Block iphone / devices from getting IP add from DHCP

[jesperloh]

Hi guys, I've came across IP address that aren't enough for some users in the company. The IP addresses are more than enough to cater to the user's notebook or PC. However, some users does not know that there are actually limits to the IP we have, so quite a number of them actually uses their mobile / pads to tap the company's wireless.

I was wondering if i could restrict that particular user from tapping onto the network. I know it sounds a bit impossible because DHCP doesnt have that smart function to block whoever we sees deemed as a "nuisance". Ideas will be appreciated!

 

[ngrego]

You could always use Mac Address Filtering on Wireless network.
Add all of the Macs for the machines allowed to connect via Wifi to the Mac filter list. Other machines that try to connect wont be able. They will have to come to you so you can add them.

 

[jesperloh]

I've thought of it, and even thought of assigning static IP to every individual machines. The problem is, i dont think my manager would like this idea. =S It may seems like he's smiling all the time but you wont know what's going up in the cranky mind of his. There's actually quite a lot of machines in the company. More than 160 of them, not just normal office size.

 

[ngrego]

Other than using MAC filtering or assigning static IPs to your clients, ther'e not much else you can do. Your DHCP server has no way of knowing what kind of machines are connecting so it cand block phones or tablets.
I think that the best way to handle this is to asign static IPs to all the machines in the office, then set your DHCP pool for a certain amount of machines. That way all the static machines will always get an address and you will know who is what. You will also allow for 10-20 DHCP asigned addresses for phones etc.

 

[jesperloh]

Right, just the same idea as mine! I think i'll just have to wait till he can't take anymore of the IP nonsense and do the static assigning of ip =x.

 

[The_Prophecy]

Limit the amount of available IP addresses in the dhcp pool, and then set up an internal web page where employees can request anditional IP (or multiple IPs) for their phone and/or tablet. Expand the dhcp pool as necessary when requests are received.

 

[jesperloh]

Hmm, we dont allow the users to actually make use of the network for gadgets. Exceptions are made only for users who are of superior positions. We also reserved IP for them specifically. We dont want to waste our IPs though we have some extras, which actually cater to overseas guest that are here for meetings.

 

[MikeKF]

Why can't you extend the private IP range available?

 

[jesperloh]

We have quite a number of ip address already. It's just that we dont encourage people to tap into the network for unnecessary needs.

 

[MikeKF]

In that case the number of IP addresses is not your limiting factor as indicated in the OP.

 

[jesperloh]

Okay, i'll elaborate to let you have a clearer picture. There is enough IP add, but when it comes to users, and you should know given the current technology age, 60% of the users hold a smart phone. That is enough to fill up the rest of the IPs.....

Because you asked me why dont i add more IPs, thats the reason im telling you that we have more than enough. Now you get the picture?

 

[MikeKF]

I asked about the IP addresses you mentioned in the OP because private IP ranges, whether IPv4 or IPv6 are enormous. A private network using IPv4 addressing can have up to a total 16,777,216 Class A addresses or 65,536 Class C addresses. So can you please clear up for me why you can't add more IP addresses (other than because you don't want more devices to connect to the network)?

 

[jesperloh]

Why are you sinking so deep into your own concept! omg! Let me do it lay man for you. PCs occupys approx 80% of the total IPS. the remaining 20% are the extras that we have. If those are filled, overseas guest wont be able to get into the network. Nothing to do with bandwidth or whatsoever things that are going through your mind right now.

That's why i said we dont encourage people to tap into the network. Everyone elses gets it except you. Dont go so indepth please. Things arent as complicated as you deem it is.. You are only confusing yourself.

 

[MikeKF]

So why can't you extend the private IP range available?

 

[jesperloh]

Because there isnt any need to waste money in buying more IPs to cater for device users. That's why i will need ideas on how to block them. I can carry on going into DHCP to remove devices, but it just isnt feasible. What if one day im not here to manage the network, and users arent able to connect to the network because it's "full house".

 

[MikeKF]

Why do you need to buy private IP addresses?

 

[jesperloh]

Okay, now i know where your coming from. For my case, it is under a private address of 192.1.2.xxx. My gateway is at 192.1.2.10. Everything have to be under the same subnet for them to get the network. We reserved 192.1.2.11 - 90 for printers and for reservations. The rest are for PCs. Hope you have a clearer picture now. =)

 

[MikeKF]

192.1.2.xxx is not a private address.

Why does everything need to be under the same subnet for them to "get the network"?

Why can't the subnet be 255.255.0.0 and allow for private IP address range of 192.168.0.0 - 192.168.255.255? (There can be several genuine reasons).

 

[jesperloh]

Because the company has only one subnet. Everything needs to communicate to each other through that subnet, then connect to the gateway. On the other side, the NAT is linking the 1 public IP address we has, from all the private IPs in the subnet.

 

[MikeKF]

Why are you using a subnet of 255.255.255.0 instead of 255.255.0.0?

Can you also please clarify what private IP address range you are using?

 

[jesperloh]

Because my private ip address range is only 192.1.2.10 - 254.

 

[MikeKF]

192.1.2.10 is not a private IP address. That is a public IP address. All addresses in 192.1/16 are public.

You can have the gateway set to 192.1.2.10, have a private IP address range of 192.168.0.1-192.168.255.255 and a subnet of 255.255.0.0 allowing a possible 65,536 hosts on that network.

see http://tools.ietf.org/html/rfc1918

 

[jesperloh]

Meaning to say that i have to re-set the entire network! Also, i have another subnet at 192.168.xxx.xxx for other guest that needs only the internet and not our LAN.

 

[MikeKF]

I'm not actually sure how you managed to set up your internal network with public IP addresses without more issues.

Yes it would mean setting up the correct subnet mask on the network devices and correcting the private IP addresses so they comply, but you could leave IP address assigning to DHCP across the board. It would solve your IP address problems and be much more scalable. You could either merge both subnets into the one or route between the two. However if you route between the two and both fall under the range of 192.168/16 then you would need to set up the two subnets differently to what I have described. I imagine there are two subnets from what you have described for security purposes?

I think what I proposed is the simplest solution that is somewhat future-proofed until your organisation grows considerably. At some point, I believe what I proposed will be inevitable, if your organisation grows even a small amount.

 

[ngrego]

Any IP addresses you are assigning your network machines through DHCP are private. They are only used on your private network and not outside it. The address your ISP provides for internet is your public address. You can use any address pool you like for your private network, but you shouldn't get too technical about it that will just mix you up. The more simple the better!
Another thing is that if you don't want guests accessing your office network you should be using a Domain! That way anyone who wants to access your network will need a password to enter and all activity can be tracked!
You are right about not adding any more addresses to your DHCP pool though. Unless you have an super fast connection!