Robinco
just joined
Topic Author
Posts: 12
Joined: Tue Apr 22, 2014 11:00 pm

Protecting against public IP abuse

Tue May 13, 2014 7:12 am

We have a /24 and are starting to provide public IP addresses to business clients when needed.

Is there a way to protect a client's correctly assigned and entered IP address from getting clobbered if a different client mistakenly enters the same IP address?

Is there a way to protect against a customer that has a single IP from using a second IP in your series of unallocated addresses? Obviously the customer would have one connection from a CPE coming in, but if the CPE is bridged, what prevents the customer from plugging it into a switch and then using two routers or two different PCs with two IP addresses, same gateway?
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protecting against public IP abuse

Tue May 13, 2014 8:24 am

How do you assign IPs to the client?

How is it possible that your clients can pick any IP they want?
I'm Italian, not English. Sorry for my imperfect grammar.
 
lz1dsb
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Protecting against public IP abuse

Tue May 13, 2014 11:51 am

> How do you assign IPs to the client?
>
> How is it possible that your clients can pick any IP they want?

That's a pretty legitimate question here... I think the best way is to use automatic address allocation via DHCP. That's what DHCP is designed for.
If the question is though... whether we would like to protect our network from clients who deliberately assign IP addresses from the pool they know, then I can't think of a RouterOS feature that can protect from that. There has to be a setting where the router/firewall checks whether the incoming packets have the correct source MAC/source IP pair. If not, the packet is not serviced at all.
I just checked that the IP Firewall in Router OS supports source MAC address checking, so in theory it should be possible to check for valid source MAC/source IP pairs and let them through, but for a /24 network this would mean you'll need 254 such entries in your IP Firewall Filter...
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protecting against public IP abuse

Tue May 13, 2014 12:06 pm

I have understood:
you are not using a Gateway/CPE system, you provide only a connection for one LAN.

It's very hard to prevent any...
If the user can sniff the LAN traffic in any way, they can also clone the MAC, not only the IP...

I suggest: when you provide a public IP, give it via EoIP or PPTP... and you are done... :)
I'm Italian, not English. Sorry for my imperfect grammar.
 
awacenter
Member Candidate
Posts: 200
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: Protecting against public IP abuse

Tue May 13, 2014 12:29 pm

Hi lz1dsb,
The things are easier! Set up a PPPoE server and it provides an IP from an IP pool. Let's check the WIKI.

Santiago
 
lz1dsb
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: Protecting against public IP abuse

Tue May 13, 2014 1:25 pm

> Hi lz1dsb,
> The things are easier! Set up a PPPoE server and it provides an IP from an IP pool. Let's check the WIKI.
>
> Santiago

I agree that PPPoE would work in this case... but to me this is an additional overhead. You'll need additional configuration on every user to establish a PPPoE tunnel to the server.
I was thinking about a more dynamic way to achieve this. And I know how to do it in Cisco IOS; two features are needed, they call them:
- dhcp snooping -> the switch dynamically snoops every DHCP request and keeps track of the active bindings.
- ip source guard -> based on the above bindings, the switch will prevent the traffic originated from sources which are not listed in the dynamic IP/MAC bindings.

I was looking at a similar feature in RouterOS, but I wasn't able to find any. So having IP Firewall Filter rules is the only thing I can come up with, but it's an ugly solution because it's not dynamic...
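As an added example (not code from any poster in this thread), here is what the source MAC/source IP filter approach from lz1dsb's earlier post looks like when the rules are generated from the DHCP server's lease table instead of being typed by hand, which is the closest RouterOS approximation of the DHCP snooping plus IP source guard pairing described for Cisco IOS. The DHCP server name dhcp-public, the client-facing interface bridge-clients and the ipsg- comment tags are assumptions; the variables $leaseBound, $leaseActIP and $leaseActMAC are the ones RouterOS hands to a DHCP server lease script, assumed available on the version in use.

```routeros
# Added example, not from the thread. Assumed names: DHCP server "dhcp-public",
# client-facing interface "bridge-clients", rule comments prefixed "ipsg-".

# 1. One-time skeleton: traffic from the client segment whose source IP/MAC
#    pair is not an active DHCP lease is dropped. The accept rules created
#    below are always inserted in front of this rule.
/ip firewall filter add chain=forward in-interface=bridge-clients \
    action=drop comment="ipsg-drop-unbound"

# 2. Seed accept rules from leases that are already bound, so installing the
#    drop rule does not cut off clients that obtained an address earlier.
:foreach lease in=[/ip dhcp-server lease find server=dhcp-public status=bound] do={
    :local ip [/ip dhcp-server lease get $lease address]
    :local mac [/ip dhcp-server lease get $lease mac-address]
    :local tag ("ipsg-" . $mac)
    /ip firewall filter remove [find comment=$tag]
    /ip firewall filter add chain=forward in-interface=bridge-clients \
        src-address=$ip src-mac-address=$mac action=accept comment=$tag \
        place-before=[/ip firewall filter find comment="ipsg-drop-unbound"]
}

# 3. Lease script: paste the lines between the markers into the lease-script
#    field of the "dhcp-public" DHCP server. RouterOS runs it on every bind
#    and release and supplies $leaseBound (1 = bound, 0 = released),
#    $leaseActIP and $leaseActMAC (assumed present on this RouterOS version).
# ---- begin lease-script ----
:local tag ("ipsg-" . $leaseActMAC)
# Drop any stale rule for this MAC first, so a renewed lease with a new
# address replaces the old binding instead of adding a second one.
/ip firewall filter remove [find comment=$tag]
:if ($leaseBound = 1) do={
    /ip firewall filter add chain=forward in-interface=bridge-clients \
        src-address=$leaseActIP src-mac-address=$leaseActMAC action=accept \
        comment=$tag \
        place-before=[/ip firewall filter find comment="ipsg-drop-unbound"]
}
# ---- end lease-script ----
```

With this in place a client that types in an address from the unallocated part of the /24, or a second address on a second device, never gets an accept rule and hits the drop, while the 254-entry bookkeeping is done by the lease script rather than by hand. The drop rule only covers the forward chain; duplicate it and the accept rules with chain=input if the router itself should also refuse spoofed sources. The caveat rextended raised still stands: on a shared segment a client who can sniff the LAN can copy a neighbour's MAC as well as their IP, so this enforces lease bindings but does not replace the per-client tunnel (PPPoE, EoIP, PPTP) suggested above, which gives every client its own interface to match on.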
