Irritating Uni internet/network problem

too_funky

Active Member
Hi, I've recently moved into uni halls. However, coming from home with unrestricted networking, the halls internet networking policy is really irritating me.

Basically you can register as many MAC addresses for as many different devices as you like. However you cannot connect more than one device to the halls internet at once. For example I can go online with both my PC and PS3, but not at the same time. I have an ethernet switch and lots of cables but I can't seem to use any of them. Even if I only have one thing online at once, if it is connected via a switch it still won't work. Is there any way to get around this, to fool the network into thinking there is only one device connected? I have researched cloning MAC addresses but the conclusion I came to was that this wouldn't work. Is that true? Another idea was setting up internet connection sharing via my PC. Would this work?

Any other ideas or help about how to get round this problem?

Thanks.
 

hedges1011

Standard Member
I don't know whether there is a way round it, however I would not recommend you try. This is because you will probably be going against the Uni's network usage policy and you could find yourself in a lot of trouble. You will have to decide if it's worth it or not.
 

too_funky

Active Member
I think the biggest factor as to whether it's worth it or not is how difficult/how well concealed a workaround would be. I don't think internet connection sharing would violate policy either, I just don't know if it would work in theory or not.
 

ajay16

Active Member
Buy a wireless router (not a modem router), then register the MAC address of that piece of kit.

Then you should be able to connect wirelessly with your PS3 and PC at the same time?
 

bruffterman

Standard Member
Yeah, I think you just need a router. The system is likely set up to only supply one IP address, I doubt the restriction is MAC based. A router will be assigned the external IP and then use Network Address Translation to forward the right information to the right device inside your own mini-network.

I doubt the Uni will mind you doing this, I'm sure it's not them trying to restrict your access but rather that there's only 255 IP addresses per subnet, and they're probably configured with only a single subnet to cover the whole of the halls.

I wouldn't go asking people though, there's probably only one guy who has any idea what he's doing and who set it up, who you won't be able to speak to. And anyone else, if you're not using AOL on a Mac, will think you're hacking.
 

bonchai

Standard Member
A switch won't work, but a router may work, but it will more than likely violate the network policy.
 

t72bogie

Novice Member
Just buy a basic wireless router - a Netgear WGR614 would do the job nicely.

You will then only be using one single MAC address and have your own private network in your room.

I'm sure thousands of students do this......
 

welshy

Active Member
Maybe you already sorted out your problem but I can explain what is probably going on in your Uni as we have set up our Uni switches in a similar way probably.

The Uni switches will have 'sticky mac-address' applied to each access port of the Uni switches only allowing one mac address. The solutions given here about using a router may or may not work depending on other features your Uni has applied to the switches.

We also apply a feature called BPDU Guard on all our access ports on our switches which will stop any device (like a router) from sending BPDUs. If it does send one, which routers do, then the port will be shut down. As well as routers causing loops, routers also act as DHCP servers and this can cause havoc in a Uni halls setup. So to avoid this we also use DHCP Snooping on all our switches to stop any unwanted DHCP traffic from non-designated DHCP servers.

With all these features enabled correctly you will only be able to use one device at a time in your Uni setup. We don't use sticky mac-addresses in our students halls, we allow our students to use as many devices as they want. However we do use BPDU Guard and DHCP Snooping.

One other important factor about 'sticky mac-addresses' is that, depending how it's set up, the first MAC address the Uni switch port sees can be stored in the configuration and you will not be able to use any other MAC address until one of your IT guys clears the sticky mac-address table entry for that port on the switch. Because you can use both devices but not at the same time probably means that this is not an issue for you but is something we apply to our PC cluster rooms for example.
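
The three switch features named in the post above, shown as an added example that is not part of the original post or any poster's actual configuration: a Cisco IOS access-port sketch combining sticky port security, BPDU Guard and DHCP snooping. The interface names, VLAN 10 and the rate limit are assumed values.

```cisco
! Added example. Interface names, VLAN 10 and the rate limit are assumptions.
!
! Global: enable DHCP snooping on the access VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Uplink towards the designated DHCP server: the only trusted port,
! so DHCP server replies arriving on any other port are dropped
interface GigabitEthernet0/24
 description Uplink (assumed port)
 ip dhcp snooping trust
!
! Room-facing access port
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ! Port security: learn one MAC address and keep it in the configuration
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! restrict = drop frames from other MACs and log, without disabling the port
 switchport port-security violation restrict
 ! Edge port: err-disable it if any BPDU is received
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Untrusted port: cap DHCP packets per second
 ip dhcp snooping limit rate 10
!
! Verification and recovery (exec mode):
!   show port-security interface GigabitEthernet0/1
!   show ip dhcp snooping
!   show interfaces status err-disabled
!   clear port-security sticky interface GigabitEthernet0/1
```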
 

Anthony-Howard

Well-known Member
Not wishing to contradict the previous poster but I don't believe that the explanation given is quite true.

Sticky mac-addresses can be configured on a switchport for a number of reasons such as preventing attacks based on address flooding or spoofing. It is difficult to second guess the reasons in this case although it is reasonable to assume that it is designed to prevent sharing of services (I suspect in a good location, and with a flexible moral code, that you could make quite a bit of income sharing the high speed university JaNET internet link to non-students)

As previously suggested a router is the obvious solution to your problem. It is unlikely that the university can block the use of a router through technical means and I suspect that any policy to prevent you would more than likely be aimed at stopping unauthorised usage rather than preventing an authorised user (such as yourself) from using multiple devices simultaneously. Typically you would connect the WAN interface of the router to the university network and all your devices to the LAN. NAT is almost certainly required but is secondary as it is the decapsulation of the Ethernet frame at the LAN interface into an IP packet and its subsequent encapsulation into another Ethernet frame at the WAN interface, that has the effect of masquerading your local mac addresses into the single address of the WAN interface of your router.

BPDUs are a special frame that are part of the spanning tree protocol (STP) that prevents forwarding loops in some protocols at layer 2 of the OSI model. Routers operate at layer 3 and do not send BPDUs. BPDU guard aims to stabilise STP topologies by controlling updates and mitigating the effects of rogue STP bridges. Switches segment collision domains and routers segment broadcast domains. As such routers do not and cannot cause switching loops (there are such things as routing loops but these are a whole other issue that we don't need to worry about). Routers do not act as DHCP servers - they route traffic between broadcast domains, although some (actually most, if not all) routers have the capability of running local DHCP services in addition to their core function. Most of these services will only bind to LAN designated interfaces and should not cause an issue for the university when the router is physically connected correctly. DHCP snooping prevents unauthorised servers from allocating IP addresses.

As such neither BPDU guard nor DHCP snooping prevents you from only using a single device either by design or intent.

Sticky mac-addresses can be utilised with timers so the last paragraph is largely correct in that once a timer expires the next mac-address seen on the port is then the authorised address. If the timer is disabled or set to infinity then only the first address seen on a port will be authorised until manually cleared.

Should anyone such as welshy be interested then I would recommend looking at arp inspection and 802.1x to further secure the network perimeter.

In any case the bottom line is that getting a consumer router and deploying it using factory default settings, or the initial configuration wizard, will solve your problem 99% of the time in about 5 minutes.

Please forgive the long nature of this post, as I know that nobody really cares (At least anyone who hasn't moved on in boredom), but I am bored, slightly drunk and need to prove to myself that I can still remember this stuff.

Cheers,

Tony.
 

welshy

Active Member
Should anyone such as welshy be interested then I would recommend looking at arp inspection and 802.1x to further secure the network perimeter.
This is something we are going to implement next summer but this year too many students still have Windows XP machines which require too much work at the client end.

As for stating that you could get a solution working in 5 minutes to allow multiple devices well, I ask you to come here and try. We have stopped the use of all unauthorised routers and switches by using only the IOS features of Cisco switches. I don't want to argue this with you ;)
 

mickevh

Distinguished Member
Should anyone such as welshy be interested then I would recommend looking at arp inspection and 802.1x to further secure the network perimeter.
I can be boring too... :D

802.1X is what I did a few years ago. It worked "nicely" in that it provided the same student computer authentication regime/experience for both wired and wireless access in that you have to provide your campus userid & p/w (A/D domain credentials) to "get-on-the-network" whenever/however you connect.

Works for XP, OSX, Vista and only requires a minor bit of fiddling on student computers. We published instructions on the intranet for them to do it themselves, most managed OK though there were always a few that had problems or couldn't be bothered to try for themselves.

Of course, 802.1X is highly unlikely to work for things like games consoles, so I bet this year's intake are moaning like hell (I don't work there any more.)

Was great for "company" laptops too - I set them up using exactly the same 802.1X mechanism, except they login using their "computer" accounts instead of the "user" account (you can put a key in the registry to make this happen.) So by the time the laptop has booted to the login screen, it's already attached to the wifi LAN - so no "double login."

JANet impose some pretty strict criteria on their service. I can't remember all of it, but the two that stick in my mind are that you cannot resell the JANet link for profit in any way and you cannot use it for any kind of business. So - sorry students, you can't set up a small business web server in your dorm room.

I never managed to persuade the management to stump up the cost of cabling the dorms, so never had to face the decision about routers. Wired routers I couldn't care less about, but wireless perplexed me: on the one hand I want to say, do what you like and let the chaos ensue (channel wars etc.) but the thing I'm paranoid about is anyone putting up unsecured wifi APs, obviously providing a path to the Internet for the spammers & paedophiles, so I'd have to ban them. But how to police it...?

Fortunately, most of my students are way too "cool" to want to use wired ethernet, so providing wifi only in the dorms negated the issue. (And it was cheaper than installing cabling.)
 

Anthony-Howard

Well-known Member
As for stating that you could get a solution working in 5 minutes to allow multiple devices well, I ask you to come here and try. We have stopped the use of all unauthorised routers and switches by using only the IOS features of Cisco switches. I don't want to argue this with you ;)
Not at all but I would be very interested to hear how you accomplish this. I am always keen to learn more so would be grateful for an overview so I can do a little research. Especially if you are just using Cisco IOS features and not something extra like Great Bay.

You now have me very interested indeed.

Cheers,

Tony.
 
