Methods for achieving shared Internet access over the campus network in dormitories

Source: Internet
Author: User


Keywords:
Gratuitous ARP, same IP and MAC, Ruijie client, Internet sharing



As the campus network has become widespread, more and more college students own computers, and they generally connect to the Internet by various means to share and look up information. So today I will give a brief explanation of how Internet access works at my school, for your reference. Please criticize and correct any shortcomings. Thank you!


In terms of hardware, at the access layer several access switches are allocated to each floor and twisted-pair cable runs to each dormitory; there is an information outlet on the wall of every dormitory. The floors are aggregated and connected to the school network center, and the school leases optical fiber for the Internet uplink. In terms of software, every online user installs the Ruijie authentication client, is assigned a static IP address, enters a user name and password, and performs dial-up authentication. The server implements static MAC binding (I guess there is an AAA server on the intranet).

This means that each of the six users in a dormitory must have a valid account and pay 40 RMB per month.
240 RMB per month! That is too expensive!! For this reason, we wanted to try to achieve Internet access through sharing. Here is a summary of our methods. (LAN topology: an eight-port broadband router with star cabling. The static IP address block assigned by the school is 172.16.0.0/16.)

1. Try router dial-up: the dormitory users sit on a private network behind the router, and the router's NAT shares the Internet connection.

Because the server statically bound our MAC address when we first dialed, we changed the router's MAC address to the MAC address of one valid user's host, set the router's WAN interface to PPPoE dial-up mode, entered the valid account name and password, and tried again. After clicking Connect we waited for the connection (during the 15-minute wait there were frequent dial attempts and frequent disconnections).
Summary: we cannot simply perform dial-up authentication through the router. We guess that the Ruijie client applies its own encryption algorithm to the data when dialing, while the router has no such mechanism, so the dial-up data is rejected once the peer inspects it, and the authentication fails!

2. PC A authenticates inside the LAN; the router's WAN interface uses a static configuration carrying PC A's legitimate IP address and MAC address.

First, connect the uplink cable and PC A's cable to the router's LAN interfaces, dial on PC A, and authenticate successfully. Then configure the router's WAN interface with PC A's IP address and MAC address (MAC A), and move the uplink cable to the WAN interface. PC A is then given an address from the allocated LAN segment 192.168.1.0/24. Tests showed that it could access the Internet, and the other users connected to the LAN could share the Internet as well (their gateway points to the IP address of the router's LAN interface, not to PC A). However, after a few minutes the server disconnected us. We assume the server has a periodic re-authentication function, and once PC A has been changed to a LAN IP address it can no longer perform that periodic authentication.

Improvement +: Change step 2 so that PC A keeps its valid IP address instead of being moved to a LAN address; only its gateway points to the router's LAN interface, 192.168.1.1/24.
Re-authentication fails. After analysis, we guess that packets in the return direction may not reach PC A: because the router's WAN interface and PC A share the same IP and MAC address, when the router receives a packet it strips the Layer 2 header and checks the IP address. Finding that the destination IP address is that of its own interface, it does not perform a routing table lookup (even a host static route configured on the router should not help [not tested]) but passes the packet up to the router's upper layers for processing. The upper layers do not recognize the packet, and authentication fails.

3. Single-NIC sharing mode.

Connect the uplink cable to a router LAN interface, set PC A's NIC to the valid IP address assigned by the school, and authenticate through the router. After authentication succeeds, in the advanced options of the TCP/IP properties, configure a second IP address from the LAN segment. The other users also change their IP addresses to that segment, with the gateway pointing to PC A. All users connect to the router's LAN interfaces, and tests are run on PC B. After a few minutes a system message appears: "Do not act as a proxy for other users..." I guess the Ruijie software periodically checks the NIC information of the local machine, finds two active logical NICs, and displays a warning. So multiple active NICs cannot exist at the same time!

Improvement +: because the school allocates the block 172.16.0.0/16, which is large, we tried changing the IP addresses of the other five PCs to addresses in that block. PC A keeps its valid IP address, with the second address turned off. The other users' gateway points to PC A, and they try to connect through it. The test result is a warning on PC A: "Please do not use a proxy to let other users access the Internet...". We estimate that Ruijie inspects the NIC traffic: a packet whose destination MAC is its own and whose destination IP is also its own is treated as a valid IP packet, while a packet whose destination MAC is its own but whose destination IP is not is treated as proxied data, so a warning is displayed and proxying is not allowed.

Improvement ++: Change the IP and MAC addresses of the PCs in the LAN segment to be the same as PC A's valid IP and MAC addresses, and spoof the gratuitous ARP check so that each host believes there is no other host with the same IP address on the network. The uplink cable and the intranet cables are plugged into the router's LAN interfaces, PC A dials, and the other users can also access the Internet. The Ruijie software did not raise a warning, because all the PCs in the LAN are logically one PC; however, packet loss may occur. Analysis: the broadband router's interfaces should form a typical router-on-a-stick structure: the routing module has two interfaces, one WAN interface and one LAN interface, and the LAN interface is attached to a six-port switch. Now this switch connects five users and the uplink cable, and the switch has a MAC-address learning function. Since the five users have the same IP and MAC addresses, the switch's MAC table is unstable and flaps frequently, so packet loss occurs!! Presumably a hub would be better, with no packet loss, because it works at the physical layer and simply copies data to all ports!
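The MAC-table flapping described above is also the signal a network operator can alert on: when several hosts share one IP/MAC pair behind a switch, the same source MAC is learned on a different port every few frames, whereas a single host moves port at most occasionally (a cable replugged). The following detector, added here as an illustration and not part of the original post or of any Ruijie product, parses constructed MAC-learning log lines in a hypothetical `<seconds> MAC-LEARN mac=<mac> port=<port>` format (not any real switch's syntax) and flags a MAC whose learned port changes more than a threshold number of times inside a sliding time window.

```python
import re
from collections import defaultdict, deque

# Constructed sample log (hypothetical format, not real switch output). The first MAC
# is shared by several cloned hosts and is re-learned on a different port every frame;
# the second MAC is a normal host that moves port exactly once (cable replugged).
SAMPLE_LOG = """\
0.0 MAC-LEARN mac=00:11:22:33:44:55 port=Fa0/1
0.5 MAC-LEARN mac=00:11:22:33:44:55 port=Fa0/2
1.0 MAC-LEARN mac=00:11:22:33:44:55 port=Fa0/3
1.5 MAC-LEARN mac=00:11:22:33:44:55 port=Fa0/1
2.0 MAC-LEARN mac=00:11:22:33:44:55 port=Fa0/4
2.5 MAC-LEARN mac=00:11:22:33:44:55 port=Fa0/2
3.0 MAC-LEARN mac=aa:bb:cc:dd:ee:ff port=Fa0/6
4.0 MAC-LEARN mac=aa:bb:cc:dd:ee:ff port=Fa0/6
10.0 MAC-LEARN mac=aa:bb:cc:dd:ee:ff port=Fa0/6
60.0 MAC-LEARN mac=aa:bb:cc:dd:ee:ff port=Fa0/7
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) MAC-LEARN mac=(?P<mac>[0-9a-f:]{17}) port=(?P<port>\S+)$"
)


def parse_learn_events(text):
    """Turn log lines into (timestamp, mac, port) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m.group("ts")), m.group("mac"), m.group("port")))
    return events


def detect_mac_flaps(events, window=5.0, max_moves=3):
    """Flag MACs whose learned port changed more than max_moves times within any
    window-second span. Returns {mac: (moves_in_window, sorted_ports_seen)} as
    recorded at the most recent violation."""
    last_port = {}                   # mac -> port it was last learned on
    move_times = defaultdict(deque)  # mac -> timestamps of recent port changes
    ports_seen = defaultdict(set)    # mac -> every port it has ever been seen on
    flagged = {}
    for ts, mac, port in sorted(events):
        ports_seen[mac].add(port)
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue                 # first sighting or no move: nothing to count
        q = move_times[mac]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # drop moves that fell out of the window
        if len(q) > max_moves:
            flagged[mac] = (len(q), sorted(ports_seen[mac]))
    return flagged


def flapping_macs(text, window=5.0, max_moves=3):
    """Convenience wrapper: parse the log text and run the flap detector on it."""
    return detect_mac_flaps(parse_learn_events(text), window, max_moves)


if __name__ == "__main__":
    for mac, (moves, ports) in flapping_macs(SAMPLE_LOG).items():
        print(f"ALERT {mac}: {moves} port moves within 5s across {', '.join(ports)}")
```

On the constructed sample only the cloned MAC is reported (five moves inside the window, spread over four ports), while the host that moved once is not. The threshold and window are the knobs to tune against a real switch's MAC-move notifications; a low threshold catches shared identities quickly but also trips on legitimate roaming, so pair the alert with the port-to-room mapping before treating it as a violation.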

4. Dual-NIC cracking.

Finally, a young man in the dormitory next door, called "Lai Zong", cracked some key fields of the Ruijie authentication software to achieve dual-NIC sharing. Our network now uses this method: PC A's Internet NIC dials up, PC A's intranet NIC acts as our proxy, and the crack defeats Ruijie's periodic check for multiple active NICs on the host. After testing, we can access the Internet and the network is stable; however, the hardware requirements for PC A may be high, so with this method the proxy machine should be chosen carefully!!

Conclusion: After a night of hard work last night, I got a good combination of theory and practice. Although I was limited by my own knowledge when writing this article and the above analysis may be wrong, I am very happy and satisfied. I am very grateful to a friend on 51CTO for his affirmation. Thank you for your appreciation; it seems that praise is needed in life, and a casual word of praise may help others a lot! Oh, the fight between the little people and the big people has been playing out on stage; the helplessness of the grassroots and the shamelessness of the elites are a true portrayal of the current situation. Finally, I end with the sentence I believe in: "Technology has no limits"!


Poisoned by Ruijie!!
Your school has not yet taken the most extreme step. If they had enabled MD5 detection on the server side of the Ruijie dial-up client, there would be no way to share!! According to your description, your school did not do this!! I think campus networks are all like this, especially Ruijie. It does not seem to limit the speed of each IP address; the speed with one person using it is almost unchanged!!
1. Ruijie adopts the 802.1X authentication method, but Ruijie has developed its own authentication protocol on that basis. It has set up an authentication server in your school; the server can bind the IP address and MAC address, that is, when you first use the address assigned to you by the school to authenticate, the binding is complete. It does not use the PPPoE protocol, so you certainly cannot dial PPPoE.
2. Ruijie uses periodic authentication, which seems to be every five minutes. In addition, its client checks whether your computer has dual NICs, whether routing software is installed, whether proxy software is installed, and even whether multiple IP addresses are bound to one network adapter; once detected, the network is automatically disconnected. Detection is also performed periodically!
3. You can change all the computers in your LAN to the valid IP address and MAC address and connect them to a hub. One machine dials up and the others can access the Internet. It must be a hub, not a switch. As you mentioned above, a switch may cause packet loss, which means QQ in your LAN will often drop. The working principles of a hub and a switch are different; the hub does not have this problem. However, if the version of the Ruijie client used by your school is too high, this method will not work!
4. In fact, for sharing Ruijie campus network Internet access, some people on the Internet have released cracked clients. They also disabled Ruijie's periodic detection of routing, proxying and multiple IP addresses on a single NIC, as well as the periodic dual-NIC detection, so Ruijie no longer performs its self-check. There are corresponding tutorials on the Internet for modifying the 802.1X file. With this, you can do everything you want to share the Internet; a single NIC can meet the needs of a group of people very well and stably. At the same time, the biggest benefit is that you can use virtual machines for study while still surfing the Internet, and the damn original pop-up window no longer appears, heh.
5. If your programming skills are good, you can use router dial-up shared Internet access in a more efficient and energy-saving way. On the Internet you can find a Ruijie client written by someone for Linux, and the code seems to be open. You can modify the router's firmware to integrate it, and finally flash the modified firmware onto the router. Of course, this is a high requirement for an individual. If someone makes it, there will surely be many people who worship him.

Seeing that the students at the school are so deeply poisoned by Ruijie, this new graduate also recalls many things from school. I feel it is good for students to have a quiet atmosphere for learning and technology!! Why don't you know how to cherish it ~~~
