Syed Jahanzaib Personal Blog to Share Knowledge !

January 5, 2012

Mikrotik: Limiting User Access via DHCP with a /32 Netmask + Forcing Users to Use Your DHCP Server Only!


Recently a friend of mine who operates a local internet service in my area was annoyed by virus flooding / broadcast traffic and by Vypress Chat software, through which users communicate with each other and get united against the service provider :p . He can't afford to install manageable switches on his network to isolate users, so he asked for my help to isolate them. I used this little trick to minimize the network flooding and to isolate users.
But remember, it's not 100% foolproof. It just makes it a bit more difficult to scan other users, because clients have full control over their PCs and can easily change their IP and MAC address. At best it stops normal/casual users, but there is nothing to stop people who are determined.
If you really want to isolate your clients, set up client isolation on the APs or port isolation on the switch ports. Then no matter what settings a user puts on their PC, they will not be able to scan and find other hosts on the network.

In this example, the operator had a PPPoE server together with a DHCP service. All users get an IP from the 10.0.0.0/8 subnet via his Mikrotik's DHCP server, so flooding from one PC is broadcast to every PC on the network. I simply changed the netmask handed out by DHCP to /32. This way a user cannot communicate with any other PC on the LAN, not even the server, but can still connect to the PPPoE service because PPPoE discovery works via MAC-level broadcast. After connecting to PPPoE, the user can use the internet without any issue.

This trick is also useful on wireless networks where you want to minimize file sharing between users, which can also be done on the AP itself.

Go to IP > DHCP Server > double click on your DHCP server,
tick "Add ARP For Leases",
as shown in the image below . . .

Now go to IP > DHCP Server > Networks,
click on the + icon,
in Address, type 0.0.0.0/0
in Netmask, type 32

As shown in the image below . . .


Also, if you want to restrict things so that only users who get their IP from your DHCP server can communicate with your server, follow the tip below.

Go to Interfaces > double click on your LAN interface,
in ARP, select reply-only.


This way you force everyone to use your DHCP only. With reply-only, the router resolves client MAC addresses only from its static ARP entries, which is why "Add ARP For Leases" above is needed. If a user manually enters an IP address on his PC, he will not be able to communicate with your server or use the internet service.
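The same three changes done from the RouterOS terminal instead of Winbox, as an added example that is not from the original post. It assumes the DHCP server is named "dhcp1" and the LAN interface is "ether1"; change those to match your router.

```routeros
# Added example (not the original post's code). Assumed names: DHCP server "dhcp1", LAN interface "ether1".

# 1. Have the DHCP server install an ARP entry for every lease it hands out.
#    Needed once the interface is set to reply-only, because the router then stops learning MACs dynamically.
/ip dhcp-server set [find name="dhcp1"] add-arp=yes

# 2. Hand out a /32 netmask so a client sees no other host as on-link, not even the server.
#    PPPoE discovery is Ethernet broadcast and does not depend on the IP netmask, so PPPoE still connects.
#    If a network entry for your pool already exists, set netmask=32 on that entry instead of adding one.
/ip dhcp-server network add address=0.0.0.0/0 netmask=32 comment="isolate clients with /32"

# 3. Resolve neighbour MACs only from static ARP entries. A PC with a manually set IP has no entry,
#    so the router cannot send traffic back to it and the PC gets no service.
#    (If your LAN is a bridge, set arp=reply-only on the bridge with /interface bridge set instead.)
/interface ethernet set [find name="ether1"] arp=reply-only

# Checks: the network entry should show netmask=32, and active leases should appear as ARP entries.
/ip dhcp-server network print
/ip arp print where interface="ether1"
```

Leases that were handed out before add-arp=yes was enabled get their ARP entry on renewal, so clients that stop working right after the change just need to renew their lease.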

Regards
Syed Jahanzaib
