Firewall configuration brainstorm

I have my school network simulated in my apartment. I have two OpenBSD machines NATing in my apartment. So my laptop's traffic goes from my cable modem's static IP to 192.168.0.1 to 10.0.0.1 to 10.0.1.2. The goal is for me to get an authorization system built where the people in the student housing would have to sign up for service on the firewall.

An OBSD machine would do an arp ping to get their MAC and check the dhcpd.leases file for their MAC; both must match. Then they'll be added to a DB and a cron will rebuild the dhcpd.conf file and exec('kill -HUP `cat /var/run/dhcpd.pid`'). Then the nat.conf file will get rebuilt so the randomly selected DHCP address, now statically assigned by MAC, will be allowed to NAT, again by the same cron. My hope is that with ~254^3 possible addresses in the Class A 10.0.0.0/8 network, only the people that get legitimately assigned IPs will be able to get past the firewall. The only way I can see around this is to statically set an IP that has already been allowed in NAT, but since there are usually only 100-120 people signed up at a time, I'm assuming that no one is going to figure out how to grab someone's already assigned IP. If someone hasn't gone through the signup process, they would get an IP from DHCP, but it wouldn't be in nat.conf, so they could only get to the HTTP signup form on the firewall. Once they sign up, their randomly assigned IP won't be allowed to access any ports on the firewall. Again, technically they could if they figured out what static address to set, but even if they did, there's no harm in going to HTTP.

I've been considering figuring out how to assign a "disallowed" IP on the 172.16.0.0/16 block when people haven't "signed up" yet, but I'm not sure if that'll steer people away from picking a 10.0.0.0/8 IP or if it'll just make it easier for them to figure out what's going on. I can assume most of the students will be too new to computing in general to figure it out, but it just takes one person to get some friends to statically set their addresses and make a mess on the network with IP conflicts, especially if they ping the whole 10.0.0.0/8 IP block to find clients that are up. I can see that doing this with OpenBSD pf/nat isn't the "proper" solution, but I'm looking to do it cheaply.

I really want to be able to filter NAT by MAC address. I thought about having another cron that would arp ping the clients to make sure only one MAC was returned and that it is the same as what is in the dhcpd.leases file. But then what would I do if it doesn't match? I can't drop packets from the IP because then the real owner would be screwed. The best I can think of, if that happened, would be to reassign an IP for the correct owner and hope they figure out to reboot when their access to the internet stops working.
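The cron job sketched above (parse the lease for the signed-up address, check the MAC that actually answers ARP against it, then regenerate the static dhcpd host stanza and the NAT rule) and the "does the ARP MAC match the lease MAC" check from this paragraph can share one piece of code. The script below is an added example, not deekayen's own script. It assumes a flat "ip hostname" signup list standing in for the DB, that "arp ping" means pinging the client and reading `arp -an`, the interface names fxp0/fxp1, the upstream address 192.168.0.2, and the older `nat on` rule syntax that a separate nat.conf implies. The lease, ARP and signup data are constructed samples embedded inline so it runs offline; the real cron would feed it /var/db/dhcpd.leases and live `arp -an` output instead, then HUP dhcpd and reload pf as the post describes. A client whose ARP MAC disagrees with its lease is reported and left out of both fragments rather than silently given a rule.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate per-client dhcpd
# host stanzas and NAT rules from the signup list, only for clients whose
# leased MAC is the MAC that actually answers ARP for that address.
# Assumed values (hypothetical): interface names, upstream address,
# pre-4.7 "nat on" pf syntax, and the "ip hostname" signup list format.

EXT_IF=fxp0              # assumed external interface of the NAT box
EXT_ADDR=192.168.0.2     # assumed address to NAT out as

# Constructed sample of /var/db/dhcpd.leases (ISC dhcpd format);
# the last block for an address is the current lease.
SAMPLE_LEASES='lease 10.0.1.2 {
  starts 3 2005/01/12 01:02:03;
  ends 3 2005/01/12 13:02:03;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 10.0.1.3 {
  starts 3 2005/01/12 02:00:00;
  ends 3 2005/01/12 14:00:00;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
lease 10.0.1.2 {
  starts 3 2005/01/12 13:05:00;
  ends 3 2005/01/13 01:05:00;
  hardware ethernet 00:11:22:33:44:55;
}'

# Constructed sample of "arp -an" output after pinging the clients.
# 10.0.1.3 answers from a MAC dhcpd never leased it: a statically set host.
SAMPLE_ARP='? (10.0.1.2) at 00:11:22:33:44:55 on fxp1
? (10.0.1.3) at 00:de:ad:be:ef:00 on fxp1'

# Constructed signup list standing in for the DB: "ip hostname" per line.
SAMPLE_SIGNUPS='10.0.1.2 laptop
10.0.1.3 desktop'

# MAC dhcpd recorded for an address (last matching lease block wins).
lease_mac_for_ip() {   # leases_text ip
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "lease" { ip = $2 }
        $1 == "hardware" && $2 == "ethernet" { sub(/;$/, "", $3); if (ip == want) mac = $3 }
        END { print mac }'
}

# MAC that actually answered ARP for the address, from "arp -an" output.
arp_mac_for_ip() {   # arp_text ip
    printf '%s\n' "$1" | awk -v want="($2)" '$2 == want { print $4 }'
}

# Print the MAC and return 0 when lease and ARP agree; report and return 1 otherwise.
verify_client() {   # leases_text arp_text ip
    lease_mac=$(lease_mac_for_ip "$1" "$3")
    arp_mac=$(arp_mac_for_ip "$2" "$3")
    if [ -n "$lease_mac" ] && [ "$lease_mac" = "$arp_mac" ]; then
        printf '%s\n' "$lease_mac"
        return 0
    fi
    printf 'MISMATCH %s lease=%s arp=%s\n' "$3" "${lease_mac:-none}" "${arp_mac:-none}" >&2
    return 1
}

# dhcpd.conf fragment: pin the address to the MAC so the lease stops being random.
dhcpd_host_stanza() {   # hostname mac ip
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' "$1" "$2" "$3"
}

# nat.conf fragment: only this address may NAT out (old "nat on" syntax).
nat_rule() {   # ip
    printf 'nat on %s from %s/32 to any -> %s\n' "$EXT_IF" "$1" "$EXT_ADDR"
}

# Walk the signup list, verify each client, and append fragments for the
# ones that check out. Prints "OK ip" or "SKIP ip" per client.
build_configs() {   # leases_text arp_text signups_text dhcpd_out nat_out
    : > "$4"; : > "$5"
    printf '%s\n' "$3" | while read -r ip host; do
        [ -n "$ip" ] || continue
        if mac=$(verify_client "$1" "$2" "$ip"); then
            dhcpd_host_stanza "$host" "$mac" "$ip" >> "$4"
            nat_rule "$ip" >> "$5"
            echo "OK $ip"
        else
            echo "SKIP $ip"
        fi
    done
}

# Stand-alone run against the constructed samples; the real cron would then
# HUP dhcpd and reload the NAT rules, as described in the post.
build_configs "$SAMPLE_LEASES" "$SAMPLE_ARP" "$SAMPLE_SIGNUPS" \
    "${TMPDIR:-/tmp}/dhcpd.hosts" "${TMPDIR:-/tmp}/nat.rules"
```

Running it against the samples prints `OK 10.0.1.2` and `SKIP 10.0.1.3`, with a `MISMATCH 10.0.1.3 lease=00:aa:bb:cc:dd:ee arp=00:de:ad:be:ef:00` line on stderr for the statically configured host; that mismatch report is the hook for the "reassign an IP for the correct owner" step the paragraph above leaves open.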

