How to stop MAC Cloning

Hello, I have a problem. I have more than 50 clients, each with their own speed limitation, but mostly the clients change their NIC MAC address to another client's and use the internet. I want to stop MAC cloning. How? I have the option of hotspot & proxy, but I want to provide internet in the same method, i.e. now I'm using simple NAT. Anyone have an idea? Thanks in advance.

If you have any kind of user/pass based authentication (like hotspot or PPPoE), then MAC cloning will be useless for these violators; they will also need a username + password.

No, I'm using just simple NAT by firewall masquerade & I can't change to hotspot or PPPoE. Anyone have an idea??

If all your client devices are running RouterOS, you can use management frame protection available in wireless-test:
http://wiki.mikrotik.com/wiki/Wireless_Development#Management_frame_protection

Or you can use WPA and assign different preshared key for every customer.

AOA,

Dear Atif,

Why can't you implement PPPoE or Hotspot? They are the best authentication methods. Where are you running your cable internet system?

Hello Normis, I run hotspot, but in my school students still do MAC cloning and bypass the hotspot. Is there any way I could handle this?
Thanks

The only way to prevent MAC spoofing on a layer2 network is to prevent each client from seeing each other. This is beyond the control and scope of ANY layer3 device, this must happen at the edge of the network. Get access points that support client isolation, get managed switches that support port isolation, this is your solution.

Note that this does not prevent them from changing their MAC address at will; it just prevents them from scanning the network and finding out other people's MAC addresses in the hope of getting on with another client's MAC address.
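The two defensive measures suggested in this thread for a MikroTik access point, client isolation (so stations cannot scan each other), and the earlier suggestions of management frame protection and a different pre-shared key per customer, can be expressed as RouterOS CLI commands. The following is an added example written for this thread, not configuration posted by any participant; the interface name `wlan1`, the MAC addresses and the keys are assumptions and must be replaced with real values.

```routeros
# Added example (not from the thread). wlan1, MACs and keys are assumptions.

# 1. Client isolation on the access point: the AP does not forward frames
#    between its own stations, so a client cannot reach or scan the other
#    clients through the wireless segment.
/interface wireless set wlan1 default-forwarding=no

# 2. Management frame protection (only effective with clients that support it,
#    e.g. RouterOS stations, as the thread notes).
/interface wireless security-profiles set [find default=yes] \
    mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="DEFAULT-KEY-ASSUMED" \
    management-protection=allowed management-protection-key="MFP-KEY-ASSUMED"

# 3. One pre-shared key per customer via the access list: a cloned MAC
#    alone is not enough, the station also needs that customer's key.
/interface wireless access-list
add interface=wlan1 mac-address=00:11:22:33:44:55 \
    private-pre-shared-key="customer1-secret-ASSUMED" comment="customer 1"
add interface=wlan1 mac-address=00:11:22:33:44:66 \
    private-pre-shared-key="customer2-secret-ASSUMED" comment="customer 2"

# 4. Stations without an access-list entry are not authenticated at all,
#    so an unknown or cloned MAC with no matching key is refused.
/interface wireless set wlan1 default-authentication=no

# Check: list the stations actually associated and which access-list entry
# they matched (watch for a known MAC appearing twice from different signals).
/interface wireless registration-table print
```

The isolation in step 1 only covers clients on the same MikroTik AP; clients behind a separate unmanaged switch or a second AP can still see each other, which is the layer-2 point made above.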

Yeah, thanks for your reply, but could I use MikroTik to do that?

For PPPoE, spoofing the MAC is not working :slight_smile:

In Russia some providers use PPTP VPN (warning: it uses CPU on the VPN server/router) because it's more secure than PPPoE.

If you don't want any username/password authentication for your users, you can use a managed switch with MAC filtering (each user would then be connected to his own port on the managed switch, and only packets from his MAC address would be accepted on that port). This would eliminate MAC cloning completely (yes, a managed switch can eliminate MAC spoofing/cloning).

If the only problem is that users cheat their speed limits and you have a few standard speed limits (let's say 2/2, 10/10 and 20/20 Mbps) for all your customers, in some cases a cheaper alternative would be isolating groups of users with similar speed limits. For example, if you have 3 standard speed limits (example above), all your customers are connected to one port of your router and it has 2 unused ports, you can connect all users with the 2/2 limit to unused port 1 and all users with the 10/10 limit to unused port 2. Bridge these ports together and in the BRIDGE filter rules input chain (or, if you want to use ip firewall filter, specify in-bridge-port there) put IP or MAC restrictions on these ports (be aware that DHCP will also use 0.0.0.0 as source address). An alternative to bridging would be putting clients with different speed limits in different subnets (or some nasty configuration with big drawbacks). In the case of different subnets there won't be many filtering rules, but the IP address will have to be changed along with the speed limit. If your router doesn't have enough free ports, attach a managed switch to it and use VLANs (or set IP/MAC restrictions on the switch). In any case the cheaper method will have the drawback that you must also physically connect the user to another layer 2 (switch) network when changing the speed limit.

If you have long lines with many chained switches, don't think about 1 big managed switch, but think about replacing your small unmanaged switches with small managed switches that support MAC filtering (e.g. MikroTik RB250GS).

In any case you must also ensure the physical security of the switches (that users won't plug their cords into different ports or networks).
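The "bridge the per-speed ports and filter by MAC or IP in the bridge filter" approach described above can be written out as RouterOS commands. This is an added example for this thread, not a configuration any participant posted; the port names `ether2`/`ether3`, the MAC addresses, the subnets and the queue names are assumptions. It also shows the DHCP caveat from the post: the source-IP variant has to accept frames from 0.0.0.0 to UDP/67 before its subnet check, whereas the source-MAC variant needs no exception because a DHCP DISCOVER still carries the client's real MAC.

```routeros
# Added example (not from the thread). Port names, MACs, subnets are assumptions.

# ether2 carries the 2/2 Mbps group, ether3 the 10/10 Mbps group.
/interface bridge add name=bridge-clients
/interface bridge port add bridge=bridge-clients interface=ether2 comment="2/2 Mbps group"
/interface bridge port add bridge=bridge-clients interface=ether3 comment="10/10 Mbps group"

# --- MAC variant: only the MACs that belong to a group are accepted on that
#     group's port. A 2/2 user cloning a 10/10 customer's MAC is dropped,
#     because that MAC is only allowed in on ether3.
/interface bridge filter
# traffic to the router itself (NAT towards the internet): chain=input
add chain=input in-interface=ether2 src-mac-address=00:11:22:33:44:55 action=accept comment="cust A 2/2"
add chain=input in-interface=ether2 src-mac-address=00:11:22:33:44:56 action=accept comment="cust B 2/2"
add chain=input in-interface=ether2 action=drop comment="anything else entering the 2/2 port"
add chain=input in-interface=ether3 src-mac-address=00:11:22:33:44:77 action=accept comment="cust C 10/10"
add chain=input in-interface=ether3 action=drop comment="anything else entering the 10/10 port"
# traffic crossing the bridge between the two ports: chain=forward, same idea
add chain=forward in-interface=ether2 src-mac-address=00:11:22:33:44:55 action=accept
add chain=forward in-interface=ether2 src-mac-address=00:11:22:33:44:56 action=accept
add chain=forward in-interface=ether2 action=drop
add chain=forward in-interface=ether3 src-mac-address=00:11:22:33:44:77 action=accept
add chain=forward in-interface=ether3 action=drop

# --- IP variant (instead of the MAC rules above) for one port, if each group
#     lives in its own subnet. DHCP DISCOVER/REQUEST arrive from 0.0.0.0, so
#     they must be accepted before the subnet check or clients never get a lease.
# add chain=input in-interface=ether2 mac-protocol=ip ip-protocol=udp \
#     src-address=0.0.0.0/32 dst-port=67 action=accept comment="DHCP from 2/2 port"
# add chain=input in-interface=ether2 mac-protocol=ip src-address=10.0.2.0/24 action=accept
# add chain=input in-interface=ether2 action=drop

# The speed limit itself, applied per group address range so it cannot be
# escaped by swapping MACs within the same port.
/queue simple
add name="group-2M"  target=10.0.2.0/24  max-limit=2M/2M
add name="group-10M" target=10.0.10.0/24 max-limit=10M/10M

# Check that the drop rules are actually catching frames after a change of MAC:
/interface bridge filter print stats
```

Rule order matters in the bridge filter: the first match wins, so the `drop` for a port must come after all of that port's `accept` rules, and any rule added later for a new customer must be moved above the drop with `move`.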

If the MikroTik is the edge device, i.e. the access point yes. Or if a client needs to go “through” the MikroTik to talk to another client, you can block them.

If it's just the layer3 hop on the network to the internet, then no. A client does not need to use a router to talk to other devices on the same layer2 network.

Dear Sir,

I have a PPPoE user name and password, but some other person is using the same MAC and login. Can you please help us to clear the issue with MAC spoofing?

Wrong!!! At least on Hotspot anyway.

@Mplsguy Link does not exist

That’s what happens when you respond to a 5 year old post :wink:

http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#Management_frame_protection

Thanks Normis :smiley: