namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Client isolation (PC + managed switch )

Mon Oct 11, 2010 1:15 pm

I have Mikrotik RouterOS with hotspot on an Intel PC. The computer is connected to a switch, and the switch is connected to several APs (users can log in using a user name and password with HTTP-CHAP only).

I have a problem that unauthorized users can scan the IP and MAC of active users and change their MAC and IP to match that of the active user to use the internet at the same time. I prevent this on the same AP by using client isolation. I was told that I can buy a managed switch to do client isolation and prevent two computers with the same MAC and IP.

I enabled client isolation in my AP, and now authorized users cannot see the MAC and IP of users from the same AP, but they still can see the MAC and IP of users of other APs. Will a managed switch solve the problem? (I will get a Dell™ PowerConnect™ 3024 from someone.)

http://support.dell.com/support/edocs/n ... /index.htm
Last edited by namo on Fri Nov 12, 2010 3:51 pm, edited 3 times in total.
 
MCT
Member Candidate
Posts: 158
Joined: Wed Mar 03, 2010 5:53 pm

Re: Client isolation (PC + managed switch Vs RB493AH)

Mon Oct 11, 2010 7:11 pm

It's difficult with most hotspot setups using MAC authentication. The best thing would be to try to find another authentication method.

A managed switch won't really help unless the spoofing is from two different APs that pass through it. If it's on the same AP then the AP itself won't know which is which. That's why the only defense is to use something that requires login credentials from the PC connected to the AP.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: Client isolation (PC + managed switch Vs RB493AH)

Mon Oct 11, 2010 7:30 pm

> It's difficult with most hotspot setups using MAC authentication. The best thing would be to try to find another authentication method.
>
> A managed switch won't really help unless the spoofing is from two different APs that pass through it. If it's on the same AP then the AP itself won't know which is which. That's why the only defense is to use something that requires login credentials from the PC connected to the AP.

Users log in using a user name and password (I use HTTP-CHAP, not MAC, for login). The problem is that if user A logs in, then user B, without logging in, uses NetCut or another program to scan IPs and MACs and gets the IP and MAC of user A. User B changes his IP and MAC to the same as user A's, and the internet will work for user B. Two users have the same IP and MAC: one is an authorized user who bought the service from me and the other one is an unauthorized user who is stealing user A's bandwidth.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: Client isolation (PC + managed switch Vs RB493AH)

Fri Oct 29, 2010 6:26 am

I discovered that an unauthorized client can scan IPs and MACs using NetCut. Then he or she can change the MAC of his WiFi adapter to a MAC address that is the same as an authorized user's, and the Mikrotik will give him the same IP. The user then can use other people's internet.

I decided to buy this managed switch to solve the problem with NetCut:

used: http://cgi.ebay.com/ws/eBayISAPI.dll?Vi ... 0476757490

Do I just need to create a private VLAN for each port and set the port going to the Mikrotik router as the internet port?
 
roadracer96
Forum Veteran
Posts: 736
Joined: Tue Aug 25, 2009 12:01 am

Re: Client isolation (PC + managed switch Vs RB493AH)

Fri Oct 29, 2010 11:02 am

Split horizon bridging or bridge firewall. Have used both. Works great for me.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: Client isolation (PC + managed switch Vs RB493AH)

Fri Oct 29, 2010 4:41 pm

> Split horizon bridging or bridge firewall. Have used both. Works great for me.

I have a PC with one Ethernet port for the LAN, not an RB493AH, so I have one port for the LAN.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Client isolation (PC + managed switch Vs RB493AH)

Fri Oct 29, 2010 5:34 pm

With a proper managed switch you will have a bit more control over the network than you will with just a MikroTik acting like a switch.

For the managed switch, you get a device that is designed to be a switch and all of the features that come along with that: things like how it handles VLANs, and you can put ports into protected mode, the rough equivalent of layer 2 isolation on the AP. You also get all of the ports that you need. If a 493 will cover all of the ports you need for your hotspot, then the horizon option on a bridge will work well. RouterOS is first and foremost what its name implies, a router; it is not designed to be a switch.

Keep this in mind, however: all of these options only prevent clients from talking to each other over the devices/network itself. This will not prevent someone from sniffing wireless traffic, grabbing the IP and MAC off of it directly and then changing their settings accordingly. This is the nature of wireless: you broadcast everything you are sending and receiving, so anyone in range can pick up what is being sent. This is especially true with wireless in a hotspot situation, where the more complicated you make it for users to connect to the network, the more you have to pay for support on the network and troubleshooting issues, so it is often not very cost effective to set up encryption on the network instead of just living with people stealing access that way.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: Client isolation (PC + managed switch )

Fri Nov 12, 2010 3:54 pm

 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Client isolation (PC + managed switch )

Fri Nov 12, 2010 4:11 pm

No switch is ever going to help with someone impersonating another client on the same AP.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: Client isolation (PC + managed switch )

Sat Nov 13, 2010 6:15 am

> No switch is ever going to help with someone impersonating another client on the same AP.

I have no problem with the same AP. Users can get the IP and MAC of clients on other APs, but they can't get the ones on the same AP.

I connect to one AP and open NetCut. I can see the MAC and IP of users from other APs, but I cannot see the ones from the AP that I am connected to.
 
AlexN
Frequent Visitor
Posts: 82
Joined: Thu Feb 18, 2010 11:02 am

Re: Client isolation (PC + managed switch )

Sat Nov 13, 2010 10:52 am

Take a smart switch. Let's assume that you have 3 APs and one PC router. Then you need 4 ports, for example 1 - for the PC router, 2 - for AP1, 3 - AP2, 4 - AP3. Then you need to create 3 VLANs with different tags through the switch, for example with tag 1001 through ports 1 and 2, with tag 1002 through ports 1 and 3 and with tag 1003 through ports 1 and 4. Turn off passing of untagged packets on ports 1-4. If you are using simple bridges on your APs, then instead of the Ethernet interface put into the bridge a VLAN with the corresponding tag (1001 for AP1, 1002 for AP2, 1003 for AP3). The parent for this VLAN must be the same Ethernet that you kicked out of the bridge.
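The RouterOS side of this layout, written out as an added example (not from the post above or from any forum member's configuration). The switch part is vendor-specific and follows the port/tag plan in the post; the script below assumes the APs are MikroTik devices with a bridge named `bridge1` containing `wlan1` and `ether1`, that the PC router's single LAN port is `ether1`, and that the existing hotspot is named `hotspot1` and uses the constructed subnet 10.5.50.0/24. It combines the per-AP VLAN tags (1001-1003) with the bridge `horizon` option mentioned earlier in the thread, so the one LAN port on the PC carries all three APs while clients on different APs cannot reach each other at layer 2.

```routeros
# ---- AP1 (repeat on AP2/AP3 with vlan-id 1002/1003) ----
# Replace the untagged uplink in bridge1 with a tagged VLAN interface whose
# parent is the same ether1 that is being removed from the bridge.
/interface vlan add name=vlan1001 vlan-id=1001 interface=ether1
/interface bridge port remove [find interface=ether1]
/interface bridge port add bridge=bridge1 interface=vlan1001

# ---- PC router (single LAN port ether1, trunk to switch port 1) ----
# One VLAN interface per AP, all on the same physical port.
/interface vlan add name=vlan1001 vlan-id=1001 interface=ether1
/interface vlan add name=vlan1002 vlan-id=1002 interface=ether1
/interface vlan add name=vlan1003 vlan-id=1003 interface=ether1

# Bridge the three VLANs so the hotspot keeps one subnet, but give every
# port the same horizon value: ports sharing a horizon never forward
# frames to each other, so AP1 clients cannot see AP2/AP3 clients.
/interface bridge add name=br-hotspot
/interface bridge port add bridge=br-hotspot interface=vlan1001 horizon=1
/interface bridge port add bridge=br-hotspot interface=vlan1002 horizon=1
/interface bridge port add bridge=br-hotspot interface=vlan1003 horizon=1

# Move the hotspot gateway address and the hotspot itself from ether1
# to the new bridge (address is constructed; hotspot name is assumed).
/ip address remove [find interface=ether1]
/ip address add address=10.5.50.1/24 interface=br-hotspot
/ip hotspot set [find name=hotspot1] interface=br-hotspot
```

After applying this, an ARP/IP scanner run from a client on AP1 should only list clients on AP1 (which the AP's own client isolation already hides), since the horizon setting stops the bridge from relaying frames between the VLAN ports. It does nothing for a client that sniffs the air of its own AP, as the replies in this thread point out; that requires encryption on the wireless side.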
 
otgooneo
Trainer
Posts: 587
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: Client isolation (PC + managed switch )

Sat Nov 13, 2010 3:36 pm

I think the Layer 2 managed switches can solve this problem. For example, Linksys SRW series switches have an ACL (Access Control List) feature. I have no experience with it, but I think ACLs work on Layer 2 and can block traffic sniffing.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: Client isolation (PC + managed switch )

Sat Nov 13, 2010 3:49 pm

I will try these suggestions when I get my managed switch.