
I'm trying to develop a DHCP enforcement extension like Microsoft NAP. My trick to block dynamic-IP requesting machines (that don't meet certain policy) is to strip the default gateway (no default gateway) stated in the IP lease and set the lease subnet mask to 255.255.255.255.

Now I need the blocked machines to be able to reach some specific locations (IPs) on the network. To allow for this, I'm including some static routes in the lease. For example, I'm including 10.10.10.11 via router 10.10.10.254 (the one to which the blocked machine that needs to access 10.10.10.11 is connected).

Unfortunately, as soon as I set the default gateway to nothing, blocked machines cannot reach any of the added static routes. I also tried classless static routes.

Any ideas? Anyone know how MS NAP actually does it?

sysadmin1138
  • What is the default route? Usually represented by 0.0.0.0 –  Mar 15 '10 at 18:49
  • @eddie: this definitely smells of an IT Pro having issues (using NAP, etc.). SF is the place for this question – Zypher Mar 16 '10 at 17:50
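The lease the question describes (255.255.255.255 mask, no router option, and the permitted destinations carried as static routes in the lease) can be checked by encoding it. The following is an added example written for this page, not code from the question or from Microsoft NAP: it implements the RFC 3442 classless static route encoding (DHCP option 121) for the routes given in the question, using a router of 0.0.0.0 as the on-link convention the thread uses, and lays the option set out as DHCP TLVs. The helper names and the second route to the router itself are assumptions of the example.

```python
import ipaddress
import math

# Added example, not the question's code: RFC 3442 classless static route option
# (DHCP option code 121). Each route is encoded as
#   <prefix width (1 byte)> <significant destination octets> <router (4 bytes)>
# where only ceil(width / 8) octets of the destination are sent.

OPTION_SUBNET_MASK = 1
OPTION_ROUTER = 3
OPTION_CLASSLESS_STATIC_ROUTE = 121
OPTION_END = 255


def encode_classless_routes(routes):
    """Encode an iterable of (destination_network, router) pairs as the option 121 payload.

    A router of 0.0.0.0 follows the convention used in this thread: the
    destination is reachable on the link itself, with no gateway.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest)          # strict: host bits must be zero
        if net.version != 4:
            raise ValueError("option 121 carries IPv4 routes only")
        width = net.prefixlen
        significant = math.ceil(width / 8)        # 0 octets for the default route 0.0.0.0/0
        out.append(width)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; rejects truncated or malformed payloads."""
    routes = []
    i = 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"invalid prefix width {width}")
        significant = math.ceil(width / 8)
        dest_octets = payload[i + 1:i + 1 + significant]
        router = payload[i + 1 + significant:i + 5 + significant]
        if len(dest_octets) != significant or len(router) != 4:
            raise ValueError("truncated classless static route payload")
        dest_addr = ipaddress.IPv4Address(bytes(dest_octets) + b"\x00" * (4 - significant))
        routes.append((f"{dest_addr}/{width}", str(ipaddress.IPv4Address(bytes(router)))))
        i += 5 + significant
    return routes


def quarantine_lease_options(routes):
    """Option set for the 'blocked' lease the question describes: a /32 mask,
    no router option at all, and the permitted destinations as static routes."""
    payload = encode_classless_routes(routes)
    if len(payload) > 255:
        raise ValueError("too many routes for a single option 121 (max 255 bytes)")
    return {
        OPTION_SUBNET_MASK: bytes([255, 255, 255, 255]),
        OPTION_CLASSLESS_STATIC_ROUTE: payload,
        # OPTION_ROUTER (3) deliberately absent: no default gateway
    }


def serialize_options(options):
    """Lay the options out as DHCP TLVs (code, length, value), ending with option 255."""
    out = bytearray()
    for code, value in sorted(options.items()):
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


if __name__ == "__main__":
    # The route from the question, plus a constructed on-link (0.0.0.0) route to the router itself
    routes = [("10.10.10.11/32", "10.10.10.254"), ("10.10.10.254/32", "0.0.0.0")]
    opts = quarantine_lease_options(routes)
    print(serialize_options(opts).hex())
    print(decode_classless_routes(opts[OPTION_CLASSLESS_STATIC_ROUTE]))
```

Two details of RFC 3442 matter for this use: a client that receives option 121 must ignore option 3 entirely, and the server only sends option 121 to clients that list it in their parameter request list. Windows clients before Vista asked for Microsoft's option 249 instead, which carries the same encoding, so a server built around this lease should offer both.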

4 Answers


You might need to include a route to 10.10.10.254, in your example. That route can be "it's locally attached to this interface" (for your sake, I hope it is).

Bill Weiss

I think the problem is with defining the subnet mask as 255.255.255.255. You are essentially telling the computer that it is on a network segment all by itself, and then not telling it who to talk to (ie the gateway) to communicate with other network segments. The correct solution would be to setup a private network segment with a real gateway server that does not have routing configured for the LAN, and then configure static routes from the private network to the desired LAN addresses. Alternatively you would need to place the computers on a broadcast-only network segment with a large enough subnet mask to reach the desired addresses and then configure the static routes on whichever routers the machines were connected to.

To simplify: No Gateway = Broadcast only, 255.255.255.255 subnet = No Broadcast (everything routes to the gateway)

Greg Bray

Bill Weiss: We tried this (adding the router address as a static route where its gateway is the special 0.0.0.0, meaning on the same link). This allowed a ping to reach the router but not the destination machine (the other static route via this router).

Greg Bray: We found a half solution where blocked machines on different network segments than those in the static route table (to be reached) can ping them. Basically we set the default gateway to 0.0.0.0 and subnet mask to 255.255.255.255, which means: please consult the static route table for any inquiries. We also set the gateway of static routes to 0.0.0.0, which means that this gateway is on the same link as the blocked machine (I think; correct me if I'm wrong please). However, any ideas how we can ping machines on the same segment from a blocked one?

One more thing: Imagine two blocked machines using the above setup of default gateway and subnet mask. Now for blocked machine A to ping another blocked machine B, do I also need a static route on B to A in order for B to be able to respond to this ping request (supposing that A already has a static route to B)? I mean, does the ping response utilize the information in the ping request headers about the requesting machine in order to reply to it, or does it need explicit static routing for that response?

Thank you guys :)

  • If you used the same openID for SO and SF you should have been given control of this question back, if you did, email team@serverfault.com to get it associated so you can control it again... Also can you post a `route print` from a blocked machine? – Zypher Mar 16 '10 at 17:49

Part of the problem that you have going on is that you are blocking a more specific network than your static route. Routers pick which network to send stuff based on the Administrative Distance, and static routes have an Administrative Distance of 1. However, they ignore AD if a different route is a more specific network (aka has more network bits as opposed to host bits). So if you are setting your mask to 255.255.255.255, you are all network bits and your static route to a network+host is getting ignored.

Also, how is this much of an enforcement since they can just set their info manually and ignore this system completely?

Eric
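Bill Weiss's suggestion of a route to the router itself, the follow-up post's questions about pinging a peer and whether the reply needs its own route, and Eric's point that the most specific route wins can all be checked against a small model. The following is an added example written for this page, not code from any of the posters: it models a host forwarding table the way common host stacks behave (longest-prefix match selects the route, and a route whose gateway is not on a connected link is unusable). The host names, addresses and helper names are constructed assumptions of the example; the 10.10.10.x addresses are the ones from the question.

```python
import ipaddress

# Added example, not code from any answer in this thread: a toy host forwarding
# table that resolves a destination the way a typical host stack does
# (longest-prefix match, then the chosen gateway must itself be on-link).


class Host:
    def __init__(self, name, address, prefixlen):
        self.name = name
        self.address = ipaddress.IPv4Address(address)
        connected = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
        # Route entries are (destination network, gateway); gateway None = on-link.
        self.routes = [(connected, None)]

    def add_route(self, dest, gateway=None):
        """A gateway of None or 0.0.0.0 means 'on this link', as the thread uses it."""
        gw = None if gateway in (None, "0.0.0.0") else ipaddress.IPv4Address(gateway)
        self.routes.append((ipaddress.ip_network(dest), gw))

    def is_on_link(self, ip):
        return any(gw is None and ip in net for net, gw in self.routes)

    def next_hop(self, dst):
        """Return the address to ARP for when sending to dst, or None if unreachable."""
        dst = ipaddress.IPv4Address(dst)
        candidates = [(net, gw) for net, gw in self.routes if dst in net]
        if not candidates:
            return None                                    # no route at all
        net, gw = max(candidates, key=lambda r: r[0].prefixlen)  # longest prefix wins
        if gw is None:
            return dst                                     # on-link: talk to dst directly
        if not self.is_on_link(gw):
            return None                                    # gateway not reachable on any link
        return gw


def can_exchange(src, dst):
    """A request and its reply each need a usable route in the sender's own table;
    the reply takes nothing from the request's headers except the destination."""
    return src.next_hop(dst.address) is not None and dst.next_hop(src.address) is not None


def quarantine_scenario():
    """Walk through the situation from the thread with constructed hosts."""
    blocked_a = Host("A", "10.10.10.20", 32)               # blocked host: /32 lease, no gateway
    blocked_a.add_route("10.10.10.11/32", "10.10.10.254")   # the static route from the question
    before = blocked_a.next_hop("10.10.10.11")              # None: 10.10.10.254 is not on-link
    blocked_a.add_route("10.10.10.254/32", "0.0.0.0")       # on-link route to the router itself
    after = blocked_a.next_hop("10.10.10.11")               # now 10.10.10.254

    server = Host("S", "10.10.10.11", 24)                  # ordinary host with a /24
    blocked_b = Host("B", "10.10.10.30", 32)               # a second blocked host
    blocked_a.add_route("10.10.10.30/32", "0.0.0.0")        # A knows how to reach B ...
    one_way = can_exchange(blocked_a, blocked_b)            # ... but B cannot reply: False
    blocked_b.add_route("10.10.10.20/32", "0.0.0.0")        # B gets its own route back to A
    both_ways = can_exchange(blocked_a, blocked_b)          # True

    return {
        "a_to_server_before_router_route": before,
        "a_to_server_after_router_route": str(after),
        "a_server_exchange": can_exchange(blocked_a, server),
        "a_b_exchange_without_return_route": one_way,
        "a_b_exchange_with_return_route": both_ways,
    }


if __name__ == "__main__":
    for key, value in quarantine_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows both halves of the thread's findings: the route via 10.10.10.254 only becomes usable once 10.10.10.254/32 is itself on-link, and a ping from A to B only gets a reply after B has a route whose longest-prefix match covers A, because B builds the reply from its own table rather than from the request.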