Advice in ARP directions?

Discussion in 'Tomato Firmware' started by jsmiddleton4, Apr 14, 2011.

  1. jsmiddleton4

    jsmiddleton4 Network Guru Member

    When using "Restrict unlisted machines":-

    * DHCP should issue a "range" with only 1 IP address, preferably the administrator's IP - e.g. 192.168.1.100-100.


    I understand the other directions regarding ARP, I don't quite understand this one.

    Is this in the Basic setup where we tell the router where to start with dhcp range? Also I don't start with the router's IP's. In setting up WDS I leave the master and slave router's IP's off the range list so as not to assign their IP's to any clients.

    Advice for ethernet bridge mode is to assign the slave an IP out of the dhcp range....
     
  2. Toastman

    Toastman Super Moderator Staff Member Member

    It is because you need to enable dnsmasq (which handles DHCP), so that it can assign clients numbers from the Static List. But we can't save the page unless some range is enabled in the web GUI for the IP pool. We are forced to set it to assign the minimum, and then, to make sure nobody can get that single IP, we use one that is already being used by a client, so it can't be assigned to anyone.
     
  3. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I have master/admin router set to static IP though, not dhcp. I have master and slave routers with static IP address and then dhcp range starts one more than the slave and then a range of 40 addresses. I don't have a ton of clients.

    This is as directed for WDS or WET. For WDS admin router is xxx.xxx.xxx.001 and slave is xxx.xxx.xxx.002.
     
  4. Toastman

    Toastman Super Moderator Staff Member Member

    Normally Static DHCP is used to tell the client PC's the static IP address you have assigned to them. As opposed to a "manually entered" Static IP on each client PC, which needs the user to set up.

    The "range" of IP addresses, the "pool", is available to assign to normal users who don't have an entry in the static DHCP table.

    I imagine you don't want to issue one of those 40 IP's to anyone, as that's the very reason for turning on the static ARP "restriction" function. So the pool IP's aren't needed. Hence the restriction to only 1 IP that is already issued - to make sure it can't be given to anyone because it is already assigned.

    Your own PC's are already assigned a number from the static DHCP list which is independent of the range set above. Okay, if you've set them manually on the PC's then they won't poll for an address, but that doesn't matter as far as the IP/MAC address binding is concerned. Just continue as if you had NOT set the address manually on each client.
     
  5. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I have no manually set IP's for pc's or clients. Manually set for routers only. Remember in bridge mode I needed to enter the slave IP, even though it is static, in the static DHCP table so ARP didn't cut off internet access through the master router.


    This makes sense to you?

    * DHCP should issue a "range" with only 1 IP address, preferably the administrator's IP - e.g. 192.168.1.100-100.


    Why am I creating a "range" with only 1 IP address? And where do I put the 192.168.1.100-100? (whatever the admin IP is) Which DHCP?
     
  6. TexasFlood

    TexasFlood Network Guru Member

    One more reason to put the static router IPs in the static DHCP table. Even though putting static IPs (that aren't provided via DHCP) in there really serves no purpose, I put mine in there for documentation so I have them all listed in one place.
     
  7. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I appreciate all that. But it still doesn't shed light on this:



    * DHCP should issue a "range" with only 1 IP address, preferably the administrator's IP - e.g. 192.168.1.100-100.
     
  8. TexasFlood

    TexasFlood Network Guru Member

    So from your post above, this appears when using "Restrict unlisted machines", yes?

    OK, my two cents. I looked around for a definition and found the following over on TomatoUSB:
    Now you probably already know all that, just listing it in the interest of completeness.

    Essentially you're restricting access to only clients listed in the known static IP table.

    I don't know about you, but I, rightly or wrongly, keep my static IP assignments outside of the DHCP dynamic pool. Seems like I've read before arguments that this is wrong, that both dynamic and statically assigned IPs should be in the defined pool. All I can say is I separate the two and it works for me. Having said that...

    If you are limiting access to statically assigned addresses and are keeping them separate from the dynamic DHCP pool, then it's logical to minimize the dynamic pool, which had become essentially useless, and maximize the subnet space for static IPs.
     
  9. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Not using it. Trying to understand it and the brief FAQ that goes with it in all the firmwares.

    The dots don't connect....

    Static DHCP IP assignments are still using DHCP. The clients are not statically assigned on their end. With Static DHCP the router is assigning the same IP to the same client each time a new IP is requested.

    It would sorta make sense, although not 100% as the admin IP is still in the DHCP range advice, if I was assigning an IP to each client and not using DHCP.

    In other words "listed" as compared to "unlisted" is not DHCP vs. no-dhcp as if the clients have their own static IP.

    Restrict unlisted clients is not restrict any client who needs dhcp to get an IP. Right?

    The text you posted says it this way: "Clients that have assigned themselves a static IP address" which is fine and all. But that is not static DHCP.
     
  10. jsmiddleton4

    jsmiddleton4 Network Guru Member

    So ARP only works for clients that have static IP's and do not use DHCP at all? Each client has to be configured with static IP/gateway/DNS IP statically?
     
  11. TexasFlood

    TexasFlood Network Guru Member

    I think the reason an admin IP was suggested was so any device could get that IP for local administrative purposes but not access the Internet. As I read it, the restrict access means to not allow you access to the Internet if you're not listed by MAC address in the static DHCP table.

    Looks like that was part of an example of a type of client that would lose access to the Internet once you start using static ARP binding and restricting unlisted devices. The way I read it, dynamically assigned DHCP clients would also lose access.
     
  12. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "As I read it, the restrict access means to not allow you access to the Internet if you're not listed by MAC address in the static DHCP table."

    Me too. That is why it is confusing. How would any client get an IP if the range in the DHCP server setting is limited to one ip?

    As I understand it, any client not listed in the static DHCP table (even if that client has its own assigned IP, like the slave router in WET mode), IF restrict access is selected, loses access to the internet because the Master or main router won't let its MAC through. ARP binding, while not all the security one needs, is a practical way to help secure a wireless system. ARP looks at the DHCP static table for its information.

    I could be wrong of course. But that is my understanding and why ARP settings being on the DHCP table page make great sense.

    But if that is the case, I continue to be befuddled by the directions about dhcp range and admin ip.
     
  13. TexasFlood

    TexasFlood Network Guru Member

    Because that's only the dynamic pool range, the static list has nothing to do with that in my experience.
     
  14. jsmiddleton4

    jsmiddleton4 Network Guru Member

    DHCP clients can't get an IP to be listed in the DHCP static table if there is only a one-IP range in the DHCP server setup.

    And we aren't talking about static IP's. We're talking about DHCP Static IP's.
     
  15. TexasFlood

    TexasFlood Network Guru Member

    Well, I disagree, I think, getting a little confused here. So just to test, I set my DHCP pool to 1 IP then released and renewed two clients connected to the router. They got their defined static IPs, as listed in the router static DHCP table, just fine through DHCP. Again, my static DHCP IP list is not, and never has been, in the same range as the dynamic pool listed in the basic network setup page.
     
  16. Toastman

    Toastman Super Moderator Staff Member Member

    Let's begin again.

    We have 3 things going on here.

    1) Static DHCP.
    2) Static ARP binding
    3) Restrict unlisted machines.

    (1) Static DHCP is where we set an IP address to be issued to a particular MAC address. If that device has an IP already manually set, it won't be issued since the device doesn't ask for it - but it must nevertheless be set here for use by (2).

    (2) This list allows us to accomplish two extra things. We use it to bind the IP address in the table to the MAC address we have listed for that device. So if a client changed his IP address to try to get past all access controls, he would be refused access. That is the primary purpose of Static ARP.

    But we also use it for a secondary purpose:

    (3) We want to restrict unlisted machines. Therefore, any machines we don't want restricted HAVE to be in the list. This is regardless of whether the device concerned actually polls for an IP address via DHCP or has one manually assigned by the client. Any client not in the list has the MAC address 00:00:00:00:00:00 entered against it, which is invalid, and therefore cannot get access.

    We set a range of 1 in the DHCP assignment at "Basic/Network/DHCP Server" only because we need to have dnsmasq running. To do that, the GUI requires at least one number to be entered here. If you don't enter anything, then dnsmasq doesn't work. Try it and see what happens.

    So we assign 1 address to keep it working, and then just to make sure it doesn't get used by anyone else we use an IP that is already being used. It's just a trick ...

    Next.

    There's a lot of misinformation about the range of IP's to be used for static DHCP. ANY address can be entered, it doesn't need any special range. It's nice to do that just to be tidy, but it isn't actually necessary.
     
  17. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Are you following me Texas? IF you limit the ip range to one IP the only way all other clients are going to have an IP/Gateway/DNS is for that client to have it hard coded. The router will give out the one IP and be done as the pool is limited to one IP by the range setting.

    You won't have any DHCP Static IP list as no one, save the one client who gets the one IP in the pool, will be listed in the device listing to be added to the DHCP static IP address table. You can't limit the available IP addresses in the DHCP pool on the one end and then act as if the client information will be available on the other.
     
  18. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "we need to have dnsmasq running."

    When did dnsmasq get in the mix?
     
  19. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "Static DHCP is where we set an IP address to be issued to a particular MAC address."

    Yes, but that is assigned from the available dhcp addresses the router is told to use. The client does not determine that. So if you tell the router it only has one IP, then all clients either get that one IP or no IP.
     
  20. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "It's nice to do that just to be tidy, but it isn't actually necessary."

    Also a bit of security to limit range to the number of authorized clients.
     
  21. TexasFlood

    TexasFlood Network Guru Member

    I thought I was following you but maybe I'm not. So I set mine to have one IP address in the dynamic pool. Doesn't change anything for me. All my clients are defined in the static DHCP table. They can all get their assignments just fine, I just tested it, and there is still one left in the dynamic pool since I don't use that. It will impact dynamic assignments, because there is only one dynamic address. It does nothing to the 41 assigned addresses in my static table.

    If that's not what you're talking about then guess I'm -not- following.
     
  22. jsmiddleton4

    jsmiddleton4 Network Guru Member

    * DHCP should issue a "range" with only 1 IP address, preferably the administrator's IP - e.g. 192.168.1.100-100.

    My question is about that direction and if it is accurate. It seems to only be true IF your clients are statically or hard coded for their own IP/Gateway/DNS information. You can't restrict DHCP pool IP's on the one hand and then on the other expect clients to be given a DHCP address to classify as a static DHCP address.
     
  23. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "All my clients are defined in the static DHCP table."

    Where did they get their IP's from if the pool is limited to one IP?

    In other words you boot one of those clients or request a refresh of their IP information, where do they get it from?

    Or maybe where did they get it from in the first place?
     
  24. TexasFlood

    TexasFlood Network Guru Member

    It's what is behind making the static DHCP allocations work I believe.

    Again, from my experience only the dynamic range is in that pool, the static assignments don't have to be in that pool and I've always kept my static assignments out of that pool.
     
  25. TexasFlood

    TexasFlood Network Guru Member

    dnsmasq allows you to define static IPs on any address on the subnet, doesn't have to be in the assigned dynamic pool, so I keep them separate.
     
  26. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Which statics?

    Where did your clients get their IPs from in the first place? And if dnsmasq is overriding the DHCP setup information, then isn't that a loose end?
     
  27. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "dnsmasq allows you to define static IPs"

    Sorry, but when? When did your clients first get their IPs via DHCP, whether it's DHCP or dnsmasq?

    If it's the case that before you do any ARP stuff you need to leave the DHCP range wide open, then go through device listing, assign DHCPs statically, then once all clients are assigned, THEN turn on ARP and change the range in the DHCP server settings, ok. Fine.

    But that is not what the little faq direction thing is saying.
     
  28. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Let's say you have a new client that can be part of your network and access the internet. You have already assigned the one IP available in the pool. The new client can't get an IP as the pool is exhausted. So to add a new client AND use restrict in the ARP piece, one has to turn off restrict, open up the range, let the new client be assigned an IP, then go back to device mode, add the new client to the static table, then turn on restrict... and then redo the range back to the single IP?

    Or you can manually add the MAC and whatever IP you want to assign to the client?

    This is how it works?

    That there is no connection between the available pool of IP addresses that can be assigned using the range setting in DHCP Network setup and dnsmasq is a little confusing as well. Is dnsmasq its own master?
     
  29. TexasFlood

    TexasFlood Network Guru Member

    From the static DHCP table, which is essentially an extension of the pool defined in basic setup. I consider it extending the range rather than overriding it. That table info is being fed by the firmware to dnsmasq. You can call it a loose end if you want, I call it a feature.

    My clients get their IPs via DHCP when the client interface configured for DHCP broadcasts a DHCPDISCOVER and the server may respond with a DHCPOFFER of what in my case is a static IP based on the client MAC.
     
  30. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "From the static DHCP table"

    And how do they get there? That is my question.....

    "My clients get their IPs via DHCP..."

    Not if the range is compressed to one IP in network setup and the need is for an unused IP...
     
  31. Toastman

    Toastman Super Moderator Staff Member Member

    Ah, I see where the misunderstanding is. The range we are talking about at "Basic/Network/DHCP Server" is used for assigning IPs to clients who don't have static IPs. The ones that we wish to have static IPs get them because we enter them in the Static DHCP table.

    Anything that does have a static IP set, i.e. anything in the list - will still be issued. They are treated quite separately. They don't have to have any entry in the DHCP range entry box.
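An added model of the three features Toastman separates in posts 16 and 31 (not Tomato or dnsmasq code; the null-MAC rule for unlisted addresses follows his description, the "a table address need not lie in the pool" rule follows the dnsmasq dhcp-host option TexasFlood cites, and the MACs are constructed). It assumes an unlisted client can at least be offered a pool address; whether it can is argued later in the thread, and the model only decides what the router binds in ARP afterwards.

```python
from ipaddress import IPv4Address, IPv4Network

NULL_MAC = "00:00:00:00:00:00"  # what Tomato binds to every unlisted address (per Toastman)


class TomatoLan:
    """Router-side model: Static DHCP table, static ARP binding, restrict unlisted."""

    def __init__(self, subnet, router_ip, pool_start, pool_end,
                 static_dhcp, restrict_unlisted=False):
        self.subnet = IPv4Network(subnet)
        self.router_ip = IPv4Address(router_ip)
        first, last = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.pool = [IPv4Address(n) for n in range(first, last + 1)]
        # Static DHCP table: MAC -> IP.  Entries may lie anywhere in the subnet,
        # inside or outside the dynamic pool (dnsmasq dhcp-host semantics).
        self.static_dhcp = {m.lower(): IPv4Address(ip) for m, ip in static_dhcp.items()}
        self.restrict_unlisted = restrict_unlisted
        self.leases = {}  # IP -> MAC currently handed out

    def dhcp_request(self, mac):
        """Address offered to a requesting MAC, or None if the pool is exhausted."""
        mac = mac.lower()
        if mac in self.static_dhcp:            # listed: table address, pool irrelevant
            ip = self.static_dhcp[mac]
            self.leases[ip] = mac
            return ip
        for ip in self.pool:                   # unlisted: first free dynamic address
            if ip not in self.leases:
                self.leases[ip] = mac
                return ip
        return None

    def arp_entry(self, ip):
        """Static ARP entry the router holds for ip; None means no static entry."""
        ip = IPv4Address(ip)
        by_ip = {v: k for k, v in self.static_dhcp.items()}
        if ip in by_ip:
            return by_ip[ip]                   # static ARP binding of listed IP to its MAC
        if self.restrict_unlisted and ip in self.subnet and ip != self.router_ip:
            return NULL_MAC                    # unlisted address: invalid MAC, no access
        return None

    def has_access(self, mac, ip):
        """Whether a host speaking as (mac, ip) gets through the router."""
        entry = self.arp_entry(ip)
        return entry is None or entry == mac.lower()


def thread_scenario():
    """Pool 192.168.1.100-100 with the admin PC already on .100, restrict on.
    MAC addresses are constructed sample values."""
    lan = TomatoLan("192.168.1.0/24", "192.168.1.1", "192.168.1.100", "192.168.1.100",
                    {"aa:bb:cc:00:00:01": "192.168.1.100",   # admin PC holds the 1-IP pool
                     "aa:bb:cc:00:00:02": "192.168.1.20"},   # listed client outside pool
                    restrict_unlisted=True)
    return {
        "admin": lan.dhcp_request("aa:bb:cc:00:00:01"),
        "listed_outside_pool": lan.dhcp_request("aa:bb:cc:00:00:02"),
        "new_unlisted": lan.dhcp_request("aa:bb:cc:00:00:99"),   # None: pool used up
        "listed_spoofing_admin_ip": lan.has_access("aa:bb:cc:00:00:02", "192.168.1.100"),
        "listed_on_own_ip": lan.has_access("aa:bb:cc:00:00:02", "192.168.1.20"),
    }


if __name__ == "__main__":
    for name, value in thread_scenario().items():
        print(f"{name}: {value}")
```

Widening the pool lets the unlisted client obtain an address, but with restrict on its address is still bound to the null MAC, which is the distinction the thread circles around.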
     
  32. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Not quite but almost. Think new client and authorized client who is requesting an IP/Gateway/DNS assignment. Not one that has already been given a dhcp assignment that is already in the static dhcp table. Yes, they don't have their own static IP. They need one assigned. Want to make sure they always get same IP so they will need to be added to dhcp static table. But it is still dhcp. They can't get a new IP as the range is compressed to one IP.

    I don't want to manually add each new client by hand.
     
  33. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "They don't have to have any entry in the DHCP range entry box."

    The dhcp range has to be large enough to cough up an IP to a new client.
     
  34. TexasFlood

    TexasFlood Network Guru Member

    The dnsmasq man page describes the behavior better than I have.
    Go to the page linked to above and look under the following option.
    Code:
    -G, --dhcp-host=[<hwaddr>][,id:<client_id>|*][,set:<tag>][,<ipaddr>][,<hostname>][,<lease_time>][,ignore]
     
  35. TexasFlood

    TexasFlood Network Guru Member

    A new DYNAMIC client, which as of right now I have none. All my clients DO use the DHCP dynamic host configuration protocol, but are being served static IP addresses through it.
     
  36. TexasFlood

    TexasFlood Network Guru Member

    OK, well in my case I -do- want to assign each one by hand. If you don't then that's fine, assign a bigger pool, but those clients aren't going to have the static MAC/IP relationship required for static ARP filtering to work, see Toastman's earlier post regarding this.
     
  37. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Thanks, but it's not about dnsmasq.

    It's about the advice in the ARP page being confusing.

    You can't compress the dhcp client IP range to one available address and then act as if new clients will get an assigned DHCP address from which you can work, add to static DHCP table and then have them have access IF ARP is using restricted access. New clients will not receive an IP address because the DHCP range compression is preventing it.

    At some point a new client has to be given an IP address IF you are using dhcp. Limiting the range makes adding new clients cumbersome or requires manually adding the client information to the dhcp static table. As I did with my slave router messing with WET mode.

    If you are saying the DHCP range compression doesn't prevent new clients from getting an IP address as dnsmasq overrides the compressed range setting, then yes, that's a loose end.

    Once a client has an address and it has been added to the static dhcp table even if manually that is a different matter and has not been part of my confusion.

    You can't limit the range on one end and then act as if a DHCP assignment will be given out on the other. It doesn't work that way.

    So limiting the range will impact how new clients get added and what work the administrator has to do to allow new clients to join the network. Again IF you use restrict access.
     
  38. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "OK, well in my case I -do- want to assign each one by hand."

    That is fine. Neither way is right or wrong. It's that the advice, which people do read and try to follow, on the ARP page is not accurate. Or at least it isn't the whole story. If you follow that advice AND a new authorized client taps your network, that new client will not get an IP without doing some work.

    The little faq line needs some tweaking.

    "but those clients aren't going to have the static MAC/IP relationship required for static ARP filtering to work"

    Not exactly. All that is needed for ARP to work is to turn off restricted access for a second; they request an IP assignment, and once they have an assigned DHCP address from the more expansive range of available IPs in the pool, the new client will be listed in device mode. You add them to the DHCP static table with one click: add, save, and they are now in the table ARP looks at. If you want to use restricted access you just turn it back on.
     
  39. TexasFlood

    TexasFlood Network Guru Member

    Well it's at least in part about dnsmasq, you did ask at least one specific question, and a few related, about that.

    Having said that, I think that I get your point, finally, :wink:.

    If you mean that - if you build the static list by allowing a new client to get a dynamic address then adding them to the static list through the GUI, then having a dynamic range of only one restricts you to only being able to do so with ONE client before the range is exhausted. If that's not your point, then I'm still not following.

    This doesn't really bother me as it's not going to happen very much and I can just release the single IP afterwards. It actually makes good sense to me to maximize the space available for static addresses vs dynamic because that's what I use.

    But you can set it up however works best for you. Sounds like you believe that the advice in the ARP page should be more clear. Maybe. Didn't bother me but perhaps room for improvement there.
     
  40. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "Sounds like you believe that the advice in the ARP page should be more clear."

    Just the line about compressing the range and the admin IP. Needs to be put in context to include something like once you have all clients with IP addresses..... or if you need to add a new client then you will need to .... etc.

    I agree that if a network is adding lots of new clients regularly, ARP binding and restriction is probably not a good idea.
     
  41. TexasFlood

    TexasFlood Network Guru Member

    Maybe so. I'm pretty used to working around imperfect or non-existent documentation but guess there is no reason not to strive for improvement.

    I don't see anything wrong with my statement. You described a procedure to establish the relationship after which static ARP filtering would work, which does not contradict my original statement. Anyway, I think I get what you're trying to say, the disagreements are getting pretty picky now, :smile:.
     
  42. jsmiddleton4

    jsmiddleton4 Network Guru Member

    The other way to look at this is even if I have a wide range of IP addresses in my DHCP pool, IF restrict access is set in ARP, any non-listed client is not going to get an IP from the DHCP pool. They can't. They are restricted.

    I know, I've played with this.

    Being restricted means what it says. Which is why we use it.

    The only way a new client, a non-listed client, can get an IP from the dhcp pool is if you turn restricted access off. So having a wide range in the dhcp pool does not weaken restricted access. At least in my simple testing.

    So I see no advantage to limiting the range of IP addresses.
     
  43. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "the disagreements"

    What disagreements?

    "I'm pretty used to working around imperfect or non-existent documentation"

    I prefer for the documentation to at least get close and not be confusing. I guess this is where we disagree.

    I'm off to work.
     
  44. TexasFlood

    TexasFlood Network Guru Member

    Never mind, forget I said it, :smile:

    Can't argue, have a good day, evening, whatever it is where you are.
     
  45. TexasFlood

    TexasFlood Network Guru Member

    Only if you run out of IP space for static use, which I haven't yet.
     