Quota's and changing ip address
Posted: Tue Jun 26, 2012 2:38 pm
by renekalff
I've bandwidth quotas working perfectly but I can't find any way to block clients which didn't get their IP through DHCP. When I reached the quota limit I just go to my network settings, fill in the DHCP assigned information manually and change the IP address and I'm good to go for another quota round. Is there any way to prevent this?
Re: Quota's and changing ip address
Posted: Tue Jun 26, 2012 6:09 pm
by pbix
You would have to add each computer in the static IP section on the DHCP screen to block this behavior. Then check the box "Block MAC addresses assigned a static IP that connect from a different IP".
Re: Quota's and changing ip address
Posted: Wed Jun 27, 2012 2:34 am
by renekalff
I'm afraid that isn't practical in my situation. I'd like to use the quotas on a small camping site.
Re: Quota's and changing ip address
Posted: Wed Oct 24, 2012 2:04 pm
by UltraZelda64
I am planning on giving Gargoyle a try soon and setting up a public wireless access point, and I intend to do something similar. Is there any chance of this eventually being added to the firmware? The quota system seems like a dream come true for carefully crafted, controlled personal LANs, but a public hotspot is anything but those three things. Yet still, these "unknown" machines are exactly the type I want to enforce such strict rules on.
I would like to set up the DHCP server to automatically hand out an available IP address to every computer that connects, and then give the entire range of allocatable DHCP IP addresses daily quotas on upload/download limits. Meanwhile, all computers that were not given an IP address with DHCP would be unable to connect to the Internet at all (unless they were specifically given a static IP address). And if a computer disconnects and then re-connects, obtaining a new IP address in the process, it would keep its quota from the last time it was connected, based on the MAC address. Exceptions could be systems set up with a static IP address outside of the range of DHCP, although since I likely won't be using the network myself this is unimportant to me.
Setting up a list of static IP addresses would be impractical in this situation, because to be honest I simply don't care what any device's IP address is, as long as the router gives it out through DHCP and all computers with IP addresses not handed out in this way would be denied access. It's something that's likely to be chaotic, with new machines appearing randomly out of nowhere and getting all they want before being capped, and then disappearing and never showing up again. It will just be an unpredictable solution with some people getting quotas, some people sneaking past them, and yet others getting through for a while before having a quota set. My personal LAN is carefully set up with different IP address ranges for known machines that make it easy for me to tell what is what and DHCP takes care of any random devices that someone happens to bring in and connect with, but in the case of a public access point none of that matters; a computer is a computer, and my intention in this case would be to give each individual machine its own quota of, say, 50-75MB/day, that carries over even if they disconnect and then re-connect to obtain a new IP address.
The ways I can think of to make this work would be:
-Automatically add a static IP address for every new computer/MAC address configured through DHCP.
-Add an option to apply quotas based primarily and natively on MAC address instead of IP address.
The first method would be messier and IMO a kludge, but I guess it would fit into the way things currently seem to work. The problem is, if someone really did want to set up static IP addresses for their own known computers, the list could get pretty nasty. The second method would be cleaner, since theoretically no IP address list would need to be maintained, nor would some special static IP address list. The DHCP server would just give the device the next available IP address, and then the firmware would check to see if the MAC address is already in its quota tables. If it is, it receives the same quota it left with; if not, it is given a new quota.
By the way--sorry for the bump, but I figured it would be better to use an existing, few-month-old topic instead of littering the forums with yet another duplicate post. I just happened to stumble across this one in my search on Google to find information. At first I thought my plan would work based on everything I read, but this topic unfortunately indicates that I originally misunderstood and that it would most likely not work.
Re: Quota's and changing ip address
Posted: Mon Nov 05, 2012 11:36 am
by anasazi
Ultrazelda64 nailed it pretty well.
The quota based on IP will not be as useful if not locked onto machines
which pop in/out of use in a public environment. I have been keeping few
IPs available in Tomato so that I could manually manage each one's
QOS/BW limits. I set them to short ownership periods (15min) so they
would be available to the next takers. If an abuser of BW I was manually
converting them to a static IP (out of the DHCP range) and then locking
them to an IP I could limit.
I saw this feature in Gargoyle and was thrilled, however once I got set up
I realized the IPs would not 'lock down to a user/MAC'. The quota used
would simply impede the next user of the IP. Some users would realize
the quota impact and reboot or disconnect/reconnect to get a fresh
start.
The only thing I can see to do is to set a rather long time to the DHCP
ownership of IPs so while they are around here (a B&B) they will get the
same IP and can then be regulated (our case 24 to 72 hours). I will open
up most of the range for this, but might run out of IPs after a couple of
days. Also, I'm not sure what happens if the user manually puts in an IP
which was not given out by Gargoyle, I need to test this yet.
This feature needs to be tied to a dynamic MAC==IP assignment table!
MACs are remembered during the lease period anyways, would it be that
hard to have a 'lifetime' of MAC to IP association table which keeps this
great new quota feature working as intended? An auxiliary table which
would restore quotas for a MAC or clear them out after a set period of
inactivity.
Ultazelda64, did you get any further ideas on how this would be done?
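The MAC-keyed table proposed in the posts above (usage follows the MAC across new leases, addresses the DHCP server did not issue are refused, idle entries are cleared), sketched as an added example that is not part of the thread and is not Gargoyle's code. `QuotaLedger`, its methods and all sample addresses are hypothetical, and the periodic quota reset is left out.

```python
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class QuotaLedger:
    daily_limit: int   # bytes allowed per MAC
    idle_ttl: int      # seconds of inactivity before a MAC's usage is forgotten
    leases: dict = field(default_factory=dict)  # ip -> mac, as issued by DHCP
    usage: dict = field(default_factory=dict)   # mac -> [bytes_used, last_seen]

    def lease(self, mac, ip):
        """Record a DHCP lease; an earlier lease held by this MAC is dropped."""
        mac = mac.lower()
        self.leases = {i: m for i, m in self.leases.items() if m != mac}
        self.leases[ip] = mac

    def account(self, mac, ip, nbytes, now):
        """Return 'allow', 'deny-unleased' or 'deny-quota' for observed traffic."""
        mac = mac.lower()
        # The source IP must be the one the DHCP server issued to this MAC.
        if self.leases.get(ip) != mac:
            return "deny-unleased"
        used, last = self.usage.get(mac, (0, now))
        if now - last > self.idle_ttl:   # idle too long: start from zero
            used = 0
        if used + nbytes > self.daily_limit:
            self.usage[mac] = [used, now]
            return "deny-quota"
        self.usage[mac] = [used + nbytes, now]
        return "allow"


def demo():
    """Constructed scenario: one client, 50 MB limit, 72 h idle expiry."""
    q = QuotaLedger(daily_limit=50 * MB, idle_ttl=72 * 3600)
    mac = "AA:BB:CC:00:00:01"            # constructed sample MAC
    q.lease(mac, "192.168.1.100")
    out = [q.account(mac, "192.168.1.100", 40 * MB, now=0),
           q.account(mac, "192.168.1.100", 20 * MB, now=60),
           q.account(mac, "192.168.1.150", 1 * MB, now=120)]  # hand-set IP
    q.lease(mac, "192.168.1.101")        # reconnect, new lease, same MAC
    out += [q.account(mac, "192.168.1.101", 20 * MB, now=180),
            q.account(mac, "192.168.1.101", 5 * MB, now=240),
            q.account(mac, "192.168.1.101", 20 * MB, now=240 + 72 * 3600 + 1)]
    return out


if __name__ == "__main__":
    print(demo())
```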
Re: Quota's and changing ip address
Posted: Tue Nov 13, 2012 6:13 am
by UltraZelda64
"Ultazelda64, did you get any further ideas on how this would be done?"
No... unfortunately, as far as I can tell, the current setup is just infeasible for the kind of network that we want to run in the way that we want.
There would be endless problems, and some very serious ones at that. The problems would get even worse as you increased the quota and DHCP lease times (second one being a bad idea to begin with for a public hotspot), which you would have to attempt to fix by increasing the DHCP IP address pool (another bad idea for a public network). You may then even start running out of IP addresses to allocate if you set your DHCP lease time too high, and need to use a larger address space like 10.x.x.x just to be able to hold all the unused addresses the DHCP server refuses to release as well as the ones that are actually still being used.
Meanwhile, that might be enough to take a toll on the entire network by requiring unnecessary amounts of memory and/or processing power. And even if it didn't bring the whole router down, I'd still rather my router runs fast, cool and efficient, not weighed down by incredibly inefficient solutions that raise the operating temperature of the router, potentially reducing its life.
I was typing a post in response to you, but with all the problems I began to foresee as I thought more about it, it literally became an essay. And so I scrapped it to just say, basically... no, the way things work right now, you just can't make it work reliably. You're honestly better off not even attempting to set it up in such a way. I'll just end this with a cut-and-paste of what I was originally going to end my post with:
"My suggestion? Honestly, the current quota system is just no good for this kind of chaotic setup. You can try it if you want, but it's destined to treat users unfairly and even treat the same people differently every day (or longer, however you have your quota/DHCP lease time set up). Unless something is done to actually fix this, you're seriously probably better off just aggressively throttling the speed of *all* users on the network and just allow them to connect at will. Use extreme throttling to prevent anyone from even wanting to download, say, hours' worth of high-definition videos on YouTube.
Maybe ban their MAC address if you catch them continuously trying to download extremely large amounts of data over time, since in its current state the quota system cannot do so reliably. At least with that method you're treating them all the same way (attempting, anyway), no surprises to you or them... until you catch them trying to leech your bandwidth and ban them. You just have to babysit them yourself, instead of allowing the router to do that for you... which, really, means that Tomato and DD-WRT would work just as well in this case... :\"