Netgate Discussion Forum

    How to deny static IP

    DHCP and DNS
    6 Posts 2 Posters 5.7k Views
      lalo

      I'm trying to deny access to clients who manually assigned their IP to fall into the range with full access to the internet.

      Here's my scenario

      - I configured DHCP with static mappings for some clients in the range 192.168.1.2 -> 192.168.1.20
      - Everybody else should fall into 192.168.1.21 -> 192.168.1.254
      - With squidguard I gave FULL ACCESS to the range 192.168.1.2 -> 192.168.1.20 and limited to the rest

      Everything works fine, except when somebody manually configures his IP to 192.168.1.19 for example =(

      What can I do?
      (apart from map every mac address on the net, which would be tedious and impractical)

      Please Help!

        jimp Rebel Alliance Developer Netgate

        Without using static ARP (coding in all the MACs of good clients) then this is not possible really. You might be able to pull off some layer2 tricks on a switch to block certain things, but ultimately it still comes down to knowing which MACs are supposed to have access.

        You can define "static" entries with only a MAC and without a static IP, this just lets the DHCP server know that they are allowed to pull addresses from the normal pool.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!
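
An added example, not part of the original post and not pfSense's own code: a Python audit that compares ARP entries against the DHCP static mappings to report hosts that have manually taken an address in the full-access range 192.168.1.2 to 192.168.1.20 from the thread. The sample lines (written in the style of FreeBSD `arp -an` output), the MAC addresses and the mapping table are all constructed.

```python
import ipaddress
import re

# Full-access range from the thread: 192.168.1.2 -> 192.168.1.20
RESERVED_FIRST = ipaddress.ip_address("192.168.1.2")
RESERVED_LAST = ipaddress.ip_address("192.168.1.20")

# Constructed DHCP static mappings (IP -> MAC); the MACs are made up.
STATIC_MAPPINGS = {
    "192.168.1.5": "00:11:22:aa:bb:05",
    "192.168.1.19": "00:11:22:aa:bb:19",
}

# Constructed sample in the style of FreeBSD `arp -an` output.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:11:22:aa:bb:01 on em1 permanent [ethernet]
? (192.168.1.5) at 00:11:22:aa:bb:05 on em1 expires in 1180 seconds [ethernet]
? (192.168.1.19) at 66:77:88:cc:dd:ee on em1 expires in 904 seconds [ethernet]
? (192.168.1.12) at 66:77:88:cc:dd:01 on em1 expires in 300 seconds [ethernet]
? (192.168.1.77) at 66:77:88:cc:dd:02 on em1 expires in 1100 seconds [ethernet]
? (192.168.1.14) at (incomplete) on em1 expired [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) on (?P<ifname>\S+)"
)


def find_squatters(arp_text, mappings):
    """Return (ip, mac, reason) for hosts on a reserved IP they are not mapped to."""
    findings = []
    for line in arp_text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # skips "(incomplete)" entries and blank lines
        ip, mac = m.group("ip"), m.group("mac").lower()
        if not RESERVED_FIRST <= ipaddress.ip_address(ip) <= RESERVED_LAST:
            continue  # outside the full-access range: guest pool or the router
        expected = mappings.get(ip)
        if expected is None:
            findings.append((ip, mac, "reserved IP with no static mapping"))
        elif expected.lower() != mac:
            findings.append((ip, mac, "MAC differs from static mapping"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in find_squatters(SAMPLE_ARP, STATIC_MAPPINGS):
        print(f"{ip} {mac}: {reason}")
```
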

          lalo

          ok thanks, but what if some clever guy statically assigns himself one IP that falls in the range of "allowed"

          my problem is that

          1. if I deny unknown clients then I would have to manually assign EVERY guest for them to have limited internet
          2. if I allow unknown clients then the clever guys would assign their pc's some IP that falls in the range of FULL access

          Maybe using the captive portal? Has everyone used it for this?

            jimp Rebel Alliance Developer Netgate

            You may be able to use captive portal or some other means of further auth (e.g. VPN or PPPoE) to lock it down, but only CP would require no extra settings on the guest PCs.

              lalo

              right!

              but Captive portal doesn't assign IP
              so my filters FULL ACCESS LIMITED ACCESS wouldn't work right?

              I'm trying to:

              1. five computers with FULL ACCESS except for porn
              2. all employees and guests (100+) only allowed for hotmail, gmail, yahoo
              3. minimum maintenance or nothing at all, because I don't work there, I'm doing it and then leave
              4. stop the clever guys who know how to configure their IP's for them to fall into the FULL ACCESS group =/

              If I use "deny unknown clients" in the DHCP then I can't 2) and 3)
              If I don't use "deny unknown clients" then 4)

              If I use captive portal then (I think) I give FULL ACCESS or nothing at all for guests…

              Any ideas??

                jimp Rebel Alliance Developer Netgate

                Put the untrusted guest users behind captive portal on an OPT interface

                Put the full access users on LAN

                Segregate them with separate switches or VLANs.

                If you don't want the full access users to get to porn and such, you'll also need to run squid+squidGuard and such. I'm not sure how well that plays with captive portal these days though.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.