Using Static ARP vs IPVLAN
-
I've been using Static ARP for years to enforce schedules that disable internet access for my kids at night. The reason I need to use static ARP is that most new phones and even Windows WIFI support privacy MACs, so unless you disable privacy MACs, you will get a new IP every time you connect to the WIFI. Recently, the OS I use for hosting Docker containers (unRaid) suggested switching from MACVLAN to IPVLAN due to constant OS crashes caused by MACVLAN. The only problem is that IPVLAN does not support MAC addresses and ultimately masquerades as the host MAC when on the network. Therefore, none of the containers can get internet because there is no static ARP entry in the router for them.
Is there any solution where I can still disable internet for "some" IPs at night while allowing the dockers with non-unique MACs to access the internet? The only thing I can think of is to have the server with the Docker containers behind a second router that doesn't have WIFI enabled and doesn't use static ARP, but this seems really clunky and will require me to have double the NAT rules.
-
If your access point supports VLANs and multiple SSIDs, you can give the little monsters their own SSID/VLAN and then schedule it.
-
@AK_4_Life said in Using Static ARP vs IPVLAN:
you will get a new IP every time you connect to the WIFI.
As mentioned by JKnott, if you have devices that might use different MACs, that does not really allow for assignment of specific IPs that you can then filter or schedule in your firewall rules based on the IP, since it could change.
The best solution here is to put these devices on a common network (SSID), and then you can create your rules for the whole network/VLAN and not really care what specific IPs might be in use, because all devices on this network get the same rules regardless of their specific IP.