exclude addresses

Sten Carlsen sten at s-carlsen.dk
Thu Jan 10 08:08:58 UTC 2008

I would say that it depends on the actual network setup and size. In my 
case I have a small network and there is no router I could use for that. 
I also want this to be a "catch all" solution, so if you are not known 
you get no real access even if you have not been seen before.

In your case I understand there is a big network with routers you can 
use, so that is one obvious solution.

It also depends on the situation: is this a device that should not be in 
the network and that you cannot remove physically? If it is operated by 
some smart guy, he could just give it a new MAC address; that would 
take a few minutes in most cases. If it is a laptop, you would have to 
block that MAC in all routers.

On the other hand it has to be a very large network to actually use all 
the space in the private ranges, 10.x.x.x alone is 16mill addresses. Or 
a very large assignment for every subnet.

You could use some of the bogon addresses and filter for those 
(http://www.cymru.com/Bogons/). Using such an address would also 
minimise the access it could get to the world.

As mentioned the cure depends on the task.

Ron Croonenberg wrote:
> where I work we have a pretty large network and those private nets are 
> already in use  by different depts
> as for @ home, why not use  MAC based filtering on the router?
> Sten Carlsen wrote:
>> Hi
>> I have set this up at my house, I use an address range for normal 
>> hosts 192.168.x.x, I have set up another range for unknown hosts 
>> 10.0.0.x, gateway, DNS, ... is set differently than the ones for 
>> normal access.
>> This looks to the uninvited like the standard setup you will get from 
>> an unprotected AP in its default setup. The idea is that the "guest" 
>> will believe that I have some AP in its default setup but have so few 
>> abilities that I have not been able to get it connected to the 
>> internet. The hope is that he will go to the next place.
>> So basically I give these guys an address but a non-functional address.
>> If people really want access, you have only routers and VLANs to play 
>> with. None of this dhcpd setup will prevent manually set addresses.
>> Ron Croonenberg wrote:
>>> Hi Stan,
>>> I tried assigning   and 169.254.x.y   but somehow that 
>>> client sees that it is a 'worthless' address and keeps using the old 
>>> address it 'stole'.
>>> I noticed that with 'deny booting' it uses the old address too, 
>>> even after trying to get an address with dhcp.
>>> Sten Carlsen wrote:
>>>> How about a host declaration with "deny booting"?
>>>> On the other hand you could give him a special IP, that has no 
>>>> routing anywhere. Make a new range, set all parameters seemingly 
>>>> like they should be, but make sure your firewall knows that this 
>>>> range must not go anywhere.
>>>> This way the unwanted guest will have a harder time to figure out 
>>>> what happened.
>>>> In the archives there is an example on this. Somewhere.
>>>> Brian Raaen wrote:
>>>>> you can try creating a class that has that mac address in a 
>>>>> subclass.  Then you can block that mac address in any pool you 
>>>>> want.  I have attached the relevant part of the dhcpd.conf man page.

Best regards

Sten Carlsen

No improvements come from shouting:
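The two dhcpd mechanisms the thread discusses, combined in one dhcpd.conf as an added example (this is not configuration from the original post, from the list archives or from the dhcpd.conf man page): Brian's class/subclass keyed on a MAC address, and Sten's separate, non-routed range for unknown hosts on the same wire as the normal 192.168.x.x range. All addresses, MACs and the domain name are constructed placeholders.

```conf
# Constructed example: addresses, MAC addresses and domain are placeholders.
option domain-name "example.lan";
default-lease-time 600;
max-lease-time 7200;
authoritative;

# Class whose members are identified by hardware address. Each subclass
# value is the hardware type byte (1 = ethernet) followed by the MAC.
class "blocked" {
    match hardware;
}
subclass "blocked" 1:00:11:22:33:44:55;

# Hosts with a host declaration are "known"; everything else is unknown.
host laptop1 {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 192.168.1.50;
}

# A host that should get no lease at all (note from the thread: the
# client may simply keep using its previously obtained address).
host rogue {
    hardware ethernet 00:11:22:33:44:77;
    deny booting;
}

# Both subnets share one physical segment, so they must be declared
# inside one shared-network.
shared-network lan {
    # Normal range: only known hosts, and never members of "blocked".
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        option domain-name-servers 192.168.1.1;
        pool {
            range 192.168.1.100 192.168.1.199;
            deny unknown-clients;
            deny members of "blocked";
        }
    }

    # "Guest" range for unknown hosts: parameters look normal, but the
    # firewall must drop all traffic from 10.0.0.0/24 so it leads nowhere.
    subnet 10.0.0.0 netmask 255.255.255.0 {
        option routers 10.0.0.1;
        option domain-name-servers 10.0.0.1;
        pool {
            range 10.0.0.100 10.0.0.199;
            allow unknown-clients;
        }
    }
}
```

As the thread points out, none of this stops a client that sets its own static address; only the firewall, VLANs and router ACLs can enforce that.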

