How to Block a Client’s Second Router Internet Using MikroTik (Step-by-Step Guide)


Many ISP clients secretly connect a second router to share their internet with neighbours or to connect more users. This causes bandwidth abuse, double-NAT problems and network instability. Today I’ll show you how to block a customer’s second router using the MikroTik firewall.

Why Clients Use a Second Router

  • To share internet with neighbors
  • To bypass your bandwidth limit
  • To hide multiple users behind NAT
  • To avoid MikroTik queue or speed control
  • To connect more devices than allowed

Problems Caused by Second Routers

  • Double NAT
  • High latency
  • Queue mismatch
  • More bandwidth usage
  • ARP table flood
  • Network abuse

📑 Table of Contents

  1. How to Detect a Client’s Second Router
  2. Why Blocking a Second Router Is Important
  3. MikroTik Firewall Rules to Block a Second Router
  4. Block Based on PPPoE Router
  5. Block Based on TTL Value
  6. Block Based on Private IP Range
  7. Block Based on DHCP Server
  8. Final Thoughts

How to Detect a Client’s Second Router

Every router that forwards a packet decrements its TTL by one, so a secondary router changes the TTL value the MikroTik sees:

  • Client device connected directly (mobile, PC, laptop) → TTL = 64
  • Client device behind another router → TTL = 63

Example:
Client → Router → MikroTik
Original TTL 64 → the router reduces it by 1 → MikroTik receives 63

Why Blocking Is Important

  • Ensures fair usage
  • Stops unauthorized bandwidth sharing
  • Removes double NAT issues
  • Keeps queue working properly
  • Protects network stability


All Methods for Blocking

Below we describe several methods. By following them you can identify and block customers who are using secondary routers on your MikroTik network.

One important recommendation: apply these rules on your PPPoE user router, that is, the router where your clients’ IPs are assigned. There is often confusion about where to apply the rules because the core router and the user router are separate.

The final point: you will get the best performance if you apply the blocking rules on the router where the clients are actually connected.

Warning!
Whichever router you apply these rules to, they add extra firewall work for it. Every packet must pass through the additional matchers, so that router’s CPU usage may increase slightly.


🔥 Method 1: Block Based on PPPoE Router (Recommended)

First, create a mangle rule. It matches established connections coming from your clients’ source IP block on the PPP interfaces whose TTL is below the threshold, and adds the offending source address to an address list. The full script for this rule is below; you only need to edit the source address to match your client pool.

Detecting Second Routers
/ip firewall mangle
# Match established forward traffic from the client pool arriving on PPP interfaces whose TTL is below 62
# (less-than is a strict comparison, so this matches TTL 61 or lower) and put the source address into the
# MULTI-ROUTER address list for 5 seconds. Replace src-address with your own client pool.
add action=add-src-to-address-list address-list=MULTI-ROUTER address-list-timeout=5s chain=forward connection-state=established in-interface=all-ppp src-address=10.20.4.0/22 ttl=less-than:62


Blocking Detected Second Routers
/ip firewall filter
# Drop forwarded low-TTL traffic from every address the mangle rule above placed in MULTI-ROUTER.
add action=drop chain=forward src-address-list=MULTI-ROUTER ttl=less-than:62 disabled=no


🔥 Method 2: Block Second Router Using TTL

Add this rule in Firewall Filter:

/ip firewall filter
# Drop packets that arrive with TTL exactly 63: a TTL-64 device (Linux, Android, iOS) behind one extra router.
# Note that Windows hosts start at TTL 128, so behind one router they arrive as 127 and are not matched by this rule.
add chain=forward ttl=equal:63 action=drop comment="Block Client Second Router"

✔ This immediately drops traffic from any TTL-64 device sitting behind a second router.

👉 Alternative Rule (Drop Everything That Is Not TTL 64)

/ip firewall filter
# Drop every forwarded packet whose TTL is not 64. Caution: this also drops directly connected Windows hosts,
# which use a default TTL of 128.
add chain=forward ttl=not-equal:64 action=drop comment="Block Router NAT"
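
To see which clients the TTL rules of Methods 1 and 2 would actually catch before you deploy them, here is an added Python simulation (not part of the original post, and not RouterOS code) of the RouterOS ttl matcher semantics, where less-than and greater-than are strict comparisons, applied to constructed sample clients; the operating-system default TTLs are assumed factory defaults.

```python
# Added example, not from the original post: simulate how the RouterOS ttl
# matcher used in Methods 1 and 2 classifies packets from typical clients.

# Assumed factory-default initial TTLs of common client operating systems.
DEFAULT_TTL = {"linux": 64, "android": 64, "ios": 64, "macos": 64, "windows": 128}

def ttl_at_mikrotik(os_name, router_hops):
    """TTL the MikroTik sees: every router on the path decrements it by one."""
    return DEFAULT_TTL[os_name] - router_hops

def ttl_matches(ttl, matcher):
    """RouterOS firewall ttl matcher, e.g. 'equal:63' or 'less-than:62'.
    less-than and greater-than are strict, so less-than:62 means TTL <= 61."""
    op, value = matcher.split(":")
    value = int(value)
    return {
        "equal": ttl == value,
        "not-equal": ttl != value,
        "less-than": ttl < value,
        "greater-than": ttl > value,
    }[op]

# The ttl matchers used by the rules in this post.
RULES = {"method1": "less-than:62", "method2": "equal:63", "method2-alt": "not-equal:64"}

# Constructed sample clients: (label, OS, routers between the host and the MikroTik).
SAMPLES = [
    ("linux direct", "linux", 0),
    ("windows direct", "windows", 0),
    ("android behind 1 router", "android", 1),
    ("windows behind 1 router", "windows", 1),
    ("linux behind 2 routers", "linux", 2),
    ("linux behind 3 routers", "linux", 3),
]

def dropped_by(rule_name):
    """Return the set of sample labels that a rule would drop."""
    matcher = RULES[rule_name]
    return {label for label, os_name, hops in SAMPLES
            if ttl_matches(ttl_at_mikrotik(os_name, hops), matcher)}

if __name__ == "__main__":
    for name, matcher in RULES.items():
        print(f"{name} ({matcher}) drops: {sorted(dropped_by(name))}")
```

Running it shows that less-than:62 only catches a TTL-64 host three routers away, while equal:63 catches a TTL-64 host one router away but misses a Windows host behind the same router (TTL 127), and not-equal:64 drops directly connected Windows hosts as well.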

🔥 Method 3: Block Based on Private IP Detection

If the client’s second router hands out private addresses such as:

  • 192.168.x.x
  • 10.x.x.x
  • 172.16.x.x

then use these rules:

/ip firewall filter
# Drop forwarded traffic whose source is an RFC 1918 private address.
# Caution: if your own client pool is itself private (for example the 10.20.4.0/22 pool used in Method 1),
# the matching rule below drops your legitimate clients too; exclude your pool first or narrow the src-address.
add chain=forward src-address=192.168.0.0/16 action=drop comment="Block Private IP NAT"
add chain=forward src-address=10.0.0.0/8 action=drop comment="Block Private IP NAT"
add chain=forward src-address=172.16.0.0/12 action=drop comment="Block Private IP NAT"

🔥 Method 4: Block Client Using DHCP SERVER Detection

If the customer runs a DHCP server on their second router, MikroTik’s DHCP alert feature can detect it on the interface you specify.

/ip dhcp-server alert
# Watch the client-facing interface for DHCP replies from servers that are not listed as valid-server;
# an unknown server is logged. Replace your_interface_onu with the actual interface name.
add interface=your_interface_onu disabled=no

Then add this firewall rule:

/ip firewall filter
# Drop DHCP packets (UDP 67-68) addressed to this router. Caution: if this MikroTik is itself the DHCP server
# for these clients, this rule also drops their DHCP requests; restrict it with in-interface to interfaces
# where no DHCP service is offered.
add chain=input protocol=udp dst-port=67-68 action=drop comment="Block Illegal DHCP Server"

📝 Final Thoughts

Blocking clients’ second routers is essential for network performance, bandwidth control, and preventing unfair sharing. The TTL method is the most effective and widely used solution for ISPs.
