Andrew,

Really, you're asking the wrong question: the problem isn't that you
need to filter out a rogue DHCP server as much as it is poor separation
between customers.  The DHCP server is a symptom of a larger problem of
having all the customers on the same layer 2 broadcast domain.  Even if you
"fix" the DHCP problem with filtering, you still have some pretty big
security issues here.

What you need is a means for all traffic from one customer to be
separate from the other customers. Below are some methods for doing that
(they aren't necessarily either/or solutions):
- Many APs have client isolation, which keeps traffic from one client from
going to another.  Some switches have this as well.
- Doing a routed (as opposed to a bridged) network solves this problem.
 It is generally easier to troubleshoot, as well.
- PPPoE or similar between the customer premise and your network core

Thanks,
-Clint Ricker
Kentnis Technologies
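
While customers still share a broadcast domain, a monitoring host can at least flag the symptom discussed in this thread. The following is an added example, not part of the original message: it parses a DHCP payload (UDP payload captured elsewhere, for instance from a mirror port) and reports server replies whose server identifier is not on an allowlist. The allowlist address, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"                   # marks the start of DHCP options
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # message types only servers send
ALLOWED = {"10.0.0.1"}                               # assumption: the operator's DHCP server

def parse_options(data):
    """Walk the option TLVs; stop at End (255) or on a truncated option."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                             # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            break                                    # truncated: keep what parsed cleanly
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts

def _ip(raw):
    # First IPv4 address in an option value or header field, or None if absent.
    return str(ipaddress.IPv4Address(raw[:4])) if raw and len(raw) >= 4 else None

def check_reply(payload, src_mac, allowed_servers):
    """Return a finding for a server reply from an unlisted server, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None                                  # not a BOOTREPLY with DHCP options
    opts = parse_options(payload[240:])
    mtype = opts.get(53)                             # option 53: DHCP message type
    if not mtype or mtype[0] not in SERVER_MSG_TYPES:
        return None
    server = _ip(opts.get(54)) or "unknown"          # option 54: server identifier
    if server in allowed_servers:
        return None
    return {"src_mac": src_mac, "type": SERVER_MSG_TYPES[mtype[0]], "server_id": server,
            "offered_ip": _ip(payload[16:20]), "router": _ip(opts.get(3))}

def build_reply(mtype, server, offered, router):
    """Constructed sample data: a minimal BOOTREPLY payload."""
    a = lambda s: ipaddress.IPv4Address(s).packed
    fixed = struct.pack("!4BIHH", 2, 1, 6, 0, 0x1234, 0, 0) + b"\0" * 4 + a(offered) + b"\0" * 216
    opts = bytes([53, 1, mtype, 54, 4]) + a(server) + bytes([3, 4]) + a(router) + b"\xff"
    return fixed + MAGIC_COOKIE + opts

SAMPLES = [("00:11:22:33:44:55", build_reply(2, "10.0.0.1", "10.0.5.20", "10.0.0.1")),
           ("aa:bb:cc:dd:ee:ff", build_reply(2, "192.168.1.1", "192.168.1.100", "192.168.1.1"))]
if __name__ == "__main__":
    for mac, pkt in SAMPLES:
        print(mac, check_reply(pkt, mac, ALLOWED))
```

A finding's source MAC identifies the customer port to trace; it does nothing about the other cross-customer exposure described above.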

On Thu, Sep 4, 2008 at 5:24 PM, Chuck McCown - 3 <[EMAIL PROTECTED]> wrote:

> Canopy NAT and bootP filtering works like a champ to stop the mistake from
> causing problems upstream.
>
> ----- Original Message -----
> From: "Charles Wyble" <[EMAIL PROTECTED]>
> To: "WISPA General List" <wireless@wispa.org>
> Sent: Thursday, September 04, 2008 8:49 AM
> Subject: Re: [WISPA] Preventing backwards router problems
>
>
> > Andrew Niemantsverdriet wrote:
> >> On Wed, Sep 3, 2008 at 4:42 PM, Charles Wyble <[EMAIL PROTECTED]>
> >> wrote:
> >>
> >>> Andrew Niemantsverdriet wrote:
> >>>
> >>>> How do I prevent SOHO routers from handing out bogus DHCP information
> >>>> when they are plugged in backwards?
> >>>>
> >>>>
> >>> Filter them upstream?
> >>>
> >>>
> >>
> >> How would I filter upstream? All clients go into a switch so I would
> >> have to filter at the switch level, what switches provide this?
> >>
> >
> > So what exactly did you mean by plugged in backwards? The WAN port
> > instead of the LAN port?
> > Can you explain your architecture a bit?
> >>
> >>>
> >>>
> >>
> >> This was more of a WISP dashboard program. The captive portal stuff
> >> was secondary; the main part of the program was more of an access
> >> controller. It allowed the admin to control IPs, maintain MAC ACLs
> >>
> >
> > Ah. Well, check out ZeroShell for this. It's a very cool distro. Also
> > check out Untangle.
> >
> > --
> > Charles Wyble (818) 280 - 7059
> > http://charlesnw.blogspot.com
> > CTO Known Element Enterprises / SoCal WiFI project
> >
> >
> >
> >
> > --------------------------------------------------------------------------------
> > WISPA Wants You! Join today!
> > http://signup.wispa.org/
> > --------------------------------------------------------------------------------
> >
> > WISPA Wireless List: wireless@wispa.org
> >
> > Subscribe/Unsubscribe:
> > http://lists.wispa.org/mailman/listinfo/wireless
> >
> > Archives: http://lists.wispa.org/pipermail/wireless/
> >
