Solved

Restrict NT NIC to only allow certain IP addresses?

Posted on 2002-04-03
409 Views
Last Modified: 2013-12-23
Running Windows NT4 SP6a. I would like to find a way to allow only certain IP addresses to communicate with a certain NIC in the machine (I have 3).
Other than a subnet mask, any ideas?

Thanks,

Rick
Question by:RickWillkins
16 Comments
 
LVL 2

Accepted Solution

by:jbunting
jbunting earned 75 total points
ID: 6915813
How about a router and/or firewall? You don't give any details about what you're trying to accomplish.

 
LVL 1

Assisted Solution

by:amoisant
amoisant earned 50 total points
ID: 6916138
Unfortunately, with NT you cannot do this. By enabling Advanced Security on your NIC you can stop access to certain ports, but not IP addresses.
 
LVL 1

Author Comment

by:RickWillkins
ID: 6918031
I am rejecting simply because at this point I'd like to hear some more suggestions/ideas about this.

I have a firewall and a router; however, I'm trying to block certain NICs from getting traffic from all but certain nodes in this network.

I know I can subnet them, but unless I'm wrong, subnetting can only pass IPs outside of ranges like:

.1 - .8, .1 - .128, but cannot allow ranges like, say, .24 to .64 while excluding even .1 to .23. Am I correct in this?
 
LVL 55

Assisted Solution

by:andyalder
andyalder earned 50 total points
ID: 6918121
You could block them with ISA Server, or there is the unbelievably messy bodge of adding false static ARP entries so the server can't respond. A VLAN switch is the neatest way.
 
LVL 2

Expert Comment

by:jbunting
ID: 6918274
Yes, if you subnet you'll need to allow a contiguous block of addresses; you can't pick and choose.

You could make persistent static routes that go nowhere for those certain IPs you wish to block. Traffic would still get to the server, but any server response wouldn't get back to the initiating host. If you've got a lot of addresses to block this could be cumbersome, but for a handful it would probably work fine.
 
LVL 1

Author Comment

by:RickWillkins
ID: 6918318
I'd like to allow a block, say from .12 to .22, but is there a way to block addresses BELOW the range as well as above?
 
LVL 3

Assisted Solution

by:cfarca
cfarca earned 50 total points
ID: 6918574
What you would like to do, if I understand correctly, is to spread network traffic from your network across all 3 NICs of your server, in order to split the server access from your client PCs over all of its 3 NICs.
On NT4 Server, the only way to obtain this result is to subnet your network into 3 subnets, assign each NIC of your server to one of those subnets, and likewise one third of your client PCs. Your server will become a multihomed server, serving 3 subnets at the same time.
Hope this will help, Chris.
 
LVL 3

Assisted Solution

by:UkWizard
UkWizard earned 75 total points
ID: 6919476
As a cheat, you could create a route for each client's IP address on the server pointing to a non-valid entry.
Example: to prevent 192.168.1.25 from accessing your server, which may be on 192.168.1.1.

Put a route on the box like so:

route add 192.168.1.25 mask 255.255.255.255 192.168.1.1

That way the server will try to reply to this client back to itself, and thus it doesn't work, preventing access from that computer. The downside is an entry for each client, unless you used a subnet to limit the range of IP addresses.

I am sure this would work.

HOWEVER, if you are talking about connecting all 3 NICs on the server to the same cable network, I would advise against this totally.
This could grind your server to a halt because of Microsoft's tendency for broadcasts.
Tell us why you want to do this (redundancy, load balancing); we may be able to offer a better solution, like teaming the cards together instead.
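The two mechanisms discussed so far, worked through as an added example that is not from the thread: the subnet question (can a range like .12 to .22, or .24 to .64, be expressed as one subnet, and if not, what is the smallest set of subnets that covers it) and the per-host "route to nowhere" trick from the reply above. Python's ipaddress module does the CIDR arithmetic. The /24 network, the allowed range, the server address and the address used as the bogus gateway are constructed values; the command form follows the reply (a host route with a /32 mask), with `-p` for the persistent routes jbunting mentioned. The example generates the commands and makes no claim about what NT4 does with them beyond what the reply states.

```python
import ipaddress


def allowed_blocks(first, last):
    """Smallest list of CIDR subnets that exactly covers first..last (inclusive).

    A subnet is always a power-of-two sized block aligned on its own size,
    so an arbitrary range usually needs several of them.
    """
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def single_subnet(first, last):
    """The one subnet that covers first..last exactly, or None if no such subnet exists."""
    blocks = allowed_blocks(first, last)
    return blocks[0] if len(blocks) == 1 else None


def blackhole_routes(network, first, last, gateway, exclude=()):
    """NT4 'route' commands for every host in `network` outside first..last.

    Each command installs a persistent /32 host route via `gateway`, in the
    form the reply above suggests, so replies to that host never reach it.
    Addresses in `exclude` (e.g. the server's own NIC addresses) are skipped.
    """
    net = ipaddress.ip_network(network, strict=False)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    skip = {ipaddress.ip_address(a) for a in exclude}
    cmds = []
    for host in net.hosts():
        if lo <= host <= hi or host in skip:
            continue
        cmds.append(f"route -p add {host} mask 255.255.255.255 {gateway}")
    return cmds


if __name__ == "__main__":
    # Constructed values: a flat /24, an allowed range of .12-.22 and a
    # server living on .1 that is also used as the bogus gateway.
    for rng in (("192.168.1.12", "192.168.1.22"), ("192.168.1.24", "192.168.1.64")):
        one = single_subnet(*rng)
        print(rng, "->", one if one else [str(b) for b in allowed_blocks(*rng)])
    cmds = blackhole_routes("192.168.1.0/24", "192.168.1.12", "192.168.1.22",
                            "192.168.1.1", exclude=["192.168.1.1"])
    print(len(cmds), "routes, first:", cmds[0])
```

The first function answers the subnetting question directly: .12-.22 decomposes into four subnets (/30, /30, /31, /32) and .24-.64 into three, so neither can be a single subnet mask on the NIC. The route generator shows the cost of the workaround: blocking everything outside an 11-address range on a /24 means about 240 host routes per server, which is jbunting's "cumbersome" case.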
 
LVL 1

Author Comment

by:RickWillkins
ID: 6920953
OK, the skinny is this. I have a network set up in 3 sections: Admin, Production, and a separate NIC for the servers to communicate with each other (replication, backup).

The production people are all on one LAN hub, the MIS people are all on one hub, and the servers all have a 3rd NIC connected to one hub. I'm trying to make sure all the servers communicate with each other on the hub reserved for that (hence the 192.168 subnet).

I am also trying to restrict the traffic so that the production computers ONLY talk to the servers through a specific NIC, and the MIS computers the same. When I took over this network, the wiring was a mess of spaghetti, and I'm sure there are some redundant paths from place to place. I'd like to force specific nodes, depending on their department, to communicate with a specific NIC on the server. I don't have the option of adding another subnet at this point (though that would make my life infinitely easier).


Thanks,

Rick
 
LVL 2

Expert Comment

by:jbunting
ID: 6921072
What you want to do is subnet the departments and make each respective NIC the default gateway for its department. As long as it is properly subnetted, directed traffic will only be sent over one NIC. You may also see some benefit by replacing the hubs with switches if you have the funds for that.

Without subnetting, you can't stop the traffic from being broadcast everywhere. Since you say you don't have the option to subnet, I think adding a switch would be the best solution to direct traffic.

Creating the bogus routes as I and UkWizard suggested won't help anything in this situation, as the traffic is still being generated.
 
LVL 1

Author Comment

by:RickWillkins
ID: 6921099
The traffic is a reason not to do the bogus routes. I'm trying to minimize traffic and, for lack of a better term, I'll use one from my radio days: crosstalk.

I'll try this stuff out.

Rick
 
LVL 2

Expert Comment

by:jbunting
ID: 6921207
Yes, that's what I was saying. Making the bogus routes was thinking along the lines of just preventing a particular client from accessing a particular NIC, and perhaps a particular service bound to that NIC.

A switch will help some with the traffic without having to subnet. You'll still have broadcast traffic that will go everywhere. The non-broadcast traffic will be limited to a particular department. The server won't use the individual NICs to respond unless subnetted, but whichever one is the default gateway. The switch should direct the traffic to the correct hub, however. A combination of subnetting and a switch will yield you the best results.
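The point in the reply above, that the server replies through whichever NIC its route table selects rather than the NIC the request arrived on, as an added example that is not from the thread. It is a minimal model of a multihomed host's routing table with longest-prefix-match selection, compared for the flat layout Rick describes (three NICs on one subnet) and for the per-department subnets jbunting recommends. The interface names and addresses are constructed. Ties between equal-length prefixes are broken by table order here, whereas a real NT4 stack uses interface metrics and binding order; the flat case therefore shows that one NIC carries every reply, not which one.

```python
import ipaddress


class Host:
    """Minimal model of a multihomed IP stack.

    Every NIC contributes a directly connected route for its own subnet,
    and a reply to any destination leaves through the route with the longest
    matching prefix. Nothing in the lookup remembers which NIC the request
    came in on, which is why the inbound NIC cannot pin the reply path.
    """

    def __init__(self):
        # (network, interface name); searched by longest prefix match
        self.routes = []

    def add_interface(self, name, addr_with_prefix):
        iface = ipaddress.ip_interface(addr_with_prefix)
        self.routes.append((iface.network, name))
        return iface

    def add_default(self, name):
        # 0.0.0.0/0 matches everything and always loses to a connected subnet
        self.routes.append((ipaddress.ip_network("0.0.0.0/0"), name))

    def egress(self, dst):
        """Name of the NIC a packet to `dst` leaves through."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, name in self.routes:
            # strictly longer prefix wins; equal length keeps the earlier entry
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best[1]


def reply_interfaces(host, clients):
    """Map each client address to the NIC the server's replies would use."""
    return {c: host.egress(c) for c in clients}


def flat_design():
    """All three NICs on one /24 (the spaghetti layout): every client matches
    the same prefix length on every NIC, so a single NIC wins for all of them."""
    h = Host()
    h.add_interface("nic_prod", "192.168.1.1/24")
    h.add_interface("nic_mis", "192.168.1.2/24")
    h.add_interface("nic_srv", "192.168.1.3/24")
    return reply_interfaces(h, ["192.168.1.50", "192.168.1.150", "192.168.1.250"])


def subnetted_design():
    """One subnet per department: the destination prefix itself selects the NIC,
    and anything off all three subnets falls through to the default route."""
    h = Host()
    h.add_interface("nic_prod", "192.168.10.1/24")
    h.add_interface("nic_mis", "192.168.20.1/24")
    h.add_interface("nic_srv", "192.168.30.1/24")
    h.add_default("nic_prod")  # constructed: production hub holds the router
    return reply_interfaces(h, ["192.168.10.50", "192.168.20.50",
                                "192.168.30.50", "172.16.5.5"])


if __name__ == "__main__":
    print("flat:     ", flat_design())
    print("subnetted:", subnetted_design())
```

Run stand-alone, the flat layout maps all three clients to the first NIC while the subnetted layout maps each department's client to its own NIC, which is the reason the thread keeps coming back to subnetting as the only real fix on NT4.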
 

Expert Comment

by:quirkyquirky
ID: 7299524
 

Expert Comment

by:ComTech
ID: 7300334
This person has been suspended for multiple violations of the Member Agreement, and will reject the proposed answer, and return your question to the Active Questions List.
 
Thank you,
ComTech
CS Admin @ EE
 

Expert Comment

by:CleanupPing
ID: 9160146
RickWillkins:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
 
LVL 1

Author Comment

by:RickWillkins
ID: 9170228
I split the points equally, with the exception of jbunting, as he offered the most in the way of quantity.
I never did get this resolved; the owner of the company folded up shop and left folks hanging in the breeze.
