在MONO中如何限制内网的MAC上网

laotoulyh

我想让设置了MAC地址的电脑才能上网，其他则不能。
Captive portal ->Allowed IP addresses 设置IP就可以
但是在Pass-through MAC加进去就不行

anywhere

我也碰到同样的问题，请问有高手可以指点吗？

analyst

我的办法是m0n0wall 上面开dhcp，在dhcp里面指定使用的mac，其他全部禁止。

wuxj

没啥用吧，我自己指定ip和网关，不用dhcp应该也能上网吧。

analyst

原帖由 wuxj 于 2006-3-20 20:58 发表
没啥用吧，我自己指定ip和网关，不用dhcp应该也能上网吧。

好早以前做过的，不知道现在怎么样了，你试试呢。

做过了，前面说的方法不行，呵呵，纠正。

可以官网上说可以，以前好像是可以的。

[ 本帖最后由 analyst 于 2006-3-21 15:53 编辑 ]

analyst

16.6. Does m0n0wall support MAC address filtering?
Short answer: Not yet. (i.e. you cannot specify MAC addresses in firewall rules)

Long answer: There are several "hacks" you may be able to use to achieve the desired end result.

Note
There is no bulletproof method of access control by MAC address. Keep in mind that MAC addresses are easy to change and spoof.
16.6.1. Using Captive Portal and MAC pass-through
You can utilize Captive Portal and its MAC pass-through functionality for rudimentary MAC address restrictions.

Enable Captive Portal on the desired interface (e.g. LAN) at the Services -> Captive Portal screen. Create a HTML page of your liking that does not include the submit button so the user cannot authenticate with the captive portal. Other settings can all be left at their defaults.
Click the "Pass-through MAC" tab on the Captive Portal screen. Click the + to start adding permitted MAC addresses. In the MAC address box, type in the six hex octets separated by colons (e.g. ab:cd:ef:12:34:56), optionally (but recommended) enter a description, and click Save. Repeat for every authorized host on your network.
16.6.2. Using DHCP reservations and firewall rules
First, set up your DHCP scope. At the bottom of the Services -> DHCP screen, add every authorized MAC address on your network, and check the "Deny unknown clients" box. This will prevent an unauthorized machine from getting an IP address from DHCP.

16.6.3. Using Static ARP
You can ensure certain MAC addresses can only use a certain IP by using static ARP.

To add a static ARP entry, use /exec.php to run the arp command.

arp -s 192.168.1.11 ab:cd:ef:12:34:56
To verify this addition, run 'arp -a' in exec.php and you'll see the following in the list.

? (192.168.1.11) at ab:cd:ef:12:34:56 on sis2 [ethernet]
This change will not survive a reboot. You need to put the arp -s command in your config.xml in . See this FAQ entry for more information on hidden config.xml options

Note
An unauthorized user with a clue will be able to get around this second method more easily than the first method by just assigning a static IP address that isn't in use. Either method is easy enough to get around for a user with a decent amount of knowledge.

wuxj

16.6.3. Using Static ARP

这个应该是可行的。

analyst

原帖由 wuxj 于 2006-3-22 04:17 发表
16.6.3. Using Static ARP

这个应该是可行的。

Using DHCP reservations and firewall rules

这个也是可以的，我前面没有说 firewall rules，呵呵。

samenlia

Pass-through MAC没问题的，但是留意一点：在Pass-through MAC添加mac之后，这些mac的计算机还是需要登录的，但是不需要使用帐户了，只需在每次开机后上网之前先用浏览器打开一个网站，这样在Captive portal产生一个session就行了。如果不这样操作，直接用qq、outlook等软件是不能上网的。

为了让没有列入Pass-through MAC的计算机不能上网，可以制作一个没有提交按钮的captive portal登录页面，这样，没有列入Pass-through MAC的计算机，用浏览器浏览网站的时候，看到的只是登录页面，但是没法登录，也就不能上网了。

anywhere

原帖由 analyst 于 2006-3-21 15:53 发表
16.6. Does m0n0wall support MAC address filtering?
Short answer: Not yet. (i.e. you cannot specify MAC addresses in firewall rules)

Long answer: There are several "hacks" you may be a ...

这种方法是可行，但也要在客户机运行 arp -s 网关ip 网关mac ，每次开机都要运行，很不方便，请问有没有更好的方法？

analyst

原帖由 anywhere 于 2006-3-24 00:13 发表


这种方法是可行，但也要在客户机运行 arp -s 网关ip 网关mac ，每次开机都要运行，很不方便，请问有没有更好的方法？

加入自动运行。

[ 本帖最后由 analyst 于 2006-3-24 08:58 编辑 ]

wuxj

原帖由 analyst 于 2006-3-22 07:57 发表

Using DHCP reservations and firewall rules

这个也是可以的，我前面没有说 firewall rules，呵呵。

firewall rules 该怎么设置。
我看了手册，好像没说。给讲讲？

analyst

原帖由 wuxj 于 2006-3-24 05:29 发表


firewall rules 该怎么设置。
我看了手册，好像没说。给讲讲？

把不用的地址block掉。

wuxj

倒，意思是说，如果我自己设置的ip如果在你的dhcp范围内，还是可以上网的？当然前提是那台机器没开。

anywhere

原帖由 analyst 于 2006-3-24 00:59 发表



加入自动运行。

这个对于无线网就不行！