I'm at a small Wireless ISP in a small town and have only a Class C block
of addresses.  A couple of years ago, one local store sold to a new buyer and
they wanted an Internet connection, which I happily supplied with a single
IPv4 address for the store.

A couple of weeks ago, the outside company that handles their Point of
Sale (POS) modified their firewall and added a new IP address that created
problems for another local business because of the resulting conflict.

According to an employee of the POS company, he merely used another IP
address in their subnet.  I replied that they had an address, not a
subnet.  So far, nobody has ever asked for a subnet and we have never
provided one.

The address he poached was an address in the NAT pool. Since we have more
customers than we do IP addresses, nearly all customers except businesses
have addresses in the CGN address space, 100.64/10, and most of our IP
addresses are used in a NAT pool to service those addresses.

I couldn't help wondering how intelligent one has to be to question
whether or not a small store in a small town with a single IP
address could possibly be assigned a block of 256 addresses.  It should
have made him curious, but it didn't.  It should have been glaringly
obvious that something didn't quite fit.

Since then, I have configured their radio so that if they ever do it again,
it won't pass any traffic for whatever address they try to poach.  It will
work for their addresses only.

The employee of the POS customer was surprised that he could possibly
assign an address and have it appear to work.  That got me to wondering
how one would block it.

The only thing I could think of off the top of my head was to configure
the firewall rules on their radio which is what I did to limit them to the
address.  I've also modified the pf.conf rules to block any host spoofing
the NAT pool addresses.

That still leaves open the question of what is the best way to set it up
so that a customer cannot change his IP address to interfere with another.
For example, if someone's SonicWall firewall has an IP address of
203.0.113.10 and they change it to 203.0.113.20 which is already in use by
someone else, then we would still have a problem.

Fortunately, all but a handful of our customers have radios that act as
NAT devices, with addresses assigned by the kea server on one machine.
Those customers would have to climb up on their roof or tower and press
the reset button to return to factory defaults before they could configure
another IP address and anyone who does that will find themselves having to
switch to another internet service because I'll come pick up their radio
as soon as possible.

In the meantime, since there aren't all that many businesses with static
addresses on our network, I'll probably configure firewall rules on all
their radios in the next few days to cover the problem.

Does anyone know a good way to automatically enforce requirements that
they use only those addresses that have been assigned to them?

Eric

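One way to express the router-side enforcement the post describes in pf, as an added example that is not Eric's actual pf.conf: the interface names, the per-customer VLANs, the NAT pool and the static assignments are assumed placeholders (using the 203.0.113.0/24 documentation range in place of the real Class C), and the syntax is OpenBSD-style pf (`match ... nat-to`).

```pf
# Added example, not the poster's own configuration. Interface names,
# VLANs, the NAT pool and the assigned addresses are assumed placeholders.
cust_if    = "em1"                         # shared customer interface (CGN customers)
wan_if     = "em0"                         # upstream interface
static_ifs = "{ vlan110, vlan120 }"        # one VLAN per static business customer (assumed)
all_cust   = "{ em1, vlan110, vlan120 }"   # every customer-facing interface

table <cgn>     const { 100.64.0.0/10 }              # CGN space handed out by kea
table <natpool> const { 203.0.113.32/27 }            # public addresses used as the NAT pool
table <statics> const { 203.0.113.10, 203.0.113.20 } # addresses actually assigned to businesses

set skip on lo0
block log all                              # default deny, logged

# 1. Nothing arriving from any customer side may claim a NAT-pool address,
#    no matter which customer sends it.
block in log quick on $all_cust from <natpool>

# 2. Bind each static customer to its own address: only the assigned
#    address may enter on that customer's VLAN; anything else is spoofed.
pass in quick on vlan110 from 203.0.113.10
pass in quick on vlan120 from 203.0.113.20
block in log quick on $static_ifs

# 3. CGN customers may only source 100.64/10 on the shared interface;
#    a radio reset to a public address gets nothing through.
pass in quick on $cust_if from <cgn>
block in log quick on $cust_if

# 4. Translate CGN sources to the pool on the way out; statics pass untouched.
match out on $wan_if from <cgn> to any nat-to <natpool> round-robin
pass out quick on $wan_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; on FreeBSD the translation line is written as `nat on $wan_if from <cgn> to any -> <natpool> round-robin` instead. Two caveats: pf matches on interface and address, not on MAC, so the per-customer binding in rule 2 only works if each static customer arrives on its own VLAN or interface; and these rules stop the router from forwarding spoofed traffic but do nothing about the layer-2 conflict itself. If two customers share one broadcast domain, a duplicate address still breaks the legitimate holder through ARP, which is exactly the outage described above and why the enforcement also has to live on the customer's radio (or in per-customer isolation).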