Koozali.org: home of the SME Server

DHCP

Doug M.

DHCP
« on: May 23, 2003, 04:13:11 AM »
Is there a way to deny a DHCP connection from the internal network based on the network card's MAC address? I am trying to limit the times my kids can connect to the internet from their computers.

Steven Thomson

Re: DHCP
« Reply #1 on: May 23, 2003, 05:22:26 AM »
Have a look at dans-guardian, I think it has all sorts of control options as well as content filtering.

Doug M.

Re: DHCP
« Reply #2 on: May 24, 2003, 03:27:38 AM »
I use Dans Guardian with the dungog server-panel. It's a great content filter. It does have an option for passworded connection, which is close, but once I give each user (kid) their username/password they can connect any time. I'm trying to limit the amount of time and/or when they can use the internet.

Doug M.

Re: DHCP
« Reply #3 on: May 24, 2003, 07:38:39 AM »
Darn it, here I go answering my own question again. At least for my needs anyway.

My solution is the "deny unknown-clients;" option in the dhcpd.conf file.

# This option does as it says: denies access to unknown hosts.
deny unknown-clients;

# Next you define the allowed systems.
    host LAPTOP  { hardware ethernet 00:xx:55:xx:65:xx; }
    host amiga1    { hardware ethernet 00:xx:0f:xx:3f:xx; }
    host Diva         { hardware ethernet 00:xx:c7:xx:72:xx; }

---

To accomplish the restrictions I created a cron item that will copy a custom template fragment for the restricted time to the dhcpd.conf file, rebuild the dhcpd.conf and restart the dhcpd server. Then a second cron item to copy, rebuild and restart for the unrestricted time.

Admittedly this is not that elegant but as a start it works. I might think about trying to make a server panel to implement this. If anyone else thinks this would be useful?

del

Re: DHCP
« Reply #4 on: May 25, 2003, 07:15:04 AM »
Definitely!

Craig

Re: DHCP
« Reply #5 on: May 26, 2003, 03:21:47 AM »
Does this work?

If you only allow connections to the internet from 9am to 6pm and someone connects during this time and uses the internet with no problems.

What happens when it comes to 6.01pm? They have the IP address and should still be able to connect to the internet. It's only when it comes to getting an update on the IP address that they will be rejected, and even then the computer will keep its IP address until the time to live runs out.

Craig

Jaime Nebrera

Re: DHCP
« Reply #6 on: May 26, 2003, 09:44:07 PM »
Hi Doug,

  It's done better at a "firewall" level.

  As you guessed, you can use DHCP to assign "static" IPs to some power users.

  Then configure iptables to allow Internet to only a given set of IPs/MACs. To change these rules you should run a cron that changes firewall rules on the fly. Be careful as these rules are built using a template. You could just "add" the rules before the default SME rules.

  As Craig said, DHCP is not the way to do it, as you will only prohibit getting an IP on that schedule but nothing more.

  Hope it helps.
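
The cron-driven firewall approach suggested in this reply, sketched as an added example that is not code from any poster in this thread or from SME Server. The chain name, MAC addresses, script path and hours are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): block listed MACs at the packet filter
# on a schedule, so a still-valid DHCP lease no longer matters.
# Chain name, MAC list, script path and hours are constructed placeholders.
#
# crontab (9am-6pm window from the question above):
#   0 18 * * * /usr/local/sbin/kids-net block
#   0 9  * * * /usr/local/sbin/kids-net allow

CHAIN=KIDS_TIME
MACS="00:11:22:33:44:55 00:11:22:33:44:66"

valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the iptables commands for mode "block" or "allow"; changes nothing.
rules_for() {
    for mac in $MACS; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    # Create the chain once and hook it in front of every other FORWARD rule,
    # so established connections are cut as well as new ones.
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -C FORWARD -j $CHAIN 2>/dev/null || iptables -I FORWARD 1 -j $CHAIN"
    echo "iptables -F $CHAIN"            # start from an empty chain each run
    [ "$1" = block ] || return 0         # "allow" leaves the chain empty
    for mac in $MACS; do
        echo "iptables -A $CHAIN -m mac --mac-source $mac -j REJECT"
    done
}

# "show" only prints; "block"/"allow" apply the commands (needs root).
case "${1:-}" in
    show)        rules_for "${2:-block}" ;;
    block|allow) cmds=$(rules_for "$1") && printf '%s\n' "$cmds" | sh -e ;;
esac
```

FORWARD only sees traffic routed through the server; requests to a proxy running on the server itself (such as the DansGuardian setup mentioned earlier) arrive on INPUT and would need the same jump there. Because the server's firewall rules are built from a template, rules added this way have to be re-applied whenever that firewall is rebuilt.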

Doug M.

Re: DHCP
« Reply #7 on: May 29, 2003, 12:39:47 AM »
Ok, for the time being this is working for me.  By setting the default lease time for the same amount of time. The kids will figure out the glitch to this method eventually. Still this is not a true solution to my problem. I will look into the iptables method but I am also looking at adding a pppoe-server (pppoed).