Restrict internet access

  • Thread starter Thread starter Oliver
  • Start date Start date
O

Oliver

I'm trying to figure out a way to restrict internet access to non domain
users inside my LAN (i.e. Laptops who obtain from DHCP), im hoping Routing
and Remote access is my answer, here is what I did so far..

I enabled Routing and Remote access using custom configuration and selecting
VPN Access, NAT and basic firewall, LAN routing, then pointed a test machine
to gateway to the 2k3 box, launched IE, and the internet worked fine, so the
2k3 box is not NATing, its simply routing all internet traffic to it's own
gateway, now I need two more settings and I should be all set, this is
where I need your help

1) Configure the 2k3 box not to route any traffic only for one specific
domain group.

2) Configure DHCP to hand out a specific gateway to a specific MAC

if you have a better idea of how to do this feel free.

Thanks
 
Oliver said:
I'm trying to figure out a way to restrict internet access to non domain
users inside my LAN (i.e. Laptops who obtain from DHCP), im hoping Routing
and Remote access is my answer, here is what I did so far..

I enabled Routing and Remote access using custom configuration and selecting
VPN Access, NAT and basic firewall, LAN routing, then pointed a test machine
to gateway to the 2k3 box, launched IE, and the internet worked fine, so the
2k3 box is not NATing, its simply routing all internet traffic to it's own
gateway, now I need two more settings and I should be all set, this is
where I need your help

1) Configure the 2k3 box not to route any traffic only for one specific
domain group.
Click to expand...

Routing (and IP) have no concept of domain.

You cannot do it this way (without a list of each
machine's IP and even then it isn't foolprove.)
2) Configure DHCP to hand out a specific gateway to a specific MAC
Click to expand...

That can be done if you are willing to make
a reservation for every NIC on your network.

But it won't stop someone from just manually
setting their own IP settings.
if you have a better idea of how to do this feel free.
Click to expand...

Free is hard. You really need something like ISA
(Proxy server) to actually control it by Domain
account.

ISA costs money.

There are free Proxy/firewalls, but most all of the rest
of these have no concept of domain membership.

There are also schemes for using device authentication
through things like RADIUS (ISA is free with Windows
server).
 
Herd, thanks for your reply.

So say I accomplish this with IP, can I set a different IP based on logon?,
in other words if I filter this machines IP then they wouldn't have access
neither way because the IP address is assigned to the NIC not the user name,
unless there is a way set a specific IP upon logon.

As far as reservation for the NIC, isn't it only IP reservation or can I
actually reserve for a specific MAC a specific gateway
 
Oliver said:
Herd, thanks for your reply.

So say I accomplish this with IP, can I set a different IP based on logon?,
in other words if I filter this machines IP then they wouldn't have access
neither way because the IP address is assigned to the NIC not the user name,
unless there is a way set a specific IP upon logon.
Click to expand...

No, not through normal logons.

But rather than go to all that trouble you could
just keep a list (or dump you own DNS zone and
use that to feed the list).
As far as reservation for the NIC, isn't it only IP reservation or can I
actually reserve for a specific MAC a specific gateway
Click to expand...

As I said, most people think it is ONLY for IP,
but it offers the possibility of setting different
options for each such reservation.

Options include things like router (default gateway.)

BUT manual settings on the client can override this
so it is NOT any true security.
 
But rather than go to all that trouble you could
just keep a list (or dump you own DNS zone and
use that to feed the list).
Click to expand...

I think im not following you, lets say i reverse an IP for this box and set
a specific gatway, I tell RAS to block this IP, perfect they cant access the
internet, when they logon to the domain the IP is still blocked, i not
concered at this point with the user changing as long as I could make it
happan,
 
Oliver said:
I think im not following you, lets say i reverse an IP for this box and set
a specific gatway,
Click to expand...

That will work if the box is does not set it's
IP manually AND if you know all of the MAC
addresses to setup the reservations.
I tell RAS to block this IP, perfect they cant access the
internet, when they logon to the domain the IP is still blocked, i not
concered at this point with the user changing as long as I could make it
happan,
Click to expand...

Ok, then that will block those IPs that you choose.

But your original problem was to block non-domain
members so it will not affect those who have full
control of their own machine (non-domain) and who
choose to set the IP & gateway themselves.

You can get closer by only AUTHORIZING those
IPs that you hand out but then the unauthorized user
might use one of your good IPs anyway.

It will sort of work but it is neither automatic, nor
foolproof.
 
Herb, my question is, how do I assign a different IP when they are logged on
locally or logged on to the network, In general in windows XP pro, if I
change the IP settings manually for one user, does it effect everybody on
this machine?
 
Oliver said:
Herb, my question is, how do I assign a different IP when they are logged on
locally or logged on to the network,
Click to expand...

I don't understand the above question since it is
the MACHINE that has the IP address and has
nothing to do with the user logging on (with one
odd exception for RRAS.)
In general in windows XP pro, if I
change the IP settings manually for one user,
Click to expand...

You are changing if for the computer.
does it effect everybody on
this machine?
Click to expand...

Sure, since the machine has the address.

The only exception is that you can assign
an address (still to the computer) based on the
user identity when they connect with RRAS
(VPN or DIAL.)
 
If you were to configure your internal inteface without NAT access, and
allow the users you want to have internet access to VPN into the RRAS
server, and make sure that Use Default Gateway is set, you could accomplish
your goal. it would be a pain for the users, but effective.
 
Brian Higgins said:
If you were to configure your internal inteface without NAT access, and
allow the users you want to have internet access to VPN into the RRAS
server, and make sure that Use Default Gateway is set, you could accomplish
your goal. it would be a pain for the users, but effective.
Click to expand...

This can work (but it's ugly I think.)

You would likely have to override the DNS
settings assigned by the "RRAS" server (or
set them also to the INTERNAL DNS which
I do anyway but is uncommon for most people.)

It would also (likely) mean that any traffic
intended for other local subnets would go
through the VPN to the router before heading
BACK to the internal networks -- and that
these machines would now have to be treated
as having a different address range.

The VPN would also need to be NATed (as
the internal/private side.)
 
Back
Top