Linksys router - how to block wired/LAN access

 
 
paul.hester@gmail.com
Guest
Posts: n/a

 
      08-03-2006, 10:13 PM
Hi all,

I have a LinkSys WRT54G Wireless-G Broadband Router. I have
successfully managed to only allow access to the wireless network for a
series of MAC addresses using the Wireless MAC filter.

I can't apply the same rule for wired/LAN access (i.e. PCs plugged
directly into the router). Has anyone had any success blocking wired
access?

Any help would be appreciated.

Thanks,

Paul

 
 
 
 
 
Duane Arnold
Guest
Posts: n/a

 
      08-03-2006, 11:08 PM
(E-Mail Removed) wrote:
> Hi all,
>
> I have a LinkSys WRT54G Wireless-G Broadband Router. I have
> successfully managed to only allow access to the wireless network for a
> series of MAC addresses using the Wireless MAC filter.
>
> I can't apply the same rule for wired/LAN access (i.e. PCs plugged
> directly into the router). Has anyone had any success blocking wired
> access?
>


Block them for what reason?

Duane
 
 
paul.hester@gmail.com
Guest
Posts: n/a

 
      08-03-2006, 11:31 PM
I work in a shared office space, so it's to stop people just plugging
their PC straight into our router and using our internet connection.

Paul

Duane Arnold wrote:
> (E-Mail Removed) wrote:
> > Hi all,
> >
> > I have a LinkSys WRT54G Wireless-G Broadband Router. I have
> > successfully managed to only allow access to the wireless network for a
> > series of MAC addresses using the Wireless MAC filter.
> >
> > I can't apply the same rule for wired/LAN access (i.e. PCs plugged
> > directly into the router). Has anyone had any success blocking wired
> > access?
> >

>
> Block them for what reason?
>
> Duane


 
 
John Navas
Guest
Posts: n/a

 
      08-03-2006, 11:56 PM
On 3 Aug 2006 15:13:56 -0700, (E-Mail Removed) wrote in
<(E-Mail Removed) .com>:

>I have a LinkSys WRT54G Wireless-G Broadband Router. I have
>successfully managed to only allow access to the wireless network for a
>series of MAC addresses using the Wireless MAC filter.
>
>I can't apply the same rule for wired/LAN access (i.e. PCs plugged
>directly into the router). Has anyone had any success blocking wired
>access?


MAC filtering is essentially *useless* because valid MAC addresses are
so easily spoofed. For real security you need to use WPA.

Really controlling wired LAN access takes something like enforced
authentication (which could also be used for wireless), but that's
non-trivial to set up.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
 
 
Duane Arnold
Guest
Posts: n/a

 
      08-04-2006, 01:44 AM
(E-Mail Removed) wrote:
> I work in a shared office space, so it's to stop people just plugging
> their PC straight into our router and using our internet connection.
>


Well, someone may have another suggestion for you, but I would disable
the DHCP server on the router. I would then assign a static IP on the
router to each wireless machine's NIC, which you'll have to manually
assign the IP and configure each NIC manually to access the WAN/Internet
or LAN machines via the router.

You do it manually instead of letting the router's DHCP server issue an
IP to a machine wire or wireless that has the NIC configured to obtain
an IP from the router automatically.

That means anyone with a wire NIC machine wouldn't be able to just plug
the machine into the router and gain access to the WAN or LAN, because
they would have to configure the NIC to use a static IP on the router.

They wouldn't be able to do it if the computer's NIC was set to obtain a
DHCP IP from the router with the DHCP server on the router disabled. The
router will not issue the IP(s).

Most are not savvy enough to know how to configure the computer's NIC
for static IP usage on the router.

You can disable the router's DHCP server and make the machines use
static IP(s).

http://linksys.custhelp.com/cgi-bin/...hp?p_faqid=534

That's one way.

Duane



> Paul
>
> Duane Arnold wrote:
>
>>(E-Mail Removed) wrote:
>>
>>>Hi all,
>>>
>>>I have a LinkSys WRT54G Wireless-G Broadband Router. I have
>>>successfully managed to only allow access to the wireless network for a
>>>series of MAC addresses using the Wireless MAC filter.
>>>
>>>I can't apply the same rule for wired/LAN access (i.e. PCs plugged
>>>directly into the router). Has anyone had any success blocking wired
>>>access?
>>>

>>
>>Block them for what reason?
>>
>>Duane

>
>

 
 
John Navas
Guest
Posts: n/a

 
      08-04-2006, 02:09 AM
On Fri, 04 Aug 2006 01:44:48 GMT, Duane Arnold <"Do forget about
it"@PleaeDo.BET> wrote in
<kExAg.7674$(E-Mail Removed) et>:

>(E-Mail Removed) wrote:
>> I work in a shared office space, so it's to stop people just plugging
>> their PC straight into our router and using our internet connection.

>
>Well, someone may have another suggestion for you, but I would disable
>the DHCP server on the router. I would then assign a static IP on the
>router to each wireless machine's NIC, which you'll have to manually
>assign the IP and configure each NIC manually to access the WAN/Internet
>or LAN machines via the router.
>
>You do it manually instead of letting the router's DHCP server issue an
>IP to a machine wire or wireless that has the NIC configured to obtain
>an IP from the router automatically.
>
>That means anyone with a wire NIC machine wouldn't be able to just plug
>the machine into the router and gain access to the WAN or LAN, because
>they would have to configure the NIC to use a static IP on the router.
>
>They wouldn't be able to do it if the computer's NIC was set to obtain a
>DHCP IP from the router with the DHCP server on the router disabled. The
>router will not issue the IP(s).
>
>Most are not savvy enough to know how to configure the computer's NIC
>for static IP usage on the router.


But many are, especially those you want to keep out. I personally don't
think that provides any meaningful level of security. No offense
intended.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
 
 
Duane Arnold
Guest
Posts: n/a

 
      08-04-2006, 07:12 AM
John Navas wrote:
> On Fri, 04 Aug 2006 01:44:48 GMT, Duane Arnold <"Do forget about
> it"@PleaeDo.BET> wrote in
> <kExAg.7674$(E-Mail Removed) et>:
>
>
>>(E-Mail Removed) wrote:
>>
>>>I work in a shared office space, so it's to stop people just plugging
>>>their PC straight into our router and using our internet connection.

>>
>>Well, someone may have another suggestion for you, but I would disable
>>the DHCP server on the router. I would then assign a static IP on the
>>router to each wireless machine's NIC, which you'll have to manually
>>assign the IP and configure each NIC manually to access the WAN/Internet
>>or LAN machines via the router.
>>
>>You do it manually instead of letting the router's DHCP server issue an
>>IP to a machine wire or wireless that has the NIC configured to obtain
>>an IP from the router automatically.
>>
>>That means anyone with a wire NIC machine wouldn't be able to just plug
>>the machine into the router and gain access to the WAN or LAN, because
>>they would have to configure the NIC to use a static IP on the router.
>>
>>They wouldn't be able to do it if the computer's NIC was set to obtain a
>>DHCP IP from the router with the DHCP server on the router disabled. The
>>router will not issue the IP(s).
>>
>>Most are not savvy enough to know how to configure the computer's NIC
>>for static IP usage on the router.

>
>
> But many are, especially those you want to keep out. I personally don't
> think that provides any meaningful level of security. No offense
> intended.
>


You do know that it has nothing to do with the wireless side of it. It
has to do with someone walking up to that router and plugging in a wire
computer right in someone's face.

I think it's an effective measure to prevent that. As for the wireless
side of it, anyone can get a DHCP IP or use a static IP on the router.
It's not stopping anything, but it will stop the average Joe Blow on the
wire.

I'll tell you right now, 90% of the people that post to this NG don't
know how to do it. They can barely turn the computer *on*.

I am sorry but I disagree.

Duane
 
 
John Navas
Guest
Posts: n/a

 
      08-04-2006, 01:59 PM
On Fri, 04 Aug 2006 07:12:52 GMT, Duane Arnold <"Do forget about
it"@PleaeDo.BET> wrote in
<UrCAg.3315$(E-Mail Removed). net>:

>John Navas wrote:


>> But many are, especially those you want to keep out. I personally don't
>> think that provides any meaningful level of security. No offense
>> intended.

>
>You do know that it has nothing to do with the wireless side of it. It
>has to do with someone walking up to that router and plugging in a wire
>computer right in someone's face.


The assumption that wired is more secure than wireless isn't necessarily
valid. All too many switches and hubs and cables aren't physically
secured. I know of a case where a "foreign" laptop was found in a
wiring closet merrily gathering data. Never did find out who did it.
I've seen other cases where employees inserted small switches or hubs in
accessible cable runs to create more connections that were unknown to
computer people. Not to mention rogue wireless access points. Moral:
Wired networks also need to be carefully and completely secured. Just
using manual IP assignment instead of DHCP provides no real security.

>I think it's an effective measure to prevent that. As for the wireless
>side of it, anyone can get a DHCP IP or use a static IP on the router.
>It's not stopping anything, but it will stop the average Joe Blow on the
>wire.


The major worry isn't Joe Blow -- it's those with bad intent and some
skill, who won't even be slowed down by manual IP assignment.

>I'll tell you right now, 90% of the people that post to this NG don't
>know how to do it. They can barely turn the computer *on*.


The worry isn't those that can't, it's those that can, and if you stop
them, then you stop those that can't as well. Going after those that
can't still leaves you vulnerable to those that can, which makes no
sense, particularly since you'll be making life more difficult for
legitimate users.

Security is a balancing act between convenience and robustness. Make
the system inconvenient, and people will rebel, sometimes in obvious
ways, sometimes in subtle ways, defeating that security (e.g., the
PostIt with password stuck to a monitor). Using manual IP assignment
for security fails that tradeoff IMHO.

>I am sorry but I disagree.


Is that a personal opinion or a professional opinion?

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
 
 
Bill Kearney
Guest
Posts: n/a

 
      08-04-2006, 02:33 PM

> Well, someone may have another suggestion for you, but I would disable
> the DHCP server on the router. I would then assign a static IP on the
> router to each wireless machine's NIC, which you'll have to manually
> assign the IP and configure each NIC manually to access the WAN/Internet
> or LAN machines via the router.


Yep, then they'd have to know the subnet range in order to configure their
own stuff. Move the router to an address OTHER than x.x.x.1 while you're at
it. That way your workstations are on 172.16.88.x/255.255.0.0 with the
router on 172.16.88.100 (as an example) as the gateway. And if you're using
WPA on the wireless it'd be more work than the casual abuser would be likely
to tackle.

Private networks can use more than just the 192.168.x.x/255.255.255.0
subnet. You can use Class A (10.x.x.x/255.0.0.0) and Class B
(172.16.x.x/255.255.0.0) ranges. For either of those ranges you replace the
'x' with a number between 0 and 254. It's unlikely someone trying to guess
static addresses is going to try non-192.168.x.x ranges. Not impossible,
but pretty unlikely for casual users.

So start by moving the router to a different subnet and IP address. Then
manually configure the workstations (wired and wireless) to use that new
subnet/mask/gateway. Then go back to the router and disable DHCP services.
Set up WPA for the wireless. Then just ditch MAC filtering entirely as it's
a weak method, at best. Prevent wired connections by just locking it in a
box, drawer, cabinet or something else that doesn't also block the signal.

What you might also want to consider is arpwatch. That way you could at
least get notified if unexpected MAC addresses start connecting to your
devices.

-Bill Kearney

 
 
Bill Kearney
Guest
Posts: n/a

 
      08-04-2006, 02:35 PM
> I work in a shared office space, so it's to stop people just plugging
> their PC straight into our router and using our internet connection.


Lock it in a cabinet. Why bother burdening the router with the added tasks
of packet filtering? It's not like there's CPU power to spare on
residential-grade devices like the WRT54 series.

MAC filtering is a joke, all they need to do is get the address of one of
your allowed addresses and use that for their device. If they do this while
your device is active you'll have a helluva time trying to figure out what's
causing the trouble. Using MAC filtering alone will not stop them. You'd
have to go a step further and use some sort of security like RADIUS to add
another layer. They'd have to possess both the MAC address AND the
username/password used to authenticate the session.

Of course you should be using WPA security for the wireless anyway. That'd
make MAC filtering rather pointless too.

I'd start by just putting the router in a locked cabinet or box of some
kind. That'd at least stop them from jacking into it directly. But also
consider that if they're close enough to the box to jack into it, what's to
stop them from using the ethernet jack on the wall? Assuming there is one,
of course. They could just plug a hub or switch into that and leech
connectivity from there. So make sure there's decent physical security on
that too.

-Bill Kearney
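
Added example, not written by anyone in this thread: a sketch of the kind of IP-to-MAC monitoring that the arpwatch suggestion above refers to, which also surfaces the cloned-MAC situation described in the last post. It compares a neighbour table against the admin's static assignments. The addresses, the `br0` interface, the sample table (in `ip neigh show` format) and the event labels are all constructed for illustration.

```python
import re

# Constructed baseline: the static IP -> MAC pairings handed out by the admin.
KNOWN = {
    "172.16.88.100": "00:16:3e:00:00:01",  # router
    "172.16.88.21": "00:16:3e:00:00:21",
    "172.16.88.22": "00:16:3e:00:00:22",
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE = """\
172.16.88.100 dev br0 lladdr 00:16:3e:00:00:01 REACHABLE
172.16.88.21 dev br0 lladdr 00:16:3E:00:00:21 STALE
172.16.88.22 dev br0 lladdr 02:aa:bb:cc:dd:ee REACHABLE
172.16.88.57 dev br0 lladdr 00:16:3e:00:00:21 REACHABLE
172.16.88.58 dev br0 lladdr 02:11:22:33:44:55 DELAY
172.16.88.60 dev br0  FAILED
"""

LINE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")

def parse_neighbors(text):
    """Yield (ip, mac) for entries that carry a resolved link-layer address."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            yield m.group(1), m.group(2).lower()

def audit(text, known):
    """Return sorted (event, ip, mac) tuples for pairings that differ from the baseline."""
    known_macs = {mac.lower() for mac in known.values()}
    events = []
    for ip, mac in parse_neighbors(text):
        if known.get(ip, "").lower() == mac:
            continue                                  # expected pairing
        if ip in known:
            events.append(("changed-mac", ip, mac))   # assigned IP answered by another NIC
        elif mac in known_macs:
            events.append(("moved-mac", ip, mac))     # allowed MAC on an unassigned IP
        else:
            events.append(("new-station", ip, mac))   # device nobody registered
    return sorted(events)

if __name__ == "__main__":
    for event, ip, mac in audit(SAMPLE, KNOWN):
        print(f"{event:12} {ip:15} {mac}")
```

A device that copies both the IP and the MAC of an allowed machine produces no event in this check, which is why the thread points to authentication and physical security rather than address-based controls.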

 