Isolate a PC

I have a PC I want to run some tests on. It's part of a LAN that I don't want it to be able to access. Within the IP settings for the machine I do the following:

IP Address: 10.10.10.30
Subnet Mask: 255.255.255.255 (just the single PC)
Gateway: 10.10.10.1

So of course Windows complains that the gateway is not within range of the IP address. I understand that. How do I make that happen? ISPs do this on public IPs. I don't want 10.10.10.30 to be able to "talk" to any of the devices from 10.10.10.2-10.10.10.29.

Thanks.
 
you need firewalling, can't do that with a subnet mask...

unless you could set the computer to .2, then i guess technically you could use a /30, or 255.255.255.252

would probably also need to clear the .3 address and make sure it's not being used too...
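The subnet arithmetic behind the two replies above, as an added example (not code from the thread): it shows why Windows rejects 10.10.10.1 as a gateway for a /32, what a /30 at .2 gives you (only .1 on-link, .0 and .3 reserved, so .3 must be free), and why even the /30 is not isolation: anything off-link is simply handed to the gateway, which will route it back onto the LAN unless a firewall rule stops it. Only the standard library is used.

```python
"""Subnet checks for the /32 vs /30 isolation question (added example)."""
import ipaddress


def gateway_on_link(ip: str, prefix: int, gateway: str) -> bool:
    """True when the gateway lies inside the interface's own subnet, i.e. the
    host can ARP for it directly. Windows refuses the configuration otherwise."""
    iface = ipaddress.ip_interface(f"{ip}/{prefix}")
    return ipaddress.ip_address(gateway) in iface.network


def on_link_peers(ip: str, prefix: int) -> list:
    """Addresses (other than the host's own) that the host treats as directly
    reachable; network and broadcast addresses are excluded."""
    iface = ipaddress.ip_interface(f"{ip}/{prefix}")
    return [str(h) for h in iface.network.hosts() if h != iface.ip]


def reserved_addresses(ip: str, prefix: int) -> dict:
    """Network and broadcast address of the subnet; neither may be assigned
    to another device (the '.3 must be free' point for a /30 at .2)."""
    net = ipaddress.ip_interface(f"{ip}/{prefix}").network
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address)}


def next_hop(ip: str, prefix: int, gateway: str, dst: str) -> str:
    """Where the host sends a packet for dst: 'direct' if dst is on-link,
    otherwise the gateway address. A destination off-link still reaches the
    LAN if the gateway forwards it, which is why a mask alone cannot isolate."""
    iface = ipaddress.ip_interface(f"{ip}/{prefix}")
    return "direct" if ipaddress.ip_address(dst) in iface.network else gateway


if __name__ == "__main__":
    # Original post: /32 with a gateway outside the (single-address) subnet.
    print("/32 gateway on-link:", gateway_on_link("10.10.10.30", 32, "10.10.10.1"))
    # Reply: /30 with the PC at .2 and the gateway at .1.
    print("/30 gateway on-link:", gateway_on_link("10.10.10.2", 30, "10.10.10.1"))
    print("/30 on-link peers:", on_link_peers("10.10.10.2", 30))
    print("/30 reserved:", reserved_addresses("10.10.10.2", 30))
    print("/30 packet to 10.10.10.5 goes to:", next_hop("10.10.10.2", 30, "10.10.10.1", "10.10.10.5"))
```

The last call is the important one: with the /30 the PC cannot ARP for 10.10.10.5, but it will forward the packet to 10.10.10.1, and a gateway with no filtering rule just routes it back out the same interface.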
 
Firewalling - yeah. OK, that makes the most sense to me, too. I can do the rules on the firewall easy enough. So on the PC side I would just change the subnet mask to a /24, like everything else, and then adjust FW rules.

thanks.
 
Add a second IP address in the desired subnet to the gateway's LAN interface.

GW IP #2: 10.10.11.1/24
PC IP: 10.10.11.30/24

Running two subnets in the same broadcast domain like you're intending is fine, but it isn't really isolation. It can prevent mistakes, but not malicious activity; for more security you'd really have to use VLANs.
 
If you have that kind of access, you could set up another VLAN. Then set up appropriate rules in the firewall that handles VLAN routing.

Another way would be to add a router/firewall and configure it in such a way that it's isolated. I'm guessing the PC still needs internet access? Otherwise you can just unplug it. :p Personally I would set up pfSense and just have a firewall rule that denies it access to every local IP range (10.x.x.x/8 etc.).
You can still allow specific things if you want, like the local DNS server, HTTP server etc. if it's needed. You would also get to set up your own local IP range and have the option of adding more PCs/VMs to that firewall if you want, as you'd now have your own private NAT network. You can also turn off NAT if you don't need it.

I would not depend on any changes you make to the machine itself though. In theory a virus could just reverse those changes anyway if it's smart enough to figure out the network info it needs to put in (sniffing traffic for ARP etc.).
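A small model of the firewall policy the post above describes, as an added example (not a pfSense configuration and not from the thread): the lab PC sits on the 10.10.11.0/24 range suggested earlier, the local DNS server 10.10.10.2 and the rule list are constructed assumptions, and rules are evaluated first-match, the way pfSense applies interface rules. Running sample flows through it shows why the "allow DNS" exception has to come before the "deny all private ranges" rule.

```python
"""First-match evaluation of a lab-isolation rule set (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port


# Constructed policy for the lab interface (assumption, not from the thread).
# Order matters: the first matching rule decides.
LAB_RULES = [
    Rule("pass", "10.10.11.0/24", "10.10.10.2/32", "udp", 53),  # local DNS only
    Rule("block", "10.10.11.0/24", "10.0.0.0/8"),                # rest of the LAN
    Rule("block", "10.10.11.0/24", "172.16.0.0/12"),             # other private ranges
    Rule("block", "10.10.11.0/24", "192.168.0.0/16"),
    Rule("pass", "10.10.11.0/24", "0.0.0.0/0"),                  # everything else (internet)
]


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """True when a flow falls inside the rule's source/destination networks
    and the protocol/port qualifiers (if any) agree."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def evaluate(rules, src: str, dst: str, proto: str, dport: int,
             default: str = "block") -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); the default applies when
    nothing matches, mirroring an implicit deny at the end of the list."""
    for index, rule in enumerate(rules):
        if matches(rule, src, dst, proto, dport):
            return rule.action, index
    return default, None


def misordered_rules():
    """Same rules with the DNS exception placed after the LAN deny, to show
    that a correct-looking policy silently breaks name resolution."""
    return [LAB_RULES[1], LAB_RULES[0]] + LAB_RULES[2:]


if __name__ == "__main__":
    # Constructed sample flows from the lab PC.
    flows = [
        ("10.10.11.30", "10.10.10.2", "udp", 53),     # DNS to the local resolver
        ("10.10.11.30", "10.10.10.2", "tcp", 80),     # HTTP to the same box: not exempted
        ("10.10.11.30", "10.10.10.5", "tcp", 445),    # SMB to another LAN host
        ("10.10.11.30", "203.0.113.10", "tcp", 443),  # HTTPS to the internet
    ]
    for flow in flows:
        print(flow, "->", evaluate(LAB_RULES, *flow))
    print("DNS with misordered rules ->", evaluate(misordered_rules(), *flows[0]))
```

The HTTP flow to 10.10.10.2 is blocked even though DNS to the same address passes; that is the point of qualifying the exception by protocol and port rather than by address alone.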
 
If you're suspecting that the machine is infected, I would pull the drive and scan it that way; of course it depends on having a way to do so.

Second option, if there isn't data that is important on it, is to nuke it and start over.
 
Just unplug the network cable. That's all you need to do. And scan away.
 