System is Windows Server 2003.
I want to use the RRAS outbound filter to limit web access for selected
clients.
I have two NIC's, one Internet-facing configured in RRAS for NAT and one
LAN-facing. DHCP assigns reserved addresses to all LAN clients based on
MAC. I group "Internet-allowed" clients in one net block and the rest in
another. The internal network in 10.44.0.0/16. Allowed clients are in
10.44.7.0/255.
Outbound filters is set to "Drop all packets except those that meet the
criteria below". I have 3 outbound filter rules:
10.44.1.0/24 to any (allow server access to Internet)
10.44.7.0/24 to any (allow privileged clients access to Internet)
192.168.1.0/24 to any (allow outbound NIC access)
I tried to add a rule to allow other stations access to Microsoft for
Windows Updates but they lose all access, including to MS, when I move
them out of 10.44.7.0/24.
any to 207.46.0.0/16
(I attempt to ping to a known update.microsoft.com address within this
block and I just get a timeout. Telnet to port 80 also times out with no
connection, in case that server ignores pings.)
My feeling is that the RRAS snapin is showing the correct rule, but it's
not getting installed in the actual packet filter. I recall having a
similar problem 2 years ago when I first set this server up and I had to
delete all RRAS settings and recreate it from scratch to add a new filter
rule. Are there known issues "pushing" rules down into the kernel?
My own router is a Linux box and I'm very comfortable with the
flexibility and logging of iptables. I'm regretting chosing Win2003 for
this client as the GUI does not make things easier. It just makes
failures harder to diagnose.
|
Similar Threads
Linear Mode
