How would you guys prevent the change of IP address inside the LAN?
Can Mikrotik control the traffic inside the LAN?
I tried the following: I put the ARP on the LAN interface as reply-only.
After that I added a static ARP in /ip arp.
What happened was that when I changed the client IP it would
not connect to the outside but could easily connect to the rest
of the LAN.
Now my purpose is to create two networks, let’s say:
network 1: 192.168.0.0/24
network 2: 192.168.1.0/24
This way I can determine which host on Network 2
connects to which host on Network 1. But I can’t prevent
anyone on Network 2 from changing its own IP to one that
belongs to Network 1, can I?
As you cannot prevent a user from changing the IP address from one to another, from the router's point of view these clients, which have the same MAC and IP, are one client.
One way to disallow clients from changing the MAC address is a managed switch that binds a specific port to a specific MAC address.
Another way to do this on the router is to use PPPoE authentication to block unauthorized clients.
In my network I had some of these intrusions, but they were easily avoided with the implementation of PPPoE. So, I suggest you think about it.
So it’s only PPPoE?
I’m using a static DHCP server. Some bad ex-user changes their IP manually, using an IP from the same subnet; most of the time he chooses an offline user's IP. I discovered him because I know these IPs belong to a user who is out of the city at the same time!
Of course he can change his MAC address easily.
But my question is:
I’m using a DHCP server on the local interface; how come the router responds to a static IP entered manually on the user's PC?
Thank you guys for your answers, I see that PPPoE should do it fine.
But, one thing to discuss: you are talking about users who can change
their IP and MAC address. As for the IP, it is an easy job to do; I find it more
difficult to change the MAC address, at least inside a LAN where we do
normally have average users.
Have you often found such users who can change their IP and the
respective MAC address? How often?
And faton, since we are neighbours, do you plan MUM in Egypt?
It is not very difficult to change the MAC address, so people do MAC cloning, etc. In this case I prefer PPPoE, since it can eliminate these problems of accessing the network without permission. Regarding the MUM in Egypt, I can’t go since I have no days off left from my holidays, so I will catch it somewhere else someday later.
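
The static-binding setup discussed in this thread (reply-only ARP with static entries, combined with a static-lease DHCP server), written out as a RouterOS configuration. This is an added example, not part of any poster's message; the interface name `ether2`, the DHCP server name `dhcp-lan`, and every IP and MAC address below are constructed placeholders.

```routeros
# Assumptions (not from the thread): LAN interface is "ether2", the DHCP
# server on it is "dhcp-lan", network 2 is 192.168.1.0/24 as in the first post.
# All MAC addresses are constructed sample values.

# 1. One static lease per known client: fixes the IP <-> MAC pairing.
/ip dhcp-server lease
add server=dhcp-lan address=192.168.1.10 mac-address=00:11:22:33:44:55 comment="client A (sample)"
add server=dhcp-lan address=192.168.1.11 mac-address=00:11:22:33:44:56 comment="client B (sample)"

# 2. Hand out addresses only to clients that have a static lease, and let the
#    DHCP server write an ARP entry for each lease it actually gives out.
/ip dhcp-server
set [find name=dhcp-lan] address-pool=static-only add-arp=yes

# 3. Hosts that do not use DHCP (for example your own management PC) need a
#    manual ARP entry, otherwise the next step cuts them off from the router.
/ip arp
add interface=ether2 address=192.168.1.2 mac-address=00:11:22:33:44:01 comment="admin PC (sample)"

# 4. Last step: the router stops learning ARP dynamically on the LAN side.
#    It now talks only to IP/MAC pairs from steps 1-3, so an address typed in
#    by hand with a non-matching MAC gets no service from the router.
#    If the LAN is a bridge, set arp=reply-only on the bridge interface instead.
/interface ethernet
set [find name=ether2] arp=reply-only
```

This only governs traffic the router itself answers or forwards: hosts on the same switch still reach each other directly, as the first post observed, and a client that clones both a listed IP and its MAC still matches an entry, which is why the replies point to switch port binding or PPPoE.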