Why is this static routing not working?


I'm trying to develop a DHCP enforcement extension like Microsoft NAP.
My trick to block dynamic-IP requesting machines (that don't meet certain policy) is to strip the default gateway (no default gateway) stated in the IP lease and set the lease subnet mask to 255.255.255.255.

Now I need the blocked machines to be able to reach some specific locations (IPs) on the network. To allow for this, I'm including some static routes in the lease. For example, I'm including 10.10.10.11 via router 10.10.10.254 (the one to which the blocked machine that needs to access 10.10.10.11 is connected).

Unfortunately, as soon as I set the default gateway to nothing, blocked machines cannot reach any of the added static routes. I also tried classless static routes.

Any ideas? Does anyone know how MS NAP actually does it?

Best Answer

You might need to include a route to 10.10.10.254, in your example. That route can be "it's locally attached to this interface" (for your sake, I hope it is).
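The point in the answer, as an added example that is not part of the original question or answer: with a 255.255.255.255 mask nothing is on-link, so a route via 10.10.10.254 has no usable next hop until the lease also carries a route that makes the router itself on-link. The sketch encodes both routes as an RFC 3442 classless static route option (option 121, where a router of 0.0.0.0 marks the destination as directly attached) and checks that every next hop is reachable. The client address 10.10.10.50 and the function names are constructed for illustration, and whether a particular DHCP client honours a 0.0.0.0 router is an assumption to verify on that client.

```python
import ipaddress

def encode_option_121(routes):
    """Encode (destination CIDR, router) pairs as an RFC 3442 option 121 payload."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest)
        significant = (net.prefixlen + 7) // 8  # only significant octets are sent
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.ip_address(router).packed
    return bytes(out)

def unreachable_routers(client_ip, netmask, routes):
    """Return next hops the client cannot reach directly on its link.

    A router is usable only if it lies inside the lease's own subnet or
    inside a destination that another route declares on-link (0.0.0.0).
    """
    on_link = [ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)]
    on_link += [ipaddress.ip_network(d) for d, r in routes if r == "0.0.0.0"]
    bad = []
    for _dest, router in routes:
        if router == "0.0.0.0":
            continue
        gw = ipaddress.ip_address(router)
        if not any(gw in net for net in on_link):
            bad.append(router)
    return bad

CLIENT_IP = "10.10.10.50"           # constructed sample lease address
QUARANTINE_MASK = "255.255.255.255"  # mask used in the question

# Lease as described in the question: the router is not on-link.
QUESTION_ROUTES = [("10.10.10.11/32", "10.10.10.254")]

# Lease with the answer's fix: host route to the router first, marked on-link.
FIXED_ROUTES = [
    ("10.10.10.254/32", "0.0.0.0"),
    ("10.10.10.11/32", "10.10.10.254"),
]

if __name__ == "__main__":
    print("question lease, unreachable:",
          unreachable_routers(CLIENT_IP, QUARANTINE_MASK, QUESTION_ROUTES))
    print("fixed lease, unreachable:",
          unreachable_routers(CLIENT_IP, QUARANTINE_MASK, FIXED_ROUTES))
    print("option 121 payload:", encode_option_121(FIXED_ROUTES).hex())
```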
