Microsoft Windows DHCP Team Blog

It's very cool, but where is the setup document exactly?

Uhhh, and where is this folder? Through install (on w2k3 r2) I can't choose the target folder, and sorry, but I don't find any files, but only a MacFilterCallout.dll in System32...

Thank you for your help, the exact file name is SetupDHCPMacFilter.rtf.

I cant seem to find the correct configuration file syntax.

I have a file named DHCPMACFILTER.TXT, have specified its full pathname in the relevant registry key (in Parameters like said above, Win2k3 here) and inside has 2 lines:

MAC_ACTION = ALLOW

0020ED8E9E7E

The error file says that "File format not proper" and the info files that the DHCP server has started.

If I remove the MAC address and leave only the MAC_ACTION line then I get again "File format not proper" in the error file, but now the info file has:

The DHCP server has successfully started.

Thu Oct 18 13:54:52 2007 0018f3047478 Allow

Please advice further...

Thanks.

i cant see any logs 1033 from the event viewer.

Thanks for your answer, it works perfectly.

Gee... never thought the curly brackets where part of the syntax as their usual meaning is to specify the set of disticnt values allowed.

Anyway, thanks again, very useful addon.

This is a feature I have been waiting for way too long. Up until today if you wanted to have some control

This is a feature I have been waiting for way too long. Up until today if you wanted to have some control

What about classifying a device (VOIP phone) so that it's thrown into a separate range of IP addresses like ISC DHCP allows for?

I can classify my phones (all NEC) based on the first three parts of the MAC ID so that they're assigned IP's in the 10.30.15 range, but never into 10.30.13 or 10.30.14.

This is a VERY DESIRED feature that isn't addressed anywhere in the DHCP services.

This seems to be nearly what we need for our application, but is it possible to use a range of MAC addresses?

For example we have a range of addresses for an embedded system, and we want to use DHCP for assigning an IP address, without interferance with the our office network.

Something like following will solve this :

MAC_ACTION = DENY

001A85******

Thanks in advance

Stefaan

This all sounds great, but I wish that instead of doing this:

MAC_ACTION={ALLOW}

000b0e994401

000b0e994402

000b0e994403

000b0e994404

000b0e994405

I could do this:

MAC_ACTION={ALLOW}

000b0e*

That way I could permit DHCP to any vendor specific device and deny DHCP to all others without having to make periodic changes to the MAC list and worry about stopping/starting the service.  We have 3000+ devices (all from one vendor) that we want to get DHCP while not allowing it for anything else.  Anyone know if this will work?

Hi!

This looks great, I wish I could make it work.. I have set the values, and it all looks good. The filter file maclist.txt looks like this:

MAC_ACTION={DENY}

000742a72dea

the log says

Thu Oct 18 13:54:52 2007 000742a72dea Allow

the error file says

file format not proper

It looks like same error as above, but I have the {}, I have tried to add/remove spaces around =, but no luck. Text encoding is ANSI, I have tried UTF-8, but I guess this shouldnt make a diffecence. Where do I go from here?

Tor Arne Pedersen

I redid it all, and it worked perfectly. Thanks for this tool. I wonder how I can make IPs be leased forewer, I guess callout.dll could do this.

Is the Callout filtering can support wildcard if I want to deny all as to 101010 beginning MAC addresses?

I would like to know that Infolog files have the max size constraints.

Even after adding the mac address in the allow list, server is not serving IP to the specified pc. seems some bug on the dll.

Hey Pandya

I perfectly configured as per the doc, when I see the log  there were many deny messages for the Mac address which is in allow list.

My environment is Win2k3-Sp2 and in fact I have checked with a desktop and few laptops mac addresses included in the allow list. But as per the log those are comes under denied.

Looking for your help.

Hey

I have configured only Allow list.

Thanks for this tool!  I see that wildcards are not supported, but are there plans to support mac wildcards in a future release?

Is it planned to add wildcard feature to your tool?

As on other post here I would like to deny all requests from e.g. IP phones.

Best regards,

Juergen

Thx so much for this addition. I was really cursing MSDHCP until I found this bit. It works great, and plan on rolling it into production soon.

Is it possible for the callout to have an allowed mac address list per subnet?

To explain: We wish to secure our devices (thin clients) from being moved physically from office to office (subnet to subnet).

I followed the directions precisely and it worked great. Thanks for including something that SHOULD have been included OEM on the DHCP server.

Cheers

Jonathan

Dear Raunak Pandya

I have configured Collect DLL for my DHCP server but it's not running. i think my configure is OK but why not working?

"This key specifies callout dll path for dhcp server e.g. c:\calloutdll\<calloutdll name>.dll" this description's "calloutdll name" is which file ? may i put in MacFilterCallout.dll file there? is it right?

please tell me all of configuration how do it exactly if it possible?

thanks

Hi Raunak

A quick question to you. Do we need to restart the service whenever we are adding mac address on the allow list? Cos the server doesn't supply IP's without restart, simply denies.

I think thats where the issue I had faced last time.

Excuse me, but I don't have the money to set up a W2K3 machine.  Can callout DLL work on a XP Home acting as a gateway?  And is callout DLL uninstallable?

Must you restart the DHCP Service when you modify the MAC filter list?

I tested this tool on two distinct dhcp servers and they both denied all IP addresses even though there was only one MAC address in the config file with the DENY option or allowed them all, again even though there was only one MAC address in the config file with the ALLOW option :-(. This also applied after I restarted the DHCP server service..

Dear Raunak Pandya

Thanks for this tool

Is it planned to add comments to file with MAC addresses? It would be easier to find to whom belongs specific MAC address.

S.M.

ok.. it seems to be working now.. my "problem" was that I wrote the MAC address with capital letters instead of small letters. If I write

MAC_ACTION={ALLOW}

0050569337ad

it works but not for

MAC_ACTION={ALLOW}

0050569337AD

thanks alot,

Jens

Running on Server 2003 R2 x64

When starting the DHCP Server service, I receving:

"The DHCP service has failed to load one or more callout DLLs. The following err occured: %1 is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. "

Just wondering what happens regarding existin reservations?

Do the MAC address's for these existing reservations need to be added to the the allowed list or will they just work any?

Can you point the callout DLL to a radius server??

Is  there an option to send request to a radius server instead of a text file??

Would it be possible to put the source for this callout on www.codeplex.com so that the community can extend it?

Thanks, Scott Pascoe

I agree with S.M.

We need to be able to add comments.

Great tool though.

Great tool, I´ve been wondering for a long time why the Windows DHCP-service is so "insecure". Not anymore :)

to Matthaus:

I think yes. I added these MAC addresses to the allowed list. Otherwise these hosts didn't receive  config from DHCP.

The Attachment only have the msi file nothing else.

Does the DHCP server crashes due to wrong MAC format entry in DHCP filter.? I mean I entered o instead of ZERO by mistake.

Pls answer me , saanra@gmail.com

On my setup, using deny, I need to have two macs in the maclist.txt file for this to work. When I had only one mac addr listed, it allowed the dhcp server to assign ip anyhow. I added a second mac to the list, unused addr actually, and restarted dhcp. Now it works. Mac address being denied fine. Its funny how the {} brackets are literally needed in the action line for it to work.

Has anyone tried this with a larger environment of approximately 5,000 DHCP clients?  Any performance issues?

Hey,

The tool looks great, but somehow i can't get it to work... installed, loaded up the reg settings, rebooted the DCHP... nothing, so i kinda made sure the maclist.txt has error's in it and i notice that also no log files were generated. So it seems like the callout isn't loaded...

DHCP Reg settings: http://img527.imageshack.us/img527/4114/dhcpsettingsqo7.jpg

Hope anyone can help

Thx, that helped :) i got an error 1034 saying: The specified module could not be found.

Solution: Changing the "%SystemRoot%" variabele to my hardcoded systemroot (e:/WINDOWS/system32/)

running on:

Windows server 2003 R2

I have configured the same way ...it works great.

Seems to be working. It can be improved, for sure.

As we have to re-start the service everytime when there are changes in the MAClist file, is there any way to make it dynamic.

Regards,

Ajith KUMAR

Hy Raunak

I configured the DLL with this options, but no event 1033 and no error

The dll is under C:\CallOut\MacFilterCallout.dll

In the macfile located C:\CallOut\MacList.txt

MAC_ACTION=ALLOW

008064*

The registry settings are the folowing

CalloutDlls C:\CallOut\MacFilterCallout.dll

CalloutEnabled = 1

CalloutMACAddressListFile = C:\CallOut\MacList.txt

What do I wrong??

Thank`s for your help

Günter

Excellent tool.

This tool resolved my problems.

Thank You.

Hy Raunak

thank`s for answer.

I use Windows Server 2003 32bit Standard Edition with SP1 german.

The Server is a Domain Controller

I configured the LogFile in the same path in registry.

HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters

CalloutErrorLogFile = C:\CallOut\error.log

CalloutInfoLogFile = C:\CallOut\infolog.txt

and I change the MacFile to the folling for testing.

MAC_ACTION=ALLOW

00184D33194E

I restart my DHCP Server and nothing.

No LogFile created, no 1033 event

Only the event 7035 (starting DHCP) and 1044 (Authentification DHCP) as information in the eventlog are present.

What goes wrong??

Must I register Calloutdll with regsvr32??

So, we have a lot of Wyse Terminal they are all beginning with 008064, so my additional question is, is it possible to configure CalloutDLL only give this

MAC Segment a DHCP Adress or have I to write all possible adresses to the MacFile???

Thank`s for your help

Günter

Installed on Win2003 x64.  Get error 1034, The DHCP service has failed to load one or more callout DLLs.   The following error occured:

%1 is not a valid Win32 application.  is not a valid Win32 application. Any solution? Or is it just for x32-systems?

At last I regain control of DHCP lease!

thanks for the tool, one note though; it seems that MAC addresses must be typed using lower case letters, I couldn't get it to work while typing in  CAPITAL!

Hy Raunak

I can start call-out with the event 1033 in the eventlog, but in error.log the messages

"File format not proper" is insert always I start it.

My MacList.txt File look like this

MAC_ACTION=ALLOW

00184d33194e

What`s going wrong?

Thanks for help

Günter

Hi Guys,

Is there any way to specify multiple mac lists, we intend to put the mac lists in DFS and have all our servers reference it so that we have a central allowed list of machines. It would be nice if you could maintain a mac list per site and have each server load all the site mac list one by one on start.

This is just a bit more manageable than 1 big file.

Tried the following for the CalloutMACAddressListFile Key with no luck.

C:\WINNT\system32\MiltonMAC.txt;C:\WINNT\system32\RiseleyMAC.txt

Thanks

Paul

Great tool, let me add to the comments from others... ned a simple way to add a comment so we can easily associate mac addresses to users/machines. even if you read the MAC address digits and ignored anything else on the line would be fine

Hey thanks for the tool. I don't seem to be able to get it working. I have a 2k3 server. I did all the registry entries correct. I have check three times. the DLL seems to log the MAC addresses it has allowed and given DCHP address. Here is my maclist.txt file.

MAC_ACTION={DENY}

***********

***********

I have checked for spaces still nothing. the 1033 message comes up that the DLL has been loaded. not sure what is going on here..

I have Five Registry entires under.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

CalloutDlls

C:\calloutdll\MacFilterCallout.dll

CalloutEnabled = 1

CalloutErrorLogFile

C:\calloutdll\log.txt

CalloutInfoLogFile

C:\calloutdll\log.txt

CalloutMACAddressListFile

C:\calloutdll\maclist.txt

Path to the DLL is

C:\calloutdll

Log file out put has no errors only list of mac addresses with allow beside it.. Any help would be greatly welcome..

Paul

This tool works great with Windows machines. I recently found that it does not work with Apple Computers. I have the MAC_ACTION set to allow and the maclist contains all MAC addresses I want to allow. Even with Apple computer MAC addresses excluded from the list they still get an ip address from the DHCP server.  Can anyone out there confirm this in their network environment?

How do you uninstall the filter?

Raunak

Are there plans to allow this tool to work on Server 2003 R2 x64 ?

Thanks in advance.

Is the source code available for this project?

I was going to write something along these lines but with additional custom features for our company and this would be a great starting point for us.

Thanks!

I have MAC list file of around 28 MB, there is no issue in configuration everything is perfect, but DHCP Fails to start and throws error 1053, Event Viewer says dll is not loaded due to exception 3221225725

Hello there,

Please help me, I'm always having an

"File format not proper" error in my ErrorLogFile.txt. I can see the 1033 in the event veiwer. I have server 2003 installed in VMware workstation.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters

CalloutDlls

C:\callout\MacFilterCallout.dll

CalloutEnabled = 1

CalloutErrorLogFile

C:\callout\ErrorLogFile.txt

CalloutInfoLogFile

C:\callout\InfoLogFile.txt

CalloutMACAddressListFile

C:\callout\MACList.txt

C:\callout

Dalam Windows Server 2003 dapat dilaksanakan blocking MAC Address melalui DHCP Server. Seperti kita ketahui

Hi ,

I need to allow only company Mac address will get IP .If some one outsider wants IP from our DHCP server until entering his/her Mac address in to  allow list he /she should not get IP  address from our DHCP server 2003 .

Please help me the script and step by step configuration..

Thanks

Brahma Biswal

Hi ,

I need to allow only company Mac address will get IP .If some one outsider wants IP from our DHCP server until entering his/her Mac address in to  allow list he /she should not get IP  address from our DHCP server 2003 .

Please help me the script and step by step configuration..

Regards

Biswal

Is the 1033 event in the system event viewer the only indication that the dll is working?  I think everything is placed right but still no message. Using server 2003 SP2.

CalloutDlls  C:\calloutdll\MacFilterCallout.dll

CalloutInfoLogFile C:\calloutdll\infolog.txt

CalloutMACAdressListFile C:\calloutdll\MAClist.txt

Hi Thanks for this great tool, my question is How can I put comments on each MAC address to esily determine how is the owner.

Ex.

MAC_ACTION={ALLOW}

000b0e99440c (Aries' PC)

000b0e99440d (Guest1's PC)

Thanks

Hi TeamDHCP,

  I have a question,

  I tried to ALLOW a MAC to connect, the PC able to access and get an IP then I removed the MAC address of the same PC (restart DHCP) and retry to connect. The PC can still get an IP address from the DHCP, even the log shows that it was denied.

  Is this due to the IP-MAC lease is still at the DHCP scope or at the DHCP database?

  What sould you do so once you remove the MAC from the list, it will no longer get any IP from the server.

Thanks,

Aries

CalloutEnabled  ande set at 1

I have it set but I still see no 1033? I see a 1044?

Am I suppose to look in the System Event viewer?

Magnus

Its working perfectly now, you are correct no problem in registry, the problem is in the MAC addresses. i change all capital letter to small letter and its work. Thanks for the Tips

Joe

We have 12 subnets and each subnets we have dhcp server. the problem now is most of our user specially in sales and marketing department are shifting from one place to anther. is that possible  that in the registry of the other subnet are pointing to only one dhcp server instead of creating it one by one. as you it is a nightmare for me to add all the mac addresses of all PC's and then restarting again the dhcp server.

Thanks in advance

Is there a way to get the MAC addresses currently in use out of a log file so one doesn't have to hand enter all of the existing clients?

Thanks......

New feature request:

We have a laptop that moves between several subnets (vLANs) within an hour.  We would like to reserve an ip address in each dhcp scope (subnet) for one mac address without manual intervention.  For example,

superscope

scope (172.16.1.0/24):

 reserve ip address 172.16.1.1 for mac address: 0000aaaa1111

scope (172.16.2.0/24):

 reserve ip address 172.16.2.1 for mac address: 0000aaaa1111

...

scope (172.16.n.0/24):

 reserve ip address 172.16.n.1 for mac address: 0000aaaa1111

Currently, Microsoft Windows 2003 SP2 dhcp server allows for entering the same mac address in these scopes, but fails to give the laptop the correct ip address.

Please let me know if this tool could be modified to allow this scenario.  Or if a new tool would be needed.  In either case, when would it be available for general use if at all.

Thank you,

Ken,

Create a script using the "DOS" command getmac and loop through your ip address ranges (/S ip address)...

GETMAC [/S system [/U username [/P [password]]]] [/FO format] [/NH] [/V]

Description:

This command line tool enables an administrator to display the MAC address for one or more network adapters on a system.

Hope this helps,

Sul blog del team Microsoft che si occupa del servizio DHCP &#232; disponibile una DLL &quot; DHCP Server

I get an error in my errorlog stating "Could not open the data file"

THe filter file is in the c:\calloutdll directory, the registry matches the file name MAClist.txt and the directory and the file are readable by Admins, SYSTEM, and Users.

I'm running two scopes on 1 physical dhcp server.two interface running dhcp server,Interface1 is 192.168.10.x and interface2 is 192.168.20.x..Is this tool

possible to implement with this scenario?Thanks!

Is there any workaround to block with statically configured client pc?

how do i know if there are statically configure client in my network? some users

are capable of doing the static ip.

anyway,i got it working flawlessly.

Hi team DHCP,

thanks again for this useful tool.i made it work with my two interface dhcp server but there's an issue,those mac address from both interface network are all accepted on the MACList file.I need the two network(192.168.10.x & 192.168.20.x) to be independent to each other.mac address on 10.x should be deny on 20.x network and vice versa.

is this doable?

rayray

Hey DHCP Team,

Great tool!

Question:  How will this work with 802.1x?  If a client fails 802.1x can I add the machine MAC to the list and have it added to a "Guest VLAN" / Subnet?

Thanks

Chris

hello

all config for me is correct but it does not run 1033 log

please help me

What would happen if a computer was introduced to the network with a proper static configured IP address but the MAC address of this computer was not in the data file of acceptable MAC addresses.

Would the computer still gain access to the network or would there be an IP conflict.  Also what if that IP address being used by the computer in question was already assigned to a viable computer in the network/domain?

Vista Business not working!

Works great for XP Pro and Vista Home, but Vista Business Machines never get an IP. Cannot determine the blockage/problem. Anyone?

I just want to be clear..

If i set a mac address to JUST deny- it will deny that but ALLOW everything else? or do i have to manually put in all MAC addresses in the ALLOW list?

I am having the same problem with Vista Buiness.  The macs on those machines are on the allow list but the do not pull a ip address from the DHCP server.

Mike V

I just tested this again on Windows XP Pro and it worked fine.  When testing on Windows Vista Business and Enterprise the systems do pull a ip from the DHCP server when using the call dll. It is loaded up fine and there are no filter errors on the server.  Anyone else having this issue.

Mike VanDusen

Correction to the previous post, the Windows Vista Business and Enterprise do not pull a ip address.

Mike VanDusen

Vista Business Problem

I cannot find a solution for the problem.

I am looking at using the program for blockage to stop someone that does not know the IP range from simply plugging in a foreign computer, exlcuding a range from DHCP, and using that range to statically assign IP's to vista business machines. I still need an allowed range for my VPN Clients. Anyone finding a solution for vista business can email me directly: admin@coloabc.net

Are there any fixes for Windows Vista Enterprise or Business yet?  This is in reference to the callout dll.

Michael VanDusen

Have you developed a version for x64 or is there a date that it will be available?  I received the 1034 event that it's not a valid win32 app.

What is the different between MACFilter and Reservation?

What if someone knows one of the MAC address and change to it, could DHCP server detect it?

Hello.

I am trying to use this dll but my W2k3 machine won`t load it. The registry values seem to be corect. The paths also. In event viewer i only get 1044. No 1033 :(

What could be wrong? :(

Help.... please..

Any chance there is sample source code perhaps .net source code for this?

Thanks

By the way, should I stop the DHCP Service first if I need to modify (add or remove entries) from MAClist.txt file?

I am getting the "is not a valid Win32 application" Event ID 1034 as well and I am running a x32 version of server 2003. Whats wrong?

I have successfuly configured Callout DLL and it is working fine. But how to restrict the users which are configured static IP address in their PCs themselves.

Kindly reply me as soon as possible.

I have reserved IP addresses in DHCP for some network equipment and printers on my network. For my servers and firewalls I have assigned static IP's. These IP's are also excluded from distribution.

Do I need to add the MAC addresses for these devices to the MACList.txt?

Servers and firewall IP's are assigned statically, they are not reserved.However, these IP's are in the excluded range.

Printer IP's are reserved, they are not assigned statically.

So just to be clear, I would need to add the printers to the MAClist.txt but not the servers and firewalls?

This works great!  Thank you!!!

I have installed as instructed and used an allowed function on a windows server 2003 sp 2. Everything seems to be fine and am getting the 1033 event id etc but it is allowing everything to get an address. the file is as follows

MAC_ACTION = {ALLOW}

001b77bebf89

001b77db7024

etc.

any ideas.

Sorry to be stupid but I missed typed the maclist file in the registry. When I typed it properly it worked absolutely fine. Many Thanks David Hutton

It is great for filtering student laptops via wireless we only allow our equip. but I also have 350 desktops. Doesn't the MAC list need to have ALL devices on the network or I would be denying my office worker's machines an address?

Hi All,

I am not able to download callout DLL setup.exe to implement on windows W2K3, if any one knows download link please pass it here,

The link that I am trying is http://blogs.technet.com/error.htm?aspxerrorpath=/blogs/attachment.ashx

Regards

Shuja  

Dear Ajay,

Thank you very much, I really appreciate it, I need for windows 2003 32bit.

Regards

Shuja

Hi Ajay,

I found it thanks alot

Shuja

Hi,

I put in the mac file format as

#MAC_ACTION={ALLOW / DENY}

#001BXXXXXX

and I did change the path of MACList.txt in registry as guided in the document, but it didnt work, I am trying my best to fix it, if any one have any idea or can give me structure of file format.

I'm ready to try out this exciting tool! However I don't have a test lab so this will have to happen on our production server. Are there any possible problems that could mess up my DHCP services? What if I want to remove this in a hurry? Or can I just leave the text file blank and then everything continues running?

Hi Pandya,

I used without '#' as well, in error log says, action not correct and file format not proper I tried many ways but no success. may the MACList.txt I saved in the location system32\\MACList.txt is not correct?

Thanks

Hi Pandya,

I have done with MAC filtering, but when I add a node's MAC address then it dosent assign IP to that node, until I restart server, after server restarted it is ok,

I mean it automatically doesnt update the list?

Thanks

Dear Ajay!

Is it possible to use this tool with win2k3 standard edition?

I read about it in the readme, but it says (system requirements) to me no.

Gunter (tried it, comment: Friday, March 14, 2008 2:44 AM) but I don't read about the result.

Thanks

Hi the mac address filtering runs fine until I try to access it through a wireless access point. If I set calloutdisabled to 0 then the client machine can get a dhcp addres but not if I enable the filtering. Any ideas.

The config seems to be OK and in the infolog file I am getting

Action specified is : ALLOW

Successfully read mac addresses

The DHCP server has successfully started.

Thu Nov 27 11:42:09 2008 0018de0b0a21 Deny

Thu Nov 27 11:42:12 2008 0018de0b0a21 Deny

Thu Nov 27 11:42:20 2008 0018de0b0a21 Deny

etc

which is the coorect mac address for the wireless connection but I get

Thu Nov 27 12:03:45 2008 000b6c37bcf1 Allow

Thu Nov 27 12:03:45 2008 000b6c37bcf1 Allow

if I connect the lan card

hope you can help Dave

but this is only if it is coming through

No the wireless card is the one that gets denied but the lan card gets allowed. It is only if the mac address is coming through the wireless that it gets denied. It recognises it but denies it. Dave

Inside the file MACList.txt you could make, and we recognize as permitted mac and mac denied

MAC_ACTION DENY = ()

MAC_ACTION ALLOW = ()

Greetings and hugs

When you add a file to the mac MACList.txt only would have to stop the service dhcp it and start again?

Greetings and hugs

Raunak, are you wanting a copy of the log file and MAClist? Dave

Here you go

MAC_ACTION={ALLOW}

0013a9d72021

00147C4F9DCE

Dave

Hi

I've installed this callout on W2K3 Ent and act as DC.I can see 1033 on the eventviewer.after i restarted the dhcp service,the ip address that i put on maclist,was blocked by dhcp.however,after several attempted,that pc can finally get ip from dhcp server.

Fri Jan 16 19:44:46 2009 000c29fbdb21 Deny

Fri Jan 16 19:44:46 2009 000c29fbdb21 Deny

Fri Jan 16 19:44:49 2009 0002b9c45480 Allow

Fri Jan 16 19:44:49 2009 000c29fbdb21 Deny

Fri Jan 16 19:44:49 2009 000c29fbdb21 Deny

MAC_ACTION={DENY}

000c29fbdb21

i run this pc under VM.is it something to do with VM?

I'm trying to decide if this tool can assist with this scenario.

We run an 80/20 split scope across two servers and want to statically assign a small range of ip's within each scope to certain devices with the same vendor MAC while still providing normal DHCP services to the rest of the devices. We have about 2000 devices and 200+ scopes so a MAC wildcard would be useful.

I was thinking of ip reservations but now am leaning toward a dedicated scope with an allow filter for the controlled devices while setting a deny filter on the normal scope.

will this even work? any suggestions?

I am unable to look at the contents of MacFilterCalloutInfoLog.txt while the DHCP Server service is running. Is this appropriate behavior? It also looks like the file is overwritten every time the DHCP Server service is restarted.

Hi,

How I put comments on MacList.txt?

Thanks

Hi, again

Which the latest version of MacFilterCallout.dll?

I'm using version 1.0.0.1

Thanks

I like the idea behind the MAC Filtering, I just do not know if I want all the problems keeping up with PC moves in 25 locations across Florida. It would be nice to use DHCP as it is now aand then be able to use MAC Filtering to block a MAC that you do not want back on the network once you've grabbed their MAC. Can we do this, still give out IP by request and then block a MAC that you do not want.

Joel

Hello Everybody, Thanks for all those who tried the MacFilterCallout dll . As you all must have checked

In response to Joel's question it shoudl work that way using the "Deny" option. I just found this tool and we are about to test it that way, We have 15-20 sites and over 1300 computer/device objects in AD and it would work much better as we find rogue systems just add them to the list.

I have a question about this tool, or anthing else that might help us.  We have 100 Symbol / Motorola handheld computers that need to acquire a unique IP address based on MAC address and I was wondering if there was some way to do it with this tool and wildcards, since the first four segments of the MAC are identical.  If not, is there anything that can be done with Vendor Class or User Class?  Thanks.

Thanks Raunak, that is probably our final option.  We need to insure they come out of a specific IP pool that is not routed the same as our primary IP pool.

Hey teamdhcp,

thanks for the tool.  Literally just in time to safe the day.  We're implementing a lockdown on our network by using 3 groups. We want to allow office PC (small group) to the Internet and Datacenter.  That will be group 1.  There are people that VPN tunnel in, so we'll put them in group 2.  Group 2 needs access to just the office.  Group 3, guests and whatnot.  They just have access to the Internet.  Our current setting is going thru a pix.  However, we want to try your tool since it seems less limiting than the Pix.  Is this possible?  if so, how would the Maclist.txt look like?  Thanks for your help.

James

Hello guys! Thanks really, it is very interesting. Someone has tested use on windows sbs server?

hi

installed today, everything works great!

Question:

to add a future just enter it in maclist and restart the dhcp or you must restart the server?

Thank you very much (win sbs 2003 server and 8 client).

It also does not show the computers, that it is allowing even though they are not on the mac list, in DHCP - it's not showing a lease even though they have been given an IP.

I am not receiving any responses in the eventlog on the one that does not work except for the standard 1044. The one that works give me a 1033. I have check the registry in the parameters section for the DHCP service section on both machines an they match exactly. It is like the DHCP service is ignoring the callout hook.

when I try to install

(MacFilterCalloutInstaller-x86.msi)

it install ok but I cant see where it installed to use

and when I try to install

(MacFilterCalloutInstaller-x64.msi)

give this error mesage

"this installation packege is not supported by  

this processor type

please contact your prospect vendor "

I use windows server 2003

みなさん、こんにちは。Windows Server プリセールス担当の瀧本です。最近DHCP サーバーが話題になることが多くなってきています。地味な存在である DHCP サーバーがなぜ話題になるかと言うと

Hello

I have installed Macfilterdll on our DHCP serveron windows 2003 server standard. I have configured and updated the registry according the documnet. I have added the MAC address of few of the system and allowed them in the mac.txt file. When I have restarted the DHCP service than the systems were not getting the IPs from the DHCP server. In the log file I was getting the error deny.

Also the entry of MAC address in mac.txt file is case sensitive?

Kindly suggest???

Thanks

Pankaj

i have one client that has been added to the list but the log on the DC keeps saying deny.  Their mac is correct.  

Any other places i can look to see why it's not connecting?

not sure of the version we're using.  It's been in place for a while.  We were using it as DENY but today i moved everything to ALLOW (only).  

Here is part of the infolog

Action specified is : ALLOW

Successfully read mac addresses

The DHCP server has successfully started.

Wed May 06 14:27:06 2009 08000f390c05 Deny

Wed May 06 14:27:16 2009 001b2450045f Deny

Wed May 06 14:27:19 2009 001b2450045f Deny

Wed May 06 14:27:22 2009 08000f390c05 Deny

Wed May 06 14:27:27 2009 001b2450045f Deny

Wed May 06 14:27:42 2009 001b2450045f Deny

Wed May 06 14:27:53 2009 08000f390c05 Deny

Wed May 06 14:28:44 2009 08000f390c05 Deny

Wed May 06 14:28:51 2009 08000f390c05 Deny

Wed May 06 14:29:07 2009 08000f390c05 Deny

Wed May 06 14:29:38 2009 08000f390c05 Deny

Wed May 06 14:29:53 2009 08000f390c05 Deny

Wed May 06 14:30:01 2009 08000f390c05 Deny

Wed May 06 14:30:09 2009 00197e948d01 Deny

Thank you Raunak.

I did upgrade to the newest version.  It definitely worked after that.

Much appreciated!

Dear Raunak

Thanks for your suggestion. I have resolve the issue. It was due to case sensitive. Now it is working fine.

If I will install the new package what seetings I need to perform?

Thanks

Pankaj

Thanks Raunak......

Pankaj

정책기반 보안 인프라를 만들면서 기업에서 필요로 하는 DHCP Mac address Filtering 기능이 Windows Server 2008 R2 의 DHCP 서버에서는 내장 되어있습니다

This is cool but how do I write the filter to give all xbox360's with a MAC address vendor prefix of 00-17 on to a specific scope.  Eg: general population is on 192.168.50.x/24, Xbox's should go to 192.168.51.x/24

Thanks much for your help.

Fizz

Hello guys,

 Do you know if this tool works on Windows 2003 Standard Server or others versions? The system requirement on documentation (SetupDHCPMacFilter.rtf) is Windows 2003 Enterprise Server or higher.

Thanks in advance,

Arthur Fernandes.

I have two DHCP servers, each having different scopes.  I am focusing on one particular scope, and have created reservations for all approved machines within that scope.  I want to be able to take this further and allow only the MAC addresses for these machines, to get an address from within that scope.  As in, if a rogue laptop or device connects to our network, an address will not be provided.

The problem with how I understand this, is that the process will impact all my scopes, and I do not want to do that for various reasons (our phones are VOIP and are set to DHCP, for example).  

Can I have this process apply to just one scope within the DHCP server, ignoring other scopes?

Hi,

Is there any way to turn off the Info log file, so this information isn't logged any more? We have a lot of activity on our DHCP servers, and the file is growing by 7MB a day, which we can't maintain for long.

I've tried deleting the path in the CalloutInfoLogFile registry key, as well as deleting the key completely, but the DHCP service then refuses to start (throwing up an error 1032 in the event viewer)

Thanks,

Mike

Will the DHCP callout DLL work on SBS2003 as well?

Hi

I have installed th msi and even see the event 1033. i found the 3 txt files

MacFilterCalloutErrorLog

MacFilterCalloutInfoLog

MACList

in

C:\windows\system32\dhcp

i have this error "Line Number 2 Not In Proper Format

File format not proper" in MacFilterCalloutErrorLog.txt

can you let me know why? and

i have only this in MACList.txt

MAC_ACTION={ALLOW}

00-0d-0c-4a-67-23

but i can see lot of MAC's allowed.

Thanks in advance.

Gop's

ALL YOU NEED , Works great, especially on my remote network. Being unable to be everywhere, in combination with a little script to monitor the logs, sends me and other administrators real time pop up message when access is denied.

I am running Windows 2003 R2 x64 server. When I try to run MacFilterCalloutInstaller-x64.msi, I get error "Proccessor Architecture not Supported." MacFilterCalloutInstaller-x32.msi terminates with the same error. Is there anything I need to do, to install this dll?

I have applied this solution to allow for specific mac addresses in the maclist.txt file.  However, although the log file shows that it is definitely allowing my designated mac addresses to receive IP addresses, when I look at the DHCP management console, nothing is listed under DHCP leases.  Is this a known issue?  How can I get the currently leased IP addresses to show up in the DHCP console?

Thanks in advance for your help!

Joe

hi...i've noticed that every time i restarted the dhcp server under services...the logs on MacFilterCalloutInfoLog has been deleted...is there a way to restart the dhcp service without deleting the MacFilterCalloutInfoLog logs?

I installed it and it erase my DHCP Server Configuration.  Is this normal? Is there a way to restore it?

After installing the new version I'm not able to open the CalloutInfoLogFile while dhcpserver is running. Is this an intented behaviour?

Additional info: I changed the path to info.log in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters\CalloutInfoLogFile to d:\info.log

PS: MacFilterCallout.dll  works here as well with a localized w2k3 r2 (german)

hi, is there a way where i can deny IP address?...say, a client statically configured IP address on his machine and this IP belongs to the IP address range for distribution of our DHCP server.

My objective is that to prevent this clients or users for gaining access to our network even they statically assigned their own IP address.

Raunak,

First - many thanks for this useful tool.  I fear some commenters have neglect this obvious acknowledgement in their rush to ask for more features.

The use of {DENY} with curly brackets wasn't clear but reading the above sorted that out.  I note that the log file now has an opening lines:

  Action specified is : DENY

  Successfully read mac addresses

  The DHCP server has successfully started.

so it's clear that the config file is read and understood.

Pardon me if I'm being too simplistic but could both ALLOW and DENY features be possible by something like this:

- two copies of the same DLL (or very nearly the same DLL)

- the only difference is a separate set of registry entries so that the config and log files have different name or locations.

Then users could have two config files one for Allow and another for Deny that are used by two separate but identical DLL's?

Not an elegant solution but I thought it might be easy for you to implement without a lot of changes to the existing DLL.

Just a suggestion.

Again, thanks,

Victor

Hello,

I've used Routing and Remote Access to create a NAT server on a Win2k3 server.

As far as I can see from the wizards, it uses it own DHCP allocator to provide IPs to my private network. Is there a way to make that DHCP service (which is not a standard DHCP server role) use the callout dll?

My attempts to install the callout dll failed at first because it seems to require a DHCP server role, something I don't really need in this situation. I did install the roll to be able to run the callout installer, but it doesn't seem to work together with the NAT server.

Hello,

is it possible to reload the DLL only. After the MACList.txt was changed? Or exists another MacFilter for DHCP server?

Thanks,

Hi there,

Please can someone tell me what the effect stopping and starting the DHCP server will have on locally attached clients. Will they remain connected to the network and be able to function normally for the brief time the service is down or will they cease to connect while the service is down and then reconnect once it is back up again. I am a junior network engineer and work in an organisation that realistically has people connected to the network 24 hours a day. (I was trying to avoid coming into work at the weekend just to test this DLL)

Thanks for you help in advance

Dave

I'm concerned about the Vista clients.

I saw people complaining that their Vista clients don't get IP.

I'm working on a virtualized environment, and I'm pretty happy with the results, works like a charm...but I don't have a Vista VM to continue with tests.

Can Vista/Win7 clients get an IP address from the DHCP server (with callout dll)?

Thanks,

Hi Pandya,

Can Be installed the DLL on windows 2003 server in Spanish.

Has any work been done to add wildcards to the callout?

My scenario:  We have VPN clients coming in to the network that use DHCP to get their IP address.  

Right now I have to set up static routes on a layer 3 switch to each address as it's assigned so they can see all the subnets within our network.  

I'd like to have 2 DHCP servers set up so that I can assign the VPN clients addresses from a specific range and the other DHCP server assigns to the rest of the network.  

The VPN clients all start with the same 6 digits in the MAC address so that would make it easy to do the ALLOW and DENY on the DHCP servers with a wildcard in the callout DLL.

If I can't do the wildcard then my question is how do I specify a DHCP server to respond slower so that the main DHCP server can answer first?  I am able to direct the VPN clients to the specific DHCP server but I don't want that one answering other requests on the network.

Thanks for the response, Raunak.  

Unfortunately I am stuck with Windows Server 2003 for now.  

I am going to look into the Option based callout dll though.

Thanks!

Raunak, I just realized you pointed me back to the exact callout dll I was working with.

The VPN clients are all from the same vendor and their MAC addresses start with the same 6 digits.  My problem is that without wildcards I would have to create over a million entries in the text file to cover all possible MAC addresses in that range.  The remaining 6 digits of the MAC address are randomly created when the VPN link is established.

That is why I would REALLY like to have wildcard support in the callout DLL.  It would take care of my problems immediately.

Hello,

I'm not sure to be in the right place for this question, but this seems to be an authoritative site about dhcp :-)

I need to configure the windows dhcp in order to release different IP according to the host VLAN ID.

I.E. I want that the dhcp release an address taken from x.x.x.10 and x.x.x.20 if the requiring host belong to VLAN ID X and from x.x.x.21 and x.x.x.30 if the VLAN ID is Y.

How can I set it on the windows dhcp?

Thank you

Ok, thank you very much.

I try to explain my scenario in the quickest way, hoping to be clear.

In my situation I have a router that manages 2 vlan ID on the first 50 ports, because one Vlan ID will be assigned to voip phone devices and one to PC.

I didn't configure the router because is managed by another company, and I don't know how is configured, but reasonably I think it's ready to do a dhcp forward for the requests received (and I have verified that without the VLAN ID set up it works).

In this situation I only want to assign a different IP Address when the devices send their request in broadcast, according to the VLAN ID assigned to the devices requesting. If I don't mistake I can assign the VLAN ID to the phones and to the ethernet card on the host before they make the request, so when they ask for an IP the replying server should know their VLAN ID.

How would be the correct behavior for this environment? Sould I have to configure 2 different DHCP servers (replying to different IP address) and should the router that forward the request forward it to the correct server according to the VLAN ID or whatever?

teamdhcp,

thank you for the wonderfully useful tool. this is exactly the sort of thing we have been looking for. earlier we were contemplating using your 'DHCP Reservation Tool' to 'clone' registration data from one scope to the next, but this is will solve the problem for is in a much more immediate way.

im sure you are tired of hearing this but, if the mac address list file could have comments in it it would really be a huge benefit for most people :) thanks for fixing the uppercase/lowercase problem though! :)

May the LORD be with you in your endeavors :)

---

Caio,

Your comment is sort of hard to understand but let me tell you how we have our setup configured and maybe it will help you.

We have 1 core L3 Switch / Router that has multiple VLANs defined on it. Each of these VLANs is on its own subnet. So, for example:

VLAN 1 is 192.168.1.0/24

VLAN 200 is 192.168.200.0/24

we have 1 DHCP server (Windows 2003). In the server we have two scopes, one scope is 192.168.1.0/24, the other scope is 192.168.200.0/24.

the server does NOT have a 802.1q NIC, so the server itself does not know at all that there are multiple VLANs.

our core L3 switch / router has a 'DHCP relay' option, we configured the router to relay DHCP requests to our Windows servers address.

so now, clients that are inside of VLAN 200 send a DHCP request, the router hears it and forwards it to the server, the server responds with a DHCP reply from the correct subnet and the client works perfectly fine.

---of course, you have to make sure that the server has a static route configured inside of RAS to send packets destined to 192.168.200.0/24 subnet through the IP address of the L3 Switch / router... if you do not run RAS on the server you can add a persistent route with the route command through the command prompt. it would look something like this (in our case, would be the numbers):

route add -p 192.168.200.0 mask 255.255.255.0 192.168.1.254

that would be assuming that the IP address of the L3 switch / router that has the DHCP relay function is 192.168.1.254 and that the subnet that the VLANd devices are on is 192.168.200.0/24

anyway. i know this is a late response but i hope it helps.

Dear Microsoft DHCP team,

It would be very handy if also subnet assignments of IP addresses could be filtered on vendor type mac adresses.

using some wildcards. As some kind of advanced scope option. This would be handy if you need to assign IP-phones to specific subnets / different from desktops clients.

I know these days this is solved through complex vlan configuration, but these phones not always get easily into the right vlan from a cold boot, a mac filter would make this a lot easier.

DHCP Team,

We're looking for exactly the same feature, and for a similar reason, as Peter in his post of January 15.  We have Aastra VoIP phones that receive their configuration, including VLAN assignments, from a tftp server specified in a DHCP requests.  Other DHCP clients have different or no tftp servers.  The ability to assign IP addresses, tftp servers and other components in the DHCP respose based on the OUI or other substrings of the client MAC address would be very useful.  

We're currently using dhpcd on a linux box that supports MAC filtering of this sort.  Here's an example from the dhcpd.conf file that shows the sort of functionality that we need.  The class directive allows us to set up a class of clients based on OUI and an associated tftp server.  In the subnet directive, we assign IP addresses based on class memberships.

class "voip-clients" {

        match if substring (hardware, 1, 3) = 00:08:5D;

        option tftp-server-name   "pbx.foo.com.";

}

subnet 172.17.0.0 netmask 255.255.0.0 {

  authoritative;

  option routers               172.17.0.1;

  option subnet-mask           255.255.0.0;

  option domain-name           "foo.com.";

  option domain-name-servers   172.17.0.2;

  default-lease-time 86000;

  max-lease-time  86400;

  zone foo.com. { primary 127.0.0.1; key DHCP_UPDATER;}

  zone 17.172.in-addr.arpa. { primary 127.0.0.1; key DHCP_UPDATER;}

 pool {

   allow members of "voip-clients";

   range                       172.17.200.1  172.17.200.250;

 }

 pool {

  deny members of "voip-clients";

  allow unknown-clients;

  range                        172.17.1.1  172.17.1.200;

 }

}

Thank you.