kerio DHCP server (how to disallow static IP)
  •  
cybersans

hello,

any idea how to set up the dhcp server inside kwf so that static ip will be disallowed?

right now i'm running the dhcp server to assign ip to clients, but a client that is still using a static ip can still access the internet.

tq.
  •  
Trololo

Your problem isn't clear. Do you need to cut internet access for some computers and allow it for the rest of them?

Concerning DHCP.
If a computer wants to use a static IP, it can do so regardless of the DHCP server's configuration.
But you can create a rule that allows Internet access for a range of dynamic IP addresses and blocks access for the others.

  •  
cybersans

trololo, thanks for the reply

i saw a router that can do dhcp, assigning an IP to every client, and if one of the clients tries to manually assign its own static IP, the router will not allow that client to go to the internet. which means the router only allows a client that was assigned an ip by that router via dhcp.

so that is what i mean in my question. can the built-in dhcp inside kwf do that? only allow dhcp-assigned clients onto the internet? even if i set the scope to 10.1.1.1-10.1.1.10, when one of the clients sets static ip 10.1.1.2 it can still access the internet via kwf.

tq.
  •  
Trololo

ok, you have a rule doing NAT for all computers in your LAN.
Just create a range of addresses for DHCP clients and change Source:ANY to Source:DHCPscope in the rule.
  •  
cybersans

trololo thanks for the reply. but i think you do not understand me. what i mean:

a DHCP server which "locks" clients to only accept the ip given by dhcp. if they assign a static ip by themselves, they cannot access the internet. trust me, i've seen this kind of setup before, where i tried to put in the ip address manually, with the gateway IP the same as what dhcp gives, but i could not get through to the internet.

your idea is to create a dhcp ip range and assign it in the traffic policy rules. but, if some client uses an ip within the range, it can go to the internet through kwf.

so, again, my question, can kwf do this kind of "feature"? like the kind of dhcp server that i saw did?
  •  
winkelman

cybersans: trololo is understanding you just fine and telling you how you can achieve what you want...
  •  
cybersans

winkelman: i understand his/her suggestion about "dhcpscope" for source. let's say the dhcp range is 10.1.1.2-10.1.1.200, named "DHCP"

so source = DHCP.
but, if any client pc is manually assigned an ip from the "dhcp" group range (static ip), let's say 10.1.1.3, it can still access the internet, even though it is not using a dhcp-assigned ip, because the ip used is still in the "dhcp group" range.
  •  
winkelman

Ah, okay. That makes sense. Although if users would go through this trouble to bypass you, you might need to consider making security more tight on the end-user's machine. Why let them have the ability to change IP settings in the first place?

To come back to your question: you would like to give access only to those IP addresses that are present in the DHCP lease table (IPs actually handed out by the DHCP server). Right? Don't know if that is possible in Kerio. I don't think so... Still, even if it were: how can the server detect if I'm not simply spoofing someone else's IP+MAC address? If the client PCs are not under strict control, you never know... (Although this may be somewhat farfetched :) )
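
The lease-table check discussed in the post above, as an added example that is not part of the original thread and not a Kerio feature: it compares the (IP, MAC) pairs seen on the LAN with the DHCP server's active leases. The lease and neighbour data, their formats and the function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (not Kerio output): DHCP leases as
# (ip, mac, lease_expiry) and neighbours seen on the LAN as (ip, mac).
LEASES = [
    ("10.1.1.2", "00:11:22:33:44:02", "2010-10-01 18:00"),
    ("10.1.1.3", "00:11:22:33:44:03", "2010-10-01 18:00"),
    ("10.1.1.4", "00:11:22:33:44:04", "2010-10-01 09:00"),  # expired at noon
]
SEEN = [
    ("10.1.1.2", "00:11:22:33:44:02"),  # leased, matching MAC
    ("10.1.1.3", "00:AA:BB:CC:DD:03"),  # leased IP typed in on another machine
    ("10.1.1.4", "00:11:22:33:44:04"),  # address kept after the lease expired
    ("10.1.1.9", "00:AA:BB:CC:DD:09"),  # inside the scope, never handed out
]

def active_leases(leases, now):
    """Map ip -> mac for leases that have not expired at `now`."""
    out = {}
    for ip, mac, expiry in leases:
        if datetime.strptime(expiry, "%Y-%m-%d %H:%M") > now:
            out[ip] = mac.lower()
    return out

def classify(seen, leases, now):
    """Return {ip: verdict} for every observed (ip, mac) pair."""
    active = active_leases(leases, now)
    verdicts = {}
    for ip, mac in seen:
        leased_mac = active.get(ip)
        if leased_mac is None:
            verdicts[ip] = "no-active-lease"   # static or stale address
        elif leased_mac != mac.lower():
            verdicts[ip] = "mac-mismatch"      # leased to a different machine
        else:
            verdicts[ip] = "ok"                # matches the lease table
    return verdicts

if __name__ == "__main__":
    now = datetime(2010, 10, 1, 12, 0)
    for ip, verdict in classify(SEEN, LEASES, now).items():
        print(ip, verdict)
```

A machine that keeps a typed-in address is flagged as `no-active-lease` once its lease runs out, because a statically configured host never renews. A host that copies both the IP and the MAC of a live lease still reads `ok`, which is the spoofing limit raised in the post above.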
  •  
cybersans

...and my question is still the same. how does a dhcp server do that? i saw it in some corporate network, which is using subnet 10.1.1.0/16 for example. if i manually assign ip 10.1.1.3 on my pc, i cannot access the gateway BUT, if that pc is assigned the same ip by the dhcp server, then i can access the internet.

tq.
  •  
Goran

If I understand the question....
Did you enter the gateway ip and DNS in the static settings?
so if your kerio is on ip: 10.1.1.1 then your static settings must be:
ip:10.1.1.3
gateway: 10.1.1.1
Primary DNS: 10.1.1.1

and if you have wins server you must enter this in wins settings... etc...

Question cannot be stupid, but some of the answers can.
  •  
moro666

Quote:
winkelman: i understand his/her suggestion about "dhcpscope" for source. let's say the dhcp range is 10.1.1.2-10.1.1.200, named "DHCP"

so source = DHCP.
but, if any client pc is manually assigned an ip from the "dhcp" group range (static ip), let's say 10.1.1.3, it can still access the internet, even though it is not using a dhcp-assigned ip, because the ip used is still in the "dhcp group" range.

cybersans.. I understand your question, because I need the same thing :(

Guys, simply.. We want this :

When DHCP gives an IP address within the specified range, the user can access the internet.

let us say, DHCP gives this IP ( 10.1.1.3 ) to the client PC
AND sure the DHCP server will give all data needed to access the internet ( Gateway, subnet mask, DNS )


BUT...... BUT..... BUT.....

when that user changes his setting FROM ( Obtain an IP address automatically ) TO ( Use the following address )

and types the same IP ( 10.1.1.3 ) manually ( by his keyboard and NOT automatically by DHCP )


in this case.. the user CAN access the internet as normal
( as if the DHCP assigned that IP )

what we want.. is to prevent the user from accessing the internet, or to fail to enter the network,

OR whatever makes this user go back to and be forced to use (DHCP) !!


does this make things clear ???

we hope to find the answer to this real problem that annoys any network admin.

By the way.. we can't access clients PCs to play with permissions, gpedit, etc etc....

Help please ....

Mohammad Habeeb
  •  
Goran

Oh yes... Sorry...
Use DOMAIN's...
Or you can turn on in Kerio that he must login (sign in) to use Internet...
Or if you are using only reserved IPs then you know which IPs are not used; you can create a group of non-used IPs and stuck this group of user on one name. Where you can put small bandwidth or put him on nont when quota is out.

[Updated on: Fri, 01 October 2010 16:49]


Question cannot be stupid, but some of the answers can.