piyaservice
just joined
Topic Author
Posts: 20
Joined: Fri May 15, 2015 11:16 am

How to Hide Gateway from customer

Sat Oct 24, 2015 7:49 am

Dear sir,
I have a problem with our hotspot service. Customers can see the gateway when they connect to the hotspot, and then a customer uses a netcut attack against the gateway.

Question
1. How to hide or protect the gateway from customers

Best regards
 
chechito
Forum Guru
Posts: 3005
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: How to Hide Gateway from customer

Sat Oct 24, 2015 9:58 am

knowing the topology is necessary to design a solution
 
piyaservice
just joined
Topic Author
Posts: 20
Joined: Fri May 15, 2015 11:16 am

Re: How to Hide Gateway from customer

Sat Oct 24, 2015 12:38 pm

This is our solution
1. Use load balancing with ECMP
2. Use CAPsMAN to control the access points
3. Use hotspot for login

Problem
1. I found that some customers check our gateway and use some software to attack our gateway

This is the problem
 
kiler129
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: How to Hide Gateway from customer

Sat Oct 24, 2015 12:44 pm

You're approaching it the wrong way - what you're trying to do is called "security by obscurity" ;)
You should at least read http://wiki.mikrotik.com/wiki/Protecting_your_customers
 
troffasky
Member
Posts: 431
Joined: Wed Mar 26, 2014 4:37 pm

Re: How to Hide Gateway from customer

Sat Oct 24, 2015 1:22 pm

Certainly wireless client isolation would help here, but I guess it's not going to help protect a client on AP1 from attacks by a client on AP2 - unless CAPsMAN is clever enough to cover this?

Other ideas - make every ethernet port on the router routed [it's not clear from your diagram if eth3-eth9 are routed or bridged]. That way the damage from a malicious user is limited to the port they're on.
 
sup5
Member
Posts: 359
Joined: Sat Jul 10, 2010 12:37 am

Re: How to Hide Gateway from customer

Sat Oct 24, 2015 6:11 pm

User Isolation is the key here. (Horizon Bridging and Wireless isolation)

Just make sure there is no Layer-2 connectivity between the users.
 
troffasky
Member
Posts: 431
Joined: Wed Mar 26, 2014 4:37 pm

Re: How to Hide Gateway from customer

Sun Oct 25, 2015 12:48 am

 
piyaservice
just joined
Topic Author
Posts: 20
Joined: Fri May 15, 2015 11:16 am

Re: How to Hide Gateway from customer

Sun Oct 25, 2015 3:42 am

> knowing the topology is necessary to design a solution

Thank you for your information. I have already tried the settings from your comment.
 
piyaservice
just joined
Topic Author
Posts: 20
Joined: Fri May 15, 2015 11:16 am

Re: How to Hide Gateway from customer

Sun Oct 25, 2015 3:44 am

> You're approaching it the wrong way - what you're trying to do is called "security by obscurity" ;)
> You should at least read http://wiki.mikrotik.com/wiki/Protecting_your_customers

Dear sir,
I read this column already, but I cannot see how to protect our gateway. Please explain to me how to do it.

Best regards
 
piyaservice
just joined
Topic Author
Posts: 20
Joined: Fri May 15, 2015 11:16 am

Re: How to Hide Gateway from customer

Sun Oct 25, 2015 3:47 am

> Certainly wireless client isolation would help here, but I guess it's not going to help protect a client on AP1 from attacks by a client on AP2 - unless CAPsMAN is clever enough to cover this?
>
> Other ideas - make every ethernet port on the router routed [it's not clear from your diagram if eth3-eth9 are routed or bridged]. That way the damage from a malicious user is limited to the port they're on.

Dear sir,
Isolation means protecting so that client and client cannot see each other, but I don't understand about between server and client. How do I protect that? Please tell me if my understanding is not correct.

Best regards
 
troffasky
Member
Posts: 431
Joined: Wed Mar 26, 2014 4:37 pm

Re: How to Hide Gateway from customer

Sun Oct 25, 2015 12:10 pm

If you "hide" the gateway from the clients, how do you expect the clients to get any internet access?

You asked about protecting against the 'netcut' attack. A quick google suggests netcut is an ARP poisoning attack, where a malicious user sends out ARP packets pretending to be the gateway. If you isolate the clients from each other, then a malicious client isn't going to be able to send spoofed ARP packets to other clients, pretending to be the gateway.

One more idea - change the ARP setting on your client-facing interface to reply-only [so the router will ignore all ARP responses on it] and change the DHCP settings to add leases to ARP table [/ip dhcp-server add-arp]. This means that the router will only be able to communicate with clients that have DHCP leases from the router.
At this point you would need to add static ARP entries for anything that isn't a DHCP client, so I suggest [if you haven't done so already] put your APs and other network infrastructure into their own VLAN with normal ARP settings.
 
piyaservice
just joined
Topic Author
Posts: 20
Joined: Fri May 15, 2015 11:16 am

Re: How to Hide Gateway from customer

Mon Oct 26, 2015 12:12 pm

> If you "hide" the gateway from the clients, how do you expect the clients to get any internet access?
>
> You asked about protecting against the 'netcut' attack. A quick google suggests netcut is an ARP poisoning attack, where a malicious user sends out ARP packets pretending to be the gateway. If you isolate the clients from each other, then a malicious client isn't going to be able to send spoofed ARP packets to other clients, pretending to be the gateway.
>
> One more idea - change the ARP setting on your client-facing interface to reply-only [so the router will ignore all ARP responses on it] and change the DHCP settings to add leases to ARP table [/ip dhcp-server add-arp]. This means that the router will only be able to communicate with clients that have DHCP leases from the router.
> At this point you would need to add static ARP entries for anything that isn't a DHCP client, so I suggest [if you haven't done so already] put your APs and other network infrastructure into their own VLAN with normal ARP settings.

Thank you for your information.
In this content:

> At this point you would need to add static ARP entries for anything that isn't a DHCP client, so I suggest [if you haven't done so already] put your APs and other network infrastructure into their own VLAN with normal ARP settings.

Can you give an example? Because I don't understand this content.
 
loveman
Member
Posts: 348
Joined: Tue Mar 10, 2015 9:32 pm

Re: How to Hide Gateway from customer

Mon Oct 26, 2015 11:29 pm

> If you "hide" the gateway from the clients, how do you expect the clients to get any internet access?
>
> You asked about protecting against the 'netcut' attack. A quick google suggests netcut is an ARP poisoning attack, where a malicious user sends out ARP packets pretending to be the gateway. If you isolate the clients from each other, then a malicious client isn't going to be able to send spoofed ARP packets to other clients, pretending to be the gateway.
>
> One more idea - change the ARP setting on your client-facing interface to reply-only [so the router will ignore all ARP responses on it] and change the DHCP settings to add leases to ARP table [/ip dhcp-server add-arp]. This means that the router will only be able to communicate with clients that have DHCP leases from the router.
> At this point you would need to add static ARP entries for anything that isn't a DHCP client, so I suggest [if you haven't done so already] put your APs and other network infrastructure into their own VLAN with normal ARP settings.

In your command "One more idea":
That means you enable a static setting for ARP and DHCP?
That means in DHCP you can add a static MAC and IP from leases? Is that right?
And in ARP you can add a static IP and MAC?
 
loveman
Member
Posts: 348
Joined: Tue Mar 10, 2015 9:32 pm

Re: How to Hide Gateway from customer

Mon Oct 26, 2015 11:31 pm

I am a follower of this subject: how to block or drop Netcut.
 
chechito
Forum Guru
Posts: 3005
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: How to Hide Gateway from customer

Tue Oct 27, 2015 5:44 am

If you can isolate clients from each other, proxy ARP and setting ARP to reply-only on the interface can help, assuring ARP will be configured dynamically by another service, like DHCP.
 
loveman
Member
Posts: 348
Joined: Tue Mar 10, 2015 9:32 pm

Re: How to Hide Gateway from customer

Tue Oct 27, 2015 3:15 pm

> If you can isolate clients from each other, proxy ARP and setting ARP to reply-only on the interface can help, assuring ARP will be configured dynamically by another service, like DHCP.

I am using static DHCP, that means DHCP static only. When adding a new customer, I go into DHCP leases, add the MAC of the customer's computer and write an IP from the range.
Is your ARP method affected by my DHCP leases?
 
chechito
Forum Guru
Posts: 3005
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: How to Hide Gateway from customer

Tue Oct 27, 2015 5:46 pm

> > If you can isolate clients from each other, proxy ARP and setting ARP to reply-only on the interface can help, assuring ARP will be configured dynamically by another service, like DHCP.
>
> I am using static DHCP, that means DHCP static only. When adding a new customer, I go into DHCP leases, add the MAC of the customer's computer and write an IP from the range.
> Is your ARP method affected by my DHCP leases?

Like troffasky says:

In the DHCP server configuration, check the "add ARP for leases" option for the DHCP server facing the users' interface.

Then on the interface set the ARP option to reply-only.

Remember to keep your clients isolated at the access layer.
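
The steps suggested in this thread (layer-2 client isolation, DHCP-populated ARP, reply-only ARP on the client-facing interface, and a static ARP entry for a non-DHCP device), written out as a RouterOS configuration. This is an added example, not a configuration posted by anyone in the thread; the interface names `bridge-hotspot`, `ether3` to `ether5` and `wlan1`, and the address/MAC pair, are assumptions to be replaced with your own.

```routeros
# Added example. All names and addresses below are assumptions:
#   bridge-hotspot  = client-facing bridge that the hotspot and DHCP server run on
#   ether3..ether5  = bridge ports leading to the access points
#   wlan1           = a locally managed wireless interface
#   192.0.2.10 / 00:00:5E:00:53:10 = constructed address of a device without a DHCP lease

# 1. Isolate clients at layer 2.
#    Bridge ports that share the same horizon value do not forward to each other,
#    so a client behind ether3 cannot send spoofed ARP to a client behind ether4.
/interface bridge port
set [find bridge=bridge-hotspot interface=ether3] horizon=1
set [find bridge=bridge-hotspot interface=ether4] horizon=1
set [find bridge=bridge-hotspot interface=ether5] horizon=1

#    Stop clients associated to the same wireless interface from reaching each other.
/interface wireless
set [find name=wlan1] default-forwarding=no

# 2. Let the DHCP server write an ARP entry for every lease it hands out.
/ip dhcp-server
set [find interface=bridge-hotspot] add-arp=yes

# 3. Add a static ARP entry for anything on this interface that is not a DHCP client
#    (for example an access point's management address). Without it the router
#    cannot reach that device once step 4 is applied.
/ip arp
add interface=bridge-hotspot address=192.0.2.10 mac-address=00:00:5E:00:53:10 \
    comment="AP management, static entry"

# 4. Only after steps 2 and 3: stop learning from ARP traffic on the client side.
#    The router still answers ARP requests, but its ARP table is now filled only
#    by DHCP leases and static entries, so spoofed ARP replies cannot change it.
/interface bridge
set [find name=bridge-hotspot] arp=reply-only

# 5. Check the result: entries should be either static or added by the DHCP server.
/ip arp print where interface=bridge-hotspot
```

Reply-only ARP protects the router's own ARP table; the isolation in step 1 is what keeps one client from impersonating the gateway to another client.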
