Will "ipconfig /release" still allow local networking?
April 10, 2013 2:45 PM

I need to help isolate a Windows machine from the internet, but still allow it to network with a local machine.

After multiple issues with viruses, a friend has decided that he is no longer willing to allow his Windows machine to connect to the internet. He bought a new iMac and an Airport Extreme, and is quite happy.

Here's the rub: he still wants to use the PC for writing and publishing (I know...don't ask), and he wants to be able to transfer the files to and from the Mac via his LAN (specifically, via an ethernet cable from the PC to the Airport Express). In short, he wants to confine the PC to his home network, without allowing it access to the internet.

Here's the setup: new iMac, Airport Extreme, PC running XP.

Here's the question: Will "ipconfig /release" accomplish this? Every Google search yields results about PCs that are having trouble connecting to the internet; none seems to address this issue of wanting to isolate one from the internet, but still allow local access through a router.
posted by dinger to Computers & Internet (11 answers total)
 
No.
posted by grouse at 2:47 PM on April 10, 2013 [2 favorites]


ipconfig /release will cause the computer to give up its IP address. I don't see what it would have to do with keeping the computer from accessing the internet.

It's usually a bad thing when I play "IT guy", but I think you can do this by disabling DNS on the PC. The PC would still be able to access the internet, but any attempt to connect to "www.nakedteenagersplayyahtzee.com" would fail, because the system won't be able to convert that name to an ip address.

You may be able to do this by tweaking the router to disallow internet access by that PC. That will probably depend on your router, however.
posted by It's Never Lurgi at 2:51 PM on April 10, 2013


But sorta on the right track. He could configure the machine with a static IP address without a default gateway address. This would allow communication with other devices on the LAN but no way to get beyond the LAN.
posted by zengargoyle at 2:52 PM on April 10, 2013 [1 favorite]


I'd do what zengargoyle suggests.
posted by zsazsa at 3:05 PM on April 10, 2013


Response by poster: @zengargoyle: thanks for the advice. Please understand, tho, that my only qualification for tackling this issue is that I know more about networking than my friend (who knows zilch). I also know very little about Windows, having abandoned it years ago. (I'm still forced to use it at work, but there we have IT technicians that screw it up for us, with no intervention required on our parts.)

So, would these steps you suggest be performed through the Control Panel? Is it there that I can configure a static IP address and specify no default gateway address?
posted by dinger at 3:21 PM on April 10, 2013


Probably best to block it at the router by mac address.

You can't trust a machine you don't trust.
posted by gjc at 3:41 PM on April 10, 2013


Best answer: First check the router that is (most likely) providing DHCP for the LAN. In general the cable modem or DSL or whatever is handing out DHCP for all the machines. Usually the router will have a pool of addresses that it hands out to devices through DHCP, and the rest will be available for static use. You want to pick an address from the static pool so that you don't accidentally someday conflict with some other device.

Like my router does something like this:

local network: 192.168.1.0 netmask 255.255.255.0
dhcp pool: 192.168.1.100-200
gateway: 192.168.1.254

so machines set to DHCP will get an IP in the 192.168.1.100 - 192.168.1.200 range and I set my static machines with addresses like 192.168.1.10, 192.168.1.11, etc.

Then yes, you just go to the control panel and find and change the configuration of the network card from DHCP/Obtain Address Automatically/whatever XP calls it to Static/Manually Configured/whatever... and give it the IP / netmask (say 192.168.1.15 netmask 255.255.255.0) and leave the Default Gateway blank. If your current DNS is provided by the router itself (it's a LAN address, usually the same as the gateway address, like 192.168.1.254 in my case) then you can still use it. Some routers will provide DNS for the LAN (from the DHCP addresses that it has handed out), some routers don't.

Most of the magic plug and play network stuff (like browsing for shares, printers, etc) should work fine. Nowadays all of that stuff is broadcast/multicast stuff that works fine without actual gateway addresses. (Works so well that the Microsoft/Apple plug and play stuff is the bane of enterprise network people. :P)
posted by zengargoyle at 3:49 PM on April 10, 2013
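As an added example (not from anyone in the thread), here is the same static-address step done from the XP command line with netsh instead of the Control Panel, plus a check that no default route remains. It assumes the adapter is named "Local Area Connection", the addressing zengargoyle used above (LAN 192.168.1.0/24, router and DNS at 192.168.1.254), and that 192.168.1.15 lies outside the router's DHCP pool.

```batch
@echo off
rem Added example, not from the thread: confine an XP box to the LAN by giving
rem it a static address with NO default gateway. Run from an Administrator cmd.
rem Assumed values (adjust to the real LAN):
set ADAPTER=Local Area Connection
set STATIC_IP=192.168.1.15
set NETMASK=255.255.255.0
set ROUTER_DNS=192.168.1.254

rem Static address, gateway explicitly "none": with no default route the IP
rem stack has nowhere to send packets for destinations outside 192.168.1.0/24,
rem so they never leave the machine.
netsh interface ip set address name="%ADAPTER%" source=static addr=%STATIC_IP% mask=%NETMASK% gateway=none

rem Point DNS at the router so LAN hostnames it learned via DHCP still resolve.
netsh interface ip set dns name="%ADAPTER%" source=static addr=%ROUTER_DNS%

rem Show the result for the record.
ipconfig /all

rem Verify: the routing table must contain no 0.0.0.0 (default) route.
route print | findstr /R /C:"^ *0\.0\.0\.0 " >nul
if %errorlevel%==0 (
    echo WARNING: a default route is still present, check the adapter settings
) else (
    echo OK: no default route, traffic stays on the LAN
)

rem The router should answer; an address outside the LAN should fail,
rem because there is no route to reach it.
ping -n 1 %ROUTER_DNS%
ping -n 1 8.8.8.8
```

Reverting is a single command, `netsh interface ip set address name="Local Area Connection" source=dhcp`, followed by the matching `set dns ... source=dhcp`.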


So, your router almost certainly does not pass link local traffic (by design). Giving yourself a static IP in link local IP space is easy.

You might be able to install Bonjour on your Windows box so you can see and resolve the Mac's file shares (which will need to be configured) on the Windows box. The Bonjour control panel lets you advertise your file shares from the Windows box.
posted by Mad_Carew at 5:06 PM on April 10, 2013


Disabling DNS will "mostly" work but will cause problems accessing local servers. As It's Never Lurgi points out, the real way to do this is to configure the router.

First thing to check is to poke around in the router's configuration web pages to see if there is an option to disallow Internet/External/WAN traffic based on local IP. If you can't find such an option then you are out of luck and disabling DNS is probably the best you can do.

If such an option exists, turn it on and configure it to disallow a single IP. Now you just need to make sure your friend's computer always gets this IP. He can set his computer to have a static IP address manually, but you can also (probably, depending again on the router) configure the DHCP on the router to always give out this IP address to the MAC address of the computer. This means your friend does not need to configure his machine at all.

Even very cheap routers have these configuration options these days, so it is worth checking if you feel up to the technical challenge.
posted by AndrewStephens at 5:32 PM on April 10, 2013


A lot of over-thinking going on. Windows/Mac automagic plug-n-play zeroconf bonjour blah blah blah... will all mostly work out of the box with all devices plugged into a Layer-2 switch with no router or DNS at all. It will all mostly just work with auto-configured 169.254/16 addresses, and combinations of broadcast announcements/queries and multicast DNS. Even my lacklusterly configured Linux box can reach other machines on the local LAN without help from DNS because they advertise themselves over avahi or whatever.

root@io:~# host zim.local
Host zim.local not found: 3(NXDOMAIN)
root@io:~# ping zim.local
PING zim.local (192.168.1.72) 56(84) bytes of data.
64 bytes from zim.local (192.168.1.72): icmp_req=1 ttl=64 time=0.149 ms

The only likely problem is XP not being smart enough and needing to use the router's DNS (or a hosts file) to find the Apple machines. Most routers nowadays accept the client hostname in the DHCP request and will serve it up.

# dig @8.8.8.8 zim.local
...
;; QUESTION SECTION:
;zim.local. IN A

duh

# dig @192.168.1.254 zim.local
...
;; ANSWER SECTION:
zim.local. 0 IN A 192.168.1.72

yep, local router DNS knows my LAN machines that DHCP

so it's most useful to configure the XP machine pointing to the router's DNS for the case that it just might give the XP machine the ability to look up other hosts on the LAN via DNS.

and if there's no gateway configured on the XP box then no packets destined to non local addresses will leave the machine.

I have no idea where all of this remove DNS and block on the router is in any way necessary. And in any case something like using MAC locked ACLs or otherwise twiddling firewall rules on a router is strange advice to give to the OP and friend when they're starting at `ipconfig \release`.

dinger could probably get away with just doing `ipconfig` (maybe a '\show' flag or whatnot) to find out the machine's current lease information:

IP: w.x.y.z
Netmask: 255.255.255.0
Gateway: blah
DNS: w.x.y.a

and just use those minus the Gateway as a static config. Most routers will keep the same leased IP address held for the same MAC as long as possible (probably until a factory reset, reconfigure, or they run out of addresses). Mainly because Windows and some Apple machines are terribly prone to not actually accepting a changed IP address in a new DHCP lease. (I could bitch for hours about what happens if you actually configure a DHCP server to return a random new IP on renewal to Microsoft machines...)
posted by zengargoyle at 7:21 PM on April 10, 2013


Response by poster: Thank you all for the fine responses, many (most?) of which are over my head, but nevertheless give me a headstart in the learning process.

Because the router is working flawlessly, I'd rather not mess with it; I think I'll try solutions that are confined to the PC first. If that doesn't work, you've given me lots of other leads.

Based on my Google search results, thousands and thousands of folks around the world have trouble getting their Windows machines to connect to the internet; it's kind of funny that I should have to do so much research to achieve the same result.
posted by dinger at 3:15 AM on April 11, 2013

