reply to raytaylor
Re: Blocking Rogue DHCP

Running the CPE's in router mode would create double NAT issues on my network...

Inssomniak (The Glitch, Premium) join:2005-04-06 Cayuga, ON

said by wirelessdog: Running the CPE's in router mode would create double NAT issues on my network...

I've never had a problem with that.
But yeah, there is a checkbox to block multicast even in bridge mode, but I'm not sure it blocks the DHCP broadcasts.
Some quick Googling looks like the firewall is still active even in bridge mode, so you can simply block the ports. (v5.5)
Also, using non-WDS works.
-- OptionsDSL Wireless Internet »www.optionsdsl.ca

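The port-blocking idea from the post above (dropping DHCP server traffic that arrives from the customer side of a bridged CPE), as an added example that is not part of the thread or of any CPE firmware. The frame builder, the "customer"/"uplink" port labels and the sample frames are constructed for illustration.

```python
import struct

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68  # standard DHCP/BOOTP UDP ports

def build_frame(src_port, dst_port, vlan=False):
    """Constructed sample: broadcast Ethernet + IPv4 + UDP header, no payload."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vlan:
        eth += struct.pack("!HH", 0x8100, 10)        # 802.1Q tag, VLAN 10
    eth += struct.pack("!H", 0x0800)                 # EtherType IPv4
    udp = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 1]), b"\xff" * 4)
    return eth + ip + udp

def is_dhcp_server_reply(frame):
    """True for IPv4/UDP frames sent from port 67 to port 68 (OFFER/ACK direction)."""
    off = 12
    if len(frame) < off + 2:
        return False
    ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype == 0x8100:                          # skip a single VLAN tag
        off += 4
        if len(frame) < off + 2:
            return False
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype != 0x0800 or len(frame) < off + 20:
        return False
    ihl = (frame[off] & 0x0F) * 4
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 17:
        return False                                 # not IPv4/UDP
    if struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF:
        return False                                 # later fragment: no UDP header
    if len(frame) < off + ihl + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    return sport == DHCP_SERVER_PORT and dport == DHCP_CLIENT_PORT

def verdict(frame, ingress):
    """Drop DHCP server replies that enter on the customer-facing port."""
    if ingress == "customer" and is_dhcp_server_reply(frame):
        return "DROP"
    return "ACCEPT"
```

Client requests (port 68 to 67) still pass in both directions, so customers behind the bridge keep getting leases from the legitimate server on the uplink side.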
jcremin join:2009-12-22 Siren, WI

reply to wirelessdog
said by wirelessdog: Running the CPE's in router mode would create double NAT issues on my network...

What issues does it cause you? I have never... ever... had an issue by double NATting. In fact, most of my customers with a wireless router are triple NATted, with the public IP at the core, a private IP at the CPE, and another one at the router.
The only time I have a problem with NAT is when a customer needs ports open publicly, which makes port forwarding more of a pain. In those cases, I give the CPE a public IP to eliminate the first layer of NAT. Then I disable DHCP on their router, plug the cable from the CPE into one of the LAN ports, set the router to x.x.x.2 (x.x.x.1 is the LAN side of the CPE) and then simply forward the ports in the CPE to whichever device they need access to.
A bit more work than simply bridging them a static IP, but so far I've only had to do it maybe 10 out of 350 installs. It is a small price to pay considering the benefits of not allowing anyone on my layer 2 network.

reply to wirelessdog
said by wirelessdog: Running the CPE's in router mode would create double NAT issues on my network...

You assign the public or first-layer IP to the CPE radio, and then set the customer's router as the DMZ to offset the second layer of NAT. Then the customer's own router can handle the UPnP, port forwarding or anything else it wants to.
You can use DHCP with a pool of one single IP address, so when the customer plugs their router in using the WAN port, it is issued the DMZ address and automatically works.
Or you can do what I do, where I give customers the option of using a router or not. If they want their own router and port management, then they manually set its WAN port to 10.1.1.254. Or if they want a device such as a PlayStation or Xbox to be the DMZ, they just manually set whatever device they want to 10.1.1.254. The DHCP will issue IPs 10.1.1.10-25 to any device so that they are firewalled by default.