problem with unauthorized hotspot users

I activated a hotspot server with User Manager on an RB951G-2HnD, but now when users connect to the wifi network they can access other IPs in the hotspot IP range without authenticating or logging in to the hotspot.
They can use RDP or SMB to connect to other unauthorized users, or access the ADSL router and an iPhone on port 80.

How can I prevent unauthorized users from connecting to other unauthorized users or to other devices by IP?
I want users to have access to each other after logging in to the hotspot.

Config:
/ip address
add address=192.168.9.2/24 disabled=no interface=ether5 network=192.168.9.0
add address=192.168.7.2/24 disabled=no interface=ether2 network=192.168.7.0

/ip pool
add name=DLink ranges=192.168.7.50-192.168.7.150

/ip dhcp-server network
add address=192.168.7.0/24 dhcp-option="" dns-server="" gateway=192.168.7.2 \
    ntp-server="" wins-server=""

/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
    cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no use-radius=no
add dns-name=amir.reza hotspot-address=192.168.7.2 html-directory=hotspot \
    http-proxy=0.0.0.0:0 login-by=http-chap name=hsprof1 nas-port-type=\
    wireless-802.11 radius-accounting=yes radius-default-domain="" \
    radius-interim-update=10s radius-location-id="" radius-location-name="" \
    radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no use-radius=yes
/ip hotspot
add address-pool=DLink addresses-per-mac=1 disabled=no idle-timeout=5m \
    interface=ether2 keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default \
    shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip hotspot ip-binding

/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add disabled=no name=admin password=123453 profile=default
add disabled=no name=s password=s profile=default
add disabled=no name=1 password=1 profile=default
add disabled=no name=2 password=2 profile=default

Unfortunately, networks are designed to allow such things. Mikrotik’s hotspot feature works by sending ARP replies for everything in the network. If the other host’s ARP reply reaches the requester first, though, then the Mikrotik cannot stop the two hosts from communicating.

If two hosts have a layer2 (ethernet/wifi) path directly to each other which does not pass through the Mikrotik, then the Mikrotik ultimately cannot block such traffic. It can only confuse the clients into thinking they must talk to the Mikrotik instead.

If you want host<>host communication, but only once authorized, then I would suggest that you convert your network into a point-to-multipoint type of design - all APs use client isolation, and all switches implement private VLAN / split horizon. Then the Mikrotik can be set to answer proxy-arp for all clients and they will communicate with each other by ‘bouncing’ their packets off of the Mikrotik.
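The isolated point-to-multipoint design described above, as an added RouterOS configuration example that is not part of the original thread or of MikroTik's own documentation. ether2, the 192.168.7.2/24 address and hotspot1 come from the config in the question; wlan1, ether3, ether4 and the bridge name bridge-hs are assumptions for illustration. The downstream D-Link AP must have its own client-isolation (AP isolation) setting enabled in its own interface, which the router cannot do for it.

```routeros
# Added example, not from the original thread. Interface names other than
# ether2 and the bridge name are assumptions; adapt them to your ports.

# 1. Wireless clients on the router's own AP may not talk to each other
#    through the AP; every frame has to go up to the router.
/interface wireless
set wlan1 default-forwarding=no

# 2. Put all client-facing ports in one bridge and in the SAME split-horizon
#    group. The bridge never forwards frames between ports sharing a horizon
#    value, so the only layer-2 peer any client can reach is the router itself.
#    proxy-arp on the bridge makes the router answer ARP for every client
#    address, so client-to-client traffic is routed through the router.
/interface bridge
add name=bridge-hs arp=proxy-arp
/interface bridge port
add bridge=bridge-hs interface=ether2 horizon=1
add bridge=bridge-hs interface=ether3 horizon=1
add bridge=bridge-hs interface=ether4 horizon=1
add bridge=bridge-hs interface=wlan1  horizon=1

# 3. Move the hotspot address and the hotspot itself from ether2 to the
#    bridge, so routed client-to-client traffic passes the hotspot's
#    dynamic firewall rules and is only forwarded between logged-in hosts.
/ip address
set [ find interface=ether2 ] interface=bridge-hs
/ip hotspot
set hotspot1 interface=bridge-hs
```

To check the result, log one client in and leave another unauthenticated, then ping or RDP between them: it should fail until both are logged in, and `/ip hotspot host print` shows which hosts are authorized. Two caveats: split horizon is a software-bridge feature, so on an RB951G-2HnD it disables switch-chip offload for those ports and all inter-client traffic is handled by the CPU; and a client whose AP or switch still forwards frames locally (the D-Link in the question, if AP isolation is off) keeps a layer-2 path that bypasses the router, exactly as the post above warns.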

In our Internet cafe we had such a problem.
I have 2 Linksys modems. I disabled both DHCP servers, and the only DHCP server which is active is the MT.
1st network: 192.168.20.0/24
2nd network: 192.168.30.0/24
hotspot: 10.5.50.0/24

My MT doesn't have any wireless interface.
So when users want to connect to my network via the Linksys AP, there is no DHCP server to respond to them except my MikroTik, so they get the right IP from my hotspot range and there are no unauthorized users.
Maybe you just need to disable DHCP on your modems and AP, like in my story?