I have created a Hotspot and now I want to prevent clients that have manually set a static IP on their connection from accessing the Internet and thus bypassing the Hotspot.
I have read that you have to set the ARP mode to “reply only” on the Hotspot interface and enable the “add ARP for leases” option in the DHCP server configuration. Well, I have done that (on interface “Bridge “FREE””, also tried the “AP “FREE”” interface), but it isn’t working - the client with the static IP can browse the Internet, bypassing the Hotspot.
If the client has the IP settings listed below and the bridge (Bridge “FREE”) is set to reply-only, the Hotspot works as it should - it denies access to the Internet without logging in and allows access if logged in:
IP : 192.168.11.199
MASK : 255.255.255.0
GW : 192.168.11.2
DNS : 192.168.1.1
But, if the client has these IP settings (notice the GATEWAY):
IP : 192.168.11.199
MASK : 255.255.255.0
GW : 192.168.11.1
DNS : 192.168.1.1
it allows access to the Internet, thus bypassing the Hotspot.
Is this behaviour normal? If yes, how to solve this “security hole”?
I think you are using VLANs because you have only a few ethers on your board; otherwise I would suggest testing your setup without them (could be easier to debug).
Still haven’t got time to test my setup without VLANs, but this is what I got back from support:
"I believe that you could use firewall rules in order to adjust your setup as you want. You could probably just drop all traffic which is not coming from the hotspot network or something similar. Action=drop in-interface(src-address)=!hotspot. Of course, before configuration create backup files in case something goes wrong."
Still don’t know whether the situation I’m experiencing (“reply-only” ARP not working with the GW set to 192.168.11.1) is a bug or not - any ideas?
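The lease-bound ARP setup from the first post combined with the firewall rule the support reply sketches, as an added RouterOS configuration example (not from anyone in this thread or from MikroTik); the bridge name "Bridge FREE", the DHCP server name "dhcp-free" and the 192.168.11.0/24 hotspot network with the router at 192.168.11.1 are assumptions:

```routeros
# Added example, not from this thread. Assumed names/addresses: bridge "Bridge FREE",
# DHCP server "dhcp-free", hotspot network 192.168.11.0/24, router address 192.168.11.1.

# 1. The bridge (the interface that carries the hotspot gateway address) answers ARP
#    requests but no longer learns neighbour MACs dynamically; it only uses static entries.
/interface bridge set [find name="Bridge FREE"] arp=reply-only

# 2. The DHCP server adds a static ARP entry for every lease it hands out, so only
#    clients that actually obtained an address from DHCP get an entry on the bridge.
/ip dhcp-server set [find name="dhcp-free"] add-arp=yes

# 3. Defence in depth, following the support suggestion: drop forwarded traffic that
#    enters from the hotspot bridge with a source address outside the hotspot network.
/ip firewall filter add chain=forward in-interface="Bridge FREE" \
    src-address=!192.168.11.0/24 action=drop comment="hotspot: drop foreign sources"

# Checks: a host with a manually configured address and no lease should appear in
# neither list, so the router has no MAC to deliver return traffic to.
/ip arp print where interface="Bridge FREE"
/ip dhcp-server lease print
```

The reply-only mode only takes effect on the interface that actually holds the address the client uses as its gateway (192.168.11.1 in the bypass case), so setting it on a bridge port or AP underneath that interface does nothing. Rule 3 alone does not stop a static client that picked an address inside the hotspot subnet; that case relies on rules 1 and 2 leaving it without an ARP entry.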