Solved

Restrict NT NIC to only allow certain IP addresses?

Posted on 2002-04-03
414 Views
Last Modified: 2013-12-23
Running Windows NT4 SP6a, I would like to find a way to allow only certain IP addresses to communicate with a certain NIC in the machine (I have 3).
Other than a subnet mask, any ideas?

Thanks,

Rick
Question by:RickWillkins
16 Comments
 
LVL 2

Accepted Solution

by:
jbunting earned 300 total points
ID: 6915813
How about a router and/or firewall? You don't give any details about what you're trying to accomplish.

0
 
LVL 1

Assisted Solution

by:amoisant
amoisant earned 200 total points
ID: 6916138
Unfortunately, with NT you cannot do this. By enabling Advanced Security on your NIC you can stop access to certain ports, but not IP addresses.
0
 
LVL 1

Author Comment

by:RickWillkins
ID: 6918031
I am rejecting simply because at this point I'd like to hear some more suggestions/ideas about this.

I have a firewall and a router; however, I'm trying to block certain NICs from getting traffic from all but certain nodes in this network.

I know I can subnet them, but unless I'm wrong, subnetting can only pass IPs outside of ranges like:

.1 - .8, .1 - .128, but cannot allow ranges like, say, .24 to .64 while excluding even .1 to .23. Am I correct in this?
0
 
LVL 56

Assisted Solution

by:andyalder
andyalder earned 200 total points
ID: 6918121
You could block them with ISA Server, or there is the unbelievably messy bodge of adding false static ARP entries so the server can't respond. A VLAN switch is the neatest way.
0
 
LVL 2

Expert Comment

by:jbunting
ID: 6918274
Yes, if you subnet you'll need to allow a contiguous block of addresses; you can't pick and choose.

You could make persistent static routes that go nowhere for those certain IPs you wish to block. Traffic would still get to the server, but any server response wouldn't get back to the initiating host. If you've got a lot of addresses to block this could be cumbersome, but for a handful it would probably work fine.
0
 
LVL 1

Author Comment

by:RickWillkins
ID: 6918318
I'd like to allow a block, say from .12 to .22, but is there a way to block addresses BELOW the range as well as above?
0
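Added example, not code from any poster in this thread, showing with Python's ipaddress module what jbunting's "contiguous block" point and the .12 to .22 question come down to: a subnet is always a block whose size is a power of two and whose first address is a multiple of that size, so one mask cannot start at .12 and stop at .22. The range needs four CIDR entries to cover exactly, and the single mask that contains it (a /27) also admits 21 addresses below and above it. The addresses are constructed for illustration.

```python
"""Why a subnet mask cannot carve out an arbitrary range such as .12 to .22.

Added example for this thread, not code from the original posts. A subnet is
always a block whose size is a power of two and whose first address is a
multiple of that size, so a mask can only select such aligned blocks.
Addresses below are constructed for illustration.
"""
import ipaddress


def _blocks(first: str, last: str):
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def single_subnet(first: str, last: str):
    """Return the one CIDR network that covers exactly first..last, or None
    when the range is not an aligned power-of-two block."""
    blocks = _blocks(first, last)
    return str(blocks[0]) if len(blocks) == 1 else None


def covering_blocks(first: str, last: str):
    """Minimal list of CIDR blocks that cover exactly first..last. A router or
    firewall can take several entries; a single NIC mask cannot."""
    return [str(b) for b in _blocks(first, last)]


def smallest_enclosing(first: str, last: str):
    """The smallest single subnet that contains the whole range: what you get
    if you insist on one mask, including the unwanted addresses it lets in."""
    net = ipaddress.ip_network(f"{first}/32")
    last_addr = ipaddress.ip_address(last)
    while last_addr not in net:
        net = net.supernet()
    return str(net)


def unwanted_addresses(first: str, last: str):
    """How many addresses outside first..last the enclosing subnet also admits
    (both below and above the wanted range)."""
    net = ipaddress.ip_network(smallest_enclosing(first, last))
    wanted = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return net.num_addresses - wanted


if __name__ == "__main__":
    for lo, hi in [("192.168.1.0", "192.168.1.7"),
                   ("192.168.1.1", "192.168.1.8"),
                   ("192.168.1.12", "192.168.1.22")]:
        print(f"{lo}-{hi}: single subnet = {single_subnet(lo, hi)}")
        print(f"  exact cover  : {covering_blocks(lo, hi)}")
        print(f"  one-mask fit : {smallest_enclosing(lo, hi)} "
              f"(admits {unwanted_addresses(lo, hi)} unwanted addresses)")
```

Run it and the .0 to .7 range comes back as a single /29, while .12 to .22 comes back as four blocks (/30, /30, /31, /32); the only single mask containing it is 192.168.1.0/27, which lets in .0 to .11 and .23 to .31 as well. That is the "below as well as above" problem: a mask selects an aligned block, never a window.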
 
LVL 3

Assisted Solution

by:cfarca
cfarca earned 200 total points
ID: 6918574
What you would like to do, if I understand correctly, is to delegate network traffic from your network to all 3 NICs of your server, in order to split server access from your client PCs across its 3 NICs.
On NT4 Server, the only way to obtain this result is to subnet your network into 3 subnets, assign each NIC of your server to one of those subnets, and assign one third of your client PCs to each as well. Your server will become a multihomed server, serving 3 subnets at the same time.
Hope this will help, Chris.
0
 
LVL 3

Assisted Solution

by:UkWizard
UkWizard earned 300 total points
ID: 6919476
As a cheat, you could create a route for each client's IP address on the server pointing to a non-valid entry.
Example, to prevent 192.168.1.25 from accessing your server, which may be on 192.168.1.1.

Put a route on the box like so:

route add 192.168.1.25 mask 255.255.255.255 192.168.1.1

That way, the server will try to reply to this client back to itself and thus fail, preventing access from that computer. The downside is an entry for each client, unless you used a subnet to limit the range of IP addresses.

I am sure this would work.

HOWEVER, if you are talking about connecting all 3 NICs on the server to the same cable network, I would advise against this totally.
This could grind your server to a halt, because of Microsoft's tendency for broadcasts.
Tell us why you want to do this (redundancy, load balancing) and we may be able to offer a better solution, like teaming the cards together instead.


0
 
LVL 1

Author Comment

by:RickWillkins
ID: 6920953
OK, the skinny is this. I have a network set up in 3 sections: Admin, Production, and a separate NIC for the servers to communicate with each other (replication, backup).

The production people are all on one LAN hub, the MIS people are all on one hub, and the servers all have a 3rd NIC connected to one hub. I'm trying to make sure all the servers communicate with each other on the hub reserved for that (hence the 192.168 subnet).

I am also trying to restrict the traffic so that the production computers ONLY talk to the servers through a specific NIC, and the MIS computers the same. When I took over this network, the wiring was a mess of spaghetti, and I'm sure there are some redundant paths from place to place. I'd like to force specific nodes, depending on their department, to communicate with a specific NIC on the server. I don't have the option of adding another subnet at this point (though that would make my life infinitely easier).


Thanks,

Rick
0
 
LVL 2

Expert Comment

by:jbunting
ID: 6921072
What you want to do is subnet the departments and make each respective NIC the default gateway for its department. As long as it is properly subnetted, directed traffic will only be sent over one NIC. You may also see some benefit by replacing the hubs with switches if you have the funds for that.

Without subnetting, you can't stop the traffic from being broadcast everywhere. Since you say you don't have the option to subnet, I think adding a switch would be the best solution to direct traffic.

Creating the bogus routes as I and UKWizard suggested won't help anything in this situation as the traffic is still being generated.
0
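Added example, not code from any poster in this thread, simulating the routing decision behind jbunting's "persistent static routes that go nowhere", UkWizard's host-route cheat, and jbunting's remark that directed traffic leaves over only one NIC once the departments are subnetted. The server layout and all addresses are constructed for illustration (the thread names nothing beyond "192.168"); the NIC names, the site router and the unused next-hop address are assumptions. The simulation does longest-prefix match and then checks whether the address the server must ARP for exists on the wire; it does not model what NT itself does when the gateway is the server's own address, as in UkWizard's command. It also makes jbunting's caveat visible: the client's packets still arrive at the server, only the reply is lost.

```python
"""Routing decisions on a multihomed server: longest-prefix match.

Added example for this thread, not code from any of the posts. The layout is
constructed for illustration (the thread names no addresses beyond "192.168"):
    nic1  10.1.0.1/24      production hub
    nic2  10.2.0.1/24      MIS/admin hub
    nic3  192.168.0.1/24   server-to-server hub
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]  # None means on-link: ARP for the destination itself


def add_route(table, dest, interface, next_hop=None):
    """Equivalent of NT's 'route add <dest> mask <mask> <gateway>'."""
    table.append(Route(ipaddress.ip_network(dest, strict=False), interface, next_hop))


def lookup(table, dst):
    """The most specific matching route wins, whatever order routes were added in."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.dest]
    return max(candidates, key=lambda r: r.dest.prefixlen) if candidates else None


def server_table():
    t = []
    add_route(t, "10.1.0.0/24", "nic1")                        # connected
    add_route(t, "10.2.0.0/24", "nic2")                        # connected
    add_route(t, "192.168.0.0/24", "nic3")                     # connected
    add_route(t, "0.0.0.0/0", "nic2", next_hop="10.2.0.254")   # site router (constructed)
    return t


def add_blackhole(table, host, interface, dead_next_hop):
    """The 'route to nowhere' from the thread: a /32 host route whose next hop
    is an address on the connected segment that no machine answers ARP for."""
    add_route(table, f"{host}/32", interface, next_hop=dead_next_hop)


def blocked_table():
    """server_table() plus a blackhole for one production client (constructed)."""
    t = server_table()
    add_blackhole(t, "10.1.0.25", "nic1", "10.1.0.253")  # .253 is unused here
    return t


def egress(table, dst):
    """(interface, address the server will ARP for) used to reply to dst."""
    r = lookup(table, dst)
    if r is None:
        return None
    return (r.interface, r.next_hop if r.next_hop is not None else dst)


# Machines that actually exist on the wire in this constructed layout.
LIVE_HOSTS = {"10.1.0.25", "10.1.0.30", "10.2.0.40", "10.2.0.254", "192.168.0.2"}


def reply_reaches(table, dst, live_hosts=LIVE_HOSTS):
    """Inbound traffic from dst still arrives; this only says whether the
    server's reply leaves, i.e. whether the ARP target is a real machine."""
    e = egress(table, dst)
    return e is not None and e[1] in live_hosts


if __name__ == "__main__":
    t = server_table()
    for dst in ("10.1.0.30", "10.2.0.40", "192.168.0.2", "203.0.113.9"):
        print(dst, "->", egress(t, dst))
    b = blocked_table()
    for dst in ("10.1.0.25", "10.1.0.30"):
        print(dst, "->", egress(b, dst), "reply delivered:", reply_reaches(b, dst))
```

With the departments on separate subnets, each client's address matches exactly one connected route, so the reply leaves over that department's NIC and nothing else; anything off-site falls through to the /0 default. The /32 entry for 10.1.0.25 wins over the /24 because it is more specific, so that client's traffic is answered towards an address nobody owns and the reply dies at ARP, while its neighbour 10.1.0.30 is unaffected.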
 
LVL 1

Author Comment

by:RickWillkins
ID: 6921099
The traffic is a reason not to do the bogus routes. I'm trying to minimize traffic and, for lack of a better term, I'll use one from my radio days, crosstalk.

I'll try this stuff out.

Rick
0
 
LVL 2

Expert Comment

by:jbunting
ID: 6921207
Yes, that's what I was saying. Making the bogus routes was thinking along the lines of just preventing a particular client from accessing a particular NIC, and perhaps a particular service bound to that NIC.

A switch will help some with the traffic without having to subnet. You'll still have broadcast traffic that will go everywhere. The non-broadcast traffic will be limited to a particular department. The server won't use the individual NICs to respond unless subnetted, but whichever one is the default gateway. The switch should direct the traffic to the correct hub, however. A combination of subnetting and a switch will yield you the best results.
0
 

Expert Comment

by:quirkyquirky
ID: 7299524
0
 

Expert Comment

by:ComTech
ID: 7300334
This person has been suspended for multiple violations of the Member Agreement, and will reject the proposed answer, and return your question to the Active Questions List.
 
Thank you,
ComTech
CS Admin @ EE
0
 

Expert Comment

by:CleanupPing
ID: 9160146
RickWillkins:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 1

Author Comment

by:RickWillkins
ID: 9170228
I split the points equally, with the exception of jbunting, as he offered the most in the way of quantity.
I never did get this resolved; the owner of the company folded up shop and left folks hanging in the breeze.
0
