Belkin's DHCP and ip reservations help

rudeboymcc · 18 Mar 2007 at 14:19

Hi. Just bought a Belkin Wireless g router. what i'm trying to do is have a list of all the mac addresses in my house and give them all a set ip so i can turn off DHCP (easily done on my netgear router through an ip reservation table).

in the Belkin router, when you enable DHCP, you can assign an IP address to a MAC address forever, effectively an ip reservation table, but only when DHCP is on.

If DHCP is off, then it says you have to manual change the ip address on all the computers to a static one.

How can i keep the ip reservation table whilst having DHCP turned off?

tolien · 18 Mar 2007 at 14:45

You can't have both a router-assigned IP and no DHCP - you either manually assign the IP (i.e. the whole "change the ip address on all the computers to a static one"), or the router dishes out the IP (even if it is the same IP all the time, as with static binding).

rudeboymcc · 18 Mar 2007 at 19:35

so i can't asign an ip address to a specific mac address on a router?

just i was told that some people use unsecure wireless and only allow certain mac addresses to join the network, and apparently this is just as secure as a secure network.

oddjob62 · 18 Mar 2007 at 19:53

rudeboymcc said:
so i can't asign an ip address to a specific mac address on a router?

just i was told that some people use unsecure wireless and only allow certain mac addresses to join the network, and apparently this is just as secure as a secure network.

a. That would be Mac filtering on the wireless configuration, nothing to do with IPs or DHCP.

b. Not even close to being as secure as properly configured encryption. The people who told you this are wrong.

MAllen · 18 Mar 2007 at 20:27

You are confusing two different concepts. DHCP and Wireless MAC Address Filtering.

First - listen to The Tolien as he knows what he is talking about. MAC addresses can easily be faked, so no good as a security feature on your wireless.

It is much more important to properlly encrypt using WPA and a decently long key (not something in the dictionary). Once that is done, hidding SSID, restricting to specific MAC addresses, etc all help - but can all be bypassed.

Best security of all is to turn it off at the mains when you are not using it.

No hacker can break in then.

If you want the router to allocate the same IP Addresses to each PC each time they connect, then you need DHCP turned on. But you can restrict this to only the number of machines on your network, and then reserve the addresses for each of these.

I have not tested this - but I assume if you have only five PCs, and you setup a DHCP range of only 5 addresses, and each of those addresses are in your fixed DHCP reservation table, I'd asume this would stop machine number 6 from getting an address as there would be nothing left in the pool.

Problems getting the MAC Addresses? goto each PC and run ipconfig /all from a command prompt.

oddjob62 · 18 Mar 2007 at 20:37

MAllen said:
If you want the router to allocate the same IP Addresses to each PC each time they connect, then you need DHCP turned on. But you can restrict this to only the number of machines on your network, and then reserve the addresses for each of these.

I have not tested this - but I assume if you have only five PCs, and you setup a DHCP range of only 5 addresses, and each of those addresses are in your fixed DHCP reservation table, I'd asume this would stop machine number 6 from getting an address as there would be nothing left in the pool.

If someone has got past your encryption, then doing this may hold them up for 2-3 minutes. A quick packet sniff will get the ip range, then they can just assign the ip statically. Turning off DHCP would be less effective from a security standpoint than MAC filtering imo.

tolien · 18 Mar 2007 at 20:41

They're equally ineffective as a security measure - if you can sniff the IP header, you can get the MAC address as easily as the IP.

The only route to proper security is strong encryption (WPA/WPA2 with a strong passphrase is plenty in a home environment) and/or using some sort of restricted subnet for wireless, with proper authentication and encryption over the top (i.e. a VPN).

MAllen · 18 Mar 2007 at 20:54

oddjob62 - completely agree with ya as I do that all the time. I often "borrow" wifi access at a couple of sites. And there DHCP is often off. But why do they leave the router on the obvious IP of 192.168.0.1 or 192.168.0.254?

If DHCP is being disabled as a security feature, it also makes sense to use a non-standard IP Address range line 10.15.68.x with the router on a nice random number like 10.15.68.94

Still not going to stop someone with knowledge and a packet sniffer.

tolien - completely agree. But are we also not looking at different level of hackers here? From experience, there are many people dotted around Brighton who "borrow" the neighbours network because it is open. So I expect at least 80% of "stolen" WiFi Access is by non-technical people.

These people mainly want the bandwidth. Or to download their illegal data over your network. (Though I do know one guy who stores his pr0n collection on his neighbours PC....)

Then there are the 20% (probally less) who are _really_ hacking. These are the ones we really need to lock down our networks for. Changing WPA2 keys every few days is also needed for this mob

WiFi is a very good reason for knowing who your neighbours are.

tolien · 18 Mar 2007 at 21:17

MAllen said:
tolien - completely agree. But are we also not looking at different level of hackers here?

VPN tunnelling maybe, but otherwise not really - it doesn't take a genius to use Snort or whatever, and it's only getting easier with live CDs et al.

Re-reading oddjob's post (I missed the "if someone's got past your encryption"

), I'm inclined to agree, MAC filtering's stronger than DHCP from the idiots' "it don't connect, duuuuh" point of view.