How do I protect a low budget network from rogue DHCP servers?

networking dhcp

I think you should go the multi-VLAN route - and not just because of the DHCP server issue. At the moment, you have one big flat network and while to some degree, users should be expected to take care of their own security, I'd personally find it a pretty unacceptable setup.

The only switches that need to be managed are yours. Beyond that, you give each apartment a single port on a specific VLAN - anything downstream of that will be completely unaware of the VLAN and you can function normally.

In terms of your switches - the switch-to-switch ports will need configuring as trunk ports and you will need to be consistent with your VLAN ID's. In other words, VLAN100 MUST correspond to VLAN100 everywhere else on the network.

Other than that, you can set up a "Router-on-a-stick" configuration, with each VLAN (And it's associated pool of IP's*) configured only to route back and forth to the internet and NOT to other internal networks.

*I couldn't think of anywhere else to stick this, but remember that ideally you should be giving your VLANs their own pool of IP's. The easiest way to do this is to keep one of the octets same as the VLAN ID, e.g.

192.168.100.x - VLAN100
192.168.101.x - VLAN101
192.168.102.x - VLAN102

Once all of this is in place, you can really start to take it places with things like Quality-Of-Service, traffic monitoring and so on if you wish!

The "LAN Games" request seems to be a relatively niche request, to me, and certainly not one I'd think about. They can still game normally through NAT by going out to the Internet and back - not ideal, but no different to each apartment having it's own connection which is the norm over here in the UK. On a case by case basis, though, you could add full inter-VLAN routing between apartments which want to share their network in that way.

In fact, you COULD add full Inter-VLAN routing everywhere - that would fix your DHCP issues, allow QoS but is still a massive security issue in my opinion.

Te one thing I've not covered here is your DHCP - presumably you have a single scope at the moment for all of your clients. If you put them onto separate networks then you'll need to manage a separate scope for each VLAN. That's really device and infrastructure dependant, so I'll leave this off for now.


Depending on your budget, at the very least pick up one managed switch and put each floor on a VLAN.

To completely solve your security and DHCP problem, if cabling allows, get a 24-port managed switch for every two floors. If cabling doesn't allow, using patch panels to extend the runs are likely cheaper than more switches.

You could save on gear by getting used 10/100 managed switches, however, depending on the vendor it might require a great deal of expertise to set up (Cisco).

As a programmer thrown into setting up a 1000+ port network in an 8 story office building with fiber, I can say that the D-link managed switches GUI paired with the manual will allow you to do anything you need. I'm not saying you have to use D-Link, I'm just saying I don't think you'll be disappointed. D-Link managed switches (Level 2+) are affordable and can run DHCP on the switch (not recommending this, but it is an option). They have a lower "Smart" switch tier that may do everything you need.

If you do a VLAN per floor a /23 (512 hosts) should be sufficient (go bigger if you plan to ever roll out wireless). If you do a VLAN per apartment, a /27 (30 hosts) should do.

The easiest way to do DHCP for multiple VLANs in my opinion would be to grab a raspberry PI and use ISC DHCP. You can use any low-power machine that has a NIC which supports VLANs. (Personally, I'd grab an EdgeMax router for $99 and run DHCP on that!)

Just pick an IP range/subnet per each VLAN, your ISC DHCP config for a VLAN might look something like this:

subnet 10.4.0.0 netmask 255.255.192.0 {
        interface net0;
        option routers 10.4.0.20;
        option subnet-mask 255.255.192.0;
        pool {
                range 10.4.1.1 10.4.63.254;
        }
}

You can stick global options outside of each scope, so at the very least you'll end up with something like this:

option domain-name "well-wired--apts.org";
option domain-name-servers 4.2.2.2, 8.8.8.8, 8.8.4.4;
default-lease-time 3600;
ddns-update-style none;

If each apartment has multiple network jacks set up spanning tree protocol to avoid loops. This can slow things down if you don't configure it properly causing each port to take 30 seconds or more to come up, so make sure you test it. There's an option you'll want to enable, I believe Cisco calls it PortFast.

I haven't done this personally, but apparently Windows server makes it very easy to set this up.

Also consider:

  • A local caching DNS forwarder, traffic shaping and perhaps QoS for VoIP would improve overall responsiveness (should your hardware be capable running said services at line speed).

  • If you plan on upgrading security cameras or rolling out wireless, it may be worth getting POE gear.

  • Since many cheap Wireless Routers don't function as standalone APs, the best you can hope are that the tenants will be using a Double NAT. If everyone were to plugin their router to your network through the WAN/Internet port that would improve security and eliminate the DHCP problem as well. A well printed instruction sheet with common router brands might save you some equipment and trouble; however, full compliance would be difficult.

  • Use a tool like namebench to find the fastest DNS servers for your ISP.

Good luck!


If you have a decent router, one possible solution is to set up one VLAN per apartment and assign a /30 address to each VLAN. Also create a DHCP scope for each VLAN that only assigns one IP address.

For example:

  • vlan 100
    • subnet 10.0.1.0/30
    • router 10.0.1.1
    • user 10.0.1.2
  • vlan 104
    • subnet 10.0.1.4/30
    • router 10.0.1.5
    • user 10.0.1.6

This solves the problem of gaming between apartments because the router can route between apartments. It also solves the rogue DHCP problem because the DHCP traffic is isolated to that apartment's VLAN and they only get one IP address.

Related

Fail2Ban: already banned?
Avoiding DNS timeouts when a DNSserver fails
Why does my server play an E minor arpeggio through the PC speaker every five minutes?
What do you call an individual who tolerates criticism?
What is the opposite of "hunger level"? [closed]
diurnal is to day as "..." is to morning [closed]
Is there a word or phrase for someone who strongly disapproves of smoking, drinking and gambling?
The word for discrimination against people from other regions within a country?
Another word for a game mode: Endless
Neutral to moderately offensive word for unimportant and uninteresting town
What is it called when someone asks for an opinion that almost everyone asked is going to have the same answer on?
Social Network Accounts Owned by the Same Person