laotoulyh posted on 2006-2-17 17:34:41

How to restrict which internal MACs can access the Internet in MONO

I want only the machines whose MAC addresses I have configured to be able to get online, and nothing else.
Captive portal -> Allowed IP addresses: setting the IPs there works,
but adding them under Pass-through MAC does not.

anywhere posted on 2006-3-17 16:25:59

I ran into the same problem. Can any expert give some pointers?

analyst posted on 2006-3-20 12:09:48

My approach is to run DHCP on the m0n0wall, specify the permitted MACs in DHCP, and deny everything else.

wuxj posted on 2006-3-20 20:58:09

That's pretty useless, isn't it? If I set the IP and gateway myself, I should still be able to get online without DHCP.

analyst posted on 2006-3-21 07:22:20

Originally posted by wuxj on 2006-3-20 20:58:
That's pretty useless, isn't it? If I set the IP and gateway myself, I should still be able to get online without DHCP.

I did this a long time ago, not sure how it is now; give it a try.

Tried it: the method I described above doesn't work, heh, correction.

The official site says it works, though, and it seemed to work before.

[ This post was last edited by analyst on 2006-3-21 15:53 ]

analyst posted on 2006-3-21 15:53:31

16.6. Does m0n0wall support MAC address filtering?
Short answer: Not yet. (i.e. you cannot specify MAC addresses in firewall rules)

Long answer: There are several "hacks" you may be able to use to achieve the desired end result.

Note
There is no bulletproof method of access control by MAC address. Keep in mind that MAC addresses are easy to change and spoof.

16.6.1. Using Captive Portal and MAC pass-through
You can utilize Captive Portal and its MAC pass-through functionality for rudimentary MAC address restrictions.

Enable Captive Portal on the desired interface (e.g. LAN) at the Services -> Captive Portal screen. Create a HTML page of your liking that does not include the submit button so the user cannot authenticate with the captive portal. Other settings can all be left at their defaults.
Click the "Pass-through MAC" tab on the Captive Portal screen. Click the + to start adding permitted MAC addresses. In the MAC address box, type in the six hex octets separated by colons (e.g. ab:cd:ef:12:34:56), optionally (but recommended) enter a description, and click Save. Repeat for every authorized host on your network.

16.6.2. Using DHCP reservations and firewall rules
First, set up your DHCP scope. At the bottom of the Services -> DHCP screen, add every authorized MAC address on your network, and check the "Deny unknown clients" box. This will prevent an unauthorized machine from getting an IP address from DHCP.

16.6.3. Using Static ARP
You can ensure certain MAC addresses can only use a certain IP by using static ARP.

To add a static ARP entry, use /exec.php to run the arp command:

    arp -s 192.168.1.11 ab:cd:ef:12:34:56

To verify this addition, run 'arp -a' in exec.php and you'll see the following in the list:

    ? (192.168.1.11) at ab:cd:ef:12:34:56 on sis2

This change will not survive a reboot. You need to put the arp -s command in your config.xml in . See this FAQ entry for more information on hidden config.xml options.

Note
An unauthorized user with a clue will be able to get around this second method more easily than the first method by just assigning a static IP address that isn't in use. Either method is easy enough to get around for a user with a decent amount of knowledge.
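
An added example for the static ARP method above, not part of the FAQ or this thread: a small POSIX shell script that generates the arp -s lines for an authorized IP/MAC list and audits 'arp -a' output (in the FreeBSD-style format the FAQ shows) against that list, flagging IPs bound to an unexpected MAC or not on the list at all. The allow-list and the ARP lines are constructed sample data; on a real m0n0wall you would paste the exec.php 'arp -a' output into the audit.

```shell
#!/bin/sh
# Added example (not m0n0wall's own code). Authorized "ip mac" pairs, one
# per line: constructed sample data in the FAQ's notation.
ALLOWED='192.168.1.11 ab:cd:ef:12:34:56
192.168.1.12 00:11:22:33:44:55'

# emit_static_arp: print one "arp -s ip mac" line per authorized pair,
# ready to run from exec.php (or to place in config.xml for persistence).
emit_static_arp() {
    printf '%s\n' "$ALLOWED" | while read -r ip mac; do
        [ -n "$ip" ] && printf 'arp -s %s %s\n' "$ip" "$mac"
    done
}

# audit_arp: read "arp -a" lines on stdin and print one line per finding:
#   MISMATCH ip seen_mac expected_mac  (IP bound to a MAC not on the list)
#   UNKNOWN  ip seen_mac               (IP absent from the list)
# Returns 0 when the table agrees with ALLOWED, 1 when anything was flagged.
audit_arp() {
    problems=0
    while read -r line; do
        # expected format: "? (192.168.1.11) at ab:cd:ef:12:34:56 on sis2"
        ip=$(printf '%s\n' "$line" | sed -n 's/^? (\([^)]*\)) at .*/\1/p')
        seen=$(printf '%s\n' "$line" | sed -n 's/^? ([^)]*) at \([0-9a-fA-F:]*\) .*/\1/p')
        [ -z "$ip" ] && continue
        expected=$(printf '%s\n' "$ALLOWED" | awk -v ip="$ip" '$1 == ip { print $2 }')
        if [ -z "$expected" ]; then
            echo "UNKNOWN $ip $seen"
            problems=1
        elif [ "$(echo "$seen" | tr A-Z a-z)" != "$(echo "$expected" | tr A-Z a-z)" ]; then
            echo "MISMATCH $ip $seen $expected"
            problems=1
        fi
    done
    return $problems
}
```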

wuxj posted on 2006-3-22 04:17:20

16.6.3. Using Static ARP

This one should work.

analyst posted on 2006-3-22 07:57:50

Originally posted by wuxj on 2006-3-22 04:17:
16.6.3. Using Static ARP

This one should work.

Using DHCP reservations and firewall rules

This one works too; I didn't mention the firewall rules earlier, heh.

samenlia posted on 2006-3-22 10:39:45

Pass-through MAC works fine, but note one thing: after you add a MAC under Pass-through MAC, those machines still have to log in, only without an account. After every boot, before going online, open any website in a browser so that the captive portal creates a session. If you skip this and go straight to software such as QQ or Outlook, it won't get online.

To keep machines not listed under Pass-through MAC offline, make a captive portal login page with no submit button. Machines not in the Pass-through MAC list will then see only the login page when they browse, can't log in, and so can't get online.

anywhere posted on 2006-3-24 00:13:59

Originally posted by analyst on 2006-3-21 15:53:
16.6. Does m0n0wall support MAC address filtering?
Short answer: Not yet. (i.e. you cannot specify MAC addresses in firewall rules)

Long answer: There are several "hacks" you may be a ...

This method does work, but you also have to run arp -s <gateway ip> <gateway mac> on the client, and it has to be run at every boot, which is very inconvenient. Is there a better way?

analyst posted on 2006-3-24 00:59:14

Originally posted by anywhere on 2006-3-24 00:13:
This method does work, but you also have to run arp -s <gateway ip> <gateway mac> on the client, and it has to be run at every boot, which is very inconvenient. Is there a better way?

Add it to the startup items.

[ This post was last edited by analyst on 2006-3-24 08:58 ]

wuxj posted on 2006-3-24 05:29:06

Originally posted by analyst on 2006-3-22 07:57:
Using DHCP reservations and firewall rules

This one works too; I didn't mention the firewall rules earlier, heh.

How should the firewall rules be set up?
I looked at the manual and it doesn't seem to say. Can you explain?

analyst posted on 2006-3-24 08:04:10

Originally posted by wuxj on 2006-3-24 05:29:
How should the firewall rules be set up?
I looked at the manual and it doesn't seem to say. Can you explain?

Block the addresses that aren't in use.

wuxj posted on 2006-3-25 01:41:03

Ugh. So you mean that if the IP I set myself falls within your DHCP range, I can still get online? Assuming that machine is switched off, of course.

anywhere posted on 2006-3-26 20:23:50

Originally posted by analyst on 2006-3-24 00:59:
Add it to the startup items.

That doesn't work for a wireless network!