How to restrict web browsing on nat server

Posted on 2006-05-29
Last Modified: 2010-04-12
Hello Expert,

I need to restrict bandwidth usage on my network, hence only email, secure websites and VPN connection should be allowed.
I read a response by robwil, "Restrictions of Internet Access on my router". Can this be applied to a Windows 2000 NAT server acting as a router?

Not too sure I understand how to create a service, but I will provide an example of my understanding. Please correct if wrong.

creating a service for l2tp vpn

service = vpn(port 1701)
action = allow always

Question by:jomfra
    LVL 77

    Expert Comment

    by:Rob Williams
    Hi jomfra. With many routers it is pretty hard to gain total control, especially with chat programs, but you can certainly block a lot of the unwanted traffic. What make and model router are you using? Perhaps I can give you some specific suggestions.
    Also, what type of VPN connection are you using? 1701 would imply L2TP. Is this terminated on the router or on a VPN server behind the router, such as a Windows VPN server?

    Author Comment

    Hello Robwil,

    I am not using a hardware router.
    I am trying to see if Windows 2000 NAT server can block unwanted
    the VPN connection related in the question is just an example.
    This layout is a test layout. I have three computers connected to a Windows 2000 NAT server and I am testing to see if I can control access only to email and secure web sites.
    My apology. Ignore the VPN example.
    The only two items that should pass through the NAT server are
    (1) emails
    (2) access to secure web sites.

    Remember I am using a 2000 server with NAT configured as my gateway to the Internet.

    LVL 77

    Accepted Solution

    Must say I haven't done it this way, but probably your best option with 2000 is to use the built-in filtering capability. Go to:
    Control Panel | Network Connections | right-click on the WAN adapter and choose Properties | Internet Protocol - TCP/IP properties | Advanced | Options | Properties
    Here you can set your filtering rules. You don't need to check the "enable TCP/IP filtering all adapters" as you won't want to filter any traffic between the PCs and the server, just the server and the Internet. As a matter of fact it will switch on by default; make sure you disable (un-check) it before applying. Also, it is probably best to leave "IP protocols" set to permit all, at least for now. Then check "Permit only" for TCP and UDP ports and enter the services you wish to enable. You will need port 53 for DNS, 110 for receiving POP mail, possibly 110 for SMTP sending e-mail, and 443 for secure web sites. If you use Exchange or other mail services these ports may be different. It may take a little fiddling, as sometimes additional services that are not apparent are needed, such as 53 DNS.

    Following is rather vague but explains the basics:
    LVL 77

    Expert Comment

    by:Rob Williams
    Thanks jomfra,
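
An added example, not part of the original thread: a small Python check to run from a PC behind the NAT server after applying the filter, confirming that the TCP ports named in the answer pass and plain HTTP does not. The host names are placeholder assumptions; substitute the mail and web servers you actually use.

```python
import socket

# Expected policy, built from the ports named in the answer above.
# Hosts are placeholders (assumption): replace with servers you really use.
# Each entry: (host, tcp_port, should_be_reachable)
EXPECTED = [
    ("pop.example.com", 110, True),    # receiving POP mail
    ("www.example.com", 443, True),    # secure web sites
    ("www.example.com", 80, False),    # plain HTTP should be filtered
]


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes.

    A name-resolution failure also returns False, which is what a
    client sees when DNS (port 53) is not permitted through the server.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or DNS failure
        return False


def audit(policy, probe=tcp_reachable):
    """Probe every policy entry and return the entries that disagree.

    Result items are (host, port, expected, observed); an empty list
    means the filter behaves as the policy says it should.
    """
    mismatches = []
    for host, port, expected in policy:
        observed = probe(host, port)
        if observed != expected:
            mismatches.append((host, port, expected, observed))
    return mismatches


if __name__ == "__main__":
    problems = audit(EXPECTED)
    for host, port, expected, observed in problems:
        want = "reachable" if expected else "blocked"
        got = "reachable" if observed else "blocked"
        print(f"MISMATCH {host}:{port} expected {want}, observed {got}")
    if not problems:
        print("Filter matches the expected policy.")
```

Any mismatch line means the filter list needs another pass, for example a permitted port that is still missing or a blocked service that still gets through.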
