modified on 22 February 2012 at 12:31

Simple access control

From Ubiquiti Wiki


Simple Network Access Control

Introduction

Using DHCP to configure desktop computers is a very convenient way to manage many desktops on your network. Not everybody knows that with a couple of additional features, static IP assignment on the DHCP server and static ARP entries in the router's kernel, you can build a reasonably good network access control system that binds a specific MAC address to a specific IP address. With that binding in place you can do many things per user, such as bandwidth control, web page redirection (usually on payment problems :-) ) and anything else you would want to apply to a specific user.

AirOS uses the dnsmasq server for DHCP and DNS cache services. In my opinion it is quite good software for networks that are not very big. Dnsmasq has the feature we need: static IP-to-MAC assignment.

So if you are interested in building a very simple access control system in 15 minutes, read on.


Start

What we need:

1) Any AirOS device

Setting up SSH (or telnet) access

Unfortunately static DHCP entries cannot be set up from the web interface, so we have to do it from the shell. For shell access, telnet or SSH must be enabled. To do this, log on to your UBNT device, go to the Services tab and enable the selected service as shown in the picture below. Prefer SSH where you can: telnet sends the login password in cleartext over the very LAN you are trying to control. [Image: Enable telnet.png] Save your configuration and reboot.

Setting up DHCP server

Log on to your UBNT device using telnet or SSH and create the DHCP configuration file:

vi /etc/persistent/dnsmasq.conf

and paste this sample content:

dhcp-authoritative
interface=eth0
leasefile-ro
dhcp-leasefile=/etc/persistent/dnsmasq.leases
dhcp-range=192.168.1.2,192.168.1.5,255.255.255.240,15m
dhcp-host=00:00:00:00:00:11,192.168.1.2,ip_1_2
dhcp-host=00:00:00:00:00:22,192.168.1.3,ip_1_3
dhcp-host=00:00:00:00:00:33,192.168.1.4,ip_1_4
dhcp-host=00:00:00:00:00:44,00:00:00:00:00:55,192.168.1.5,ip_1_5

Let's describe this file quickly:

1 - dhcp-authoritative tells dnsmasq it is the only DHCP server on this network, so it answers requests for leases it does not know about instead of ignoring them, and a client with a stale address gets a fresh one right away. Being authoritative is good practice when you run the DHCP service as the ISP.

2 - The interface dnsmasq should listen on.

3 - leasefile-ro stops dnsmasq from writing the lease database to the file system. We can afford that because our DHCP server always hands out the same address for a given MAC, so no lease state needs to survive a restart.

4 - Location of the lease file (we have to create an empty file).

5 - A dhcp-range must always be defined, even for purely static assignment, because dnsmasq does not serve DHCP at all without one (unlike the ISC server, where fixed hosts work without a pool). Addresses reserved by a dhcp-host line are never handed out dynamically, so with the range covering only .2-.5 a desktop whose MAC is not listed gets no lease at all.

6-9 - Host definitions: MAC address, the IP address bound to it, and a hostname. Line 9 lists two MAC addresses for one IP address.

If you want a more complicated setup, read the Dnsmasq documentation or the sample configuration file.

Next, we should make dnsmasq start at system boot. To do this, add the following line:

/sbin/dnsmasq -C /etc/persistent/dnsmasq.conf

to the /etc/persistent/rc.poststart file. After the reboot, check with ps that the new dnsmasq instance is running.

This sample file gives us static IP-MAC assignment for five desktops. Address 192.168.1.5 is shared by two desktops, but only one of them can be online at any given time.

But somebody could still set a static IP address (for example 192.168.1.7) on their desktop and still get Internet access.

ARP blocking

ARP blocking is a method of network control that uses static ARP entries on the router. The router then sends every packet for that IP to the MAC in the entry and never updates the entry from ARP traffic. If the static entry is 00:00:00:00:00:00, that IP is blocked: a computer using it can still send to the router but never receives a reply, so it cannot get through the router (it can still reach other stations on the LAN, because the static entry exists only on the router). Likewise, a device whose MAC address and IP do not match the entry written on the router cannot reach the router.

To set a static MAC for the IP 192.168.1.4, run:

 ip neigh replace 192.168.1.4 lladdr 00:00:00:00:00:33 nud permanent dev eth0

Unused IP addresses should be filled with 00:00:00:00:00:00:

 ip neigh replace 192.168.1.7 lladdr 00:00:00:00:00:00 nud permanent dev eth0

The simplest way to set static ARP entries at router startup is to add the "ip neigh" commands to the /etc/persistent/rc.poststart file. After all of this, of course, run saveconfig so the files survive a reboot. You can verify the result with "ip neigh show dev eth0": every locked address must be listed as PERMANENT.

Remember that if you replace the network card in a desktop, it will not be able to reach the router until you either set the new card's MAC address to the old one or update the DHCP and ARP entries on the router!
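The DHCP configuration and the "ip neigh" lines above are easy to get out of step when both are edited by hand. The following shell script is an added example, not code from the article or from Ubiquiti: it generates the dnsmasq.conf and the rc.poststart lines from one host table, and it also derives the list of unused addresses in the /28 that must be blocked. The MAC addresses, names, eth0 and the 192.168.1.2-.5 range are the article's sample values; the router's own address 192.168.1.1, the host-table format and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: derive the dnsmasq
# configuration and the static ARP commands from ONE host table so that the
# DHCP binding and the ARP entry for a desktop can never disagree.
# MACs, names, eth0 and the 192.168.1.0/28 range are the article's sample
# values; ROUTER_IP and the table format are assumptions of this example.

IFACE=eth0
NET_PREFIX=192.168.1          # the /28 from the sample dhcp-range
ROUTER_IP=192.168.1.1         # assumed address of the AirOS device itself
RANGE_FIRST=2                 # dhcp-range start (192.168.1.2)
RANGE_LAST=5                  # dhcp-range end   (192.168.1.5)
SUBNET_LAST_HOST=14           # a /28 has usable hosts .1 .. .14

# Host table, "IP MAC NAME", one desktop per line (constructed sample data).
# One MAC per IP only: a static ARP entry can hold a single MAC, so the
# two-MAC dhcp-host trick from the article cannot be ARP-locked.
HOSTS='
192.168.1.2 00:00:00:00:00:11 ip_1_2
192.168.1.3 00:00:00:00:00:22 ip_1_3
192.168.1.4 00:00:00:00:00:33 ip_1_4
192.168.1.5 00:00:00:00:00:44 ip_1_5
'

# True if $1 is an IP from the host table.
is_listed() {
    printf '%s\n' "$HOSTS" | awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }'
}

# dhcp-host=MAC,IP,NAME lines for dnsmasq.conf.
gen_dhcp_hosts() {
    printf '%s\n' "$HOSTS" | awk 'NF == 3 { printf "dhcp-host=%s,%s,%s\n", $2, $1, $3 }'
}

# The complete /etc/persistent/dnsmasq.conf from the article, hosts appended.
gen_dnsmasq_conf() {
    printf 'dhcp-authoritative\n'
    printf 'interface=%s\n' "$IFACE"
    printf 'leasefile-ro\n'
    printf 'dhcp-leasefile=/etc/persistent/dnsmasq.leases\n'
    printf 'dhcp-range=%s.%s,%s.%s,255.255.255.240,15m\n' \
        "$NET_PREFIX" "$RANGE_FIRST" "$NET_PREFIX" "$RANGE_LAST"
    gen_dhcp_hosts
}

# Pin every listed IP to its MAC in the router's ARP table.
gen_arp_pins() {
    printf '%s\n' "$HOSTS" | awk -v dev="$IFACE" 'NF == 3 {
        printf "ip neigh replace %s lladdr %s nud permanent dev %s\n", $1, $2, dev }'
}

# Every other usable address of the /28 (not just the dhcp-range!) gets the
# all-zero MAC: a desktop that picks e.g. 192.168.1.7 by hand can send to
# the router but never gets a reply. The router's own address is skipped.
gen_arp_blocks() {
    i=1
    while [ "$i" -le "$SUBNET_LAST_HOST" ]; do
        ip="$NET_PREFIX.$i"
        if [ "$ip" != "$ROUTER_IP" ] && ! is_listed "$ip"; then
            printf 'ip neigh replace %s lladdr 00:00:00:00:00:00 nud permanent dev %s\n' \
                "$ip" "$IFACE"
        fi
        i=$((i + 1))
    done
}

# Lines to add to /etc/persistent/rc.poststart: start dnsmasq, then load ARP.
gen_startup() {
    printf '/sbin/dnsmasq -C /etc/persistent/dnsmasq.conf\n'
    gen_arp_pins
    gen_arp_blocks
}

case "${1:-}" in
    --conf)    gen_dnsmasq_conf ;;                          # > /etc/persistent/dnsmasq.conf
    --startup) gen_startup ;;                               # >> /etc/persistent/rc.poststart
    --apply)   gen_arp_pins | sh; gen_arp_blocks | sh ;;    # load the ARP entries now
esac
```

Run it with --conf to produce the dnsmasq.conf text, with --startup to produce the lines to append to /etc/persistent/rc.poststart (then saveconfig, as above), or with --apply to load the ARP entries into the running kernel immediately. Note that the blocking loop covers the whole /28, not only the dhcp-range: a desktop with a hand-picked 192.168.1.12 would otherwise slip through.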

Finish

The method given here is only a basic setup that helps keep a network under control with unmanaged switches. It is very simple but has helped me many times. There are some things you should remember:

1) The static ARP entry and the DHCP entry must agree; if they differ, your end user will have problems accessing the network.

2) Only one MAC address can be set in a static ARP entry for an IP, so the two-MAC entry from line 9 of the DHCP configuration cannot be locked this way.

3) Somebody could still get onto your network by changing the MAC address on their computer to a permitted one: both DHCP and ARP trust the MAC address, and the sender controls it.
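Point 1 is the kind of drift that is hard to spot by eye once the lists grow. As an added example (not from the article), this POSIX shell audit compares the dhcp-host lines of dnsmasq.conf with the output of "ip neigh show" and reports three conditions: an IP whose ARP MAC differs from its DHCP MAC (point 1), a dhcp-host IP with no PERMANENT ARP entry at all, and a dhcp-host line with more than one MAC, which cannot be ARP-locked (point 2). The sample dnsmasq.conf lines are the article's; the ip neigh output is constructed for the example, with a deliberate typo for 192.168.1.3 and a forgotten entry for 192.168.1.4.

```shell
#!/bin/sh
# Added example, not from the article: audit that the static ARP table of the
# router agrees with the dhcp-host bindings in dnsmasq.conf.
# Usage on the device:  ip neigh show dev eth0 > /tmp/neigh.txt
#                       audit_nac /etc/persistent/dnsmasq.conf /tmp/neigh.txt

# audit_nac CONF NEIGH : prints one line per finding, sorted by IP.
audit_nac() {
    awk '
    # First file: dnsmasq.conf. dhcp-host=MAC[,MAC...],IP,NAME
    FNR == NR {
        if ($0 !~ /^dhcp-host=/) next
        sub(/^dhcp-host=/, "")
        n = split($0, f, ",")
        nmac = 0; ip = ""
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { ip = f[i]; break }
            nmac++
            if (nmac == 1) firstmac = f[i]
        }
        if (ip != "") { want[ip] = firstmac; count[ip] = nmac }
        next
    }
    # Second file: "ip neigh show" output, e.g.
    #   192.168.1.4 dev eth0 lladdr 00:00:00:00:00:33 PERMANENT
    # Only PERMANENT (static) entries count; learned ones are ignored.
    $NF == "PERMANENT" {
        for (i = 1; i <= NF; i++) if ($i == "lladdr") have[$1] = $(i + 1)
    }
    END {
        for (ip in want) {
            if (count[ip] > 1)
                printf "%s: %d MACs in dhcp-host, cannot be ARP-locked\n", ip, count[ip]
            else if (!(ip in have))
                printf "%s: no permanent ARP entry\n", ip
            else if (have[ip] != want[ip])
                printf "%s: ARP %s differs from DHCP %s\n", ip, have[ip], want[ip]
        }
        # A pinned MAC that is not in dnsmasq.conf is a leftover worth a look.
        for (ip in have)
            if (!(ip in want) && have[ip] != "00:00:00:00:00:00")
                printf "%s: ARP-pinned to %s but not in dnsmasq.conf\n", ip, have[ip]
    }' "$1" "$2" | sort
}

# Constructed sample input: the article's dnsmasq.conf hosts, and an ARP table
# where .3 was mistyped in rc.poststart, .4 was forgotten, and .9 is dynamic.
SAMPLE_CONF='dhcp-host=00:00:00:00:00:11,192.168.1.2,ip_1_2
dhcp-host=00:00:00:00:00:22,192.168.1.3,ip_1_3
dhcp-host=00:00:00:00:00:33,192.168.1.4,ip_1_4
dhcp-host=00:00:00:00:00:44,00:00:00:00:00:55,192.168.1.5,ip_1_5'
SAMPLE_NEIGH='192.168.1.2 dev eth0 lladdr 00:00:00:00:00:11 PERMANENT
192.168.1.3 dev eth0 lladdr 00:00:00:00:00:99 PERMANENT
192.168.1.7 dev eth0 lladdr 00:00:00:00:00:00 PERMANENT
192.168.1.9 dev eth0 lladdr 00:00:00:00:00:ab REACHABLE'

# run_demo: audit the sample data; prints the three expected findings.
run_demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CONF" > "$dir/dnsmasq.conf"
    printf '%s\n' "$SAMPLE_NEIGH" > "$dir/neigh.txt"
    audit_nac "$dir/dnsmasq.conf" "$dir/neigh.txt"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then run_demo; fi
```

On the sample data the audit reports 192.168.1.3 (ARP MAC differs from DHCP MAC), 192.168.1.4 (no permanent entry) and 192.168.1.5 (two MACs, cannot be locked); 192.168.1.2 is consistent and 192.168.1.9 is a learned entry, so neither is mentioned. Running it after every edit of rc.poststart, and again after a reboot, catches exactly the mismatch that point 1 warns about.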

Arbooz