My system Configuration is
all Interfaces arp reply-only
the android pirate device has changed in the least +- 5 hours their ip address more than 40 times
their first connect with 10.63 192.199, the last time with 10.63.192 144, he change ip address every 5 minutes
my ip-settings tcp-syn coockies is enabled
I,ve running two scripts
# runs on scheduler every 1 minute #
# Unauthorized Traffic #
{
:global limit 262144
:global bytes
:global mac
:global action1
:global action2
:global action3
:global action4
:foreach i in=[/ip hotspot host find where authorized=no bypassed=no ] do={
:set mac [/ip hotspot host get $i mac-address ];
:set bytes [/ip hotspot host get $i bytes-out ];
:if ($bytes >= $limit) do={
:if ([/interface bridge filter find where chain=input src-mac-address="$mac/FF:FF:FF:FF:FF:FF" \
comment="Unauth Byte" ] = "" ) do={
:set action1 [/interface bridge filter add action=drop chain=input src-mac-address="$mac/FF:FF:FF:FF:FF:FF" \
mac-protocol=ip ip-protocol=udp dst-port="53" comment="Unauth Byte" ];
:set action2 [/interface bridge filter add action=drop chain=input src-mac-address="$mac/FF:FF:FF:FF:FF:FF" \
mac-protocol=ip ip-protocol=udp dst-port="70-64870" comment="Unauth Byte" ];
:set action3 [/interface bridge filter add action=drop chain=input src-mac-address="$mac/FF:FF:FF:FF:FF:FF" \
mac-protocol=ip ip-protocol=tcp dst-port="70-64870" comment="Unauth Byte" ];
:set action4 [/interface bridge filter add action=drop chain=input src-mac-address="$mac/FF:FF:FF:FF:FF:FF" \
mac-protocol=ip ip-protocol=icmp comment="Unauth Byte" ];
:log warning ("UNAUTHORIZED Mac:$mac BYTES:$bytes is > $limit");
}}}}
# I've added to hotspot user by login scripts, after client login auto remove the bridge filter #
# #把授权从桥过滤器
{
:global mac
:global action
:foreach i in=[/ip hotspot active find ] do={
:set mac [/ip hotspot active get $i mac-address ];
:if ([/interface bridge filter find where chain=input src-mac-address="$mac/FF:FF:FF:FF:FF:FF" \
comment="Unauth Byte" ] != "" ) do={
:set action [/interface bridge filter remove [ find where src-mac-address="$mac/FF:FF:FF:FF:FF:FF" ]];
:log warning ("Removing Mac:$mac from Bridge Filter");
}}}
/ip hotspot walled-garden ip print
Flags: X - disabled, I - invalid
# SERVER PROTOCOL DST-HOST DST-ADDRESS DST-PORT ACTION
0 Hotspot icmp drop
1 Hotspot udp 53 drop
2 Hotspot tcp 81-64870 drop
3 Hotspot udp 81-64870 drop
4 Hotspot 10.63.192.1 accept
with all this the Pirate access Internet without my permission, you can see on the pics at least the Pirata has used more than 45 Mib's, my question is How ??????????????????
Is he using IPv6???????????????
I've disabled now the IPv6 Packet to see what the Pirata do without IPv6 on my System!!!!!!!!!
