Recently a friend of mine who is operating local internet service in my area was annoyed by virus flooding / broadcast and Vypress Chat softwares via which users communicate with each other and get united against the service provider :p and he can’t afford to install manageable switches on his network to isolate users, So he asked my help to isolate them. I used this little trick to Minimize the network flooding and to isolate users.
But Remember It’s not 100% fool proof , It just makes it a bit more difficult to scan other users using this trick, but it is easier to change IP and your MAC address as client have full control over there pc’s. It just At it’s best, prevents normal/casual users, but there is nothing to prevent people that are determined to do so.
If you want to isolate your clients , set up client isolation on the AP’s/ OR Do Port isolation on the switch ports . Then no matter what settings user places on their PC, they will not be able to scan and find other hosts on the network.
In this example, this Operator had PPPoE Server with DHCP service. All users gets ip of 10.0.0.0/8 subnet via his mikrotik’s dhcp server , This way flooding from one pc can be broadcast to all over the pc’s on the network, so I just change the netmask to 32 , this way user will not be able to communicate with any other pc on the lan, even with the server, but You can connect the pppoe service because it works on mac address broadcast. After connecting to pppoe , user will be able to use internet without any issue.
This trick is also useful for wireless networks, where you want to minimize file sharing between users which can also be done via AP.
Goto IP > DHCP SERVER >Double click on your DHCP server,
Click on “Add ARP For Leases ”
As shown in the image below . . .
Now Goto IP > DHCP SERVER > Networks ,
CLick on + icon,
in Address, type 0.0.0.0/0
in Netmask , type 32
As shown in the image below . . .
.
Also if you want to restrict users that only those users who gets ips from your DHCP server should be able to communicate with your server, Follow the tip below.
Goto Interface > Double Click on your LAN interface
in ARP , select reply-only
This way, You will Force anyone to use your DHCP only, If a user manually enters IP address on his PC , he will not be able to communicate with your server and use the internet service.
Regard’s
Syed Jahanzaib
Syed Jahanzaib - Personal Blog to Share Knowledge ! 
we have three pool
one for pppoe (all is live ip)
2nd for hotspot with fake ip
3rd for hotspot with live ip.
how i can stop flood?
LikeLike
Comment by Lovely — January 5, 2012 @ 2:11 PM
Jahanzaib bhai Version Supported? which version it supports ?
LikeLike
Comment by Naveed — January 5, 2012 @ 8:55 PM
Any Version.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — January 6, 2012 @ 10:53 AM
2nd for hotspot with fake ip ?
LikeLike
Comment by Naveed — January 6, 2012 @ 6:42 PM
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\xp>cd desktop
C:\Documents and Settings\xp\Desktop>cd key
C:\Documents and Settings\xp\Desktop\key>ssh.exe 192.168.1.2
connect: Connection refused
C:\Documents and Settings\xp\Desktop\key>
my problum solve mara pass ya masla aaraha ha mikrotik man
LikeLike
Comment by sheeraz — January 9, 2012 @ 9:16 PM
special thank for article writer
LikeLike
Comment by hasancooo — January 10, 2012 @ 9:27 PM
Jahanzaib Bhai main nay server Banana nay Mikrotik ka
LikeLike
Comment by Owais — January 12, 2012 @ 1:11 PM
Post your complete Query.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — January 12, 2012 @ 3:23 PM
sir will u please write a complete tutorial on setting up a mikrotik dhcp, dns, ppoe server?
LikeLike
Comment by Asgher Ali Qambrani — March 6, 2012 @ 5:19 PM
find me a solution for hotspot and i’ll be happy.
LikeLike
Comment by ahmad almosawi — March 11, 2012 @ 1:03 AM
you not give gateway for users?
LikeLike
Comment by kerensa — April 3, 2012 @ 11:03 PM
If you are using PPPoE Server, you don’t need GW.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — April 5, 2012 @ 1:10 PM
bhai jaan meri bullet ka massla aa geya he us men sending hoti he magar receving nahi hoti
LikeLike
Comment by hammad — May 17, 2012 @ 6:11 PM
/32 doesn’t work for android …
LikeLike
Comment by PJD — June 27, 2012 @ 1:20 PM
Hi, I’m reading the article and I find very interesting,
just wanted to see if it applies to an environment where dhcp server but not enabled pppoe server –
thanks
LikeLike
Comment by Aroel — July 2, 2012 @ 11:40 PM
This works best with pppoe.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — July 3, 2012 @ 9:15 AM
kya MIkrotik main Access log ban sakti hay
LikeLike
Comment by lksjdlaskj — January 10, 2013 @ 4:45 PM
If you are talking about Mikrotik web proxy log, Donot store access logs in mikrotik, as they grow huge in size and can eat up all you mikroik, also mikrotik processor will be highly utilized, probably 100% if there is some good amount of load. better to use external cache like squid for caching and logging.
Also try checking this guide to log on remote windows.
http://www.wifitech.com.pk/create-user-log-in-mikrotik-monitor-internet-activity/
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — January 11, 2013 @ 8:29 AM
salam bhai jan ap na ya website di ha es ma user web logs or user internet activity logs bas us software k zareay usi local network per hi dekh sakty ha laken mujhy wo logs mikrotik k ander chaheay q k ma na apna mikrotik router ma ddns install kia ha or wo kahi kafi door ha es leay ma us ko apny ghar ma beth kar moniter karna chahta hu or user kia open karty ha wo sub mikrotik k ander hi dekhna chahta hu plz help pr thnx
LikeLike
Comment by waqar haider — May 8, 2013 @ 3:09 AM
how to isolate users in mikrotik hotspot?
or this config can work on hotspot?
LikeLike
Comment by nomi — February 8, 2013 @ 6:54 PM
it will work on pppoe better.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — February 9, 2013 @ 8:49 PM
hi Sir
may be this is new topic,but i need your help,i had configured dhcp server with radius user manager
it is working without data accounting. for 512kbps unlimted for a user no problem in this profile,when we going to
limit user data like 512kbps /5GB limit.the problem is no accounting in usermanager. the plan also like unlimited a data.if you have any idea will be appreciated
LikeLike
Comment by saravanan — December 23, 2013 @ 8:15 PM
Jahanzaib Bhai App Kaa Bhut Name Sunaa Hay Maii Nay Plz Bhai App Mara EEk Masla Solve Kar Daii Bhai Plzzzzzzz Maii Hotspot or PPPoe Both Live Chala Raha Hoon or Maray Pass Shearing Server 8 TB Par Chal Raha Hayy Jab Maii Apnay Users Ko Hotspot Par Services Provide Karta Hoon Tu Shearing Set Chalte Hay 12 Mb/Sec Speed Ahtee Hayy or maii jab PPPoE System Par Kartaa Hoon Tu Tab Be Set hotee Hayy Shearing Sai Speed But Jab Maii Tp-Link Yha Kisee Be Router Par PPPoE Configure Karta Hoon Tu Shearing Bandwidth K Saath Restrict Hoo Jatee Hayy or Mai Jab Router ko Dynimic Setting Par Lay Jata Hoon Means Hotspot par tuu Shearing Sai Speed again set ho jatee hayy now plz help me what can i do it PPPoE Par Muj Ko Shearing Speed Set Karnee Hay Tuu
LikeLike
Comment by Syed Tahir Nisar — January 30, 2014 @ 7:43 PM
You should mark packets In/OUT destined for FTP server, and create QUEUE to allow LAN speed for FTP.
LikeLike
Comment by Syed Jahanzaib / Pinochio~:) — January 31, 2014 @ 9:22 AM
Maray Pass Tu DMZ Server He Nahe Hayy
LikeLike
Comment by Syed Tahir Nisar — January 31, 2014 @ 8:59 PM
Jahanzaib Bhai, aap se ye guzarish hai k DMZ server mere pas nahi hai or muje is k baarey mei maaloom bhi nahi hai. Mai simple ek mikrotik server chala raha hoon jis mei maine Hotspot configure kiya hua hai or ek Web Server jo k FreeNas pe hai. Or muje karna ye hai ab k mai chahta hoon mere users theek 1 month baad automatic redirect hojaen Non-Payment Page pe or unke pas WebServer bhi access na ho. Or ………. Jin users ne routers lagaey hue hen unke pas bhi koi masla na aey. Per ye sab muje Hotspot pe karna hai. Pls help me out in this regards. I will be highly thankful to you. Mere Mikrotik 5.20 ki I.P hai 192.168.1.1 or WebServer ki I.P hai 192.168.1.2 or DHCP lease jo hai wo 192.168.1.11-192.168.1.255 tak karwai hai. I hope aap meri help zarur karenge with diagram.
LikeLike
Comment by Syed Tahir Nisar — January 31, 2014 @ 11:17 PM
Waiting 4 your Reply
LikeLike
Comment by Syed Tahir Nisar — February 5, 2014 @ 9:08 PM
Kiya Howaa Jahanzaib Bhai
LikeLike
Comment by Syed Tahir Nisar — February 11, 2014 @ 11:43 PM
Assalam o Alaiqum and have a Good day.
Technically, concept is great.
I want to know, how can we make two or more IP Pools with large number of ranges-in thousands. In such a way, dhcp server assigns IPs to particular VLANs.
Let’s say in my scenario:
2000 IPs on VLAN100
and another
2000 IPs on VLAN200
most importantly, all hopes (L3/L2 switches)- 5 Hopes each VLAN. Instead of limited to locations and assigns IPs in between 253 IPs of particular subnets, they assign IPs available in range of 2000 IPs for associate VLANs.
1 thing concern here also. how can a Pool of 2000 IPs work as a single pool for that VLAN, instead of assigning IPs available in different subnets for that pool to each hope. Thanx.
LikeLike
Comment by Ahmed Hanif — March 20, 2015 @ 10:23 AM
Hi,
We have a huge network. The overview of a design is as follows.
FireWall -> Core Switch-> Links to several departments
Their are also DC’s connected to Core Switch
2 ISP Links —- One is connected to Firewall.
2nd ISP Link is directly terminated on RouterOS PC / Router / Server with Live / Public IP address on WAN interface.
The LAN Interface of the RouterOS is connected to the Core Switch.
Their are 2 Networks. One is for Office use, Class B network, which is used by Static IP’s on all Office PC’s
And the 2nd Network is a Class A network for Wireless users or any Laptops / PC who operate on DHCP.
We have configured RouterOS with Hotspot Setup with DHCP.
The Hotspot is working perfectly fine, we are able to see the login page and we are able to login and do browsing.
But the Issue is ” The PC’s which are set on Static IP from Class B network, are getting the Hotspot page on their browser and they are not able to Browse the Internet.
If we try to Ping the Class B Office Network Gateway (which is a Firewall), we get Destination not reachable from our RouterOS Gateway.
We tried all the Troubleshooting steps, we checked all the switches in the network, but the issue is still their.
Both the networks are completely different, and I don’t understand how a Hotspot Login Page is appearing on the PC which is on other Network.
Let me know if you need any more details in the matter.
Thanks in Advance for your Help.
LikeLike
Comment by Omkar — June 16, 2015 @ 8:03 PM
not able to get gateway and cannot access the net
LikeLike
Comment by JoJo — April 5, 2017 @ 9:02 AM