As requested by a virtual friend, who have a small network in a rural area with lower amount of bandwidth, & he wanted to block access to client who are using WIFI / Client ROUTER and doing sharing with other members. For this reason the operator is loosing ‘POTENTIAL’ customers. Following trick worked like a charm in order to block client router access.
At your main router, add following rule,
/ip firewall mangle add action=change-ttl chain=forward comment="Block Client NAT/Router / zaib" disabled=no in-interface=LAN new-ttl=set:1 passthrough=no
The above rule will decrement the TTL by value 1 . This way when the packet will move towards client router, it will not go beyond that point to client. BUT if the client uses normal PC, he will be able to access the internet.
Do remember one point, the above method is not 100%. There are always workaround for about anything. None of any security is 100% fool proof.
If client uses Mikrotik Router, he can create another mangle rule which can increment TTL value then above restrictions will be useless.Something like following
/ip firewall mangle add action=change-ttl chain=prerouting in-interface=WAN new-ttl=increment:1
But you can create a script that can keep tracking of another mikrotik box on your network by mikrotik discovery protocol, as only very few admins secure there Mikrotik Router at full extent by blocking discovery, change winbox default ports, block any access on WAN port etc etc.
Happy Fire-walling !!! Jz
Personally I am not in favor of imposing harsh restrictions on clients except for the Bandwidth or Quota, but since Mikrotik is capable of creating solutions out of the box, its just one tiny example 😉