How to deny static IP

lalo

I'm trying to deny access to clients who manually asigned their IP to fall into the range with full access to the internet.

Here's my scenario

-I configured DCHP with static mappings for some clients in the range 192.168.1.2 -> 192.168.1.20
-Everybody else should fall into 192.168.1.21 -> 192.168.1.254
-With squidguard I gave FULL ACCESS to the range 192.168.1.2 -> 192.168.1.20 and limited to the rest

Everything works fine, except when somebody manually configure his IP to 192.168.1.19 for example =(

What can I do?
(apart from map every mac address on the net, which would be tedious and impractical)

Please Help!

jimp

Without using static ARP (coding in all the MACs of good clients) then this is not possible really. You might be able to pull off some layer2 tricks on a switch to block certain things, but ultimately it still comes down to knowing which MACs are supposed to have access.

You can define "static" entries with only a MAC and without a static IP, this just lets the DHCP server know that they are allowed to pull addresses from the normal pool.

lalo

ok thanks, but what if some clever guy statically assign himself one IP that falls in the range of "allowed"

my problem is that

if I deny unknown clients then I would have to manually assign EVERY guest for them to have limited internet
if I allow unknown clients then the clever guys would assign their pc's some IP that falls in the range of FULL access

Maybe using the captive portal?? have everyone used it for this?

jimp

You may be able to use captive portal or some other means of further auth (e.g. VPN or PPPoE) to lock it down, but only CP would require no extra settings on the guest PCs.

lalo

right!

but Captive portal doesn's assign IP
so my filters FULL ACCESS LIMITED ACCESS wouldn't work right?

I'm trying to:

five computers with FULL ACCESS except for porn
all employees and guests (100+) only allowed for hotmail, gmail, yahoo
minimum manteinance or nothing at all, because I don't work there, I'm doing it and then leave
stop the clever guys who know how to configure their IP's for them to fall into the FULL ACCESS group =/

If I use "deny unknown clients" in the DHCP then I can't 2) and 3)
If I don't use "deny unknown clients" then 4)

If I use captive portal then (I think) I give FULL ACCESS or nothing at all for guests…

Any ideas??

jimp

Put the untrusted guest users behind captive portal on an OPT interface

Put the full access users on LAN

Segregate them with separate switches or VLANs.

If you don't want the full access users to get to porn and such, you'll also need to run squid+squidGuard and such. I'm not sure how well that plays with captive portal these days though.