hello everyone
i have a real problem with my network which is MAC spoofing.
a lot of people are using MAC changers to access my network
so they are stealing other people's credit on my network.
is there anyway to stop the MAC spoofing and hide the MAC addresses from showing in any MAC scanner ?
i was able to hide them and also hide the nano station from showing in Ubnt discovery without any scripts or rules but i forgot how.
is there any way to solve this problem ?

You need invest in the Mikrotiks, configure them as bridges and give them to the clients to stabilize MAC address base.
Then you can account their traffic using Mikrotik's MACs not clients ones as client will be hidden behind bridges.

Disable client forwarding on WiFi networks and use bridge horizon

I'm sorry but i didn't understand anything
can you give me steps please ? on what should i do or where to go ?
i'm using MikroTik Router RB1100AHx2 and NSM2 for the customers to connect
and i'm using username and password only once to get authorized after that they can login by MAC address.

I'm not sure a band aid based on a response from here is going to solve your problem.

If this is causing you real issues, you need to spend some time thinking about your current strategy and do some research on a number of possible solutions to the security and accountability issues you are facing.

MAC based login is a very insecure way to go. It's ease of use and subsequent ease of abuse is becoming apparent so I would rethink this aspect entirely.

i know my response is not enough but its because i don't really know what to say about my network i began 1 month ago and i don't have that much of information to talk about my network .
i tried to stop the MAC based login but it seems that everyone is enjoying it and they just don't want to login every time they connect to the network
so i think you have to ask me about info and i will answer it because i really don't know where to start and if you can't help it's okay .
my firewall is kinda clean it has some filter's rule but i think they are for logging in and out and redirecting .

Is this a hotspot or what?

yes its a hotspot i think

You are going to need to spend time implementing layer 2 isolation on your network. Basically this is not something that can be done or controlled at the core of your network, you need to do it at the edge of the network, the point that client devices connect. How you do that is up to you and depends on your network equipment that you have installed and what it is able to do. Your ultimate goal is to stop client to client communication over layer2, this is a network design problem.

If you need to maintain a layer2 network, here are some steps.

The first line of defense is going to be disabling forwarding on your wireless interfaces. Mikrotik calls this "default forwarding", other manufacturers call it something else. But the basic idea is the same, not allowing devices connected to the wireless network talk to each other over the wireless network.

The next step is deciding how you want to isolate hosts on your switches. This can typically be done through VLANs or port isolation on switches. Port isolation works by telling the switch what ports traffic is allowed to be forwarded to.

Both of these things need not change how your clients connect today and use the system today, but will greatly increase security, and will help with your problem. This doesn't prevent someone from grabbing the MAC address by using a wireless sniffer and grabbing it from the air, but does prevent someone from grabbing a MAC address from another part of the network.

If your current equipment doesn't support these kinds of things, then you will need to budget for network upgrades that will allow you to do so.

i already read about all of that but no one is giving steps like open here, write this. add this to firewall, they are all talking about layer2 and to be honest i dont even know where is this layer2 or how to reach it.
by the way im using nano station M2 with XM.v6.0.7 version , and RB SXT 5nD r2 as a receiver,
does these equipment support the ip isolate ?

You should probably consider switching to PPPoE instead of hotspot if you have such rampant issues with end-user abuse.
Another option to experiment with would be cookie logins.

Unfortunately, there is nothing much you can do to stop devices from MAC spoofing. Client isolation won't completely fix this issue. The only thing this would do is give your network a small amount of defense against unskilled users easily monitoring network traffic for other MAC addresses on the network.

Layer 2 refers to ethernet / wifi devices (as opposed to routers) - MAC addresses are part of this layer 2 and a router (which is layer 3) cannot really do much about spoofed MAC addresses. Layer 2 security requires devices that have such features - ethernet switches and WiFi access points are the devices which would have such features, and not a router such as your Mikrotik.

If your access is strictly wifi-based, then you should set up a lab and implement username/password for connecting to the WiFi itself. That would be the best solution IMO.

yes i kinda understand now and yes its wifi-based .
there are a lot of routers that you can't connect to when your MAC is changed it will always say that the wifi password is wrong even if its right.
can we use that feature in Nano station ?
it will be like the best thing to stop spoofing

yes i kinda understand now and yes its wifi-based .
there are a lot of routers that you can't connect to when your MAC is changed it will always say that the wifi password is wrong even if its right.
can we use that feature in Nano station ?
it will be like the best thing to stop spoofing

I think your lack of knowledge in regards to the OSI Model https://en.wikipedia.org/wiki/OSI_model and how to use it to understand your issues and mitigate the problems they present is the first thing you need to address, until you do, even following steps here may not produce the results you are expecting and could even make things worse as you don't understand what going on.

You need to build yourself a lab (a small scale version of what your running in the field) and spend some time learning the basics, slowing increasing the complexity of the setup and configuration so that you can gain a clear understanding of whats happening, why and how to make the changes you need, but, also, how to debug a setup when it's not performing as expected.

Start by learning the various layers of the OSI model and what part they play within each piece of network equipment. (Difference between routing, switching, bridging etc. IP's, MAC's, MTU, TCP, UDP... The list goes on)

Then spend some time working through examples in the Mikrotik Wiki and from elsewhere on the Internet. YouTube also has many good videos to learn from.

Take a look at GNS3 https://www.gns3.com/

It's easy to say, give me the answer, but, there's no point if you don't understand the solutions that are given or how to apply them to your setup without breaking anything else.

If you have more knowledge, at least if you don't fully understand the solutions given to begin with, you'll be better equipped to analyse them and see what's going on, test it in a lab setup and learn what's going on and how it can be used.

There's no way to stop MAC Spoofing, but you can minimise chances of people scanning your network to collect MAC's which they can then use for spoofing. This doesn't stop people from sharing MAC's with each other in order to abuse your network though.

Ultimately that's not going to solve your problem.
Your problem stems from using MAC's as a means of authentication. It's flawed.
Various online articles have existed for over a decade warning against the pitfalls of using MAC address's for access control (example http://www.techrepublic.com/article/the ... filtering/).

There area limited number of instances where the use of MAC's can be useful, but never in a network facing a public domain.

everything you have said is true i do lack tons of knowledge and i don't know where to start
and i don't even know my own network that much so i have to learn as you said but can you give me more links about the basics please

The first thing you should do is re-read every reply you've had in this thread and make a list of all the terms you don't understand. Take each one you don't understand and Google it. Write down some notes about what you find to help cement your knowledge.
Nobody is paid to post on these forums and having to spoon-feed somebody who won't help themselves is tedious and unrewarding, and you will find that the number of replies to your requests for help dwindle.
Like ebreyit says you need to build a lab and test out some different scenarios.

there is no way you can stop some one from spoofing mac address as long as he have some device is mac address thats active user on your hotspot and he have rooted phone, but what you can do is prevent wifi scanners from showing your clients,s mac addresses by changing the network prefix lenghth from 24 to 32
from your winbox settings go to
IP
DHCP SERVER
choose NETWORKS
make the gateway 2.2.2.2
netmask 32
then apply

method two
when a client connect to your hotspot the system will show you the mac address of the device, ip and the host name so as we know if some one steal other client is mac you still can find out by the hostname of the device for example if he spoofed 3 different clients the dhcp server will list those three macs with the same host name unless he is very genius and found a way of spoofing hostnames too.
ok lets get to the point there is a script you put into the new terminal what this script do is scans all the hostnames every 20 seconds if one of them is duplicated it automaticly cicks that bad hostname so the hacker can have access for maximum 20sec before he gets cicked out, i hope it will solve your problems

the acript
# use global hacklist variable
#:log info ($hacklist)
:foreach host in $hacklist do={
:foreach i in= [/ip dhcp-server lease find host-name $host] do={
:local ipnum [/ip dhcp-server lease get $i address]
:local unum [/ip hotspot active find address $ipnum]
:if ([:len $unum] >0) do {
:local usr [/ip hotspot active get $unum user]
:log warning ($host . " " . $ipnum . " " . $usr)
#next line kick them out right now, could also check pppoe
/ip hotspot active remove $unum
#other stuff can do now with the identified IP and USER
}

what you can do is prevent wifi scanners from showing your clients,s mac addresses by changing the network prefix lenghth from 24 to 32

MAC addresses are not encrypted on wifi. You can confirm this yourself with a tool like Kismet, eg:

https://lh6.googleusercontent.com/VjbpX ... m3dBEvwZ60

what you can do is prevent wifi scanners from showing your clients,s mac addresses by changing the network prefix lenghth from 24 to 32

MAC addresses are not encrypted on wifi. You can confirm this yourself with a tool like Kismet, eg:

https://lh6.googleusercontent.com/VjbpX ... m3dBEvwZ60

wifi scanners scans for the ip range therefore if you prevent it from showing ip addresses mac addresses wont be listed too

One can still do ARP requests as that is a layer2 function, and need not involve the IP addresses, also if someone just sniffs for wireless traffic they can still grab MAC addresses out of the air. So your solutions will only slow down someone that has a basic knowledge of what is going on, not really preventing anything.

Also by someone duplicating a MAC address, it still causes problems for the real host regardless if you block the offender from gaining access to the internet for a short time.

ok why dont you provide us with a better solutions then?

ok why dont you provide us with a better solutions then?

Check earlier in the thread where layer2 isolation on the wireless access is talked about, along with VLANs and port isolation on switches. There is also enabling WPA2 encryption on wireless assuming that you are in a situation that you can get away with that.

A router is a router, a layer 3 device, it cannot control traffic that does not flow over it. When you are talking about computers talking to each other, i.e. spoofing MAC addresses of legitimate users, that is all happening on layer2, and it does not need to involve a router to happen. So you need to control it on the devices that handle that specific traffic the best you can.

It is not a router issue, it is a network design issue.

wifi scanners scans for the ip range therefore if you prevent it from showing ip addresses mac addresses wont be listed too

I think you are confused. I linked to a screenshot of a wifi scanner by the name of "kismet", a tool I have used myself [you can also verify this easily enough, because it - amongst other, similar tools, no doubt - is free to download and use]. That screenshot shows the MAC addresses of devices connected to an encrypted wireless network.

You cannot hide MAC addresses of wireless clients, so any scheme that relies for it's integrity on MAC addresses being secret, is doomed to failure.

ok why dont you provide us with a better solutions then?

Scroll up.

What about using PPPoE.
Then every user need to configure their client with a username/password.
Off course someone can give login information to other people.

Off course someone can give login information to other people.

...which is an improvement on "other people" just taking your login without you knowing about it!

Given the choice between PPPoE and WPA2-enterprise, I'd choose the latter because access to the WiFi network is controlled at the front door by AAA. It still cannot stop MAC spoofing but at least the spoofing client must possess active credentials to join the network before being naughty, and those can be disabled / changed centrally. PPPoE will end up being a protection for layer 3 but still uses MACs as well, ostensibly on an open WiFi network that goes nowhere w/o PPPoE, but bad actors can still cause issues in this scenario.

Not sure if darkoknght only uses Wifi, but if so, I agree that WPA2 enterprise is a good solution.

Why you don't think to use dhcp-server with adding arp for static leases without arp requests from clients? If its wi-fi, disable default forwarding.

Why you don't think to use dhcp-server with adding arp for static leases without arp requests from clients? If its wi-fi, disable default forwarding.

This will not stop MAC spoofing. This is a method to enforce the use of DHCP on the LAN, and disabling default forward blocks the clients from direct east-west communication at layer 2, but doesn't do anything to prevent MAC spoofing.

Why you don't think to use dhcp-server with adding arp for static leases without arp requests from clients? If its wi-fi, disable default forwarding.

This will not stop MAC spoofing. This is a method to enforce the use of DHCP on the LAN, and disabling default forward blocks the clients from direct east-west communication at layer 2, but doesn't do anything to prevent MAC spoofing.

You're right. What would you do?

scroll up..... and see that I would go with WPA2-Enterprise
i.e. AAA-backed per-user authentication
That STILL doesn't stop the endpoint's ability to spoof MAC addresses but at least you can disable the account of anyone caught doing it and that device won't be able to join the network.

At the end of the day, there's nothing you can do to prevent a device from spoofing its MAC. If it chooses to lie, then it's going to tell lies. The only thing you can do is limit the ability to attach to your network.

scroll up..... and see that I would go with WPA2-Enterprise
i.e. AAA-backed per-user authentication
That STILL doesn't stop the endpoint's ability to spoof MAC addresses but at least you can disable the account of anyone caught doing it and that device won't be able to join the network.

At the end of the day, there's nothing you can do to prevent a device from spoofing its MAC. If it chooses to lie, then it's going to tell lies. The only thing you can do is limit the ability to attach to your network.

How about segment the network in few small int different interfaces and filter hosts in terminating points by src-mac?

How about segment the network in few small int different interfaces and filter hosts in terminating points by src-mac?

Okay - so I'll take my laptop there, unplug the expected device, note its MAC address (which I can ultimately learn by plugging my laptop directly into the "mac-verified" device's ethernet card and using wireshark to sniff the packets it sends, noting the SRC MAC) and then set my laptop to spoof that MAC and plug into the network in the same spot.

What then?

How about segment the network in few small int different interfaces and filter hosts in terminating points by src-mac?

Okay - so I'll take my laptop there, unplug the expected device, note its MAC address (which I can ultimately learn by plugging my laptop directly into the "mac-verified" device's ethernet card and using wireshark to sniff the packets it sends, noting the SRC MAC) and then set my laptop to spoof that MAC and plug into the network in the same spot.

What then?

How you sniff the traffic of other devices if they are in another broadcast domain? Your network ends on terminating interface.

How you sniff the traffic of other devices if they are in another broadcast domain? Your network ends on terminating interface.

I go to the other device physically - pull its cable out and sniff it from a direct connection to the device. Then I connect into its port and go online with that MAC from its port.
The point is that even east/west isolation doesn't stop the ability to spoof MAC addresses, if that's your goal.
MAC-based security is broken, which was the original point of this thread.

How you sniff the traffic of other devices if they are in another broadcast domain? Your network ends on terminating interface.

I go to the other device physically - pull its cable out and sniff it from a direct connection to the device. Then I connect into its port and go online with that MAC from its port.
The point is that even east/west isolation doesn't stop the ability to spoof MAC addresses, if that's your goal.
MAC-based security is broken, which was the original point of this thread.

The point is isolate the clients from each other any way. Segmentation in subnets is solution.

The point is isolate the clients from each other any way. Segmentation in subnets is solution.

I'm not saying client isolation is bad. I'm just saying that doesn't help in the OP's problem.

OP's problem is that wireless clients are spoofing the MAC addresses of other customers to have their traffic billed to other customers.
In a wireless environment, be it open or shared key, it is trivial to sniff the air for other users' traffic to learn MAC addresses and spoof them.
wpa2-enterprise authentication solves the issue in two ways:
1) billing is done based on higher-layer authentication so MAC spoofing won't help leeches
2) if a client DOES spoof another's MAC, then the password of the spoofer can be disabled

Of course the approach depends a lot on the actual problem at hand. When you have a problem with unknown/anonymous attackers who sniff for a valid MAC address then change their own AP to that MAC, and the response is to disable usage of that MAC, an innocent (and paying) user of the network will be locked out and he did not do anything wrong.
When the actual problem is that users hand out their credentials to others, of course it is a valid approach to disable them.
(assuming the terms of service disallow that action)

Radius AAA then.