Hello everybody,
I have a network with 10 VLANs (192.168.1.0 - 192.168.10.0). A Microtik 1100ahx2 is the DHCP- and Radiusserver (MAC-Adress). Everything works so far. Now I have ONE new laptop cart with one AP (Router with DDWRT as AP) and 15 laptops. I would like the laptop cart ONLY in 4 VLAN functions. In the remaining 6 VLANs the laptops should not get IPs. How can I do this?
By static dhcp lease? Static IP lease with 4 different IPs to one MAC address (= one laptop)?? How to block the other VLANs??
Please give me a tip.
Thanks and regards
-
-
VlanLearner
just joined
- Posts: 18
- Joined:
Laptop cart should only work in certain VLANs - please help!
Last edited by VlanLearner on Sun Jul 02, 2017 7:46 pm, edited 1 time in total.
-
-
VlanLearner
just joined
- Posts: 18
- Joined:
Re: Laptop cart should only work in certain VLANs - please help!
Sorry for push up! I realy need some help and the first posting was very late 
VLanLearner
VLanLearner
-
-
VlanLearner
just joined
- Posts: 18
- Joined:
Re: Laptop cart should only work in certain VLANs - please help!
PLEASE - anybody out there?
Re: Laptop cart should only work in certain VLANs - please help!
Maybe it's the radius part that scares people off. Normally you can add "blocking lease" like this:
Code: Select all
/ip dhcp-server lease
add server=<server> mac-address=<mac address> block-access=yes-
-
VlanLearner
just joined
- Posts: 18
- Joined:
Re: Laptop cart should only work in certain VLANs - please help!
Hello Sob,
many thanks for your response!!
It's like you wrote it, the respect for the Radiusserver.
Is there a way to write the MAC addresses only once and then assign these to all 6 "forbidden" VlANs (= 6DHCP server)?
So for example: block (this) MAC address on all 10 DHCP Server and allow only on DHCPServer1 + DHCPServer2 + DHCPServer3 + DHCPServer4 ??
I am grateful about every tip!
VlanLearner
P.S. can I block a single dhcp server for (one) MAC-Adresses via firewall-rules e.g. 11:22:33:44:55:66 for dhcp-ServerNr.7. Is there a address list available for MAC addresses?
many thanks for your response!!
It's like you wrote it, the respect for the Radiusserver.
Is there a way to write the MAC addresses only once and then assign these to all 6 "forbidden" VlANs (= 6DHCP server)?So for example: block (this) MAC address on all 10 DHCP Server and allow only on DHCPServer1 + DHCPServer2 + DHCPServer3 + DHCPServer4 ??
I am grateful about every tip!
VlanLearner
P.S. can I block a single dhcp server for (one) MAC-Adresses via firewall-rules e.g. 11:22:33:44:55:66 for dhcp-ServerNr.7. Is there a address list available for MAC addresses?
Re: Laptop cart should only work in certain VLANs - please help!
I didn't test it, but perhaps this could work:
But it still requires you to enter MAC address multiple times. At least it would be "safe" (see below) by default.
Another way could be writing a script, which would take all blocking leases from one dhcp server instance and synchronize them with others (add new and delete old). That way, you could enter each MAC address only once.
Also remember that not giving address might not be enough, because it's still possible to assign one manually. You can use DHCP's add-arp=yes option together with arp=reply-only, but it only prevents communication through router, not with other devices in LAN. But this would be dead end anyway, you can really deal with only accidental connections to wrong LAN. Anyone trying to do it on purpose can simply change device's MAC address.
Code: Select all
/ip dhcp-server lease
add mac-address=xx:xx:xx:xx:xx:xx block-access=yes comment="block by default"
add mac-address=xx:xx:xx:xx:xx:xx server=<name> address=<address or pool> comment="allow for this server"Another way could be writing a script, which would take all blocking leases from one dhcp server instance and synchronize them with others (add new and delete old). That way, you could enter each MAC address only once.
Also remember that not giving address might not be enough, because it's still possible to assign one manually. You can use DHCP's add-arp=yes option together with arp=reply-only, but it only prevents communication through router, not with other devices in LAN. But this would be dead end anyway, you can really deal with only accidental connections to wrong LAN. Anyone trying to do it on purpose can simply change device's MAC address.