I have Mikrotik routerOS with hotspot. I have the same address pool for DHCP and hotspot. My APs IPs and mac addresses are added IP binding so I can access them behind a router.

I notice that the DHCP sometimes give user my AP IP and I won't be able to Access my AP. How to prevent that.

setting: dhcp-pool 192.168.2.2-192.168.2.254


DHCP server: dhcp-pool

Hotspot IP: 192.168.2.1
Hotspot pool : dhcp-pool

Presuming your AP is static assigned 192.168.2.2/24
Set the dhcp pool to issue 192.168.2.8-192.168.2.254.
Then make the dhcp lease to the AP static and set the address outside the dhcp-server range. Change X to the line number of the dhcp lease to the AP.

Presuming your AP is static assigned 192.168.2.2/24
Set the dhcp pool to issue 192.168.2.8-192.168.2.254.
Then make the dhcp lease to the AP static and set the address outside the dhcp-server range.

Code: Select all

/ip dhcp-server lease
set X make-static=yes
set X address=192.168.2.2

Change X to the line number of the dhcp lease to the AP.

Do I need static address on the DHCP for each AP?

I just put the IP:

192.168.2.2-192.168.2.199

and I will move all AP in 192.168.2.200-192.168.2.254 range

You will need to assign each AP a static lease. The challenge is the 1:1 universal NAT performed by the hotspot. It will assign a dynamic ip from the dhcp pool if you have not set the lease static.

You can see this in "/ip hotspot host". Under the listing for the AP mac addresses, the "address" is the static ip assigned to the AP, and the "to-address" is what the router uses. The router does not see any ips in the "address" column.

ADD: All that is really required is to make the lease static. However, the "to-address" ip is not always what you want, and the ip you want to assign may be already issued to another mac address.

Insure the clients behind the AP aren't using the mac address of the AP. That causes a bit of a problem with this first option.

The other option is disable the universal nat by removing the address-pool setting in "/ip hotspot" and removing the static assignment range (192.168.2.200-254) from "/ip pool".

the real problem is with the client AP. Client who use Ethernet station not USB adapter has two IPs : his station IP and his computer IP. Both these IPs appears with the same Mac address.


How to deal with this ?

Then your option is to disable the hotspot universal nat. Remove the "address-list" value from "/ip hotspot". Insure the dhcp-server address pool is not issuing the static ips of your APs.

Then your option is to disable the hotspot universal nat. Remove the "address-list" value from "/ip hotspot". Insure the dhcp-server address pool is not issuing the static ips of your APs.

I didn't think about the static ip of APs before so I have them at good numbers so that if I want to exclude them from the pool, I have to create several pools. Is it Ok to have the dhcp pool as 192.168.2.2-192.168.2.254 and add static dhcp for APs ip and mac.

for example APs IPs are 192.168.2.10 , 192.168.2.20, 192.168.2.30 , 192.168.2.40 ,

then I have to create several pools that doesn't has these ips.

That is up to you. I exclude a group of ips that are not in the dhcp server address pool for localnet devices (like webcams). My APs (and webcams) would be 192.168.2.2-15. It is easier for me.

Then your option is to disable the hotspot universal nat. Remove the "address-list" value from "/ip hotspot". Insure the dhcp-server address pool is not issuing the static ips of your APs.

But It is useful to have address-list for the Hotspot for users with wrong IP. Also if the user uses static ip and that ip is already assign in DHCP, the hotspot will have ip translation.

I agree. I use the universal nat feature. I use MT routers for APs and a hotspot in each with a common user database, like User Manager or FreeRADIUS. Then the client mac address is available at the hotspot, not the mac of the AP. And it makes it easy to access each router. You don't need to go through a hotspot.

That also has the benefit of keeping unauth trash off the backhauls. Only logged in users on the backhaul.

I have added the ip and Mac of APs in DHCP server.

Now , there is another problem. If someone(unauthorized) use a program to change his IP and MAC to the same one as one of APs, will I still be able to access the AP web interface?

Depends on the network layout, and is impossible to answer without an accurate and detailed drawing.

That is one of the primary reasons to VLAN off your management IPs, or use dedicated physical management ports, by the way. The other being to hide equipment from customers so that they cannot attack it in the first place. If the management address was on a different network from the customers in the first place there wouldn't be any IP/MAC to spoof.

Depends on the network layout, and is impossible to answer without an accurate and detailed drawing.

That is one of the primary reasons to VLAN off your management IPs, or use dedicated physical management ports, by the way. The other being to hide equipment from customers so that they cannot attack it in the first place. If the management address was on a different network from the customers in the first place there wouldn't be any IP/MAC to spoof.

I have Vlan and client isolation on AP and now netcut can only see the AP IPs. I block all port of AP IPs expect port 80 and now unthorized simple users can not steal mac ( at least simple user no expert one).

the problem that if someone(unauthorized) use a program to change his IP and MAC to the same one as one of APs , I won't be able to access AP until he or she give up because he is not getting internet because his action.

Can the user use the internet if all ports blocked expect port 80?