Interesting Mikrotik integration question

radius

#1

Hypothetical network

  • 1 mid size (100 hosts) Layer 2 wired network (with or without VLANs)
  • All hosts assigned IP in similar range using DHCP with Radius
  • Blocking works via reject IP list in Splynx

Problem
There is no way for us to block a user if the user manually assigns an IP address in the same range that the DHCP server assigns.

Probable solution?

  • Mark all IP addresses as blocked in Mikrotik firewall
  • Whenever DHCP assigns an IP address, it gets selectively (magic?) unblocked in Mikrotik

#2

The solution is to use IPoE instead of DHCP.

Difference between DHCP and IPoE:

– In IPoE, a Router doesn’t send ARP-Requests. (arp reply-only setting on the IPoE Interface in Mikrotik)
– The ARP Table needs to be filled by something else otherwise there is no communication between client and router.
– The ARP Table is filled by the DHCP Server, which adds a lease to the ARP table after the lease has been authenticated by an AAA Server.
– The router doesn't send ARP requests but only replies.

So even if a user sets a static IP, as long as it's not entered in the router's ARP table, the router isn't able to communicate with the client, and therefore the client cannot either.

Heiko
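
The setup described in the reply above, as an added RouterOS configuration example that is not part of the original posts. The interface name (ether2), the pool and server names, the 10.0.0.0/24 range, the RADIUS server address and the secret are all assumptions to be replaced with your own values.

```routeros
# Added example. ether2, ipoe-pool, ipoe-dhcp, 10.0.0.0/24, 192.0.2.10 and
# the secret are placeholders, not values from the thread.

# Gateway address and lease range on the customer-facing interface
/ip address add address=10.0.0.1/24 interface=ether2
/ip pool add name=ipoe-pool ranges=10.0.0.10-10.0.0.200

# reply-only: the router answers ARP but never sends ARP requests and never
# learns dynamic entries, so it can only reach IPs already in its ARP table.
/interface ethernet set ether2 arp=reply-only

# RADIUS server used to authenticate DHCP leases (the AAA step in the reply)
/radius add service=dhcp address=192.0.2.10 secret="CHANGE-ME"

# add-arp=yes: each accepted lease creates the matching IP/MAC ARP entry.
# use-radius=yes: leases are only handed out after RADIUS accepts them.
/ip dhcp-server add name=ipoe-dhcp interface=ether2 address-pool=ipoe-pool \
    add-arp=yes use-radius=yes disabled=no
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1 \
    dns-server=10.0.0.1

# Check: every entry in the ARP table on ether2 should correspond to a bound
# lease; a host with a hand-set address has no entry and gets no replies
# from the router.
/ip dhcp-server lease print where server=ipoe-dhcp
/ip arp print where interface=ether2
```

This only controls traffic that passes through the router: hosts on the same Layer 2 segment can still reach each other directly, so per-customer isolation at the switch (port isolation or a VLAN per customer) is a separate control.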