limiting network access
Posted: Sun Feb 17, 2013 6:46 pm
I wan't to limit access for unknown computers in my network.
I have set up eth-lan with arp: reply only; set up dhcp with pool: static only, made some static ARP addresses.
From this point - no one can get dhcp, so can't get any kind of network with just plugging in cable.
But if someone put in static ips in own laptop - they won't have access to internet, but can have access to other computers/servers in same broadcast network (/24).
so i wan't to have some monitoring/script to see:
a) if someone unknown is asking for dhcp
this code logs every dhcp request (also allowed ones). any idea to implement this excluding allowed addreses?
i was thinking about adding to address list, but there is ip addresses, not mac.
b) if someone has set up static ip
here i figured out that i could add for all static dhcp leases address-list parameter
then i have a filter which allows access for computers and log & block access to internet/other networks:
i know this one won't block access to that broadcasting /24 network, but my idea is that if computer will have set up all ips (not only ip and mask, everything else left blank), it will genereate some traffic, that will be catched in log.
ideally it would be great to receive an email with computers MAC address. problem is to filter only one entry, not to have 100 emails in minute (because log fills up pretty quickly).
does anyone could give some ideas?
i can't find to have an option for running some script in rules action, so there problably none!?
I have set up eth-lan with arp: reply only; set up dhcp with pool: static only, made some static ARP addresses.
From this point - no one can get dhcp, so can't get any kind of network with just plugging in cable.
But if someone put in static ips in own laptop - they won't have access to internet, but can have access to other computers/servers in same broadcast network (/24).
so i wan't to have some monitoring/script to see:
a) if someone unknown is asking for dhcp
Code: Select all
/ip firewall filter add action=log chain=input comment="DHCP block" dst-address=255.255.255.255 dst-port=67 in-interface=ether1-i-lan log-prefix=askdhcp_ protocol=udp src-port=68
i was thinking about adding to address list, but there is ip addresses, not mac.
b) if someone has set up static ip
here i figured out that i could add for all static dhcp leases address-list parameter
Code: Select all
/ip dhcp-server lease
add address=192.168.1.20 address-list=computers mac-address=XX:XX:XX:XX:XX:XX server=dhcp-int
Code: Select all
/ip firewall filter
add chain=forward in-interface=ether1-i-lan src-address-list=computers
add action=log chain=forward comment=INL-block in-interface=ether1-i-lan log-prefix=T_
add action=drop chain=forward comment=INL-block in-interface=ether1-i-lan
ideally it would be great to receive an email with computers MAC address. problem is to filter only one entry, not to have 100 emails in minute (because log fills up pretty quickly).
does anyone could give some ideas?
i can't find to have an option for running some script in rules action, so there problably none!?
