Pinning user to external IP address via Windows Server DHCP

Started by MyndFyre, August 27, 2009, 11:31:49 AM


MyndFyre

My office intranet uses a Windows Server 2003 server for exchange and DHCP hosting.

What I'd like to do is be able to pin selected users or computers (computers would be preferable and I think the only thing that could work right) to a specific external IP range.  Supposing I have an external IP address range of 192.168.1.100-110, and I want my computer to be on 105, is it possible to do this within just Windows DHCP configuration?  Or do I need to go somewhere else?

iago

I don't exactly understand what you mean, but I'll try and offer a couple options.

You talk about having an external ip range of 192.168.1.100-110, but those are internal IPs. Are you just using those as an example?

If you're trying to link an internal ip range with an external one, so, for example, 192.168.1.105 is always 1.2.3.105, that's called Static NAT. I don't think that's what you're looking for, but eh?

If you mean that you always want computer X to get 192.168.1.105 when they request a DHCP, that's called a 'reserved ip'. On the DHCP server, you can link the MAC address of a machine to a specific IP, and that machine will always get the same IP.

Are either of those what you're asking? :P

Chavo

Are you talking about just reserving IP assignments?  In your example, are the "external IP" addresses the address that you want the Server 2003 DHCP Server to assign to clients?

If so, you can create the IP reservations pretty simply:
Administrative Tools->DHCP->Find the right scope->Reservations->Add Reservations

MyndFyre

What I want is for me to go to www.whatismyip.com and always get the same external IP address.  I have a range of external IP addresses assigned by my ISP.  I need the same network clients, assigned by MAC address, to always get the same external IP address, because we need to whitelist them with our clients.

I figured out how to reserve internal IP addresses.  Maybe what iago suggested is correct - static NAT.  What I'm unclear about, though, is which part of my network plays in that space.

Newby

Per user (e.g. user account on Windows).... good luck. TehUser has been looking into this too. My dad thinks it's not possible.

If you mean per computer/NIC... yeah. You can reserve IPs based on MAC addresses, I'm nearly positive, but I haven't done it in a while with Windows' DHCP server. I'm not sure how a DHCP server falls into this, though -- if you're on a LAN, the DHCP server serves up internal IP addresses. Usually it'll be the gateway that would deal with making sure a machine always got the same external IP address. On my dad's network, you could one-to-one bidirectionally map an IP to a machine on the LAN. This sounds like what you're trying to do.

To be fair, I think the bidirectional mapping would ruin your capabilities to have an internal IP unless your machines all have 2 NICs.

Chavo

If your ISP is simply assigning you a range of IPs but not providing any DHCP function, then you should be able to assign these with just the simple IP reservation.  Conversely, if you are paying for a range of IPs that your ISP is simply reserving for you, but still have to get the lease via DHCP (or some kind of static approach), then you do need to use Static NAT Routing to map these to internal IP addresses in conjunction with the IP reservation on the LAN side.

Camel

Quote from: MyndFyre on August 27, 2009, 12:42:57 PM
What I want is for me to go to www.whatismyip.com and always get the same external IP address.  I have a range of external IP addresses assigned by my ISP.  I need the same network clients, assigned by MAC address, to always get the same external IP address, because we need to whitelist them with our clients.

I figured out how to reserve internal IP addresses.  Maybe what iago suggested is correct - static NAT.  What I'm unclear about, though, is which part of my network plays in that space.

Is the Windows Server performing NAT? If so, I don't believe it's possible - at least, I wasn't able to figure out how to do it.

There are multiple solutions available for Linux and BSD (iptables et al); I'll elaborate if you're interested.

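The static NAT discussed in the posts above, sketched for a Linux gateway with iptables. This is an added example, not part of any post in this thread: it prints one SNAT and one DNAT rule per pinned machine instead of applying them. The interface name `eth0`, the 203.0.113.x addresses (a documentation range standing in for the ISP-assigned block) and the function names are assumptions.

```bash
#!/bin/sh
# Added example: print (do not apply) iptables rules for 1:1 static NAT.
# WAN_IF and every address below are constructed placeholders.
WAN_IF="${WAN_IF:-eth0}"

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Reads "internal external" pairs on stdin, prints one SNAT and one DNAT
# rule per pair. Fails on a malformed or reused address, because a shared
# external IP would defeat a per-machine whitelist.
static_nat_rules() {
    seen=" "
    while read -r internal external; do
        case "$internal" in ''|'#'*) continue ;; esac
        for addr in "$internal" "$external"; do
            is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
            case "$seen" in *" $addr "*)
                echo "address used twice: $addr" >&2; return 1 ;;
            esac
            seen="$seen$addr "
        done
        # Outbound: the pinned host always leaves with its own public IP.
        echo "iptables -t nat -A POSTROUTING -s $internal -o $WAN_IF -j SNAT --to-source $external"
        # Inbound: traffic to that public IP reaches the same host.
        echo "iptables -t nat -A PREROUTING -d $external -i $WAN_IF -j DNAT --to-destination $internal"
    done
}

# Constructed mapping: internal addresses are the DHCP reservations.
sample_map() {
    cat <<'EOF'
# internal       external
192.168.1.105    203.0.113.105
192.168.1.106    203.0.113.106
EOF
}

sample_map | static_nat_rules
```

The gateway must also answer for each external address on its WAN interface; these rules only perform the translation. The internal side stays stable only as long as the MAC-based DHCP reservation does.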

iago

Quote from: MyndFyre on August 27, 2009, 12:42:57 PM
What I want is for me to go to www.whatismyip.com and always get the same external IP address.  I have a range of external IP addresses assigned by my ISP.  I need the same network clients, assigned by MAC address, to always get the same external IP address, because we need to whitelist them with our clients.

I figured out how to reserve internal IP addresses.  Maybe what iago suggested is correct - static NAT.  What I'm unclear about, though, is which part of my network plays in that space.

I'm pretty sure static NAT is what you want. As far as I understand, it's when you have a static mapping of internal:external addresses.

But yeah, I've never used it before, you're going to have to look into it to see if it's the right solution. :)

Camel

Quote from: iago on August 27, 2009, 05:56:23 PM
As far as I understand, [NAT]'s when you have a static mapping of internal:external addresses.

That's what you typically see, but it needn't necessarily be static, or even a dynamic mapping from one address to another to be called NAT. For example, you could set it up so that each successive TCP connection uses a different external IP address (round-robin, random, etc), and that could still be called NAT. That's a difficult policy to define, though, and it doesn't work well with UDP or other connectionless transport protocols for obvious reasons.


iago

Quote from: Camel on August 27, 2009, 06:26:50 PM
Quote from: iago on August 27, 2009, 05:56:23 PM
As far as I understand, [NAT]'s when you have a static mapping of internal:external addresses.

That's what you typically see, but it needn't necessarily be static, or even a dynamic mapping from one address to another to be called NAT. For example, you could set it up so that each successive TCP connection uses a different external IP address (round-robin, random, etc), and that could still be called NAT. That's a difficult policy to define, though, and it doesn't work well with UDP or other connectionless transport protocols for obvious reasons.

You somehow dropped the word "static" from my post. That was kinda the key -- Static NAT is NAT with static mappings, I think.

Camel

Well, at least I had the sense to misquote you before I called you a liar!

But yeah, you're correct.


MyndFyre

Once I mentioned "static NAT" to our IT support team they knew what I needed.  Thanks @iago!

iago

Quote from: MyndFyre on August 27, 2009, 07:05:20 PM
Once I mentioned "static NAT" to our IT support team they knew what I needed.  Thanks @iago!

I hope it's right ;)