 
hi4ibb
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jan 18, 2016 4:36 pm

Mikrotik is very bad in network Solutions. why ?

Sat Apr 02, 2016 12:44 am

hi all,

Let's speak frankly, 6 years ago and MikroTik system did not find any solution to that problem, I saw a number of topics to speak on the same problem and MikroTik company did not provide any solution.

Five months ago, and I'm looking for a solution to this problem, but there is not, and I do not think it's the big problem for company..

I have a wireless network, to share internet, and I suffer from the problem of theft of MAC address in networks by scan IP software which caused the separation in Access Point devices, I tried a lot search for a solution, and I can not find any solution so far, so that MikroTik company did not try to put a general topic to resolve this problem. Why why why???

I am very tired, and MikroTik doesn't have ears.

Please give us solution?
 
SystemErrorMessage
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: Mikrotik is very bad in network Solutions. why ?

Sat Apr 02, 2016 1:14 am

Are the MAC addresses being stolen from other clients or from your network devices like the AP or router for example? Normally using hotspot/RADIUS can prevent it but it also requires the server to reset the session if there is a confusion if a client's MAC gets stolen. Most importantly don't run your AP without encryption, using AES WPA2 can help against scans and AES WPA2 Enterprise (requires RADIUS) is a lot better.
 
hi4ibb
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jan 18, 2016 4:36 pm

Re: Mikrotik is very bad in network Solutions. why ?

Sat Apr 02, 2016 1:24 am

> Are the MAC addresses being stolen from other clients or from your network devices like the AP or router for example? Normally using hotspot/RADIUS can prevent it but it also requires the server to reset the session if there is a confusion if a client's MAC gets stolen. Most importantly don't run your AP without encryption, using AES WPA2 can help against scans and AES WPA2 Enterprise (requires RADIUS) is a lot better.

No, I can't use WPA2, because it is a public network. I mean I am sharing internet by using hotspot server, login page with username and password, that means AP is without encryption and clients have IP scan software that make scan for my network and find MAC of people and steal their MAC, do you understand me?
 
SystemErrorMessage
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: Mikrotik is very bad in network Solutions. why ?

Sat Apr 02, 2016 1:31 am

In your case there's nothing to prevent scanning the wireless network and unencrypted wifi isn't a good idea. Consider a 2 layer authentication, first is to use RADIUS with WPA2 (public login), 2nd is to authenticate them further with hotspot. Apply isolation for RADIUS so that clients can't communicate with each other directly (force layer 3 routing).

Mikrotik has layer 2 which is very useful to do all sorts of things (very useful for me for other reasons) but you won't find tutorials on configuring layer 2, the layer 2 firewall is a niche area and many other brands don't even have layer 2 configurability.
 
hi4ibb
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jan 18, 2016 4:36 pm

Re: Mikrotik is very bad in network Solutions. why ?

Sat Apr 02, 2016 1:44 am

> In your case there's nothing to prevent scanning the wireless network and unencrypted wifi isn't a good idea. Consider a 2 layer authentication, first is to use RADIUS with WPA2 (public login), 2nd is to authenticate them further with hotspot. Apply isolation for RADIUS so that clients can't communicate with each other directly (force layer 3 routing).
>
> Mikrotik has layer 2 which is very useful to do all sorts of things (very useful for me for other reasons) but you won't find tutorials on configuring layer 2, the layer 2 firewall is a niche area and many other brands don't even have layer 2 configurability.

The only thing I know, there is no problem in this world without solution, it is not the last theory in physics which links the relativity theory with quantum theory, but MikroTik doesn't have ears, or maybe this easy problem made MikroTik feel embarrassed, because it means weak capabilities of MikroTik in networking solutions
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Mikrotik is very bad in network Solutions. why ?

Sat Apr 02, 2016 2:01 am

As long as you are running an open wifi public network, you will never have a solution. Blaming MikroTik is not your answer. There is no way to prevent someone from trying to hijack a MAC on a wifi network. Anyone with a stronger signal can do it, and there is no way for you to stop them.

If you need a better WiFi solution, I would recommend you buying a Cisco managed system, rather than using a router.
 
SystemErrorMessage
Member
Posts: 383
Joined: Sat Dec 22, 2012 9:04 pm

Re: Mikrotik is very bad in network Solutions. why ?

Sat Apr 02, 2016 2:36 am

Solution - apply layer 3 networking. This problem isn't limited to Mikrotik but to every manufacturer.

There is a solution for APs now that is isolation feature. See if your APs have them and if you have Mikrotik AP then this feature has to be applied manually (via rules and layer 2).

There's nothing any brand can do against a weak point. If one of your APs allows scanning and such this isn't Mikrotik's fault if the AP isn't Mikrotik because even with good layer 2 security your AP will still leak information regardless.
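
An added example, not part of the original post and not MikroTik's own code: a check that the manual isolation described above has actually been applied, run over an exported configuration. It assumes isolation is done with the RouterOS wireless `default-forwarding` setting and bridge port `horizon`; the export text and all interface names are constructed.

```python
import re

# Constructed sample in the style of RouterOS `/export` output (interface,
# bridge and SSID names are assumptions). A compact export omits defaults, so
# a missing default-forwarding means "yes" and a missing horizon means "none".
SAMPLE_EXPORT = """\
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=Public default-forwarding=no
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge ssid=Public
/interface bridge port
add bridge=bridge-hs interface=wlan1 horizon=1
add bridge=bridge-hs interface=wlan2
add bridge=bridge-hs interface=ether2 horizon=1
"""


def parse_export(text):
    """Yield (section, properties) for each add/set line of an export."""
    section = None
    # Long export lines are wrapped with a trailing backslash; rejoin them.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith(("add ", "set ")):
            yield section, dict(re.findall(r"([\w-]+)=(\S+)", line))


def audit_isolation(text):
    """Return findings for wireless interfaces that still pass client-to-client L2 traffic."""
    wireless, horizon = [], {}
    for section, props in parse_export(text):
        if section == "/interface wireless":
            name = props.get("name") or props.get("default-name")
            wireless.append((name, props.get("default-forwarding", "yes")))
        elif section == "/interface bridge port":
            horizon[props.get("interface")] = props.get("horizon", "none")
    findings = []
    for name, forwarding in wireless:
        if forwarding != "no":  # the AP relays frames between its own clients
            findings.append(f"{name}: default-forwarding={forwarding}, clients on this AP can reach each other")
        if horizon.get(name) == "none":  # the bridge forwards to every other port
            findings.append(f"{name}: bridged without horizon, clients on other bridge ports are reachable")
    return findings


if __name__ == "__main__":
    for finding in audit_isolation(SAMPLE_EXPORT):
        print(finding)
```

Isolation only limits client-to-client scanning through the AP and bridge; as other replies in this thread point out, it does not stop someone from capturing frames off an open network and cloning a MAC.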
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: Mikrotik is very bad in network Solutions. why ?

Sun Apr 03, 2016 6:57 am

As for Ethernet and TCP/IP networking - there is no cure for L2 vulnerabilities, making stack "broken by design" by USA authority/agencies purposely to exploit that for years.
That's why following 802.1x-2010 extensions pushed to market by relevant SIG and consortium (include most networking vendors across globe).
But technically-speaking present implementations of MacSec and PortSec (as well as other extensions and app to 802.1x-2010) - hardware-dependent on newer PHY/Interfaces, "built from scratch" to support it.
Bottom line: it's not "vendor-specific" thing and affect ALL networking gear. Nearly 99% of it.
So far ARP and NDP "broken by design" and unusable/insecure regardless gear you use.
 
docmarius
Forum Guru
Posts: 1222
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania

Re: Mikrotik is very bad in network Solutions. why ?

Sun Apr 03, 2016 10:18 pm

Open access means exactly that: It is open. And you want open access without being open...
If MAC spoofing could be prevented on unauthenticated access, then we wouldn't need authentication.
The fact that we have that means it can not be prevented without it.
And since you don't use it, it is not MT's fault that open access is, well, open, exactly as you request it.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Mikrotik is very bad in network Solutions. why ?

Mon Apr 04, 2016 3:39 am

If you have open and unencrypted wireless, then there is absolutely nothing you can do to stop malicious abuse of your LAN - everything that goes on the network is broadcast in the clear for anyone with an antenna to capture and analyze.

And think of this - how does an access point know who sent a transmission? If someone sets their device to spoof a MAC - the only thing the AP can see is a radio signal with a MAC address that it claims to come from.... If a malicious user has spoofed a MAC, then there's nothing you can do in an un-authenticated network, but trust that they're not lying. It's not like the AP can recognize a client radio's voice or anything... ;)
 
Pea
Member Candidate
Posts: 233
Joined: Fri Jul 17, 2015 11:07 pm
Location: Czech

Re: Mikrotik is very bad in network Solutions. why ?

Mon Apr 04, 2016 6:52 pm

> It's not like the AP can recognize a client radio's voice or anything... ;)

nice one :mrgreen:
 
libyatik
Frequent Visitor
Posts: 51
Joined: Wed Jun 28, 2017 4:31 am

Re: Mikrotik is very bad in network Solutions. why ?

Sat Jul 29, 2017 9:06 am

viewtopic.php?f=2&t=124038
block ip scanner with no false alarms 100%
