Koozali.org: home of the SME Server

Filter with MAC Address is it possible on smeserver

Offline akinomatics

Filter with MAC Address is it possible on smeserver
« on: March 10, 2017, 01:58:58 PM »
Hello All, I want to configure smeserver such that the DHCP will allocate an IP only to the MAC addresses of the PCs I entered on the server.
Kindly help me out, I use smeserver 7.5 now.

Offline Stefano

Re: Filter with MAC Address is it possible on smeserver
« Reply #1 on: March 10, 2017, 02:19:50 PM »
Hi there
SME 7.5 is unsupported
First thing to do is upgrade your SME to 9
Unfortunately there's no direct update path, even if I successfully migrated some SME7.6 to 9 with no issues at all
Can you give us as many details as you can about your server?

Offline akinomatics

Re: Filter with MAC Address is it possible on smeserver
« Reply #2 on: March 10, 2017, 02:41:07 PM »
Thank you for the response,
Really I can install SMEserver 9, so far I can get the filtration done. I am still using sme 7.5 because I have an old Joomla site on it, Joomla 1.0. I want to update both the smeserver and the Joomla: the smeserver to 9.0 and Joomla to 3.5, but the condition to change it will be if I can get the MAC filtration done.

Offline Stefano

Re: Filter with MAC Address is it possible on smeserver
« Reply #3 on: March 10, 2017, 02:47:00 PM »
well.. first of all SME7.5 and joomla 1.X are potentially very insecure..
I guess your SME is exposed to WAN and that's really dangerous.

that said, I'm quite sure we can achieve your need using a custom fragment.. but, before working on it, you should upgrade asap

Offline akinomatics

Re: Filter with MAC Address is it possible on smeserver
« Reply #4 on: March 10, 2017, 02:58:10 PM »
Thank you, I have already installed another server with smeserver 9.0 and I have upgraded on another system to Joomla 3.5, though I have to upgrade the PHP to 5.4 using the instructions on smeserver site.
Which contrib can I download to get the filtration done, or how can I do the custom fragment you mentioned?

thanks

Offline Stefano

Re: Filter with MAC Address is it possible on smeserver
« Reply #5 on: March 10, 2017, 05:03:44 PM »
ok

set up your dhcp as you prefer and leave it enabled
log in as root

Code:
# copy the stock 25Range fragment into templates-custom
cd /etc/e-smith/templates/etc/dhcpd.conf
mkdir -p /etc/e-smith/templates-custom/etc/dhcpd.conf
cp 25Range /etc/e-smith/templates-custom/etc/dhcpd.conf
cd /etc/e-smith/templates-custom/etc/dhcpd.conf

# edit the copied fragment
nano 25Range

edit your file adding a # in front of the word "range"..
you should have something like:

Code:
{
    $OUT .= "    #range    $startDynamicIPRange $endDynamicIPRange;";
}

save (Ctrl-X, Y)

now go to server-manager and add all your reservations.. be aware you can't add a reservation into the dhcp range

you're done..
tested a bit with only 2 clients, works as expected.. let us know


Offline janet

Re: Filter with MAC Address is it possible on smeserver
« Reply #6 on: March 10, 2017, 05:58:11 PM »
akinomatics

Quote
Which contrib can I download to get the filtration done or how can i get the to do custom fragment you mentioned.

I am not aware of the need for a custom template.

I do what you want in server manager Hostnames & addresses panel.
Add the workstation name, the mac address (obtained previously from the workstation NIC) & then the LAN IP you want DHCP to allocate to that mac/workstation (or device).

Usually I run the admin console first & in the Configure this server screens, I narrow down the DHCP range (of IPs that are automatically allocated by the system when not forcing the IP).

As Stefano says, the workstation IPs you want to forcibly allocate by mac address must be outside of the DHCP auto allocate range.

Remember if you change NICs or workstation hardware, then you need to reconfigure the mac address & IP in the Hostnames panel (ie delete old, add new).

This functionality has been part of sme server since very early (eg v3.x).

« Last Edit: March 10, 2017, 06:00:10 PM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Stefano

Re: Filter with MAC Address is it possible on smeserver
« Reply #7 on: March 10, 2017, 06:45:35 PM »
Quote
I do what you want in server manager Hostnames & addresses panel.
Add the workstation name, the mac address (obtained previously from the workstation NIC) & then the LAN IP you want DHCP to allocate to that mac/workstation (or device).

Janet, he wants only reserved IPs to be available.. AFAIK there's no way to prevent a mac address from obtaining a dhcp lease other than filtering with iptables (which is a harder task to accomplish here)

dhcp range must cover at least 1 ip (IOW, dhcp start=dhcp end range), but the single IP will be still available.

I tested my solution.. if I don't create any reservation, no dhcp client was able to obtain an IP, while dhcp was still active and with no error reported..
once I created reservations, all clients were able to connect as expected

just my 2c

guest22

Re: Filter with MAC Address is it possible on smeserver
« Reply #8 on: March 10, 2017, 10:09:51 PM »
Quote
I have to upgrade the PHP to 5.4 using the instructions on smeserver site.


Please be aware that PHP 5.4 is EOL, so is PHP 5.5 very soon. You should at least put your efforts in upgrading to PHP 5.6 via Software Collections. There is an easy contrib for that. Please see wiki 'software Collections'. This can *only* be achieved on SME Server 9.x 64-bit versions!

Offline janet

Re: Filter with MAC Address is it possible on smeserver
« Reply #9 on: March 11, 2017, 01:04:33 AM »
Stefano

Quote
he wants only reserved IPs to be available..

I did not interpret the OP question as requiring that.
But if so, then your answer re custom template seems OK.
I will try it.

Online Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Filter with MAC Address is it possible on smeserver
« Reply #10 on: March 12, 2017, 08:38:39 PM »
Quote
ok

set up your dhcp as you prefer and leave it enabled
log in as root

Code:
# copy the stock 25Range fragment into templates-custom
cd /etc/e-smith/templates/etc/dhcpd.conf
mkdir -p /etc/e-smith/templates-custom/etc/dhcpd.conf
cp 25Range /etc/e-smith/templates-custom/etc/dhcpd.conf
cd /etc/e-smith/templates-custom/etc/dhcpd.conf

# edit the copied fragment
nano 25Range

edit your file adding a # in front of the word "range"..
you should have something like:

Code:
{
    $OUT .= "    #range    $startDynamicIPRange $endDynamicIPRange;";
}

save (Ctrl-X, Y)

now go to server-manager and add all your reservations.. be aware you can't add a reservation into the dhcp range

you're done..
tested a bit with only 2 clients, works as expected.. let us know

looks to me like a nice NFR for SME10....

would you post it in bugzilla against sme10 nfr?

Offline akinomatics

Re: Filter with MAC Address is it possible on smeserver
« Reply #11 on: March 13, 2017, 05:18:51 PM »
Hello janet,

What happened is that I worked in a library of a university; the library is big and I have connected the server to all the network jacks in the library. But later I want to stop everyone from just bringing in their laptops and connecting them to the network jack; rather they should use the wifi in the library, which runs on another subnet. So I want a situation in which I will only enter the MAC addresses of the library systems, so that all others that connected to the network jack will be given IP address by the DHCP and will not have access to network.

Offline Stefano

Re: Filter with MAC Address is it possible on smeserver
« Reply #12 on: March 13, 2017, 05:31:23 PM »
Quote
So I want a situation in which I will only enter the MAC addresses of the library systems, so that all others that connected to the network jack will be given IP address by the DHCP and will not have access to network.

well.. with my solution only hosts/MACs with reservation will get an IP from dhcpd.. all other devices won't have any IP

Offline Daniel B.

    • Firewall Services, la sécurité des réseaux
Re: Filter with MAC Address is it possible on smeserver
« Reply #13 on: March 13, 2017, 05:40:05 PM »
This solution just prevents dhcpd from providing an IP address to unknown clients. It won't prevent clients with a fixed address from accessing anything. Blocking clients by MAC address is possible (with iptables/ebtables) but it'll be harder to implement, and won't be a lot more reliable (as a smart guy would only have to find an allowed MAC addr and he will be able to use it).
It's the end of the world !!! :lol:

guest22

Re: Filter with MAC Address is it possible on smeserver
« Reply #14 on: March 14, 2017, 12:06:49 AM »
So what would be a secure solution to 'white/black list' any device? Just asking out loud.

Offline Daniel B.

    • Firewall Services, la sécurité des réseaux
Re: Filter with MAC Address is it possible on smeserver
« Reply #15 on: March 14, 2017, 08:41:53 AM »
Using iptables/ebtables is better than just playing with dhcp, as it prevents simple static IP assignment. But if you really want something serious, then you need to deploy 802.1x auth everywhere. And this is out of scope for SME as it's mainly configured at the switches layer. SME should be able to act as a radius server for those though

Offline Stefano

Re: Filter with MAC Address is it possible on smeserver
« Reply #16 on: March 14, 2017, 10:38:05 AM »
thank you Dani for your explanation..

so, just using SME we'd:
- add a key to enable just reserved IP (it will comment the "range" line as explained above)
- add a fragment to the masq template to permit traffic just from known mac addresses (we have them listed in hosts db)

something like
Code:
# Create the DHCP_clients chain in the 'raw' table
iptables -t raw -N DHCP_clients

# Incoming DHCP, pass to chain processing DHCP
iptables -t raw -A PREROUTING -p udp --dport 67 -j DHCP_clients

# Allowed DHCP clients
iptables -t raw -A DHCP_clients -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
iptables -t raw -A DHCP_clients -m mac --mac-source 00:11:22:33:44:56 -j ACCEPT
iptables -t raw -A DHCP_clients -m mac --mac-source 00:11:22:33:44:57 -j ACCEPT

# Deny other clients not listed above
iptables -t raw -A DHCP_clients -j DROP
(found on http://serverfault.com/questions/302445/how-do-i-mac-filter-with-dhcp-server)
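
Added example, not part of the thread or of SME Server's own templates: a shell sketch of the second step Stefano describes, generating the DHCP_clients allowlist from a list of known hosts instead of typing each MAC by hand. The sample records are constructed in a `key=type|prop|value` style, and the property name `MACAddress` and the function names are assumptions of this example.

```bash
#!/bin/bash
# Constructed sample records; the property names are assumptions of this
# example, not taken from a real hosts db.
SAMPLE_HOSTS='pc1.library.lan=host|HostType|Local|InternalIP|192.168.1.10|MACAddress|00:11:22:33:44:55
pc2.library.lan=host|HostType|Local|InternalIP|192.168.1.11|MACAddress|00:11:22:33:44:56
opac.library.lan=host|HostType|Local|InternalIP|192.168.1.12|MACAddress|00-11-22-33-44-57
dup.library.lan=host|HostType|Local|InternalIP|192.168.1.13|MACAddress|00:11:22:33:44:55
bad.library.lan=host|HostType|Local|InternalIP|192.168.1.14|MACAddress|00:11:22:33:44
www.library.lan=host|HostType|Self'

# Read records on stdin, print each valid MAC once (lower case, colon separated).
# Malformed values are reported on stderr and never reach the rule set.
extract_macs() {
    awk -F'|' '{
        for (i = 2; i < NF; i += 2) if ($i == "MACAddress") {
            m = tolower($(i+1)); gsub(/-/, ":", m)
            if (length(m) == 17 && m ~ /^([0-9a-f][0-9a-f]:)+[0-9a-f][0-9a-f]$/) print m
            else print "skipped invalid MAC: " $(i+1) > "/dev/stderr"
        }
    }' | sort -u
}

# Emit the same rule layout as the post above: one ACCEPT per known MAC,
# then a final DROP for every other DHCP request.
gen_rules() {
    echo "iptables -t raw -N DHCP_clients"
    echo "iptables -t raw -A PREROUTING -p udp --dport 67 -j DHCP_clients"
    extract_macs | while read -r mac; do
        echo "iptables -t raw -A DHCP_clients -m mac --mac-source $mac -j ACCEPT"
    done
    echo "iptables -t raw -A DHCP_clients -j DROP"
}

# Print the rules for review instead of applying them.
printf '%s\n' "$SAMPLE_HOSTS" | gen_rules
```

The rules are only printed, so they can be reviewed before being placed in a template fragment. As Daniel B. points out in the thread, a client that copies an allowed MAC still passes this filter.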

Offline Daniel B.

    • Firewall Services, la sécurité des réseaux
Re: Filter with MAC Address is it possible on smeserver
« Reply #17 on: March 14, 2017, 10:49:42 AM »
Quote
so, just using SME we'd:
- add a key to enable just reserved IP (it will comment the "range" line as explained above)
- add a fragment to the masq template to permit traffic just from known mac addresses (we have them listed in hosts db)

No need to do both, if we filter by MAC address, it doesn't matter if clients get an IP from the dynamic pool. As for the custom template, yes, something like this (but it needs to be tested and inserted correctly in the masq templates)
