Syed Jahanzaib Personal Blog to Share Knowledge !

March 7, 2014

Blocking Client ROUTER Access

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 4:21 PM


This was requested by a virtual friend who runs a small network in a rural area with a limited amount of bandwidth. He wanted to block access for clients who use a WiFi / client router and share the connection with other members. Because of this sharing, the operator is losing ‘POTENTIAL’ customers. The following trick worked like a charm to block client router access.

On your main router, add the following rule:

/ip firewall mangle
add action=change-ttl chain=forward comment="Block Client NAT/Router  / zaib" disabled=no in-interface=LAN new-ttl=set:1 passthrough=no

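The above rule sets the TTL of the packet to 1 (new-ttl=set:1). A router decrements the TTL before forwarding and drops the packet when it reaches zero, so when the packet moves towards a client router, it will not go beyond that point to the devices behind it. BUT if the client uses a normal PC, he will still be able to access the internet.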


Do remember one point: the above method is not 100% effective. There is always a workaround for just about anything, and no security measure is 100% foolproof.
If the client uses a Mikrotik router, he can create another mangle rule that increments the TTL value, and then the above restriction will be useless. Something like the following:

/ip firewall mangle add action=change-ttl chain=prerouting in-interface=WAN new-ttl=increment:1


But you can create a script that keeps track of other Mikrotik boxes on your network via the Mikrotik discovery protocol, as only very few admins fully secure their Mikrotik router by blocking discovery, changing the default Winbox port, blocking any access on the WAN port, etc.
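
The TTL walk behind the set:1 rule and the increment:1 workaround, as an added example (not the author's code). It is a simplified model: the hop names are hypothetical, the rule is modelled as acting on packets travelling towards the client as the text describes, and the ordering of each chain relative to the router's TTL decrement is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    forwards: bool = True   # True: router, False: end host
    chain: str = ""         # where the change-ttl rule sits: "prerouting" or "forward"
    new_ttl: str = ""       # same syntax as the page's rules: "set:N" / "increment:N"

def rewrite(ttl, new_ttl):
    """Apply a new-ttl action (set:N or increment:N) to a TTL value."""
    op, value = new_ttl.split(":")
    return int(value) if op == "set" else min(ttl + int(value), 255)

def deliver(path, ttl=64):
    """Walk one packet along path; return (hop where it stopped, delivered?)."""
    for hop in path:
        if not hop.forwards:
            return hop.name, True             # end host: accepts whatever TTL arrives
        if hop.chain == "prerouting":
            ttl = rewrite(ttl, hop.new_ttl)   # runs before the routing TTL check
        if ttl <= 1:
            return hop.name, False            # router may not forward it: TTL expired
        ttl -= 1                              # ordinary per-hop decrement
        if hop.chain == "forward":
            ttl = rewrite(ttl, hop.new_ttl)   # assumed to run after the decrement
    return path[-1].name, False               # path ended on a router, nothing received

# Constructed topology (names are hypothetical, not from the post).
MAIN = Hop("main-router", chain="forward", new_ttl="set:1")
PC = Hop("client-pc", forwards=False)
CPE = Hop("client-router")
CPE_INC = Hop("client-router", chain="prerouting", new_ttl="increment:1")
SHARED = Hop("shared-device", forwards=False)

SCENARIOS = {
    "PC plugged in directly": [MAIN, PC],
    "plain client router": [MAIN, CPE, SHARED],
    "client router with increment rule": [MAIN, CPE_INC, SHARED],
}

if __name__ == "__main__":
    for label, path in SCENARIOS.items():
        print(f"{label:35} -> {deliver(path)}")
```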

Happy Fire-walling !!! Jz

Personally I am not in favor of imposing harsh restrictions on clients except for the Bandwidth or Quota, but since Mikrotik is capable of creating solutions out of the box, it's just one tiny example 😉


Syed Jahanzaib


  1. How To block Dhcp pool coming from client side to base station


    Comment by Deep — March 7, 2014 @ 5:23 PM

  2. Wow,

    What an amazing and helpful post.

    I have been searching for that for a long time.

    Thanks SYED



    Comment by spacemindpt — March 7, 2014 @ 5:48 PM

  3. Frankly speaking, good idea.

    Mr Syed, what about a subject on squid cache server and Mikrotik integration? And we have an online package tool to build our virtual appliance by SUSE.

    I see it as a good idea for some network pros to build a squid cache on Raspberry Pi hardware (have a look).

    Finally, accept me as a friend and brother.


    Comment by mctnetwork — March 7, 2014 @ 6:05 PM

  4. The new-ttl=set:1 ? in this case the wireless network cannot pass the internet …… :-


    Comment by Abubaker SIddiq Lasania — March 7, 2014 @ 9:16 PM

  5. So So Nice Article bro thnx


    Comment by Azeem Zebi — March 8, 2014 @ 6:40 PM

  6. salam , jahanzaib bhai plz send me script (discover another mikrotik router on a network)


    Comment by khurram — March 10, 2014 @ 1:04 AM

  7. If we want to allow a particular router, then what to do? For example, I want to only 2 to 3 routers and block the others; then what do I have to do?


    Comment by Malik kamran — March 15, 2014 @ 1:14 PM

  8. i don’t know but some one said that sky is the only limit. .if it is possible plz lemme know


    Comment by Malik kamran — April 27, 2014 @ 1:17 PM

  9. in this case the wireless network cannot pass the internet


    Comment by emad — May 7, 2014 @ 10:37 AM

  10. @syed, I must commend your efforts for this blog of yours… it's really informative and educative… for those of us who can't afford to go for Mikrotik training, blogs like this really help us a lot.. Anyway, I don't know if mobile carriers use Mikrotik on their own end; I have been trying to relate this post of yours to mobile phones, where internet access beyond phones (mobile tethering and hotspot setup) is being blocked by their firewall..

    Here in my country, bandwidth is really expensive, and setting up your own network lab can be very frustrating.. They tend to give BlackBerry users cheap subscriptions even though they are capped, but we who use 3G modems pay more, and they tell us data is being compressed on the RIM server, while broadband access users pay through their nose, not to talk about clients on fibre channels. Can I implement something like this if I enable hotspot or tether my internet connection from my mobile phone and channel it via the WAN interface on a Mikrotik router…

    Please, if there are other workarounds on this, I would appreciate any links, books or any other stuff that can help me with this..


    Comment by Oghenekaro Ewhedoma — May 31, 2014 @ 12:41 PM

  11. How To block Dhcp pool coming from client (Router or DHCP access point) side to base station


    Comment by mohammed — June 10, 2014 @ 8:02 AM

    i found this address , in mikrotik site , but not sure work or not


    Comment by mohammed — June 17, 2014 @ 7:25 AM

    • Hello Bro,

      Need some help for setting up a Mac Filter based on Vendor ID, can you please give a script to block mac address


      Comment by Amit — June 30, 2014 @ 12:11 AM

  13. Reblogged this on เหลา Blog and commented:
    Haven't tried it yet, but it looks very interesting 🙂


    Comment by LAO — July 23, 2014 @ 8:34 AM

  14. Any other way to block Client Router access? Because some routers are still running smoothly with these rules… Routers like: SMC and also TP-Link…


    Comment by shriful Islam — August 20, 2014 @ 9:48 AM

  15. didn’t work 😦


    Comment by surya — September 22, 2014 @ 8:11 AM

  16. Doesn't work for me.


    Comment by Masudul Islam — November 25, 2014 @ 4:58 PM

  17. Hi zaib bro, I am a beginner with Mikrotik. Dear, please tell me which interface I should use; you have mentioned LAN ??? I mean, I have ether1, ether2 etc. on a 433 board; I configured PPP and hotspot on ether2, so in this script which interface do I use: ether1 (data+PoE) or ether2 (hotspot, PPP)?


    Comment by rahul — November 29, 2014 @ 12:49 PM

  18. help me i want to limit upload but no limitation on download how i do


    Comment by a2m — August 20, 2016 @ 3:04 AM

  19. MAN hahahaha ! I love you ! Just 1 question: may the ISP know that I am bypassing these rules?
    Dear sir, I am a local ISP and I need to contact you for special work and you know, other stuff… please reply when you're free !


    Comment by abdelfattah — November 30, 2016 @ 3:13 AM

  20. Thank you brother, but I have a problem: when I use (in-interface=LAN) all network stopped, so I changed it to out-interface. Anyway, I tested it in order to stop sharing internet with (netshare pro); this app is still working. It is different from Bluetooth and Connectify. We need your help to block this app in Mikrotik. You can find this app on Google store.


    Comment by saad — November 19, 2018 @ 8:53 PM
