Feature Request: Only access via DHCP issued IP

Anonamice
Posts: 9
Joined: Tue Oct 26, 2010 7:03 pm

Feature Request: Only access via DHCP issued IP

Post by Anonamice »

I am providing free internet usage to guests and so want to limit abuse by throttling users when they exceed their quota. Gargoyle does all this no problems at all.

Problem is that the users have become smart and simply edit their IP address manually and then get a new quota.

I note that there is already a similar one stating "Block MAC addresses assigned a static IP that connect from a different IP" however this assumes that I manually statically assign IPs to every single user which is not practical in my situation.

Can we please have a tick a box feature that only allows access if the IP has been issued via DHCP?

This way I can set an appropriate lease time and achieve my goals......that is until they get even cleverer and do MAC address spoofing :)

Many thanks

VirgilC
Posts: 6
Joined: Fri Sep 17, 2010 10:54 pm

Re: Feature Request: Only access via DHCP issued IP

Post by VirgilC »

Not sure if this will help you, although sounds similar to my situation with two teenage computer geniuses.
I have assigned IPs to all the computers in our home based on their MAC.
Then set up a Quota rule that allows "All Individual Hosts Without Explicit Quotas" connection to a maximum of 10MB. (make the quota whatever you like)
This way if they want to try and change their IP (or MAC for that matter) then they aren't going to get far with the extra 10Mb.
So far they haven't been able to crack it......

Happy Days :D

Anonamice
Posts: 9
Joined: Tue Oct 26, 2010 7:03 pm

Re: Feature Request: Only access via DHCP issued IP

Post by Anonamice »

I am trying to avoid hard coding MAC addresses to IPs as the site is not actively monitored and hence no admin person is available to perform these duties.

As you indicated I have already set up a Quota rule that allows "All Individual Hosts Without Explicit Quotas", and have complemented this with a "Restrictions" rule to block all except those within the DHCP range.

This goes some way towards solving the problem, however once they figure out the range (which is pretty simple to do) then they simply hard code the IP and increment one digit once quota is exceeded.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Feature Request: Only access via DHCP issued IP

Post by Eric »

I like this idea, but it's not trivial to implement, since if an IP isn't opened up immediately after someone connects via DHCP their connection won't work and you'll have problems. That means a pretty frequent polling loop which could eat up significant resources. There might be a callback possible with dnsmasq, which would make this easier. I'll look into it, but no guarantees.

What you REALLY need is captive portal, which (I swear) I'll get to at some point, but other things keep coming up.

Anonamice
Posts: 9
Joined: Tue Oct 26, 2010 7:03 pm

Re: Feature Request: Only access via DHCP issued IP

Post by Anonamice »

Eric,

Thanks for the response and positive feedback that it is at least a valid idea.

My understanding of how DHCP works is that once issued, the MAC address is held in a lease reservations table on the router until the expiry time, and it is the guest that polls for updates based on certain events occurring:
- Device starts up
- Device reaches half life of TTL attempt to refresh lease renewal
- etc

If this is correct then I'm not sure where the polling loop occurs on the router?

You clearly know more than me around the effort to implement but if the above were true (or even close) then in my (very) simplistic view of the world would it not be a case of simply making the MAC address leased be allocated the bandwidth rather than the IP, so even if the IP is manually changed then the quota follows until the original lease expires or is renewed?

P.S. Yes Captive Portal would be fantastic.... add 1 vote from me on that one.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Feature Request: Only access via DHCP issued IP

Post by Eric »

The polling loop/(or better yet, callback) would be required to connect the DHCP assignments to the restriction controls. By default all IPs would be blocked. Then someone connects via DHCP, and an IP needs to be set to open. The polling loop would need to detect this, and adjust the restrictions. A callback could be better, because dnsmasq (the program that handles DHCP on the router) could be set up to call a script to open up the restrictions for the IP that was just assigned, but without this functionality (I'm not sure if it exists in dnsmasq or not -- I need to check), you have to poll constantly to see if an IP has been assigned.
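
Added example (not part of the thread and not Gargoyle code): the callback described above, written as a lease hook for dnsmasq's `dhcp-script` option, which runs a program with the arguments `add|old|del <mac> <ip> [hostname]` on lease events. The chain name `dhcp_allow` and the default-drop rule behind it are assumptions for illustration.

```shell
#!/bin/sh
# Lease hook, enabled in dnsmasq with:  dhcp-script=/absolute/path/to/this/script
# ASSUMPTIONS: a chain named dhcp_allow (hypothetical) is jumped to from FORWARD,
# and a later rule drops all other traffic from the LAN.
IPT="${IPT:-iptables}"          # can be swapped for a stub when testing
CHAIN="${CHAIN:-dhcp_allow}"    # hypothetical chain name

# Accept only a plain Ethernet MAC such as 00:11:22:33:44:55.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Accept only a dotted-quad IPv4 address with every octet <= 255.
valid_ip4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Open or close the firewall for one lease. Matching on the IP and the MAC
# together means a host that types in a different address matches no rule.
handle_lease() {
    action=$1 mac=$2 ip=$3
    valid_mac "$mac" && valid_ip4 "$ip" || return 2
    case "$action" in
        add|old)
            # -C checks for an existing rule so renewals do not stack duplicates
            "$IPT" -C "$CHAIN" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT 2>/dev/null ||
            "$IPT" -A "$CHAIN" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT ;;
        del)
            "$IPT" -D "$CHAIN" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT ;;
        *)  return 0 ;;         # any other action is ignored
    esac
}

# Run only when called with dnsmasq's arguments.
if [ "$#" -ge 3 ]; then
    handle_lease "$1" "$2" "$3"
fi
```

The rule is removed when dnsmasq reports `del`, so the DHCP lease time bounds how long an address stays open. A client that spoofs a new MAC still obtains a fresh lease, the limitation already noted in the first post.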

Anonamice
Posts: 9
Joined: Tue Oct 26, 2010 7:03 pm

Re: Feature Request: Only access via DHCP issued IP

Post by Anonamice »

Eric,

I understand the problem now.

I assume that there is no other option than to use dnsmasq? I ask as udhcpc appears to have this function available out of the box?
http://www.digipedia.pl/man/doc/view/udhcpc.8/

I have found a rather obscure link though which is probably more to your liking where someone has managed to get this to work using dnsmasq, specifically because there was no Captive Portal available.

http://trac6.assembla.com/RobinMesh/changeset/282

I'm no coder but looks to me like they have slightly customised dnsmasq to do this which may not be sustainable with regular firmware updates.

I hope this helps.