@Outworq Thus really looks like all you need, even the CC customers enter though the phone.
URGENT Advice Needed
I’ve got a client with an office building that has about ten public Voip phones and three PCs in a locked up office.
He asked me to prevent people from being able to plug out the ethernet cables from the phones, connect them to a laptop for example and surf on the internet. I was thinking of MAC filtering.
I was counting on them having already a proper router there, however they have only a modem from the ISP which acts as a router but only allows mac filtering on WLAN and not on ethernet interfaces. So basically it cannot perform packet filtering and through that reject packets from unrecognised MAC addresses. Now I need to buy urgently a Router (firewall) that inspects allows MAC filtering on ethernet frames as well. Any recommendations on something which is easy to use and fairly cheap price?
Answers are greatly appreciated!!
@Hacker26 You should replace the router for higher end router. There are many inexpensive ones Don’t you also want QoS?
@DovidStroh You mean I should replace the router totally or you mean I should put inbetween the switches and the router a highend router? Please advise what to look for… Is there a certain standard I need to look for? Thanks for your reply!
Knaper Yaden last edited by
Maybe turn Off DHCP server, set the network range to some obscure one (not the default 192.168.1.x etc), and assign static IPs to all devices that you want connecting (the question is if the VoIP phones have the IPs visible in which case they can see it and use on their device…)?
(MAC Filtering isn’t very secure, MACs can quite easily be spoofed.)
And also, what switch do they use? If it’s a Managed Switch it might have a MAC Filtering/Port Security option.
@Knaper-Yaden Thanks for your reply. They can see the IP on the phones, so I don’t think that would be a solution. The switches are unmanaged POE switches… Currently what I’m thinking of is the following:
Our router supports two subnets, so I’ll separate the pcs from the VoIP phones and place them in two separate subnets. The subnet which the VoIP phones are in, will contain a firewall whitelist, which basically only allows the destination of the sip server and maybe also only the VoIP protocol used. Does that sound sensible to you?
In the end we couldn’t setup VLANs as the switches weren’t managed, nor were they supporting 802.1q standard which allows VLAN tagging. (We couldn’t do port based VLAN because of the physical infrastructure.)
Subnets aren’t very usefull as they don’t prvide any security…
So we stayed with Mac filtering on the LAN and some basic firewall rules, which would prevent dirty stuff even in case someone has managed to get access to the network.
Thanks so much for all your help!
© 2022 | jgrp.dev