Weird, so you have a bunch of users that are scanning ports on your LANS?
I dont see this as a problem because By being on the LAN they can access all the IPs on a LAN, as they are on layer 2, so there is no real expectation of security other than what you put on each PC for firewall or AV.
However if you have different subnets, put them on different interfaces and then use FW rules to block subnet to subnet traffic.
that users who use scan apps can get another users mac addresses then copy it and access in free internet cuz i use hotspot server and use 1 dhcp server
thats why am asking if there someway to block scan apps
my idea is if there a way to get the user who is using scan app then block his first main mac address be4 get any mac or his scan app work ... thats my idea and need some1 expert can apply it in some rules