eliast
newbie
Topic Author
Posts: 25
Joined: Sat May 27, 2006 6:31 pm
Location: Hungary

Allow Only DHCPed clients through firewall

Thu Aug 02, 2007 6:38 pm

Hi all!

I'd like to achieve the following: on a private wired Ethernet network, I'd use DHCP for clients. All clients are static, so every time a client connects it would be given the same IP based on its MAC address... In the firewall I'd like to let ONLY those clients through who connected with DHCP. (So if someone statically assigns an address, it couldn't go to the net.)

Is it possible with RouterOS? Maybe I have to parse the DHCP leases periodically (15 secs) and regenerate the firewall rules each time?

I cannot use PPPoE. (With profiles this can be done, but I have bridged VLANs and other stuff, so I need exactly the above solution...)


Thank you in advance!
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Re: Allow Only DHCPed clients through firewall

Thu Aug 02, 2007 7:13 pm

You could use DHCP with RADIUS authentication. That way every MAC address would be checked against the RADIUS database and you could control which IPs those MACs were given. Now someone could still set their IP address statically in the same subnet...

To work around that, this may work... Set the DHCP server to add ARP entries for leases. Then set ARP to reply-only on the DHCP interface. That way the ARP table should only contain entries statically entered, and dynamically created by DHCP (which is authenticated via RADIUS).

I don't know how you would firewall this, because you're dealing with IP/MAC addresses that are not constant. The only way I can think of to limit access would be to either disable ARP completely and create static entries for every user, or use the method above.

I guess you could code some fancy script to pull the current leases from the DHCP server and then create an address-list to use in conjunction with the firewall. It seems possible to me.

You could also use the hotspot package and use MAC-based authentication... I do this for an MDU (multiple dwelling unit) where we have set up fiber to each building and Ethernet in every tenant. I use MAC-based auth + hotspot to keep rogue users from just plugging in and getting on.
 
eliast
newbie
Topic Author
Posts: 25
Joined: Sat May 27, 2006 6:31 pm
Location: Hungary

Re: Allow Only DHCPed clients through firewall

Thu Aug 02, 2007 9:12 pm

Thank you for the answers; RADIUS and ARPing seem to be a good idea! I'll give them a try. Does MikroTik not support dynamic firewall rules like Cisco, for example?

For example, creating a dynamic list based on leases every x seconds. Will the firewall rule that is assigned to it (source-list) be applied to the current list content? This way it should work, I think.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Re: Allow Only DHCPed clients through firewall

Fri Aug 03, 2007 2:30 am

I'm sure you could create a dynamic list based on IP addresses; you'd need to create a script and run it at x interval. I haven't used Cisco's products much, but MikroTik doesn't have a built-in "variable" or address list for the DHCP leases. That's where a script would come in.

From a management and security perspective I think the ARP/RADIUS solution would be better, and definitely more scalable.

For a quick and easy fix, setting up the script might take less time than configuring the RADIUS server. However, what's to keep that user from just setting his computer up for DHCP? You'd need some kind of MAC-based authentication or static ARP entries to keep rogue users from connecting statically or dynamically. So I still think ARP/RADIUS is going to be more effective.
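The "script plus address-list" approach mentioned in the two replies above, written out as an added example (this is not code from the thread or from MikroTik, and it uses RouterOS v6-style scripting syntax). All names are assumptions: LAN interface `bridge-lan`, DHCP server `dhcp-lan`, address-list `dhcp-clients`, a 15-second scheduler interval and a 45-second entry timeout.

```routeros
# Added example, not from the thread: keep an address-list in sync with the
# currently bound DHCP leases and let only those hosts be forwarded.
# Assumed (constructed) names: bridge-lan, dhcp-lan, dhcp-clients.

# --- script body: save as /system script name=sync-dhcp-list ---
# Entries get a timeout a bit longer than the scheduler interval, so a lease
# that disappears ages out of the list by itself and the list is never emptied
# wholesale while it is being rebuilt.
:local listName "dhcp-clients"
:local hold 45s
:foreach lease in=[/ip dhcp-server lease find server="dhcp-lan" status="bound"] do={
    :local addr [/ip dhcp-server lease get $lease address]
    :local mac  [/ip dhcp-server lease get $lease mac-address]
    :local existing [/ip firewall address-list find list=$listName address=$addr]
    :if ([:len $existing] = 0) do={
        /ip firewall address-list add list=$listName address=$addr timeout=$hold comment=$mac
    } else={
        # refresh the expiry instead of re-adding (a duplicate address is rejected)
        /ip firewall address-list set $existing timeout=$hold comment=$mac
    }
}

# --- one-time configuration ---
/system scheduler
add name=sync-dhcp-list interval=15s on-event="/system script run sync-dhcp-list"

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge-lan src-address-list=dhcp-clients action=accept \
    comment="hosts holding a bound DHCP lease"
add chain=forward in-interface=bridge-lan action=drop \
    comment="anything else from the LAN, e.g. a hand-configured static IP"
```

The match is on IP only: while a lease is still bound, a second machine that copies that address by hand would pass the rule, which is exactly the gap the reply above points out and why the ARP reply-only / RADIUS method is described as the stronger one.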
 
jagowan
Frequent Visitor
Posts: 50
Joined: Wed Apr 04, 2007 5:34 am

Re: Allow Only DHCPed clients through firewall

Fri Aug 03, 2007 8:49 am

I think generating dynamic firewall rules based on DHCP leases is not a simple way, but if you only want to allow people who connected via DHCP (not static IP) to have an internet connection, managing RADIUS authentication, adding ARP for leases and configuring ARP reply-only is enough.

Regards
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Allow Only DHCPed clients through firewall

Tue Aug 07, 2007 3:45 pm

Note that DHCP leases are processed before the firewall rules.
That's why, to secure DHCP leases, you need to use static leases and disallow dynamic leases.
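The ARP-based setup suggested earlier in the thread (DHCP server adds ARP entries for its leases, interface in ARP reply-only mode) combined with the static-leases-only point made in this reply, as an added configuration example that is not from the thread or from MikroTik. Interface name `ether2-lan`, server name `dhcp-lan`, the 192.168.10.0/24 subnet, the MAC addresses and the RADIUS server address are all constructed; the RADIUS secret is a placeholder.

```routeros
# Added example, not from the thread: static leases only, ARP entries created
# by the DHCP server, interface set to arp=reply-only. Names and addresses are
# constructed placeholders.

/ip address
add address=192.168.10.1/24 interface=ether2-lan

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# address-pool=static-only: no dynamic leases at all, only the MACs listed below
# add-arp=yes: a matching ARP entry is created when a lease is bound and
#              removed again when the lease ends
/ip dhcp-server
add name=dhcp-lan interface=ether2-lan address-pool=static-only add-arp=yes \
    lease-time=10m disabled=no

/ip dhcp-server lease
add server=dhcp-lan mac-address=00:11:22:33:44:55 address=192.168.10.10 comment="tenant A"
add server=dhcp-lan mac-address=00:11:22:33:44:66 address=192.168.10.11 comment="tenant B"

# Optional: have the server check MACs against RADIUS instead of (or as well as)
# the local lease table. Placeholder server and secret.
/radius
add service=dhcp address=192.168.1.5 secret=REPLACE-WITH-SHARED-SECRET
/ip dhcp-server
set dhcp-lan use-radius=yes

# reply-only: the router never learns ARP entries by itself on this port. A host
# that typed in an address by hand has no entry, so the router cannot resolve it
# and its packets go nowhere, whatever IP it chose.
/interface ethernet
set ether2-lan arp=reply-only

# Anything that must not use DHCP (a printer, say) needs a permanent static entry.
/ip arp
add address=192.168.10.250 mac-address=00:11:22:33:44:77 interface=ether2-lan comment="printer"
```

Because the DHCP exchange is handled before the filter rules, as this reply notes, the admission decision here is made by the lease table (or RADIUS) rather than by the firewall; the firewall then only ever sees hosts that the router can actually resolve.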
 
Xeta
just joined
Posts: 8
Joined: Fri Feb 24, 2006 8:45 pm

Re: Allow Only DHCPed clients through firewall

Tue Mar 18, 2008 8:54 pm

Sounds interesting, I've been looking for something like this.

I've got one other question though: the clients for DHCP that aren't authorized will get an automatic private address (169.254.0.0/16). Is there any way that we can add a gateway to it, or some other workaround? The idea is, clients that aren't authorized by the DHCP + RADIUS would be shown a message that they either haven't paid their bill or just aren't authorized.

Thanks in advance.
