Hi Yall,

Got 3 MT Private hotspots running and am having a heck of a time keeping up with the connections. Is there a simple way to block unapproved MAC addresses into the system? As it sits now, a couple of my customers have figured out that once I queue them back, all they have to do is change routers or MAC addresses.

Even if ya'll can just point me to a thread that already addresses this issue I'd be grateful.

Mac

Disable "Default Authenticate" on wireless cards where you need it. It's on tab Wireless. After that only users in Wireless - Registration table can connect.

Disable "Default Authenticate" on wireless cards where you need it. It's on tab Wireless. After that only users in Wireless - Registration table can connect.

Ok, I'll look into that, but let me give a little more detail about our system. We're using the MT to act as a T1 Gateway and using Motorola Canopy Wireless AP's and SM's to give access to our customers. So, really it's not acting like a wireless system, we're using license level 5. So it's not acting as a hot spot.

I'm queuing customers using simple queues but a few have realized that they can simply change mac addresses and until I catch their switch, they're operating at full bandwidth and dragging the system down for others.

What I'm looking for is a simple mac addess based way to allow only approved MAC addresses and essentially block or redirect any MAC address that isn't already authorized.

Any Help appreciated.
Mac

are you using the hotspot feature to create the queues and do MAC address authentication? If you do it that way it's real simple, you can create multiple profiles (different queues and settings) assign the user a profile and when that MAC connects to the network RouterOS creates a dynamic simple queue based on the settings for the profile.

Any unauthorized MAC addresses will get redirected to a Mikrotik hotspot login or if you disable the http login they will receive a page cannot be displayed when browsing.

We use an Allot NetEnforcer for bandwidth provisioning. It allows you to create pipes for each individual user and has what they call a "fall back pipe" which is a catch all for any users that haven't been specified. I limit our fallback pipe to 512kbps, which is our lowest service level so no one ever gets more than what they pay for.

You should be able to create something similar with Mikrotik, I don't have a step by step configuration, but the concept is pretty simple. Create a queue that catches all users on your network and set it to whatever you decide is an appropriate speed. Then define each of your users as you would have previously.

I haven't gone into queuing with the mikrotiks in too much depth myself, so I'm not quite sure how RouterOS will handle packets that meet the requirements of two seperate queues (the fallback/catch-all and the defined user). So I'm sure this will require some testing and tweaking to get it working right.

Good luck.

Really,

What I'm looking for is a simple way to block connections or drop connections that don't come from preauthorized MAC addresses. I'm not using hotspot at all. This doesn't have anything to do with wireless. I just want to be able to accept and/or deny connection based upon a client MAC address. I know there has to be a way to do this, I just don't know what it is.
Any help appreciated.
Mac

Mac,

if you read my reply then you would realize that using the hotspot package IS a way of doing just that.

Another way of achieving the same goal would be to mangle the traffic. Mangle the src-mac-address of the authorized traffic and set it as something like net-auth, and all other traffic to net-no-auth. or somthing like that.. drop or redirect net-no-auth to your signup page and allow traffic mangeled as net-auth access to the network.

It's that simple.

The hotspot package does this with an easy to use and configure interface. It also allows you to create queues based on service level. That's why I recomended it. You get the authentication as well as the bandwidth control.

-Bill

I'm queuing customers using simple queues but a few have realized that they can simply change mac addresses and until I catch their switch, they're operating at full bandwidth and dragging the system down for others.

Create one simple queue rule that catches all traffic, but place it on the botom of the list. Then shape that queue to slow down block traffic. If someone change settings to avoid simple queue made for him, he will end up in general queue that limits him rapidly.

> ip firewall filter
> add chain=forward in-interface=LAN src-mac-address=11:22:33:44:55:66 action=accept
..... repeat for evey mac-address you need to allow
..... and at last, you need to add drop filter
> add chain=forward in-interface=LAN action=drop

If you only need to block (not queue) un-authorized mac-address, you can try to use this script

> ip firewall filter
> add chain=forward in-interface=LAN src-mac-address=11:22:33:44:55:66 action=accept
..... repeat for evey mac-address you need to allow
..... and at last, you need to add drop filter
> add chain=forward in-interface=LAN action=drop

You can also force a given MAC address to use a specific IP address via a static DHCP lease to help keep track of who is who, and then as mentioned only allow those IP addresses through the firewall. This won't protect you from a non-customer spoofing someone else's MAC but it sounds like that's not as much of an issue (plus, they'd need Canopy to get on your system it sounds like).

Are these people changing around their MACs and routers paying customers? I'd add in your TOS/AUP that this kind of behavior is prohibited, and give them the boot if they continue.

WildBill,

I meant no disrespect, I just didn't really understand your solution. I was under the impression that "Hotspot" had to do with wireless. Sorry.

Valens, I'll be trying what you explained this week. That's exactly what I was looking for.

See, we provide 1 ip address for each customer, supposedly based upon their MAC address. i.e. a router or a single computer in their home. All I'm trying to do is to keep up with my simple queues to make sure each customer gets the proper amount of bandwidth and that nobody can take advantage.

Thanks for all ya'lls help.
Mac

You can also force a given MAC address to use a specific IP address via a static DHCP lease to help keep track of who is who, and then as mentioned only allow those IP addresses through the firewall. This won't protect you from a non-customer spoofing someone else's MAC but it sounds like that's not as much of an issue (plus, they'd need Canopy to get on your system it sounds like).

Are these people changing around their MACs and routers paying customers? I'd add in your TOS/AUP that this kind of behavior is prohibited, and give them the boot if they continue.

Jarsoup,

Actually, I've tried that already, and once I get the filters in place that Valens suggested that'll work really well. I'm not too worried about somebody dropping $400 on a canopy modem to hack our system, also, they'd really have to know what they're doing, cause I'd figure out there's an extra connection on our system within a day or two. I currently have all of our customers IP's assigned through DHCP, but I make them static as soon as they're up and running. Problem is, we've got 3 MT routers and over 100 customers. (as I keep telling my boss, THIS IS A PART TIME JOB) It's not really a problem with customers who use an internal router, they almost always leave it on and I simply queue the IP of that router. When the DHCP lease is up, it re-assigns that IP address and all is fine. It's the customers who switch MAC devices on me that are a pain. As to the TOS, we're a small, "FRIENDLY" ISP. But we do let people know that if they blatantly try to circumvent our system we'll shut em down.

Thanks again for all the help guys. Great to have a resource.
Mac