Virtual MikroTik with Cain&Abel simple PPPoE attack

Dears

I have a problem with my PPP server: it is easily attacked by using a sniffer program like Cain&Abel and a copy of the MikroTik OS installed on a virtual machine on the attacker's PC, and they can see the username/password of the online users and then simply use it.

I have upgraded the router to 5.7 and enabled PPP encryption. Yes, the encryption fixed the sniffing of the PPP users, but the attacker got my MikroTik interface MAC address and configured it on his virtual one.

I would appreciate any idea to solve this issue.


Regards

It sounds like you’ll need to set up layer 2 security then, basically isolate each end user from each other: client isolation on the access points (default forwarding turned off on MT radios), and port isolation or VLANs on switches. Depending on your CPEs you might be able to set up firewalls to prevent things like that too. A router cannot prevent people from talking to each other over a layer 2 network; it can only control the traffic that flows over it. That means you need to set up your layer 2 network in such a way as to isolate your end users and prevent things like that.

Thanks for your reply. Does EoIP solve this issue?

That question doesn’t make any sense. EoIP doesn’t provide any security. Nowhere on the wiki page for EoIP does it suggest that it would.

Look up the terms Feklar told you about. Google them.

Fewi

My network is: MikroTik router ---- Cisco switch ---- clients. My clients are not end users, only P2P links to resellers. From my side I do isolate them in my main switch, so the users on port 1 do not see the users on port 2, and I also use an EoIP tunnel for each P2P client with a separate PPP server for each one, so that users of client A are not allowed to work on the access point of client B.

The problem is, client A, who is connected to port 1 in my switch, has end users, and those users are able to see each other within their small network. Also, using a managed switch at the client's side will not solve the issue, because he will connect his access point to one port and it will be PtMP, so the end users will see each other.

The questions are:

1- Can I prevent a virtual PC running virtual MikroTik from connecting to my network using my interface MAC address and seeing the end users on their network?
2- The clients use MikroTik + R52H as a PtMP access point; is it possible to isolate the end users in this case?


with my regards

You obviously don’t have port isolation set up if a client is able to set up their CPE or a virtual machine to do that and mess up your network. If you have a managed Cisco switch, then you can do port isolation; that has been a standard feature on them for years.

Port isolation means this: any port that is isolated cannot trade ANY frames with another port that is also isolated. So someone setting up their PC in such a manner would only matter to the person doing it, not to anyone else connected to that switch. This means every port except your uplink ports, or ports that are connected to devices that you want everyone to have access to, should be set up as isolated. If you have control over the access point, as suggested above, turn off default forwarding; then people cannot transfer frames over the radio card itself without explicit rules set up to allow it.

Go and read about “switchport protected” (cisco) and bridge port horizon (MikroTik).
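The two replies above (client isolation on the radio, port isolation on switches, bridge port horizon) put into RouterOS configuration. This is an added example, not configuration posted by anyone in this thread; it assumes a MikroTik PtMP access point with ether1 as the uplink, ether2 as a second client-facing port and wlan1 as the radio, and an ISP-side PPPoE server on the default PPP profile. Interface names and the horizon value are assumptions; adjust them to the real device.

```routeros
# Added example (not from this thread). Assumes ether1 = uplink,
# ether2 = wired client port, wlan1 = PtMP radio; names are assumptions.

# 1) Client isolation on the radio: with default forwarding off, stations
#    can no longer exchange frames through the AP itself.
/interface wireless set wlan1 default-forwarding=no

# 2) Bridge port horizon: ports that share the same horizon value never
#    forward frames to each other, only to ports with a different horizon
#    or with no horizon. The uplink gets no horizon; every client-facing
#    port gets horizon=1, so clients reach the ISP but not each other.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2 horizon=1
/interface bridge port add bridge=bridge1 interface=wlan1 horizon=1

# 3) On the ISP router running the PPPoE server: keep MPPE encryption
#    mandatory so a sniffed session yields nothing usable, and allow only
#    one PPPoE session per client MAC address.
/ppp profile set default use-encryption=required
/interface pppoe-server server set [find] one-session-per-host=yes
```

After applying this, a station on wlan1 should not be able to ping or ARP a station on ether2 or another wireless client, while both still reach the PPPoE server through ether1. The Cisco-side equivalent for the reseller ports on the main switch is `switchport protected` on each client-facing access port, with the uplink port left unprotected.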

Thanks for all, problem fixed.


regards