25-11-2009, 18:27
|
#1
|
Inactive
Join Date: Apr 2009
Location: Westhouses, Alfreton, Derbyshire
Services: BWI (Bennylaball Wireless Internet), Freesat Humax thingy
Posts: 22
|
Client Isolation
Hi all, I have had a request from one of my customers to stop his clients from being able to see each other on the network and only allow internet traffic. I suggested a layer 2 switch and forwarding all the network ports to the gigabit port on the switch and feeding that to the router, but I found out he has a large wireless network and cabled network. I am thinking about setting him up a PPPoE server and attaching it to the Active Directory. Does anyone else have any ideas, as that will be a lot of messing about setting up PPPoE on all their machines!
|
|
|
25-11-2009, 19:05
|
#2
|
Inactive
Join Date: Dec 2007
Posts: 18,385
|
Re: Client Isolation
Just block all local IPs on locked down firewalls apart from the gateway/router. With it being Active Directory I presume you can set a global security policy blocking firewall modifications.
|
|
|
25-11-2009, 19:21
|
#3
|
cf.mega poster
Join Date: Jun 2003
Location: Mansfield, Notts
Age: 45
Services: Virgin Media Telephone and 100Mb broadband, Sky Q
Posts: 1,994
|
Re: Client Isolation
Quote:
Originally Posted by Kymmy
Just block all local IPs on locked down firewalls apart from the gateway/router. With it being Active Directory I presume you can set a global security policy blocking firewall modifications.
|
Windows firewall and group policy
BTW, my post has totally changed, got hold of the wrong end of the stick on first reply.
BTW2, every switch is at least Layer 2 (MAC level), did you mean Layer 3?
|
|
|
25-11-2009, 19:30
|
#4
|
Inactive
Join Date: Apr 2009
Location: Westhouses, Alfreton, Derbyshire
Services: BWI (Bennylaball Wireless Internet), Freesat Humax thingy
Posts: 22
|
Re: Client Isolation
Yes, I did mean layer 3, my mistake. The client doesn't use Active Directory for routing, I use a Cisco PIX. I was hoping I could put a Linux box in line with the router as I'm not a Windows guy.
|
|
|
25-11-2009, 19:34
|
#5
|
cf.mega poster
Join Date: Jun 2003
Location: Mansfield, Notts
Age: 45
Services: Virgin Media Telephone and 100Mb broadband, Sky Q
Posts: 1,994
|
Re: Client Isolation
Quote:
Originally Posted by Bennylaball
Yes, I did mean layer 3, my mistake. The client doesn't use Active Directory for routing, I use a Cisco PIX. I was hoping I could put a Linux box in line with the router as I'm not a Windows guy.
|
You wouldn't use Active Directory for routing, you'd set the default domain policy to enable the firewalls on the client PCs. You'd then put out a policy via AD that set each firewall to block communication to anything that isn't a server or internet connection.
|
|
|
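Added example, not written by any poster in this thread: for host firewalls whose block rule takes a list of address ranges, the policy described in post #5 needs the LAN subnet with the gateway and server addresses carved out. This Python sketch computes that list; the subnet and the two allowed addresses are constructed sample values.

```python
import ipaddress

def block_ranges(subnet, allowed_hosts):
    """CIDR blocks covering `subnet` minus each address in `allowed_hosts`."""
    net = ipaddress.ip_network(subnet)
    remaining = [net]
    for host in allowed_hosts:
        addr = ipaddress.ip_address(host)
        if addr not in net:
            raise ValueError(f"{host} is not inside {net}")
        single = ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
        kept = []
        for block in remaining:
            if block == single:
                continue  # this block is exactly the allowed host: drop it
            if single.subnet_of(block):
                # split the block into smaller CIDRs that skip the allowed host
                kept.extend(block.address_exclude(single))
            else:
                kept.append(block)
        remaining = kept
    return sorted(remaining)

def is_blocked(peer, ranges):
    """True if traffic to `peer` would match one of the block ranges."""
    addr = ipaddress.ip_address(peer)
    return any(addr in r for r in ranges)

def as_rule_value(ranges):
    """Comma-separated form, as typically pasted into a remote-address field."""
    return ",".join(str(r) for r in ranges)

# Constructed sample values (assumptions, not taken from the thread)
LAN = "192.168.1.0/24"
ALLOWED = ["192.168.1.1", "192.168.1.10"]  # gateway, one server

if __name__ == "__main__":
    ranges = block_ranges(LAN, ALLOWED)
    print(as_rule_value(ranges))
    for peer in ("192.168.1.1", "192.168.1.10", "192.168.1.50", "8.8.8.8"):
        print(peer, "blocked" if is_blocked(peer, ranges) else "allowed")
```

Internet destinations fall outside the LAN subnet, so they never match the block list; only peer clients on the same subnet do.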
25-11-2009, 21:16
|
#6
|
Inactive
Join Date: Apr 2009
Location: Westhouses, Alfreton, Derbyshire
Services: BWI (Bennylaball Wireless Internet), Freesat Humax thingy
Posts: 22
|
Re: Client Isolation
Ooooo I see, I will have to read a bit into Active Directory, like I said I'm not a Windows guy. If I get asked this again for a network with no Active Directory, how would I go about doing this?
[MOD: removed repeated sections]
Argh, every time I refresh it re-posts my last post
|
|
|
26-11-2009, 17:18
|
#7
|
Inactive
Join Date: Dec 2007
Posts: 18,385
|
Re: Client Isolation
Quote:
Originally Posted by Bennylaball
Argh, every time I refresh it re-posts my last post
|
If you refresh directly after a post then it'll resubmit the post data, best to click on the thread link instead of refresh.
Extra data and also the reply quoting the data - deleted
|
|
|
27-11-2009, 12:02
|
#8
|
Inactive
Join Date: Oct 2009
Location: In a box
Services: Lots
Posts: 211
|
Re: Client Isolation
 you delete my post - I thought it was quite funny, granted not related to the thread in any way, but still funny
|
|
|