Syed Jahanzaib – Personal Blog to Share Knowledge !

March 7, 2014

Blocking Client ROUTER Access

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 4:21 PM

[image: ttl]

As requested by a virtual friend who has a small network in a rural area with a small amount of bandwidth: he wanted to block access for clients who are using a WiFi / client ROUTER and sharing the connection with other members, because the operator is losing ‘POTENTIAL’ customers that way. The following trick worked like a charm to block client router access.


At your main router, add the following rule:

/ip firewall mangle
add action=change-ttl chain=forward comment="Block Client NAT/Router / zaib" disabled=no out-interface=LAN new-ttl=set:1 passthrough=no

The above rule sets the TTL of every packet forwarded toward the client to 1 (new-ttl=set:1 sets the value; it does not subtract 1). A PC connected directly accepts a packet with TTL 1 and works normally, BUT a client router that has to forward the packet onward would decrement the TTL to 0 and must drop it, so nothing behind the client's router gets internet access. The rule has to be applied in the downstream direction, to packets leaving the main router toward the clients; matched on packets entering from the LAN instead, it would send every client packet upstream with TTL 1 and the next hop would drop it.

[image: block client router]

Other methods include bandwidth limits and quota implementation.

Along with the above, you may also limit the number of TCP/UDP connections from every client using firewall rules. A user with a single PC needs only a few connections, but if the user is sharing through a router, the additional TCP connections will be rejected and the shared connection will become unusable.


DISCLAIMER:
Remember one point: the above method is not 100%. There is always a workaround for almost anything; no security measure is 100% foolproof.
If the client uses a Mikrotik router, he can add another mangle rule that increments the TTL, and the above restriction becomes useless. Something like the following:

/ip firewall mangle add action=change-ttl chain=prerouting in-interface=WAN new-ttl=increment:1

lolz
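The following hop-by-hop model is an added illustration, not code from the original post or from MikroTik. It shows the mechanism behind the set:1 rule above (a TTL-1 packet reaches a PC plugged in directly but cannot be forwarded by a client router), the client-side increment:1 bypass from the disclaimer, and the direction mistake reported later in the comments (set:1 matched on packets entering from the LAN kills all upstream traffic at the next hop). Node names and TTL values are constructed for the example; the hook placement mirrors RouterOS/Linux netfilter, where prerouting runs before the forwarding TTL decrement and forward runs after it.

```python
"""Hop-by-hop model of the TTL trick described in this post (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

TtlHook = Callable[[int], int]


@dataclass
class Packet:
    ttl: int
    path: List[str] = field(default_factory=list)   # nodes visited, in order


class Host:
    """End host: accepts any packet that still has TTL >= 1 and never forwards."""

    def __init__(self, name: str) -> None:
        self.name = name

    def receive(self, pkt: Packet) -> Optional[Packet]:
        pkt.path.append(self.name)
        return pkt if pkt.ttl >= 1 else None


class Router:
    """IP router with optional mangle hooks applied to every forwarded packet.

    prerouting: applied before the TTL check/decrement (RouterOS prerouting).
    forward:    applied after the decrement (RouterOS forward/postrouting).
    """

    def __init__(self, name: str, next_hop, prerouting: Optional[TtlHook] = None,
                 forward: Optional[TtlHook] = None) -> None:
        self.name, self.next_hop = name, next_hop
        self.prerouting, self.forward = prerouting, forward

    def receive(self, pkt: Packet) -> Optional[Packet]:
        pkt.path.append(self.name)
        if self.prerouting:
            pkt.ttl = self.prerouting(pkt.ttl)
        if pkt.ttl <= 1:
            # Forwarding would make TTL 0: ICMP Time Exceeded, packet dropped.
            return None
        pkt.ttl -= 1
        if self.forward:
            pkt.ttl = self.forward(pkt.ttl)
        return self.next_hop.receive(pkt)


def set_ttl(value: int) -> TtlHook:
    """Equivalent of new-ttl=set:N."""
    return lambda _ttl: value


def increment_ttl(by: int) -> TtlHook:
    """Equivalent of new-ttl=increment:N (TTL is an 8-bit field)."""
    return lambda ttl: min(255, ttl + by)


def downstream(block_rule: bool, client_router: bool, client_bypass: bool
               ) -> Tuple[bool, List[str], Optional[int]]:
    """Send one packet from the internet toward the client's PC (constructed scenario).

    Returns (delivered, hops visited, TTL seen by the PC or None if dropped).
    """
    pc = Host("client-pc")
    if client_router:
        # The disclaimer's bypass: prerouting in-interface=WAN new-ttl=increment:1
        edge = Router("client-router", pc,
                      prerouting=increment_ttl(1) if client_bypass else None)
    else:
        edge = pc
    # The post's rule, applied to packets forwarded toward the client.
    operator = Router("operator-router", edge,
                      forward=set_ttl(1) if block_rule else None)
    upstream = Router("isp-upstream", operator)
    pkt = Packet(ttl=64)
    got = upstream.receive(pkt)
    return (got is not None, pkt.path, got.ttl if got else None)


def upstream_wrong_direction() -> bool:
    """The mistake from the comments: set:1 matched on packets *entering* from
    the LAN. The packet leaves toward the ISP with TTL 1 and the next hop
    drops it, so every client loses connectivity. Returns True if delivered."""
    internet = Host("internet-host")
    isp = Router("isp-upstream", internet)
    operator = Router("operator-router", isp, forward=set_ttl(1))
    return operator.receive(Packet(ttl=128)) is not None


if __name__ == "__main__":
    cases = [("no rule, PC direct", (False, False, False)),
             ("rule, PC direct", (True, False, False)),
             ("rule, client router", (True, True, False)),
             ("rule, client router + increment bypass", (True, True, True))]
    for label, args in cases:
        delivered, path, ttl = downstream(*args)
        print(f"{label:42} delivered={delivered!s:5} ttl={ttl} via {' > '.join(path)}")
    print("set:1 on traffic entering from LAN delivers upstream:",
          upstream_wrong_direction())
```

Running the module prints one line per scenario: only the "client router without bypass" case is dropped, which is exactly the behaviour the post relies on, and the last line shows why the rule must face the client side.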

But you can write a script that keeps track of other Mikrotik boxes on your network via the Mikrotik discovery protocol, as very few admins secure their Mikrotik router to the full extent (blocking discovery, changing the default Winbox port, blocking any access on the WAN port, etc.).

Happy Fire-walling !!! Jz


Personally I am not in favor of imposing harsh restrictions on clients beyond bandwidth or quota limits, but since Mikrotik is capable of creating solutions out of the box, this is just one tiny example 😉

Regards
Syed Jahanzaib

22 Comments »

  1. How to block a DHCP pool coming from the client side to the base station?

    Comment by Deep — March 7, 2014 @ 5:23 PM

  2. Wow,

    What an amazing and helpful post.

    I have been searching for that for a long time.

    Thanks SYED

    Comment by spacemindpt — March 7, 2014 @ 5:48 PM

  3. Frankly speaking, good idea.

    Mr Syed, what about a post on Squid cache server and Mikrotik integration? We have the online package tool https://susestudio.com/ to build our own virtual appliance with SUSE.

    I see a good idea for some network pros to build a Squid cache on Raspberry Pi hardware (have a look): http://blog.stevebaker.org/2013/02/raspberry-pi-as-transparent-squid.html

    Finally, accept me as a friend and brother.

    Comment by mctnetwork — March 7, 2014 @ 6:05 PM

  4. The new-ttl=set:1? In this case the wireless network cannot pass the internet…… :-

    Comment by Abubaker SIddiq Lasania — March 7, 2014 @ 9:16 PM

  5. So so nice article bro, thanks

    Comment by Azeem Zebi — March 8, 2014 @ 6:40 PM

  6. Salam, Jahanzaib bhai, please send me the script (discover another Mikrotik router on a network).

    Comment by khurram — March 10, 2014 @ 1:04 AM

  7. If we want to allow a particular router, then what to do? For example, I want to allow only 2 to 3 routers and block the others; then what do I have to do?

    Comment by Malik kamran — March 15, 2014 @ 1:14 PM

  8. I don’t know, but someone said that the sky is the only limit. If it is possible, please let me know.

    Comment by Malik kamran — April 27, 2014 @ 1:17 PM

  9. In this case the wireless network cannot pass the internet.

    Comment by emad — May 7, 2014 @ 10:37 AM

  10. @syed, I must commend your efforts on this blog of yours… it’s really informative and educative… for those of us who can’t afford to go for Mikrotik training, blogs like this really help us a lot. Anyway, I don’t know if mobile carriers use Mikrotik on their own end; I have been trying to relate this post of yours to mobile phones, where internet access beyond the phone (mobile tethering and hotspot setup) is being blocked by their firewall.

    Here in my country, bandwidth is really expensive and setting up your own network lab can be very frustrating. They tend to give BlackBerry users cheap subscriptions even though they are capped, but those of us who use 3G modems pay more, and they tell us data is being compressed on the RIM server, while broadband users pay through the nose, not to mention clients on fibre channels. Can I implement something like this if I enable hotspot or tether my internet connection from my mobile phone and channel it via the WAN interface on a Mikrotik router?

    Please, if there are other workarounds for this, I would appreciate any links, books or other material that can help me with this.

    Comment by Oghenekaro Ewhedoma — May 31, 2014 @ 12:41 PM

  11. How to block a DHCP pool coming from the client side (router or DHCP access point) to the base station?

    Comment by mohammed — June 10, 2014 @ 8:02 AM

  12. http://wiki.mikrotik.com/wiki/Bridge_Filter_-_Blocking_DHCP_Traffic
    I found this address on the Mikrotik site, but I am not sure whether it works or not.

    Comment by mohammed — June 17, 2014 @ 7:25 AM

    • Hello bro,

      I need some help setting up a MAC filter based on vendor ID; can you please give a script to block MAC addresses?

      Comment by Amit — June 30, 2014 @ 12:11 AM

  13. Reblogged this on เหลา Blog and commented:
    Haven’t tried it yet, but it is very interesting 🙂

    Comment by LAO — July 23, 2014 @ 8:34 AM

  14. Any other way to block client router access? Some routers still run smoothly with these rules… routers like SMC and also TP-Link………

    Comment by shriful Islam — August 20, 2014 @ 9:48 AM

  15. didn’t work 😦

    Comment by surya — September 22, 2014 @ 8:11 AM

  16. Doesn’t work for me.

    Comment by Masudul Islam — November 25, 2014 @ 4:58 PM

  17. Hi Zaib bro, I am a beginner with Mikrotik. Dear, please tell me which interface to use; you have mentioned LAN??? I have ether1, ether2, etc. on a board 433; I configured PPP and hotspot on ether2, so in this script which interface do I use: ether1 (data+PoE) or ether2 (hotspot, PPP)?
    Regards

    Comment by rahul — November 29, 2014 @ 12:49 PM

  18. Help me, I want to limit upload but no limitation on download; how do I do it?

    Comment by a2m — August 20, 2016 @ 3:04 AM

  19. MAN hahahaha! I love you! Just one question: may the ISP know that I am bypassing these rules?
    Dear sir, I am a local ISP and I need to contact you for special work and, you know, other stuff… please reply when you’re free!

    Comment by abdelfattah — November 30, 2016 @ 3:13 AM

  20. Thank you brother, but I have a problem: when I use (in-interface=LAN) the whole network stopped, so I changed it to out-interface. Anyway, I tested it in order to stop internet sharing with (NetShare Pro); this app is still working. It is different from Bluetooth and Connectify. We need your help to block this app in Mikrotik; you can find this app on the Google store.

    Comment by saad — November 19, 2018 @ 8:53 PM

