Description:

Some scenarios require that communication in the network should be possible only for Wi-Fi users who obtain an IP address from a DHCP server in the local network. Wi-Fi users with a static IP address should be blocked. This can be implemented using the protocol filter on access points and WLAN routers.

This article describes how to use the protocol filter so that the only network users allowed to communicate on the network are those who obtained an IP address via DHCP (“mandatory DHCP”).

In a WLAN controller scenario the protocol filter configuration can be rolled out to the access points via a script. The procedure is described in the Knowledge Base article Centralized script management with LANCOM WLAN controllers. Please use the attached script file.

Protocol-Filter_DHCP-Only.lcs


Requirements:


Procedure:

1) Open the configuration for the device in LANconfig and switch to the menu item Interfaces → LAN → LAN bridge.

2) Go to the Protocols menu.

3) Add a new entry to allow ARP (Address Resolution Protocol) and adjust the following parameters:

  • Name: Enter a descriptive name (in this example ALLOW_ARP).
  • Protocol: Enter the value 0806. This stands for ARP.
  • DHCP assigned IP: Check that the value is set to Irrelevant.
  • Interface list: Here you select the WLAN interfaces that the protocol filter is to operate on.
  • Action: Select Pass packets.

4) Add a new entry to allow DHCP (Dynamic Host Configuration Protocol) and adjust the following parameters:

  • Name: Enter a descriptive name (in this example ALLOW_DHCP).
  • Protocol: Enter the value 0800. This stands for IPv4.
  • Subtype: Enter the value 17. This stands for UDP.
  • First port: Enter port 67.
  • Last port: Enter port 68.
  • DHCP assigned IP: Check that the value is set to Irrelevant.
  • Interface list: Here you select the WLAN interfaces that the protocol filter is to operate on.
  • Action: Select Pass packets.

5) Create a new entry in order to transmit packets from Wi-Fi participants who obtained their IP address from a DHCP server. To do this, adjust the following parameters:

  • Name: Enter a descriptive name (in this example ALLOW_DHCP_ONLY).
  • Protocol: Enter the value 0800. This stands for IPv4.
  • DHCP assigned IP: Select Yes from the drop-down menu. This checks whether the Wi-Fi user has obtained an IP address via DHCP (DHCP tracking). If this is the case, the packet is transmitted. 
  • Interface list: Here you select the WLAN interfaces that the protocol filter is to operate on.
  • Action: Select Pass packets.

6) The Protocols table should appear as shown below.

A deny rule that blocks data traffic from Wi-Fi users with a static IP address is not needed. Rules exist for the Wi-Fi interfaces, but none of them apply to this traffic, so the standard rule with the action Drop packets comes into effect. This rule is not visible in the configuration.

7) This concludes the configuration of the protocol filter. You can now write the configuration back to the device.
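
The following added example (not LANCOM code and not part of the original article) models the three-entry Protocols table from steps 3 to 5 and the invisible default rule, so you can check which frames the finished configuration passes. Assumptions: entries are evaluated in table order with the first match winning, the port range is compared with the destination port, DHCP tracking is modelled as a MAC-to-IP binding, an interface without any entry is not filtered, and the interface name WLAN-1 and all addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    ethertype: int                            # "Protocol" field (hex EtherType)
    subtype: Optional[int] = None             # IP protocol number, None = any
    ports: Optional[Tuple[int, int]] = None   # (first port, last port), None = any
    dhcp_assigned: bool = False               # True = "Yes", False = "Irrelevant"
    interfaces: Tuple[str, ...] = ("WLAN-1",) # assumed interface name

@dataclass(frozen=True)
class Frame:
    iface: str
    src_mac: str
    ethertype: int
    src_ip: str = ""
    ip_proto: Optional[int] = None
    dst_port: Optional[int] = None

# The table from steps 3-5; every entry has the action "Pass packets".
RULES = [
    Rule("ALLOW_ARP", 0x0806),
    Rule("ALLOW_DHCP", 0x0800, subtype=17, ports=(67, 68)),
    Rule("ALLOW_DHCP_ONLY", 0x0800, dhcp_assigned=True),
]

def matches(rule, frame, leases):
    if frame.iface not in rule.interfaces or frame.ethertype != rule.ethertype:
        return False
    if rule.subtype is not None and frame.ip_proto != rule.subtype:
        return False
    if rule.ports is not None:
        if frame.dst_port is None or not rule.ports[0] <= frame.dst_port <= rule.ports[1]:
            return False
    # DHCP tracking (assumed model): source IP must be the one leased to this MAC.
    if rule.dhcp_assigned and leases.get(frame.src_mac) != frame.src_ip:
        return False
    return True

def decide(frame, leases, rules=RULES):
    """Return (action, name of the deciding rule) for one frame."""
    if not any(frame.iface in r.interfaces for r in rules):
        return ("pass", "no entry for interface")      # assumption: unfiltered
    for rule in rules:
        if matches(rule, frame, leases):
            return ("pass", rule.name)
    return ("drop", "default rule")                    # the invisible Drop packets rule
```

In this model a static-IP client still gets ARP and UDP 67-68 through, because those entries are set to Irrelevant, while all of its other IPv4 traffic and any non-IPv4 EtherType (for example IPv6, 0x86DD) falls through to the default rule.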