avoid ip conflicts

Skylink
Skylink Posts: 32  Freshman Member
edited April 2021 in Security

Hi.

I have enabled IP/Mac Binding for the class 192.168.0.XXX (used for our LAN).

No DHCP service and IP firewall is 192.168.0.1

We have another class 192.168.2.xxx used to test devices with the DHCP service active.

Today my colleague attached an IP camera with a fixed IP (192.168.0.202, which is the same as our NAS) (but the CAM has a different gateway, 192.168.0.254).

I thought that the firewall would have blocked the camera, making it unreachable to our network PCs. But opening the address 192.168.0.202 I found the IPCam and not our NAS!

Disconnecting the CAM, the NAS was there again.

ANSWER:

What is the correct way to "protect" the 192.168.0.xxx network from any device (also with a fixed IP) that can be connected to our LAN (and avoid any possible IP conflict)?

(I don't want to make VLANs on my switch)


All Replies

  • mMontana
    mMontana Posts: 1,300  Guru Member

    So use two switches. And two LAN interfaces. One for test devices, one for your inner network.

  • Skylink
    Skylink Posts: 32  Freshman Member

    Thanks for the suggestion but..

    It is not possible because the testing of devices could be done on the wired or wireless network.. and from any desk (where the connections are shared with our PCs).

    The firewall is the only node I should use to manage potential IP conflicts.. but I don't know how (and if it is possible).

  • imaohw
    imaohw Posts: 123  Ally Member

    If the devices in the same subnet are all connected to the same switch then the traffic will never get to the firewall. The switch will forward the traffic between the relevant ports.

    Stopping devices with unauthorized static IP addresses from connecting to your network would need to be handled at the switch.

    Just curious, not that it would address the issue, but why do you object to VLANs?

  • PeterUK
    PeterUK Posts: 2,702  Guru Member

    So you have a USG with wireless?

  • Skylink
    Skylink Posts: 32  Freshman Member

    Off topic:

    Why not VLANs?

    I'm a newbie and I have never configured a VLAN, and maybe I misunderstood, but I could not share the server files across different VLANs.

    It seems absurd to me, and if you confirm to me that it is possible... perhaps I should take it back into consideration.

  • Skylink
    Skylink Posts: 32  Freshman Member
    edited December 2019

    Done.

    If I understand correctly, in this way I "close" the physical port of the main switch to accept packets only from a specific ip address that must be associated with a specific mac-address.

    Good but...

    But if a switch (in another office) is connected to a port ...

    I guess I should create a similar rule on the secondary switch's port (giving it local control of IP conflicts).

    But if so, it seems to me that there could be problems in the architecture if someone is able to physically attach a cable to an "uncontrolled" port, isn't that right?

  • PeterUK
    PeterUK Posts: 2,702  Guru Member

    But what are you going to do for wireless? You would need a stand-alone AP with Wireless Client Security Separation, a managed switch doing DAI, and then, to have clients connect to each other, the USG doing proxy ARP.

    So your best option is to not use unmanaged switches.

    There's only so much you can do to stop conflicts / ARP spoofing.
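To make concrete what the IP/MAC binding table and a DAI-capable switch are actually checking (and why the firewall never gets a say, since same-subnet traffic stays on the switch), here is an added example that is not from this thread or from Zyxel: a hypothetical defender-side monitor that tags observed ARP replies against a binding table and also spots the NAS-versus-camera duplicate-IP situation from the first post. The binding table, MAC addresses, switch port names and ARP replies are all constructed.

```python
"""Hypothetical defender-side ARP monitor (not Zyxel code): checks observed ARP
replies against an IP/MAC binding table the way a switch doing DAI would."""
from collections import defaultdict

# Constructed binding table: authorized IP -> MAC pairs (MACs are made up).
BINDINGS = {
    "192.168.0.1": "00:11:22:00:00:01",    # firewall / gateway
    "192.168.0.202": "00:11:22:00:00:02",  # NAS
}

# Constructed ARP replies seen on the LAN: (sender_ip, sender_mac, switch_port).
ARP_REPLIES = [
    ("192.168.0.202", "00:11:22:00:00:02", "ge1"),   # NAS, legitimate
    ("192.168.0.202", "aa:bb:cc:00:00:99", "ge7"),   # camera on the NAS's IP
    ("192.168.0.1",   "00:11:22:00:00:01", "ge24"),  # gateway, legitimate
    ("192.168.0.254", "aa:bb:cc:00:00:99", "ge7"),   # camera's gateway, unbound
]

def check_arp_replies(replies, bindings):
    """Tag each reply 'ok' (matches table), 'spoof' (IP bound to another MAC,
    what DAI drops) or 'unknown' (IP not in the table)."""
    results = []
    for ip, mac, port in replies:
        bound = bindings.get(ip)
        if bound is None:
            verdict = "unknown"
        elif bound.lower() == mac.lower():
            verdict = "ok"
        else:
            verdict = "spoof"
        results.append((ip, mac, port, verdict))
    return results

def find_ip_conflicts(replies):
    """Map each IP claimed by more than one MAC to its sorted list of MACs;
    this is the NAS-vs-camera conflict even without a binding table."""
    claims = defaultdict(set)
    for ip, mac, _port in replies:
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def ports_to_block(results, drop_unknown=False):
    """Switch ports whose ARP replies a DAI-style policy would drop. With
    drop_unknown=True, IPs absent from the table are rejected too."""
    bad = {"spoof", "unknown"} if drop_unknown else {"spoof"}
    return sorted({port for _ip, _mac, port, v in results if v in bad})
```

Running `check_arp_replies(ARP_REPLIES, BINDINGS)` flags the camera's claim on 192.168.0.202 as a spoof on port ge7; note this only works where the check runs on the switch (or a sensor on the same segment), which is the point imaohw made about the firewall never seeing the traffic.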

  • imaohw
    imaohw Posts: 123  Ally Member

    @Skylink - the SG550x is a pretty advanced switch. If I were in your shoes I would do a bunch of reading before implementing new functions.

    VLANs are not that complicated and would help to bring some structure to your network.
