avoid ip conflicts

Skylink
Skylink Posts: 32  Freshman Member
edited April 2021 in Security

Hi.

I have enabled IP/MAC binding for the class 192.168.0.XXX (used for our LAN).

No DHCP service, and the IP of the firewall is 192.168.0.1.

We have another class, 192.168.2.xxx, used to test devices, with the DHCP service active.

Today my colleague attached an IP camera with a fixed IP (192.168.0.202, which is the same as our NAS), but the cam has a different gateway (192.168.0.254).

I thought that the firewall would have blocked the camera, making it unreachable to our network PCs. But opening the address 192.168.0.202 I found the IP cam and not our NAS!

Disconnecting the cam, the NAS was there again.

ANSWER:

What is the correct way to "protect" the 192.168.0.xxx network from any device (also with a fixed IP) that can be connected to our LAN (and avoid any possible IP conflict)?

(I don't want to make VLANs on my switch.)

All Replies

  • mMontana
    mMontana Posts: 1,389  Guru Member

    So use two switches. And two LAN interfaces: one for the test devices, one for your inner network.

  • Skylink
    Skylink Posts: 32  Freshman Member

    Thanks for the suggestion, but...

    It is not possible, because the test of devices could be done on the wired or wireless network, and from any desk (where the connections are shared with our PCs).

    The firewall is the only node I should use to manage potential IP conflicts, but I don't know how (and if it is possible).

  • imaohw
    imaohw Posts: 124  Ally Member

    If the devices in the same subnet are all connected to the same switch then the traffic will never get to the firewall. The switch will forward the traffic between the relevant ports.

    Stopping devices with unauthorized static IP addresses from connecting to your network would need to be handled at the switch.

    Just curious, not that it would address the issue, but why do you object to VLANs?

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    So you have a USG with wireless?

  • Skylink
    Skylink Posts: 32  Freshman Member

    Off topic:

    Why not VLANs?

    I'm a newbie and I have never configured VLANs, and maybe I misunderstood, but I could not share the server files across different VLANs.

    It seems absurd to me, and if you confirm to me that it is possible... perhaps I should take it back into consideration.

  • Skylink
    Skylink Posts: 32  Freshman Member
    edited December 2019
    Done.

    If I understand correctly, in this way I "close" the physical port of the main switch to accept packets only from a specific IP address that must be associated with a specific MAC address.

    Good but...

    But if a switch (in another office) is connected on a port...

    I guess I should create a similar rule on the secondary switch port (giving it local control of IP conflicts).

    But if so, it seems to me that there could be problems in the architecture if someone is able to physically attach a cable to an "uncontrolled" port, isn't it?

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    But what are you going to do for wireless? You would need a standalone AP with Wireless Client Security Separation, a managed switch doing DAI, and then, to have clients connect to each other, the USG doing proxy ARP.

    So your best option is to not use unmanaged switches.

    There's only so much you can do to stop conflicts / ARP spoofing.
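Two points in the replies above deserve a concrete illustration: imaohw's observation that frames between two hosts on the same switch never reach the firewall (so the firewall's IP/MAC binding table cannot catch the camera/NAS clash), and PeterUK's suggestion of a managed switch doing DAI. The following is an added example, not code from the original thread or from any Zyxel or Cisco product: it takes ARP sender fields as a switch running DAI (or a passive monitor on the segment) would see them, flags IPs claimed by more than one MAC, and checks each entry against an authorized binding table. The ports, MACs and the binding table are constructed sample values; only the IPs come from the thread.

```python
from collections import defaultdict

# Constructed ARP observations as (ingress port, sender IP, sender MAC), the
# fields a DAI-capable switch inspects. Sample data, not a real capture.
ARP_OBSERVATIONS = [
    ("gi1/0/3", "192.168.0.202", "aa:bb:cc:00:00:01"),  # NAS (authorized)
    ("gi1/0/7", "192.168.0.202", "AA:BB:CC:00:00:99"),  # camera with the same static IP
    ("gi1/0/5", "192.168.0.10",  "aa:bb:cc:00:00:10"),  # office PC (authorized)
    ("gi1/0/9", "192.168.0.254", "aa:bb:cc:00:00:42"),  # host using an IP nobody registered
]

# Constructed equivalent of the firewall's IP/MAC binding table. The difference
# is where it is enforced: here it is applied at the switch port, where the
# frames actually pass, instead of at the gateway, which same-subnet traffic
# never crosses.
BINDINGS = {
    "192.168.0.1":   "aa:bb:cc:00:00:fe",
    "192.168.0.10":  "aa:bb:cc:00:00:10",
    "192.168.0.202": "aa:bb:cc:00:00:01",
}


def find_ip_conflicts(observations):
    """Return {ip: sorted MAC list} for every IP announced by more than one MAC.

    This is the duplicate-address condition the original poster hit: two
    devices answer for 192.168.0.202 and the switch happily forwards to
    whichever one replied last.
    """
    macs_by_ip = defaultdict(set)
    for _port, ip, mac in observations:
        macs_by_ip[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def validate_against_bindings(observations, bindings):
    """Return (port, ip, mac, reason) for every ARP entry the binding table rejects.

    'mac-mismatch' is the clashing camera; 'ip-not-in-binding-table' is any
    host that brought its own address. A DAI-enabled switch would drop both
    at the ingress port; a monitoring script would alert on them.
    """
    rejected = []
    for port, ip, mac in observations:
        expected = bindings.get(ip)
        if expected is None:
            rejected.append((port, ip, mac.lower(), "ip-not-in-binding-table"))
        elif expected.lower() != mac.lower():
            rejected.append((port, ip, mac.lower(), "mac-mismatch"))
    return rejected


def main():
    for ip, macs in find_ip_conflicts(ARP_OBSERVATIONS).items():
        print(f"CONFLICT {ip} claimed by {', '.join(macs)}")
    for port, ip, mac, reason in validate_against_bindings(ARP_OBSERVATIONS, BINDINGS):
        print(f"REJECT port={port} ip={ip} mac={mac} reason={reason}")


if __name__ == "__main__":
    main()
```

Running it reports 192.168.0.202 as claimed by two MACs and rejects the frames on gi1/0/7 and gi1/0/9. Note what it does not do: it cannot stop the camera answering ARP for the NAS's address; only the switch port (DAI, or a per-port IP/MAC rule as discussed later in the thread) can drop the frame before other hosts learn the wrong mapping.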

  • imaohw
    imaohw Posts: 124  Ally Member

    @Skylink - the SG550x is a pretty advanced switch. If I were in your shoes I would do a bunch of reading before implementing new functions.

    VLANs are not that complicated and would help to bring some structure to your network.