Inspired by code that is in victek's tomato-RAF, Toastman and I have added a new branch to git (Static-ARP). The code in this branch adds 2 new flags to the static DHCP page which allows you to do static-ARP for the devices listed in the table (and if wanted restrict other devices from entering the network).
The code in Static-ARP branch merges easily with tomato-RT. Comments are welcome.
On Ethernet (either wired or wireless) all communication between devices goes via physical layer data packets that contain the physical address of the source of the message and the physical address of the destination of the message. This physical address is called the MAC address.
Besides MAC addresses devices also have IP addresses. These are higher level addresses. The source and destination IP address of data sent on the network is put in the header of IP packets. The IP packets of the devices on a LAN are encapsulated in the physical layer packets.
When the router wants to send data to a client with a certain IP address 'X' (either obtained via DHCP or set manually as a static IP address) the router needs to know what the MAC address of that client is. Therefore the router sends an ARP request on the LAN, which is a broadcast. The ARP request basically asks all devices that are on the network "if you're the one with IP address 'X', could you tell me what your MAC address is?". One client should reply: "Yes, I have IP address 'X' and my MAC address is 'Y', please send your data to this MAC address".
Now the router knows how to fill in the header of the physical layer packet and it can start sending data to the client.
** ARP spoofing **
Suppose there's somebody with bad intentions on the network who wants to intercept data of the client with MAC address X and IP address Y. This malicious client could give himself the same static IP address Y, while his MAC address is Z. When the router asks "Are you the one with IP address Y?", this malicious client would reply: "yes, I am the one, please send your data to MAC address Z". So, data that was meant to go to MAC address X will go to the wrong client with MAC address Z.
** Static ARP binding **
Static ARP binding is a way to ignore ARP spoofing attempts. On the router's static DHCP page you can enable Static ARP binding. When enabled the router will ignore all ARP replies (of devices listed in the table). Instead, the router will look in the static DHCP table to find out the MAC address that belongs to a certain IP address. Because this table is filled in by the administrator it is assumed to be correct and data will always be sent to the listed MAC address.
** Restricting unlisted devices **
Clients that have assigned themselves a static IP address which is not in the static DHCP table normally can get Internet access if they fill in the router IP address as the gateway and the router IP address as the DNS server (when their MAC address is not restricted from entering the network).
When they try to get Internet access they will send an ARP request for the gateway and the router will reply "yes, I have this gateway IP address, my MAC address is Q". The data can now be sent to the router (with MAC address Q) and when receiving the data the router fills in its ARP table by inspecting the data. So, the router will know the client's MAC address and IP address and it can send messages back to the client. In other words: the client will have full Internet access.
But in some networks we want to avoid that unlisted clients can get Internet access. We can do this with static ARP binding. All clients within the same subnet that are not listed will be bound to MAC address 00:00:00:00:00:00, which is an invalid MAC address. So, all other IP addresses besides those listed will not be able to receive any data. Moreover, the IPs that are listed will not be vulnerable to ARP spoofing.
** Is this useful? **
This might be useful for distributing Internet services in a network where you can not trust every client, for instance if you offer Internet access in a condominium.
When checking the "Restrict unlisted machines" option all unknown IP addresses will be banned from the network and it will not be possible for a malicious client to hijack the IP address of another (paying) user.
Also, there's no need anymore to fill in MAC addresses in the access restriction page. All administration for the network/condominium can be done in a single page.
** How should I use this? **
This new feature which will be added to some versions of Tomato needs a little explanation.
1) When using "Restrict unlisted devices" the DHCP service with a dynamic IP range tends to overwrite the static ARP entries in the table. Therefore you should set the DHCP range to issue only one of the static IP addresses in the static DHCP table (preferably the administrator's IP address), e.g. 192.168.1.100-100 (see Basic - Network - LAN - IP address range).
2) When using "Restrict unlisted devices" you MUST enter your (admin) IP address and MAC address in the table, or you may be locked out of the router.
3) Static ARP only supports one MAC address per IP address.
4) If you have access points connected to the LAN ports of your router and you use "Restrict unlisted machines", you should add their IP and MAC address to the static DHCP table.
5) Restricting unlisted devices only works for all devices in a subnet with mask 255.255.255.0. Wider subnets (smaller masks) will not be completely restricted.