Ways to secure my network for unauthorized routers

Good day to all!

I would like to ask if somebody has experienced (probably yes) that there are unauthorized routers connected to your network. This issue is becoming a headache for me now. Right now, I am tracing these devices and blocking them using their MAC addresses. But the problem is, there are users that are smart enough to change their MAC address or clone their laptop's MAC address to be used on their router. Is there a way to limit them? This is usually happening for individual subscribers… using a Radius server for authentication, etc.

If you have any other suggestions on securing the network, please share.

Thanks in advance.

Andrew

You could try changing the TTL. But you can also get around this, though it takes a more advanced user to do so. It is worth a try.

You should accept these connections in the Radius server and give one range of IP addresses to them.

hi cbrown,

How would I use the TTL to do this? I am very much interested in trying this; can you give more detailed info please?

hi armivox,

We are doing our DHCP services on the Mikrotik before the users connect to the Radius server. Can you add more details please?

Thanks to both of you.

This is on the router directly connected to your clients. Change the dst-address to your network. This will set the TTL to 2, and when it leaves your router it will be decremented by 1, so when it gets to your client it will be 1 and no further routing will be possible without the client changing the TTL. Most of your users will not be able to fix this.

/ip firewall mangle
add action=change-ttl chain=output disabled=no dst-address=192.168.1.0/24 \
    new-ttl=set:2

“Output” isn’t a good chain to do that in, though. That only contains packets originated by the router, not packets going through the router.

I tend to simply set the TTL to 1 in postrouting (it has already been decremented by the router at this point, so you'd want it to be 1, or it could go one hop behind a customer router).
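To make the chain discussion above concrete, here is a small model of the packet path through the ISP-side router (added example, not code from the thread or from RouterOS): the output chain only sees packets the router itself originates, forwarded packets are decremented and then pass postrouting, and an unauthorized customer router can only forward a packet whose TTL is still above 1. The `Packet`, `isp_router_forward` and `client_router_forward` names are assumptions made for the model.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    ttl: int
    router_originated: bool = False  # True only for traffic the ISP router itself generates


def apply_mangle(pkt: Packet, rules, chain: str) -> None:
    """Apply every change-ttl rule registered for the given mangle chain.
    rules is a list of (chain, new_ttl) pairs, e.g. [("postrouting", 1)]."""
    for rule_chain, new_ttl in rules:
        if rule_chain == chain:
            pkt.ttl = new_ttl


def isp_router_forward(pkt: Packet, rules) -> Packet:
    """Model of the Mikrotik facing the customers.
    - output chain: only router-originated packets pass here
    - forwarded packets: TTL is decremented by normal routing
    - postrouting: every packet leaving the router passes here, after the decrement"""
    if pkt.router_originated:
        apply_mangle(pkt, rules, "output")
    else:
        pkt.ttl -= 1
    apply_mangle(pkt, rules, "postrouting")
    return pkt


def client_router_forward(pkt: Packet):
    """An unauthorized customer router: it must decrement TTL, and a packet
    that would reach 0 is discarded instead of being forwarded."""
    if pkt.ttl <= 1:
        return None
    pkt.ttl -= 1
    return pkt


def reaches_direct_client(rules, initial_ttl: int = 64) -> bool:
    """Does forwarded Internet traffic reach a host plugged in directly?"""
    pkt = isp_router_forward(Packet(ttl=initial_ttl), rules)
    return pkt.ttl >= 1


def reaches_host_behind_client_router(rules, initial_ttl: int = 64) -> bool:
    """Does the same traffic survive one extra hop through a customer router?"""
    pkt = isp_router_forward(Packet(ttl=initial_ttl), rules)
    return client_router_forward(pkt) is not None
```

Running the model with `[("output", 2)]` shows forwarded traffic untouched (the unauthorized router keeps working), while `[("postrouting", 1)]` still serves the directly connected client but stops the extra hop; `[("postrouting", 2)]` lets exactly one hop behind the customer router through, as the post says.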

He's right 🙂