Help kill off DHCP/ARP Binding "feature"

Discussion in 'Tomato Firmware' started by lightsword, Aug 30, 2013.

  1. lightsword

    lightsword Serious Server Member

    I started using some of the newer Tomato builds and ran into this huge problem. Someone apparently made this security feature that locks out all non-directly-connected wireless clients, and on top of that made it so there was no way to disable the so-called "feature". For many situations ARP binding seems to cripple networks by preventing many devices from having a way to connect to the internet if they are using bridging devices or repeaters. So far I haven't found any way to kill this thing off. There are a lot of new features in the Toastman and Shibby builds that would be very useful, but this "feature" is so crippling it makes everything nearly unusable. Is there a process I can kill or a script that would disable this? I've spent hours looking, but all I find are others who have been unable to solve this and have had to resort to performance-crippling things such as WDS. WDS is also extremely finicky and just doesn't work right for some devices, hence the need for bridges.
  2. mstombs

    mstombs Network Guru Member

  3. Toastman

    Toastman Super Moderator Staff Member Member

    If you don't like it, don't use it.

    Doesn't removing the tick in the "bound to" column work?

    NB - I have changed the thread title to remove the emotive description of static ARP as "useless and network crippling". If it does this in your installation, then you must be using it wrongly. Using these words in your thread title is spreading misinformation.
    Last edited: Sep 1, 2013
  4. jerrm

    jerrm Network Guru Member

    I personally would not want it gone. Although limited as an actual security measure, I find it useful for management. I have scripts that assume it is checked - although they could probably be rewritten without too much grief.

    I just tested here with Shibby and unchecking removes the arp table entry. Not sure what else would need to be done to consider it disabled.
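    Following up on the observation above that unchecking the box removes the ARP table entry, here is an added example (not from this thread or from the Tomato project) of a POSIX shell script that reads the kernel's /proc/net/arp table and reports which entries carry the permanent flag (bit 0x4, ATF_PERM), i.e. which clients are currently held by a static binding, so an administrator can confirm what the "bound to" checkbox actually did. The sample table is constructed; on a router the functions read the real table from stdin.

```shell
#!/bin/sh
# Constructed sample in the format of /proc/net/arp on a Linux router
# (not captured from a real Tomato device). Flags column:
#   0x2 = complete, learned dynamically
#   0x6 = complete + permanent (ATF_PERM): a static binding
#   0x0 = incomplete: no ARP reply received yet
sample_arp_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x6         00:11:22:33:44:55     *        br0
192.168.1.11     0x1         0x2         00:11:22:33:44:66     *        br0
192.168.1.12     0x1         0x6         00:11:22:33:44:77     *        br0
192.168.1.13     0x1         0x0         00:00:00:00:00:00     *        br0
EOF
}

# Read an ARP table on stdin and print "ip mac device" for every entry with
# the permanent bit set; on the router: list_static_arp < /proc/net/arp
list_static_arp() {
    tail -n +2 | while read -r ip hwtype flags mac mask dev; do
        [ -n "$ip" ] || continue
        if [ $(( $flags & 4 )) -ne 0 ]; then
            printf '%s %s %s\n' "$ip" "$mac" "$dev"
        fi
    done
}

# Number of static bindings in the table on stdin.
count_static_arp() {
    list_static_arp | wc -l | tr -d ' '
}

# Classify one MAC address (first argument) from the table on stdin as
# "static", "dynamic", "incomplete" or "absent".
classify_mac() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    result=absent
    while read -r ip hwtype flags mac mask dev; do
        [ "$mac" = "$want" ] || continue
        if [ $(( $flags & 4 )) -ne 0 ]; then result=static
        elif [ $(( $flags & 2 )) -ne 0 ]; then result=dynamic
        else result=incomplete; fi
    done
    echo "$result"
}
```

A device behind a bridge or repeater that shows up as "incomplete" or "absent" here is not being resolved at all, which is a different failure from one that is present but "dynamic" and merely unbound.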
  5. Toastman

    Toastman Super Moderator Staff Member Member

    I agree that MAC (and even IP) spoofing may be relatively easy, but as "geeks" we often do not remember that very, very few people out there in the real world actually know how to do it, or are even capable of doing it. Indeed, many people I have tried to explain the concept of IP and MAC spoofing to still couldn't do it. Even most technical support staff working for the ISPs have no idea that it can be done or how to do it, in my experience.

    Ultimately, there isn't any way to make an installation 100% bombproof, internet protocols and systems were never designed with security in mind.

    Incidentally, I have many, many installations some of which are 6 (??) years old, and I haven't ever noticed or suspected spoofing, and this is in environments where people might well be expected to try it to avoid payment ;)
    Last edited: Sep 1, 2013
  6. jerrm

    jerrm Network Guru Member

    I agree. Many of the "easily circumvented" security measures are enough to stop 99% of casual users trying to get around some limitation.

    Sort of like locking the front door on your house. Anyone that really wants to get in will, but you should do it anyway. There is a saying "keeping an honest person honest."

    The trick is not to be fooled into a false sense of security and think the measures do more than they really do.