# Ping the subnet



## george_stobbart (Oct 9, 2008)

Hey, 
I want to know how to block computers in a subnet so that they are not able to ping other computers on the same subnet. I think we have to block ICMP packets. Any idea?

Thanks.


----------



## Dave Atkin (Sep 4, 2009)

Hi George,

You can disable ICMP responses (Ping Responses) in the Windows Firewall.

The following should help:
How to Stop ICMP Ping on Windows XP | eHow.com


Dave


----------



## george_stobbart (Oct 9, 2008)

Thanks Dave for your answer, 
It's not what I meant. I want to run a small ISP, and I don't have access to clients' PCs.
I want computers on the subnet to be unable to ping other computers on the same subnet. I want to know what device or OS distribution I need. I wish I could make it clear.


----------



## Dave Atkin (Sep 4, 2009)

Hi George,

Do you mean you would like to make every PC on your network unable to contact any other PC on the Network?

If so, a managed switch configured with VLANs is probably the cheapest way of doing this.


Dave


----------



## Excabus (Nov 3, 2010)

It really depends on what hardware you use and what your goals are. If you are creating a small ISP to serve customers with your own infrastructure throughout the area and whatnot, it won't be too possible to accomplish what you want. You can make a VLAN for each outgoing connection which isn't routed internally, but eventually, if a user wanted to and sent out an ICMP packet to an address in your range, it will get sent back at one junction or another. If you're creating an ISP in the sense of providing internet to a private place, say a dorm or an apartment, what you could do then is route all your VLANs to your router and out to the internet and whatnot, but be sure to turn off any automatic VLAN routing your switch may do, and to leave out any auto routing/statements in your router. This way your clients can hit the internet, but as far as they know they are the only network on their subnet and can't hit the other ones internally or externally.

If you're trying to provide internet service in the telco sense to customers, I would check legislation and policies and whatnot, because I don't even know if you'd be allowed to block the ICMP protocol for people paying for internet service.

Plus there is always a way around this as well: you can block ICMP, but that doesn't block SYN packets on other protocols from reaching out. Someone could do a...

```
nmap -sV xxx.xxx.xxx.***
```
Perhaps if you could specify a bit more clearly what you're trying to accomplish, we could better serve you...

If you're trying to set up internet access for a dorm or apartment, I would recommend you VLAN off ports and route everything correctly. Use a subnet mask of /28 (IIRC) and you can assign two IP addresses in that VLAN, ensuring you don't have multiple users in that unrouted VLAN able to talk to other users in your network.


----------
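The per-port VLAN layout discussed in the thread, as an added example that is not part of any post: it sizes each VLAN's subnet from the number of addresses needed, assigns one VLAN and subnet per access port, and lists which clients treat each other as on-link, which is traffic the router never sees and so cannot filter. The parent block 10.20.0.0/24, the port names and the first VLAN ID 100 are assumptions.

```python
import ipaddress

def usable_hosts(prefix_len):
    # Usable IPv4 hosts for this prefix length; network and broadcast addresses are excluded.
    return 2 ** (32 - prefix_len) - 2

def smallest_prefix_for(hosts):
    # Longest prefix (smallest subnet) that still offers at least `hosts` usable addresses.
    for prefix_len in range(30, 0, -1):
        if usable_hosts(prefix_len) >= hosts:
            return prefix_len
    raise ValueError("no IPv4 prefix holds that many hosts")

def build_plan(parent, ports, first_vlan=100, hosts_per_vlan=2):
    # One VLAN and one subnet per access port:
    # first usable address = router interface, second = the client on that port.
    prefix_len = smallest_prefix_for(hosts_per_vlan)
    subnets = ipaddress.ip_network(parent).subnets(new_prefix=prefix_len)
    plan = []
    for offset, (port, net) in enumerate(zip(ports, subnets)):
        gateway, client = list(net.hosts())[:2]
        plan.append({"port": port, "vlan": first_vlan + offset,
                     "iface": ipaddress.ip_interface(f"{client}/{prefix_len}"),
                     "gateway": gateway})
    if len(plan) != len(ports):
        raise ValueError("parent block is too small for this many ports")
    return plan

def on_link_peers(iface, others):
    # Clients that `iface` considers directly reachable (same subnet):
    # it ARPs for them and the frames stay on the switch, bypassing any router ACL.
    return [o for o in others if o.ip != iface.ip and o.ip in iface.network]

if __name__ == "__main__":
    ports = ["port1", "port2", "port3", "port4"]  # constructed port names
    plan = build_plan("10.20.0.0/24", ports)      # constructed parent block
    for row in plan:
        print(row["port"], "VLAN", row["vlan"], row["iface"], "gw", row["gateway"])
    ifaces = [row["iface"] for row in plan]
    print("per-port VLANs, on-link peers of port1:", on_link_peers(ifaces[0], ifaces))
    # The starting point of the thread: every client in one shared subnet.
    flat = [ipaddress.ip_interface(f"10.20.0.{n}/24") for n in (10, 11, 12, 13)]
    print("flat /24, on-link peers of .10:", on_link_peers(flat[0], flat))
```

With per-port subnets every client-to-client packet has to cross the router, so that is where a drop rule between customer subnets takes effect.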

