avoid ip conflicts
Hi.
I have enabled IP/MAC Binding for the class 192.168.0.XXX (used for our LAN).
There is no DHCP service, and the firewall IP is 192.168.0.1.
We have another class, 192.168.2.xxx, used to test devices with the DHCP service active.
Today my colleague attached an IP camera with a fixed IP (192.168.0.202, which is the same as our NAS), but the camera has a different gateway (192.168.0.254).
I thought that the firewall would have blocked the camera, making it unreachable to our network PCs. But opening the address 192.168.0.202, I found the IP cam and not our NAS!
After disconnecting the cam, the NAS was there again.
ANSWER:
What is the correct way to "protect" the 192.168.0.xxx network from any device (also with a fixed IP) that can be connected to our LAN (and avoid any possible IP conflict)?
(I don't want to make VLANs on my switch.)
Accepted Solution
-
Hi @Skylink,
Thanks for @mMontana's and @imaohw's suggestion.
It would be better to use a function such as IP source guard on the switch to avoid IP conflicts or IP spoofing.
All Replies
-
So use two switches and two LAN interfaces: one for test devices, one for your inner network.
0 -
Thanks for the suggestion, but...
it is not possible, because the testing of devices could be done on the wired or wireless network... and from any desk (where the connections are shared with our PCs).
The firewall is the only node I should use to manage potential IP conflicts... but I don't know how (or if it is possible).
0 -
If the devices in the same subnet are all connected to the same switch then the traffic will never get to the firewall. The switch will forward the traffic between the relevant ports.
Stopping devices with unauthorized static IP addresses from connecting to your network would need to be handled at the switch.
Just curious, not that it would address the issue, but why do you object to VLANs?
0 -
So you have a USG with wireless?
0 -
Off topic:
Why not VLANs?
I'm a newbie and I have never configured a VLAN, and maybe I misunderstood, but I could not share the server files across different VLANs.
It seems absurd to me, and if you confirm to me that it is possible... perhaps I should take it back into consideration.
0 -
Yes, USG60W.
0 -
Done.
If I understand correctly, in this way I "close" the physical port of the main switch so that it accepts packets only from a specific IP address that must be associated with a specific MAC address.
Good, but...
what if a switch (in another office) is connected to a port?
I guess I should create a similar rule on the secondary switch port (giving it local control of IP conflicts).
But if so, it seems to me that there could be problems in the architecture if someone is able to physically attach a cable to an "uncontrolled" port, couldn't there?
0 -
But what are you going to do for wireless? You would need a standalone AP with Wireless Client Security Separation, a managed switch doing DAI, and then, to have clients connect to each other, the USG doing proxy ARP.
So your best option is to not use unmanaged switches.
There's only so much you can do to stop conflicts and ARP spoofing.
0
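The per-port binding check that the thread converges on (IP source guard on the switch, with the gap an unmanaged downstream switch leaves), as a simplified model added here; it is not code from any post or from Zyxel. The port numbers, MAC addresses, the trusted uplink on port 8 and the function names are all constructed assumptions; only the IP addresses come from the thread.

```python
"""Simplified model of per-port IP source guard (added example, not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    port: int
    mac: str
    ip: str


# Constructed static binding table: ports and MACs are made up for illustration.
BINDINGS = {
    Binding(1, "00:11:22:33:44:01", "192.168.0.1"),    # firewall
    Binding(2, "00:11:22:33:44:ca", "192.168.0.202"),  # NAS
    Binding(3, "00:11:22:33:44:10", "192.168.0.10"),   # office PC
}
# Assumption: port 8 is an uplink to an unmanaged switch, so it has to be
# trusted and the hosts behind it are never validated.
TRUSTED_PORTS = {8}


def check_frame(port, src_mac, src_ip):
    """Return (verdict, reason) for a frame or ARP packet seen on a switch port."""
    src_mac = src_mac.lower()
    if port in TRUSTED_PORTS:
        return "forward", "trusted port, source not validated"
    if Binding(port, src_mac, src_ip) in BINDINGS:
        return "forward", "matches binding"
    owner = next((b for b in BINDINGS if b.ip == src_ip), None)
    if owner:
        return "drop", (f"IP conflict: {src_ip} is bound to "
                        f"{owner.mac} on port {owner.port}")
    return "drop", "no binding for this source"


# Constructed observations: (port, source MAC, source IP).
SAMPLE_FRAMES = [
    (2, "00:11:22:33:44:CA", "192.168.0.202"),  # the NAS on its own port
    (3, "aa:bb:cc:00:00:01", "192.168.0.202"),  # camera plugged in at a desk
    (8, "aa:bb:cc:00:00:01", "192.168.0.202"),  # same camera behind the uplink
    (4, "aa:bb:cc:00:00:02", "192.168.0.50"),   # unknown static IP, unbound port
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(frame, "->", *check_frame(*frame))
```

The third sample frame is the case raised in the thread: a conflicting device behind an unmanaged switch is forwarded because the check only exists where a managed port enforces it.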