I haven’t found any documentation that explains how to keep customers from changing their IP address to interfere with another customer or from using more than one IP. Static ARP is the best thing we’ve come up with. Any suggestions besides turning NAT on?
I assume that you are assigning the IP to the computer? If so, I would suggest that you consider using the NAT feature in the radio - it works very well for 95% of residential users. It also eliminates a layer of pain. If you can log into the SM and see that the Ethernet port has a link, then you know you are good to the house. At that point, you can recommend a PC store that you partner with…
In the case where a customer needs ports opened up, they are probably sophisticated enough to know to not change their IP address. We have them go buy a router and put the IP in that and then we turn off NAT in the SM. We have them enable remote management on port 8080. We don’t even need the password, all we need to be able to do is get to the login screen of the router.
In our opinion, all business or SOHO customers should have a router so they can enable remote access, etc.
Well… At least I don’t have to feel bad that I overlooked anything. We decided that if we turned on NAT in the SM, there was no point in using public IPs at all. The problem is that people that are sophisticated enough to want port forwarding are sophisticated enough to be able to change their IP address, and wireless is challenging enough without dealing with security concerns on a daily basis. Thanks for your take on it. I appreciate it.
No I don’t think you overlooked anything, and static ARP is probably your best bet. If you assigned a PC’s ARP Table a static entry for your default gateway to the Internet and port filtered ARP requests from leaving the SM, if they would attempt to change their IP address the Link-Layer Gratuitous ARP packet would be stopped at the SM and I believe the IP address changing process would not complete, therefore their IP address wouldn’t change. When you think about it, this is not a bad solution if your customer is simply using your network for Internet access. Assign static ARP entries for your DNS Servers as well as your edge router.
The only other use for Gratuitous ARP that may get a little weird is that it updates other ARP tables on your LAN with the Link-Layer MAC address of the PC/Router. But as I type this, I just realized that you would also have to make static ARP entries in the tables of your DNS servers and router. If the router or DNS servers need to know the MAC of a PC, they will also send out an ARP request. Your filtered SMs will pass this on to the PCs and the PCs will respond, but the response will halt at the SM since the filtering is turned on.
It would be nice if ARP/RARP/Gratuitous ARP utilized a Transport Layer Protocol with an assigned port number that you could get your hands on and simply filter that “request” port number at the SM. That way you could assign your gateway and DNS addresses to the PCs on the LAN, filter the ARP “request” port at the SM, and still allow requests to pass through and responses to pass back to your router and DNS servers.
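As an added illustration (not code from any poster), here is a small Python parser for IPv4-over-Ethernet ARP frames together with the per-opcode filter the post above wishes the SM could apply: outbound requests (including gratuitous announcements, where sender IP equals target IP) are dropped, while replies to the router's or DNS servers' own lookups still pass. The `sm_policy` function, the MAC addresses and the sample frames are all constructed for this example.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass
class ArpFrame:
    opcode: int
    sender_mac: bytes
    sender_ip: str
    target_mac: bytes
    target_ip: str

    @property
    def is_gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own binding: sender IP == target IP.
        return self.sender_ip == self.target_ip

def parse_arp(frame: bytes) -> ArpFrame:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(op, sha, ".".join(str(x) for x in spa),
                    tha, ".".join(str(x) for x in tpa))

def build_arp(src_mac, dst_mac, op, sha, spa, tha, tpa) -> bytes:
    """Constructed helper: assemble a frame so the example runs without a capture."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + struct.pack("!6s4s6s4s", sha, ip(spa), tha, ip(tpa)))

def sm_policy(frame: ArpFrame, direction: str) -> str:
    """Hypothetical per-opcode filter at the subscriber module (SM).
    direction: 'out' = customer LAN toward the network, 'in' = network toward customer.
    Requests may not leave the SM; replies and anything inbound are forwarded."""
    if direction == "out" and frame.opcode == ARP_REQUEST:
        return "drop-gratuitous" if frame.is_gratuitous else "drop-request"
    return "forward"

# Constructed sample addresses and frames (not from any real network)
PC_MAC, GW_MAC = bytes.fromhex("00112233aa01"), bytes.fromhex("00112233ff01")
BCAST, ZERO = b"\xff" * 6, b"\x00" * 6
GRAT = build_arp(PC_MAC, BCAST, ARP_REQUEST, PC_MAC, "203.0.113.99", ZERO, "203.0.113.99")
REPLY = build_arp(PC_MAC, GW_MAC, ARP_REPLY, PC_MAC, "203.0.113.10", GW_MAC, "203.0.113.1")
```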
Assigning static ARP to all the end users’ PCs could get a little hairy. We’re really shooting for a “plug and play” setup. That’s why we decided against PPPoE. The end user could still change their address by unplugging from the network; Gratuitous ARP wouldn’t give a response. The packets still couldn’t leave the network since the static ARP table on the gateway wouldn’t allow it. So it’s a good idea, but it’s a management headache, and it doesn’t add much as far as security; there’s also the added side effect that the PCs on the network would not be able to talk to each other in the case of Skype or being on the same BitTorrent tracker.
I got to thinking that a Private VLAN with a couple of tweaks could do the trick. The setup would require:
- a unique VLAN id on each SM
- DHCP only assigns 1 IP for each VLAN
- firewall blocks everything except the VLAN/MAC/IP combination
- gateway responds to all ARP requests with its own MAC
I’ll let the guys shoot holes in that idea on Monday. I’ve never tried anything like this, so it might not be possible, but it’s the best thing I’ve come up with. We looked at using /30 subnets but decided that was too expensive a use of IPs, 4 per customer. Thanks for the ideas! It keeps me thinking.