sorry for my bad english....

i have noticed in hotspot/hosts lots of public ip addresses with the same MAC address as one local user and i wondering maybe i configured something wrong in my MT or hotspot. ROS 3.15. Screenshot atached

Greetings!

Is the mac address 00:17:31:56:85:28 another wireless AP connected to the system, or is it one of your clients? If it is a client, then it appears he may be letting friends/family/neighbors share his connection. He may not know he is doing it.
Why did the device with that mac address get bypassed?

Hotspot functions at both the MAC and IP layer. The issue is more commonly found when you have some form of Router, behind your hotspot. In this case, MAC bypasses really don't work well, as the MAC is the MAC of the router. course as you see, you get multiple IPs behind the same MAC.

This is not an issue, but, you loose some security, epically if you are bypassing IPs. Your only security you have is via the IP layer, not the mac, so you allow the IP not the mac really. If a client changed their IP to one that is bypassed, they would get on-line without any issues.

I would suggest to fix this, to move the hotspot to the AP or router that you have. I also suggest only allowing a FEW IPS from each MAC, such as 2-3. However, with that said, we have seen Motorola CPEs, translate all MACs into its MAC, even though their are many clients. So, ..

Greetings!

Is the mac address 00:17:31:56:85:28 another wireless AP connected to the system, or is it one of your clients? If it is a client, then it appears he may be letting friends/family/neighbors share his connection. He may not know he is doing it.
Why did the device with that mac address get bypassed?

It is one of my clients and he gets bypassed only temporary because I'm still new to MT ROS and trying different situations

another question from hotspot would be why "To Address" is different from "Address". It seems like it happens randomly to hosts, and when it happens they lost connectivity

If your client does not request a new IP when he/she connects, the hotspot will do a one-to-one NAT. The 'Address' is the IP the client is using, and the 'To Address' is the address the hotspot is translating that IP to.

If your client does not request a new IP when he/she connects, the hotspot will do a one-to-one NAT. The 'Address' is the IP the client is using, and the 'To Address' is the address the hotspot is translating that IP to.

But how my client should request new IP? He is using static IP(DHCP is impossible because there is another DHCP servers on the network). And when IP is translated clients are unable to access internet

If your clients are static IP, then I would bypass your clients by IP, rather than by MAC. If he/she is always assigned 192.168.21.34, then bypass that IP.

If your clients are static IP, then I would bypass your clients by IP, rather than by MAC. If he/she is always assigned 192.168.21.34, then bypass that IP.

But if i bypass that IP then i am unable to control rate limit using user profiles. And hotspot is only needed for this: http://wiki.mikrotik.com/wiki/How_to_Block_Customer