Prevent static IP assignment (by the client itself)

Client access to the Internet is controlled by a separate firewall by the client IP address. The assignment of IP addresses is done with DHCP by OpenWrt, which is also the gateway for the client. However, currently a client can manually change the IP address of his device. How do I prevent this at the OpenWrt level? That is, when a client manually sets his IP address to something other than the one mapped in the static leases on OpenWrt, his connection should be dropped at the OpenWrt level.


You cannot prevent a device assigning its own IP address on Router/OpenWrt without implementing an authentication system (802.1X; RADIUS). If you don't have something like that, you have to change the behavior of the device itself (e.g. to respect either DHCP settings or static IP settings). The only thing I can imagine besides that is something like doing periodic ARP scans and kicking unwanted clients, in combination with a smaller IP range (192.168.1.0/27) available/managed/allowed by OpenWrt, and blocking others with the firewall.


Set default LAN zone policy to reject and remove LAN to WAN forwarding.
Add custom firewall rules to allow only traffic from specific IP+MAC.
See also: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge


Thanks Vgaetera,

I have opened up the link and read the instruction but I could not find where I should specify the IP+MAC for the bridge firewall. I have not installed it but I wanted to see at least how the MAC address is set on it.

# Remove any previous copy of the rule, then recreate it
uci -q delete firewall.client_fwd
uci set firewall.client_fwd="rule"
uci set firewall.client_fwd.name="Allow-Client-Forward"
# Match only traffic from the LAN that carries this MAC *and* this IP
uci set firewall.client_fwd.src="lan"
uci set firewall.client_fwd.src_mac="00:11:22:33:44:55"
uci set firewall.client_fwd.src_ip="192.168.1.2"
# Allow it to be forwarded to the WAN zone
uci set firewall.client_fwd.dest="wan"
uci set firewall.client_fwd.proto="all"
uci set firewall.client_fwd.target="ACCEPT"
# Save and apply
uci commit firewall
/etc/init.d/firewall restart

If you want to go this way, you have to be aware that you have to manage each client on the network in the same way, which means you have to do it for each device in your network. It is like a firewall configuration with "deny all" first in place for everything, which is very painful. But if it is a small network with just a few devices it is O.K.

What is the exact reason why you want to drop connection of a (un-)trusted device/user if its IP is changed for whatever reason (normally a client is not doing this by itself; user action is required)?

You could also edit /etc/ethers with entries like this (even for OpenWrt itself):

00:00:11:22:33:44 192.168.1.100

Then issue

"arp -f /etc/ethers"

If all is set static (including the OpenWrt device itself) you could issue "ip -s -s neigh flush all" e.g. every 10 seconds.

But I don't know if this is working on OpenWrt. E.g. if /etc/ethers has priority over other services modifying arp table.

So @vgaetera's solution is more complete/reliable.

But if you have an "untrusted" user in your network changing client IPs to reach things which they are not allowed to reach, it is easy to spoof a MAC from another device (not connected currently) which is allowed to reach those targets. If this is the reason, there are other (better) solutions (e.g. a "kidsafe").


Thank you pwned,

Yes, this is a home network with only a few devices.

Internet usage is controlled based on time, so some IPs can use the Internet all the time and some based on the hour of the day. I want to prevent the users with a time restriction from changing the device IP address to use an unrestricted one (probably by trial and error). I think this can be achieved by separating the network with VLANs or Wi-Fi SSIDs, but it seems to me it is quite complicated, especially the routing part.

What is the reason for this command?

That maybe is correct but I am just trying to do what is possible currently.

Thanks for all the tips, really appreciate it.

You can make your life much easier if you use:

You can create mac-based and time-based firewall rules.

In short: The ARP table is a list where the router manages the participants of a network. You can edit this list. If you set all participants to static IPs, you can flush the list (the command above does this) and re-read the list (/etc/ethers) afterwards. So if someone registers with another IP it gets deleted every 10 seconds. But you could set the command to 1 sec. also.

Besides that, @vgaetera's solution is better than mine, and the solutions mentioned under "Parental controls" are much better and the recommended way to achieve what you want.


Do I have to include both IP and MAC addresses as the source or MAC address is enough?

This depends on your goal.
If you consider MAC address authentication reliable enough, then you can omit the IP address and filter internet access just by MAC for both IPv4 and IPv6 protocols.
Otherwise, you may want to utilize other methods based on VLAN and/or SSID isolation.

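An added example (not from any poster in this thread) that turns @vgaetera's approach into a small generator: it emits the uci commands for a REJECT default and no blanket lan-to-wan forwarding, then one ACCEPT rule per client, matching MAC+IP or, per the later question, MAC only. The client names, MACs and IPs are constructed, and the zone/forwarding indices assume the default OpenWrt layout.

```shell
# Constructed lease list: "name mac ip"; "-" as the IP means MAC-only matching.
LEASES='
laptop 00:11:22:33:44:55 192.168.1.2
tablet 66:77:88:99:aa:bb -
'
valid_mac() { printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; }
valid_ip()  { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
# Emit the rule for one client. A malformed line produces no rule and a warning,
# so a typo never silently creates a rule that matches the wrong device.
client_rule() {
  name=$1 mac=$2 ip=$3
  if ! valid_mac "$mac" || { [ "$ip" != - ] && ! valid_ip "$ip"; }; then
    echo "skipping '$name': bad MAC or IP" >&2
    return 1
  fi
  cat <<EOF
uci -q delete firewall.fwd_$name
uci set firewall.fwd_$name="rule"
uci set firewall.fwd_$name.name="Allow-Forward-$name"
uci set firewall.fwd_$name.src="lan"
uci set firewall.fwd_$name.src_mac="$mac"
EOF
  if [ "$ip" != - ]; then echo "uci set firewall.fwd_$name.src_ip=\"$ip\""; fi
  cat <<EOF
uci set firewall.fwd_$name.dest="wan"
uci set firewall.fwd_$name.proto="all"
uci set firewall.fwd_$name.target="ACCEPT"
EOF
}
# Zone changes as stated in the thread (assumption: zone 0 is "lan" and
# forwarding 0 is the stock lan->wan entry, as in a default OpenWrt config).
zone_lockdown() {
  cat <<'EOF'
uci set firewall.@zone[0].forward="REJECT"
uci -q delete firewall.@forwarding[0]
EOF
}
# Print the complete command list; run it on the router with: generate_config | sh
generate_config() {
  zone_lockdown
  printf '%s\n' "$LEASES" | while read -r name mac ip; do
    [ -n "$name" ] || continue
    client_rule "$name" "$mac" "$ip" || continue
  done
  echo 'uci commit firewall'
  echo '/etc/init.d/firewall restart'
}
```

Every device on the LAN needs its own line; anything not listed (or listed with a changed IP) no longer matches an ACCEPT rule and is rejected by the zone default.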

This is the solution I adopted, it is not as complicated as it might seem.

