Netgate Discussion Forum

How to block IP conflicts automatically

General pfSense Questions
11 Posts 5 Posters 1.6k Views
SipriusPT
last edited by Jul 1, 2019, 11:33 AM

Hello everyone,

Till now I have been using arpwatch to check if there are IP conflicts happening in real time, and I fix those issues manually, but I need to be always checking, and sometimes I am not in the office to prevent that. So I am looking for a way to block those in real time, as if it were IP spoofing protection, for example.

So I would like to know what you are doing to block such threats in real time.

1xSG-4860-1U
1xSG-3100
2xpfSense Virtual Machines
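The original post relies on reading arpwatch output by hand. The following is an added example, not code from the thread or from the arpwatch project, showing how the "changed ethernet address" and "flip flop" events arpwatch logs to syslog can be parsed to flag an IP that two MAC addresses are fighting over, which is the signature of an address conflict. The log lines are constructed for the example, and the exact message layout (event name, IP, new MAC, old MAC in parentheses, interface) is an assumption about arpwatch's format rather than something taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines written in the style of arpwatch's notices.
# The layout is assumed; real installations should verify it against their own logs.
SAMPLE_LOG = """\
Jul  1 11:20:01 fw arpwatch: new station 192.168.10.20 0:11:22:33:44:55 em1
Jul  1 11:21:14 fw arpwatch: new station 192.168.10.21 0:11:22:33:44:66 em1
Jul  1 11:25:40 fw arpwatch: changed ethernet address 192.168.10.20 0:aa:bb:cc:dd:ee (0:11:22:33:44:55) em1
Jul  1 11:25:52 fw arpwatch: flip flop 192.168.10.20 0:11:22:33:44:55 (0:aa:bb:cc:dd:ee) em1
Jul  1 11:26:03 fw arpwatch: flip flop 192.168.10.20 0:aa:bb:cc:dd:ee (0:11:22:33:44:55) em1
Jul  1 11:30:00 fw arpwatch: new station 192.168.10.22 0:11:22:33:44:77 em1
"""

# event, IP, current MAC, optional previous MAC in parentheses, interface name
LINE_RE = re.compile(
    r"arpwatch: (?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]+)"
    r"(?: \((?P<old>[0-9a-f:]+)\))? (?P<iface>\S+)"
)


def normalize_mac(mac):
    """arpwatch prints octets without zero padding ("0:11:..."); pad to aa:bb:cc form."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_line(line):
    """Return a dict describing one arpwatch event, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["mac"] = normalize_mac(ev["mac"])
    ev["old"] = normalize_mac(ev["old"]) if ev["old"] else None
    return ev


def find_conflicts(log_text, flip_flop_threshold=2):
    """Map each IP claimed by more than one MAC to the MACs seen and the flip-flop count.

    'active' is set once the IP has flip-flopped at least flip_flop_threshold times,
    i.e. two live devices are alternately answering ARP for the same address.
    """
    macs_by_ip = defaultdict(set)
    flip_flops = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        macs_by_ip[ev["ip"]].add(ev["mac"])
        if ev["old"]:
            macs_by_ip[ev["ip"]].add(ev["old"])
        if ev["event"] == "flip flop":
            flip_flops[ev["ip"]] += 1
    return {
        ip: {
            "macs": sorted(macs),
            "flip_flops": flip_flops[ip],
            "active": flip_flops[ip] >= flip_flop_threshold,
        }
        for ip, macs in macs_by_ip.items()
        if len(macs) > 1
    }


if __name__ == "__main__":
    for ip, info in find_conflicts(SAMPLE_LOG).items():
        state = "ACTIVE CONFLICT" if info["active"] else "address changed"
        print(f"{ip}: {state}; MACs {', '.join(info['macs'])}; flip flops {info['flip_flops']}")
```

Feeding the firewall's syslog stream through `find_conflicts` turns the manual arpwatch check into an alert: one "changed ethernet address" alone can be a legitimate hardware swap, so the flip-flop count is what distinguishes a real conflict from a replaced NIC.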
NogBadTheBad
last edited by Jul 1, 2019, 11:49 AM

The question should be "Why am I seeing IP conflicts?"

Are people assigning their own IP addresses?

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
SipriusPT @NogBadTheBad
last edited by Jul 1, 2019, 11:54 AM

@NogBadTheBad sorry, but in this case it isn't.

Yes, there are situations where users have to add manual IPs to certain devices, and in this case they can collide with IPs that are already being used. There is always the human error situation.

1xSG-4860-1U
1xSG-3100
2xpfSense Virtual Machines
NogBadTheBad @SipriusPT
last edited by NogBadTheBad Jul 1, 2019, 11:59 AM Jul 1, 2019, 11:58 AM

@SipriusPT said in How to block IP conflicts automatically:

    @NogBadTheBad sorry, but in this case it isn't.

    Yes, there are situations where users have to add manual IPs to certain devices, and in this case they can collide with IPs that are already being used. There is always the human error situation.

You can't fix stupid users ☺

It's not a pfSense issue, you'd need to look at fixing it (if possible) on your switches.

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
stephenw10 Netgate Administrator
last edited by Jul 1, 2019, 12:00 PM

You can lock down your switches to allowed MACs on each port only. Then set static mappings for those MACs in DHCP. But that's unlikely to work for you if users have to enter their IPs currently.
There's nothing I'm aware of that can prevent user error in that situation. How would the system determine which was the correct device for an IP?

Steve
JKnott @NogBadTheBad
last edited by Jul 1, 2019, 1:10 PM

@NogBadTheBad said in How to block IP conflicts automatically:

    The question should be "Why am I seeing IP conflicts?"
    Are people assigning their own IP addresses?

That was my thought too.

<insert WTF? emoticon here>

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
JKnott @SipriusPT
last edited by Jul 1, 2019, 1:12 PM

@SipriusPT said in How to block IP conflicts automatically:

    @NogBadTheBad sorry, but in this case it isn't.

    Yes, there are situations where users have to add manual IPs to certain devices, and in this case they can collide with IPs that are already being used. There is always the human error situation.

Is DHCP not available? Generally, you configure the DHCP server to assign a specific IP address to a MAC address. On my network, there are only 2 manually assigned addresses, pfSense and my main desktop system. Everything else is DHCP, with assigned IP.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
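Steve's reply asks how a system could know which device legitimately owns an address, and JKnott's answer is the DHCP static mapping table. The following is an added example, not code from the thread, from pfSense or from ISC, that treats a MAC-to-IP static mapping list as that source of truth: it audits a neighbour table against the mappings, reporting an address held by the wrong MAC (a conflict), a known device parked on an address it was not assigned, and a MAC with no mapping at all, and it renders the same mappings as ISC dhcpd `host` declarations with `deny unknown-clients`, which is the dhcpd equivalent of the "deny unknown clients" setting. The mappings and the `arp -an`-style table are constructed values for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed static mappings (MAC -> IP) standing in for the DHCP server's static mapping list.
STATIC_MAPPINGS = {
    "00:11:22:33:44:55": "192.168.10.20",
    "00:11:22:33:44:66": "192.168.10.21",
    "00:11:22:33:44:77": "192.168.10.22",
}

# Constructed neighbour table in the style of FreeBSD `arp -an` output.
# .20 is currently answered by a MAC that is not its mapped owner, .23 is a mapped
# device using an address it was not given, and .99 belongs to no mapping at all.
SAMPLE_ARP = """\
? (192.168.10.1) at 00:0c:29:aa:bb:cc on em1 permanent [ethernet]
? (192.168.10.20) at 00:aa:bb:cc:dd:ee on em1 expires in 1189 seconds [ethernet]
? (192.168.10.21) at 00:11:22:33:44:66 on em1 expires in 600 seconds [ethernet]
? (192.168.10.23) at 00:11:22:33:44:77 on em1 expires in 600 seconds [ethernet]
? (192.168.10.99) at 00:de:ad:be:ef:01 on em1 expires in 300 seconds [ethernet]
"""

ARP_RE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) on (?P<iface>\S+)"
)

# kind is one of "conflict", "moved", "unmapped"; expected is the mapped MAC for a
# conflict, the mapped IP for a moved device, and None for an unmapped MAC.
Finding = namedtuple("Finding", "kind ip mac expected")


def audit_arp(arp_text, mappings, ignore_ips=frozenset()):
    """Compare observed (IP, MAC) pairs with the static mappings and return the discrepancies."""
    ip_to_mac = {ip: mac.lower() for mac, ip in mappings.items()}
    findings = []
    for line in arp_text.splitlines():
        m = ARP_RE.search(line)
        if not m:
            continue
        ip, mac = m["ip"], m["mac"].lower()
        if ip in ignore_ips:          # infrastructure addresses not managed by DHCP
            continue
        expected = ip_to_mac.get(ip)
        if expected is None:
            if mac in mappings:
                findings.append(Finding("moved", ip, mac, mappings[mac]))
            else:
                findings.append(Finding("unmapped", ip, mac, None))
        elif expected != mac:
            findings.append(Finding("conflict", ip, mac, expected))
    return findings


def render_dhcpd_hosts(mappings, name_prefix="host"):
    """Emit ISC dhcpd host declarations for the mappings, refusing leases to unmapped MACs."""
    lines = ["deny unknown-clients;"]
    ordered = sorted(mappings.items(), key=lambda kv: ipaddress.ip_address(kv[1]))
    for i, (mac, ip) in enumerate(ordered):
        lines += [
            f"host {name_prefix}{i:02d} {{",
            f"  hardware ethernet {mac};",
            f"  fixed-address {ip};",
            "}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in audit_arp(SAMPLE_ARP, STATIC_MAPPINGS, ignore_ips={"192.168.10.1"}):
        print(f"{f.kind:9} {f.ip:16} seen at {f.mac}  expected {f.expected}")
    print(render_dhcpd_hosts(STATIC_MAPPINGS))
```

Run periodically against the firewall's own neighbour table, the audit gives the "which device is correct" answer Steve's question needs, but only for addresses that have a static mapping; `deny unknown-clients` stops unmapped devices from getting a lease, though, as the thread notes, it does nothing about a device whose address was typed in by hand, which is why port security on the switch is still the only real enforcement point.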
JKnott @NogBadTheBad
last edited by JKnott Jul 1, 2019, 1:51 PM Jul 1, 2019, 1:16 PM

@NogBadTheBad said in How to block IP conflicts automatically:

    You can't fix stupid users

But you can shoot them. 😉

Actually, a user should never be able to change their IP address. A big problem these days is that many people, including companies, run Windows computers with admin rights. Not only does that allow users to change/break things, it leaves them wide open to malware.

But yes, some users should be "fixed". 😉

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
Gertjan
last edited by Gertjan Jul 1, 2019, 1:41 PM Jul 1, 2019, 1:41 PM

As above, there are no real solutions.

Try this: you could introduce several LANs.

The third one is for everybody.
People that behave well in the third LAN could/should be upgraded to second LAN users.
If "all hell" breaks loose, only "LAN 3" will misbehave. You could mark on your door (and keep it locked): "I know who it is .... go shoot him - take him down - and the network will be fine again". This way the problem auto-regulates.
Keep the first 'real' LAN for yourself. You should never let non-trusted devices or users on your LAN.

No "help me" PMs please. Use the forum, the community will thank you.
Edit: and where are the logs??
SipriusPT
last edited by SipriusPT Jul 1, 2019, 2:33 PM Jul 1, 2019, 2:31 PM

Thank you all for the workarounds.

Seems like I will have to stick to VLANs to isolate those situations. Nice strategy Gertjan, I had not thought about it!

There are devices where NICs need to be reconfigured manually on the production site, and also some computers need to have administrator rights to run certain types of programs.

1xSG-4860-1U
1xSG-3100
2xpfSense Virtual Machines
JKnott @SipriusPT
last edited by Jul 1, 2019, 3:11 PM

@SipriusPT said in How to block IP conflicts automatically:

    There are devices where NICs need to be reconfigured manually on the production site, and also some computers need to have administrator rights to run certain types of programs.

While that certainly used to be the case, many programs that require those rights now ask for them. You then have the needed rights in that app only. In the Linux world, we know better. We normally run as users, not root. While some apps require root privilege, they prompt for the password. It's very rare to actually log into a system as root. In my work, I have often had admin rights, as I needed them to change network settings, but that sort of thing should be limited to only those who understand the risks.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...