 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

how to block arp-scan in hotspot

Wed Sep 08, 2010 10:15 am

I have MikroTik v4.11 with hotspot. I want to block arp-scan, or a solution to prevent this.

I connect to the hotspot without logging in, then run arp-scan, take one of the IP and MAC addresses, clone them as mine, and I can connect to the Internet.

Unauthorized people can steal free Internet.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to block arp-scan in hotspot

Wed Sep 08, 2010 3:33 pm

On an open access wireless system it is impossible to do that.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: how to block arp-scan in hotspot

Wed Sep 08, 2010 4:49 pm

This has been stated many times. The only way to prevent clients talking to each other over a layer 2 network is for the edge equipment to be set up to prevent this. This has been and will always be the case. On switches this means VLANs and/or Port Isolation, on access points this means Client Isolation. If your choice of equipment doesn't have these basic security settings, I would suggest looking into better hardware.

How is a device in the middle of the network supposed to stop devices right next to each other from talking to each other? The simple answer is that it can't, it can only manage traffic that is going over it.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Thu Sep 09, 2010 8:35 am

> This has been stated many times. The only way to prevent clients talking to each other over a layer 2 network is for the edge equipment to be set up to prevent this. This has been and will always be the case. On switches this means VLANs and/or Port Isolation, on access points this means Client Isolation. If your choice of equipment doesn't have these basic security settings, I would suggest looking into better hardware.
>
> How is a device in the middle of the network supposed to stop devices right next to each other from talking to each other? The simple answer is that it can't, it can only manage traffic that is going over it.

I enabled the (Block Relay Between Clients) option in my APs, if that is the same thing. What is left between the APs?

What kind of cheap 8-port or larger switches can do this and handle 40-60 users? (An eBay link or exact model would be helpful.)

Edit:
The switch that I have is a D-Link DES-1008D.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to block arp-scan in hotspot

Thu Sep 09, 2010 3:03 pm

You're looking at managed switches. Extreme, HP, Foundry, AT, Cisco - that kind of thing.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Fri Sep 10, 2010 7:56 am

> You're looking at managed switches. Extreme, HP, Foundry, AT, Cisco - that kind of thing.

Will this one do the job:

3com 3CDSG8

datasheet: http://www.google.com/url?sa=t&source=w ... Ow&cad=rja
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to block arp-scan in hotspot

Fri Sep 10, 2010 8:04 am

Not according to the manual you posted. Unless I missed that feature when briefly scanning the ToC and sections that could contain it. That switch can do VLANs but that in and by itself isn't enough to prevent hotspot users from cheating their way into access, which I think you are really after.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Fri Sep 10, 2010 2:33 pm

I found this one: http://www.zyxel.com/web/support_downlo ... 0809155239

Managed switches are expensive. I hoped that MikroTik had the capability that I want.

I have a MikroTik RB450 (with RouterOS v4.11, Level 4). Can I turn this into a managed switch? Will it be able to handle 40-60 users?
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: how to block arp-scan in hotspot

Fri Sep 10, 2010 6:03 pm

If you are looking at 3Com switches, I wouldn't bother with anything less than a 4500 series. Their 26 port version can be had for around $500 US, and is a very good switch. We use it all over the place, it does both port isolation and VLANs, and more than likely anything you would need it to do. The 3Com Baseline/Office Connect series honestly suck as far as managed switches go, spend the extra 100 to 200 and save yourself a lot of headaches and problems.

You can use any MikroTik board as a layer 2 device fine. For what you are looking for you do not want to use the switch chip feature, however; you will want to bridge all of the ports together. You'll lose out on some of the features of a real switch however. You can use the Horizon option when adding in ports to the bridge to block communication between ports, you'll probably just need to exclude the up-link port from that option.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Fri Sep 10, 2010 8:26 pm

I am planning to use the RB450 as a switch and my Intel PC as a router for now. In the future I will buy an RB493AH and use it as a router and managed switch.

What is the command to clear the settings in MikroTik?

And what settings do I need to turn the RB450 into a managed switch that can do client isolation and block arp-scan, to prevent two computers with the same IP and MAC from using the same hotspot user account? (The first is the real user and the second a thief who stole the IP and MAC.)
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: how to block arp-scan in hotspot

Fri Sep 10, 2010 9:32 pm

Log into the device via the CLI and type in 'setup'. In there is an option to completely reset the configuration of the MikroTik. I think there are a few other ways to get at this too. Be sure you have a console cable ready as that will be the fastest way to get back into it.

The basic way you will do that is to make a bridge and add all of the interfaces to that bridge. Be sure to set up the Horizon option on each port as you add them into the bridge.
http://wiki.mikrotik.com/wiki/Manual:MP ... n_bridging
You will want to leave that option off probably of whatever the up-link port is, I'm not sure on this point as I've never set up a MikroTik like that. This should prevent clients from talking to each other over the "switch", but won't prevent it from happening over the access point, so be sure to set up the client isolation on them.

Do not use the switch chip on the MikroTik if you want to do any kind of isolation like that, the switch chip does not support it.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Sat Sep 11, 2010 5:20 pm

Should I have the setup like this:
/interface bridge add name=bridge
/interface bridge port add bridge=bridge interface=ether1 horizon=1
/interface bridge port add bridge=bridge interface=ether2 horizon=2
/interface bridge port add bridge=bridge interface=ether3 horizon=3
/interface bridge port add bridge=bridge interface=ether4 horizon=4
/interface bridge port add bridge=bridge interface=ether5 horizon=5
Is this correct? I want ether5 to be connected to the LAN of the Intel PC MikroTik router.

With the above setting it still shows the MAC and IP of users on other APs when I do arp-scan.

Update: I also created a different VLAN for each port but the result is the same.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: how to block arp-scan in hotspot

Mon Sep 13, 2010 5:28 pm

No, the Horizon value needs to be the same, basically what it's saying is any traffic that comes in on this port with a Horizon number of x, do not let the traffic go out of any of the ports that have the same number set. This is why you will need to leave the Horizon option off of the uplink port, otherwise the traffic will not be able to leave the bridge (not a problem if the MikroTik is the router).

MikroTiks handle VLANs very differently than a real switch will. It is a Linux based device and it handles and deals with VLANs just like Linux will. Whenever you add in a VLAN, what it does is it makes a virtual interface in the router that just so happens to tag all traffic leaving it with the tag and read only traffic coming into it with the right tag. As far as the MikroTik is concerned it's just another usable physical interface, you can assign an IP to that interface, route traffic out of it, or anything else that you can do to a real interface. When you add in a VLAN on a switch and assign it to an interface, the switch will not treat that VLAN as a separate interface, all it really does there is tell the switch what ports the traffic is allowed to come in on and out of.
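Feklar's description of the Horizon value, modelled in Python as an added illustration (this is not RouterOS code): a frame that enters a port with horizon h is never forwarded out another port with the same h, while a port with no horizon set is unrestricted. The port names and the three configurations are taken from the thread; the forwarding rule is an assumption based on how the thread describes the option.

```python
from typing import Dict, List, Optional

# Port -> horizon value; None means "horizon not set" (the uplink case).
# Three configurations from the thread, constructed here as dicts.
DISTINCT = {"ether1": 1, "ether2": 2, "ether3": 3, "ether4": 4, "ether5": 5}      # namo's first attempt
ISOLATED = {"ether1": 1, "ether2": 1, "ether3": 1, "ether4": 1, "ether5": None}   # Feklar/fewi's advice
UPLINK_IN_GROUP = {"ether1": 1, "ether2": 1, "ether3": 1, "ether4": 1, "ether5": 1}  # horizon on uplink too
CLIENTS = ["ether1", "ether2", "ether3", "ether4"]
UPLINK = "ether5"


def forward_ports(ports: Dict[str, Optional[int]], in_port: str) -> List[str]:
    """Ports a flooded frame (broadcast, unknown unicast, ARP request) that
    entered on in_port may leave through under split-horizon rules: never
    back out the ingress port, and never out a port sharing a set horizon."""
    in_h = ports[in_port]
    return [p for p, h in ports.items()
            if p != in_port and not (in_h is not None and h == in_h)]


def isolation_holds(ports: Dict[str, Optional[int]],
                    clients: List[str] = CLIENTS, uplink: str = UPLINK) -> bool:
    """True when no client port can reach another client port, every client
    port can reach the uplink, and the uplink can reach every client port."""
    for c in clients:
        reach = forward_ports(ports, c)
        if uplink not in reach or any(o in reach for o in clients if o != c):
            return False
    uplink_reach = forward_ports(ports, uplink)
    return all(c in uplink_reach for c in clients)


if __name__ == "__main__":
    for name, cfg in [("distinct", DISTINCT), ("isolated", ISOLATED),
                      ("uplink_in_group", UPLINK_IN_GROUP)]:
        print(name, "ether2 ->", forward_ports(cfg, "ether2"),
              "isolation:", isolation_holds(cfg))
```

Two clients behind the same AP share one bridge port, so no horizon setting separates them; the model only covers traffic crossing the bridge.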
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Mon Sep 13, 2010 6:11 pm

> No, the Horizon value needs to be the same, basically what it's saying is any traffic that comes in on this port with a Horizon number of x, do not let the traffic go out of any of the ports that have the same number set. This is why you will need to leave the Horizon option off of the uplink port, otherwise the traffic will not be able to leave the bridge (not a problem if the MikroTik is the router).
>
> MikroTiks handle VLANs very differently than a real switch will. It is a Linux based device and it handles and deals with VLANs just like Linux will. Whenever you add in a VLAN, what it does is it makes a virtual interface in the router that just so happens to tag all traffic leaving it with the tag and read only traffic coming into it with the right tag. As far as the MikroTik is concerned it's just another usable physical interface, you can assign an IP to that interface, route traffic out of it, or anything else that you can do to a real interface. When you add in a VLAN on a switch and assign it to an interface, the switch will not treat that VLAN as a separate interface, all it really does there is tell the switch what ports the traffic is allowed to come in on and out of.

Should I put horizon 1 on all ports 1-4 and disable the horizon for port 5, which is connected to the Intel PC MikroTik router?
Do you mean that I do not need the VLAN? What is the difference from a normal switch?
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Mon Sep 13, 2010 8:17 pm

I am using 192.168.1.0/24 for DHCP and the 192.168.1.2-192.168.1.254 pool for the hotspot. Will using different pools for hotspot and DHCP help? Does it actually work to have different pools for them?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to block arp-scan in hotspot

Mon Sep 13, 2010 8:29 pm

It works, it doesn't help your case.

You don't need VLANs.

Set the same horizon value on client ports, set NO horizon value on the uplink port.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Tue Sep 14, 2010 11:30 am

> It works, it doesn't help your case.
>
> You don't need VLANs.
>
> Set the same horizon value on client ports, set NO horizon value on the uplink port.

Should I also add a filter between each combination of ports, such as
/interface bridge filter
add in-interface=ether2 out-interface=ether3 action=drop
What about the chain? Is it forward, input or output?
What about between the uplink port and the others?
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Tue Sep 14, 2010 11:46 am

I am assuming that the chain is forward and I should not filter port 5, which is connected to the router (uplink).
/interface bridge filter

add in-interface=ether1 out-interface=ether2 action=drop chain=forward
add in-interface=ether1 out-interface=ether3 action=drop chain=forward
add in-interface=ether1 out-interface=ether4 action=drop chain=forward

add in-interface=ether2 out-interface=ether1 action=drop chain=forward
add in-interface=ether2 out-interface=ether3 action=drop chain=forward
add in-interface=ether2 out-interface=ether4 action=drop chain=forward

add in-interface=ether3 out-interface=ether1 action=drop chain=forward
add in-interface=ether3 out-interface=ether2 action=drop chain=forward
add in-interface=ether3 out-interface=ether4 action=drop chain=forward

add in-interface=ether4 out-interface=ether1 action=drop chain=forward
add in-interface=ether4 out-interface=ether2 action=drop chain=forward
add in-interface=ether4 out-interface=ether3 action=drop chain=forward

Do I need the Horizon? (all ports horizon=1 except port 5, where horizon is disabled)
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to block arp-scan in hotspot

Tue Sep 14, 2010 3:52 pm

Question: are you running a public Hotspot over WiFi?

If so, you HAVE to run it as an open access point. You cannot use WEP or WPA (which are broken, anyway), and you cannot use WPA2. You would confuse people and make it hard for them to connect, and you would lose customers.

In an open access point ANYONE CAN SEE THE FRAMES THE RADIO SENDS INTO THE AIR. Client isolation does not magically make it so the AP somehow transmits only to the intended client, client isolation only makes it so that clients can't talk to one another. THEY CAN STILL SEE THE TRAFFIC, and can therefore see the MAC and IP address of one another.

You cannot prevent users from stealing access. You can come up with some harebrained schemes like having an open access point where users buy credentials, and then they get limited to 1k up and down and instead use the credentials to log into a WPA2 access point that then grants the real access. If you do that - or anything similar - you increase the amount of service calls and reduce purchases to the point that you lose more money than through people stealing access.

Give up. This isn't worth your time.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Tue Sep 14, 2010 4:08 pm

> Question: are you running a public Hotspot over WiFi?
>
> If so, you HAVE to run it as an open access point. You cannot use WEP or WPA (which are broken, anyway), and you cannot use WPA2. You would confuse people and make it hard for them to connect, and you would lose customers.
>
> In an open access point ANYONE CAN SEE THE FRAMES THE RADIO SENDS INTO THE AIR. Client isolation does not magically make it so the AP somehow transmits only to the intended client, client isolation only makes it so that clients can't talk to one another. THEY CAN STILL SEE THE TRAFFIC, and can therefore see the MAC and IP address of one another.
>
> You cannot prevent users from stealing access. You can come up with some harebrained schemes like having an open access point where users buy credentials, and then they get limited to 1k up and down and instead use the credentials to log into a WPA2 access point that then grants the real access. If you do that - or anything similar - you increase the amount of service calls and reduce purchases to the point that you lose more money than through people stealing access.
>
> Give up. This isn't worth your time.

The people who are stealing are taking the MAC and IP of an active authorized client, so that client will complain that the Internet is slow. I don't have a method to know if something is wrong with his computer or someone cloned his IP and MAC.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: how to block arp-scan in hotspot

Tue Sep 14, 2010 7:12 pm

> The people who are stealing are taking the MAC and IP of an active authorized client, so that client will complain that the Internet is slow. I don't have a method to know if something is wrong with his computer or someone cloned his IP and MAC.

No one does. There was no security built into MAC addresses when it was first implemented and as a result you can spoof the MAC of whatever you want. Think of it this way, if you meet two people and both claim to have the same name, but one of them is not telling the truth, how do you know which one is the real one when you only ever have their name to go off of? You can't, when the router gets a packet from said MAC and IP that is a completely valid request it will do what routers do, it has no way of knowing who is the legitimate user or not.

The firewall chains you are describing are inefficient, the Horizon option works much better. As Fewi mentioned, this will ONLY protect the traffic going over the router/switch itself, not the AP. Client Isolation will ONLY ever prevent people from talking to each other over the AP itself. The radio cards in a laptop/computer/access point will broadcast signal, and anyone that wants to listen in that is in range can do so. That is the nature of wireless, there is nothing you can do about that.

You can encrypt traffic between the AP and the client itself to prevent someone from understanding it, or make it so the client needs to make a tunnel to the router in order to get online, but these are only realistic options when you control everything about the network up to and including the devices that will connect to the network. Otherwise you are asking to spend most of your time troubleshooting and dealing with support issues on one network for every new client that comes in. If you are in a hotspot kind of situation this is not a viable solution at all. At least by preventing people from scanning each other over the entire network, you are now narrowing it down to a specific area around one AP. Your only course of action is to find out who is doing it and perform some "guest education", or live with this reality.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Wed Sep 15, 2010 6:36 pm

> > The people who are stealing are taking the MAC and IP of an active authorized client, so that client will complain that the Internet is slow. I don't have a method to know if something is wrong with his computer or someone cloned his IP and MAC.
>
> No one does. There was no security built into MAC addresses when it was first implemented and as a result you can spoof the MAC of whatever you want. Think of it this way, if you meet two people and both claim to have the same name, but one of them is not telling the truth, how do you know which one is the real one when you only ever have their name to go off of? You can't, when the router gets a packet from said MAC and IP that is a completely valid request it will do what routers do, it has no way of knowing who is the legitimate user or not.
>
> The firewall chains you are describing are inefficient, the Horizon option works much better. As Fewi mentioned, this will ONLY protect the traffic going over the router/switch itself, not the AP. Client Isolation will ONLY ever prevent people from talking to each other over the AP itself. The radio cards in a laptop/computer/access point will broadcast signal, and anyone that wants to listen in that is in range can do so. That is the nature of wireless, there is nothing you can do about that.
>
> You can encrypt traffic between the AP and the client itself to prevent someone from understanding it, or make it so the client needs to make a tunnel to the router in order to get online, but these are only realistic options when you control everything about the network up to and including the devices that will connect to the network. Otherwise you are asking to spend most of your time troubleshooting and dealing with support issues on one network for every new client that comes in. If you are in a hotspot kind of situation this is not a viable solution at all. At least by preventing people from scanning each other over the entire network, you are now narrowing it down to a specific area around one AP. Your only course of action is to find out who is doing it and perform some "guest education", or live with this reality.

What I don't understand is how the router, switch and AP can forward packets correctly. The Internet works correctly for both users with the same IP and MAC addresses.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to block arp-scan in hotspot

Wed Sep 15, 2010 6:57 pm

That's a very large question, because you're basically asking "how does TCP/IP work". Here's a very short summary.

Switches maintain lists of what MAC addresses are seen on what ports. When a switch receives a frame for a specific MAC address it looks into that list to see if it knows what port the MAC address is behind. If it doesn't know, it floods the frame out all ports. If it does know, it forwards the frame out just that one port. When a switch sees an incoming frame it also updates the MAC address table and sets the list entry for the frame source MAC address to the port the frame was received through.

Routers, when sending to a destination on a directly connected network, ARP for the destination IP address. That resolves the IP address to a MAC address. The router then dispatches that frame to that destination MAC address (sometimes the MAC address is directly connected, sometimes the frame goes into a switch that further forwards it).

APs just send out the frame via their radios if the destination MAC address is associated with a radio. This is a wireless broadcast - anyone listening can see that frame.

So when someone spoofs a MAC address and IP address, nothing changes at all for the router. That IP still resolves via ARP to the same MAC - it just sends the frame into the network. It is 100% impossible for the router to even know that someone spoofed the credentials of someone else.

When the switch receives the frame, it will send it out the last known port from its internal list. This may cause the frame to go to the wrong client - but that client will just discard the data since it doesn't know what to do with it. The switch will see the spoofed MAC address flap between two ports if the two clients are behind different switch ports, and will continually update its internal table as it sees frames come in from the different ports. Because of the reliability built into TCP/IP the two clients will often receive data that they will discard, but TCP/IP will take care of the retransmissions. The users will get a bad quality of service, but things will generally continue to function, albeit badly. Non-reliable protocols such as UDP based protocols that don't take care of reliability in an upper layer will experience a high degree of packet loss.

You can defend against this with smart switches. Cisco calls this port-security, for example - you can ensure that a MAC address learned on a specific switch port cannot suddenly show up somewhere else. Other manufacturers have similar configuration options.

However, when the two clients are connected to the same AP, the switch never sees the MAC address flap since they are both behind the AP, which is on just one switch port - and that's where the inherent problem is with defending against MAC address spoofing on public Hotspots. The Hotspot must necessarily allow anyone to connect, or you can't sell services ad hoc to everyone that comes in and attaches to the AP. Anyone that attaches to the AP can claim to be any MAC/IP address they want, because TCP/IP and Ethernet make this fundamentally possible. Any authentication schemes that establish identity on parameters other than MAC/IP address make it harder for people to connect to the Hotspot. You either lose money by configuring your AP in a way that makes it very hard for people to pay you money, or you lose money because people steal access. Usually you lose less money by people stealing access, at least in public Hotspots. If you're trying to sell static Internet access to home users, you're better off having a real ordering process and using PPPoE credentials to allow users to connect - but this means that anyone wanting to buy Internet access from you has to call you, or email you from outside your network, or come by your office, and set up an account with you after payment. But that is simply not an option in a public WiFi Hotspot where people must be able to buy access without talking to you before even connecting to your network.
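fewi's account of how a switch learns MAC addresses, how a cloned MAC flaps between two ports, and the port-security style check he mentions, as an added Python model (not RouterOS or Cisco code). The MAC addresses and port layout are constructed sample data, and the detection rule (pin a MAC to the first port it was learned on, drop and record frames that arrive for it elsewhere) is one plausible form of that check, not any vendor's implementation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    in_port: str


@dataclass
class LearningSwitch:
    """Minimal learning switch. With port_security=True a MAC stays bound to
    the first port it was learned on; frames for that MAC arriving on another
    port are dropped and recorded as violations instead of moving the entry."""
    ports: List[str]
    port_security: bool = False
    table: Dict[str, str] = field(default_factory=dict)                  # mac -> port
    moves: List[Tuple[str, str, str]] = field(default_factory=list)     # (mac, old, new)
    violations: List[Tuple[str, str]] = field(default_factory=list)     # (mac, port)

    def receive(self, f: Frame) -> List[str]:
        """Learn f.src_mac, then return the ports the frame leaves through."""
        old = self.table.get(f.src_mac)
        if old is not None and old != f.in_port:
            if self.port_security:
                self.violations.append((f.src_mac, f.in_port))
                return []                                   # drop; keep original binding
            self.moves.append((f.src_mac, old, f.in_port))  # the table "flaps"
        self.table[f.src_mac] = f.in_port
        out = self.table.get(f.dst_mac)
        if f.dst_mac == BROADCAST or out is None:
            return [p for p in self.ports if p != f.in_port]  # flood
        return [] if out == f.in_port else [out]


ROUTER = "00:0c:42:00:00:01"   # constructed sample MAC for the hotspot router
VICTIM = "00:11:22:33:44:55"   # constructed: the paying user's MAC, cloned by the thief


def simulate(thief_port: str, port_security: bool = False):
    """Victim on ether1, router on ether5, thief on thief_port; the two clients
    send to the router in turn. Returns the port each router reply is delivered
    to, the MAC moves the switch saw, and the port-security violations."""
    sw = LearningSwitch(["ether1", "ether2", "ether3", "ether4", "ether5"], port_security)
    sw.receive(Frame(ROUTER, BROADCAST, "ether5"))       # router ARPs; switch learns it
    delivered = []
    for src_port in ["ether1", thief_port, "ether1", thief_port]:
        sw.receive(Frame(VICTIM, ROUTER, src_port))
        delivered.append(sw.receive(Frame(ROUTER, VICTIM, "ether5"))[0])
    return delivered, sw.moves, sw.violations


if __name__ == "__main__":
    print("different ports, no port-security:", simulate("ether2"))
    print("different ports, port-security:   ", simulate("ether2", True))
    print("same AP (one switch port):         ", simulate("ether1"))
```

The `thief_port="ether1"` case is the same-AP scenario: the switch sees only one port, records no move and no violation, and the reply goes out that port where the radio broadcasts it, which is why fewi says switch-level security does not help there.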
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Thu Sep 16, 2010 1:16 pm

Does RouterOS have port security if it is set up as a switch? I tried MAC scanning and I cannot see the users that are connected to the same AP, which means what I need is protection at the switch level.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: how to block arp-scan in hotspot

Thu Sep 16, 2010 3:14 pm

No, it does not.

And as I said in that post, if the users are connected to the same AP (which is going to be virtually guaranteed as they could not determine the MAC and IP of a user that is connected to an AP far away, so they wouldn't know what to spoof) switch level security does you no good.

I think I am going to stop posting on this topic, we are just going around in circles. You can't solve this problem for public Hotspots.

Good luck with your network.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: how to block arp-scan in hotspot

Thu Sep 16, 2010 3:22 pm

Thank you for your help and info.
