On 06/03/2019 13:12, t...@ls83.eclipse.co.uk wrote:

> Will let this run for a few days (with time limit removed) and see what happens.


Well the results are in. Connectivity was lost for a couple of hours in the 
middle of the night, then for around 30 minutes in the morning, returning 
exactly as Cost Centre #2 left for school. Lost connectivity again in the 
afternoon on CC#2's return, back up again on my return home.

There's supposed to be a 1 hour phone internet access time for CC#2 in the 
evening, once homework etc. has been done, but he's obviously worked his way 
around all the blocks I've put in place over the years. Out of general 
interest, here's the setup that's subject to an ongoing game of cat and mouse.

1. Debian 9 server "Golux" running (amongst other things) ISC DHCP server and 
BIND9 DNS, Draytek router/Wifi access point, two other wifi access points.

2. Golux forwards non-local name resolution to OpenDNS. The router firewalls 
are set up so that DNS port 53 is only open to Golux, so preventing casual 
setup of static IP address/DNS server config on devices.

3. Golux DHCP server allocates CC#2's devices dedicated IP addresses.

4. Router has bandwidth management so that specific IP addresses can be 
throttled back (to any level, including to nothing, so blocking internet 
access) on a schedule.

The above setup was good for several years until CC#2 got a bit older and found 
that by setting up his devices with static IP addresses he could beat the 
internet blocking. He could also cause maximum annoyance by either switching 
off the router or hiding its cables.

5. Golux, router, access points, network sockets under physical lock and key (!)

6. In router, strictly bind MAC addresses to IP addresses. What this router 
feature means is that only specified MAC/IP address pairs have access to the 
internet. So, CC#2 can't change his IP address to beat his 1 hour play time. 
I'm not sure he can change his phone MAC address, but if he does, the same 
applies.

A few months ago, everything starts being a bit flaky. Sometimes I can't get a DHCP 
response from Golux when trying to connect my own laptop to one Wifi access point, but 
can do from one of the others. I have my suspicions, especially as rebooting the router 
clears the problem. Suspicions reinforced as flushing the router ARP table also clears 
the problem. But can't see anything untoward in the ARP table contents. Which pretty much 
brings us up to date. CC#2 is unsurprisingly evasive as to what he's actually been doing, 
but I'm guessing that he has been setting his phone to Golux's IP address and getting 
some level of connectivity from that. I'm doubting he's changing his MAC address as this 
would be too much of a faff and he certainly makes use of his "official" 1 hour 
time slot which requires a specific MAC/IP pair. I was assuming that using Golux's IP 
would fully trash everything, rather than causing partial network paralysis, but I guess 
it's down to ARP caches in each device exactly how things pan out.

7. So, last night, a quick fix of blacklisting CC#2's phone MAC for Wifi access 
in all the access points, although longer term will change this to a whitelist 
and IP filtering.

The saga continues...

--
 Next meeting: BEC, Bournemouth, Tuesday, 2019-04-02 20:00
 Check to whom you are replying
 Meetings, mailing list, IRC, ...  http://dorset.lug.org.uk/
 New thread, don't hijack:  mailto:dorset@mailman.lug.org.uk
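One way to confirm the ARP suspicion described in the post (a device claiming Golux's address and only partially breaking the network) is to watch ARP on the LAN and flag any bound IP being answered for by a MAC other than the one in the router's binding table. The script below is an added example, not code from the original post; the binding table, addresses, MACs and the capture lines are constructed placeholders, and it expects the line format of `tcpdump -n -e -l arp`.

```python
import re
from collections import namedtuple

# Constructed binding table (assumption): the MAC/IP pairs the router allows,
# with Golux as the DHCP/DNS server. All addresses here are placeholders.
BINDINGS = {
    "192.168.1.2": "aa:bb:cc:00:00:02",   # Golux (server)
    "192.168.1.20": "aa:bb:cc:00:00:20",  # CC#2's phone, official slot
}

# Matches tcpdump -n -e output for ARP: Ethernet source MAC plus ARP payload.
ARP_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype ARP .*?: "
    r"(?:Reply (?P<reply_ip>[\d.]+) is-at (?P<reply_mac>[0-9a-f:]{17})"
    r"|Request who-has (?P<target_ip>[\d.]+) tell (?P<tell_ip>[\d.]+))",
    re.I,
)

Conflict = namedtuple("Conflict", "ts ip expected_mac seen_mac kind")

def find_conflicts(lines, bindings=BINDINGS):
    """Flag ARP traffic in which a bound IP is claimed by an unexpected MAC: an ARP
    reply 'ip is-at mac', or a gratuitous request ('who-has X tell X') from the wrong MAC."""
    found = []
    for line in lines:
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        if m["reply_ip"]:
            ip, mac, kind = m["reply_ip"], m["reply_mac"].lower(), "reply"
        elif m["target_ip"] == m["tell_ip"]:
            ip, mac, kind = m["tell_ip"], m["src_mac"].lower(), "gratuitous-request"
        else:
            continue  # ordinary request for someone else's address
        expected = bindings.get(ip)
        if expected and expected.lower() != mac:
            found.append(Conflict(m["ts"], ip, expected, mac, kind))
    return found

# Constructed sample capture (not real traffic): a clean reply from Golux, a normal
# request, then a second device announcing and answering for Golux's address.
SAMPLE = """\
13:12:01.000001 aa:bb:cc:00:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.168.1.2 is-at aa:bb:cc:00:00:02, length 28
13:12:02.000002 aa:bb:cc:00:00:50 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.2 tell 192.168.1.50, length 28
13:12:03.000003 de:ad:be:ef:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.2 tell 192.168.1.2, length 28
13:12:04.000004 de:ad:be:ef:00:01 > aa:bb:cc:00:00:50, ethertype ARP (0x0806), length 42: Reply 192.168.1.2 is-at de:ad:be:ef:00:01, length 28
""".splitlines()
```

Feeding the live `tcpdump -n -e -l arp` output from Golux into `find_conflicts` gives the timestamp and MAC of whatever is claiming the server's address, which the router's ARP table alone did not show.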