bjjzpp, 2018-12-17 17:05:16

Gateway on LAN?

Good day!
Please advise how to implement the following.
There is a network without a domain (workgroup), addresses in the network are assigned statically, only 130 ip-addresses.
It turned out that people were connecting to the local network without asking: they simply picked a free IP and got access to local resources.
How it happened: on one engineering PC they looked up the workgroup name, then the IP address, mask and gateway.
Tell me how you can do the following: add the unused addresses to a ban list and do not allow access to ports 137,138,138,445 over TCP and UDP ...
Preferably on Linux systems.
Making a dhcp network is not an option.


7 answer(s)
AntHTML, 2018-12-18
@bjjzpp

- 130 hosts in one peer-to-peer network, well, you give... at 50 it is already advisable to run it, otherwise it's good if 70% of your gigabit is UDP storms.
- The network must be cut at least into: administrative, production, server. You can use the existing Mikrotik if it has the performance; if not, buy a couple more.
- Shares for >20 clients are password-protected only, otherwise you will get tired of looking for who has spoiled what where.
- IP via DHCP, DHCP bound to MAC, and on the same Mikrotiks in iptables; this is one of the standard functions there.
- In the production network, kill everything except the necessary resources; all the shares are only on the servers.

cssman, 2018-12-17
@cssman

Do you have a hub there?
The most correct thing is to separate the "engineering" network and the user network with L2 VLANs and/or switching.
If the task is to "ban", then you need to "ban" on something: the server, or write the correct allow rules on the network equipment and prohibit the rest.

Adamos, 2018-12-17
@Adamos

iptables, DROP all incoming from the range that you consider illegitimate.
It just won't help you.
Nobody prevents "people" from taking the used IP before the "legitimate" owner, for example.
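
As an added example (not from any poster in this thread), a small audit on one Linux host that catches both problems raised here: a free address that someone has simply configured on their own machine, and a legitimate address answered from an unexpected device. It parses the output of `ip neigh show` (the sample below is constructed) against a constructed static address plan; the names INVENTORY, LAN and SAMPLE_NEIGH are assumptions, as are all addresses and MACs.

```python
import ipaddress
from typing import Dict, List

# Constructed inventory of the statically assigned hosts (ip -> expected MAC).
# A real deployment would load this from the network's address plan.
INVENTORY: Dict[str, str] = {
    "192.168.10.11": "aa:bb:cc:00:00:11",
    "192.168.10.12": "aa:bb:cc:00:00:12",
    "192.168.10.13": "aa:bb:cc:00:00:13",
}
LAN = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample of `ip neigh show` output: .11 is the expected device,
# .12 answers from a MAC the plan does not know (address taken by a stranger),
# .50 is a free address somebody configured by hand, .13 is not answering ARP.
SAMPLE_NEIGH = """\
192.168.10.11 dev eth0 lladdr aa:bb:cc:00:00:11 REACHABLE
192.168.10.12 dev eth0 lladdr de:ad:be:ef:00:12 STALE
192.168.10.50 dev eth0 lladdr de:ad:be:ef:00:50 REACHABLE
192.168.10.13 dev eth0  FAILED
"""

def parse_neigh(text: str) -> Dict[str, str]:
    """Return ip -> MAC for neighbour entries that carry a resolved lladdr."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            seen[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return seen

def audit(seen: Dict[str, str], inventory: Dict[str, str],
          lan: ipaddress.IPv4Network) -> Dict[str, List[str]]:
    """Classify observed LAN hosts against the static address plan."""
    report: Dict[str, List[str]] = {"unknown_ip": [], "mac_mismatch": [], "unused_ip": []}
    for ip, mac in sorted(seen.items()):
        if ipaddress.ip_address(ip) not in lan:
            continue  # neighbours on other interfaces/subnets are out of scope
        if ip not in inventory:
            report["unknown_ip"].append(f"{ip} ({mac})")
        elif inventory[ip].lower() != mac:
            report["mac_mismatch"].append(f"{ip} expected {inventory[ip]} saw {mac}")
    # Addresses nobody is supposed to use: the candidates for a firewall drop list.
    report["unused_ip"] = [str(h) for h in lan.hosts() if str(h) not in inventory]
    return report

if __name__ == "__main__":
    for kind, hits in audit(parse_neigh(SAMPLE_NEIGH), INVENTORY, LAN).items():
        print(f"{kind}: {len(hits)}", *hits[:5], sep="\n  ")
```

Run it periodically (cron) on a host that sits in the same broadcast domain, since ARP state only covers neighbours that host has actually exchanged traffic with.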

TyzhSysAdmin, 2018-12-17
@POS_troi

Computers inside the same broadcast domain communicate "past" the gateway.
If you want to give access to computers only to certain IPs, then you will have to set up a whitelisted firewall on each computer and run it periodically.
Your problem is solved with the help of managed switches, it is still possible with the help of a bit.

fdroid, 2018-12-17
@fdroid

Google "L2 port security managed switch".

bjjzpp, 2018-12-18
@bjjzpp

mmm, well, how can the employees of the enterprise be outsiders, they are ordinary stokers. They came with their piece of hardware, looked at the network settings and off they went.
I have a Mikrotik managed router, 3 checks come into it and a wire goes from it to the switches.
Why the boss doesn't give the go-ahead for DHCP, reasons unknown, something like it didn't go well once.
802.1x equipment is what, for example? At the moment there are unmanaged TP-Link switches, modern ones, because the network is 1 Gb/s.
Hubs were all removed before.
There is no domain, only a working group.
