use WPA encryption or PPPoE on your wireless AP. This will solve it.

Ok ‎‏ ‏normis but how in hotspot system?? Imeen login page ?? How

you can use WPA with hotspot, no problem. Just distribute the WPA key together with login/password.

You Meen in wireless??

I Need The wireless Stay Open Network For Get New Customers You Know ,,

But If you Meen Another Thing Explain It Please .. Its big Problem

You could create two access points with help of VirtualAP feature. Example:

SSID: hotspot-registration (no WPA)
SSID: hotspot-login (WPA)

when customer needs internet, they connect to hotpost-registration, register, and get login/pass/wpa key for second AP.

Thanks Mr.normis ..

But Its Maybe hard to some customers Do that ..

No any another way To do that ?? Its Big problem if mikrotik dosen't Fix It ..

We are researching how to solve this.

I hope Fix This Problem In V 5.13 Mr.normis ..

Any One Can hack My Mikrotik System !

I hope you Take This Problem Seriesly

And Thanks Normis For Help

for my hotspot with RB450G+ 3 AP netcut can't scaning other member hotspot because I use DHCP-server with netmask 32.but queue will limit all conection from any to any, thats solved if config mangle

SULTAN: Is your wireless AP from MikroTik or only the hotspot server is MikroTik? Have you actually verified that this Netcut program does what is advertised?

The ONLY way to really mitigate netcut and programs like it on a hotspot is to build out your layer2 network in such a way that prevents people from being able to use these programs. There is no solution that is built into any router that will solve this for you. If you want to to block it, this means that you MUST invest in the hardware that you install that has the very features that you need and want. This question comes up very often, and the answer is always the same, invest in the layer2 network to prevent it. Get switches that either do VLANs or port isolation, dhcp-snooping, etc. Get access points that do client isolation (turn off default forwarding on MT radios) to prevent clients from talking to each other over the radio. These will put the protection at the edge of the network where it needs to be in order to prevent people from talking to each other directly. In order for a device to prevent traffic from going between hosts, it must first go over that device. Because of this a layer3 device cannot block communication on layer2, one does not need to traverse the router to talk to another host.

Handing out a /32 is very easy to get around, all I do is have to assign myself a static IP and a larger subnet, and then I can scan the network and find the IP/MAC of any machine on the network within my subnet. It also does nothing to prevent a someone from installing their own DHCP server on their machine and handing out leases on the network, or from taking over the MAC and IP of your default gateway causing problems for clients on the network, or any other number of potential intentional or accidental things that end users do with their hardware. At most it is an annoyance to someone that wants to do this, and may prevent a general user from using a program like this, but it offers no real protection at all.

so your hotspot is on the RB450G, and the Wireless is served by RB433?

What do you see in the Log file when the "bad" client takes over the connection of the "good" client? It would be interesting to see the wireless debug log

As discussed in the forum, the problem of using /32 netmask are generally customers with linux (and android) that can not operate without manual set (or script).

As discussed in the forum, the problem of using /32 netmask are generally customers with linux (and android) that can not operate without manual set (or script).

you right, for android I use pppoe-client &database on the usermanager so config your hotspot+ppp. don't forget android your customer root pppoe-client. or you can upgrade your android becouse after upgrade my friend still conct hotspot with netmask 32

But if you turn off wireless "default forwarding" then Netcut can't scan for network hosts. Basically it cripples it's operation.

Also the old Netcut version used to ARP poison the victim host, but the new one (2.1.4) poisons RouterOS ARP table, which means the hotspot will also not work. Either way, I can't see how you can get Netcut to operate if Default Forwarding is turned off.

Ok Normis Iwill Try It And Tell You What happened ..

Ok Normis Iwill Try It And Tell You What happened ..

yes! set "default-forwarding=off" on the wireless AP and check, Netcut won't be able to operate anymore.

Hi Mr Normis ..

I try It With Disable Default-Forwarding ..

And Still Same Problem ..

Look Mr Normis .. The APs Its Bridge .. No Give IP .. i have Make It DHCP server ?? The Wireless Card I mean RB433AH ..

Ok Normis Iwill Try It And Tell You What happened ..

yes! set "default-forwarding=off" on the wireless AP and check, Netcut won't be able to operate anymore.

"default-forwarding=off" only can help to isolate clients connected on the same wireless card(AP)... to do an efficient clients isolation in a RB with more then 1 wireless AP or in a great bridged network, is needed to do this simple bridge filter rule:

/interface bridge filter
add chain=forward in-interface=!ether1-WAN out-interface=!ether1-WAN action=drop

assuming the WAN port of the RB is the "ether1-WAN"

Need to put this rule in all yours RBs... first can try with action=log

Regards!

well your setup is not optimal then. yes, default forward will protect other clients on the same AP, but because you have bridge behind the AP, netcut will see some clients from other APs. you need to implement bridge firewalls, /32 addresses or some other workarounds.

Or you need to think about different type of setup, where the devices are not all on the same network.

How about hotspot servers on each AP, with a central RADIUS database? No bridge involved. Default Forward will work then.

the solution is simple: do not bridge xD

Mr Normis .. You Mean I have To Make The APs DHCP-Server ?
And protection Is For Client On Same AP .. Right ?
Now Any One Not online With AP Than Not Have Default-Forwarding Is No protection Right ?
I have To Set Disable Default-Forwarding And Make It DHCP-server One Any APs Right ? Or Not ?

If Netcut is huge problem in your network, follow the advice from previous responses;
- remove bridges from your network;
- setup HotSpot+DHCP on every wireless interface (do not forget to disable default-forwarding);
- setup RADIUS server to share one database between all AP in your network.

Mr Normis .. You Mean I have To Make The APs DHCP-Server ?
And protection Is For Client On Same AP .. Right ?
Now Any One Not online With AP Than Not Have Default-Forwarding Is No protection Right ?
I have To Set Disable Default-Forwarding And Make It DHCP-server One Any APs Right ? Or Not ?

If Netcut is huge problem in your network, follow the advice from previous responses;
- remove bridges from your network;
- setup HotSpot+DHCP on every wireless interface (do not forget to disable default-forwarding);
- setup RADIUS server to share one database between all AP in your network.

Mr sergejs .. Thanks For Respone ,,

OK Now .. If I Do all That .. the Problem is solve 100% ? No Any NetCuts Again ?

IS Hard to do it and Find Same Problem ..

Please find my article here http://farounet.wordpress.com/2011/12/0 ... -mikrotik/

very good topic , then i'll bookmark. thanks for all.