Hi all,
I have this configuration on my MikroTik machine:
ether1 = reply-only (local)
ether2 = reply-only (local)
ether3 = enabled (local)
all in one bridge = enabled (192.168.10.2)
What I want to achieve is:
all the computers that connect through ether1 and ether2 must have their IP and MAC assigned in ARP
all the computers that connect through ether3 do not need to have their IP and MAC assigned in ARP
If you have ether1,ether2,ether3 joined into a bridge then you should assign the IP address to the bridge interface and not assign any IP addresses to any of the physical ports ether1,ether2,ether3.
Because all ARP related settings are only relevant for interfaces that have an IP address assigned (without IP there will not be any need for ARP on an interface) and the IP address should be on the bridge interface, you will only be able to configure the ARP behaviour on the bridge interface. It does not matter what you configure for ARP on ether1,ether2,ether3 as it will never be used anyway.
@tneumann sorry, I forgot to mention the IPs…
Okay, here are the IPs:
ether1 = blank IP
ether2 = blank IP
ether3 = blank IP
bridge1 = 192.168.10.2/16
Your IP setup looks OK with the IP address on the bridge interface and no IP addresses on the ether interfaces, but please recall what I already wrote: ARP has no meaning on interfaces that do not have IP configured. That alone practically answers your question: as there are no IP addresses on ether1, ether2, ether3, why do you think you would be able to influence anything by configuring ARP modes on these interfaces?
OK, back to your original question: the short answer is no, you cannot do this.
The longer answer is maybe you can, but just not by playing with the ARP modes on the ether interfaces. You can try to configure bridge filter rules that specifically filter ARP requests and/or replies that go to/originate from the bridge and these filter rules may take the bridge port (ether1,ether2,ether3) into account when deciding what to drop and what to pass. But this is an ugly design, IMHO.
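One way to build the per-port variant tneumann describes above, as an added example that is not from this thread or from MikroTik's own documentation: RouterOS CLI, assuming the bridge is named bridge1, the ports are ether1..ether3, and the two client bindings are constructed sample values. ARP from ether1 and ether2 is accepted only when it carries the expected IP/MAC pair; ether3 gets no rules, so its hosts are still learned dynamically.

```routeros
# Added example, not from the thread. Assumed names: bridge1, ether1..ether3.
# The bridge keeps arp=enabled so ether3 clients are still learned dynamically;
# the bridge filter below is what locks ether1 and ether2 to their bindings.
/interface bridge
set bridge1 arp=enabled

# Constructed sample bindings for the two ports that must be locked down.
# Static entries are never overwritten by a dynamic learn.
/ip arp
add address=192.168.10.10 mac-address=02:00:00:00:00:10 interface=bridge1 comment="client A, expected on ether1"
add address=192.168.10.11 mac-address=02:00:00:00:00:11 interface=bridge1 comment="client B, expected on ether2"

/interface bridge filter
# ether1: accept ARP only when sender IP and sender MAC both match the binding,
# in the input chain (ARP aimed at the router) and the forward chain (ARP to other ports).
add chain=input   in-interface=ether1 mac-protocol=arp arp-src-address=192.168.10.10 arp-src-mac-address=02:00:00:00:00:10 action=accept
add chain=forward in-interface=ether1 mac-protocol=arp arp-src-address=192.168.10.10 arp-src-mac-address=02:00:00:00:00:10 action=accept
# ether2: same pattern with client B's binding.
add chain=input   in-interface=ether2 mac-protocol=arp arp-src-address=192.168.10.11 arp-src-mac-address=02:00:00:00:00:11 action=accept
add chain=forward in-interface=ether2 mac-protocol=arp arp-src-address=192.168.10.11 arp-src-mac-address=02:00:00:00:00:11 action=accept
# Any other ARP entering on ether1 or ether2 is dropped, so neither the router
# nor the other bridge ports ever learn an unlisted or spoofed pair from them.
add chain=input   in-interface=ether1 mac-protocol=arp action=drop
add chain=forward in-interface=ether1 mac-protocol=arp action=drop
add chain=input   in-interface=ether2 mac-protocol=arp action=drop
add chain=forward in-interface=ether2 mac-protocol=arp action=drop
# ether3 intentionally has no rules: its hosts behave as with a plain arp=enabled port.
```

Check the result with `/ip arp print`: ether3 hosts show up as dynamic entries, while an unlisted host on ether1 or ether2 never appears. A host that clones both the listed IP and the listed MAC on the same port still passes these rules, which is why this stays a partial measure rather than real port security.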
samsoft, if you don’t like getting banned, please stop using rude language, and prove your point when making statements about something.
saying “this is bad, don’t use it” will not help anyone, especially if you haven’t used it yourself.
and once more - you are asking us to fix a feature on your ‘other brand ap’? i don’t understand what you want. if we have misunderstood your problem, please clarify it.
Well, I don't know what language I have to use? English, Arabic... because I don't know other languages.
What other brand AP are you talking about?
Me and many ISPs (forget wireless) have tested the reply-only feature and found that it can be fooled. Why is that???
This is what we (not only me) want to know: why is reply-only not working???
What I know from the manual is that a specific MAC address has to get a specific IP address. HOW could another MAC take another IP from the list?
Do you really not understand me??? Or are you just defending your MT?? I don't think I'm talking about any mysteries. It's so clear, and many other ISPs tested it and found that it's not protecting anything.
Besides, I gave you an example above.
You cannot force me to use any kind of hardware. I selected MT because I thought it was very powerful in security, but WE found that the MT hotspot is a joke; a tiny little mean piece of software like NET-CUT can break it!!! Can you believe that?? And you cannot do anything, just threatening me with a ban!!!
I don't know if banning me would solve this problem??
It's not a civilized or scientific way to talk, and your regular daily answers, "read the manual!!", "send support!!", would not solve the problem.
In the end, just try it yourself and tell me if it's working.
What exactly does not work for 'reply-only'?
Reply-only binds a specific IP address to a MAC address; a static table is used to serve clients. A MAC/IP user cannot pass data through the router if the MAC/IP pair is not in the list.
If another user has taken the same IP address and MAC address configuration, the router (forget about HotSpot or anything) is not able to tell which one of them is the correct user and which one uses the stolen IP and MAC address.
To solve your problem for an Ethernet network (if we are not talking about wireless):
Firstly, you can use managed switches that allow you to set MAC address restrictions per port. In other words, this means that user A with MAC address xx:xx:xx:xx:xx:xx is able to forward data only over a specific port (when the appropriate configuration is used).
If you do not have the opportunity to use managed switches, use a PPPoE server:
do not assign an IP address to the local interface; every user requires a PPPoE client configuration (login/password).
If security is important for your non-wireless network, then use PPPoE or managed switches. Otherwise some users will be able to take another user's MAC/IP address and use it; it is not a MikroTik security issue, since it is a router.
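The PPPoE alternative from the reply above, as an added example that is not from this thread or from MikroTik's own documentation: RouterOS CLI, assuming the bridge is named bridge1 and that the pool name, profile name, secrets and the 10.200.0.0/24 range are constructed placeholders. Each client must authenticate before it receives an address, so a host that only spoofs an IP/MAC pair on the wire has nothing to talk to.

```routeros
# Added example, not from the thread. Assumed names: bridge1, pppoe-pool,
# pppoe-profile, clientA/clientB and the 10.200.0.0/24 range (all constructed).

# Address pool handed out to authenticated PPPoE sessions.
/ip pool
add name=pppoe-pool ranges=10.200.0.2-10.200.0.254

# Profile: router side of every tunnel is 10.200.0.1, client side from the pool.
/ppp profile
add name=pppoe-profile local-address=10.200.0.1 remote-address=pppoe-pool

# One secret per subscriber; replace the placeholder passwords before use.
/ppp secret
add name=clientA password=CHANGE-ME-A service=pppoe profile=pppoe-profile
add name=clientB password=CHANGE-ME-B service=pppoe profile=pppoe-profile

# PPPoE server listening on the bridge; one session per MAC address.
/interface pppoe-server server
add service-name=isp interface=bridge1 default-profile=pppoe-profile one-session-per-host=yes disabled=no

# As the reply says, bridge1 itself carries no IP address in this design, so
# plain IP traffic on the LAN has no router to reach; only PPPoE sessions do.
# Verify live sessions and their assigned addresses with:
/ppp active print
```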
No, client should not ‘get in’, if interface user is connected has ‘reply-only’.
If your users are able to ‘get in’, make sure the latest version is used on your RouterOS and contact support (support@mikrotik.com) with the support output file attached and a description of your problem.