Is it possible on a 2003 domain to prevent a range of IP addresses from connecting to the network? Here is the setup:

Win2003 AD DHCP/DNS domain
Network Range: 192.168.1.1-254
Static: 192.168.1.20 (server/router/printers)
Dynamic: 192.168.21-100 (clients)
Reserved: 192.168.1.101-105 (clients)

I want to force any computer or device that does not have a reservation to take from the dynamic ip pool. The dynamic pool is setup to have net access limited to certain hours of the day.

If a client uses a static ip that is outside the dynamic range then they can bypass the net restrictions.

Is there a better way to do this?

I don't know of a way to do it automatically in Windows, but if your reservation list changes infrequently why not just block the whole reserved range at the firewall and then add exceptions? It's far from foolproof but it would stop casual bypass attempts.

A better way would be to physically or VLAN split the two segments so you can force any unauthorized machines onto the restricted segment.

I am not very familiar with vlan setup. My router does support it but what would happen if someone plugs in directly to the open port?

Another option I thought about was having reservations in DHCP for all known devices that regularly connect. That would force the devices to use a specific range which could be filtered. The only way to use a different IP would be to spoof a MAC address. This is if I have a correct understanding on how reservations work.

If your router supports VLANs properly then you could simply disable the unused ports or at the very least set them to a "dead" VLAN. If someone plugged in they would get nothing.

MAC filtering on ports could also help a bit, but again could be defeated by spoofing.

It would probably be better to do all this on your switch if it supports it. What kind of network equipment do you have?

The router is a Linksys WRT54Gv8 running DD-WRT v24-sp1 micro. I think I will have to research vlan's and their setup and usage. Do you know of any online tutorials or docs?

Thanks for all the feedback!

Posted by jacunda The router is a Linksys WRT54Gv8 running DD-WRT v24-sp1 micro. I think I will have to research vlan's and their setup and usage. Do you know of any online tutorials or docs? Thanks for all the feedback!

I'm not familiar with that model, does it support vlans? Home routers usually don't support them. For doing more complicated networking like that I'd recommend a programmable switch and router combination that could handle what you need. For example, you could pick up an older cisco (like real cisco, not Linksys/cisco) and get that working with your internet connection and do the vlaning. Switches are also getting more and more intelligent these days and are also doing some network function that only routers used to be able to do. I'd google the hell out of vlans and while doing that checking out what others are using for their hardware... most likely command-line based equipment running off of config files.

Posted by trent I'm not familiar with that model, does it support vlans?

Yes, it does now. Out of the box it does not support vlans but if you upload new firmware (open source DD-WRT) it makes this consumer router have the capabilities of pro routers priced much higher. Take a look at these links:

http://www.dd-wrt.com/site/index

http://lifehacker....-into-a-600-router

Thanks for all the feedback!

Posted by jacunda Yes, it does now. Out of the box it does not support vlans but if you upload new firmware (open source DD-WRT) it makes this consumer router have the capabilities of pro routers priced much higher. Take a look at these links: http://www.dd-wrt.com/site/index http://lifehacker....-into-a-600-router Thanks for all the feedback!

Awesome. I was aware of the linksys routers there you can load custom firmware on it. I just didn't know it also added vlan functionality. That's pretty sweet.

Also, due to this thread, I now want to pick up an old Cisco 1721 or something similar for my home network. Once you get it programed, it's obviously very reliable.

Too bad they're so expensive, but instead of using the ENET card in the router to connect to the cable modem at home, you can just by a cable WIC card for the router which in theory replaces the need for a cable modem. LIke $300+ though for the card. The router only costs like $30-40 used. I think I'll just stick with my crappy cable modem for now.