Newbie sysadmin - How can I stop certain computers from accessing the internet?

scauffiel

Senior member
I've got two servers, the first (Tatooine) is running Win2K Server, AD, and Exchange 2000 (DNS, DHCP, and WINS too); the second (Coruscant) is a Win2003 Server machine running SQL 2000 and acts as our file and print server. How can I stop certain computers from accessing the internet? The network is connected to the internet via a NetGear RP114 router and its options are limited. Go easy on the n00b... 😀 Is there a way (explained fairly simply) to stop access from certain computers?

Thanks for the help,
Steve
 
Even the most basic routers usually have an option that can prevent certain computers from accessing the internet. My $60 D-Link router even has that option. Unfortunately I'm not familiar with your router but you should have an option to filter computers that you don't want to have internet access either by MAC address or IP address, or something along those lines...RTFM for your router...you should be able to find out if it can do what you are looking for.
 
Originally posted by: groovin
kill tcp/ip protocol on the machines... =)


He didn't say he wanted to kill their network access too! 🙂

One way I've done it in the past is to put a fake gateway in their TCP/IP setting. Or you could put a bogus DNS IP as well.

Either way no internet for them!




 
Every router I've set up has had a MAC filter to allow/prohibit access to the Internet, so it should be trivial to not allow them access.
 
DNS needs to be there if you want AD to work properly.

Block their MAC addresses at the router or if your entire network is the same subnet, just remove the default gateway settings from the machines.
 
MAC filtering would be the easiest, or just block Port 80 for whatever IP you don't want to access the net, but that would require you to use a "dynamic/static" setup.
 
I'm going to go with the DHCP route...

For specific MAC entries of the machines that you want to GIVE access to the internet to:

1) Don't let the users have Administrative rights on the PCs or Domain
2) when you set the reserved DHCP leases for the MACs that you DO want to access the internet, specify a default gateway as well.
3) By default, do NOT specify a default gateway (this is the most secure option) in your standard or default DHCP leases
4) Put your router on a different IP after you make the changes (of course, the CORRECT address.. (=)

It's still possible to push packets outside of your network unless the router has good ACL control; however, this will keep the honest people honest. (=
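
The DHCP steps in the post above, sketched as `netsh dhcp` commands for the Windows DHCP server (an added example, not part of the original post). The scope, router address, reserved IP, MAC and names are constructed placeholders.

```batch
REM Added example: every address, MAC and name below is a constructed placeholder.
REM Run on the Windows DHCP server from an administrator command prompt.
set SCOPE=192.168.1.0
set ROUTER=192.168.1.254

REM Step 3: ordinary leases get no default gateway (DHCP option 003, Router).
REM Remove it at scope level, and at server level in case the scope inherits it.
netsh dhcp server scope %SCOPE% delete optionvalue 003
netsh dhcp server delete optionvalue 003

REM Step 2: reserve an address for a machine that IS allowed out,
REM then attach option 003 to that reservation only.
netsh dhcp server scope %SCOPE% add reservedip 192.168.1.50 00AABBCCDDEE "allowed-pc1" "internet allowed" BOTH
netsh dhcp server scope %SCOPE% set reservedoptionvalue 192.168.1.50 003 IPADDRESS %ROUTER%

REM Check: the scope should list no option 003, the reservation should list it.
netsh dhcp server scope %SCOPE% show optionvalue
netsh dhcp server scope %SCOPE% show reservedoptionvalue 192.168.1.50

REM On each client: "ipconfig /renew", then "ipconfig /all".
REM Restricted machines should show an empty Default Gateway.
```

As the post notes, this only holds if users lack administrative rights (step 1), since the gateway is a client-side setting; filtering at the router is what enforces it.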

 