D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: almamunbd on July 26, 2011, 08:49:53 PM

Title: Is it Possible to block computers from going to internet based on MAC addresses?
Post by: almamunbd on July 26, 2011, 08:49:53 PM
Hi,
I use a DFL-210 firewall in my office with 40-50 client computers that share an internet connection through this device. I have configured MAC-to-IP binding in the DHCP static host settings, which is working fine. But recently I have found that users are changing their network interface settings to manual and assigning free IP addresses in the same network (192.168.1.0). I want to block this from the firewall. I want to configure the firewall so that it only passes internet traffic based on the client computers' MAC addresses, or so that if someone changes his IP manually he does not get internet access.

Can anyone please tell me if this is possible, and if yes, then how?

Thanks
Mamun

Title: Re: Is it Possible to block computers from going to internet based on MAC addresses?
Post by: scrubsguy on July 27, 2011, 02:04:10 AM
login > objects > interface adr > click add > select eth adr >

Then you go to rules and create your standard rules and services... lemme know if you need more help

Title: Re: Is it Possible to block computers from going to internet based on MAC addresses?
Post by: danilovav on July 29, 2011, 02:07:16 PM
Not correct.
To allow only specified MAC-IP pairs to access the internet through the DFL, you need to set up static ARP at Interfaces > ARP.
To deny internet to unauthorized users, make a group containing all addresses of users who can use the internet and replace lannet with this group in Rules > IP rules > lan_to_wan.

Title: Re: Is it Possible to block computers from going to internet based on MAC addresses?
Post by: scrubsguy on July 31, 2011, 10:17:11 PM
OK... it works the way I set it up... but then yours is another way... ;D

Title: Re: Is it Possible to block computers from going to internet based on MAC addresses?
Post by: BALance on August 09, 2011, 06:04:37 AM
Hi guys,
I've seen your discussion on how to grant access to the internet for some PCs regarding the MAC address. So it should also be possible to block access from LAN1 to LAN2 for example. Let's say we have the following configuration:
LAN1: 192.168.1.0
LAN2: 192.168.2.0

LAN1 has access to the internet (WAN1), but not to LAN2.
LAN2 has access to the internet (WAN1), and only some PCs regarding the MAC address have access to LAN1.

I couldn't follow your discussion at all. So, how would you configure this with ARP and IP rules?

Thanks in advance and best regards.

Title: Re: Is it Possible to block computers from going to internet based on MAC addresses?
Post by: danilovav on August 09, 2011, 09:59:52 AM
Objects > Address book > LocalNetwork (make folder)
Add lan2_client1, lan2_client2, ... - static client addresses
Make group lan2_allowed = lan2_client1, lan2_client2, ...

System > DHCP servers > your_dhcp
Make reservation between each lan2_client and its MAC
(you can skip it if you use static IP)

Interfaces > ARP
Make static ARP between each lan2_client and its MAC

Rules > IP Rules
# lan1 to wan1
NAT lan1/lan1net wan1/all-nets all_services
# lan2 to wan1
NAT lan2/lan2_allowed wan1/all-nets all_services

Title: Re: Is it Possible to block computers from going to internet based on MAC addresses?
Post by: scrubsguy on August 09, 2011, 09:58:16 PM
works... on my systems
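
Added example, not part of the forum thread and not D-Link code: a Python audit that compares the static MAC-to-IP bindings discussed above with observed ARP entries and flags clients that are using a manually assigned address. The binding table, the observed entries and the /24 prefix for 192.168.1.0 are constructed assumptions.

```python
import ipaddress

# Constructed sample (assumption): static MAC-to-IP bindings as entered in DHCP/static ARP.
BINDINGS = {
    "192.168.1.10": "00:11:22:33:44:10",
    "192.168.1.11": "00:11:22:33:44:11",
}

# Constructed sample (assumption): observed (ip, mac) pairs, e.g. typed in from an ARP table.
OBSERVED = [
    ("192.168.1.10", "00:11:22:33:44:10"),  # matches its binding
    ("192.168.1.11", "00-11-22-33-44-AA"),  # bound IP answered by a different MAC
    ("192.168.1.50", "00:11:22:33:44:10"),  # bound MAC now on a free, manually set IP
    ("192.168.1.77", "00:11:22:33:44:77"),  # unknown MAC on a free IP
    ("192.168.2.5", "00:11:22:33:44:05"),   # outside the audited network, ignored
]

def norm_mac(mac):
    """Normalize a MAC written with ':', '-' or '.' separators to aa:bb:cc:dd:ee:ff."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(bindings, observed, network="192.168.1.0/24"):
    """Return (ip, mac, reason) for every observed pair in `network` that breaks a binding."""
    net = ipaddress.ip_network(network)
    by_ip = {ipaddress.ip_address(ip): norm_mac(mac) for ip, mac in bindings.items()}
    ip_of_mac = {mac: ip for ip, mac in by_ip.items()}
    findings = []
    for ip_s, mac_s in observed:
        ip, mac = ipaddress.ip_address(ip_s), norm_mac(mac_s)
        if ip not in net or by_ip.get(ip) == mac:
            continue  # out of scope, or exactly the pair that was bound
        if ip in by_ip:
            findings.append((str(ip), mac, "bound-ip-wrong-mac"))
        elif mac in ip_of_mac:
            findings.append((str(ip), mac, f"known-mac-moved-from-{ip_of_mac[mac]}"))
        else:
            findings.append((str(ip), mac, "unbound-ip-unknown-mac"))
    return findings

if __name__ == "__main__":
    for finding in audit(BINDINGS, OBSERVED):
        print(*finding)
```

The second finding type is the case from the first post: a client with a reservation that switched its interface to a free address in the same network.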