RRAS 2012R2 NAT with isolated subnets

Tags: routing, rras, subnet

I've been trying to find a solution to this problem for many weeks; I hope someone can help me.

I have a rather simple network:

  • Windows Server 2012R2 with multiple NICs
  • A few subnets (VLANs) with the DHCP router option set to the corresponding NIC of the server on that subnet
  • DHCP and DNS enabled (and working) on all NICs in every subnet

Every VLAN has its own subnet in the 192.168.x.0 space.

What I want:

I want clients from all subnets to be able to connect to the internet but not any other subnet.

e.g. client 192.168.4.12 should be able to ping google.com but not 192.168.3.0/24

What I did:

  1. Since I wanted the server to route, I installed the RRAS feature as a LAN router. After that, the clients of the subnets were able to ping across subnets but couldn't access the Internet.
  2. I added NAT to RRAS, and they were able to ping each other and the Internet.

I have tried:

  • Inbound/outbound filters on each subnet's interface in RRAS – does nothing while NAT is enabled
  • Static routes to block traffic between subnets – no reaction either. I might have done it wrong, but I tried various configurations
  • Using Windows Firewall with Advanced Security, but I didn't find a way to block traffic from a specific subnet going to a specific subnet

Is there a way to do that? Did I miss something, or how do you do this?

Best Answer

I've found the solution for this in case you still need it:

Right-click every interface under the General section of the RRAS console, select Properties, click Inbound Filters, click New, and add every other VLAN's IP address range as the destination network, except the one you are currently configuring, of course.
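The answer above describes the procedure in the GUI; the script below is an added example (not from the original post or answer) that builds the same per-interface inbound deny list from a table of VLAN subnets and applies it with the RemoteAccess PowerShell module that ships with Windows Server 2012 R2. The cmdlet names Add-RemoteAccessIpFilter and Get-RemoteAccessIpFilter are real; the exact layout of each filter string in the -List parameter (source, source mask, destination, destination mask, protocol separated by colons) is an assumption here and must be checked against "Get-Help Add-RemoteAccessIpFilter -Examples" on the server before running. The interface aliases and subnets are constructed sample values. The security-relevant point is that a "Deny" filter keeps the answer's "receive everything except what is listed" semantics: only packets whose destination is another VLAN are dropped at the ingress interface, before routing and NAT see them, so Internet-bound traffic (which matches no entry) still flows.

```powershell
# Added example, not code from the original post. Assumes the RemoteAccess module of
# Windows Server 2012 R2; the filter-string layout "src:mask:dst:mask:proto" is an
# ASSUMPTION - verify with: Get-Help Add-RemoteAccessIpFilter -Examples
# Interface aliases and subnets below are constructed sample values.

# One entry per VLAN-facing NIC: which subnet lives behind it.
$vlans = @{
    'VLAN3' = '192.168.3.0/24'
    'VLAN4' = '192.168.4.0/24'
    'VLAN5' = '192.168.5.0/24'
}

function ConvertTo-DottedMask([int]$PrefixLength) {
    # /24 -> 255.255.255.0
    $bits   = ('1' * $PrefixLength).PadRight(32, '0')
    $octets = 0..3 | ForEach-Object { [Convert]::ToInt32($bits.Substring($_ * 8, 8), 2) }
    return ($octets -join '.')
}

function New-IsolationFilterList {
    param([string]$Interface, [hashtable]$Map)
    # For interface X: deny packets arriving from X's own subnet whose destination is
    # any OTHER VLAN's subnet. Internet-bound packets match no entry and are passed.
    $srcNet, $srcLen = $Map[$Interface] -split '/'
    $list = @()
    foreach ($other in ($Map.Keys | Where-Object { $_ -ne $Interface })) {
        $dstNet, $dstLen = $Map[$other] -split '/'
        $list += ('{0}:{1}:{2}:{3}:any' -f $srcNet, (ConvertTo-DottedMask $srcLen),
                                            $dstNet, (ConvertTo-DottedMask $dstLen))
    }
    return $list
}

foreach ($if in $vlans.Keys) {
    $filters = New-IsolationFilterList -Interface $if -Map $vlans
    Write-Host "Inbound deny filters for ${if}:`n  $($filters -join "`n  ")"
    # Action Deny == RRAS GUI "Receive all packets except those that meet the criteria below".
    Add-RemoteAccessIpFilter -InterfaceAlias $if -Direction Inbound -Action Deny -List $filters
}

# Verification: list what RRAS actually installed, then from a client in 192.168.4.0/24
# ping a host in 192.168.3.0/24 (expected: no reply) and an Internet name (expected: reply).
foreach ($if in $vlans.Keys) {
    Get-RemoteAccessIpFilter -InterfaceAlias $if -Direction Inbound
}
```

Run it in an elevated PowerShell session on the RRAS server after the NICs are named to match the hashtable keys. Keeping the subnet table in one place means adding a fourth VLAN is a one-line change that regenerates the deny list on every existing interface, which is easy to forget when each filter is maintained by hand in the console.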