I have an RB951G-2HnD. I used the wifi access list to give access to clients using the MAC addresses of their devices.
Everything was working right.
In the last few days I noticed that some clients disconnect from wifi and make many attempts to connect again.
I found out that someone hacked the wifi password and used their MAC address on his device to connect. How do I know this? I noticed that one of my clients was outside while the wifi registration showed he was connected and had an IP.
I changed the password, but after one day he did it again.
I am losing my clients and bandwidth.
How do I log what is happening??
How do I prevent this??
Update
Netinstall, using LTS (https://mikrotik.com/download/changelogs/long-term-release-tree).
Use WPA2/3 only, AES only, long, complex passphrase, disable PMKID, enable PMF.
Unfortunately WPA3 is only for wifiwave2 capable devices.
Just thinking …
How does the intruder get the password? Change the RouterOS password.
Finding the MAC address is not difficult. It is broadcast all the time. (Use the MT WLAN Sniffer or Snooper to see all of them around.)
Is this just one password for all MAC addresses? Using an access list with entries per MAC address and per-MAC wifi passwords (private pre-shared key) would make it somewhat better.
It might make it possible to find who is leaking his/her (or worse, the common) password.
Set valid operation time limits on these access list entries.
Default access (wrong hours, wrong MAC, signal out of range) on the wifi interface would be the default “no authentication”, or better, lead to a honeypot network (VLAN?).
Restrict the signal strength ranges in the access list to exclude far-away attempts to connect.
Analyse the registration information: any hints on where from, or device characteristics? Log the internet connects; they mostly reveal the device used, based on their internet-accessibility-test sequence.
Set the management protection key (management frame protection) to avoid forced disconnects of the real client device, as used in “deauthentication attacks”.
Use Snooper from different APs to trace and locate the offending MAC address device.
Once the abused MAC is known, do not change the connection password, but slow down that specific connection (again in the access list: AP Tx limit); keep them busy without knowing if successful or not.
… and just one more … give a clear message to the intruder … with the password, or create a honeypot SSID.
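An added example of what the per-MAC access list, management protection and “no default authentication” suggestions above look like as RouterOS commands for the legacy wireless package on an RB951G-2HnD (this is not config from the thread; the interface name wlan1, the client MAC, passphrases, hours and rate limits are placeholders):

```routeros
# Added example, not from the thread. Legacy "wireless" package syntax.
# Placeholders: wlan1, the client MAC, all passphrases, hours and limits.

# 1. Security profile: WPA2-only, AES-only, PMKID disabled, PMF required.
/interface wireless security-profiles
set [find name=default] mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CHANGE-ME-long-random-fallback-passphrase" \
    disable-pmkid=yes management-protection=required \
    management-protection-key="CHANGE-ME-management-protection-key"

# 2. Interface: a MAC with no access-list match is neither authenticated
#    nor forwarded, so every client must have its own entry below.
/interface wireless
set wlan1 security-profile=default default-authentication=no \
    default-forwarding=no

# 3. One entry per client: private PSK (replaces the profile key for this
#    MAC only), allowed hours, minimum signal, and a per-connection data
#    cap in bits per second (AP->client 4 Mbit/s, client->AP 2 Mbit/s).
/interface wireless access-list
add interface=wlan1 mac-address=00:11:22:33:44:55 authentication=yes \
    forwarding=yes private-pre-shared-key="client-A-own-passphrase" \
    time=7h-23h,sun,mon,tue,wed,thu,sat \
    signal-range=-80..120 ap-tx-limit=4000000 client-tx-limit=2000000 \
    comment="client A, placeholder MAC"

# 4. Keep a record of (dis)connections so repeated joins from a spoofed
#    MAC outside the client's hours or signal range can be seen in the log.
/system logging
add topics=wireless,info action=memory
```

Clients that do not implement 802.11w cannot associate while management-protection is set to required; use allowed instead if such devices must keep working.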
In fact I was using one password for all MAC addresses; now I have modified it using the access list with entries per MAC address and per-MAC wifi passwords.
I hope this solves my problem.
I need to know where to “Log the internet connects”.
Also, some wifi clients overcome my queue bandwidth limiting and use the full bandwidth; also, the MK queues do show their real
bandwidth consumption. I do not know how they do this?? (Is this VPN software?)
In fact I was using one password for all MAC addresses; now I have modified it using the access list with entries per MAC address and per-MAC wifi passwords.
I hope this solves my problem.
Should help …
I need to know where to “Log the internet connects”.
That is not an easy one with Mikrotik.
In MT it could be done partially with the firewall and logging. Very important: disable Fasttrack. This is also needed for the queues to work!
Please see: http://forum.mikrotik.com/t/logging-connections-ip-firewall-connections-solved/135209/1
I use the transparent Hotspot function of another brand's router for this user logging.
Otherwise it is done in a free proxy server like “SQUID” (there you not only have the IP address but also the URL used, and can even filter (allow/deny) based on that URL).
Also, some wifi clients overcome my queue bandwidth limiting and use the full bandwidth; also, the MK queues do show their real
bandwidth consumption. I do not know how they do this?? (Is this VPN software?)
Fasttrack will bypass queues and the firewall!
Yet another way is to use the “AP Tx Limit” and maybe even the “Client Tx Limit” as set in the access list rule for that MAC address.
This is the wifi data stream, not only the Internet data stream. It is not about the wifi speed, which remains high, so there is no wifi degradation, but it limits the amount of data per second (in bits!) for that connection.
If the DHCP server is also the edge router to Internet, having a queue created with each IP address lease could be another way of limiting traffic.
I copied this script from this forum into my DHCP server:
# DHCP lease script (runs on every lease bound/unbound event); the DHCP
# server supplies $leaseActIP and $leaseBound. Assumes a parent queue "main" exists.
:local queueName "$leaseActIP";
:if ($leaseBound = "1") do={
    # Lease bound: add a per-client simple queue (2M up / 4M down) unless it already exists
    :if ([:len [/queue simple find name=$queueName]] = 0) do={
        /queue simple add name=$queueName parent=main target=($leaseActIP . "/32") max-limit=2M/4M
    }
} else={
    # Lease released: remove the queue for this IP by name
    /queue simple remove [find name=$queueName]
}
But will probably be using “User Manager” RADIUS attributes to create the queue.
http://forum.mikrotik.com/t/hotspot-and-radius-volume-limit-doesnt-work/153558/1 . However, not as expected, with that “Limit-AT” value set to the MAX rate, not the MIN rate.