Rogue router

Hello.

I know how to block users from accessing the internet if they are not in the MAC address list and/or don't have an IP from the DHCP server. But what if some users bring their own router and clone the MAC address of a registered PC?

We have this problem with some users who use a router and give the connection to friends (not registered). Only one comes to register and then many people have internet.

Is there any solution for how to detect those people (or routers) and block them?

I guess not. They are behind NAT and you cannot even detect this, can you?


You would need something like 509.x to accomplish this, thereby requiring all devices to have a valid certificate to be allowed network access, and then simply not issue these to a device that is NAT-capable.

However, this is something normally done in the access switches, not in the routers.

Simple, change the TTL of the packet to 1 in the mangle rules.

/ip firewall mangle
add action=change-ttl chain=forward in-interface=<WAN INTERFACE> new-ttl=set:1 passthrough=no

That way, when a packet flows through their router, the router decrements the TTL by 1. It will then see the TTL has reached 0, drop the packet, and never deliver it out of its LAN port.

You forgot to add: and cross your fingers that these users don't use a MikroTik router to increment the TTL :smiley:

Regards,
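The TTL trick above works in the blocking direction; the same decrement can also be used for detection on the LAN side. The following is an added example (not code from the thread or from MikroTik) that scans constructed packet records of (source MAC, source IP, TTL) as seen on the access router and flags MACs whose packets look like they passed through an extra hop. The initial TTL set (64, 128, 255) and the sample MACs are assumptions for illustration.

```python
# Added example (not from the forum thread): a defender-side heuristic that
# spots hosts likely sitting behind an unregistered NAT router by looking at
# the IP TTL of packets arriving on the access router's LAN interface.
# A directly connected host sends packets with its OS's initial TTL
# (commonly 64, 128 or 255). A NAT router in between decrements it once per
# hop, so TTL 63/127/254 means at least one extra router on the path.
from collections import defaultdict

INITIAL_TTLS = (64, 128, 255)  # common OS defaults; assumption, not exhaustive

def hop_distance(ttl):
    """Guess hops between sender and observer from the nearest initial TTL
    at or above the observed value. Returns None for an impossible TTL."""
    candidates = [t for t in INITIAL_TTLS if t >= ttl]
    if not candidates:
        return None
    return min(candidates) - ttl

def find_nat_suspects(packets):
    """packets: iterable of (src_mac, src_ip, ttl) seen on the LAN side.
    Returns {mac: reason} for MACs that look like NAT routers."""
    ttl_by_mac = defaultdict(set)
    for mac, _ip, ttl in packets:
        ttl_by_mac[mac].add(ttl)
    suspects = {}
    for mac, ttls in ttl_by_mac.items():
        distances = {hop_distance(t) for t in ttls} - {None}
        if any(d >= 1 for d in distances):
            suspects[mac] = "TTL decremented: extra router between host and port"
        elif len(ttls) > 1:
            # Weaker signal: two OS default TTLs behind one MAC. A router that
            # rewrites TTL (as the last reply jokes) hides the decrement, but
            # not the mixed fleet behind it. Dual-boot PCs also trigger this.
            suspects[mac] = "several initial TTLs behind one MAC: mixed OS fleet"
    return suspects

# Constructed sample: a Linux PC, a Windows PC, one cloned MAC forwarding for
# a Windows laptop and a phone behind a NAT router, and one MAC whose router
# preserves TTL but still fronts two different operating systems.
SAMPLE = [
    ("aa:bb:cc:00:00:01", "10.0.0.11", 64),
    ("aa:bb:cc:00:00:02", "10.0.0.12", 128),
    ("aa:bb:cc:00:00:03", "10.0.0.13", 127),
    ("aa:bb:cc:00:00:03", "10.0.0.13", 63),
    ("aa:bb:cc:00:00:04", "10.0.0.14", 64),
    ("aa:bb:cc:00:00:04", "10.0.0.14", 128),
]

if __name__ == "__main__":
    for mac, why in find_nat_suspects(SAMPLE).items():
        print(mac, "->", why)
```

In practice you would feed this from a packet capture or a firewall log that records TTL; the output is a list to investigate, since VPN clients and dual-boot machines can produce the same pattern.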