Hi Eric,

I had that problem in the past in a (small) wifi service that was sold to a few customers outside our cable network. I had a couple of customers connecting new routers to evade charges of extra Internet usage.
I solved it by changing my provisioning software to create static addresses and ARP entries for all IP addresses of that network at the router side. Obviously it could be circumvented with MAC spoofing, however it worked pretty well preventing random people from "inventing" different IP addresses.

Regards

On 5 October 2017 at 05:47, Eric Johnson <eri...@colossus.gruver.net> wrote:

> I'm at a small Wireless ISP in a small town and have only a Class C block of addresses. A couple of years ago, one local store sold to a new buyer and they wanted an Internet connection which I happily supplied with a single IPv4 address for the store.
>
> A couple of weeks ago, the outside company that handles their Point of Sale (POS) modified their firewall and added a new IP address that created problems for another local business because of the resulting conflict.
>
> According to an employee of the POS company, he merely used another IP address in their subnet. I replied that they had an address, not a subnet. So far, nobody has ever asked for a subnet and we have never provided one.
>
> The address he poached was an address in the NAT pool. Since we have more customers than we do IP addresses, nearly all customers except businesses have addresses in the CGN address space, 100.64/10, and most of our IP addresses are used in a NAT pool to service those addresses.
>
> I couldn't help wondering how intelligent one has to be to question whether or not a small store in a small town with a single IP address could possibly be assigned a block of 256 addresses. It should have made him curious, but it didn't. It should have been glaringly obvious that something didn't quite fit.
>
> Since then, I have configured their radio so that if they ever do it again, it won't pass any traffic for whatever address they try to poach. It will work for their addresses only.
>
> The employee of the POS customer was surprised that he could possibly assign an address and have it appear to work. That got me to wondering how one would block it.
>
> The only thing I could think of off the top of my head was to configure the firewall rules on their radio, which is what I did to limit them to the address. I've also modified the pf.conf rules to block any host spoofing the NAT pool addresses.
>
> That still leaves open the question of what is the best way to set it up so that a customer cannot change his IP address to interfere with another. For example, if someone's SonicWall firewall has an IP address of 203.0.113.10 and they change it to 203.0.113.20, which is already in use by someone else, then we would still have a problem.
>
> Fortunately, all but a handful of our customers have radios that act as a NAT device and with addresses assigned by the kea server on one machine. Those customers would have to climb up on their roof or tower and press the reset button to return to factory defaults before they could configure another IP address, and anyone who does that will find themselves having to switch to another internet service because I'll come pick up their radio as soon as possible.
>
> In the meantime, since there aren't all that many businesses with static addresses on our network, I'll probably configure firewall rules on all their radios in the next few days to cover the problem.
>
> Does anyone know a good way to automatically enforce requirements that they use only those addresses that have been assigned to them?
>
> Eric

--
Regards,
--
Rui Ribeiro
Senior Linux Architect and Network Administrator
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434
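Rui's static-ARP approach and Eric's question about automatic enforcement, as an added shell example that is not part of the thread: it generates router-side static ARP entries for a whole /24 from a provisioning table, pinning unassigned addresses to a placeholder MAC, and checks an observed ARP entry against the same table. The table format, the documentation addresses and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds router-side static ARP entries
# from a provisioning table so the router never learns a customer-chosen MAC
# for an address that was not assigned to that customer (the approach Rui
# describes), and checks observed ARP entries against the same table.
# The table format and the function names are assumptions of this example.

# Constructed provisioning table: "<ip> <mac>" per line, documentation
# addresses only, standing in for a real customer database.
PROVISIONED='203.0.113.10 00:11:22:33:44:10
203.0.113.20 00:11:22:33:44:20'

# Print the MAC provisioned for an address; prints nothing if unassigned.
provisioned_mac() {
  printf '%s\n' "$PROVISIONED" | awk -v ip="$1" '$1 == ip { print $2; exit }'
}

# Emit one "arp -s" command per host address of a /24. Assigned addresses are
# pinned to their customer's MAC; every other address is pinned to a MAC that
# exists nowhere on the wire, so an "invented" address never gets replies.
gen_static_arp() {
  prefix=$1      # first three octets, e.g. 203.0.113
  blackhole=$2   # placeholder MAC for unassigned addresses
  i=1
  while [ "$i" -le 254 ]; do
    ip="$prefix.$i"
    mac=$(provisioned_mac "$ip")
    printf 'arp -s %s %s\n' "$ip" "${mac:-$blackhole}"
    i=$((i + 1))
  done
}

# Check one observed (ip, mac) pair, e.g. parsed from "arp -an" output or a
# DHCP lease log, against the table. Exit status: 0 if it matches the
# provisioning, 1 if the address is in use from an unexpected MAC (a poached
# or spoofed address), 2 if the address was never provisioned at all.
check_arp_entry() {
  expected=$(provisioned_mac "$1")
  observed=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -n "$expected" ] || return 2
  [ "$expected" = "$observed" ] || return 1
  return 0
}
```

On the router, `gen_static_arp 203.0.113 de:ad:be:ef:00:00 | sh` loads the entries; re-running it after each provisioning change keeps the cache in step with the customer table.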