Feature request

dr_lucas

Regular Contributor
I am using Merlin's amazing firmware, love it.
1 thing that I really miss from my previous Draytek router is the "Bind IP to MAC" option.
It has 3 options:
- Disabled
- Enabled (every MAC registered gets the assigned IP, machines with no MAC listed get any available IP from DHCP).
- Forced (only machines with the registered MAC get IP, all others do not, thus can't connect). Machines that have manually assigned IP addresses also can't connect (can't get packets).

Can this feature please be added to the firmware?
 
The feature is for 2/3 available in the DHCP Server function.
Only the strict option is missing.
With the ability of MAC cloning, the strict function is less effective or safe than you may think.
 
Yes, that's more or less correct. The strict option is probably the most important (for most IT people I know FWIW) :)
 
Read the dnsmasq documentation concerning "--dhcp-host". You should be able to achieve what you are looking for by customizing the dnsmasq configuration.
 
Maybe I am not understanding, but you can accomplish this via the clients under Network Map, can't you?
 
Yes, you are right, this is probably for the "Enabled" mode, but not strict mode that I am requesting (the 3rd option in my OP)
 
Thanks, Merlin, the request is more for a user-friendly UI option to enable/disable strict mode. :)

I want to avoid going down the path of feature-bloat, especially for features that virtually no one needs, and those few who do can manually implement it through a custom config file.
 
I guess this is one of those features that actually many do need and would absolutely use, but they don't know they need it and the great benefit of having it until they actually have it...
 
> I guess this is one of those features that actually many do need and would absolutely use, but they don't know they need it and the great benefit of having it until they actually have it...
And what are really the benefits?
 
If I understood correctly, that option prevents connections to your network/internet even when they can plug a cable into the router or break your wifi password.
A few people already asked for that on the forum.

If you have a script for that, I would be interested.
 
> If I understood correctly, that option prevents connections to your network/internet even when they can plug a cable into the router or break your wifi password.
> A few people already asked for that on the forum.
>
> If you have a script for that, I would be interested.

I would like to do this as well. Can a postconf script of dnsmasq.conf (or something else) be altered to change the bind variable from dynamic to strict? Please advise.
 
> I would like to do this as well. Can a postconf script of dnsmasq.conf (or something else) be altered to change the bind variable from dynamic to strict? Please advise.
Trying to use dnsmasq to block access is pointless. All dnsmasq does is hand out IP addresses. It is trivial to set the IP addresses manually on the client.

What you are asking for is something like a port-based ACL (i.e. http://www.cisco.com/c/en/us/td/doc...SY/configuration/guide/sy_swcg/port_acls.html). However I don't think this is possible on the ASUS because the LAN ports are all part of the same switch. You could probably block access to the router's functions or wireless clients but not to other devices plugged into the same switch.

The only thing I can think of that might work is to separate each LAN port into its own VLAN, bridge them together and then use ebtables to control access. Maybe.
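
Added example, not written by any poster in this thread or by the Asuswrt-Merlin project: the dnsmasq lines that the `--dhcp-host` advice earlier in the thread leads to, followed by a check for the gap described in the reply above, listing LAN neighbours whose MAC has no `dhcp-host` entry (for instance a client with a hand-set static IP). The addresses, the `br0` bridge name and all sample data are constructed assumptions.

```shell
#!/bin/sh
# Added example. All addresses and table contents below are constructed.

# dnsmasq side: one dhcp-host per registered MAC; dhcp-ignore=tag:!known
# makes dnsmasq refuse leases to every MAC without such an entry.
sample_dnsmasq_conf() {
cat <<'EOF'
dhcp-host=AA:BB:CC:00:00:01,192.168.1.10
dhcp-host=aa:bb:cc:00:00:02,nas,192.168.1.11
dhcp-ignore=tag:!known
EOF
}

# Constructed /proc/net/arp snapshot. 192.168.1.50 never asked for a lease:
# it configured a static IP, which dnsmasq cannot prevent.
sample_arp_table() {
cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         aa:bb:cc:00:00:01     *        br0
192.168.1.11     0x1         0x2         AA:BB:CC:00:00:02     *        br0
192.168.1.50     0x1         0x2         de:ad:be:00:00:99     *        br0
192.168.1.60     0x1         0x0         00:00:00:00:00:00     *        br0
EOF
}

# audit_lan CONF ARP [IFACE]: print "ip mac" for each resolved neighbour on
# IFACE (default br0, an assumption) whose MAC has no dhcp-host entry.
# A cloned registered MAC passes this check, as the thread points out.
audit_lan() {
    awk -v ifc="${3:-br0}" '
        FILENAME == ARGV[1] {                 # pass 1: collect registered MACs
            if (sub(/^dhcp-host=/, "")) {
                n = split($0, f, ",")
                for (i = 1; i <= n; i++)
                    if (f[i] ~ /^[0-9A-Fa-f:]+$/ && split(f[i], o, ":") == 6)
                        known[tolower(f[i])] = 1
            }
            next
        }
        FNR == 1 || $6 != ifc || $3 == "0x0" { next }   # header, other iface, unresolved
        !(tolower($4) in known) { print $1, tolower($4) }
    ' "$1" "$2"
}

# Demo on the constructed samples; on a router, pass the live dnsmasq config
# and /proc/net/arp instead.
t=$(mktemp -d) && sample_dnsmasq_conf >"$t/conf" && sample_arp_table >"$t/arp"
audit_lan "$t/conf" "$t/arp"     # prints: 192.168.1.50 de:ad:be:00:00:99
rm -rf "$t"
```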
 
> I guess this is one of those features that actually many do need and would absolutely use, but they don't know they need it and the great benefit of having it until they actually have it...

I doubt home users will benefit much from the "forced" feature. Perhaps small businesses (e.g. providing hotspots for customers on their premises) will benefit to some extent.

Businesses in need of higher security shall consider Draytek or Fortigate. That's a worthwhile investment to me.
 
Home users who care about their network security will definitely benefit from the "forced" feature, but you are right that it is usually a feature more targeted at SMBs and Enterprises.
Apparently there are many SMBs using ASUS routers and many of them use Merlin's firmware (at least many businesses in my area, including my own, switched from DrayTek), and it doesn't seem like a too complex feature to add to the UI based on Merlin's reply.
Although I know Merlin doesn't work for ASUS and thus probably doesn't care much about their sales, I am sure that adding such a feature will help increase sales of their routers, especially to SMBs, and it's not really feature-bloat to add just 1 more button. :)
 
I'm sure ASUS sees the trend of their wifi routers being deployed in SMEs. I won't be surprised if some folks in their managers' cubicles are dreaming of capturing that market segment. ASUS had the record of starting products in consumer and then entering into SMEs.

However, given the feature set and quality of ASUSWRT, their software R&D will have a hard time pulling off the magic. Maybe it's just wrong to start with WRT code base. Don't be surprised if they will start a new line for SME in 5 years. :D

I actually would encourage Merlin to think about adding "enterprise" or "carrier grade" features into asuswrt-merlin (or maybe a different branding). For home use continue to be donation-ware. For SME/business use, charge a fixed amount of service fee. I think SMEs will love it, and not mind paying a small sum as long as total cost of ownership is still below competitors' products such as Draytek/Fortigate..or Ubnt..MikroTik.

Not sure though if GPL or similar licenses can accommodate such a business model.
 
I would be interested in this feature as part of the gui too.

Many of my customers use Asus routers for their businesses as they are a much better fit (and value) than any others right now.

Here is my post with a 'pretty please' for RMerlin to maybe reconsider this one request? :)
 
Adding new features is not a priority of this project. Just keeping up-to-date with new Asus releases already takes most of my available time.

The feature you are asking for isn't as simple as just configuring the DHCP server. You have to figure out a way to configure the switch to reject any unauthorized MAC addresses as well, to prevent static IPs from getting LAN access. That can't be done through iptables, it has to be done within the proprietary switch - and Broadcom doesn't publicly offer any documentation.

What you are really looking for is Ethernet authentication rather - 802.1x. That's the proper way to control who gets access to a LAN. For this, you need a managed switch.
 
I am a bit confused. Do you mean it's impossible to do it or you just don't have the time to?
I will gladly pay for a development of this feature, I am sure many others would be happy to as well.
 
