
I've been trying to find a solution to this problem for many weeks; I hope someone can help me.

I have a rather simple network:

  • Windows Server 2012R2 with multiple NICs
  • A few subnets (VLANs) with DHCP's router-option set to the corresponding NIC of the server on that subnet
  • DHCP and DNS enabled (and working) on all NICs in every subnet

Every vlan has its own subnet in the 192.168.x.0 space.

What I want:

I want clients from all subnets to be able to connect to the internet but not any other subnet.

e.g. client 192.168.4.12 should be able to ping google.com but not 192.168.3.0/24

What I did:

  1. Since I wanted the server to route, I installed the RRAS feature as a LAN router. After that the clients of the subnets were able to ping across the subnet but couldn't access the Internet.
  2. I added NAT to RRAS and they were able to ping each other and the Internet.

I have tried:

  • Inbound/Outbound filters on each subnet's interface in RRAS - does nothing while NAT is enabled
  • Static routes to block out traffic from across subnets - no reaction either. I might have done it wrong, but I tried various configurations
  • Using Windows advanced firewall but didn't find a way to block traffic from a specific subnet going to a specific subnet

Is there a way to do that, did I miss something or how do you do this?

Christian

2 Answers


I've found the solution for this in case you still need it:

Right-click on every interface in the RRAS console in the General section. Select Properties, click on Incoming Filter, click New, and add every other VLAN with its IP address range as the destination network, except the one you are currently configuring, of course.

Omegavirus
  • Thanks, but I've already tried that several times in all possible configurations and it never worked. Do I need to restart RAS after changing this? How did you make it work? – Christian Jun 11 '15 at 15:09
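To check the intended filter table before typing it into the RRAS console, here is an added Python model (not from the answer above or from Microsoft) of the per-interface inbound filters it describes, using a constructed three-VLAN topology; the VLAN names and the use of 8.8.8.8 as a stand-in for google.com are assumptions. It models only the stateless filter semantics, not RRAS itself, so it shows which packets the filter table would drop, not how NAT interacts with it.

```python
import ipaddress

# Constructed topology matching the question: one RRAS interface per VLAN,
# each VLAN a /24 in 192.168.x.0 (the VLAN names and numbers are assumptions).
VLANS = {
    "VLAN2": ipaddress.ip_network("192.168.2.0/24"),
    "VLAN3": ipaddress.ip_network("192.168.3.0/24"),
    "VLAN4": ipaddress.ip_network("192.168.4.0/24"),
}


def build_inbound_filters(vlans):
    """Per-interface inbound filter list, as the answer describes it.

    Each interface is set to 'receive all packets except those below', and
    the list holds every *other* VLAN's range as a destination network.
    """
    return {name: [net for other, net in vlans.items() if other != name]
            for name in vlans}


def ingress_interface(src, vlans):
    """Name of the VLAN interface a packet from src arrives on, or None."""
    src_ip = ipaddress.ip_address(src)
    for name, net in vlans.items():
        if src_ip in net:
            return name
    return None


def is_forwarded(src, dst, vlans):
    """True if the ingress interface's stateless inbound filter accepts the
    src->dst packet for routing (NAT to the internet), False if it drops it."""
    iface = ingress_interface(src, vlans)
    if iface is None:
        return False          # not from a VLAN we route for
    dst_ip = ipaddress.ip_address(dst)
    # Drop when the destination falls inside any other VLAN's range.
    return not any(dst_ip in net for net in build_inbound_filters(vlans)[iface])


if __name__ == "__main__":
    for iface, nets in build_inbound_filters(VLANS).items():
        print(iface, "drop destinations:", ", ".join(map(str, nets)))
    # 8.8.8.8 stands in for an internet host such as google.com
    print(is_forwarded("192.168.4.12", "8.8.8.8", VLANS))      # True
    print(is_forwarded("192.168.4.12", "192.168.3.5", VLANS))  # False
```

Running it prints the exact destination-network entries to add under each interface's incoming filter, which makes it easy to spot a VLAN range that was mistyped or left out.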

It is possible to use both NAT and static filters together on one RRAS server, even though RRAS static filters are stateless and NAT requires a stateful firewall.

If you view the NAT session mappings (right-click > View Mappings) while a NAT session is active, you'll see 3 IP addresses per session: public, private, and remote. I added both the public IP and the private IP/range to a "Drop all packets except..." inbound static filter on my "public" RRAS interface(s).

Inbound static filters on "public" NAT interface(s) in RRAS "General" section:

1: Source: Any, Destination: "public" ip, 255.255.255.255 subnet (to isolate to single IP address)

2: Source: Any, Destination: "private" ip/range (255.255.255.0 for /24 subnet for example)

This appears to allow NAT (Any > Public) and forwarding (Any > Private) to occur, and excludes other undesired routing.

It seems it would be possible to set the second filter as Public > Private, but this didn't work for me; I needed Any > Private.

goofology