weller
just joined
Topic Author
Posts: 12
Joined: Fri Feb 09, 2007 7:58 am
Location: Iraq

Suggest a solution for MAC cloning problem

Fri Feb 09, 2007 8:35 am

Hi guys,
Everybody knows the MAC cloning problem: the attacker can modify his wireless card's MAC by cloning the MAC of an authorized user, he can also get the IP of that user using simple or advanced tools, and then he can surf the internet without paying. All solutions presented in old posts are either not preferred by ISPs or complex and have no transparency on the user side. Wireless encryption is also not useful because hackers can easily get keys from subscribers.

So, let us start working to find a perfect solution. I suggest the following one and I need your help to implement it:
1. When the user logs in, the hotspot will run a kind of patch, like JavaScript or VBScript or a program, which will capture packets sent by the user at the client side and add something like an identifier or marker to the packets
2. The MT firewall will distinguish packets sent by the good user from those sent by the hacker by their marker or identifier, then accept authorized packets
3. This patch must be hidden from the hackers and compatible with all versions of Windows

I think this way hackers will no longer be able to surf the internet and steal good users' time and quota.
:)
So, guys, I need your help to bring this idea into working.
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Fri Feb 09, 2007 12:34 pm

Wireless encryption WPA/WPA2 protocols are not
> wireless encryption is also not useful because hackers can easily get keys from subscribers.
Encryption protocols are secure enough. Moreover, using the EAP method (even more secure), the client does not have a static PSK key.
 
weller
just joined
Topic Author
Posts: 12
Joined: Fri Feb 09, 2007 7:58 am
Location: Iraq

Fri Feb 09, 2007 3:45 pm

sergejs, if you mean using RADIUS, that means additional cost; also, some OSes and hardware don't support all EAP protocols
 
pedja
Long time Member
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Fri Feb 09, 2007 3:55 pm

Authenticate users through a VPN, so, if someone clones a MAC and also knows that client's username and password, you may be sure that it is unlikely that he stole all that info.
 
weller
just joined
Topic Author
Posts: 12
Joined: Fri Feb 09, 2007 7:58 am
Location: Iraq

Fri Feb 09, 2007 4:23 pm

Dear pedja, you will lose all the flexibility and features of the hotspot when using VPN or PPPoE instead
 
pedja
Long time Member
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Sat Feb 10, 2007 1:12 pm

I know that :( With MT it is often the situation: if you want to get on one side, you have to lose on the other. It ain't as flexible as it looks at first sight.
 
nazadnan2003
newbie
Posts: 31
Joined: Tue Sep 05, 2006 10:12 am
Location: Iraq

Sat Feb 10, 2007 4:19 pm

There is an old scenario named the DHCP-Pool Method, described in the Hotspot chapter of the Reference Manual for RouterOS 2.8, which shows the possibility of making two different address pools: the first address pool (Temporary address pool) for unauthorized customers, and the other address pool (Real address pool) for the authorized customers.
According to this scenario, when the customer first connects to the hotspot, he should get a temporary IP address for a very short time (14 seconds±); in this period the customer should complete the authorization process and log in to the hotspot. After the end of the lease, the customer will get a new IP address from the Real pool.

In this scenario, when the hacker first connects to the hotspot, he will get a Temporary IP address, and when he runs any scanning programs, all he gets is a few IPs / MACs of other unauthorized customers; he will never see the authorized IPs / MACs because they are in a different pool (subnet mask).

Unfortunately I could not achieve this scenario in my Hotspot because I have RouterOS 2.9.29; the IP of the authorized customer changed from the Temporary to the Real just inside the router, in the IP/Hotspot/Hosts page.

If there is anyone who can confirm that he succeeded in achieving this scenario in his Hotspot, I'll be grateful if he shares his experience with us.

I believe that it is the only helpful way to solve the Hotspot hacking problem, unless there is a way to distinguish between the real and the cloned MAC and then drop all connections coming from the cloned MAC and accept connections from the real MAC.

http://forum.mikrotik.com//viewtopic.ph ... 4&start=50
 
acim
Member
Posts: 415
Joined: Mon Sep 12, 2005 12:26 am
Location: Serbia

Re: Suggest a solution for MAC cloning problem

Sun Feb 11, 2007 11:31 am

> I suggest the following one and I need your help to implement it
> 1. When the user logs in, the hotspot will run a kind of patch, like JavaScript or VBScript or a program, which will capture packets sent by the user at the client side and add something like an identifier or marker to the packets
This is not possible with either JavaScript or VBScript. Playing with TCP packets is too deep for scripting languages, and it would also be a huge security problem if it were possible. Imagine what crackers could do to client machines if they could write such powerful JavaScript to access the TCP level. This may be possible with some ActiveX stuff, but then what about Linux clients? So, this is not the way to go. The hotspot idea is just to use a Web browser to log in, not special client programs.
> 3. This patch must be hidden from the hackers and compatible with all versions of Windows
Vista is a very restrictive OS, so many things that worked on XP do not work with Vista, so something has to be done on the server side, actually our side, the side of ISPs. The idea about two networks illustrated here looks promising.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Mon Feb 12, 2007 1:41 pm

But a hacker can still sniff for 802.11abg frames and get them, connect to your network, sniff packets and do whatever he wishes. :roll: :twisted:
 
weller
just joined
Topic Author
Posts: 12
Joined: Fri Feb 09, 2007 7:58 am
Location: Iraq

Mon Feb 12, 2007 9:14 pm

> In this scenario, when the hacker first connects to the hotspot, he will get a Temporary IP address, and when he runs any scanning programs, all he gets is a few IPs / MACs of other unauthorized customers; he will never see the authorized IPs / MACs because they are in a different pool (subnet mask).

Dear nazadnan, hackers can get the working IP of clients through advanced TCP sniffing tools; it is easy.
I think I will switch to PPPoE, but the problem is: how can the user know his status, such as uptime and used quota?
There are three possible solutions:
1. Using an external RADIUS where the user can log in and see his status online
2. Using userman of the latest MT version, 2.9.38 or higher
3. Using special windowless SSH tools to log in to MT, get some parameters for the active user and print them

Any advice or help will be appreciated.
 
weller
just joined
Topic Author
Posts: 12
Joined: Fri Feb 09, 2007 7:58 am
Location: Iraq

Sun Feb 18, 2007 4:01 pm

I switched to the PPPoE solution for its high security. I just added the same users to PPP secrets and:
1) for limiting users by uptime, I used an MT script which runs every 1 min and used the comment field to enter the allowed uptime for users (because in PPP we can't use Uptime Limit as in hotspot)... I don't prefer userman of MT
2) for user status, I developed an ActiveX control in VB and inserted it in an HTML page, which logs in to MT by SSH and executes some commands to get the session time, used quota and other info for each user... the HTML file can be saved to the client PC or it can be hosted by the MT hotspot.