1-i will make one address per mac
2-i will specify an address for the client
3- i will make shared users more than "1"or "none"
4 i will disable broadcast
5- i will make a virtual gateway for dhcp


when the hacker who use mac spoofing try to join by the spoofing mac
he cant take the specific address from dhcp because the address already has been bound by the real client and cant take another address from dhcp because of specifying one address per mac for the real client


we will do shared users per mac "2or more"or"none" to allow the spoofer to join but he wont take the specific id and in the same time the real client wont log of in result of spoofer joining

the spoofer in this time wil have a yellow triangle mark on his connection and he will have to insert the ip and gateway manually
here it is the job of virtual gateway of dhcp he will not be able to know this virtual gateway how ever he knew the ip so he wont be able to login





is that can help protecting of mac spoofing please answer me
thanks in advance
ahmed hassan
heleopless@yahoo.com

You cannot prevent MAC spoofing on the router.

Search for posts of the user 'namo', and the replies he has received over the last year.

why do you say that ?
every problem has a solution this is real
i tested this and have some success


when the spoofing mac join and the real client is active
the spoofing mac cant take an the same ip of the client from dhcp server
so the hacker must make manual ip for his internet connection
we can solve that by make "address pool" in dhcp server "static only" so the hacker cant take any another ip

am i right?
please tell me and discuss that will be help for me and all
thanks in advance

As Fewi stated, it is all laid out to Namo repeatedly over the past year. There is a real solution, it's not solved on the router, it is solved on the layer2 network and investing in the proper hardware to do so. A router can only control traffic going over itself, it cannot control traffic on the rest of the network.

A router cannot prevent someone at the edge of the network from spoofing a MAC/IP combination. Some switches can protect against this for wired connections (must be implemented on the switch, not the router), but it is absolutely impossible to prevent MAC/IP spoofing on wireless access points if both clients are on the same AP. This is a shortcoming of how TCP/IP works when not combined with authentication such as PPPoE or 802.1x, which may not be acceptable in ad hoc networks.

Edit: Feklar was first, still posting it for the references to what layer 2 technologies can be used to mitigate.

the subject here doesnt tell that
we prevent some one from spoof a mac
i know that it is impossible

the idea is to let him join but not take the dhcp server ip
as the real client with the true mac will gain or bound the ip before the spoofer

the mikrotik router can control which internet protocols will have the traffic


the true mac will bound the ip specified
the spoofing mac will not as a mac bound it before
we will specify the property of one address per mac

Won't work, that's the way DHCP works. A client broadcasts and requests an IP address, then the DHCP server responds and gives them the IP information. How do you know if the client just isn't releasing and renewing their IP? Or their DHCP client has decided it wants to renew the lease? What about if the client is just rebooting their PC?

If you want the DHCP server to only respond to the first DHCP request it receives from a client and no other after that you'd create more problems and solve nothing. What you are thinking is very easy to get around, the MAC-Spoofer would just have to assign himself a static IP and continue on and bypass the DHCP server all together.

ok your reply prove that my idea is probably true

now to solve this problem
we will bind a specific ip with the mac and specify a big lease time such 60d
and be careful that the client bound the ip before the spoofer
we will disable the broadcast and not mak address pool
we will make it static only

now the spoofer cant take any other ip except the specified one
and the specified one is already taken by the real client

So the spoofer just uses the same IP address - something you cannot prevent on the router.

i will specify the property of one address per mac
this address will be bound by the real mac
and the spoofer cant bound the same address when the true client is active

i found it logical doesnt it??

No. You can spoof both MAC and IP addresses. The router will be completely unable to tell that there are two users sharing both addresses.

Once again, this WILL NOT solve what you think it will. It would be very very trivial for me to do an IP scan of a network or set up a packet sniffer and get the MAC and IP of a legitimate client and modify my settings to match theirs. Then all of the sudden I am online with their account. Anyone that is doing MAC spoffing knows how to use these programs and modify their settings, you solve nothing by doing this.

ALL DHCP is a service by witch end users do not have to manually enter in the network settings in order to get online, this does not prevent others from modifying these settings themselves to get online. When you make a sticky DHCP lease it is only set on the server so it knows to always give that IP to a certain MAC, it does not modify or change anything on the clients side. Should someone change their MAC and ask for a lease, the server will hand it to them. If you somehow find a way to prevent the server from giving out the lease again until after it has expired (which you probably will not be able to do) you completely ignore my other points about completely legitimate reasons for the client to ask for the IP again. When you do a "repair" on a connection in windows it releases and renews the IP, when you reboot a computer it asks for a lease, most DHCP clients will ask for a new lease 1/2 way through their current lease.

All you are doing at this point is making things overly complicated on yourself, creating problems, going to make clients mad, and driving up your costs due to the extra support required of you now. All of that for not even putting a dent in the problem or slowing it down.

ok that is a good point we reach

the router will not give the spoofing mac the same ip automatically

the spoofer must insert his ip and gateway manually

you agree with that????

tell me

No, it will give the same IP to the same MAC asking for it. That's the way DHCP works. If an end user has copied the MAC of another end user and asks for a lease, then the DHCP server will see if that MAC already has a lease, if so it will reply with the same address in the table and give it to them, if not it will give them another address not in use.

The spoffer can either get the same DHCP lease from the server, or manually set their settings to match the other end user, something that takes all of 1 minute at most if you are on a slow computer.

no no no the dhcp doesnt give the spoofer mac the same ip as it is bounded before
the spoofer must provide it for his connection manually



here we must make a virtual gateway to the dhcp server
the spoofer will not be able to know it
moreover you can change this virtual gateway every day
it is easy to change

is that help protecting??????

thanks

Yes the DHCP server will give them the same IP address, Subnet Mask, Gateway, and DNS servers as the legitimate end user, because that is the way DHCP works. It does not matter if you bind or make it sticky or anything else. If the DHCP server is running, it will respond to DHCP requests, it will see a DHCP request from a given MAC and it will hand out a DHCP lease. If that MAC has an active lease it WILL give them the same lease information again.

Here once again, ALL that the "spoofer" needs to do is get a packet sniffer and adjust their settings accordingly, making them do this via modifying there settings manually is in no way shape or form a deterrent, or even something that will slow them down. It DOES not matter how often you change this "gateway", they can just change it themselves when you do. And then you generate a ton of problems for your end users by changing settings like that on a daily basis, because all of the sudden their lease information is incorrect and they can no longer get online. There again, all you have done is increase your work load, generated a lot of problems, and made a ton of pissed off clients.

ok if i MAKE SHARED USERS "1"
now one computer can login by the mac

any way help that the first one who has the real mac not logging of when the spoofer log in

Once again, that does nothing. All that defines is how many people are allowed to sign in at once with an account. If the MAC and IP address are spoffed, then the router has no way of knowing who is who and both are still online.

I am done posting in this thread, as you are not listening and we are going in circles. You have been given the information you requested, and pointed in the direction of where the answers are. Read the threads that Namo started asking the same question, the answer is the same every time, and will be the same every time for you. You are both asking about the exact same "problem" and the solution is the same for both of you. Decide what you want your network to do and invest in the hardware that will allow you to accomplish those goals, otherwise live with what you have.

thanks

ok sir i reached your point and have been convinced
thanks alot

but please tell me if there is a way or rule in hotspot
to mask or prevent ips and macs in the scanning programs from appearing or appear like that
not real (ff:ff:ff:ff:ff:ff)

like pppoe system

i hobe i didnt disturb u
really thanks alot

No, there is no way to prevent that on a Hotspot.

Again, search threads started by 'namo' for a lengthy discussion on why.