MT Hotspot and Rogue Routers

MT ver 2.9.39

We have a wired network of about 500 in an apartment complex. We use a centrally located 2.9.39 Level 6 MT x86 with a freeradius server located at the apartment office to run the hotspot; from this we break down into switches and each apartment has a wired cat5 connection.

Some clients have started to use their own routers; usually they plug a wireless Linksys, D-Link or other brand router into this connection to share the connection among their computers and other devices.

Their needing to share their connection with other devices they have is fine with us, BUT

The problem comes into the mix once a client installs their router.

  1. Client installs linksys (or other brand) router on the cat5 connection from MT
  2. Linksys router (WAN side) obtains IP from MT Hotspot
  3. Client connects to linksys router (LAN WLAN side)
  4. Linksys router hands IP out to client computer
  5. Client logs into internet using username and password

The problem:
All other users and/or computers/devices connecting to the Linksys router after the first client logs in can now get free internet, as they are not prompted with the sign-in page.

Many of the “younger” residents here have found this out, and now one person will sign up for service and then log in, leaving his connection open so that all their buddies in the other apartments around can get free service by connecting to his wireless signal from his router.
Not even our managed switches seem to be able to stop this.
We have tried installing our own client side equipment in some of these problem areas but they just unplug it and have their own router clone the MAC and IP from our equipment.

We have even had some of the more clever ones use MAC and IP cloning so they can use the same MAC and IP as our Hotspot Gateway so they don’t even have to login with an account at all.


We have set the MT DHCP server to alert us if other DHCP servers are found on the network, but even this does not see the routers sitting out there 99% of the time.

We have tried blocking the MAC addresses we find as routers in Hotspot IP Binding by adding the MAC and selecting the type as blocked. However, as said before, 99% of these routers are not even seen by MT to alert us of the device being there.

I did a search here and found a few posts about people using MAC and IP cloning to hack the hotspot on a wireless AP, but our setup does not use wireless. Our deployment is hard wired.
Does anyone know of a way we can get this under control, or does everyone using MT hotspot just accept this as revenue loss?

Because they have internet connection sharing from the router (NAT), everyone connected to that router has a single IP and MAC address on its WAN side that is authenticated with the HOTSPOT server.

We have tried installing our own client side equipment in some of these problem areas but they just unplug it and have their own router clone the MAC and IP from our equipment.

I think they can’t obtain an IP address from your equipment so far; only their router does.

We have even had some of the more clever ones use MAC and IP cloning so they can use the same MAC and IP as our Hotspot Gateway so they don’t even have to login with an account at all.

I’m sure that is not about MAC or IP cloning, but the internet connection sharing ability of their ROUTER.

We have set MT DHCP server to alert us if other dhcp servers are found on the network but even this does not see the routers sitting out there 99% of the time.

I think their DHCP server is not installed on the WAN side (different interfaces), so DHCP alerting can’t see any DHCP server behind their router.

We have tried blocking the MAC addresses we find as routers in Hotspot IP Binding by adding the MAC and selecting the type as blocked. However, as said before, 99% of these routers are not even seen by MT to alert us of the device being there.

Maybe that option can reduce the problem, but you can’t know exactly which one is a “rogue” router and which are “real” single client devices.

I did a search here and found a few posts about people using MAC and IP cloning to hack the hotspot on a wireless AP, but our setup does not use wireless. Our deployment is hard wired.

I think a wireless or wired topology will have the same problem in that condition.

Does anyone know of a way we can get this under control, or does everyone using MT hotspot just accept this as revenue loss?

I think that is not about MT, but the impact of internet connection sharing technology.
It’s not easy to solve this problem which you face with internet connection sharing technology. Everyone that has the ability to share an internet connection with a router (NAT) gets it. Everyone who has a router and hub can share a single user id that they want. It’s possible because Hotspot authentication just sees the router MAC address (wireless AP router, or other device that has connection sharing ability), not the clients behind that router.

Maybe you can configure the idle time and keepalive timeout to reduce it.
That is just my opinion; it can be wrong and I’m sorry for my mistake.

Rgrds

And how do you use the timeout and keepalive to do that?
Thanks

idle-timeout (time | none; default: none) - idle timeout (maximal period of inactivity) for authorized clients. It is used to detect that the client is not using outer networks (e.g. Internet), i.e., there is NO TRAFFIC coming from that client and going through the router. On reaching the timeout, the user will be logged out, dropped from the host list, the address used by the user will be freed, and the session time accounted will be decreased by this value.
keepalive-timeout (time | none; default: 00:02:00) - keepalive timeout for authorized clients. Used to detect that the computer of the client is alive and reachable. If the check fails during this period, the user will be logged out, dropped from the host list, the address used by the user will be freed, and the session time accounted will be decreased by this value.

That maybe can reduce authorized clients that leave hotspot authentication improperly.

Out of curiosity, when you find one of these routers providing free access to your service, do you leave the cat5 to that apartment connected or do you disconnect that customer and wait for them to call you?

There is a possibility.

If you change the TTL to 1 on packets coming out of the LAN interface of your hotspot, that should stop routers from working.

How to do it you can find on the forum.

Hmm… change TTL = 1, I have never tried this option yet, but soon I’ll try. So far as I explore this forum, I found some interesting topics with similar problems.

http://forum.mikrotik.com/t/isp-doesnt-allow-user-to-share-their-adsl-line/9688/1

rgrds

I’ve tested changing ttl = 1, and it seemingly works to prevent my wireless router from sharing internet connections. The illustration is:

Internet <----> MT Hotspot <----> AP <----> MT wireless client <----> my laptop

On MT Hotspot I applied the rule:
/ip firewall mangle add chain=postrouting out-interface=ether2-hotspot action=change-ttl new-ttl=set:1

The AP is a “corega” in bridge mode.

On MT Wireless I’ve applied masquerade to all traffic outgoing via wlan1.

Explanation:

  1. From my laptop I can’t be redirected to the login page and can’t get an internet connection if change ttl = 1 is enabled.
  2. From my laptop I can be redirected to the login page and get an internet connection if change ttl = 1 is disabled.

Maybe there is some impact or not, I don’t know yet. But it works!

Rgrds

There are several NAT routers out there that don’t decrease the TTL, so this won’t work for everybody.
What I do is set bandwidth and traffic limits for the account. That way, if they do share it out, they will all have to share the smaller amount of bandwidth and download capacity. If you set a limit of say 10GB downloaded per week (or whatever is reasonable for your network), then when some guy shares the connection with all his neighbours, that limit will quickly be reached and he won’t be able to login.

You could also try limiting the maximum number of simultaneous connections permitted.
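The TTL = 1 mangle rule discussed above works because a router must decrement the TTL of every packet it forwards and discard the packet when the TTL reaches zero, while a directly attached host accepts a packet with TTL 1 without complaint. The following Python simulation is an added example and not code from the thread or from MikroTik: it models the three cases the thread raises (a direct client, a client behind a NAT router that decrements TTL, and a client behind a NAT router that does not, the caveat in the last reply). It also shows a defensive heuristic that goes beyond what the thread states: because a NAT router decrements the TTL on the way out as well, the hotspot sees client packets arriving with a TTL one below the usual operating-system defaults, which can flag hosts worth a closer look. The host names, addresses, TTL values and the table of "common initial TTLs" are all constructed assumptions.

```python
"""Simulation of the hotspot TTL=1 mitigation and a TTL-based NAT-detection heuristic.
Added example; all hosts, routers, addresses and packets are constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int


@dataclass
class Host:
    """An end host: accepts any packet that still has TTL >= 1 on arrival."""
    name: str
    received: List[Packet] = field(default_factory=list)

    def receive(self, pkt: Packet) -> bool:
        self.received.append(pkt)
        return True


@dataclass
class NatRouter:
    """A consumer NAT router forwarding hotspot traffic to one LAN host.
    decrements_ttl=False models the routers the thread says do not decrease TTL."""
    name: str
    lan_host: Host
    decrements_ttl: bool = True
    dropped: int = 0

    def receive(self, pkt: Packet) -> bool:
        ttl = pkt.ttl - 1 if self.decrements_ttl else pkt.ttl
        if ttl <= 0:
            # RFC 791 behaviour: a forwarded packet whose TTL hits zero is discarded.
            self.dropped += 1
            return False
        return self.lan_host.receive(Packet(pkt.src, pkt.dst, ttl))


def hotspot_send(target, new_ttl: int) -> bool:
    """Mirror of the mangle rule 'action=change-ttl new-ttl=set:N' on the LAN-facing
    interface: every packet leaving the hotspot towards a client carries TTL new_ttl.
    Addresses are constructed placeholders."""
    return target.receive(Packet("203.0.113.1", "10.5.0.12", new_ttl))


def simulate(new_ttl: int) -> Dict[str, bool]:
    """Return whether a packet reaches the client in each of the three topologies."""
    direct = Host("direct-client")
    nat = NatRouter("decrementing-nat", Host("laptop-behind-nat"))
    odd = NatRouter("non-decrementing-nat", Host("laptop-behind-odd-nat"),
                    decrements_ttl=False)
    return {
        "direct": hotspot_send(direct, new_ttl),
        "via_nat": hotspot_send(nat, new_ttl),
        "via_nondecrementing_nat": hotspot_send(odd, new_ttl),
    }


# Constructed assumption: initial TTLs commonly chosen by operating systems.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def hops_from_initial(observed_ttl: int) -> Optional[int]:
    """Estimate how many routers a packet crossed before the hotspot saw it,
    assuming the sender started from the nearest common default at or above it."""
    candidates = [t for t in COMMON_INITIAL_TTLS if t >= observed_ttl]
    if not candidates:
        return None
    return min(candidates) - observed_ttl


def likely_behind_router(observed_ttl: int) -> bool:
    """On a flat wired LAN the hotspot is the first hop, so any decrement at all
    suggests a router between the port and the real client. Routers that do not
    decrement TTL evade this check just as they evade the TTL=1 rule."""
    hops = hops_from_initial(observed_ttl)
    return hops is not None and hops >= 1


def flag_suspects(observed: Dict[str, int]) -> List[str]:
    """Given {client_ip: ttl_seen_by_hotspot}, return the IPs worth inspecting."""
    return sorted(ip for ip, ttl in observed.items() if likely_behind_router(ttl))


# Constructed sample of TTLs as the hotspot might observe them on client packets.
SAMPLE_OBSERVED = {"10.5.0.12": 128, "10.5.0.40": 127, "10.5.0.77": 64, "10.5.0.90": 63}

if __name__ == "__main__":
    print("new-ttl=set:1  ->", simulate(1))
    print("default TTL    ->", simulate(64))
    print("suspect hosts  ->", flag_suspects(SAMPLE_OBSERVED))
```

Running it shows the direct client still receives packets with TTL 1 while the decrementing NAT router drops them, and that the non-decrementing router is unaffected, which is exactly why the reply above recommends per-account bandwidth and byte limits as a complementary control. The flagged-host list is only a triage aid: a client behind a router that does not decrement TTL will not appear in it, and an unusual operating-system default could produce a false positive, so confirm before acting on it.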