1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Possible to stop others from forcing their ip outside DHCP?

Discussion in 'Tomato Firmware' started by blackjackel, Dec 27, 2008.

  1. blackjackel

    blackjackel LI Guru Member

    I am sharing my internet connection, i have OpenDNS installed and QoS and port restrictions, but I can't stop people from forcing their ip outside the 192.168.1.100-150.... is it possible to prevent people from manually forcing their ip?

    I'm giving all the computers in my house an IP via DnsMasq, and these ips are ranging from 192.168.1.2-99 I just want to stop people from forcing themselves inside this area.



    Also, is it possible to separate the wireless network from the wired network so that there is no way for wireless clients to be able to see the pc's on the wired network?


    I don't mind being pointed to a readme, I just dont know what the above procedures are called so I Dont know what to search for.
     
  2. jza80

    jza80 Network Guru Member

    So what is it exactly that you want to do? You list 2 things

    1. Not allow IP addresses outside of 192.168.1.100 - 192.168.1.150

    or

    2. Stop people from forcing an IP address in the range of 192.168.1.2 - 192.168.1.99


    192.168.1.2 - 192.168.1.150 is a big range of IP address. Do you even need or use that many?


    ...


    1. Don't share your connection. Problem solved. :)

    2. Use a smaller range of IP addresses.

    3. Use a subnet mask other then the standard 255.255.255.0 to limit the number of useable IP addresses.

    4. There maybe a way to restrict IPs through iptables, but I'm not sure.


    For seperating wireless and wired, look into VLAN or you can use 2 routers. However with 2 routers, you'll run into double NAT issues.
     
  3. blackjackel

    blackjackel LI Guru Member


    First off, thank you for the response, after several hours I thought the thread was going to go unanswered.

    You asked what I Wanted to do, my primary concern is people trying to force their IP to spoof my 192.168.1.5 to get around my network restrictions, or spoof any other IP from the computers in my house. I want the free shared connections to ONLY be from the ips 192.168.1.100-150 and I don't want them to be able to force their IP lower than 192.168.1.100 or anything outside the 100-150 range.

    I don't know ANYTHING About subnet masks WHATSOEVER. I am now researching it and trying to figure out how I can restrict IPs with it.... are you saying I should use a secret subnet mask for my computers at home and give out a different one for my wireless clients? That way the only way to get an IP on my home network they have to magically guess the subnet mask?
     
  4. humba

    humba Network Guru Member

    Let me recapitulate since I'm still not sure what you want to do:

    You have two network ranges: 192.168.1.2 - 192.168.1.99 for wired clients, with no restrictions in terms of outside connectivity (and all those clients get their IP address via DHCP), and
    192.168.1.100 - 192.168.1.150 manually configured for wireless clients.. and their outside connectivity is limited.

    Is that correct? If so, how do you prevent any wireless client from using DHCP (and thus getting an IP address in your 2 - 99 range)?

    There are threads on separating the wired from the wireless part which you should look up.. it allows you to have two separate subnets with no connectivity (or as much as you like) in between.. and when properly configured it will not be possible for either type of client (wired or wireless) to enter the other subnet because you'll have firewall rules preventing that (so assuming your wired net is 192.168.1.x and your wireless is 192.168.2.x then if you give a wired client the address 192.168.2.5 it will not even be able to talk to the router.. as the router only handles 192.168.1.x connections on its lan ports).

    Unfortunately, neither Tomato nor any of the mods have a web based firewall frontend nor support for multiple subnets and vlans so you'll have to do this all via scripting which means learning a lot of linux internals. It's definitely all doable and I've even done multiple subnets on the wired part (with different ports using a different subnet) but it'll take you a while to get the hang of it.
     
  5. Toxic

    Toxic Administrator Staff Member

    Lets get some answers first.

    1.2-99 in your house? thats 98 devices you assign to an individual computers?

    how many devices need an IP within your house?

    how do your outside clients know your house IP range in the first place?
     
  6. blackjackel

    blackjackel LI Guru Member

    I'm very confused, you say there are ways to seperate the wired and wireless via vlans... but then you say that tomato can't do it without learning a lot of scripting...

    Are these statements (and paragraphs) tied together? Or am I able to seperate the wired from wireless without learning all the linux internals and scripting?


    Well, I don't ASSIGN an IP, I just have computers at 5 12, 43,44. My router is set to DHCP at 192.168.1.100-150. I simply assign the the other ips through Dnsmasq.... the only reason I have that wide a range is so I can spread them out to prevent people from guessing what my computer's IPs are and connecting to them... (its my temporary fix)

    There are about 6 or 7 devicse in my house that need IP's
     
  7. jza80

    jza80 Network Guru Member

    Using a different subnet mask would limit/restrict the usable IP addresses within a certain range. Although you'd still have the problem of people trying to force an IP address (IE: manually setting an IP address) and no seperation between wired and wireless.

    Example: I'm using 255.255.255.248 (/29) on my network which gives me 6 usable IPs. My range of usable IP addresses is 172.25.25.1 - 172.25.25.6 or 172.25.25.0/29.

    .
    .

    To do what you want, you need 2 subnets / 2 seperate networks. Say 192.168.1.x for wired and 192.168.5.x for wireless. For this you need to look into VLAN.

    Other option is 2 routers like I mentioned in my last post. 1 router for wireless and another for wired. It would be hooked up like this: modem --> WAN port of router 1. LAN port on router 1 to WAN port of router 2.

    .
    .


    Router 1 (wireless network)
    --------------------------------

    WAN: Setup to work with your ISP

    LAN: 192.168.1.1, 255.255.255.0

    DHCP: on or off, depending on if you want to use DHCP or not.

    Wireless: setup however you want


    Router 2 (wired network)
    --------------------------

    WAN: Static ip. IP address = 192.168.1.2, Subnet mask = 255.255.255.0, gateway = 192.168.1.1, DNS = IP address of router 1 (192.168.1.1) or whatever IPs your using for DNS.

    LAN: 192.168.5.1, 255.255.255.0

    DHCP: on or off.

    wireless: disabled


    Not an ideal setup, but it does work and its easier to setup then VLANs which require using scripts and iptables commands.

    Computers behind router 2 will be double NAT'ed.

    If you need to port forward to computer(s) behind router 2, you need to port forward to router 1, then from router 1 to router 2.

    Yes to first question. No to second question.

    There is nothing in the web gui of Tomato to setup vlans. However there is guides for setting up vlans, but it still requires copying and pasting scripts.

    There cannot be duplicate IPs in the same network/subnet. It simply does not work.

    A subnet mask of 255.255.255.248 (/29) would give you 6 usable IPs. 255.255.255.240 (/28) would give you 14.
     
  8. humba

    humba Network Guru Member

    Perhaps we should roll this up from the beginning again.. please explain (in terms you would to somebody who knows nothing about your network) again what exactly it is you're trying to do.. as every person who responded to this thread is still gasping at straws - we basically guess what you're trying to do from your current setup without understanding why you have your setup the way it is (and not even fully understanding that). Make sure you explain basics like what happens if I take my computer and plug it into a lan port on your router, and what happens if I connect my computer wirelessly to your network (including do I have to enter some kind of authentication, etc.)

    I could go down a couple different roads and mention a lot of things but that seems rather a waste of time without fully understanding what you really need so I'll just say one thing: if I were to drive by your house and managed to connect to your network, then there are plenty of tools that would allow me to easily figure out behind which IPs there is actually a device.
     

Share This Page