Address Resolution Protocol Binding

Discussion in 'Tomato Firmware' started by jsmiddleton4, May 20, 2008.

  1. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Need to ask another basic question. I've read about Address Resolution Protocol Binding and find lots of definitions but what I can't find is how to use this, when to use it, what context this is a valuable option to use, etc. So how do you use this feature on the new firmware from victek? How do you put it into practice in a home network environment?
     
  2. LLigetfa

    LLigetfa LI Guru Member

    I presume it is static ARP. One use for static ARP is to fix an ARP to a specific IP so that IP based rules can be applied where MAC based rules are not available.
     
  3. mstombs

    mstombs Network Guru Member

    Not sure if it is the same meaning, but I recently came across a need for static arp for a user who wanted to use WOL via port-forwarding to an IP address.

    Ethernet comms work by MAC address, the arp protocol is used to find "who has" the MAC address for a given IP address. The arp cache is dynamic - entries are removed after about 5 minutes of no activity, so a sleeping PC doesn't respond. This can be overcome by making the IP/MAC mapping static using the command

    Code:
    arp -s [IP] [MAC]
    The stock version of Tomato doesn't have the userspace arp command (easily added as busybox config option), but you can view the contents of the kernel arp table using

    Code:
    cat /proc/net/arp
    (this information is used in the web gui device list, in addition to the dhcp table).

    The arp protocol is totally insecure (it's really old...), just based on trust so there are plenty of exploits if someone has physical access to your lan (arp-spoof, arp-poison...).

    I'm guessing that with static arp binding you can turn off the auto arp discovery mechanism and only allow LAN clients with pre-defined IP/MAC to connect. This would reduce the arp broadcast traffic (minimal) and add a small amount of security (small because MAC addresses are so easy to clone...)
     
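    The `/proc/net/arp` table described above can be checked against the list of IP/MAC pairs you have bound, to spot a bound IP answering from a different MAC, an unknown device, or a binding that was never made permanent. This is an added example, not code from the thread or from the Tomato firmware; it assumes the binding list is a plain "IP MAC" text file, and the sample ARP table and binding list below are constructed for the demonstration.

```shell
#!/bin/sh
# Compare a kernel ARP table (layout of /proc/net/arp) with a binding list.
# Assumed binding-list format: one "IP MAC" pair per line (hypothetical).
# Findings printed, one per line:
#   MISMATCH - bound IP seen with a different MAC (IP theft / ARP poisoning)
#   UNLISTED - complete ARP entry whose IP is not in the binding list
#   DYNAMIC  - bound IP whose entry lacks the permanent flag (ATF_PERM = 0x4),
#              i.e. the "arp -s" style binding is not actually in effect
check_arp_bindings() {
    arp_table="$1"   # file in /proc/net/arp layout
    bindings="$2"    # file with "IP MAC" lines
    awk '
        NR == FNR { want[$1] = tolower($2); next }   # first file: bindings
        FNR == 1 { next }                            # second file: skip header
        $3 == "0x0" { next }                         # incomplete entry, no MAC yet
        {
            ip = $1; mac = tolower($4)
            d = substr($3, length($3), 1)            # low hex digit of the flags
            perm = (d ~ /[4-7c-f]/)                  # 0x4 bit set => permanent
            if (!(ip in want)) { print "UNLISTED " ip " " mac " " $6; next }
            if (want[ip] != mac) print "MISMATCH " ip " expected " want[ip] " saw " mac
            else if (!perm)     print "DYNAMIC " ip " " mac " (not flagged permanent)"
        }
    ' "$bindings" "$arp_table"
}

# Constructed sample binding list (what the ARP binding page would hold).
BIND_SAMPLE=$(mktemp)
cat > "$BIND_SAMPLE" <<'EOF'
192.168.1.10 00:11:22:33:44:55
192.168.1.11 00:11:22:33:44:66
192.168.1.12 00:11:22:33:44:77
EOF
# Constructed sample ARP table: .10 bound and permanent (0x6), .11 bound but
# dynamic (0x2), .12 answering from the wrong MAC, .50 unlisted, .60 incomplete.
ARP_SAMPLE=$(mktemp)
cat > "$ARP_SAMPLE" <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x6         00:11:22:33:44:55     *        br0
192.168.1.11     0x1         0x2         00:11:22:33:44:66     *        br0
192.168.1.12     0x1         0x2         AA:BB:CC:DD:EE:FF     *        br0
192.168.1.50     0x1         0x2         00:de:ad:be:ef:01     *        br0
192.168.1.60     0x1         0x0         00:00:00:00:00:00     *        br0
EOF

check_arp_bindings "$ARP_SAMPLE" "$BIND_SAMPLE"
```

    On the router itself you would pass `/proc/net/arp` as the first argument instead of the constructed sample.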
  4. Victek

    Victek Network Guru Member

    You are right, this is the target of this feature as implemented.
     
  5. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I'm sorry but I'm still missing a piece that would enable me to see what this looks like in practice. When or how does one use this in a home network setting?
     
  6. LLigetfa

    LLigetfa LI Guru Member

    In a home network where all the players are well behaved I can see no practical application for this. It's for when users don't play fair and start stealing IPs or poisoning the ARP cache to mess with each other that the feature shines.
     
  7. jsmiddleton4

    jsmiddleton4 Network Guru Member

    OK. Sometimes I need to see how the thing looks in practice to understand how it works behind the scenes. If that makes any sense. I didn't see how this would be applicable in a home network environment practically.

    And at the same time I'm not sure how I'd even poison an arp cache. Now poison a carp stash, sure. But an arp cache? How would you even do that?
     
  8. mstombs

    mstombs Network Guru Member

    see for starters http://en.wikipedia.org/wiki/ARP_spoofing
    To see arp (etc) in action on your home network have a look at wireshark.

    I know there are folk that use WRT54GL-type routers in commercial applications, but would like to think the Tomato mod is more likely to be used in a student house where 'users' are trying to circumvent the access restrictions put in place to share out the limited bandwidth!
     
  9. TexasFlood

    TexasFlood Network Guru Member

    Wonder if this would give some extra control to help parents with kids able to do things like change MAC addresses by not allowing an unknown MAC to get on the network? By defining only a limited number of trusted MAC/IP combinations? Maybe I'm dreaming, but always looking for creative ways to control what my kids are doing on my network.
     
  10. LLigetfa

    LLigetfa LI Guru Member

    Ja, that's exactly what I meant about not well behaved. Kids know all the tricks about stealing IPs and changing MACs. There are also cases where they kick each other off with stuff like NetCut.
     
  11. jsmiddleton4

    jsmiddleton4 Network Guru Member

    So we set it up almost like static dhcp assignments? Turn on ARP binding, put in MACs and IPs as assigned via static assignments, and then turn on limit nonlisted users?

    In a small home network that isn't that hard. I can see how it would be prohibitive in a large client setting. But me I have 4 laptops and 1 desktop to assign.

    Sorry but need to ask a few questions. When it says Limit unlisted.... what does "limit" mean? No connection? Slow connection? What is the limit in limit? Also what may be some "gotchas" that we may not intuitively think through with this? Should we add any WDS slave router's IP/MAC? Access point's IP/MAC?
     
  12. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Prior to this tweaked version, not sure what the right word is, I've noticed a problem with ip/mac/dhcp assignments when using bridge mode or wet mode. I'd get duplicates of the "slave" router in my main router and that made using some of the stuff like mac filters hard to do. So I've stuck with WDS mode as it works fine although just a tad slower. With this ARP feature I have assigned all IP/MAC in the ARP setup, they are also static assigned via dhcp as before, and all my IPs/MACs/etc. work perfectly. Which IF I understand, not sure I do 100 percent, makes sense. The ARP assignments are static now, so what the main router is picking up to display is constant.

    Although something about ip/mac/dhcp via WET mode may have been addressed and all bets are off. But I'm guessing it's the ARP thing that is fixing the WET ip/mac/dhcp display thing in the main router.

    Jim
     
  13. jsmiddleton4

    jsmiddleton4 Network Guru Member

    There's a question about how to use the limit access option. At this point it seems to me that IF you have folks who may stop by with a laptop who you want to allow access, friends, family, etc., whom you trust, if you want to let them access the web, etc., without having to mess with your settings in the router you'd want to leave that unchecked. Otherwise every time they come over you have to change a setting. Although once there you can add their MAC/IP/etc. to the arp settings and be done with it......

    I'm still trying to figure out how limited "limit" is....
     
  14. mstombs

    mstombs Network Guru Member

    MAC filtering is common for wireless connections - does this mod just extend the same concept for all including wired? Or do you still need to use the wireless MAC filter?
     
  15. jsmiddleton4

    jsmiddleton4 Network Guru Member

    ms...

    My understanding is the arp thing is similar but different than MAC filtering. If that makes any sense.
     
  16. TexasFlood

    TexasFlood Network Guru Member

    I almost posted nearly the same question the other day. From what I'm reading, it may not work by the same mechanism as wireless MAC filtering but can effectively do the same thing for both wired and wireless. If I'm reading that right then this adds a level of MAC security to the wired connections that I haven't seen before on a home router.
     
  17. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I've gone back to wds. Still have an issue with resolving one device connected to the slave router. It's a Denon 3808 receiver. It's one of the devices that was messing up with WET mode and getting duplicates for mac/ip etc. While it seemed to be fine with using the ARP thing and WET, the Denon internet radio could not get out to the web to the internet radio. I could access the Denon locally. It could not find "out there" anywhere. Back to WDS and it's fine. Also found out that if I turn on the option to reduce packet size the Denon chokes. Gotta wonder what the network card/implementation is in it. I bet it's limited in its implementation and that's part of the problem with WET issues.
     