mac filter on NAT router (not DHCP server role)

Hello,

I have a Windows 2003 server set up to act as a NAT router for a private
network. I also set it up to assign IPs to the different clients in the
network (this is done by the NAT router, not by a separate DHCP server
role).

Is there any way to do mac filtering on that network?

I know of the callout dll
()
but this interacts with a DHCP server role. It doesn't seem to do anything
when it comes to the DHCP feature from the NAT router.

Yves

 

"Yves Dhondt" <yves.dhondt@gmail.com> wrote in message
news:uEyX0bDQKHA.4568@TK2MSFTNGP06.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> Hello,
>
> I have a Windows 2003 server set up to act as a NAT router for a private
> network. I also set it up to assign IPs to the different clients in the
> network (this is done by the NAT router, not by a separate DHCP server
> role).
>
> Is there any way to do mac filtering on that network?
>
> I know of the callout dll
> ()
> but this interacts with a DHCP server role. It doesn't seem to do anything
> when it comes to the DHCP feature from the NAT router.
>
> Yves<!--colorc--><!--/colorc-->


I'm confused with your post. You say you've configured a Windows box as a
NAT server, and this is assuming you've correctly configured it by adding
the RRAS role, then adding the NAT feature, and defined which interface is
internal, and which interface is external.

However, you satat that DHCP is done by the NAT router. Is this another
machine or device (such as your firewall/router) providing DHCP?

Or are you saying you've configured the Windows machine with ICS, which is
basically Internet Connection Sharing?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
for regional support phone numbers.

 

"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:e%23Q7GSEQKHA.4244@TK2MSFTNGP06.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> "Yves Dhondt" <yves.dhondt@gmail.com> wrote in message
> news:uEyX0bDQKHA.4568@TK2MSFTNGP06.phx.gbl...<!--coloro:green--><span style="color:green <!--/coloro-->
>> Hello,
>>
>> I have a Windows 2003 server set up to act as a NAT router for a private
>> network. I also set it up to assign IPs to the different clients in the
>> network (this is done by the NAT router, not by a separate DHCP server
>> role).
>>
>> Is there any way to do mac filtering on that network?
>>
>> I know of the callout dll
>> ()
>> but this interacts with a DHCP server role. It doesn't seem to do
>> anything when it comes to the DHCP feature from the NAT router.
>>
>> Yves<!--colorc--><!--/colorc-->
>
>
> I'm confused with your post. You say you've configured a Windows box as a
> NAT server, and this is assuming you've correctly configured it by adding
> the RRAS role, then adding the NAT feature, and defined which interface is
> internal, and which interface is external.
>
> However, you satat that DHCP is done by the NAT router. Is this another
> machine or device (such as your firewall/router) providing DHCP?
>
> Or are you saying you've configured the Windows machine with ICS, which is
> basically Internet Connection Sharing?
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
> Messaging
> Microsoft Certified Trainer
>
> For urgent issues, please contact Microsoft PSS directly. Please check
> for regional support phone numbers.
><!--colorc--><!--/colorc-->

Sorry for not being clear.

I used the RRAS role then added the NAT feature, and defined which interface
is on which side. On the NAT/Basic Firewall, I did set the following
options:

Address Assignment tab:
Automatically assign IP addresses by using the DHCP allocator => checked
IP-address: 192.168.0.1
Mask: 255.255.255.0

Name Resolution:
Clients using Domain Name System (DNS) => checked

So that is what I mean by the NAT doing the DHCP. This setup works fine,
newly added machines to my internal network do get an IP in the 192.168.0.*
range.

What I would like to do is mac filtering on my internal network. The only
information I could find online regarding mac filtering was the callout dll
mentioned earlier. However, that one seems to work with a DHCP role only (it
doesn't even install when there is no DHCP role). So I was wondering if it
was possible to make it work with my setup or if there is an alternative way
to go.

The alternative that comes to mind is to disable "automatically assign IP
addresses by using the DHCP allocator" on the RRAS role. Then I could add a
DHCP role, and bind it to the network card used by my internal network. But
it seems wrong to add an extra DHCP server role if the RRAS role already
supports it.

Yves

 

"Yves Dhondt" <yves.dhondt@gmail.com> wrote in message
news:%23aOf$iEQKHA.4028@TK2MSFTNGP05.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
>
> "Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
> news:e%23Q7GSEQKHA.4244@TK2MSFTNGP06.phx.gbl...<!--coloro:green--><span style="color:green <!--/coloro-->
>> "Yves Dhondt" <yves.dhondt@gmail.com> wrote in message
>> news:uEyX0bDQKHA.4568@TK2MSFTNGP06.phx.gbl...<!--coloro:darkred--><span style="color:darkred <!--/coloro-->
>>> Hello,
>>>
>>> I have a Windows 2003 server set up to act as a NAT router for a private
>>> network. I also set it up to assign IPs to the different clients in the
>>> network (this is done by the NAT router, not by a separate DHCP server
>>> role).
>>>
>>> Is there any way to do mac filtering on that network?
>>>
>>> I know of the callout dll
>>> ()
>>> but this interacts with a DHCP server role. It doesn't seem to do
>>> anything when it comes to the DHCP feature from the NAT router.
>>>
>>> Yves<!--colorc--><!--/colorc-->
>>
>>
>> I'm confused with your post. You say you've configured a Windows box as a
>> NAT server, and this is assuming you've correctly configured it by adding
>> the RRAS role, then adding the NAT feature, and defined which interface
>> is internal, and which interface is external.
>>
>> However, you satat that DHCP is done by the NAT router. Is this another
>> machine or device (such as your firewall/router) providing DHCP?
>>
>> Or are you saying you've configured the Windows machine with ICS, which
>> is basically Internet Connection Sharing?
>>
>>
>> --
>> Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Please reply back to the newsgroup or forum for collaboration benefit
>> among responding engineers, and to help others benefit from your
>> resolution.
>>
>> Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
>> Messaging
>> Microsoft Certified Trainer
>>
>> For urgent issues, please contact Microsoft PSS directly. Please check
>> for regional support phone numbers.
>><!--colorc--><!--/colorc-->
>
> Sorry for not being clear.
>
> I used the RRAS role then added the NAT feature, and defined which
> interface is on which side. On the NAT/Basic Firewall, I did set the
> following options:
>
> Address Assignment tab:
> Automatically assign IP addresses by using the DHCP allocator => checked
> IP-address: 192.168.0.1
> Mask: 255.255.255.0
>
> Name Resolution:
> Clients using Domain Name System (DNS) => checked
>
> So that is what I mean by the NAT doing the DHCP. This setup works fine,
> newly added machines to my internal network do get an IP in the
> 192.168.0.* range.
>
> What I would like to do is mac filtering on my internal network. The only
> information I could find online regarding mac filtering was the callout
> dll mentioned earlier. However, that one seems to work with a DHCP role
> only (it doesn't even install when there is no DHCP role). So I was
> wondering if it was possible to make it work with my setup or if there is
> an alternative way to go.
>
> The alternative that comes to mind is to disable "automatically assign IP
> addresses by using the DHCP allocator" on the RRAS role. Then I could add
> a DHCP role, and bind it to the network card used by my internal network.
> But it seems wrong to add an extra DHCP server role if the RRAS role
> already supports it.
>
> Yves
><!--colorc--><!--/colorc-->


Thank you, I think that's a little clearer. If I understand you correctly,
the DHCP "Allocator" under RRAS properties (assuming that's where you mean),
is meant for RRAS clients, not internal clients. Normally we install DHCP
services on a server, and in your case, on this server, setup the internal
scope, then configure Option 003 as the router address, Option 006 as only
the internal DNS server (your domain controller, whichever that is),Option
015 as the internal domain name, etc, and RRAS will pull IP addresses for
RRAS clients.

Was that how you configured your machine?
Is this machine a domain controller?

Ace

 

"Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:OpFA6YFQKHA.3540@TK2MSFTNGP04.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
> "Yves Dhondt" <yves.dhondt@gmail.com> wrote in message
> news:%23aOf$iEQKHA.4028@TK2MSFTNGP05.phx.gbl...<!--coloro:green--><span style="color:green <!--/coloro-->
>>
>> "Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
>> news:e%23Q7GSEQKHA.4244@TK2MSFTNGP06.phx.gbl...<!--coloro:darkred--><span style="color:darkred <!--/coloro-->
>>> "Yves Dhondt" <yves.dhondt@gmail.com> wrote in message
>>> news:uEyX0bDQKHA.4568@TK2MSFTNGP06.phx.gbl...
>>>> Hello,
>>>>
>>>> I have a Windows 2003 server set up to act as a NAT router for a
>>>> private network. I also set it up to assign IPs to the different
>>>> clients in the network (this is done by the NAT router, not by a
>>>> separate DHCP server role).
>>>>
>>>> Is there any way to do mac filtering on that network?
>>>>
>>>> I know of the callout dll
>>>> ()
>>>> but this interacts with a DHCP server role. It doesn't seem to do
>>>> anything when it comes to the DHCP feature from the NAT router.
>>>>
>>>> Yves
>>>
>>>
>>> I'm confused with your post. You say you've configured a Windows box as
>>> a NAT server, and this is assuming you've correctly configured it by
>>> adding the RRAS role, then adding the NAT feature, and defined which
>>> interface is internal, and which interface is external.
>>>
>>> However, you satat that DHCP is done by the NAT router. Is this another
>>> machine or device (such as your firewall/router) providing DHCP?
>>>
>>> Or are you saying you've configured the Windows machine with ICS, which
>>> is basically Internet Connection Sharing?
>>>
>>>
>>> --
>>> Ace
>>>
>>> This posting is provided "AS-IS" with no warranties or guarantees and
>>> confers no rights.
>>>
>>> Please reply back to the newsgroup or forum for collaboration benefit
>>> among responding engineers, and to help others benefit from your
>>> resolution.
>>>
>>> Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
>>> Messaging
>>> Microsoft Certified Trainer
>>>
>>> For urgent issues, please contact Microsoft PSS directly. Please check
>>> for regional support phone numbers.
>>><!--colorc--><!--/colorc-->
>>
>> Sorry for not being clear.
>>
>> I used the RRAS role then added the NAT feature, and defined which
>> interface is on which side. On the NAT/Basic Firewall, I did set the
>> following options:
>>
>> Address Assignment tab:
>> Automatically assign IP addresses by using the DHCP allocator =>
>> checked
>> IP-address: 192.168.0.1
>> Mask: 255.255.255.0
>>
>> Name Resolution:
>> Clients using Domain Name System (DNS) => checked
>>
>> So that is what I mean by the NAT doing the DHCP. This setup works fine,
>> newly added machines to my internal network do get an IP in the
>> 192.168.0.* range.
>>
>> What I would like to do is mac filtering on my internal network. The only
>> information I could find online regarding mac filtering was the callout
>> dll mentioned earlier. However, that one seems to work with a DHCP role
>> only (it doesn't even install when there is no DHCP role). So I was
>> wondering if it was possible to make it work with my setup or if there is
>> an alternative way to go.
>>
>> The alternative that comes to mind is to disable "automatically assign IP
>> addresses by using the DHCP allocator" on the RRAS role. Then I could add
>> a DHCP role, and bind it to the network card used by my internal network.
>> But it seems wrong to add an extra DHCP server role if the RRAS role
>> already supports it.
>>
>> Yves
>><!--colorc--><!--/colorc-->
>
>
> Thank you, I think that's a little clearer. If I understand you correctly,
> the DHCP "Allocator" under RRAS properties (assuming that's where you
> mean), is meant for RRAS clients, not internal clients. Normally we
> install DHCP services on a server, and in your case, on this server, setup
> the internal scope, then configure Option 003 as the router address,
> Option 006 as only the internal DNS server (your domain controller,
> whichever that is),Option 015 as the internal domain name, etc, and RRAS
> will pull IP addresses for RRAS clients.
>
> Was that how you configured your machine?
> Is this machine a domain controller?
>
> Ace
><!--colorc--><!--/colorc-->

That was indeed what I had. I didn't know that RRAS clients were actually
different.

It seems I'm taking the wrong approach to the problem and making it overly
complex. All I wanted to do was create a separate network for wireless
clients. They need to be connected through our regular network to be able to
reach the internet. I'm thinking that if I just run a DHCP role on the one
NIC for providing the IPs to the wireless devices, I can probably create a
link to the second NIC. At least I'm going to give that a try tomorrow.

Thanks for the info on RRAS.

Yves

 

"Yves Dhondt" <yves.dhondt@gmail.com> wrote in message
news:u9w8BOHQKHA.4568@TK2MSFTNGP06.phx.gbl...<!--coloro:blue--><span style="color:blue <!--/coloro-->
>
> "Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
> news:OpFA6YFQKHA.3540@TK2MSFTNGP04.phx.gbl...<!--coloro:green--><span style="color:green <!--/coloro-->
>> "Yves Dhondt" <yves.dhondt@gmail.com> wrote in message
>> news:%23aOf$iEQKHA.4028@TK2MSFTNGP05.phx.gbl...<!--coloro:darkred--><span style="color:darkred <!--/coloro-->
>>>
>>> "Ace Fekay [MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
>>> news:e%23Q7GSEQKHA.4244@TK2MSFTNGP06.phx.gbl...
>>>> "Yves Dhondt" <yves.dhondt@gmail.com> wrote in message
>>>> news:uEyX0bDQKHA.4568@TK2MSFTNGP06.phx.gbl...
>>>>> Hello,
>>>>>
>>>>> I have a Windows 2003 server set up to act as a NAT router for a
>>>>> private network. I also set it up to assign IPs to the different
>>>>> clients in the network (this is done by the NAT router, not by a
>>>>> separate DHCP server role).
>>>>>
>>>>> Is there any way to do mac filtering on that network?
>>>>>
>>>>> I know of the callout dll
>>>>> ()
>>>>> but this interacts with a DHCP server role. It doesn't seem to do
>>>>> anything when it comes to the DHCP feature from the NAT router.
>>>>>
>>>>> Yves
>>>>
>>>>
>>>> I'm confused with your post. You say you've configured a Windows box as
>>>> a NAT server, and this is assuming you've correctly configured it by
>>>> adding the RRAS role, then adding the NAT feature, and defined which
>>>> interface is internal, and which interface is external.
>>>>
>>>> However, you satat that DHCP is done by the NAT router. Is this another
>>>> machine or device (such as your firewall/router) providing DHCP?
>>>>
>>>> Or are you saying you've configured the Windows machine with ICS, which
>>>> is basically Internet Connection Sharing?
>>>>
>>>>
>>>> --
>>>> Ace
>>>>
>>>> This posting is provided "AS-IS" with no warranties or guarantees and
>>>> confers no rights.
>>>>
>>>> Please reply back to the newsgroup or forum for collaboration benefit
>>>> among responding engineers, and to help others benefit from your
>>>> resolution.
>>>>
>>>> Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
>>>> Messaging
>>>> Microsoft Certified Trainer
>>>>
>>>> For urgent issues, please contact Microsoft PSS directly. Please check
>>>> for regional support phone numbers.
>>>>
>>>
>>> Sorry for not being clear.
>>>
>>> I used the RRAS role then added the NAT feature, and defined which
>>> interface is on which side. On the NAT/Basic Firewall, I did set the
>>> following options:
>>>
>>> Address Assignment tab:
>>> Automatically assign IP addresses by using the DHCP allocator =>
>>> checked
>>> IP-address: 192.168.0.1
>>> Mask: 255.255.255.0
>>>
>>> Name Resolution:
>>> Clients using Domain Name System (DNS) => checked
>>>
>>> So that is what I mean by the NAT doing the DHCP. This setup works fine,
>>> newly added machines to my internal network do get an IP in the
>>> 192.168.0.* range.
>>>
>>> What I would like to do is mac filtering on my internal network. The
>>> only information I could find online regarding mac filtering was the
>>> callout dll mentioned earlier. However, that one seems to work with a
>>> DHCP role only (it doesn't even install when there is no DHCP role). So
>>> I was wondering if it was possible to make it work with my setup or if
>>> there is an alternative way to go.
>>>
>>> The alternative that comes to mind is to disable "automatically assign
>>> IP addresses by using the DHCP allocator" on the RRAS role. Then I could
>>> add a DHCP role, and bind it to the network card used by my internal
>>> network. But it seems wrong to add an extra DHCP server role if the RRAS
>>> role already supports it.
>>>
>>> Yves
>>><!--colorc--><!--/colorc-->
>>
>>
>> Thank you, I think that's a little clearer. If I understand you
>> correctly, the DHCP "Allocator" under RRAS properties (assuming that's
>> where you mean), is meant for RRAS clients, not internal clients.
>> Normally we install DHCP services on a server, and in your case, on this
>> server, setup the internal scope, then configure Option 003 as the router
>> address, Option 006 as only the internal DNS server (your domain
>> controller, whichever that is),Option 015 as the internal domain name,
>> etc, and RRAS will pull IP addresses for RRAS clients.
>>
>> Was that how you configured your machine?
>> Is this machine a domain controller?
>>
>> Ace
>><!--colorc--><!--/colorc-->
>
> That was indeed what I had. I didn't know that RRAS clients were actually
> different.
>
> It seems I'm taking the wrong approach to the problem and making it overly
> complex. All I wanted to do was create a separate network for wireless
> clients. They need to be connected through our regular network to be able
> to reach the internet. I'm thinking that if I just run a DHCP role on the
> one NIC for providing the IPs to the wireless devices, I can probably
> create a link to the second NIC. At least I'm going to give that a try
> tomorrow.
>
> Thanks for the info on RRAS.
>
> Yves
><!--colorc--><!--/colorc-->


No problem.

Keep in mind, that you simply install NAT under RRAS, make sure DHCP is
working internally. As for wireless, you setup an AP in "corporate" mode or
in "access Point mode" if those are available. If not, such as a Linksys
wireless router, what I've done is simply plugged a wire into oen of the LAN
ports then connected it to the office switch. Then log into it using the
default IP, for the LAN interface, give it a static IP outside of the DHCP
scope range, then set your wireless security. By the mere fact it is plugged
into the switch this way, it will allow your clients to get an IP from your
DHCP server.

This should help explain NAT a little better.

How to configure Network Address Translation in Windows Server 2003How to
configure Network Address Translation in Windows Server 2003. View products
that this article applies to. For a Microsoft Windows 2000 version of ...



Ace