Can I add MAC filtering for LAN (wired) connection?

Discussion in 'Tomato Firmware' started by BaileyMoto, Aug 4, 2009.

  1. BaileyMoto

    BaileyMoto Addicted to LI Member

    Everyone on my network is wired, we offer no wireless, but I would still like to implement MAC filters to prevent people from adding their own routers or to prevent visitors from hooking up to an existing line in an empty room. What is the best way to accomplish this?
  2. WRobertE

    WRobertE Addicted to LI Member

    You could set an Access Restriction with:
    "All Day" and "Everyday" and "Block All Internet Access" with
    "Applies To All Except" and set the MACs that are permitted access.

    I think this would prevent unknown MACs from using the system.
  3. fyellin

    fyellin LI Guru Member

    I'm not at home so I can't verify this for sure. I'm pretty sure that WRobertE's solution will block access to the WAN, but it will still allow access to the LAN.

    If you're worried about a casual user blocking into an existing line and downloading bit files, then this solution is more than sufficient. If you're worried about an experienced hacker breaking into other computers on your local network, then you still have a problem. But then again, an experienced hacker would have no problem changing the MAC address of his computer to be an "allowed" MAC address.
  4. BaileyMoto

    BaileyMoto Addicted to LI Member

    How about turning DHCP off and assigning static IPs to each device/MAC?

    I assume that the IP would then have to be entered into the client computer manually?

    At this point, only blocking access to the WAN would be just fine.
  5. mstombs

    mstombs Network Guru Member

  6. BaileyMoto

    BaileyMoto Addicted to LI Member

    Funny that you mention that, I was just going to ask about it.

    Now, the question is, would ARP Binding with "limit unlisted machines" yield a different outcome than the above method of "block all internet access" under "access restrictions"? With exceptions applied to listed MAC or IP addresses, of course.
  7. fyellin

    fyellin LI Guru Member

    Ugg. I need to proofread my messages better. I write the text, then rearrange it, and occasionally leave gibberish behind. I just re-read my last message and realized I hit "send" a minute too soon.

    In any case. I need to repeat my original query: What's the threat that we're trying to protect against? Let's try a worst case scenario. A skilled hacker sees an unused machine. She plugs her laptop into an unused ethernet jack, and a little bit of packet sniffing reveals the IP address and mac address of that unused desktop. She unplugs the desktop and sets up her own laptop with the identical MAC and IP addresses. She's on the network. The router is none the wiser.

    So again. I think that WRobertE's solution is more than adequate. But it's important to realize its limitations, too. If BaileyMoto is worried about casual theft of his bandwidth, then great. If he's worried about top-secret info leaking, then not so great.
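The distinction fyellin draws (the restriction gates LAN-to-WAN forwarding and checks only the MAC a frame presents) can be made concrete by modelling the Tomato "Block All Internet Access / Applies To All Except" rule as the iptables rules it amounts to. This is an added example, not Tomato's own code; the interface names br0 (LAN bridge) and vlan1 (WAN) are assumptions for a WRT54G-class router.

```python
"""Model of a Tomato access restriction that blocks all Internet access except
for listed MACs.  Added example, not Tomato's own code.  Assumed interfaces:
br0 = bridged LAN, vlan1 = WAN uplink."""
from dataclasses import dataclass

LAN_IF = "br0"    # assumption: Tomato's bridged LAN interface
WAN_IF = "vlan1"  # assumption: WAN port on a WRT54G-class router


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so 00-1A-2B... and 00:1a:2b... compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_rules(allowed_macs) -> list[str]:
    """iptables FORWARD rules equivalent to the restriction: listed MACs may
    reach the WAN, everything else coming from the LAN is dropped."""
    rules = []
    for mac in allowed_macs:
        rules.append(f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} "
                     f"-m mac --mac-source {normalize_mac(mac)} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} -j DROP")
    return rules


@dataclass
class Frame:
    src_mac: str
    in_if: str
    out_if: str  # WAN_IF for Internet-bound traffic, LAN_IF for LAN-to-LAN


def forward_decision(allowed_macs, frame: Frame) -> str:
    """Return 'ACCEPT', 'DROP' or 'NOT_FILTERED'.

    Only traffic routed from LAN to WAN traverses FORWARD.  Frames switched
    between two LAN ports are modelled as never reaching these rules, which is
    why the LAN stays open.  The rule sees only the MAC the frame carries, so a
    cloned MAC is indistinguishable from the listed device."""
    if not (frame.in_if == LAN_IF and frame.out_if == WAN_IF):
        return "NOT_FILTERED"
    allowed = {normalize_mac(m) for m in allowed_macs}
    return "ACCEPT" if normalize_mac(frame.src_mac) in allowed else "DROP"
```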
  8. BaileyMoto

    BaileyMoto Addicted to LI Member

    Just trying to block casual users/stealing and additions of extra devices, such as iphones, etc.

    Let me give a rundown...

    I work for a Fire/EMS company in Iraq. We have about 15 people, give or take, in this station. Some pay for our private internet, others don't. We also have other firefighters and paramedics who fill spots on occasion from other stations. Each room/dorm is wired to the switch. I am just trying to prevent non-paying users from taking up our very precious bandwidth, not to mention other devices. It will also make it easy to simply cut someone off when they don't pay, as we have a couple of guys who love to get behind, forcing me to front the money.

    Our internet is very slow, so anything to free up a KB or so here and there helps. To give you an idea, we share a 1024/512 satellite connection. This connection is also a 1:20, which I believe means we then share it again with 20 other accounts around Iraq. We are, however, considering upgrading to a 1:10 connection, which should free things up. When downloading a file, I get right around 5KB/sec, on a good day, with it dropping below 1KB/sec (around 800 bytes/sec) during peak.

    This is mostly used for Skype, instant messengers, and regular web browsing. I am attempting to filter out anything and everything else.
  9. fyellin

    fyellin LI Guru Member

    Ouch. And I thought my Mom's house and her dial-in modem was bad!

    You'll do fine with the solutions above.
  10. Toastman

    Toastman Super Moderator Staff Member

    I've used the method described by WRobertE for the last 2 years; it works well and so far has not been compromised (as far as anyone knows!). Of the methods outlined, I think it is the most reliable; it is the only one that's worked 100% and never failed.
  11. baldrickturnip

    baldrickturnip LI Guru Member

    or the absolutely foolproof method - unplug the LAN cable from the switch for sockets and areas that are not allowed :D
  12. BaileyMoto

    BaileyMoto Addicted to LI Member

    The problem with that is there are 2 other switches, besides the 'server room'. We have a separate building where the medics' dorms are, with 1 cat5 cable running to it, which obviously then patches into another switch, which supplies 5 dorms.

    I have really no control over that switch, as it is in one of the dorms.
  13. BaileyMoto

    BaileyMoto Addicted to LI Member

    Here are some screenshots of some current QoS.

    Haven't done much with classifications yet, as I haven't had much time to read about it. Not really sure how to set things up.