
I'm new here.

I'm looking for a way to prevent my network users from connecting to the internet using static IPs set on their devices outside the DHCP range (DHCP range: 10.5.0.1-10.9.254.254). It's like denying a device if its IP doesn't match its MAC and vice versa, as I have some static leases.

Example:

An unauthorized client with a static IP (defined on the device) of 10.0.3.1 tries to connect to the internet, as he knows that this address is registered to another computer and that computer is not turned on to use the internet, so he may get connectivity. However, the router notices that the IP of the client's device does not match the records stored in the static leases list, and thus it denies usage of that IP and blocks the connection to the internet.

I also have static leases.

Edit: I am using Ubuntu server on an IBM x3400 server with 4 NICs. I also plan to implement a captive portal and/or DansGuardian+privoxy or similar.

  • I don't know if your switch supports it, but this is what DHCP snooping and dynamic ARP inspection are for. They will prevent a host which doesn't match the DHCP snooping table (IP address assigned by DHCP) from sending into the switch. It is normally possible to statically assign MAC/IP address pairs for statically addressed devices like printers. – Ron Maupin Mar 11 '16 at 16:14
  • What switch are you talking about? I have 100+ static leases in the form of IP+MAC – Matt Markevičius Mar 11 '16 at 16:46
  • The switch(es) to which the end-hosts connect. – Ron Maupin Mar 11 '16 at 16:49
  • It is a school, and as far as I know they are really crappy ones, the cheapest ones, and the network is connected in a line like: router>switch(classroom PCs)>switch etc. – Matt Markevičius Mar 11 '16 at 17:00

1 Answer


What you are looking for is a firewall egress filter.

Details of how that might work are dependent on what your router is, especially in regard to coordinating with the DHCP server.

A firewall that blocks everybody from the internet, with DHCP somehow adding and removing permissions based on leases, could be possible.

infixed
  • Updated my question. I am using Ubuntu server on an IBM x3400 server with 4 NICs. I also plan to implement a captive portal and/or DansGuardian+privoxy or similar. – Matt Markevičius Mar 11 '16 at 16:14
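
One way to build the egress filter the answer describes on a Linux router, as an added example that is not from the original thread: a Python script that turns a static lease list into an nftables ruleset which forwards LAN traffic only for known IP+MAC pairs, plus the `nft` call a DHCP hook could run when a lease is granted or released. The lease file format, the interface name `lan0`, the table and set names, and the `add`/`del` action names are assumptions, and the sample leases are constructed.

```python
import ipaddress
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
# Constructed sample of static leases, one "MAC IP" pair per line (assumed format).
SAMPLE_LEASES = """\
02:00:00:00:00:01  10.0.3.1
02:00:00:00:00:0B  10.0.3.2   # MAC case is normalised to lower case
02:00:00:00:00:03  10.5.0.17
"""

def parse_leases(text):
    """Return {ip: mac}; reject malformed lines and an IP claimed by two MACs."""
    pairs = {}
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2 or not MAC_RE.fullmatch(fields[0].lower()):
            raise ValueError(f"line {n}: expected 'MAC IP'")
        mac, ip = fields[0].lower(), str(ipaddress.IPv4Address(fields[1]))
        if pairs.setdefault(ip, mac) != mac:
            raise ValueError(f"line {n}: {ip} already bound to {pairs[ip]}")
    return pairs

def render_ruleset(pairs, lan_if="lan0"):
    """nftables ruleset: forward from the LAN only when (IP, MAC) is a known pair."""
    if not pairs:
        raise ValueError("refusing to render a ruleset that blocks every host")
    elems = ",\n".join(f"      {ip} . {mac}" for ip, mac in pairs.items())
    return f"""table inet lanfilter {{
  set allowed_pairs {{
    type ipv4_addr . ether_addr
    elements = {{
{elems}
    }}
  }}
  chain forward {{
    type filter hook forward priority 0; policy accept;
    iifname "{lan_if}" ip saddr . ether saddr @allowed_pairs accept
    iifname "{lan_if}" drop   # unknown pair, or non-IPv4, from the LAN
  }}
}}
"""

def lease_event(action, mac, ip):
    """argv for nft when the DHCP server grants ("add") or releases ("del") a lease."""
    verb = {"add": "add", "del": "delete"}[action]
    elem = f"{{ {ip} . {mac.lower()} }}"
    return ["nft", verb, "element", "inet", "lanfilter", "allowed_pairs", elem]
```

The rendered text can be loaded with `nft -f`. Because a client can set its own MAC as well as its IP, this stops a device that only borrows a registered address; the DHCP snooping and dynamic ARP inspection mentioned in the comments remain the switch-level control.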