Block internal IP?

By Distant
in Microsoft (Windows)

 Share

Recommended Posts

Collaborator

Distant

Posted
Posted

So lately we have been having an issue with people viewing adult content at work.

Basically someone comes in and forgets they are on the company wireless and goes to find a site o' fun on their mobile device.

Until recently, I've been able to track down who it was. But now default device naming conventions prevent that. Android_longassstring doesn't help me.

All I know is it is 192.168.100.18.

Two questions:

1. How can I block this IP from accessing the internet while it has a DHCP lease.

2. Any other ways of tracking down the idiot?

Thanks.

Link to comment
https://www.neowin.net/forum/topic/1103809-block-internal-ip/
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

What do you have in place at work for your router/firewall? How are you seeing where the people are going? Many proxies have a way of filtering.

Give me some details of what your working with for infrastructure and or budget and we can work out the best way to filter using what you have or that will fit into your budget. I can not believe a place of business does not filter internet traffic? You can do some amazing things on really 0 budget, if you have some hardware to work with and some time for setup.

As to tracking down a wireless client - yeah that can be very difficult. You could implement login to access your wireless via your AD/LDAP, etc You could setup a captive portal sort of thing even if you just allow open wireless connectivity.

There are lots and lots of options here - just need to know what your working with, and what you might be able to add to your network.

Off the cuff, some random mobile device its going to be impossible to track - simple thing would be to block his mac from getting an IP of said device... Or just setup a reservation for his mac so that he gets same IP you block at your firewall from getting to the internet. If you know his IP, you know his mac - if you know his mac you can setup a reservation so he always gets the same IP, once you know that device will always get the same IP, you can block that IP from accessing the internet. Or depending on your setup block from even getting an IP, etc.

Love to help you fix up your network so you can filter and monitor users internet traffic - just need somewhere to start, ie what do you have to work with.

Collaborator

Distant

Posted
  • Author
Posted

Pretty simple setup -

Server -> Sonicwall w/ 2 switches and an AP -> ISP -> OpenDNS

So if content manages to get by the Sonicwall, it happens - hits OpenDNS and gets stopped.

We have the filtering in place, that's not the issue. It's finding out who attempted to access these sites.

So I know the IP because of DHCP, how can I pull the MAC ID and block that? Can I block it in DHCP?

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

Why allow phones to access the network anyway? Why. It throw in a content manager other than opendns. Something that can manage it better? Or have open dns integrate with ad so it requires ad auth. The auth, it creates a log of who and what the accessed. No need to hunt crap down, you know who did it based on user account.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"hits OpenDNS and gets stopped."

What?? Sorry opendns is provider of dns, it does not stop anything. You ask it for stuff like www.neowin.net or www.playboy.com, etc. and then it either returns the correct IP for you to go there, or it sends you its IP so you end up on some block page. It does not actually filter traffic, unless they have recently added proxy support?

So do you block 53 outbound to everything else other then the opendns servers? If not circumvention of your opendns filtering there any 6 year old could bypass ;) What sonicwall do you have? They provide web content filtering services - you just have to be licensed for them.

You could tie to opendns enterprise insight, sure this ties it to your AD -- I don't believe its very cost friendly?? And unless your blocking outbound udp/tcp 53 anyone can bypass it really easy.

What AP do you have? Does it tie in with your sonicwall? Model numbers of your devices would be very helpful so we know exactly what we are dealing with. But you have a sonicwall, which sc302 I believe has more exp with than me. But clearly they can block who you want, and if your AP is tied in with it you can require AD to auth to even get on your wireless.

Collaborator

Distant

Posted
  • Author
Posted

What?? Sorry opendns is provider of dns, it does not stop anything.

OpenDNS has a content filter that sometimes does better than the Sonicwall. That's what I meant about content getting stopped.

We have a Sonicwall TZ210, Cisco Aironet 1040 AP.

OpenDNS is too pricey for my budget (non profit organization) even with their "discounts".

I would imagine that either the Sonicwall or the Cisco device could tie in to AD but I've never done that before.

@sc302 - wireless is a "perk" I guess. But it's also needed so people can do their jobs and I'm not sure how much work it is to lock it all down to only X devices.

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

The sonic wall appliance has a purchasable subscription package for content filtering that does a pretty good job and should be the same or better than opendns. With this, it should also tie into ad to be able to give you reports based on user. If you don't sign in with an ad account, you don't get access. Turn off anonymous access.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Well if you want to know who is going where, I would connect both of them to AD. I would require auth to get on your wireless. So its just completely open now, or you have just a PSK setup?

So do you control your AP from the sonicwall or is it standalone? You don't have a cisco wireless controller for 1 AP that is for sure. But the TZ210 can handle up to 16 sonicpoints, or AP ;)

So you do content filtering now on the sonicwall, but you don't set policy based upon AD users?

But still a bit hazy on even your original question - if your doing content filtering at the sonicwall, and you notice someone going to site X, just block site X at the sonicwall. You don't really have to know who is going there to prevent them from going. Content filtering at sonicwall clearly has ability to whitelist/blacklist urls, ie custom filtering of sites.

So do you control your AP on the sonicwall, or standalone? Either way can show you how to point to your AD. What AD do you have setup? NT, 2k, 2k3, 2k8? Or you just running LDAP on some linux box?

Grand Master

Roger H. Veteran

Posted
  • Veteran
Posted

I would do AD auth requirements, RADIUS or is it called 802.x EAP?. I was working at the City Hall for a few weeks last year and they set it up to use 802.1x EAP - which then required me to also put in my username/password. That would definitely lead back to me if I was browsing anything wrong even on my mobile phone :)

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

regardless, it still goes through the sw does it not? if you set it up where users need to auth to access the web, regardless of whether or not they are on the domain, you would easily be able to determine who is going where.

for example, when I am on my ad computer I can go out to the web where I am allowed and if I am on my phone I need to auth with my ad creds to get out to the web where I am allowed. In either case, they know where I am going and how long I have been there, or if I access a questionable site.

Collaborator

Distant

Posted
  • Author
Posted

regardless, it still goes through the sw does it not? if you set it up where users need to auth to access the web, regardless of whether or not they are on the domain, you would easily be able to determine who is going where.

for example, when I am on my ad computer I can go out to the web where I am allowed and if I am on my phone I need to auth with my ad creds to get out to the web where I am allowed. In either case, they know where I am going and how long I have been there, or if I access a questionable site.

Yeah the AP goes through the Sonicwall. I don't know where I should setup the auth tho, I'd imagine I'd do that at the AP. Would it be better on the Sonicwall? Never done either...would love it to associate with LDAP though.

Collaborator

Graimer

Posted
Posted

I don't know how Things work were you live(laws and such), but you should be aware of something called privacy. In Norway we're pretty strict about privacy. You should NEVER log computer usage like web traffic that can identify the user(without approval from the employees). If you Discover that employees often tries to Access blocked content, the right thing to do would be to: 1. Block Access(ex. using Your SW's content filtering). And 2. Send an email to ALL employees reminding them of the company's IT-policy, including accessing non-workrelated websites(or whatever you policy is).

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

@Graimer, yeah there is a huge difference between US law and say Norway for privacy.

So after you send out 140th mass email saying stay off the porn what happens? Do you finally track down the user and say Quit it?? ;)

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • This Chinese company is reportedly developing a feature Apple and Samsung can only dream of

      By Liberi_Fatali · Posted

      Doogee and Ulefone regularly release phones with 10k-25k mAh batteries, but those are bricks. I don't understand how they could make it only weigh 220 grams with a battery that size.
    • Windows 10 quietly gets one more year of support and updates

      By TarasBuria · Posted

      Windows 10 quietly gets one more year of support and updates by Taras Buria Windows 10 reached its end of life at the end of 2025. Microsoft kicked off the Extended Security Updates program, aimed at giving regular consumers one more year of security-only updates. By doing so, Microsoft gave users more time and money to update their computers to a newer operating system or compatible hardware. Now, with the end of the Extended Security Updates program quickly approaching, Microsoft is making an important adjustment. Users discovered that the official support article for the program now lists a new end-of-support date: The Extended Security Updates program is not a new concept. It has been an official way for business consumers to continue receiving critical updates for unsupported Microsoft products for many years. However, all this time, it was a business-only, paid feature. With Windows 10, Microsoft brought ESU to regular consumers, allowing them to get security updates for Windows 10 past October 2025 essentially for free. When Windows 10 was approaching the end of support, many guessed that Microsoft might adjust its support timelines, and this is exactly what seems to be happening. Of course, Microsoft would love everyone to switch to new computers, such as its latest Surface devices, but in the days of ever-growing hardware prices, not everyone is lucky enough to have money for a new PC. Leaving hundreds of millions of customers with a Windows version that no longer receives security updates is a major risk that Microsoft is not willing to take. If you have a Windows 10 PC to enroll in the Extended Security Updates program, check out this guide to learn how to do so.
    • Sony announces Bungie layoffs that will affect "significant number of employees"

      By LoneWolfSL · Posted

      Sony announces Bungie layoffs that will affect "significant number of employees" by Pulasthi Ariyasinghe Sony today announced that major layoffs are happening at its first-party studio Bungie, the developer that has spawned series like Halo, Destiny, and Marathon over the past decades. The news arrives just weeks after Bungie delivered the final update to Destiny 2, and it's that team being hit with the layoffs the most. CEO of Sony Interactive Entertainment Hermen Hulst revealed the staff reduction today, calling it "painful news." "Over the past several months, together with Bungie leadership, we reviewed the studio’s long-term direction, development priorities, resource needs, and role within our broader portfolio strategy," said Hulst, explaining the decision. "We explored multiple alternatives before concluding that a reduction was necessary to align the studio’s resources with its current priorities and long-term goals." The layoffs will be hitting "a significant number of employees" across most of the Destiny franchise development team. It doesn't look like Sony is planning to continue the series following Destiny 2's sunsetting update. The studio is said to be in early stages of looking at other projects to pivot to, but it's said that keeping the size of the team at current levels is no longer feasible. "We know this decision has a profound impact on the people affected, their families, friends, and teammates," said Bungie leadership in a separate message on social media. "While these changes are necessary to best position the studio now and for the future, that does not lessen the difficulty of this moment or the impact it has on those affected." At the same time, "some" of the Marathon development team are also affected by the layoffs. The recently released multiplayer-only extraction shooter title hasn't seen a big boom of players either, but the company is reportedly hoping that the live service experience will pick up players with future updates.
    • Microsoft adds reusable skills and finance data connectors to Copilot in Excel

      By Karthik Mudaliar · Posted

      Microsoft adds reusable skills and finance data connectors to Copilot in Excel by Karthik Mudaliar Microsoft is giving Copilot in Excel a collection of new features aimed squarely at finance teams. The update introduces reusable instructions for common tasks, connections to services such as FactSet and Morningstar, and a better way to review what Copilot intends to do before it starts changing a workbook. The most interesting addition is 'Skills' finally coming to Copilot in Excel. Skills let companies teach Copilot how to handle a recurring process, so employees do not need to write the same detailed prompt every month. Users can create skills that can specify the steps Copilot should follow, along with the required layout, formulas, and formatting. Microsoft says users can create their own skills by saving a SKILL.md file in OneDrive. The file is written using Markdown and tells Copilot when and how to perform the task. Once it is available, a user can select the skill in the Copilot pane or mention it in a prompt using the @ symbol. There is also a library of prebuilt finance skills for customers who do not want to create their own. Microsoft plans to let developers distribute additional skills through the Microsoft Marketplace and the Microsoft 365 Admin Center, with LSEG, Ramp, Rogo, samaya.ai, Velixo, and Vena among the first partners involved. The company says that it is also expanding the external data that Copilot can access from inside Excel. New connectors are being added for CB Insights, Daloopa, FactSet, Morningstar, PitchBook, and S&P Global data through technology developed by Kensho. There is a catch, however. Accessing these services may require a separate subscription from the relevant data provider, so a Microsoft 365 Copilot licence will not necessarily unlock all of them. FactSet is also only available in preview for now, with general availability planned for July. Microsoft is also trying to make Copilot’s workbook edits easier to inspect. Users can switch to a planning mode that shows which sheets, cell ranges, formulas, and assumptions Copilot intends to work with before it begins making changes. Once the work is complete, the Show Changes pane can distinguish edits made by Copilot from those made by human collaborators. The update continues Microsoft’s push to turn Excel Copilot from a chatbot into an agent that can carry out longer tasks. The company previously added an Agent Mode capable of planning and completing multi-step Excel work. Microsoft also recently acquired financial AI startup Fintool, another indication that finance is becoming a key target for its Excel AI strategy. Prebuilt skills, personalization, workbook rules, external connectors, planning mode, and Copilot attribution in Show Changes are generally available to Microsoft 365 Copilot customers using Excel on the web, Windows, and macOS. Custom skills are initially available to Microsoft 365 Insiders on Windows and Mac starting today. Microsoft plans to make them generally available across Windows, Mac, and the web over the next month. Partner-built skills are expected during the third quarter of the year. Availability may still differ depending on region and licensing.
    • Rufus alternative Ventoy now supports Windows 11's mandatory update, fixes major boot bug

      By Southern Patriot · Posted

      Exactly. They serve different (although related) purposes.

  • Recent Achievements

    • First Post
      kinowa earned a badge
      First Post
    • Rookie
      krychek57 went up a rank
      Rookie
    • Grand Master
      Jaybonaut went up a rank
      Grand Master
    • One Year In
      Philsl earned a badge
      One Year In
    • Dedicated
      Scoobystu earned a badge
      Dedicated

  • Popular Contributors

    1. 1
      +primortal
      438
    2. 2
      +Edouard
      169
    3. 3
      PsYcHoKiLLa
      134
    4. 4
      Xenon
      77
    5. 5
      Michael Scrip
      75
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!