How to deny static IP
I'm trying to deny access to clients who manually asigned their IP to fall into the range with full access to the internet.
Here's my scenario
-I configured DCHP with static mappings for some clients in the range 192.168.1.2 -> 192.168.1.20
-Everybody else should fall into 192.168.1.21 -> 192.168.1.254
-With squidguard I gave FULL ACCESS to the range 192.168.1.2 -> 192.168.1.20 and limited to the rest
Everything works fine, except when somebody manually configure his IP to 192.168.1.19 for example =(
What can I do?
(apart from map every mac address on the net, which would be tedious and impractical)
Without using static ARP (coding in all the MACs of good clients) then this is not possible really. You might be able to pull off some layer2 tricks on a switch to block certain things, but ultimately it still comes down to knowing which MACs are supposed to have access.
You can define "static" entries with only a MAC and without a static IP, this just lets the DHCP server know that they are allowed to pull addresses from the normal pool.
ok thanks, but what if some clever guy statically assign himself one IP that falls in the range of "allowed"
my problem is that
- if I deny unknown clients then I would have to manually assign EVERY guest for them to have limited internet
- if I allow unknown clients then the clever guys would assign their pc's some IP that falls in the range of FULL access
Maybe using the captive portal?? have everyone used it for this?
You may be able to use captive portal or some other means of further auth (e.g. VPN or PPPoE) to lock it down, but only CP would require no extra settings on the guest PCs.
but Captive portal doesn's assign IP
so my filters FULL ACCESS LIMITED ACCESS wouldn't work right?
I'm trying to:
- five computers with FULL ACCESS except for porn
- all employees and guests (100+) only allowed for hotmail, gmail, yahoo
- minimum manteinance or nothing at all, because I don't work there, I'm doing it and then leave
- stop the clever guys who know how to configure their IP's for them to fall into the FULL ACCESS group =/
If I use "deny unknown clients" in the DHCP then I can't 2) and 3)
If I don't use "deny unknown clients" then 4)
If I use captive portal then (I think) I give FULL ACCESS or nothing at all for guests…
Put the untrusted guest users behind captive portal on an OPT interface
Put the full access users on LAN
Segregate them with separate switches or VLANs.
If you don't want the full access users to get to porn and such, you'll also need to run squid+squidGuard and such. I'm not sure how well that plays with captive portal these days though.