sysadmbonn
just joined
Topic Author
Posts: 6
Joined: Tue Aug 24, 2021 5:55 pm

Blocking Routers

Sat Oct 02, 2021 8:41 am

Gooooooood Morning beloved Mikrotik Fans :)

I just recently started to use Mikrotik Routers and I am really happy I found them!

I work in a Congress Venue and we use hEX S [RB760iGS] ...
In fact we use a lot of them ... Currently clocking in at 70 pieces and I'm just now looking to buy some 100 more ...

When we have a Venue in our House, our Customers order Internet or other Network demands from us directly. So we are some kind of Telco in our own house.
Our Business model relies on Nodes, whereas every Client needs a Node. You have two Computers, one Printer and a TV that needs Internet? That will be four Nodes ...
Technically we roll out a big WAN Infrastructure on our Premises and hook these Mikrotik Routers to them and the Customer connects to the Router ...
I toggle the DHCP Scope on each Router to reflect what the Customer ordered: from one to three Nodes or a Flatrate (after three Nodes comes the Breakeven to simply order a Flatrate rather than ordering more Nodes).
This suits our needs well ... BUT!
Some Customers only order ONE NODE and then hook up their own router to mine and thus use more Nodes than ordered. Even worse, some of them hook up Access Points and provide WiFi.
This goes against our agreed contracts and the customers are violating our Terms.
Naturally I would like to have a technical go at this Problem.

So, here come my Questions:
  • How do I block Routers behind my Router?
  • How do I reckon a Router being used?

Any Help or Ideas are highly welcomed!

Please refrain from talking to me about our Node-Price-Model or even denying our customers to set up their own WiFi. This is a billing Issue and the Company doesn't like to lose Money. You wouldn't try to talk to Netflix saying your Business-Model regarding the Number of People watching is unfair, would you?
 
sindy
Forum Guru
Posts: 11115
Joined: Mon Dec 04, 2017 9:19 pm

Re: Blocking Routers

Sat Oct 02, 2021 10:46 am

You can permit access only from a registered MAC address on a given port - this will cause an additional administrative load, and the customer can set the MAC address of their own router to the registered one and still connect the device from which the MAC address has been cloned behind their own router, so not a 100 % solution. You have to ask them to tell you the MAC in advance, which is a hint for them what to do.

You can watch the TTL of the incoming IP traffic from them, or reduce the TTL of the outgoing traffic towards them. The customer can adjust the TTL of their outgoing traffic, or increase the TTL of the incoming traffic. So again not a 100 % solution.

As your routers are hEXes, not hAPs, you cannot scan the wireless spectrum for SSIDs - but even if you could, you wouldn't know whether the SSIDs are broadcast by mobile phones acting as hotspots or by routers connected to your network.

From the customer perspective, a network provided by you is equally unsafe as a direct connection to the internet provided by any ISP, so I'd not connect my devices to it directly, without my own firewall device standing in between.

You are not a monopoly, so you are not in the same position as Netflix with their own unique contents and their own unique way to access it. Let's say you find out that the customer is breaking your rules. What are the next steps? If you cancel the contract, you lose even the money you were getting for the single node. If you ask them to pay the flat rate, they may cancel the contract. Take them to court - great, both of you will lose way more money than the amount in question. The customers will not stay offline without your service, because there is LTE, 5G... unless you have an agreement with the mobile operators that they will not provide data service in the area.

I've thought so far it's only politicians who approve laws that cannot be effectively enforced.

So I would differentiate the packages by bandwidth rather than by the number of nodes, and limit it on a device out of the customer's physical reach so that they could not replace it, as even 802.1x can be fooled around. Such a limitation cannot be circumvented by the customer, and if the low bandwidth offers are useless enough, and the high bandwidth offer is still cheaper than mobile data while providing more bandwidth than the mobile connection, you've got both your money and a happy customer with no reasons to violate your T&C.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocking Routers

Sat Oct 02, 2021 10:54 am

Dear @sysadmbonn, every suggestion you can get on a public forum
can be read and circumvented by your users, because they have MikroTik devices and can search the MikroTik forum...

@sindy gave a perfect account of that.

And about identifying how many users... I can do that, but I'm not so stupid as to reveal my methods to anyone, to avoid that the method, sooner or later, goes public and someone finds a way to circumvent it...

I only suggest you use the HotSpot approach; this way it is more difficult to connect "Routers", as they cannot interact with the login page...
Also you can set filters based on MAC address, for example you can block all TP-LINK devices, but again the MAC can be changed by someone...
 
anav
Forum Guru
Posts: 21895
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Blocking Routers

Sat Oct 02, 2021 3:50 pm

Basically it boils down to how many nodes I have is none of your business.
If I go to a hotel and I have 3 laptops and 10 cellphones, I get a wifi password for the room that is good for all devices.
If you're talking about stalls, or displays, same thing, charge should be per stall, unless you're stinking greedy.
Why not also charge by the minute and also for each piece of toilet paper in the bathroom, and of course 2x if it's two-ply and 3x if it's 3-ply.

A simpler business model is easier to manage and clearer for clients. Base the client cost on an average of 3 devices as a single STALL or room cost, DONE,
no technical worries, no policing required, you get paid, everyone is happy.
 
sysadmbonn
just joined
Topic Author
Posts: 6
Joined: Tue Aug 24, 2021 5:55 pm

Re: Blocking Routers

Sun Oct 03, 2021 11:58 am

I am still waiting for someone who is willing to read and understand my post and give into a meaningful discussion ...
 
JohnTRIVOLTA
Member
Posts: 401
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Blocking Routers

Sun Oct 03, 2021 2:04 pm

sysadmbonn, Some providers limit the maximum number of connections in this situation. You can plan the restriction by setting about 60 - 80 connections per client/device. An example is a router with a speed plan of up to 50 Mbps, suitable for up to 3 devices. Its net plan will be restricted to up to 200 connections. It is best to run the restriction with a firewall rule for limitation of established TCP connections with the source address of the client's router and another for UDP connections:
/ip firewall filter
add action=tarpit chain=forward connection-limit=180,32 connection-state=established protocol=tcp src-address=clRouterIPaddress comment="per-client budget: tarpit established TCP above 180 connections per /32"
add action=drop chain=forward connection-limit=90,32 protocol=udp src-address=clRouterIPaddress comment="per-client budget: drop UDP above 90 connections per /32"
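As an added example (not code from this thread, from RouterOS, or from any poster), here is a small offline analyser that applies two hints raised in the thread, sindy's TTL observation and JohnTRIVOLTA's per-client connection budget, to constructed flow records of the kind a traffic-flow export would yield. The record fields, the port names, the MAC and IP values and the 200-connection budget are assumptions for the example.

```python
"""Heuristics for spotting a customer router behind a single access port.

Constructed example, not RouterOS code and not code from the forum
thread. It groups flow records per port and reports three things the
thread talks about: how many MACs the port actually shows, whether the
TTLs look like they have already crossed one extra router hop, and
whether the TCP connection count exceeds a per-client budget.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Initial TTL values of common operating systems (Linux/macOS 64,
# Windows 128, some network gear 255). One extra router hop on the
# customer side shows up as the value minus one.
DEFAULT_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class Flow:
    """One observed connection, as a traffic-flow export might report it.
    Field names are assumptions for this example."""
    port: str       # access port the customer is plugged into (e.g. "ether2")
    src_mac: str    # MAC seen on that port
    src_ip: str
    ttl: int        # TTL of the customer's packets when they reach the router
    proto: str      # "tcp" or "udp"
    established: bool = False


def infer_hops(ttl):
    """Map an observed TTL to (assumed initial TTL, hops in between).

    Returns None when the TTL is not within 8 below any known default,
    so an exotic or deliberately rewritten TTL is not mis-read.
    """
    for base in DEFAULT_TTLS:
        if 0 <= base - ttl < 8:
            return base, base - ttl
    return None


def analyse_port(flows, conn_budget=200):
    """Summarise one port: visible MACs, NAT hints and connection load."""
    macs = {f.src_mac for f in flows}
    bases, hops = set(), Counter()
    for f in flows:
        inferred = infer_hops(f.ttl)
        if inferred:
            bases.add(inferred[0])
            hops[inferred[1]] += 1
    tcp_established = sum(1 for f in flows if f.proto == "tcp" and f.established)
    flags = []
    # A directly attached device is zero hops away; a TTL one below a
    # default means a router sits between the device and this port.
    if hops.get(1, 0) > 0:
        flags.append("ttl-decremented")
    # Several OS families behind one MAC is another hint of NAT.
    if len(macs) == 1 and len(bases) > 1:
        flags.append("multiple-os-one-mac")
    if tcp_established > conn_budget:
        flags.append("tcp-over-budget")
    return {"macs": len(macs), "tcp_established": tcp_established, "flags": flags}


def analyse(flows, conn_budget=200):
    """Group flows by port and analyse each port."""
    per_port = defaultdict(list)
    for f in flows:
        per_port[f.port].append(f)
    return {port: analyse_port(fl, conn_budget) for port, fl in per_port.items()}


def sample_flows():
    """Constructed records; not captured traffic."""
    flows = []
    # ether2: one Windows laptop plugged in directly (one node, TTL 128).
    flows += [Flow("ether2", "aa:aa:aa:00:00:01", "10.10.2.10", 128, "tcp", True)
              for _ in range(12)]
    # ether3: a customer router; the Linux (63) and Windows (127) hosts
    # behind it all appear with the router's MAC and one extra hop, and
    # together they open more TCP connections than the 200 budget allows.
    flows += [Flow("ether3", "bb:bb:bb:00:00:01", "10.10.3.10", 63, "tcp", True)
              for _ in range(150)]
    flows += [Flow("ether3", "bb:bb:bb:00:00:01", "10.10.3.10", 127, "tcp", True)
              for _ in range(80)]
    flows.append(Flow("ether3", "bb:bb:bb:00:00:01", "10.10.3.10", 127, "udp"))
    # ether4: three devices on a plain switch, all directly visible.
    for i, ttl in enumerate((64, 128, 64), start=1):
        flows.append(Flow("ether4", f"cc:cc:cc:00:00:0{i}", f"10.10.4.{i}", ttl, "tcp", True))
    return flows


if __name__ == "__main__":
    for port, summary in sorted(analyse(sample_flows()).items()):
        print(port, summary)
```

The TTL flags are hints rather than proof: as sindy points out, a customer can rewrite TTLs on their own router, so the output is best used as a queue for a manual look rather than as an automatic cut-off. The connection count is the one figure the access device measures directly, which is why the firewall rule above acts on it.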
 
sysadmbonn
just joined
Topic Author
Posts: 6
Joined: Tue Aug 24, 2021 5:55 pm

Re: Blocking Routers

Sun Oct 03, 2021 4:13 pm

sysadmbonn, Some providers limit the maximum number of connections in this situation. You can plan the restriction by setting about 60 - 80 connections per client/device. An example is a router with a speed plan of up to 50 Mbps, suitable for up to 3 devices. Its net plan will be restricted to up to 200 connections. It is best to run the restriction with a firewall rule for limitation of established TCP connections with the source address of the client's router and another for UDP connections:
/ip firewall filter
add action=tarpit chain=forward connection-limit=180,32 connection-state=established protocol=tcp src-address=clRouterIPaddress comment="per-client budget: tarpit established TCP above 180 connections per /32"
add action=drop chain=forward connection-limit=90,32 protocol=udp src-address=clRouterIPaddress comment="per-client budget: drop UDP above 90 connections per /32"
Okay! That is something to have a look into ...
Thank you very much for this Idea. It is really appreciated!
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocking Routers

Sun Oct 03, 2021 4:29 pm

Simply one SSTP VPN, one connection, "infinite" uses.
 
holvoetn
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Blocking Routers

Sun Oct 03, 2021 4:34 pm

I am still waiting for someone who is willing to read and understand my post and give into a meaningful discussion ...
It is human nature to find a way around an obstacle.
Several ways to circumvent what you are planning to do have been given.

The # connections or limited bandwidth approach seems to be the most sensible to me. They can add their own network equipment if they want. Some might even NEED that for their purpose. Already considered that option too?

There is otherwise no way you can close the gaps reliably and fast enough (BTW, allowing THAT for some offenders would not be fair either to those playing by the rules).

Make the rules simpler as stated before.
It's the easiest way out.
 
mada3k
Forum Veteran
Posts: 741
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Blocking Routers

Sun Oct 03, 2021 9:20 pm

You simply can't charge per client/device - because of NAT. Your business model is flawed from the beginning.

The only possible way I can think of is a blacklist/whitelist of vendor MAC addresses, but that can be faked in 5 minutes. OR something like unique wireless accounts.
 
rextended
Forum Guru
Posts: 12554
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Blocking Routers

Sun Oct 03, 2021 9:36 pm

I suggest HotSpot from the start....
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: Blocking Routers

Mon Oct 04, 2021 2:13 am

Your business model will always be able to be subverted by technical means, so further discussion is somewhat pointless.
