Good day!
I've been struggling with people who steal internet using MAC address spoofing/cloning. Anybody can change his device's MAC address to that of any of my clients on the network and get access to the internet, and I won't know about him unless I check for the hostname change in DHCP-Server/Leases.
After lots of tries, I ended up setting my LAN interface ARP to "reply-only", which doesn't give internet if the MAC/IP isn't added to the ARP.
ARP List :
I've always been making static IPs for the clients to be able to limit their bandwidth, etc., from IP/DHCP-Server/Leases, and that's how the attackers succeed in getting internet access: once they change their MAC to any of the clients', they will take the same IP, since every MAC is listed in Leases with a static IP.
But then I removed all the static leases, assuming the ARP list I set would keep the clients' IPs static.
So once a client connects, a "Dynamic" lease is generated, not a "Static" one.
If an attacker clones the MAC, he will get a different IP and will not have internet access, because I only give access to the ARP item (a MAC and an IP); if it doesn't match, no internet access will be given.
Up to this part everything works and MAC cloning doesn't work, as I've tested and explained above. But here's the problem: as I said, I assumed the ARP list would make the IPs static for each client.
But that didn't happen; my phone and PC can randomly take any free IP address. So if the IP changes for a client, I cannot limit his bandwidth using Simple Queues (target IP & max-limit).
If there's a way to make the IP static for my clients without creating a static lease for each one, then MAC cloning will not work, because the idea is to force the attacker to get a new IP different from the client IP that is listed in the ARP list. Then he will not have internet access, since the ARP item has to match the MAC & IP.
Right now I'm setting static lease IPs for clients temporarily, hoping someone can help with this issue.
Sorry for taking long.
Thanks!
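
The checks described in the post above (MAC/IP pair must match the ARP list, plus the manual hostname comparison in the leases), as an added example that is not part of the original post. It is a simplified model of reply-only ARP, and all function names, addresses and hostnames are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str

def norm(mac: str) -> str:
    """Normalise MAC notation so AA-BB-.. and aa:bb:.. compare equal."""
    return mac.replace("-", ":").upper()

def audit(static_arp: dict, known_hostnames: dict, leases: list) -> dict:
    """Classify each lease against the static ARP list (ip -> mac).

    Assumed model of reply-only ARP: the router only talks to an IP
    whose MAC matches the static entry for that IP.
    """
    allowed_macs = {norm(m) for m in static_arp.values()}
    verdicts = {}
    for lease in leases:
        mac = norm(lease.mac)
        entry = static_arp.get(lease.ip)
        if entry is not None and norm(entry) == mac:
            # Pair matches, so traffic flows. The hostname is client-supplied:
            # a match proves nothing, a mismatch is only a hint of a clone.
            expected = known_hostnames.get(mac)
            if expected and lease.hostname != expected:
                verdict = "reachable, hostname changed"
            else:
                verdict = "reachable"
        elif mac in allowed_macs:
            # Known MAC on an IP other than its ARP entry: a clone, or the
            # real client after the DHCP server handed it a different free IP.
            verdict = "blocked, known MAC on wrong IP"
        else:
            verdict = "blocked, unknown MAC"
        verdicts[(mac, lease.ip)] = verdict
    return verdicts

# Constructed sample data (not from the original post).
STATIC_ARP = {"192.168.88.10": "AA:BB:CC:00:00:01", "192.168.88.11": "AA:BB:CC:00:00:02"}
KNOWN_HOSTNAMES = {"AA:BB:CC:00:00:01": "client-phone", "AA:BB:CC:00:00:02": "client-pc"}
LEASES = [
    Lease("aa-bb-cc-00-00-01", "192.168.88.10", "client-phone"),
    Lease("AA:BB:CC:00:00:02", "192.168.88.11", "other-device"),
    Lease("AA:BB:CC:00:00:02", "192.168.88.57", "client-pc"),
    Lease("DE:AD:BE:EF:00:09", "192.168.88.58", "laptop"),
]
```

The third lease shows the side effect the post describes: a known MAC on a different IP is blocked whether it is a clone or the real client that drew another free address.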