LANProtector Example Project 02
Mixed public and private network addresses, blocking private network addresses
Network Setup
- The network has public IP addresses assigned, but their number and subnet are unknown; all of them are allowed
- One server uses the private IP address range 172.16.1.1 to 172.16.1.3 and has MAC address 11-11-11-11-11-11
- Routers and modems with private IP addresses from 10.0.0.1 to 10.0.0.254 and from 172.16.1.1 to 172.16.1.254 are allowed
- Any other private network IP address usage is not allowed
Solution
Download the example Security Project file from Here (right-click and select Save As).

The Ruleset uses the Allow All Default Action so that all public IP addresses, which are unknown, are allowed. Because of that default, the following Rules are defined to deny the private address subnets:
- Deny 10-addresses Rule to deny all private IP addresses starting with 10 (private subnet 10.0.0.0/8)
- Deny 192.168-addresses Rule to deny all private IP addresses starting with 192.168 (private subnet 192.168.0.0/16)
- Deny 172.16/12 Subnet Rule to deny all private IP addresses in private subnet 172.16.0.0/12
As some private equipment is allowed in the private address range, the following allow Rule is defined before the deny Rules:
- Allow Private Equipment Rule to specifically allow the two network IP address ranges where private equipment might be
To prevent any private equipment from taking over the server-reserved IP addresses, a deny Rule is defined before the allow Rule:
- Deny Non-Server Rule to block a specific, identified intruder MAC address from obtaining any network IP address
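The Rule order described above can be checked with a small model. This is an added example, not LANProtector's own code or configuration format: it assumes Rules are evaluated top to bottom with the first match deciding, models Deny Non-Server as matching any MAC other than the server's on the server-reserved addresses (an interpretation of the Network Setup), and uses constructed sample values (OTHER_MAC and the documentation address 203.0.113.10).

```python
import ipaddress

SERVER_MAC = "11-11-11-11-11-11"   # server MAC from Network Setup
OTHER_MAC = "22-22-22-22-22-22"    # constructed sample MAC for a non-server device

def ip_range(first, last):
    """Predicate: is the address inside the inclusive range first..last?"""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda ip: lo <= ip <= hi

def subnet(cidr):
    """Predicate: is the address inside the CIDR subnet?"""
    net = ipaddress.ip_network(cidr)
    return lambda ip: ip in net

server_ips = ip_range("172.16.1.1", "172.16.1.3")
equipment = (ip_range("10.0.0.1", "10.0.0.254"), ip_range("172.16.1.1", "172.16.1.254"))
net10, net192, net172 = subnet("10.0.0.0/8"), subnet("192.168.0.0/16"), subnet("172.16.0.0/12")

# Assumed semantics: rules are checked top to bottom and the first match decides.
RULES = [
    # Assumption: matches any non-server MAC asking for a server-reserved address.
    ("Deny Non-Server", "deny", lambda ip, mac: server_ips(ip) and mac != SERVER_MAC),
    ("Allow Private Equipment", "allow", lambda ip, mac: any(r(ip) for r in equipment)),
    ("Deny 10-addresses", "deny", lambda ip, mac: net10(ip)),
    ("Deny 192.168-addresses", "deny", lambda ip, mac: net192(ip)),
    ("Deny 172.16/12 Subnet", "deny", lambda ip, mac: net172(ip)),
]

def evaluate(ip, mac, rules=RULES):
    """Return (action, name of the deciding rule) for one address request."""
    addr = ipaddress.ip_address(ip)
    for name, action, matches in rules:
        if matches(addr, mac.upper()):
            return action, name
    return "allow", "Allow All Default Action"   # Ruleset default from the page

# Same rules with the allow Rule moved above Deny Non-Server, to show the gap.
MISORDERED = [RULES[1], RULES[0]] + RULES[2:]

if __name__ == "__main__":
    for ip, mac in [("10.1.2.3", OTHER_MAC), ("172.20.1.5", OTHER_MAC),
                    ("172.16.1.2", OTHER_MAC), ("172.16.1.50", OTHER_MAC),
                    ("172.16.1.2", SERVER_MAC), ("203.0.113.10", OTHER_MAC)]:
        print(ip, mac, evaluate(ip, mac))
    print("misordered:", evaluate("172.16.1.2", OTHER_MAC, MISORDERED))
```

With the allow Rule placed first, the non-server device is granted 172.16.1.2, which is why Deny Non-Server has to sit at the top of the Ruleset.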
Testing
1. A computer tries to obtain a private network address in the 10.0.0.0/24 subnet:

2. A computer tries to obtain a private network address in the 172.20.1.0/24 subnet:

3. A network device tries to obtain a private address reserved for the server only:

4. A network device tries to obtain a private address in the permitted address range:

5. The server tries to obtain one of its reserved addresses:
