heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

please help

Mon Jan 03, 2011 3:12 pm

There is a fact in the MikroTik system that says:
"If the user has IP address specified, only one simultaneous login is allowed. If the same credentials are used again when the user is still active, the active one will be automatically logged off."

How can I change that?
I mean that when the client is active and another one logs in, he can't log in, or the system asks him for a user name and password.

This is to limit MAC spoofing.
If there are other ways to limit MAC spoofing, please help me.
Thanks in advance.
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: please help

Tue Jan 04, 2011 3:05 pm

1) Control physical access to your network;
2) Use smart switch to protect your local network;
3) Use PPPoE, when higher security is necessary.
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: please help

Wed Jan 05, 2011 3:07 am

> 1) Control physical access to your network;
> 2) Use smart switch to protect your local network;
> 3) Use PPPoE, when higher security is necessary.

OK, thanks for paying attention.
How can I control physical access to my network (please give some details)? v3.3 MikroTik
How can I use a smart switch to protect my local network?
How will this help?


thanks in advance
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: please help

Wed Jan 05, 2011 8:45 am

> How can I control physical access to my network (please give some details)? v3.3 MikroTik

The way users are connected to your switches is what gives them access to the network and the ability to run Netcut.

> How can I use a smart switch to protect my local network?

When the network is wired, a smart switch could control per-port MAC-address access.
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: please help

Wed Jan 05, 2011 12:05 pm

OK, I see what the physical part is.

Now I don't understand smart switching and how I can carry it out in MikroTik; please give some details.

Thanks
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: please help

Wed Jan 05, 2011 12:25 pm

> When the network is wired, a smart switch could control per-port MAC-address access.

Really, I may have reached it.
Are there really wired switches that control and specify the MAC address per port?
What are the names of these switches (types)?
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: please help

Wed Jan 05, 2011 1:14 pm

Router has nothing to do with it, unless clients are not attached directly to the MikroTik ports.
By the "switch" I mean the terminating devices, where end-clients are connected directly.
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Wed Jan 05, 2011 3:44 pm

OK, that is wonderful.
I have to buy these switches; it will be very, very useful, thanks a lot.
It will limit MAC spoofing to some extent.

Can wireless access points do the same?
By using WEP or other coding methods?

Does that help?
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: please help

Wed Jan 05, 2011 7:00 pm

any ideas....??
 
Feklar
Forum Guru
Posts: 1726
Joined: Tue Dec 01, 2009 11:46 pm

Re: please help

Wed Jan 05, 2011 8:29 pm

You have to look at what the access point supports to determine that. What you are looking for in that case is often called Station Separation, or Layer2 Isolation, etc. etc. etc. Most manufacturers are going to have their own name for the same thing. MikroTik calls it default forwarding on their wireless cards. One very important thing to keep in mind here with wireless is that this will not necessarily stop someone sniffing the wireless traffic. Since the traffic is being broadcast in clear text if there is no encryption going on between the client and the AP, anyone that is in range can listen in on this traffic. All it is doing is preventing an end user from connecting to and talking to another computer over the network itself.

As for the switch, you are looking for a decent managed one. You are more specifically looking for one that supports port isolation, VLANs, and layer 2 security features such as ARP and DHCP inspection. Port isolation on a Cisco is run by "switchport protected"; on 3Com switches, if they support it, it is "port isolate". The basic concept here is that any traffic coming in on this port cannot go out of any other port than the uplink port, i.e. the only port not in protected mode. We extensively use the 3Com 4500 series of switches for their price point and the features.
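
A simplified model of the two switch-side controls discussed in this thread, per-port MAC binding and port isolation, added here as an illustration; it is not part of any post and not any vendor's implementation. The class, port names and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field

UPLINK = "uplink"  # hypothetical port name: the one port toward the router


@dataclass
class AccessSwitch:
    """Toy model of a managed access switch (assumption, not vendor code)."""
    protected: set                                  # ports in protected/isolated mode
    bound: dict = field(default_factory=dict)       # port -> the one MAC allowed on it
    violations: list = field(default_factory=list)  # (port, mac) pairs that were refused

    def ingress(self, port, src_mac, dst_port):
        """Return 'forward' or 'drop' for a frame arriving on `port`."""
        src_mac = src_mac.lower()
        if port != UPLINK:
            # Per-port MAC binding: the first MAC seen on a port is bound to it,
            # and a MAC already bound elsewhere cannot be claimed from another port.
            owner = next((p for p, m in self.bound.items() if m == src_mac), None)
            if port not in self.bound and owner is None:
                self.bound[port] = src_mac
            elif self.bound.get(port) != src_mac:
                self.violations.append((port, src_mac))
                return "drop"
        # Port isolation: a protected port may only send toward the uplink.
        if port in self.protected and dst_port != UPLINK:
            return "drop"
        return "forward"


def demo():
    """Run constructed frames through the model; return decisions and violations."""
    sw = AccessSwitch(protected={"p1", "p2", "p3"})
    decisions = [
        sw.ingress("p1", "00:11:22:33:44:55", UPLINK),  # client A, own MAC
        sw.ingress("p2", "66:77:88:99:AA:BB", UPLINK),  # client B, own MAC
        sw.ingress("p2", "00:11:22:33:44:55", UPLINK),  # port p2 presents A's MAC
        sw.ingress("p2", "66:77:88:99:aa:bb", "p1"),    # B tries to reach A directly
        sw.ingress("p3", "00:11:22:33:44:55", UPLINK),  # unused port presents A's MAC
    ]
    return decisions, sw.violations


if __name__ == "__main__":
    print(demo())
```

The refused frames never reach the uplink, so the router behind it only ever sees each MAC from the port it was bound to; the `violations` list is what a switch would report as port-security events.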
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: please help

Wed Jan 05, 2011 8:45 pm

That is good.

Thanks a lot
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: please help

Thu Jan 06, 2011 9:28 am

I would recommend a different approach for wireless networks.
A strong WPA/WPA2 preshared key should be a secure enough solution (a different WPA key for each client).
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re:

Thu Jan 06, 2011 12:07 pm

Thanks very much.

I can see now that we can't prevent MAC spoofing in the router, but we can stop it or limit it in layer 2.
Thanks very much :)
Last edited by heleopless on Thu Jan 06, 2011 12:19 pm, edited 1 time in total.
 
sergejs
MikroTik Support
Posts: 6624
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: please help

Thu Jan 06, 2011 12:10 pm

Yes, it is correct.
The router "sees" a client with a spoofed MAC/IP in the same way it would "see" a good client with the same MAC/IP.
You have to prevent it with described approaches.
 
heleopless
Frequent Visitor
Topic Author
Posts: 78
Joined: Mon Jan 03, 2011 3:03 pm

Re: please help

Thu Jan 06, 2011 1:14 pm

thanks
