Repeated DNS, 32 subnet mask and fake DHCP gateway
Posted: Thu Dec 16, 2010 4:40 am
by namo
Hello, I have a D-Link modem that is connected to a Mikrotik router (v4.14 with hotspot setting), which in turn is connected to bridged outdoor APs.
First, DNS question:
Modem settings:
WAN: IP from ISP
LAN: 192.168.0.1
DNS: two DNS servers from the ISP
Mikrotik settings:
WAN: 192.168.0.2
LAN: 192.168.1.1
DNS: the same two as on the modem, plus two from Google (8.8.8.8 and 8.8.4.4)
APs (bridge):
LAN: from the same subnet, 192.168.1.0/24
DNS: the ISP DNS
Since I already have DNS in the modem, is there a problem with repeating the DNS in the Mikrotik router or the APs, or is it fine? Should I leave the DNS as it is now, leave them blank, fill in 192.168.1.1 as DNS, or fill in different DNS (for example Google's)?
Second, netmask question:
To have the clients isolated, I set the netmask in the DHCP to 32 instead of 24. Does this cause a problem, or slow the network or the internet?
Third, fake gateway question:
At one point, to protect against Netcut, I set two IPs on the LAN Ethernet port: 192.168.1.1/24 and 192.168.3.1/32.
My DHCP has IP 192.168.1.1/24, netmask 32 and gateway 192.168.3.1.
My hotspot IP is 192.168.1.1.
Does this setting slow things down?
I will be thankful if I get answers to those 3 questions.
Re: Repeated DNS, 32 subnet mask and fake DHCP gateway
Posted: Thu Dec 16, 2010 5:14 pm
by Feklar
1.) You can always use whatever DNS servers you want; it never really matters, it's only an IP address that a client goes to to resolve host names. The ones the ISP gives you are usually closer to you on the network than some other servers. An access point should only be a layer 2 device, and has no need for DNS servers. In fact, strictly speaking, an access point, or any layer 2 device, never needs an IP address assigned to it to work; the IP addresses you assign to them are just for management needs. If the access points that you have are really just routers you bought off the shelf, then you are asking for TONS of problems.
2.) A /32 means a single client; by placing a /32 on your DHCP server, it will not hand out DHCP to anyone, because there are not going to be any other hosts available on that subnet. What do you mean by isolating clients? There are several ways to do it depending on your goals and setup, but most of them involve having the proper hardware in the network to support it.
3.) There have been several posts on this, and the answer has always been the same; look at them. The router never has been and will never be able to prevent things like Netcut, people stealing access by MAC spoofing, or people trying to hack each other over the layer 2 network. YOU, the service provider, must set up these protections at the edge of your network by investing in the hardware to support this and using the necessary settings. You are basically asking a layer 3 device that has no access, knowledge, or control over the edge of the layer 2 network to control what goes on there. It is not possible; it can only control what it does and the traffic that goes over it.
Re: Repeated DNS, 32 subnet mask and fake DHCP gateway
Posted: Thu Dec 16, 2010 9:26 pm
by namo
1) I am not talking about which DNS to use, but rather: if I already have DNS in the ADSL modem, is it better to leave it blank or fill in 192.168.1.1 (the hotspot IP)?
2) The DHCP: 192.168.1.0/24
netmask: 32
gateway: 192.168.3.1
and it is giving out IPs in the range 192.168.1.2-192.168.1.254 with subnet mask 255.255.255.255.
Re: Repeated DNS, 32 subnet mask and fake DHCP gateway
Posted: Thu Dec 16, 2010 10:49 pm
by Feklar
The MikroTik needs DNS servers because it itself needs to resolve host names for the Hotspot or if you use the proxy. It also needs DNS servers so it can pass them on to the end user via DHCP. An end user needs DNS servers so they themselves can resolve host names. A layer 2 or layer 3 device will never resolve host names for an end user. So the answer is yes, you need to have DNS servers on the devices that need them.
If your setup for IP addresses there works at all, I would be very surprised. The default gateway you are specifying is not going to be on the same subnet as the client. Since the default gateway is not on the same subnet, the client has no way to route traffic there, and there is a very good chance the DHCP client will not accept it. If you are thinking that assigning each end user their own subnet as a way of "isolating" them is going to prevent people from scanning the LAN of the network, you are, simply put, very wrong. At best, all you would be doing is adding one very simple problem to overcome to prevent people from scanning the LAN, while at the same time VASTLY increasing the complexity of your setup. At worst, and the most likely outcome, you are looking at a setup that you will spend a ton of time setting up and that will not work at all.
The whole reason for a hotspot is to allow anyone from anywhere to get online by going through a simple login process, without them having to jump through a ton of hoops or modify settings on their computer. The more complicated you make it, the more you are going to upset your users, and more users will opt not to use it. In addition to making it harder on the end user, your support costs go up drastically due to how hard the network is to use.
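The subnet-and-gateway reasoning in the reply above can be checked mechanically from a client's point of view. The following script is an added example, not code from the thread or from MikroTik; it uses only Python's standard-library ipaddress module. The three DHCP offers it audits are constructed from the addresses the thread mentions, and the function names are my own.

```python
import ipaddress

# Constructed sample DHCP offers modelled on the configurations discussed in
# the thread (not captured from any real device). Each entry is
# (client IP, prefix length, offered default gateway).
SAMPLE_OFFERS = [
    ("192.168.1.50", 24, "192.168.1.1"),  # ordinary /24 lease, router as gateway
    ("192.168.1.50", 32, "192.168.3.1"),  # /32 lease pointing at the "fake" gateway
    ("192.168.1.50", 32, "192.168.1.1"),  # /32 lease: even the router's real IP is off-link
]


def gateway_is_onlink(client_ip: str, prefix: int, gateway: str) -> bool:
    """True when the gateway falls inside the subnet the client was given.

    A host only ARPs for next hops inside its own prefix, so a gateway
    outside it cannot be reached by a strictly conforming IP stack.
    """
    iface = ipaddress.ip_interface(f"{client_ip}/{prefix}")
    return ipaddress.ip_address(gateway) in iface.network


def peers_on_link(client_ip: str, prefix: int) -> int:
    """Number of other unicast addresses the client treats as directly reachable.

    /31 and /32 networks carry no separate network/broadcast addresses, so only
    the client's own address is subtracted; shorter prefixes also lose the
    network and broadcast addresses.
    """
    network = ipaddress.ip_interface(f"{client_ip}/{prefix}").network
    if prefix >= 31:
        return network.num_addresses - 1
    return network.num_addresses - 3


def audit_offer(client_ip: str, prefix: int, gateway: str) -> dict:
    """Summarise what a strictly conforming client would do with this offer."""
    onlink = gateway_is_onlink(client_ip, prefix, gateway)
    peers = peers_on_link(client_ip, prefix)
    if onlink:
        note = "gateway reachable; normal lease"
    else:
        note = "gateway off-link: client has no route to it and may reject the lease"
    return {
        "client": f"{client_ip}/{prefix}",
        "gateway": gateway,
        "gateway_onlink": onlink,
        "peers_on_link": peers,
        "usable": onlink,
        "note": note,
    }


def audit_offers(offers):
    """Audit a list of (client IP, prefix, gateway) tuples."""
    return [audit_offer(*offer) for offer in offers]


if __name__ == "__main__":
    for verdict in audit_offers(SAMPLE_OFFERS):
        print(verdict)
```

Running it shows the two sides of the thread's dispute side by side: the /32 lease leaves the client with zero on-link peers, which is the isolation namo was after, but it also puts every gateway off-link, including 192.168.1.1 itself. namo later reports that the setup did work in practice because the router's LAN port also carried 192.168.3.1/32 and answered for it; the audit models the strict behaviour Feklar describes, which is what you should assume for clients you do not control.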
Re: Repeated DNS, 32 subnet mask and fake DHCP gateway
Posted: Fri Dec 17, 2010 6:31 am
by namo
The fake IP was working, but I was wondering whether it was slowing things down. It works because the LAN Ethernet port on the Mikrotik has the IPs 192.168.1.1/24 and 192.168.3.1/32. Anyway, I removed 192.168.3.1 so it doesn't cause issues.