I have installed several RB1100AHx2 units at a school I work for and they've been working perfectly for several months.
Recently the DHCP leases have been being used up by devices with 00:00:00:00:00:00 MAC addresses.
When I try to ping the IP addresses issued to these all 0 MACs I get a message saying that the TTL has expired in transit.
Could this be some sort of hacking attempt? MAC spoofing maybe?
Any advice you can give is greatly appreciated

Hi,

What about mangle rules?
Drop packets with source Mac 00:00:00:00:00:00, that's easy
DHCP Requests are sent as UDP Broadcast to 255.255.255.255, as i remember. Please double-check it before apply it.
Also, you could rate-limit DHCP-Requests with an input-rule.
Also, you should review the lease time. In school environment i think 6h is fine.

What type of access medium are you using? WiFi?
In case of Switches check if they are manageable - if yes set mac learning to one mac per port.

Give some more informations, please

The MikroTik units are sitting between the school network and a 100Mb/s fiber optic WAN connection back to the county office. There's no NAT or any advanced routing taking place, all that is done on a Cisco ME3400 which is set up and maintained by the county office. The network consists of mainly older Cisco switches and uses a class A address scheme with a 24 bit subnet mask. There is a managed wireless system from Ruckus as well. This information holds true with both sites.
The MikroTik boxes aren't really doing much other than DHCP at this point.

Hé redflag237
how to drop packets with source Mac 00:00:00:00:00:00