How do I protect a low budget network from rogue DHCP servers?

Question

I am helping a friend manage a shared internet connection in an apartment buildling with 80 apartments - 8 stairways with 10 apartments in each. The network is laid out with the internet router at one end of the building, connected to a cheap non-managed 16 port switch in the first stairway where the first 10 apartments are also connected. One port is connected to another 16 port cheapo switch in the next stairway, where those 10 apartments are connected, and so forth. Sort of a daisy chain of switches, with 10 apartments as spokes on each "daisy". The building is a U-shape, approximately 50 x 50 meters, 20 meters high - so from the router to the farthest apartment it’s probably around 200 meters including up-and-down stairways.

We have a fair bit of problems with people hooking up wifi-routers the wrong way, creating rogue DHCP servers which interrupt large groups of the users and we wish to solve this problem by making the network smarter (instead of doing a physical unplugging binary search).

With my limited networking skills, I see two ways - DHCP-snooping or splitting the entire network into separate VLANS for each apartment. Separate VLANS gives each apartment their own private connection to the router, while DHCP snooping will still allow LAN gaming and file sharing.

Will DHCP snooping work with this kind of network topology, or does that rely on the network being in a proper hub-and-spoke-configuration? I am not sure if there are different levels of DHCP snooping - say like expensive Cisco switches will do anything, but inexpensive ones like TP-Link, D-Link or Netgear will only do it in certain topologies?

And will basic VLAN support be good enough for this topology? I guess even cheap managed switches can tag traffic from each port with it’s own VLAN tag, but when the next switch in the daisy chain receives the packet on it’s “downlink” port, wouldn’t it strip or replace the VLAN tag with it’s own trunk-tag (or whatever the name is for the backbone traffic).

Money is tight, and I don’t think we can afford professional grade Cisco (I have been campaigning for this for years), so I’d love some advice on which solution has the best support on low-end network equipment and if there are some specific models that are recommended? For instance low-end HP switches or even budget brands like TP-Link, D-Link etc.

If I have overlooked another way to solve this problem it is due to my lack of knowledge. :)

Answer 1

I think you should go the multi-VLAN route - and not just because of the DHCP server issue. At the moment, you have one big flat network and while to some degree, users should be expected to take care of their own security, I'd personally find it a pretty unacceptable setup.

The only switches that need to be managed are yours. Beyond that, you give each apartment a single port on a specific VLAN - anything downstream of that will be completely unaware of the VLAN and you can function normally.

In terms of your switches - the switch-to-switch ports will need configuring as trunk ports and you will need to be consistent with your VLAN ID's. In other words, VLAN100 MUST correspond to VLAN100 everywhere else on the network.

Other than that, you can set up a "Router-on-a-stick" configuration, with each VLAN (And it's associated pool of IP's*) configured only to route back and forth to the internet and NOT to other internal networks.

*I couldn't think of anywhere else to stick this, but remember that ideally you should be giving your VLANs their own pool of IP's. The easiest way to do this is to keep one of the octets same as the VLAN ID, e.g.

192.168.100.x - VLAN100
192.168.101.x - VLAN101
192.168.102.x - VLAN102

Once all of this is in place, you can really start to take it places with things like Quality-Of-Service, traffic monitoring and so on if you wish!

The "LAN Games" request seems to be a relatively niche request, to me, and certainly not one I'd think about. They can still game normally through NAT by going out to the Internet and back - not ideal, but no different to each apartment having it's own connection which is the norm over here in the UK. On a case by case basis, though, you could add full inter-VLAN routing between apartments which want to share their network in that way.

In fact, you COULD add full Inter-VLAN routing everywhere - that would fix your DHCP issues, allow QoS but is still a massive security issue in my opinion.

Te one thing I've not covered here is your DHCP - presumably you have a single scope at the moment for all of your clients. If you put them onto separate networks then you'll need to manage a separate scope for each VLAN. That's really device and infrastructure dependant, so I'll leave this off for now.

Answer 2

Depending on your budget, at the very least pick up one managed switch and put each floor on a VLAN.

To completely solve your security and DHCP problem, if cabling allows, get a 24-port managed switch for every two floors. If cabling doesn't allow, using patch panels to extend the runs are likely cheaper than more switches.

You could save on gear by getting used 10/100 managed switches, however, depending on the vendor it might require a great deal of expertise to set up (Cisco).

As a programmer thrown into setting up a 1000+ port network in an 8 story office building with fiber, I can say that the D-link managed switches GUI paired with the manual will allow you to do anything you need. I'm not saying you have to use D-Link, I'm just saying I don't think you'll be disappointed. D-Link managed switches (Level 2+) are affordable and can run DHCP on the switch (not recommending this, but it is an option). They have a lower "Smart" switch tier that may do everything you need.

If you do a VLAN per floor a /23 (512 hosts) should be sufficient (go bigger if you plan to ever roll out wireless). If you do a VLAN per apartment, a /27 (30 hosts) should do.

The easiest way to do DHCP for multiple VLANs in my opinion would be to grab a raspberry PI and use ISC DHCP. You can use any low-power machine that has a NIC which supports VLANs. (Personally, I'd grab an EdgeMax router for $99 and run DHCP on that!)

Just pick an IP range/subnet per each VLAN, your ISC DHCP config for a VLAN might look something like this:

subnet 10.4.0.0 netmask 255.255.192.0 {
        interface net0;
        option routers 10.4.0.20;
        option subnet-mask 255.255.192.0;
        pool {
                range 10.4.1.1 10.4.63.254;
        }
}

You can stick global options outside of each scope, so at the very least you'll end up with something like this:

option domain-name "well-wired--apts.org";
option domain-name-servers 4.2.2.2, 8.8.8.8, 8.8.4.4;
default-lease-time 3600;
ddns-update-style none;

If each apartment has multiple network jacks set up spanning tree protocol to avoid loops. This can slow things down if you don't configure it properly causing each port to take 30 seconds or more to come up, so make sure you test it. There's an option you'll want to enable, I believe Cisco calls it PortFast.

I haven't done this personally, but apparently Windows server makes it very easy to set this up.

Also consider:

• A local caching DNS forwarder, traffic shaping and perhaps QoS for VoIP would improve overall responsiveness (should your hardware be capable running said services at line speed).

• If you plan on upgrading security cameras or rolling out wireless, it may be worth getting POE gear.

• Since many cheap Wireless Routers don't function as standalone APs, the best you can hope are that the tenants will be using a Double NAT. If everyone were to plugin their router to your network through the WAN/Internet port that would improve security and eliminate the DHCP problem as well. A well printed instruction sheet with common router brands might save you some equipment and trouble; however, full compliance would be difficult.

• Use a tool like namebench to find the fastest DNS servers for your ISP.

Good luck!

Answer 3

If you have a decent router, one possible solution is to set up one VLAN per apartment and assign a /30 address to each VLAN. Also create a DHCP scope for each VLAN that only assigns one IP address.

For example:

• vlan 100
  • subnet 10.0.1.0/30
  • router 10.0.1.1
  • user 10.0.1.2
• vlan 104
  • subnet 10.0.1.4/30
  • router 10.0.1.5
  • user 10.0.1.6

This solves the problem of gaming between apartments because the router can route between apartments. It also solves the rogue DHCP problem because the DHCP traffic is isolated to that apartment's VLAN and they only get one IP address.

Answer 4

I would choose PPPOE and a simple server, like...mikrotik or whatever supports it. This would seem the easy way. I am sure you solved it by now, but for anyone will have this problem...pppoe is the fastest answer.