Community discussions

 
User avatar
smurphy
Member Candidate
Member Candidate
Topic Author
Posts: 103
Joined: Wed Feb 06, 2008 6:48 pm
Location: Clermont / France
Contact:

How to limit IP's provided by DHCP Server to "static" ones ?

Tue Sep 13, 2016 8:03 pm

Hi folks,

I have a little question here. In my household I seem to have a "little" hacker (10 year old girl) who does not agree with Dad's network access configuration.
Thing is, I have configured the Kids systems to have Internet and NAS Access times based on the day of the week and hour.

Now - this little beast (and I have to say that I'm quite proud of her :lol: ) has started to change the MAC Address of her Android Tablet to bypass this security.

and here goes my secured time-plan for the kids...

What I can do however, is make all IP's static incl. MAC Addresses.
How can I configure the DHCP Server in such a way that it will only deliver IP/MAC's that are "Known" and marked as "Static".
Is that possible in routerOS or is one other way of achieving this?

Thx for any hints.
 
Sob
Forum Guru
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to limit IP's provided by DHCP Server to "static" ones ?

Tue Sep 13, 2016 8:38 pm

You can set address-pool=static-only for dhcp server, then it will serve only known clients with static leases. Then to prevent manually assigned addresses, add also add-arp=yes. And finally set arp=reply-only for LAN interface.

Way around that would be to "borrow" MAC address of your notebook/tablet/phone and use it when you're not at home. So difficulty level is not really much higher.

Next level would be dedicated kid network, limited as whole, so it wouldn't matter what and how is connected. For tablet I'm assuming it's just wireless, so you can create virtual AP with different SSID and then keep password for unlimited one for yourself.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
User avatar
smurphy
Member Candidate
Member Candidate
Topic Author
Posts: 103
Joined: Wed Feb 06, 2008 6:48 pm
Location: Clermont / France
Contact:

Re: How to limit IP's provided by DHCP Server to "static" ones ?

Tue Sep 13, 2016 10:27 pm

Thx for the hint on the dhcp-server (static-only). Wonder how long it will take my little hacker to figure something out :}

I was thinking about the dedicated Kid network.
I have a router that can do 2.4Ghz and 5Ghz - Kids devices on 2.4Ghz, others on 5Ghz. But we have some old device that would not work on 5Ghz. And 2 Network on 2.4Ghz ? Dunno yet.

Thx again for the hints.
 
IntrusDave
Forum Guru
Forum Guru
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: How to limit IP's provided by DHCP Server to "static" ones ?

Tue Sep 13, 2016 11:26 pm

Very cool kid. I have two girls (7 and 12), both too smart for their own good.

For my house, I ended up with a virtual AP on a vlan that is time based. As long as I keep the router and access point security, I'm all good.
You could also go with static MAC's and disable ARP. Or maybe even WPA2/EAP.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
User avatar
smurphy
Member Candidate
Member Candidate
Topic Author
Posts: 103
Joined: Wed Feb 06, 2008 6:48 pm
Location: Clermont / France
Contact:

Re: How to limit IP's provided by DHCP Server to "static" ones ?

Wed Sep 14, 2016 10:28 am

Very cool kid. I have two girls (7 and 12), both too smart for their own good.

For my house, I ended up with a virtual AP on a vlan that is time based. As long as I keep the router and access point security, I'm all good.
You could also go with static MAC's and disable ARP. Or maybe even WPA2/EAP.
yes - they definitely are too smart for their age (Got 10, 12 and 13 years old girls). The little one is the devil in disguise :)

Question - how did you set the Time-control into the vlan?

And - if I understood it correctly, the Virtual AP is just adding a new bridge-ap to an already configured wireless card?
I do lots under Linux (cli), and I knew that virtual intrerfaces existed also in RouterOS. I admit though that I never thought to add a virtual AP for the girls...

Thx.
 
IntrusDave
Forum Guru
Forum Guru
Posts: 1290
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: How to limit IP's provided by DHCP Server to "static" ones ?

Wed Sep 14, 2016 6:06 pm

I created a separate (virtual) access point on a different vlan. Then setup a time-based drop rule for the vlan in the filter. at 8pm the forward rules turns off and a reject rule turns on.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
Sob
Forum Guru
Forum Guru
Posts: 4806
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to limit IP's provided by DHCP Server to "static" ones ?

Wed Sep 14, 2016 6:19 pm

Virtual AP uses same radio and frequency as base AP (it doesn't really have much choice there), but has different SSID and behaves as independent interface. So it can have own DHCP server, filtering and everything.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
User avatar
smurphy
Member Candidate
Member Candidate
Topic Author
Posts: 103
Joined: Wed Feb 06, 2008 6:48 pm
Location: Clermont / France
Contact:

Re: How to limit IP's provided by DHCP Server to "static" ones ?

Wed Sep 14, 2016 8:04 pm

I created a separate (virtual) access point on a different vlan. Then setup a time-based drop rule for the vlan in the filter. at 8pm the forward rules turns off and a reject rule turns on.
Thx. Thought it would be something like that ;)
 
elitebb
just joined
Posts: 11
Joined: Fri Sep 16, 2016 8:00 pm

Re: How to limit IP's provided by DHCP Server to "static" ones ?

Sat Sep 17, 2016 5:35 pm

Hello .

You could use access list for time based authentication , too.

Regards
Nikem


Sent from my Le X507 using Tapatalk
 
User avatar
smurphy
Member Candidate
Member Candidate
Topic Author
Posts: 103
Joined: Wed Feb 06, 2008 6:48 pm
Location: Clermont / France
Contact:

Re: How to limit IP's provided by DHCP Server to "static" ones ?

Sun Sep 18, 2016 12:49 pm

Hello .

You could use access list for time based authentication , too.

Regards
Nikem


Sent from my Le X507 using Tapatalk
Yes, I would probably have to test that out too... Thx for the hint.

Who is online

Users browsing this forum: MSN [Bot] and 56 guests