Prevent IP messing


We have a few clients who are NOT behind NAT. due to the fact that we have a bandwidth manager that enforces bandwidth management by IP, we have had a clever alec who changed the IP on his PC to one that had a better bandwidth class allocation.

Of course after about an hour we realised and shut him off. My question is… how can we prevent our clients from doing this?


I had this problem as well, so i install a cheapie broadband router at every client and password lock it. Also allows me to change ip information and port forawarding etc remotely.

Thanks for your reply.

THat, however, does not stop an enterprising kid from unplugging the network cable from the router and sticking it into his LAN card on his PC and messing with the IPs.

Are there better solutions to this?

our bandwidth manager does ip-mac binding, so they can only use the assigned ip address on one lan interface.

I see. What bandwidth manager do you use?

We currently use the Allot NetEnforcer.

i’m using Planet BM-2010A, not the best on the market but its doing the job for now. If you dont mind me asking, what sort of price did you pay for the netenforcer? ive been trying to get a quote but they not responding.

I bought ours on Ebay so I paid a fraction of what it would cost as new.

It seems there is really no way to prevent a user from changing their IP short of NAT at the SM. Someone clever enough to change their ip to avoid bandwith caps, knows that they can remove the locked router from the picture entirely, and replace it with a switch. NAT the SM… or, reduce the allowed bandwith on the SM, and give some bursting

We had a problem a while ago with someone trying to use up the gaps in our public IP ranges,we have Mikrotik that everything passes through and only accepts our IPs,the only way I stopped him was to enter all the unused IP addresses into Queues and give them a 1k/1k bandwidth allowance which stopped the nifty little bugger !

satseeker1 wrote:
the only way I stopped him was to enter all the unused IP addresses into Queues and give them a 1k/1k bandwidth allowance which stopped the nifty little bugger !


that doesnt stop him from using a previous IP that allowed a certian bandwidth. I use BAM to control bandwidth but i had customers taking eachother offline by stealing IP’s. this made me sad so i went to a dhcp network.

I would enforce the cap inside the sm if you dont have bam. That way no matter what Ip he has he can only get the right amount of bandwidth

put the cheap router locked and go back to fixed ip.
That way users dont know the ips at the wan side.

unless they go to

I would suspend service for 7 days. If it happened again I would disconnect him.

I would agree with Jerry, if anyone starts doing that on our network they are kicked off per our AUP/TOS agreement. Period.

We handle this by always doing bandwidth allotment in the SM. All SM’s are in NAT mode unless the customer can give me a good enough reason not to. (ie we have one who has a cisco pix router at her house and has to have a public address in that). Also if they need port forwarding we use the DMZ in the router. If for some reason the DMZ does not work for a VPN we can provide the IP address in the WAN side of the router, but we supply the router and maintain control of it. We use the Belkin F5D7231-4 for this.

Use authentication by MAC address. This way if the device asking for an IP address does not have a MAC address that matches their account it wont be assigned an address by the DHCP server. This also solves the issue of them sing a switch and pugging in several computers.

Satseeker1 the Mikrotik has a user database that will handle this and will also control their bandwidth individually.

If they just enter an IP address manually, then the fact that the DHCP server does not allocate an IP address does not really solve anything.

it does if you set a rule in you’re firewall or router to drop all traffic from IP’s that are not dynamically assigned.