supposed to stop devices right next to each other from talking to each other? The simple answer is that it can’t, it can only manage traffic that is going over it.
Not according to the manual you posted. Unless I missed that feature when briefly scanning the ToC and sections that could contain it. That switch can do VLANs but that in and by itself isn’t enough to prevent hotspot users from cheating their way into access, which I think you are really after.
If you are looking at 3Com switches, I wouldn’t bother with anything less than a 4500 series. Their 26 port version can be had for around $500 US, and is a very good switch. We use it all over the place, it does both port isolation and VLANs, and more than likely anything you would need it to do. The 3Com Baseline/Office Connect series honestly suck as far as managed switches go; spend the extra 100 to 200 and save yourself a lot of headaches and problems.
You can use any MikroTik board as a layer 2 device fine. For what you are looking for you do not want to use the switch chip feature, however; you will want to bridge all of the ports together. You’ll lose out on some of the features of a real switch, however. You can use the Horizon option when adding ports to the bridge to block communication between ports; you’ll probably just need to exclude the up-link port from that option.
I am planning to use an RB450 as a switch and my Intel PC as a router for now, and in the future I will buy an RB493AH and use it as a router and managed switch.
What is the command to clear settings in Mikrotik?
And what settings do I need to turn the RB450 into a managed switch that can do client isolation and block arp-scan, to prevent two computers with the same IP and MAC from using the same hotspot user account? (The first is the real user and the second a thief who steals the IP and MAC.)
Log into the device via the CLI and type in ‘setup’. In there is an option to completely reset the configuration of the MikroTik. I think there are a few other ways to get at this too. Be sure you have a console cable ready, as that will be the fastest way to get back into it.
The basic way you will do that is to make a bridge and add all of the interfaces to that bridge. Be sure to set up the Horizon option on each port as you add them into the bridge. http://wiki.mikrotik.com/wiki/Manual:MPLSVPLS#Split_horizon_bridging
You will want to leave that option off of whatever the up-link port is, probably; I’m not sure on this point as I’ve never set up a MikroTik like that. This should prevent clients from talking to each other over the “switch”, but won’t prevent it from happening over the access point, so be sure to set up the client isolation on them.
Do not use the switch chip on the MikroTik if you want to do any kind of isolation like that; the switch chip does not support it.
No, the Horizon value needs to be the same. Basically what it’s saying is: any traffic that comes in on this port with a Horizon number of x, do not let the traffic go out of any of the ports that have the same number set. This is why you will need to leave the Horizon option off of the uplink port, otherwise the traffic will not be able to leave the bridge (not a problem if the MikroTik is the router).
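The bridge-with-horizon setup described in the posts above, written out as RouterOS CLI commands. This is an added example, not configuration posted by anyone in the thread; it assumes a board whose hotspot client ports are ether1 to ether4 and whose uplink to the separate router is ether5 (the interface names, the bridge name and the horizon value are constructed for the example).

```routeros
# Added example: client-port isolation with split-horizon bridging.
# Assumption: ether1-ether4 face hotspot clients, ether5 is the uplink
# to the router. Do not use the switch chip for this; bridge the ports.
/interface bridge
add name=bridge1

# Every client port gets the same horizon value (1). Frames arriving on a
# port with horizon=1 are never forwarded out another port with horizon=1,
# so clients cannot reach each other through the board.
/interface bridge port
add bridge=bridge1 interface=ether1 horizon=1
add bridge=bridge1 interface=ether2 horizon=1
add bridge=bridge1 interface=ether3 horizon=1
add bridge=bridge1 interface=ether4 horizon=1

# The uplink port carries no horizon value, so traffic from any client
# port can still leave the bridge towards the router (and come back).
add bridge=bridge1 interface=ether5

# Quick check: all four client ports should show horizon=1, ether5 none.
/interface bridge port print
```

This only isolates clients at the board’s own ports. As the reply above notes, clients associated to the same access point still share its radio, so client isolation has to be enabled on the AP as well.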
MikroTiks handle VLANs very differently than a real switch will. It is a Linux based device and it handles VLANs just like Linux does. Whenever you add a VLAN, what it does is make a virtual interface in the router that just so happens to tag all traffic leaving it with the tag, and reads only traffic coming into it with the right tag. As far as the MikroTik is concerned it’s just another usable physical interface: you can assign an IP to that interface, route traffic out of it, or do anything else that you can do to a real interface. When you add a VLAN on a switch and assign it to an interface, the switch will not treat that VLAN as a separate interface; all it really does there is tell the switch what ports the traffic is allowed to come in on and go out of.
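The “VLAN is just another interface” point above, shown as RouterOS commands. This is an added example, not from the thread; the VLAN id, the parent interface and the addresses are constructed for illustration.

```routeros
# Added example: a VLAN on RouterOS is a virtual interface on top of a
# physical one. Assumption: ether5 is the trunk towards the upstream
# switch/router and VLAN 10 is the hotspot segment (constructed values).
/interface vlan
add name=vlan10-hotspot interface=ether5 vlan-id=10

# Frames leaving vlan10-hotspot are tagged 10; only frames arriving on
# ether5 with tag 10 are delivered to it. Everything else about it works
# like a physical port: it can carry an address and be routed over.
/ip address
add address=192.168.10.1/24 interface=vlan10-hotspot

# The VLAN interface can serve the hotspot's DHCP/hotspot setup directly,
# or be put into a bridge like any other port if you need bridging.
/interface bridge port
add bridge=bridge1 interface=vlan10-hotspot

/interface vlan print
```

Unlike a hardware switch, nothing here confines traffic to a set of ports by itself; isolation between client ports still comes from the bridge horizon setting (or from the access point’s client isolation), not from the VLAN.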
Should I put horizon 1 on all ports 1-4 and disable the horizon for port 5, which is connected to the Intel PC Mikrotik router?
Do you mean that I do not need the VLAN? What is the difference from a normal switch?
I am using 192.168.1.0/24 for DHCP and the 192.168.1.2-192.168.1.254 pool for the hotspot. Will using different pools for hotspot and DHCP help? Does it actually work to have different pools for them?
Question: are you running a public Hotspot over WiFi?
If so, you HAVE to run it as an open access point. You cannot use WEP or WPA (which are broken, anyway), and you cannot use WPA2. You would confuse people and make it hard for them to connect, and you would lose customers.
In an open access point ANYONE CAN SEE THE FRAMES THE RADIO SENDS INTO THE AIR. Client isolation does not magically make it so the AP somehow transmits only to the intended client, client isolation only makes it so that clients can’t talk to one another. THEY CAN STILL SEE THE TRAFFIC, and can therefore see the MAC and IP address of one another.
You cannot prevent users from stealing access. You can come up with some harebrained schemes like having an open access point where users buy credentials, and then they get limited to 1k up and down and instead use the credentials to log into a WPA2 access point that then grants the real access. If you do that - or anything similar - you increase the amount of service calls and reduce purchases to the point that you lose more money than through people stealing access.
The people who are stealing are taking the MAC and IP of an active authorized client, so that client will complain that the internet is slow. I don’t have a method to know if something is wrong with his computer or if someone has cloned his IP and MAC.
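One way to get the “is this a clone or a slow PC?” signal the last post asks for, as an added example that is not from the thread. Once the clients are isolated on bridge ports as described earlier, a cloned MAC/IP pair cannot be told apart by address, but the bridge’s learned-host table will show the same MAC flapping between two ports as the real client and the copier take turns sending. The script below is a constructed RouterOS scheduler script that records the port each hotspot-active MAC was last learned on and logs a warning when it moves; it assumes a RouterOS version with the `:global` array syntax shown (newer than the v4.11 in the question) and the `/interface bridge host` and `/ip hotspot active` tables with the `mac-address` and `on-interface` fields used here.

```routeros
# Added example: detect a hotspot client's MAC moving between bridge ports.
# Assumptions: scripting with array variables as written below; the
# bridge host table exposes mac-address and on-interface; hotspot active
# entries expose mac-address. Run it from /system scheduler every minute.
:global lastPort
:if ([:typeof $lastPort] = "nothing") do={ :set lastPort [:toarray ""] }

:foreach a in=[/ip hotspot active find] do={
  :local mac [/ip hotspot active get $a mac-address]
  :local hosts [/interface bridge host find mac-address=$mac]
  :if ([:len $hosts] > 0) do={
    # A learning bridge keeps one entry per MAC, so the entry's port is
    # simply whoever with that MAC transmitted most recently.
    :local port [/interface bridge host get ($hosts->0) on-interface]
    :local prev ($lastPort->$mac)
    :if ([:typeof $prev] != "nothing" && $prev != $port) do={
      :log warning ("hotspot MAC " . $mac . " moved from " . $prev . \
        " to " . $port . " - possible cloned MAC/IP on another port")
    }
    :set ($lastPort->$mac) $port
  }
}
```

A genuinely slow PC stays on one port, so a MAC that keeps alternating between two client ports in the log is strong evidence of the cloning the post describes. The check only works when the real client and the copier sit on different bridge ports; two stations on the same access point radio arrive over the same port and are indistinguishable here, which is the wireless limitation the earlier reply points out.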