Results 1 to 3 of 3
Thread: DHCP HELP "unknown-clients"
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- Feb 2009
DHCP HELP "unknown-clients"
I have a dhcp server running under ubuntu with a large number clients (2000+) I would like to limit users to my network based on their MAC addresses. I know that I can set up an entry in the dhcpd.conf to assign specific IP for a specific host but I feel that would become too large and difficult to manage. I am aware of the "deny unknown-clients" entry but I do not understand how I define my known clients. What I am hoping to do is create a text file that contains all of my allowed MAC address and have the dhcp server look to this file to assign an IP
Does anyone know if this is possible and if so how to do it?
Thanks in advance
Kent City School District
Just curious... is this an attempt to keep unauthorized users/devices off your network?
If so, my personal opinion is that you're going to be spending a lot of time managing these macs and no additional protection against an even slightly persistent student/hacker. Once they can determine the IP info from a legitimate machine, or sniff it, it's over and you'll be sleeping well at night with a false sense of security.
If you wanted to get a little more protection, you could create a separate broadcast domain (vlan) for dhcp clients with an iptables firewall doing mac filtering and routing. That will prevent someone from simply guessing an IP and accessing the rest of the network. They could still however guess a valid mac and bypass the firewall, but hopefully, that would cause some networking issues with an authorized client and you would be inclined to investigate it.
Welcome to the forums!
I think what you are looking for is /etc/ethers... it's pretty straightforward
# If this line is uncommented, dnsmasq will read /etc/ethers and act # on the ethernet-address/IP pairs found there just as if they had # been given as --dhcp-host options. Useful if you keep # MAC-address/host mappings there for other purposes. #read-ethers
AdmiralBeotchs advice stands though, there are very good reasons to use a config like this but security isn't one.Can't tell an OS by it's GUI