Posted: Mon Jan 24, 2011 9:07 pm
Been thinking of how best to approach this and I need your idea for a possible solution. I am using a RB433AH as the main router in a network. The LAN is connected at ether3 and DHCP server is on this interface. I need to control connecting unapproved computers to any of the LAN ports on the network. For instant, a customer walks in, plugs into any ethernet port to use the internet. Is it possible to do MAC filtering? Please help
Posted: Mon Jan 24, 2011 9:15 pm
Routers are ill-fitted for this kind of access control. To sufficiently control users physically connecting to your network you need to control them directly on the port they connect to, which is usually a switch. 802.1x is specifically made for this purpose. Routers do not do 802.1x, switches do.
That said, you can
a) make static DHCP leases for all your valid clients
b) set the address pool on the DHCP server to 'none'
b) check "Add ARP for leases" on the DHCP server instance
c) change the ARP settings of the LAN interface to "reply only"
d) add static ARP entries for all statically IPd clients on the network
At that point the router will refuse to dynamically learn IP-MAC mappings via ARP. It will, however, respond to ARP requests from clients. Static ARP entries are used for static clients, and valid clients get their static DHCP lease, and are added to the ARP table by the DHCP server when the lease is handed out, and removed again when the lease expires. New clients do not receive a DHCP lease, aren't added to the ARP table, and can't get traffic back from the router.
Savvy clients can bypass that by sniffing a valid MAC/IP mapping and spoofing those addresses, at which point they can pass traffic through the router. You cannot work around that on the router, you'd need a switching platform with decent edge security features.