Getting Around the Quota


Gargoyle87
Posts: 48
Joined: Mon May 04, 2009 5:49 pm

Getting Around the Quota

Post by Gargoyle87 »

I have been using Gargoyle for several months, and everything was working fine, until one of the users started getting around the quota by cloning other users' MAC addresses. :(

There are 6 users currently sharing the internet connection (3 laptops and 3 desktops). I assigned a static IP address for each computer, and I blocked MAC addresses assigned a static IP that connect from a different IP.

I also restricted all the MAC addresses from connecting to the internet, except the 6 MAC addresses of the 6 users.

Then I added a quota for each of the 6 static IP addresses.


The problem that I am facing now is that one of the users is scanning the local network (using software), so he knows the MAC addresses of other users, and when his quota is consumed, he starts cloning the MAC addresses (using software) of other users and starts consuming their quota. :cry:

When I asked the other users to change their MAC addresses (using software), the annoying user scans the network again.... and that never ends. :x

So is there a way to prevent (using Gargoyle) the users from scanning or pinging the network (preventing them from knowing connected IP and MAC addresses)? :roll:

Note: If preventing them from doing that requires blocking the local network, it will not be a problem (nobody here is playing multiplayer games or sharing files with other users).

heuristic
Posts: 37
Joined: Tue Sep 08, 2009 5:00 pm

Re: Getting Around the Quota

Post by heuristic »

Gargoyle87 wrote: So is there a way to prevent (using Gargoyle) the users from scanning or pinging the network (preventing them from knowing connected IP and MAC addresses)? :roll:

Not knowing the human side of this, like is this a house full of people, a college dorm, or whatever, it would be difficult to say with certainty, but if I were you, this might be the time to read the riot act if you are the provider and they are riding for free. I would simply suggest that they cease this behaviour, and failing that, bar them completely. Sad to have to do so, but you can change SSIDs, private IP ranges, encryption; however, for all that to work you need to ensure that the others don't tell him/her.

Sometimes technology is not the answer. :evil:
_________________________
Heuristic
WRT54GL x4

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Getting Around the Quota

Post by Eric »

This is a real problem. For the moment, I agree with heuristic -- your best bet is to apply a social solution instead of a technological one.

Right now, there's no good way to prevent someone who is sufficiently technically capable that they can clone MAC addresses from using this technique to get around the quotas. The solution to the problem is to implement a captive portal system. I am definitely planning to do this, but have not gotten to it yet. This was discussed briefly in this thread a few months ago, but I have not gotten to it yet (right now I'm working on a new front end for the bandwidth monitor).

If you REALLY need a technology-based solution instead of a social one you could do this: Get another router, and put the problematic individual behind it. (Give him the password only to the wifi on that router/only run a cable from that router to his room). Connect the WAN port of the second router to one of the LAN ports on the first (which should be running Gargoyle). You can then set a quota on the first router with the WAN IP of the second, which this guy won't have the access to change, so he'll HAVE to go through the IP that has the quota. The downside, of course, is that you have to get a second router (though not necessarily one that needs to be able to run Gargoyle), and it also assumes no one will give him the password for the first router after you change it.

Gargoyle87
Posts: 48
Joined: Mon May 04, 2009 5:49 pm

Re: Getting Around the Quota

Post by Gargoyle87 »

Eric and heuristic, thank you very much for your helpful posts!

I guess that, in the meantime, the social solution is the best way to solve this problem.

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Getting Around the Quota

Post by ispyisail »

Depending on your hardware you should also consider ROBIN and CoovaOM as a captive portal provider!

In fact it might be good to see CoovaChilli / CoovaOM on gargoyle?

DoesItMatter
Moderator
Posts: 1373
Joined: Thu May 21, 2009 3:56 pm

Re: Getting Around the Quota

Post by DoesItMatter »

I vote slap up-side the head or punch them in the head.

Sometimes a 'wake-up' call is necessary. :lol:

If they're bigger than you, jump them with a phone book.
Phone books don't leave bruises, but pack a nice punch!
:twisted: Soylent Green Is People! :twisted:
2x Asus RT-N16 = Asus 3.0.0.4.374.43 Merlin
2x Buffalo WZR-HP-G300NH V1 A0D0 = Gargoyle 1.9.x / LEDE 17.01.x
2x Engenius - ESR900 Stock 1.4.0 / OpenWRT Trunk 49400

ispyisail
Moderator
Posts: 5185
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Getting Around the Quota

Post by ispyisail »

Or try this

http://www.digininja.org/jasager/index.php

better than a phone book :)

florachan
Posts: 56
Joined: Tue Aug 04, 2009 11:27 pm

Re: Getting Around the Quota

Post by florachan »

Give him a warning; if he is still cloning, then deny him access until he cleans up his act. Change the WPA and SSID ...

As heuristic said, technology is not the answer.

Lucky75
Posts: 83
Joined: Tue Mar 31, 2009 5:04 pm

Re: Getting Around the Quota

Post by Lucky75 »

That still doesn't prevent him from just plugging in physically though. You'd need some sort of portal (like Eric said) to be able to prevent that. Otherwise he could just plug in and clone his macAddr again.

If it's only wireless you're concerned about then yeah, no problem, just change the key, and perhaps don't broadcast the SSID.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Getting Around the Quota

Post by Eric »

ispyisail: I agree with Lucky75, I don't see how you can use Jasager/Karma to get around this problem. If he has wired access, that really won't help. Could you elaborate on what you had in mind?
