I have a wired (Ethernet) network of roughly 100 users at the moment, doing load balancing on 4x ADSL lines. Right now I have been running my network using simple queues for bandwidth control and giving everyone static IPs that are entered manually; hotspot and DHCP are both disabled. This denies anyone not given an IP access to the internet and allows customers to simply open a browser and immediately have internet access without any splash pages or logins. Unfortunately I’m unable to verify if someone changed their IP or not without manually looking up the MACs; additionally, billing is also done manually, using the firewall and proxy to display a payment warning.
I’d like to be able to prevent internet access for MACs that aren’t using the proper IPs, and I’d also like to see if I can use a billing system to make things easier. Additionally I’d still like to maintain the hassle-free internet access: simply open a browser and you’re good to go. As I understand it there is a way to configure hotspot/RADIUS for use with MAC addresses, but I’m not quite sure how. Plus some of my users are assigned multiple IPs and others are prone to having multiple different devices (i.e. new MACs every time), so I’m not quite sure how to handle those since they would require an open login.
There are a few ways of doing some of what you want, but maybe not everything. Yes, someone can sign in via MAC with a hotspot; you just enable the Login by MAC option under the server profile. What the router will do is post the MAC as the user name somewhere in an attempt to sign them in. You can then have a login page set up for those you don’t have a MAC address for, to make them sign in.
You can also restrict access to certain MAC/IP combinations by putting the LAN port’s ARP mode into reply-only, then having a static ARP entry in the IP ARP list. For those that have multiple devices, have a DHCP server running that is set to add ARP entries for leases. This way the only way someone can “talk” to the router is to have the correct MAC/IP combination, or to get an IP address via DHCP.
With all of that being said, depending on how your layer 2 network is set up, it is trivial for someone to figure out a good MAC/IP combo to get online if you don’t have the proper layer 2 isolation/security between clients set up.
Billing would also be easier with RADIUS, depending on how you handle billing. Without knowing how you do it, I cannot go into more specifics.
If someone is smart enough to change an IP to bypass your system… they are smart enough to change MAC addresses too.
I think you need to rethink your approach.
That may be true; any person smart enough and with hostile intent will still do damage no matter what I do. But given that they’re assigned their static IPs, it’s much easier for the average user to mess with the number they’ve received than to mess with their MAC address, which most people don’t know about. Nevertheless I’d appreciate any tips to improve/change my current approach.
With all of that being said, depending on how your layer 2 network is set up, it is trivial for someone to figure out a good MAC/IP combo to get online if you don’t have the proper layer 2 isolation/security between clients set up.
Right now client-side security is virtually none; it is a standard Ethernet network where all clients can see/ping each other. Since I’m using cheap commercial 10/100 Mbps switches it’s unlikely I’d be able to implement any kind of client security, but that isn’t really a priority for me. My goal is to make it as complicated as possible for the random unapproved user to gain internet access without compromising the “ease of use” for the average approved user, who simply opens a browser and gains immediate access. For troublemakers I can still track them down manually and disconnect them permanently.
Billing would also be easier with RADIUS, depending on how you handle billing. Without knowing how you do it, I cannot go into more specifics.
Right now it’s a purely manual system: I have everyone in an Excel sheet, I check it every few days, and if someone’s subscription date has passed I enable their address to be sent to the proxy payment page. That worked when it was a few users, but it’s much tougher to manage this way now. When they receive the warning page, their service is temporarily disabled until they pay through a regular cash transfer; no credit cards.
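The ARP lock-down suggested in the earlier reply (arp=reply-only on the LAN port, one static ARP entry per customer, DHCP add-arp for customers whose devices change) and the spreadsheet-driven expiry check described above can both be fed from the same subscriber sheet. What follows is an added example, not code from this thread, from the poster or from MikroTik: it reads a CSV export of the sheet, validates it, and emits RouterOS commands that pin each IP to its MAC and put expired subscribers into an address list that the firewall redirects to the payment page. The interface name ether2, the 192.168.10.0/24 subnet, proxy port 8080, the address-list name "unpaid" and the sample rows are all assumptions.

```python
"""Generate RouterOS commands from a CSV export of the subscriber sheet.

Added example (not from the thread).  Interface, subnet, proxy port and
address-list name below are assumptions; the CSV rows are constructed data.
"""
import csv
import io
import ipaddress
import re
from datetime import date

LAN_IF = "ether2"                                   # assumed LAN-facing port
LAN_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed customer subnet
PROXY_PORT = 8080                                   # assumed payment-page proxy port
UNPAID_LIST = "unpaid"                              # assumed address-list name
TAG = "sheet"          # comment prefix so the script only touches its own entries

# Constructed sample export, not real subscriber data.  The MACs deliberately use
# the three spellings that turn up in a hand-maintained sheet.  One customer (bob)
# has two IPs on two devices, which is allowed; the same IP twice is not.
CUSTOMER_CSV = """\
name,ip,mac,paid_until
alice,192.168.10.11,00:11:22:33:44:55,2030-01-01
bob,192.168.10.12,AA-BB-CC-DD-EE-01,2020-06-30
bob-tv,192.168.10.13,aabbccddee02,2020-06-30
carol,192.168.10.14,00:11:22:33:44:99,2030-12-31
"""


def normalize_mac(raw):
    """Return the MAC in the AA:BB:CC:DD:EE:FF form RouterOS expects."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_customers(text):
    """Parse the CSV; reject rows that would make the static ARP table ambiguous."""
    customers, seen_ips = [], set()
    for row in csv.DictReader(io.StringIO(text)):
        ip = ipaddress.ip_address(row["ip"].strip())
        if ip not in LAN_NET:
            raise ValueError(f"{row['name']}: {ip} is outside {LAN_NET}")
        if ip in seen_ips:   # two MACs for one IP: reply-only ARP cannot serve both
            raise ValueError(f"{row['name']}: {ip} assigned twice")
        seen_ips.add(ip)
        customers.append({
            "name": row["name"].strip(),
            "ip": str(ip),
            "mac": normalize_mac(row["mac"]),
            "paid_until": date.fromisoformat(row["paid_until"].strip()),
        })
    return customers


def expired(customers, today_iso):
    """Customers whose subscription ended before today (ISO date string)."""
    today = date.fromisoformat(today_iso)
    return [c for c in customers if c["paid_until"] < today]


def routeros_script(customers, today_iso):
    """Commands to paste into a RouterOS terminal or run with /import on each sync."""
    lines = [
        "# Answer ARP only for known pairs; an unknown IP/MAC combination cannot reach the router",
        f"/interface ethernet set [find name={LAN_IF}] arp=reply-only",
        "# Customers with changing devices get a DHCP lease, and the lease adds the ARP entry",
        "/ip dhcp-server set [find] add-arp=yes",
        f'/ip arp remove [find comment~"^{TAG}:"]',
    ]
    for c in customers:
        lines.append(f"/ip arp add address={c['ip']} mac-address={c['mac']} "
                     f'interface={LAN_IF} comment="{TAG}:{c["name"]}"')
    lines.append(f"/ip firewall address-list remove [find list={UNPAID_LIST}]")
    for c in expired(customers, today_iso):
        lines.append(f"/ip firewall address-list add list={UNPAID_LIST} address={c['ip']} "
                     f'comment="{TAG}:{c["name"]} paid until {c["paid_until"]}"')
    return "\n".join(lines)


# Added once by hand so they are not duplicated on every sync.  The redirect turns
# unpaid HTTP into input-chain traffic for the local proxy; the forward drop then
# blocks everything else.  Place the drop above any general accept rules.
ONE_TIME_RULES = "\n".join([
    f"/ip firewall nat add chain=dstnat src-address-list={UNPAID_LIST} protocol=tcp "
    f'dst-port=80 action=redirect to-ports={PROXY_PORT} comment="payment page"',
    f"/ip firewall filter add chain=forward src-address-list={UNPAID_LIST} "
    f'action=drop comment="subscription expired"',
])

if __name__ == "__main__":
    print(routeros_script(load_customers(CUSTOMER_CSV), date.today().isoformat()))
```

Run it against the real export and apply the output on each sync; the two ONE_TIME_RULES lines are entered once. As the replies in this thread point out, on a flat switched segment this only pins an IP to a MAC at the router; a client that spoofs both a neighbour's IP and MAC still gets through, so it raises the bar for the casual user rather than forming a security boundary.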
Hi 011.. You don’t say much about the capabilities of your Ethernet switches facing the customer. I’m assuming they’re fairly basic, without any filtering capabilities.
One thing you could do is put static ARP mappings on the next-hop router, tying IP addresses to certain MAC addresses. That way the user would need to change their MAC and their IP, and both must match, but it’s still not foolproof!
You could create a VLAN per customer (assuming your switch supports this) and put some filtering on the VLAN interfaces at your next-hop router so only specific MACs/IPs get through. That would be pretty tough for a user to overcome (as long as your switch can tag packets on a per-port basis to prevent VLAN hopping), but it is an admin nightmare as things grow.
Hi 011.. You don’t say much about the capabilities of your Ethernet switches facing the customer. I’m assuming they’re fairly basic, without any filtering capabilities.
I did mention they were cheap generic switches, so I can’t do much with them at all. Plus all the clients are connected directly to the MK server through a single Ethernet port, so there are no other “next hop” routers in the middle. Basically it’s a standard workgroup-style network with a MikroTik server slapped in between it and the WAN lines coming in, for load balancing and some management.
Ever thought of using PPPoE?
I have, but it comes with its own set of challenges: it isn’t supported by many non-PC devices like phones or satellite receivers, etc. (without a client-side router). It also involves handing out usernames/passwords to people, and I end up with a fairly similar system to hotspots, where regular users would need to “log/dial in” to gain access every time. Though I guess that is inevitable if I want to move to a more controllable system.
The main principle I’d like to avoid breaking in my attempt to improve the network is ease of use for the average user, as many of them are older people and not very tech savvy, or tend not to remember user/pass logins. For them the ability to just open a browser and get internet immediately must remain. Plus some devices, like I mentioned, do not support login ability, which further complicates matters for customers with such devices. Like I mentioned earlier, securing the network tight is not really my objective; I’d prefer to add a few extra hurdles just to avoid making it straightforward to gain access. But really my primary objective at the moment is figuring out how to automate billing, and from my limited understanding of RADIUS it could help me achieve both objectives.