Restrict NT NIC to only allow certain IP addresses?

Running Windows NT4 SP6a, I would like to find a way to allow only certain IP addresses to communicate with a certain NIC in the machine (I have 3).
Other than the subnet mask, any ideas?

Thanks,

Rick
0
Asked: RickWillkins
5 Solutions
 
jbuntingCommented:
How about a router and/or firewall? You don't give any details about what you're trying to accomplish.

0
 
amoisantCommented:
Unfortunately, with NT you cannot do this; by enabling Advanced Security on your NIC you can stop access to certain ports but not IP addresses.
0
 
RickWillkinsAuthor Commented:
I am rejecting simply because at this point I'd like to hear some more suggestions/ideas about this.

I have a firewall and a router; however, I'm trying to block certain NICs from getting traffic from all but certain nodes in this network.

I know I can subnet them, but unless I'm wrong, subnetting can only pass IPs inside ranges like:

.1 - .8, .1 - .128, but cannot allow ranges like, say, .24 to .64 while excluding even .1 to .23. Am I correct in this?
0
 
andyalderCommented:
You could block them with ISA Server, or there is the unbelievably messy bodge of adding false static ARP entries so the server can't respond. A VLAN switch is the neatest way.
0
 
jbuntingCommented:
Yes, if you subnet you'll need to allow a contiguous block of addresses; you can't pick and choose.

You could make persistent static routes that go nowhere for those certain IPs you wish to block. Traffic would still get to the server, but any server response wouldn't get back to the initiating host. If you've got a lot of addresses to block this could be cumbersome, but for a handful it would probably work fine.
0
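As an added illustration of the subnetting point above (this is not code from the thread, and the 192.168.1.x addresses are constructed), the standard-library check below shows why a range such as .24 to .64 or .12 to .22 cannot be expressed with a single subnet mask, and how many unwanted hosts the smallest single subnet covering it would still admit:

```python
"""Subnet math behind the thread's question.

A subnet mask can only describe a contiguous, power-of-two sized block
aligned to its size. This shows what that means for arbitrary ranges.
Standard library only; sample addresses are constructed.
"""
import ipaddress


def exact_blocks(first: str, last: str) -> list:
    """Minimal set of CIDR blocks that cover exactly first..last.
    The range fits one subnet mask only if this returns a single block."""
    rng = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(net) for net in rng]


def smallest_covering_subnet(first: str, last: str) -> str:
    """Smallest single network containing both first and last; it usually
    also contains addresses below and above the wanted range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:          # widen the mask one bit at a time
        net = net.supernet()
    return str(net)


def unwanted_hosts(first: str, last: str) -> list:
    """Usable host addresses the covering subnet admits that lie outside
    first..last, i.e. the hosts a mask alone cannot keep out."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(smallest_covering_subnet(first, last))
    return [str(h) for h in net.hosts() if h < lo or h > hi]


if __name__ == "__main__":
    for first, last in (("192.168.1.24", "192.168.1.64"),
                        ("192.168.1.12", "192.168.1.22")):
        print(f"{first}-{last}: exact blocks {exact_blocks(first, last)}")
        print(f"  smallest single subnet {smallest_covering_subnet(first, last)}"
              f" also admits {len(unwanted_hosts(first, last))} unwanted hosts")
```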
 
RickWillkinsAuthor Commented:
I'd like to allow a block, like say from .12 to .22, but is there a way to block addresses BELOW the range as well as above?
0
 
cfarcaCommented:
What you would like to do, if I understand correctly, is delegate network traffic from your network to all 3 NICs of your server, in order to split server access from your client PCs across all 3 of its NICs.
On an NT4 server, the only way to obtain this result is to subnet your network into 3 subnets, assign each NIC of your server to one of those subnets, and likewise one third of your client PCs. Your server will become a multihomed server, serving 3 subnets at the same time.
Hope this will help, Chris.
0
 
UkWizardCommented:
As a cheat, you could create a route for each client's IP address on the server pointing to a non-valid entry.
Example: to prevent 192.168.1.25 from accessing your server, which may be on 192.168.1.1.

Put a route on the box like so:

route add 192.168.1.25 mask 255.255.255.255 192.168.1.1

That way, the server will try to reply to this client back to itself and thus it won't work, preventing access from that computer. The downside is an entry for each client, unless you used a subnet to limit the range of IP addresses.

I am sure this would work.

HOWEVER, if you are talking about connecting all 3 NICs on the server to the same cable network, I would advise against this totally.
This could grind your server to a halt, because of Microsoft's tendency for broadcasts.
Tell us why you want to do this (redundancy, load balancing); we may be able to offer a better solution, like teaming the cards together instead.


0
 
RickWillkinsAuthor Commented:
OK, the skinny is this. I have a network set up in 3 sections: Admin, Production, and a separate NIC for the servers to communicate with each other (replication, backup).

The production people are all on one LAN hub, the MIS people are all on one hub, and the servers all have a 3rd NIC connected to one hub. I'm trying to make sure all the servers communicate with each other on the hub reserved for that (hence the 192.168 subnet).

I am also trying to restrict the traffic so that the production computers ONLY talk to the servers through a specific NIC, and the MIS computers the same. When I took over this network, the wiring was a mess of spaghetti, and I'm sure there are some redundant paths from place to place. I'd like to force specific nodes, depending on their department, to communicate with a specific NIC on the server. I don't have the option of adding another subnet at this point (though that would make my life infinitely easier).


Thanks,

Rick
0
 
jbuntingCommented:
What you want to do is subnet the departments and make each respective NIC the default gateway for its department. As long as it is properly subnetted, directed traffic will only be sent over one NIC. You may also see some benefit by replacing the hubs with switches if you have the funds for that.

Without subnetting, you can't stop the traffic from being broadcast everywhere. Since you say you don't have the option to subnet, I think adding a switch would be the best solution to direct traffic.

Creating the bogus routes as I and UkWizard suggested won't help anything in this situation, as the traffic is still being generated.
0
 
RickWillkinsAuthor Commented:
The traffic is a reason not to do the bogus routes. I'm trying to minimize traffic and, for lack of a better term, I'll use one from my radio days, crosstalk.

I'll try this stuff out.

Rick
0
 
jbuntingCommented:
Yes, that's what I was saying. Making the bogus routes was thinking along the lines of just preventing a particular client from accessing a particular NIC and perhaps a particular service bound to that NIC.

A switch will help some with the traffic without having to subnet. You'll still have broadcast traffic that will go everywhere. The non-broadcast traffic will be limited to a particular department. The server won't use the individual NICs to respond unless subnetted, but whichever one is the default gateway. The switch should direct the traffic to the correct hub, however. A combination of subnetting and a switch will yield you the best results.
0
 
quirkyquirkyCommented:
0
 
ComTechCommented:
This person has been suspended for multiple violations of the Member Agreement, and will reject the proposed answer, and return your question to the Active Questions List.
 
Thank you,
ComTech
CS Admin @ EE
0
 
CleanupPingCommented:
RickWillkins:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
RickWillkinsAuthor Commented:
I split the points equally, with the exception of jbunting, as he offered the most in the way of quantity.
I never did get this resolved; the owner of the company folded up shop and left folks hanging in the breeze.
0