I have a mikrotik wireless network at the moment with 6 high sites. I want to only allow my PPPOE-clients to have access to the internet. I want to be able to disable someone trying to give their computers an IP address on their local machine without authenicating with PPPOE. any suggestions. I am using DMAsoft's Radius Manager. Using OS 3.4 on the sites and using routes to control everything. I want to prevent people from hacking/using the network without paying. Even if i allow that mac-address to connect. What stops him from giving himself an ip address with gateway etc and using my network.

Do not give IP address to the interfaces which is for customers and turn of default forward on the wireless interfaces. This won't allow your client to communicate through your AP directly. And if you don't have IP on the interface (PPPOE don't need it) the router won't route them. They can only work through pppoe channel.

Thank you, seems to be working. So when i client connects on PPPOE the router creates the routes only then. I take it, it is recommended to set up OSPF. However OSPF slowed my network down and had problems with interfaces with multiple networks on it.

OSPF is a must in every modern network, especially if you have many pppoe conentrators (on every AP), unless you want to distribute routes by your self , besides that close your backbone network (make it round) turn ospf on and be happy with redundancy and some sort of LB

After that there's just at least two different gateways to outside world (from different isps) at different points in your backbone, turn on BGP between them, and be really happy, since then you can think about your self as an excellent ISP:)


cheers
Michal

I have re enabled OSPF with my network once again, will test and let Mikrotik Support know if i still have a problem.

Basically i had done the following: disabled default forwarding on my sectors, given no ip address to the sectors, Enabled OSPF with security, Enabled MAC auth on radius and on the router.

Will this be a secure network?

CERTAINLY NOT, YOU CANNOT AUTHORIZE USERS BY MAC, THIS TOTALLY MISUNDERSTANDING NOWADAYS MAC SPOOF IS JUST FEW CLICKS AWAY, I suggest you to authorize by login and password (strong passwords) with at least chap pppoe handshake.

Cheers
Michal