Gateway Port Redirection, ACL, RRAS, DHCP, DNS

Last response: in Networking
April 12, 2011 5:39:20 PM

Hello,

I have a Windows Server 2003 machine serving as a gateway, dhcp and dns server.

RRAS is set up on this system and many clients are using the internet via it.

I am trying to set up a MAC-based filter that will allow only specific clients to use the internet.

Other clients must also be able to connect to this gateway but when they browse internet, my gateway should throw a custom webpage (alerting them that they are not allowed to use internet). Those clients should be redirected to a specific port on my server running webserver.

I googled a lot but couldn't find a possible way to make this work.

I have seen this behaviour in some WiMAX routers (other devices might have it too).

Is this possible in Windows at all?
April 14, 2011 7:40:29 PM

experts? pros? hello?
April 14, 2011 10:08:03 PM

I'll bite (since I’m not sure anyone else will).

To be honest, I haven't used RRAS in probably 10 years, so my knowledge of it specifically is very limited. That said, on the face of it, trying to control your users based on the MAC address doesn’t seem like the right approach.

If I understand you correctly, users should have access to that machine generally, but be controlled in terms of Internet access specifically. The problem with controlling this at the MAC level is that what you’ve described is a routing issue, not an access issue. The MAC works at the ethernet level (layer 2) and is only involved tangentially w/ IP, namely DHCP (IP configuration). At best, you can either deny IP access completely (and by extension, no IP routing), or allow IP access (i.e., and by extension, IP routing) w/ a specific IP configuration. IOW, all or nothing. That’s why MAC filtering is really a function of DHCP, not the firewall. And thus trying to use MAC filtering for your purposes (even if it was supported) just doesn’t make sense. Instead, you should be controlling your users at the IP level (layer 3), specifically via the firewall.

Again, I haven’t used RRAS in years, but I’d be surprised if there weren’t at least some controls at the IP level for controlling access to the Internet. Then again, RRAS has been around for ages and has long since been supplanted by IAS (that certainly supports IP filtering).

A word of caution. Since I don’t know your environment, I don’t know if we’re talking about trusted or untrusted users. What I mean is, since it’s relatively easy for a savvy user to circumvent MAC or IP filtering, you have to keep in mind that all of this assumes that either your users are trusted and would not intentionally try to circumvent your controls, OR, if they can’t be trusted, you’ve locked down their PCs/laptops such that they can’t spoof their MAC address or manually alter their IP configurations.

Frankly, there are probably better approaches anyway, such as keeping those with and without permission to access the Internet on different networks, perhaps sharing the same server, a server that’s connected on both networks w/ separate network adapters. Obviously I can’t provide a comprehensive alternative based on so little information, but if I was your paid consultant, these are the kinds of things I’d be investigating as I got to better understand your needs. Sometimes the right solution involves more/better hardware rather than trying to force what you currently have to “fit”.

Anyway, just some thoughts.
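The reply's central point, that the MAC address can only steer the DHCP lease while the actual "who gets to the Internet" decision belongs to layer-3 rules on the gateway, is easier to see as a small model. The following Python is an added illustration written for this page; it is not code from the thread, from RRAS, or from any Windows component. It assumes two constructed DHCP scopes on one /24, a constructed MAC allow-list, and a hypothetical local web server on port 8080 that serves the "not allowed" page; all addresses and MACs are sample values. Clients in the allowed scope are forwarded, clients in the restricted scope get plain HTTP rewritten to the portal port and everything else dropped, and the gateway itself stays reachable to all so DHCP, DNS and the portal page still work. As the reply warns, this only holds while clients keep the address DHCP gave them.

```python
"""Gateway policy model: MAC-keyed DHCP scope selection, then IP-level
forwarding rules with a captive-portal redirect for the restricted scope.
Added example; every address, MAC and port below is a constructed value."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

GATEWAY_IP = ip_address("192.168.1.1")   # assumed gateway address
PORTAL_PORT = 8080                        # hypothetical local web server port

# Constructed MAC allow-list: only these clients lease from the Internet scope.
ALLOWED_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}

INTERNET_SCOPE = ip_network("192.168.1.0/25")     # .1  - .126
RESTRICTED_SCOPE = ip_network("192.168.1.128/25")  # .129 - .254


def assign_scope(mac: str) -> IPv4Network:
    """Layer-2 decision: DHCP picks a scope by MAC. This is the full extent
    of what a MAC-based control can do; it never sees destination traffic."""
    return INTERNET_SCOPE if mac.lower() in ALLOWED_MACS else RESTRICTED_SCOPE


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str                       # "forward", "redirect" or "drop"
    new_dst: Optional[str] = None     # set only for "redirect"
    new_dport: Optional[int] = None


def route(pkt: Packet) -> Verdict:
    """Layer-3 decision: the firewall, keyed on source IP, decides what
    crosses the gateway. The MAC plays no part here."""
    src = ip_address(pkt.src)
    dst = ip_address(pkt.dst)

    # Every client may talk to the gateway itself (DHCP, DNS, the portal page).
    if dst == GATEWAY_IP:
        return Verdict("forward")

    if src in INTERNET_SCOPE:
        return Verdict("forward")

    if src in RESTRICTED_SCOPE:
        # Captive-portal style rewrite: outbound HTTP lands on the portal.
        if pkt.proto == "tcp" and pkt.dport == 80:
            return Verdict("redirect", str(GATEWAY_IP), PORTAL_PORT)
        # HTTPS and anything else cannot be rewritten cleanly, so fail closed.
        return Verdict("drop")

    # Source outside both scopes (e.g. a statically configured address): drop.
    return Verdict("drop")


if __name__ == "__main__":
    sample = [
        ("00:11:22:33:44:55", Packet("192.168.1.10", "203.0.113.5", "tcp", 443)),
        ("de:ad:be:ef:00:01", Packet("192.168.1.200", "203.0.113.5", "tcp", 80)),
        ("de:ad:be:ef:00:01", Packet("192.168.1.200", "203.0.113.5", "tcp", 443)),
        ("de:ad:be:ef:00:01", Packet("192.168.1.200", "192.168.1.1", "udp", 53)),
    ]
    for mac, pkt in sample:
        print(mac, assign_scope(mac), pkt.dst, pkt.dport, "->", route(pkt))
```

The point of the two functions is the split the reply describes: `assign_scope` is the only place the MAC matters, and it yields nothing finer than "which address pool"; every per-destination decision lives in `route`, which is where a real gateway's IP filter or NAT rule would be configured.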