Solved

Restrict NT NIC to only allow certain IP addresses?

Posted on 2002-04-03
406 Views
Last Modified: 2013-12-23
Running Windows NT4 SP6a, I would like to find a way to allow only certain IP addresses to communicate with a certain NIC in the machine (I have 3).
Other than a subnet mask, any ideas?

Thanks,

Rick
0
Question by:RickWillkins
16 Comments
 
LVL 2

Accepted Solution

by:
jbunting earned 75 total points
ID: 6915813
How about a router and/or firewall? You don't give any details about what you're trying to accomplish.

0
 
LVL 1

Assisted Solution

by:amoisant
amoisant earned 50 total points
ID: 6916138
Unfortunately, with NT you cannot do this. By enabling Advanced Security on your NIC you can stop access to certain ports, but not IP addresses.
0
 
LVL 1

Author Comment

by:RickWillkins
ID: 6918031
I am rejecting simply because at this point I'd like to hear some more suggestions/ideas about this.

I have a firewall and a router; however, I'm trying to block certain NICs from getting traffic from all but certain nodes in this network.

I know I can subnet them, but unless I'm wrong, subnetting can only pass IPs outside of ranges like:

.1 - .8, .1 - .128, but cannot allow ranges like from say .24 to .64 excluding even .1 to .23. Am I correct in this?
0
 
LVL 55

Assisted Solution

by:andyalder
andyalder earned 50 total points
ID: 6918121
You could block them with ISA Server, or there is the unbelievably messy bodge of adding false static ARP entries so the server can't respond. A VLAN switch is the neatest way.
0
 
LVL 2

Expert Comment

by:jbunting
ID: 6918274
Yes, if you subnet you'll need to allow a contiguous block of addresses; you can't pick and choose.

You could make persistent static routes that go nowhere for those certain IPs you wish to block. Traffic would still get to the server, but any server response wouldn't get back to the initiating host. If you've got a lot of addresses to block this could be cumbersome, but for a handful it would probably work fine.
0
 
LVL 1

Author Comment

by:RickWillkins
ID: 6918318
I'd like to allow a block, like say from .12 to .22, but is there a way to block addresses BELOW the range as well as above?
0
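An added example (not from any poster in this thread) showing what the "contiguous block" constraint means in practice: a subnet mask can only express a range that is aligned to a power-of-two boundary, so .12 to .22 can never be one mask and has to be split into several network/mask pairs. It uses Python's standard `ipaddress` module on constructed addresses in the 192.168.1.0/24 range discussed here.

```python
from ipaddress import IPv4Address, IPv4Network, summarize_address_range
from typing import List, Optional

# Constructed sample addresses in the thread's 192.168.1.0/24 network.
NET = "192.168.1."


def prefixes_for_range(first: str, last: str) -> List[str]:
    """Smallest set of CIDR blocks that exactly covers first..last inclusive.

    summarize_address_range splits the range at every point where the
    alignment changes, which is exactly where a single mask stops working.
    """
    return [str(n) for n in summarize_address_range(IPv4Address(first),
                                                    IPv4Address(last))]


def single_subnet(first: str, last: str) -> Optional[str]:
    """Return the one network/prefix covering exactly first..last, or None
    when the range is not a power-of-two block on an aligned boundary
    (the case jbunting describes as "you can't pick and choose")."""
    blocks = prefixes_for_range(first, last)
    return blocks[0] if len(blocks) == 1 else None


def mask_for(prefix: str) -> str:
    """Dotted mask a Windows 'route add' or NIC config would need for a prefix."""
    return str(IPv4Network(prefix).netmask)


if __name__ == "__main__":
    for lo, hi in ((NET + "0", NET + "7"), (NET + "0", NET + "127"),
                   (NET + "12", NET + "22"), (NET + "24", NET + "64")):
        one = single_subnet(lo, hi)
        if one:
            print(f"{lo}-{hi}: single subnet {one} mask {mask_for(one)}")
        else:
            print(f"{lo}-{hi}: needs {len(prefixes_for_range(lo, hi))} blocks:",
                  ", ".join(prefixes_for_range(lo, hi)))
```

Run it and the .0-.7 and .0-.127 ranges come out as one /29 and one /25, while .12-.22 and .24-.64 each need several blocks, which is why a mask alone cannot admit that range and exclude everything below it.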
 
LVL 3

Assisted Solution

by:cfarca
cfarca earned 50 total points
ID: 6918574
What you would like to do, if I understand correctly, is delegate network traffic from your network to all 3 NICs of your server in order to split the server access from your client PCs across all 3 NICs.
On NT4 Server, the only way to obtain this result is to subnet your network into 3 subnets, assign each NIC of your server to one of those subnets, and also one third of your client PCs. Your server will become a multihomed server, serving 3 subnets at the same time.
Hope this will help, Chris.
0
 
LVL 3

Assisted Solution

by:UkWizard
UkWizard earned 75 total points
ID: 6919476
As a cheat, you could create a route for each client's IP address on the server pointing to a non-valid entry.
Example: to prevent 192.168.1.25 from accessing your server, which may be on 192.168.1.1.

Put a route on the box like so:

route add 192.168.1.25 mask 255.255.255.255 192.168.1.1

That way, the server will try to reply to this client back to itself and thus not work, preventing access from that computer. The downside is an entry for each client, unless you used a subnet to limit the range of IP addresses.

I am sure this would work.

HOWEVER, if you are talking about connecting all 3 NICs on the server to the same cable network, I would advise against this totally.
This could grind your server to a halt, because of Microsoft's tendency for broadcasts.
Tell us why you want to do this (redundancy, load balancing) and we may be able to offer a better solution, like teaming the cards together instead.


0
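An added example (not UkWizard's code) modelling what that host route does to the server's routing decision: a minimal longest-prefix-match table with the connected 192.168.1.0/24 plus the constructed bogus /32 route above. It shows why the reply to .25 never leaves the box while neighbours are unaffected, and why, as jbunting noted, the client's inbound traffic still arrives, since the route only governs egress.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Constructed for this example: the server's own address on the LAN NIC.
SERVER_IP = IPv4Address("192.168.1.1")


class RouteTable:
    """Tiny model of a host route table: longest prefix wins."""

    def __init__(self) -> None:
        # (network, gateway); gateway None means directly connected
        self.routes: List[Tuple[IPv4Network, Optional[IPv4Address]]] = []

    def add(self, dest: str, mask: str, gateway: Optional[str] = None) -> None:
        net = IPv4Network(f"{dest}/{mask}")
        self.routes.append((net, IPv4Address(gateway) if gateway else None))

    def lookup(self, dst: str):
        addr = IPv4Address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)


def reply_next_hop(table: RouteTable, client: str) -> str:
    """Where the server would send its reply to `client`."""
    hit = table.lookup(client)
    if hit is None:
        return "unreachable"
    _net, gw = hit
    if gw is None:
        return f"direct:{client}"         # normal on-link delivery
    if gw == SERVER_IP:
        return "blackhole"                 # next hop is the server itself
    return f"via:{gw}"


def build_table() -> RouteTable:
    """Connected LAN plus the bogus host route from the post above."""
    t = RouteTable()
    t.add("192.168.1.0", "255.255.255.0")                      # on-link NIC
    t.add("192.168.1.25", "255.255.255.255", "192.168.1.1")    # route add ...
    return t


if __name__ == "__main__":
    t = build_table()
    for c in ("192.168.1.25", "192.168.1.26", "10.0.0.5"):
        print(c, "->", reply_next_hop(t, c))
```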
 
LVL 1

Author Comment

by:RickWillkins
ID: 6920953
OK, the skinny is this. I have a network set up in 3 sections: Admin, Production, and a separate NIC for the servers to communicate with each other (replication, backup).

The production people are all on one LAN hub, the MIS people are all on one hub, and the servers all have a 3rd NIC connected to one hub. I'm trying to make sure all the servers communicate with each other on the hub reserved for that (hence the 192.168 subnet).

I am also trying to restrict the traffic so that the production computers ONLY talk to the servers through a specific NIC, and the MIS computers the same. When I took over this network, the wiring was a mess of spaghetti, and I'm sure there are some redundant paths from place to place. I'd like to force specific nodes, depending on their department, to communicate with a specific NIC on the server. I don't have the option of adding another subnet at this point (though that would make my life infinitely easier).


Thanks,

Rick
0
 
LVL 2

Expert Comment

by:jbunting
ID: 6921072
What you want to do is subnet the departments and make each respective NIC the default gateway for its department. As long as it is properly subnetted, directed traffic will only be sent over one NIC. You may also see some benefit by replacing the hubs with switches if you have the funds for that.

Without subnetting, you can't stop the traffic from being broadcast everywhere. Since you say you don't have the option to subnet, I think adding a switch would be the best solution to direct traffic.

Creating the bogus routes as I and UkWizard suggested won't help anything in this situation, as the traffic is still being generated.
0
 
LVL 1

Author Comment

by:RickWillkins
ID: 6921099
The traffic is a reason not to do the bogus routes. I'm trying to minimize traffic and, for lack of a better term, I'll use one from my radio days: crosstalk.

I'll try this stuff out.

Rick
0
 
LVL 2

Expert Comment

by:jbunting
ID: 6921207
Yes, that's what I was saying. Making the bogus routes was thinking along the lines of just preventing a particular client from accessing a particular NIC and perhaps a particular service bound to that NIC.

A switch will help some with the traffic without having to subnet. You'll still have broadcast traffic that will go everywhere. The non-broadcast traffic will be limited to a particular department. The server won't use the individual NICs to respond unless subnetted, but whichever one is the default gateway. The switch should direct the traffic to the correct hub, however. A combination of subnetting and a switch will yield you the best results.
0
 

Expert Comment

by:quirkyquirky
ID: 7299524
0
 

Expert Comment

by:ComTech
ID: 7300334
This person has been suspended for multiple violations of the Member Agreement, and will reject the proposed answer, and return your question to the Active Questions List.
 
Thank you,
ComTech
CS Admin @ EE
0
 

Expert Comment

by:CleanupPing
ID: 9160146
RickWillkins:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 1

Author Comment

by:RickWillkins
ID: 9170228
I split the points equally, with the exception of jbunting, as he offered the most in the way of quantity.
I never did get this resolved; the owner of the company folded up shop and left folks hanging in the breeze.
0
