Strict MAC binding not working

GiuseppeR

Hello everyone,

I set MAC to IP binding from here:

So I expected to have a reserved IP for a specific MAC address.

Then I booted a new PC inside the network, with a static IP that could go in confilct with the above mentioned reserved IP and the new PC was online with that reserved IP.

That is a bug, because if I set 192.168.1.10 for AA:BB:CC:11:22:33 I expect to see that ONLY that MAC address could take the 192.168.1.10 address.

It was not so.

How could I fix that?

StevieG

Due to you putting a static IP on the device, then it will bypass the DHCP server/ignore the IP you reserved on that address and just try and use the IP you have given it.

This will then cause conflicts on the network as both devices will try and use the given IP address.

If you are going to give devices a static IP address, make sure they are out of the DHCP range and make a note of what's been used so you do not get conflicts.

The IP reserving can sometimes be useful if say a printer was connected to the network and you want to print to that device via the IP address is was assigned. Then reversing the IP address in the firewall interface would work OK, as no other device would then be allowed/given this address.

GiuseppeR

Hello @StevieG

as I set the DHCP from 192.168.1.50 to 192.168.1.100 I expect that every thing inside the LAN in DHCP goes there.

I expect also that static IP works smooth if it is NOT in conflict with some other rules, like telling the firewall to assign 192.168.1.10 ONLY to a specific MAC address. Something easy to get from the firewall itself. So if something else asks for a reserved IP the firewall itself should deny it to get an IP and generate traffic.

You can see that binding MAC to IP is explained also here, on premise:

https://support.zyxel.eu/hc/en-us/articles/360002858959-USG-Series-IP-MAC-Binding

So it is a nonsense to have a place where to bind MAC to IP and if something strange has a static IP has the ability to bypass the firewall control.

Following the statement here its traffic should be blocked:

PeterUK

on FLEX200 standalone their is a option "Enable IP/MAC Binding and DHCP Enforcement"

When a PC1 with MAC1 get a reserved IP 192.168.255.41 if PC2 MAC2 is set with the same static IP as PC1 then PC2 is blocked however if PC2 copies the MAC1 of PC1 then PC2 is allowed

GiuseppeR

Yes @PeterUK

if PC2 copies MAC1 address could be possible to get IP1 (reserved as said) because the firewall see the "correct" MAC to assign the reserved IP.

In my case the MAC addresses were completely different each other.

So it is a bug inside Nebula platform to allow that.

I set the rules for PC1 MAC1 IP1 and then plugged the RJ45 of PC2 with MAC2 and a static IP set on the PC2 equal to IP1 and PC2 was online.

I discovered that because PC1 highlighted me conflict in IPs.

StevieG

I think PeterUK is right, the setting to block other static IP assigned devices, if not listed in the IP/MAC (DHCP) binding table is to enable the setting:  "Enable IP/MAC Binding and DHCP Enforcement" found within the on-premise configuration.

I am unsure if this setting is available in Nebula as I can only see settings for NSG100 or USG60ax firewalls in my clients setup, and this function is not listed.

If this is the case, then listing the devices in the static DHCP table is only making sure DHCP does not give another device the same IP as what you are wanting the listed device to use. Maybe this is another setting that is not available in Nebula still.

I usually still keep the firewalls on-premise for configuring as Nebula lacked a lot of required features when it first came out.

GiuseppeR

@StevieG

I know about some lack of features in Nebula, but I'm speaking about a firewall that is a Flex100 onboarded on Nebula years ago.

Setting a MAC/IP value in interfaces page and seeing the firewall that is not strict binding it with MAC/IP is something not acceptable, it is a bug not a lack of feature because the feature that is present is NOT working as expected.

Zyxel_Melen

Hi @GiuseppeR,

Let me clarify whether the configuration you set to is the static DHCP table or the IP MAC binding table? Below is static DHCP table.

GiuseppeR

Hello @Zyxel_Melen

on premise you have this table:

on Nebula I see only this one:

Is there another place on Nebula where to declare IP/MAC Binding like on premise?

PeterUK

Due to how IPv4 works for ARP due to no device authentication on a unmanaged switch

when say MAC1 PC1 does DHCP for a given IP 192.168.255.41 it will do a ARP probe to see if any thing has that IP if not the device uses the IP but even with “Enable IP/MAC Binding and DHCP Enforcement” this will not stop a device MAC2 PC2 from setting a static IP 192.168.255.41 at the switch level but will stop it ping out to the Internet.

So MAC1 PC1 does DHCP for a given IP 192.168.255.41 it will do a ARP probe all good but if PC1 goes off line MAC2 PC2 with a static IP 192.168.255.41 it does ARP probe to see if any thing has that IP then use that IP so then if PC1 goes back on line it does DHCP gets the IP does ARP probe sees it in use then PC1 can't go on line.

With a managed switch you can bock MAC on given ports so that this can't happen or DAI (IP source guard) I think takes care of that too by the client must DHCP in order to ARP on the network.

Zyxel_Melen

Hi @GiuseppeR,

The Nebula CC static DHCP table only reserves an IP address for a specific MAC address. It doesn't support the function "IP-MAC Binding". If this feature is required in your network, please consider cloud monitoring mode for the USG FLEX/ATP.