Hello,
I need to make sure that one and only one device (an AP) can connect to an Ethernet port.
What I'm assuming is to use a static ARP table, but the AP must have a local DHCP server etc… I want to use the same subnet.
I see that I cannot filter packets that originate from that AP and drop the others.
VLANs aren't a solution, because they can be sniffed easily.
PPPoE needs powerful hardware and not every AP supports it.
QoS is applicable to MikroTik products too.
As I understand it, MikroTik doesn't support 802.1X, so RADIUS can't work.
Any other ideas, or am I missing something in the above solutions?
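A concrete RouterOS configuration for the static-ARP approach the question mentions, added here as an example; it is not taken from the thread or from any poster. It assumes the AP sits alone on bridge port ether2 of a bridge named "bridge", that its address is 192.168.88.2 and its MAC is D4:CA:6D:11:22:33, that the DHCP server is named "dhcp1", and that the AP routes (NATs) its wireless clients so only its own MAC ever appears on the port; all of those are placeholders. Bridge filter rules can match on the source MAC, which gives the per-port filtering the question asks about.

```routeros
# Added example, not from the thread. Placeholders: bridge "bridge", the AP
# alone on port ether2, address 192.168.88.2, MAC D4:CA:6D:11:22:33,
# DHCP server "dhcp1".

# 1. Pin the AP's IP<->MAC in the ARP table and stop the bridge from learning
#    ARP entries dynamically. arp=reply-only applies to the whole bridge
#    interface, so every other host on that subnet then needs a static entry too.
/ip arp add address=192.168.88.2 mac-address=D4:CA:6D:11:22:33 interface=bridge comment="trusted AP, pinned"
/interface bridge set bridge arp=reply-only

# 2. Keep the DHCP lease consistent with the pinned ARP entry, so the AP
#    always receives the address the static entry was written for.
/ip dhcp-server lease add address=192.168.88.2 mac-address=D4:CA:6D:11:22:33 server=dhcp1 comment="trusted AP"

# 3. Drop every frame entering ether2 whose source MAC is not the AP's:
#    frames addressed to the router itself (input) and frames it would
#    bridge onward to other ports (forward).
/interface bridge filter add chain=input in-interface=ether2 src-mac-address=!D4:CA:6D:11:22:33 action=drop comment="ether2: only the pinned AP"
/interface bridge filter add chain=forward in-interface=ether2 src-mac-address=!D4:CA:6D:11:22:33 action=drop comment="ether2: only the pinned AP"
```

Everything here keys on the MAC address, which any host can change and which a transparent bridge passes through untouched, so this raises the cost of plugging in a second device but does not authenticate the AP. If the AP bridges its wireless clients onto ether2 instead of routing them, their MACs appear on the port as well and rule 3 blocks them.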
Your solution could be easily sniffed too. All that is needed is a transparent bridge between the network cable and the switch. You could encrypt. But then you would need more powerful hardware…
He wants something that only cryptography will provide: the assurance that no man in the middle could sniff the traffic. The problem is, he doesn't want to pay the CPU price of the crypto. I don't know how to solve this, given the constraints. Without crypto there is no way to protect against a transparent bridge sniffing everything.
Paternot, this is what Chupaka suggests. Make a script that monitors the link. Once the cable is disconnected (presumably to implant the rogue sniffer), do some actions (like warning the admin).
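One way to write the link-monitoring script suggested above, as an added example that is not part of the thread. It assumes the trusted AP is alone on bridge port ether2 with MAC D4:CA:6D:11:22:33, that the AP routes its wireless clients so only its own MAC is learned on that port, that /tool e-mail is already configured, and that admin@example.com is the recipient; all placeholders. Besides the link state, it also checks the bridge host table for any MAC other than the AP's on that port.

```routeros
# Added example, not from the thread. Save as /system script "ap-port-watch".
# Placeholders: port ether2, AP MAC D4:CA:6D:11:22:33, admin@example.com.
:local port "ether2"
:local apMac "D4:CA:6D:11:22:33"
:local alert ""

# (a) Link state: a loss of carrier is the moment a bridge could be inserted,
#     so it is always worth a notice.
:if ([/interface get [find name=$port] running] = false) do={
    :set alert ("link down on " . $port)
}

# (b) Learned MACs: with the AP alone on the port, only its MAC should ever
#     appear in the bridge host table for that port.
:foreach h in=[/interface bridge host find interface=$port] do={
    :local seen [:tostr [/interface bridge host get $h mac-address]]
    :if ($seen != $apMac) do={
        :set alert ($alert . " unexpected MAC " . $seen . " on " . $port)
    }
}

# Log and mail whatever was found; stay silent otherwise.
:if ([:len $alert] > 0) do={
    :log warning ("ap-port-watch: " . $alert)
    /tool e-mail send to="admin@example.com" subject="AP port alert" body=$alert
}

# Run it every 10 seconds from the scheduler:
# /system scheduler add name=ap-port-watch interval=10s on-event=ap-port-watch
```

This is detection only. A transparent bridge keeps the AP's MAC as the only source seen on the port, so check (b) stays quiet, and if it is inserted during a short outage of the whole setup the only trace is one link-down entry in the log, which is exactly the limitation the following replies describe.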
It can, at best, warn the admin. Once the bridge is in place, there would be no way to tell that it is there.
To prevent the warning one could prepare the whole setup and pull the plug on everything. It would show in the logs as a quick power problem, nothing more. And the bridge would be in place.
I know this is some work. But if he is looking to "marry" one to the other, it is because he has had some problems with this. So, yes, we can make it hard, we can make it inconvenient. But I can't see a way to guarantee it without cryptography and authentication.