Routers and DHCP Policy Enforcement

[af3]

If DHCP has no free IPs to loan, can a user set a static IP and be served by the router even if the set range is 192.168.2.1-192.168.2.4? (lease time: forever)

[Fox]

I always set my LAN computers up with static IPs. This makes port forwarding much easier. The only thing you have to do (with Windows, that is) is make sure that you define the gateway address (the address of your router) and the DNS servers you'd like to use, before hand. I usually just set my static machines up under ips 192.168.1.150 and higher and let the router allocate the lower register for any machines that happen to come on the network, like friends' computers and random devices.

Yours must be a truly immense network if your router has run out of dhcp addresses though...

[af3]

I am talking about limiting IPs as to prevent unauthorized WIFI clients from accessing the network. There must be a non-WPA solution to successfully denying access (not securing privacy - who cares) to unauthorized clients.

If one were to clone the MAC address and the host is active, the IPs will confilict and the outsider can effectively disrupt normal activity. This is an undesired effect prevented by WPA, but I would like to avoid that if possible. WEP would be out of the question too...

[Fox]

Quote:

There must be a non-WPA solution to successfully denying access (not securing privacy - who cares) to unauthorized clients.

Unfortunately, there isn't.

Even mac filtering will not guarantee that an unauthorized client won't access your network. In fact, it is incredibly easy to spoof a mac address and it doesn't necessarily disrupt anything.

The ramifications of a compromised network go way beyond privacy. Someone could poison the DNS or ARP settings of you LAN and then you have a man-in-the-middle attack on your hands. What this means is that the attacker can listen and repeat your traffic. If you happening to be visiting a site where the authentication is not encrypted, this is very bad. If he uses ARP poisoning to serve you up a copy of paypal.com and you log into it, he now has your paypal password.

[johnwill]

The ONLY effective security on a personal wireless network is WPA or WPA2 security with a strong random key.

A good read: The Six Dumbest Ways to Secure A Wireless LAN

[Cellus]

Well hold on a second... why would you decide to not use WPA?

And whether an address is served via DHCP or set as static, if it is a legitimate IP address it is a legitimate IP address. Period. End of story. Whatever security system is set up to obtain/set an IP address is completely bypassed if you simply set a static IP that is recognized by the network.

This is why security is set up in layers. Even if an intruder was able to get on the network with a legitimate IP, they still have other security hurdles to overcome such as account authentication and so forth.

[af3]

Can anyone recommend a brand of router that can handle encryption? Mine slows down and drops packets. The Buffalo Turbo G with amplification looks good...

Also, encryption drains my battery faster on my PDA and laptop.

[johnwill]

I'm using a ZyXEL NBG-415N and a D-Link DIR-615, both have had no problems with WPA encryption. They also work with WEP, though I only turn that on to test old computers. Both have also had no issue in handling the 15mbit WAN traffic from my ISP.

Depending on the specific adapter in the PDA and laptop, the encryption may be done using the processor, which would tend to drain the battery. I've never noticed this effect myself, but then I've never looked for it either.