DHCP Server Callout DLL for MAC Address based filtering


DHCP Server team is excited to announce that the much appreciated and loved feature, MAC Address based filtering, (previously provided by this callout dll) is now a part of Windows Server 2008 R2 DHCP Server. Check out the blog.        The MAC Address filtering feature in Windows Server 2008 R2,   has provision for both Allow and Deny lists, with provision for wild-cards.        The Allow and Deny lists,  can be managed from within the DHCP MMC.

 

The current callout DLL shall no longer be available after December 15, 2010.

 

Ajay
Team Networking

 

This DHCP Server Callout DLL helps administrator to filter out DHCP Requests to DHCP Server based on MAC Address.  When a device or computer tries to connect to network, it shall first try to obtain ip address from DHCP Server. DHCP Server Callout DLL checks if this device MAC address is present in known list of MAC addresses configured by administrators. If it is present, device shall be allowed to obtain ip address or device requests shall be ignored based on action configured by administrator.

MAC address based filtering will allow network administrators to ensure that only know set of devices in the system are able get ip address from DHCP Server.  This DLL will help administrators to enforce additional security into network.

This callout DLL will help user in solving either of the following problems

1.       Allow Machines only belonging to set of MAC addresses to get ip address from DHCP Server.

2.       Deny Machines belonging to set of MAC addresses from getting ip address from this server.

This callout DLL shall work on Windows 2003 Server and Windows 2008 Server.

The usage is pretty simple and explained in the setup document along with the tool.

Both the dll (MacFilterCallout.dll) and the Setup document (SetupDHCPMacFilter.rtf) are copied on to %SystemRoot%\system32 folder after installation.

Updates done since initial version:

    1. Support for 32 bit and 64 bit OSs : Works on Windows 2003 and Windows 2008 Server
    2. Ease of setup : You do not have to copy the DLLs to obscure locations or edit the registry entries.    The installer copies the files into the appropriate locations and makes the necessary registry changes.
    3. Improved documentation :  Better documentation, along with a sample file.

    You can now specify upper case MAC addresses in the config file

  1. You can now check out the information log file, for information on what all addresses were allowed/denied, while the DHCP server service is running.

 Known Issue:

  1. This callout dll may not work on localized builds (non english builds).

Raunak Pandya

DHCP Server Team

 

We thank our users, for your patronage of the Server Callout DLL.     The DHCP team is interested in obtaining your feedback,   on this utility.   Please contact us at msnetworkteam_AT_live_DOT_com,   if you are willing to share your experiences and help us improve our products.

Ajay
Team DHCP

 

MacFilterCalloutInstaller.zip

Comments (304)

  1. Anonymous says:

    Sul blog del team Microsoft che si occupa del servizio DHCP è disponibile una DLL " DHCP Server

  2. Anonymous says:

    Hello Everybody, Thanks for all those who tried the MacFilterCallout dll . As you all must have checked

  3. Anonymous says:

    정책기반 보안 인프라를 만들면서 기업에서 필요로 하는 DHCP Mac address Filtering 기능이 Windows Server 2008 R2 의 DHCP 서버에서는 내장 되어있습니다

  4. Anonymous says:

    Hello Dave,

    Stopping and starting the DHCP server service, will not effect any of the existing DHCP clients which have already acquired an IP address earlier. Only clients coming onto the network at the time DHCP server is getting restarted will get affected. However, with the retry logic built into DHCP clients, clients should eventually acquire the IP address (few seconds later) as the server timeout in your case is also going to be just few seconds.

    Thanks

    Raunak Pandya

  5. Anonymous says:

    Hello Elton,

    This tool should work with vista clients as well without any issue.

    Thanks

    Raunak Pandya

  6. Anonymous says:

    Michael,

      Can you clarify on the fixes, that you are looking for?

      The callout dll must run on a Windows 2003/2008 DHCP server and can block/allow Vista or other clients from accessing the network.

    Ajay

    Team DHCP

  7. Anonymous says:

    hi

    installed today, everything works great!

    Question:

    to add a future just enter it in maclist and restart the dhcp or you must restart the server?

    Thank you very much (win sbs 2003 server and 8 client).

  8. Anonymous says:

    Hi,

    I tried this solution in a test invironment, and it works well. I have one question. Do you know of a MAC address limit? I ask because my company has over 10,000 computers, and probably a hundred different DHCP servers. I’m wondering if all MAC addresses in my company can be in one file, and then have that file replicated across the domain.

    I would like to hear your thoughts on this. Thanks for the work on this! It works good.

  9. Anonymous says:

    みなさん、こんにちは。Windows Server プリセールス担当の瀧本です。最近DHCP サーバーが話題になることが多くなってきています。地味な存在である DHCP サーバーがなぜ話題になるかと言うと

  10. Anonymous says:

    Simply uninstall using Add/ Remove programs.

    Raunak Pandya

  11. Anonymous says:

    Super! Very simple!

  12. teamdhcp says:

    Ken, since Windows Server 20008 R2 MAC address based filtering is supported inbox in DHCP server. Changes to MAC address list now will not need server restart. Would advise to use the inbox feature in Win 2008 R2.

  13. Anonymous says:

    Hey Shuja,

    Any thing written after ‘#’ is treated as comment. Use ‘#’ only for comments.

    Thanks

    Raunak Pandya

    DHCP Server Team

  14. Anonymous says:

    Hey Peter,

    Can you check the event viewer and tell me what event is logged. Alos please cross check your registry configuration(keys and values). Which OS you are using?

    Raunak Pandya

    DHCP Server Team

  15. Anonymous says:

    Correction to the previous post, the Windows Vista Business and Enterprise do not pull a ip address.

    Mike VanDusen

  16. Anonymous says:

    Hey David,

    Can you share the MACList.txt file contents?

    Thanks

    Raunak Pandya

  17. Anonymous says:

    Hey Sheldon,

    You can disable the callout dll by setting the registry key HKLMCCSServicesDHCPServerParametersCalloutEnabled to ‘0’.

    Thanks

    Raunak Pandya

    DHCP Server Team

  18. Anonymous says:

    Hey Atle,

    The dll currently works on x86(32-bit) flavours only..

    Thanks

    Raunak Pandya

    DHCP Server Team

  19. Anonymous says:

    Reservation :   You can reserve a specific IP Address, based on the MAC address for that interface.       Eg.   If your fileserver NIC has a MAC address of 01:00:11:22:33:44, you can setup a reservation,   such that it always receives an IP Address of 192.168.1.10 from the DHCP Server.

    MAC Filter : Filters are used to either allow or deny IP Addresses to specific interfaces, based on the MAC address.   Eg.   You can disable a rogue WAP from gettting an IP address, by adding it’s MAC address to the filter file.

    Ajay

    Team DHCP

  20. Anonymous says:

    Hey Samuel,

    The latest version of MacFilterCallout is present at http://connecttheworld.spaces.live.com/

    Any thing after ‘#’ in a line in MacList.txt is considered as comment.

    Thanks

    Raunak Pandya

    DHCP Server Team

  21. Anonymous says:

    Hey Nreis,

    Yes the attachment only has msi file. This will unpack the dll and the setup document.

    The location of that is mentioned in the blog:

    "Both the dll (MacFilterCallout.dll) and the Setup document (SetupDHCPMacFilter.rtf) are copied on to %SystemRoot%system32 folder after installation."

    Raunak Pandya

    DHCP Server Team

  22. Anonymous says:

    Hi Jojie

    Could you send over the macfilterinfolog, maclist files .. along with output for ipconfig /all

    Thanks

    Arun

    DHCP server team

  23. Anonymous says:

    Hey Dannoz,

    Did you check the event viewer for event 1033 whether the dll is loaded or not. Which OS you are using and on what platform?

    Thanks

    Raunak Pandya

  24. Anonymous says:

    Hello Mike,

    Deleting the InfoLog registry key (CalloutInfoLogFile) should work. However, from your reply, I see that you tried that and it failed. Can you confirm that once again? What OS are you using? Also, I would recommend you to work with the latest version of the callout dll posted on the blog above.

    Thanks

    Raunak Pandya

  25. Anonymous says:

    Hey Ali,

    I guess you processor architecture is x86 hence you need to install the MacFilterCalloutInstaller-x86.msi package. Once installed, you will find the Setup document (SetupDHCPMacFilter.rtf) copied at %SystemRoot%system32.

    A sample MACList.txt file extracted at the location of the DHCP auditlog (which is %SystemRoot%system32Dhcp if default).

    Thanks

    Raunak Pandya

  26. Anonymous says:

    Hey Joe,

    Are you using the most updated version of the callout? Can you share the content of maclist.txt and log files here.

    Thanks

    Raunak Pandya

    DHCP Server Team

  27. Anonymous says:

    Hi david ,

       Make sure your configurations are correct with regards to the MAC addresses. And also check if the "chaddr" filed in DISCOVER packet has the client’s MAC address.

    regards

    Tushar

  28. Anonymous says:

    Installing this callout dll cannot be the reason for your configuration gotten erased. However, if automatic backup config is still there, you can restore it from there.

    Command: netsh dhcp server databaserestoreflag 1

    Restart DHCP Server service.

    Thanks

    Raunak Pandya

  29. Anonymous says:

    Hi

    I am not sure what the problem is exactly.

    001ec9e4e7cd is allowed as per maclist.txt; and the action that we see is that all others are denied : 001d72fb1696 and 002185fb34db.

    Are you saying one of these is actually accessible? If so, could you also send the ipconfig /all for that machine (which is supposedly blocked). Are all denied machines getting an ip, or only one of them?

    Thanks

    Arun

    DHCP team

  30. Anonymous says:

    Hey Eric,

    Unfortunately, the callout dll doesn’t support scopelevel filtering. You will have to fallback on creating reservations.

    Thanks

    Raunak Pandya

    DHCP Server Team

  31. Anonymous says:

    Hey Omid,

    Do you see anything in the error log? Do you see event 1033/1034? Which OS you are using? Also share the platform on which you are running?

    Thanks

    Raunak Pandya

    DHCP Server Team

  32. Anonymous says:

    It can be used with Windows 2003 Standard.

    Ajay

    Team Networking

  33. Anonymous says:

    The setup document is extracted in the same folder where u install the dll from the msi package..

    Raunak Pandya

    DHCP Server Team

  34. Anonymous says:

    Hello Tom,

    Windows Server 2008 R2 has a new feature Link Layer Filtering, which has wildcard support as well (http://technet.microsoft.com/en-us/library/dd759259.aspx). You may want to check that out.

    On the other hand, if the address requested by VPN server for VPN clients belong to a specific user (or vendor) class, you may want to check out Option based callout dll (http://blogs.technet.com/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx). In this case, you would just need one DHCP server serving VPN clients and other clients from different subnets.

    If you are looking for the delay option in responding, another good news is that you can configure subnet delay in WS08 R2 to respond with some delay on secondary server to let the primary answer first.

    Thanks

    Raunak Pandya

  35. Anonymous says:

    Hey David,

    I am not quite clear on the issue here.

    You mean to say that "0018de0b0a21" is the MAC address of the wireless interface and is getting denied and "000b6c37bcf1" is the MAC address of the lan card and is denied??

    Raunak Pandya

  36. Anonymous says:

    This is a feature I have been waiting for way too long. Up until today if you wanted to have some control

  37. Anonymous says:

    Hey Paul,

    I would be interested to know about your requirement/ scenario here.

    Looks like your requirement is that these 100 devices get IP address from a subnet different than the normal DHCP clients.

    Is "Vendor Based Address Assignment" is what you are looking for?

    Raunak Pandya

  38. Anonymous says:

    I am having the same problem with Vista Buiness.  The macs on those machines are on the allow list but the do not pull a ip address from the DHCP server.

    Mike V

  39. Anonymous says:

    Hey,

    All the Clients which are shown in DHCP Server as active leases are the one which have dynamic ip. A statically configured client’s entry wont be there in DHCP. What you could do is take the MAC addresses of all the leases in at any point of time in DHCP Server and add them to allow list. All other clients would hence be automatically dened.

    Thanks

    Raunak Pandya

  40. Anonymous says:

    As of now the callout dll doesn’t support wildcards.

    Raunak Pandya

    DHCP Server Team

  41. Anonymous says:

    Just for your information David, this feature (Link layer filtering) is included in Windows Server 2008 R2 Beta DHCP Server. 🙂

    Thanks

    Raunak Pandya

  42. Anonymous says:

    Hey Shuja,

    You can set the MAC_ACTION to either ALLOW or DENY. Make sure the MAC_ACTION text in the file is one of the below.

    MAC_ACTION={ALLOW}

    MAC_ACTION={DENY}

    Thanks

    Raunak Pandya

    DHCP Server Team

  43. Anonymous says:

    is there any way to migrate from callout to win2k8R2 DHCP filtering ?

  44. Anonymous says:

    Hey David,

    I wanted to see the file format. Hence it would be sufficient if you could paste the MAC_ACTION line and the relevant mac addrresses here(the way they are used in the maclist file).

    Thanks

    Raunak Pandya

  45. Anonymous says:

    Ramesh, DHCP server will deny/allow IP address to a client based on MAC address list configured only when the client attempts to get/renew a lease. So, your observation is correct.

    This will be the case with mobile devices as well. Every client attempts to renew the lease periodically based on the lease period configured on the DHCP server.

    MAC address based filtering is inbox in DHCP server since Windows Server 2008R2. You should consider moving to this since the dll was temporary solution till it was available inbox and is unsupported.

    DHCP server in Windows Server 2012 also support DHCP policies which can be used to group mobile devices (based on a grouping defined on MAC address prefix or vendor class) and provision different DHCP options or IP addresses (including deny/allow). See the blogs

    blogs.technet.com/…/granular-dhcp-server-administration-using-dhcp-policies-in-windows-server-2012.aspx

    blogs.technet.com/…/scope-level-link-layer-filtering-using-dhcp-policies-in-windows-server-2012.aspx

  46. Anonymous says:

    Hey Jordan,

    Yes you need to restart the DHCP Server service each time after you modify the MACList.txt file.

    Thanks

    Raunak Pandya

    DHCP Server Team

  47. Anonymous says:

    Hey Jens,

    Have you checked whether the event 1033 is getting logged at the time of service start?

    Also strictly take care of all the following guidelines. It should work..

    • First line in the file should specify the action. Action can be either ALLOW or DENY

    o When action is specified as ALLOW, all requests from MAC address present in this list will be served by dhcp servers. All requests originating from MAC address not present in this list will be ignored.

    o When action is specified as DENY, all request from MAC address present in the list will be ignored by dhcp servers. All requests from MAC addresses not present in this list will be severed by dhcp server.

    o Only one action out of ALLOW or DENY can be specified in MAC Address List File

    • MAC address should be specified in format XXXXXXXXXXXX (where X can be hex digit 0 – F).There should not any delimiter such as -,  : in MAC address.  Each MAC address should be specified in separate line.

    Let me know if u still face the issue.

    Raunak Pandya

    DHCP Server Team

  48. Anonymous says:

    Hey.. You dont get an option to select the target folder while installing.. By default both the callout dll and the setup document are extracted in the system32 folder.. I dont remember the name of the setup document ( word file) but its something like SetupMacCalloutFilter.doc

    Raunak Pandya

    DHCP Server Team

  49. Anonymous says:

    Dalam Windows Server 2003 dapat dilaksanakan blocking MAC Address melalui DHCP Server. Seperti kita ketahui

  50. Anonymous says:

    Hey,

    Once the IP address is leased, the client would be able to use it till it gets expired. When this machine comes up after restart it tries to check the ip address it is holding. In the event of DHCP Server not present or not replying(which is the case if filter is configured) it would continue to use the old IP aaddress till it gets expired and after that when it tries to renew its IP, the server will not respond.

    Thanks

    Raunak Pandya

    DHCP Server Team

  51. Anonymous says:

    Hello,

    This callout dll works with Standard skus as well.

    Thanks,

    Raunak Pandya

  52. Anonymous says:

    Hey Magnus,

    When the callout dll gets loaded you should be able to see the event 1033. If you fail to see tht it means tht callout dll hasn’t been loaded yet. From the cofigurationdetails above I see that you havent enabled the callout dll. You need to create another registry entry ‘CalloutEnabled’ and set it to 1. Refer to the setup document for details.

    Thanks

    Raunak Pandya

    DHCP Server Team

  53. Anonymous says:

    Hey Paul,

    In case your requirement is just to make sure that these devices get unique addres based on MAC address (by unique I assume same address each time), you should use Reservations for them.

    Thanks

    Raunak Pandya

    DHCP Server Team

  54. Anonymous says:

    Hey Sheldon,

    Yes you would need to add MAC ADDRESSES of all the devices to allow so that you can block laptops od students.

    Raunak Pandya

    DHCP Server Team

  55. Anonymous says:

    hi Caio,

    IP address assignment based on VLAN ID is not possible currently.

    But it will be really nice if you can explain the whole scenario.

    Thanks

    Ranu

  56. Anonymous says:

    David,

    Your wireless card and lan card will have different mac addresses. In case you need to allow both you need to enter both the address in the maclist.txt with MAC_ACTION={ALLOW}

    Thanks

    Raunak Pandya

  57. Anonymous says:

    I have configured the same way …it works great.

  58. Anonymous says:

    Are there any fixes for Windows Vista Enterprise or Business yet?  This is in reference to the callout dll.

    Michael VanDusen

  59. Anonymous says:

    Do you have deny and allow both configured?

    Raunak Pandya

    DHCP Server Team

  60. Anonymous says:

    Thanks Raunak……

    Pankaj

  61. Anonymous says:

    Hey Charles,

    Yes, You are correct.

    Thanks

    Raunak Pandya

    DHCP Server Team

  62. Anonymous says:

    Hey Guenter,

    Which OS you are using and what flavour? On successful loading of dll you should see the event 1033.Also configure the log and info files. And one thing to take care here. It doesn;t support wild cards as you have specified.

    Thanks

    Raunak Pandya

    DHCP Server Team

  63. Anonymous says:

    If the client is configured with a static IP, it is not going to attempt address acquisition via DHCP and therefore not attempt to contact the DHCP server.

    Thanks,

    Mayur

    Team DHCP

  64. Anonymous says:

    Hello guys! Thanks really, it is very interesting. Someone has tested use on windows sbs server?

  65. Anonymous says:

    This is cool but how do I write the filter to give all xbox360’s with a MAC address vendor prefix of 00-17 on to a specific scope.  Eg: general population is on 192.168.50.x/24, Xbox’s should go to 192.168.51.x/24

    Thanks much for your help.

    Fizz

  66. Anonymous says:

    Hello Joshua,

    The latest version (posted long ago) does support comments as well using ‘#’. Anyhting after # in a line is treated as comment.

    Thanks

    Raunak Pandya

  67. Anonymous says:

    Hey Allan,

    This callout cannot prevent machines to come onto the network if they are configured with static IP and correct gateway address.

    This is actually not a limitation of this callout dll but unfortunately DHCP protocol itself is like this.

    Raunak Pandya

  68. Anonymous says:

    Hey Joe,

    This could probably be because in earlier versions there were some issues in specifying MAC address in uppercase. Just make sure the mac address provided is in lower case.

    This problem is solved in the latest release.

    Thanks

    Raunak Pandya

  69. Anonymous says:

    The MAC based filtering will cannot specify the scope from which a particular MAC request can get the address. It can only allow/deny a MAC based address acquisition.

    regards

    Tushar

  70. Anonymous says:

    Hey Senthil,

    Can you plz tell me what problem exactly you facing.. Can yo check the Log file and see the message.. The dll has been tested and seem to work fine for others too.. Please check your settings as mentioned in the rtf file. If you still face trouble please get back to me..

    Raunak Pandya

    DHCP Server Team

  71. Anonymous says:

    Hey Travis,

    The source code for the tool cannot be made available however you can take a look at the following blog to see the callout api usage.

    http://blogs.technet.com/teamdhcp/archive/2007/11/27/callout-api-usage.aspx

    Thanks,

    Raunak Pandya

    DHCP Server Team

  72. Anonymous says:

    Hey Joe,

    Yes you are correct. If you set the action to DENY it will deny only MAC addresses in the list and allow all others.

    Thanks

    Raunak Pandya

    DHCP Server Team

  73. Anonymous says:

    I like the idea behind the MAC Filtering, I just do not know if I want all the problems keeping up with PC moves in 25 locations across Florida. It would be nice to use DHCP as it is now aand then be able to use MAC Filtering to block a MAC that you do not want back on the network once you’ve grabbed their MAC. Can we do this, still give out IP by request and then block a MAC that you do not want.

    Joel

  74. Anonymous says:

    Hello Giancarlo,

    This tool is not tested on non-English verison of OS and hence may not work. You may still give a shot at it. Do share your observation.

    Thanks

    Raunak Pandya

  75. Anonymous says:

    Brent,

     We are looking into the feasibility of offering 64 bit support for this DLL and expect to have an answer in a couple of weeks.  

     You can contact us via email at msnetworkteam_AT_live_DOT_com, with any further queries on this topic.

    Ajay

    Team DHCP

  76. Anonymous says:

    I am not receiving any responses in the eventlog on the one that does not work except for the standard 1044. The one that works give me a 1033. I have check the registry in the parameters section for the DHCP service section on both machines an they match exactly. It is like the DHCP service is ignoring the callout hook.

  77. Anonymous says:

    Hey Tim,

    There is no such hardcoding for the no. of MAC's in MAClist.txt

    Thanks,

    Raunak Pandya

  78. Anonymous says:

    I am getting the "is not a valid Win32 application" Event ID 1034 as well and I am running a x32 version of server 2003. Whats wrong?

  79. Anonymous says:

    Hwey Pankaj,

    It doesnt seem like you are using the latest version of the callout dll. You dont need to do any registry configurations once you unpack the latest msi. Also the entries in maclist.txt were case sensitive in earlier release but has been fixed in the latest one.

    I would recommend you to try out the latest version once.

    Thanks

    Raunak Pandya

    DHCP Server Team

  80. Anonymous says:

    Hey Aries,

    Currently in this version of the tool it is not supported to enter comments.

    Thanks

    Raunak Pandya

    DHCP Server Team

  81. Anonymous says:

    Hey Senthil,

    I wonder why the tool isn’t working for you.. We have tested it here.. It works fine.. Its working fine for so many other users after posting it here.. I would once again suggest you to double check your configuration..

    Raunak Pandya

    DHCP Server Team

  82. Anonymous says:

    Thanks Victor for your acknowledgement. Unfortunately this callout can either be run in Action or Deny mode only and not both.

    The feature request you making is already there in the latest WS08R2 DHCP Server.

    Check out the blog http://blogs.technet.com/teamdhcp/archive/2009/01/21/link-layer-based-filtering.aspx

    Raunak

  83. Anonymous says:

    Hope you specifying the file path correctly in the registry. And also strictly take care of all the following guidelines. It should work..

    • First line in the file should specify the action. Action can be either ALLOW or DENY

    o When action is specified as ALLOW, all requests from MAC address present in this list will be served by dhcp servers. All requests originating from MAC address not present in this list will be ignored.

    o When action is specified as DENY, all request from MAC address present in the list will be ignored by dhcp servers. All requests from MAC addresses not present in this list will be severed by dhcp server.

    o Only one action out of ALLOW or DENY can be specified in MAC Address List File

    • MAC address should be specified in format XXXXXXXXXXXX (where X can be hex digit 0 – F).There should not any delimiter such as -,  : in MAC address.  Each MAC address should be specified in separate line.

    Let me know if u still face the issue.

  84. Anonymous says:

    Hey Bob,

    You will be unable to look into the Information Log file when DHCP Server service is running. Also, its correct that currently the file is overwritten each time the service is restarted.

    Thanks

    Raunak Pandya

    DHCP Server Team

  85. Anonymous says:

    Try using the syntax MAC_ACTION={ALLOW} or MAC_ACTION={DENY}

    Let me know if u still face problem..

    Raunak Pandya

    DHCP Server Team

  86. Anonymous says:

    MAC based filtering applies to all the scopes configured on the DHCP Server. It won’t be possible to apply scope level filters.

  87. Anonymous says:

    Hey Arthur,

    The callout dll works on W2K3 Server Standard Edition as well.

    Thanks

    Raunak Pandya

    DHCP Server Team

  88. Anonymous says:

    Hey Charles,

    If you have assigned static IP to them then you dont need to add them to MACList.txt.

    However, I had a question concerning your deployment. Why have you reserved the addresses when you assigning them statically? You could instead remove the exclusions, static addresses on printers and let just the reservations be there. By this way, the printers would be getting the same IP addresse from DHCP server.

    Note: In the second way, you would need to add the entry in the MACList.txt.

    Let me know if have any doubts here,

    Thanks

    Raunak Pandya

  89. Anonymous says:

    Hey Chris,

    It should work with 802.1x as well. However I did not understand what do you mean by saying have it added to a "Guest VLAN" / Subnet.

  90. Anonymous says:

    Hey,

    Yes it should be possible to implement this scenario.

    Thanks

    Raunak Pandya

    DHCP Server Team

  91. Anonymous says:

    Hey Joe,

    If the Callout is allowing DHCP requests and DHCP server is leasing IP address to the client, one should see the lease under the Address Leases node in MMC. I would like you to re check the configuration once. If the client is still holding the lease, you should see the lease in DHCP management console under the Address Leases node in the repective scope node.

    Raunak Pandya

  92. Anonymous says:

    Hey akira

    If u dont see any 1033 log in the event viewer.. It means your callout dll has not been correctly loaded. Please see tht you are following the setup instructions carefully. And NOTE: while creating keys in registry.. You have to create it under: HKEY_LOCAL_MACHINESystemCurrentControlSetServicesDHCPServerParameters

    Please let me know if you still face problems..

    Raunak Pandya

    DHCP Server Team

  93. Anonymous says:

    Vista Business Problem

    I cannot find a solution for the problem.

    I am looking at using the program for blockage to stop someone that does not know the IP range from simply plugging in a foreign computer, exlcuding a range from DHCP, and using that range to statically assign IP’s to vista business machines. I still need an allowed range for my VPN Clients. Anyone finding a solution for vista business can email me directly: admin@coloabc.net

  94. Anonymous says:

    Inside the file MACList.txt you could make, and we recognize as permitted mac and mac denied

    MAC_ACTION DENY = ()

    MAC_ACTION ALLOW = ()

    Greetings and hugs

  95. Anonymous says:

    Hey Gunter,

    The format you have specified is wrong. Please see the comment above. You need to place curly braces around Action (ALLOW/DENY} like: MAC_ACTION = {ALLOW/DENY}

    Thanks

    Raunak Pandya

    DHCP Server Team

  96. Anonymous says:

    Hey Joe,

    I dont see any problem with your registry settings here. Your dll is also being loaded perfectly as you see the event 1033 in the event viewer. You get the error "File format not proper" when the MAC addreses in the file MACList.txt are not entered correctly.

    You can refer to the blog below to take a look at the format needed for this file. The following information is also there in the Setup document which is placed in the WindowsSystem32 folder when you run the msi.

    http://blogs.technet.com/teamdhcp/archive/2008/03/14/dhcp-server-callout-dll-for-mac-address-based-filtering-mac-address-list-file-format.aspx

    Thanks

    Raunak Pandya

    DHCP Server Team

  97. Anonymous says:

    This is a feature I have been waiting for way too long. Up until today if you wanted to have some control

  98. Anonymous says:

    The Attachment only have the msi file nothing else.

  99. Anonymous says:

    Vista Business not working!

    Works great for XP Pro and Vista Home, but Vista Business Machines never get an IP. Cannot determine the blockage/problem. Anyone?

  100. Anonymous says:

    This tool works great with Windows machines. I recently found that it does not work with Apple Computers. I have the MAC_ACTION set to allow and the maclist contains all MAC addresses I want to allow. Even with Apple computer MAC addresses excluded from the list they still get an ip address from the DHCP server.  Can anyone out there confirm this in their network environment?

  101. Anonymous says:

    Hi.

    I'd like to know why can't I see the 1033 event on Event Viewer.

    I did all steps in the file SetupDHCPMacFilter.rtf and it doesn't worked yet.

    Can somebody help me?

    Thx

  102. Anonymous says:

    Hey,

    We haven’t verified this but feel it shouldn crash instead should log an error message in the log file.

    Can you check if any message is logged and when you seeing the crashing while starting the service?

    Thanks

    Raunak Pandya

    DHCP Server Team

  103. Anonymous says:

    AFAIK, maclist.txt with only one mac address also works fine. You shouldn’t be facing any issues unless you did something wrong in the format in which it needs to be specified. Can you check with the output of the log whats the behavior when you specify a single mac address.

    Raunak Pandya

    DHCP Server Team

  104. Anonymous says:

    Hello Antonio,

    Please check the Information logs/ error logs. There must be some error in the format in which you have specified the mac addresses.

    Thanks

    Raunak Pandya

  105. Anonymous says:

    Hello Tom,

    I am sorry. I pointed you to incorrect link. Option based callout dll is @ the location http://blogs.technet.com/teamdhcp/archive/2009/06/12/option-based-ip-address-assignment-callout-dll.aspx

    However, I am not sure of the structure of your network. See if you can make use of the user/ vendor class option in VPN clients.

    Raunak Pandya

  106. Anonymous says:

    Hello Ali,

    Just uninstall the MSI package you installed using Add/Remove Programs. This will remove the callout dll.

    Thanks

    Raunak Pandya

  107. Anonymous says:

    Hi ,

    I need to allow only company Mac address will get IP .If some one outsider wants IP from our DHCP server until entering his/her Mac address in to  allow list he /she should not get IP  address from our DHCP server 2003 .

    Please help me the script and step by step configuration..

    Regards

    Biswal

  108. Anonymous says:

    Hi Senthil/Aaron,

    Ya. You must restart the service after you modify the MAC list as all the addresses are read at the time of service start.

    Raunak Pandya

    DHCP Server Team

  109. Anonymous says:

    Hey Gary,

    From the log file content you have pasted it doesn’t look like that DHCP Server does assign the address to the blocked client.

    Thanks

    Raunak Pandya

    DHCP Server Team

  110. Anonymous says:

    Hey Guenter,

    Which OS you are using and what flavour? On successful loading of dll you should see the event 1033.Also configure the log and info files. And one thing to take care here. It doesn;t support wild cards as you have specified.

    Thanks

    Raunak Pandya

    DHCP Server Team

  111. Anonymous says:

    Repeating the guidance from an earlier response to a similar query –

    Hope you are specifying the file path correctly in the registry. And also strictly take care of all the following guidelines. It should work..

    • First line in the file should specify the action. Action can be either ALLOW or DENY

    o When action is specified as ALLOW, all requests from MAC address present in this list will be served by dhcp servers. All requests originating from MAC address not present in this list will be ignored.

    o When action is specified as DENY, all request from MAC address present in the list will be ignored by dhcp servers. All requests from MAC addresses not present in this list will be severed by dhcp server.

    o Only one action out of ALLOW or DENY can be specified in MAC Address List File

    • MAC address should be specified in format XXXXXXXXXXXX (where X can be hex digit 0 – F).There should not any delimiter such as -,  : in MAC address.  Each MAC address should be specified in separate line.

    We would recommend to use the MAC address filter feature which is inbox since Windows Server 2008 R2.

  112. Anonymous says:

    Hi Marc,

    Thanks for sharing the details of your requirement. This is useful information.

    Thanks,

    Prasad

    Team DHCP

  113. Anonymous says:

    Hey David,

    Do you see anything in the errorlog/infolog file??

    Raunak Pandya

    DHCP Server Team

  114. Anonymous says:

    Hey Shuja,

    Good to hear that its working for you.

    Yes, the server does need a restart once you modify the MACList.txt file.

    Thanks

    Raunak Pandya

  115. Anonymous says:

    Hello Chris,

    Yes, in the latest verison of the callout dll you can open the log file even when the server is running to get a live view of the addresses being allowed and denied.

    Thanks

    Raunak Pandya

  116. Anonymous says:

    Hello Gop’s

    Please key in the MAC addresses in the txt file without hyphens ‘-‘. It should work for you. You shouldn’t b seeing any error after that.

    Thanks

    Raunak Pandya

  117. Anonymous says:

    Hello

    I have installed Macfilterdll on our DHCP serveron windows 2003 server standard. I have configured and updated the registry according the documnet. I have added the MAC address of few of the system and allowed them in the mac.txt file. When I have restarted the DHCP service than the systems were not getting the IPs from the DHCP server. In the log file I was getting the error deny.

    Also the entry of MAC address in mac.txt file is case sensitive?

    Kindly suggest???

    Thanks

    Pankaj

  118. Anonymous says:

    Hey Paul,

    Event Id 1044 is related to DHCP Server Rogue Authorization. It is not related to callout dll. If you have configured the following registry values correct, you must either see event 1033 or 1034 getting logged. If you see 1034, that means there are some issues loading the dll and we proceed further from there then. Could you please recheck and get back.

    CalloutEnabled,

    CalloutDlls

    Thanks

    Raunak Pandya

    DHCP Server Team

  119. Anonymous says:

    Hey Austin,

    You can refer to the following blog for callout api usage. However the sample code is not in .NET but is unmanaged code.

    http://blogs.technet.com/teamdhcp/archive/2007/11/27/callout-api-usage.aspx

    Thanks

    Raunak Pandya

  120. Anonymous says:

    Hey Pankaj,

    Good to hear that your issue was resolved. The new versionhas few improvemnets going in. Support for case insensitive Maclist.txt being one of them.

    Also, the installation is very simple now with no need to touch registry manually.

    You can find the complete list of improvements in the blog above..

    Thanks

    Raunak Pandya

  121. Anonymous says:

    Hello warlock88,

    I am afraid this is not possible. You will manually have to keep a copy of the log file before starting the DHCP server service after stopping.

    Raunak

  122. Anonymous says:

    Hey Paul,

    Can you have two different files for error log and info log and try again. See whats the output generated in them.

    Raunak Pandya

    DHCP Server Team

  123. Anonymous says:

    Hey Jim,

    It should be working on SBS 2003 as well. Olgam’s comment above confirms that as well.

    Thanks

    Raunak Pandya

  124. Anonymous says:

    Sorry to be stupid but I missed typed the maclist file in the registry. When I typed it properly it worked absolutely fine. Many Thanks David Hutton

  125. Anonymous says:

    Shuja,

      You should download the installer from http://connecttheworld.spaces.live.com.

    Ajay

    Team Networking

  126. Anonymous says:

    No, the NAT is a part of RRAS. DHCP server is not used in this scenario.

    Also the DHCP callout dll is supported by the DHCP server but not by the RRAS.

    -Tushar

  127. Anonymous says:

    Thanks for the feedback, Peter. Appreciate it.

    It will help us to understand your request in more detail. Can you write to us at msnetworkteam_at_live_dot_com.

    Prasad

    Team DHCP

  128. Anonymous says:

    Ok,

    Thats because %systemroot% would mean only e:windows

    Raunak Pandya

    DHCP Server Team

  129. Anonymous says:

    Hey Biswal,

    You can do the needful using this tool. You need to add all the MAC Address which you want to allow in the format specified in the setup document which gets unpacked when you install the above. The step by step configuration details are also mentioned there. Please go through it.

    Thanks

    Raunak Pandya

    DHCP Server Team

  130. Anonymous says:

    Dear Raunak

    Thanks for your suggestion. I have resolve the issue. It was due to case sensitive. Now it is working fine.

    If I will install the new package what seetings I need to perform?

    Thanks

    Pankaj

  131. Anonymous says:

    Hi Rupesh,

    This post might of help to you. blogs.technet.com/…/3253905.aspx.

    So what you may need to do is configure a user class for all your known machines. Next create two scopes on the server, one which will server your internal machines, the other for new guest machines..

    For the scope which is serving internal machines, you could configure a Classless Static Route to internal networks, and not do so for the other scope for serving guest machines.

    Thanks

    Arun, Dhcp Team

  132. Anonymous says:

    Hey Krishnan,

    Looks like that the callout dll is taking significant time in parsing the large MACList file initially as a result of which the service fails to start. I would like to know are you facing the problem for less number of entries?

    I would also like to get some more information from you. 28 MB for MACList file seems to quite huge size. Could you please tell us the scenario where you need so many entries in the file and to what extent can wildcard support help you out here?

    Thanks

    Raunak Pandya

    DHCP Server Team

  133. Anonymous says:

    David, Windows Server 2008R2 supports MAC address based filtering inbox. We encourage you to use this inbox functionality. With the introduction of DHCP policies in Windows Server 2012, you can configue MAC address based filtering for each scope separately.

  134. Anonymous says:

    Ananthi,

     Clients that have been configured with a static IP address,   will not be contacting the DHCP server for an IP address.

     If you want to ensure that the static IPs are not leased by the DHCP Server – you should have them as an exclusion range within the scope.

    Ajay

    Team DHCP

  135. Anonymous says:

    When you add a file to the mac MACList.txt only would have to stop the service dhcp it and start again?

    Greetings and hugs

  136. Anonymous says:

    I just tested this again on Windows XP Pro and it worked fine.  When testing on Windows Vista Business and Enterprise the systems do pull a ip from the DHCP server when using the call dll. It is loaded up fine and there are no filter errors on the server.  Anyone else having this issue.

    Mike VanDusen

  137. gt says:

    It’s very cool, but where is the setup document exactly?

  138. gt says:

    Uhhh, and where is this folder? Through install (on w2k3 r2) I can’t choose the target folder, and sorry, but I don’t find any files, but only a MacFilterCallout.dll in System32…

  139. gt says:

    Thank you for your help, the exact file name is SetupDHCPMacFilter.rtf.

  140. Kostas says:

    I cant seem to find the correct configuration file syntax.

    I have a file named DHCPMACFILTER.TXT, have specified its full pathname in the relevant registry key (in Parameters like said above, Win2k3 here) and inside has 2 lines:

    MAC_ACTION = ALLOW

    0020ED8E9E7E

    The error file says that "File format not proper" and the info files that the DHCP server has started.

    If I remove the MAC address and leave only the MAC_ACTION line then I get again "File format not proper" in the error file, but now the info file has:

    The DHCP server has successfully started.

    Thu Oct 18 13:54:52 2007 0018f3047478 Allow

    Please advice further…

    Thanks.

  141. Akira says:

    i cant see any logs 1033 from the event viewer.

  142. Kostas says:

    Thanks for your answer, it works perfectly.

    Gee… never thought the curly brackets where part of the syntax as their usual meaning is to specify the set of disticnt values allowed.

    Anyway, thanks again, very useful addon.

  143. Armando Ortiz says:

    What about classifying a device (VOIP phone) so that it’s thrown into a separate range of IP addresses like ISC DHCP allows for?

    I can classify my phones (all NEC) based on the first three parts of the MAC ID so that they’re assigned IP’s in the 10.30.15 range, but never into 10.30.13 or 10.30.14.

    This is a VERY DESIRED feature that isn’t addressed anywhere in the DHCP services.

  144. SVHB says:

    This seems to be nearly what we need for our application, but is it possible to use a range of MAC addresses?

    For example we have a range of addresses for an embedded system, and we want to use DHCP for assigning an IP address, without interferance with the our office network.

    Something like following will solve this :

    MAC_ACTION = DENY

    001A85******

    Thanks in advance

    Stefaan

  145. Curtis says:

    This all sounds great, but I wish that instead of doing this:

    MAC_ACTION={ALLOW}

    000b0e994401

    000b0e994402

    000b0e994403

    000b0e994404

    000b0e994405

    I could do this:

    MAC_ACTION={ALLOW}

    000b0e*

    That way I could permit DHCP to any vendor specific device and deny DHCP to all others without having to make periodic changes to the MAC list and worry about stopping/starting the service.  We have 3000+ devices (all from one vendor) that we want to get DHCP while not allowing it for anything else.  Anyone know if this will work?

  146. Tor Arne Pedersen says:

    Hi!

    This looks great, I wish I could make it work.. I have set the values, and it all looks good. The filter file maclist.txt looks like this:

    MAC_ACTION={DENY}

    000742a72dea

    the log says

    Thu Oct 18 13:54:52 2007 000742a72dea Allow

    the error file says

    file format not proper

    It looks like same error as above, but I have the {}, I have tried to add/remove spaces around =, but no luck. Text encoding is ANSI, I have tried UTF-8, but I guess this shouldnt make a diffecence. Where do I go from here?

    Tor Arne Pedersen

  147. Tor Arne Pedersen says:

    I redid it all, and it worked perfectly. Thanks for this tool. I wonder how I can make IPs be leased forewer, I guess callout.dll could do this.

  148. msdn1876 says:

    Is the Callout filtering can support wildcard if I want to deny all as to 101010 beginning MAC addresses?

  149. msdn1876 says:

    I would like to know that Infolog files have the max size constraints.

  150. SENTHIL SIVALINGAM says:

    Even after adding the mac address in the allow list, server is not serving IP to the specified pc. seems some bug on the dll.

  151. SENTHIL SIVALINGAM says:

    Hey Pandya

    I perfectly configured as per the doc, when I see the log  there were many deny messages for the Mac address which is in allow list.

    My environment is Win2k3-Sp2 and in fact I have checked with a desktop and few laptops mac addresses included in the allow list. But as per the log those are comes under denied.

    Looking for your help.

  152. SENTHIL SIVALIGAM says:

    Hey

    I have configured only Allow list.

  153. Chris G says:

    Thanks for this tool!  I see that wildcards are not supported, but are there plans to support mac wildcards in a future release?

  154. Juergen Weickl says:

    Is it planned to add wildcard feature to your tool?

    As on other post here I would like to deny all requests from e.g. IP phones.

    Best regards,

    Juergen

  155. Erik says:

    Thx so much for this addition. I was really cursing MSDHCP until I found this bit. It works great, and plan on rolling it into production soon.

  156. AdamF says:

    Is it possible for the callout to have an allowed mac address list per subnet?

    To explain: We wish to secure our devices (thin clients) from being moved physically from office to office (subnet to subnet).

  157. Jonathan says:

    I followed the directions precisely and it worked great. Thanks for including something that SHOULD have been included OEM on the DHCP server.

    Cheers

    Jonathan

  158. Oyunbat says:

    Dear Raunak Pandya

    I have configured Collect DLL for my DHCP server but it’s not running. i think my configure is OK but why not working?

    "This key specifies callout dll path for dhcp server e.g. c:calloutdll<calloutdll name>.dll" this description’s "calloutdll name" is which file ? may i put in MacFilterCallout.dll file there? is it right?

    please tell me all of configuration how do it exactly if it possible?

    thanks

  159. SENTHIL SIVALINGAM says:

    Hi Raunak

    A quick question to you. Do we need to restart the service whenever we are adding mac address on the allow list? Cos the server doesn’t supply IP’s without restart, simply denies.

    I think thats where the issue I had faced last time.

  160. Rick Ng says:

    Excuse me, but I don’t have the money to set up a W2K3 machine.  Can callout DLL work on a XP Home acting as a gateway?  And is callout DLL uninstallable?

  161. aaron says:

    Must you restart the DHCP Service when you modify the MAC filter list?

  162. jens says:

    I tested this tool on two distinct dhcp servers and they both denied all IP addresses even though there was only one MAC address in the config file with the DENY option or allowed them all, again even though there was only one MAC address in the config file with the ALLOW option :-(. This also applied after I restarted the DHCP server service..

  163. S.M. says:

    Dear Raunak Pandya

    Thanks for this tool

    Is it planned to add comments to file with MAC addresses? It would be easier to find to whom belongs specific MAC address.

    S.M.

  164. jens says:

    ok.. it seems to be working now.. my "problem" was that I wrote the MAC address with capital letters instead of small letters. If I write

    MAC_ACTION={ALLOW}

    0050569337ad

    it works but not for

    MAC_ACTION={ALLOW}

    0050569337AD

    thanks alot,

    Jens

  165. Steve says:

    Running on Server 2003 R2 x64

    When starting the DHCP Server service, I receving:

    "The DHCP service has failed to load one or more callout DLLs. The following err occured: %1 is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. is not a valid Win32 application. "

  166. Matthaus says:

    Just wondering what happens regarding existin reservations?

    Do the MAC address’s for these existing reservations need to be added to the the allowed list or will they just work any?

  167. David says:

    Can you point the callout DLL to a radius server??

  168. David says:

    Is  there an option to send request to a radius server instead of a text file??

  169. Scott Pascoe says:

    Would it be possible to put the source for this callout on http://www.codeplex.com so that the community can extend it?

    Thanks, Scott Pascoe

  170. Russel says:

    I agree with S.M.

    We need to be able to add comments.

    Great tool though.

  171. Jonathan says:

    Great tool, I´ve been wondering for a long time why the Windows DHCP-service is so "insecure". Not anymore 🙂

  172. S.M. says:

    to Matthaus:

    I think yes. I added these MAC addresses to the allowed list. Otherwise these hosts didn’t receive  config from DHCP.

  173. SAANRA says:

    Does the DHCP server crashes due to wrong MAC format entry in DHCP filter.? I mean I entered o instead of ZERO by mistake.

    Pls answer me , saanra@gmail.com

  174. johnny says:

    On my setup, using deny, I need to have two macs in the maclist.txt file for this to work. When I had only one mac addr listed, it allowed the dhcp server to assign ip anyhow. I added a second mac to the list, unused addr actually, and restarted dhcp. Now it works. Mac address being denied fine. Its funny how the {} brackets are literally needed in the action line for it to work.

  175. Has anyone tried this with a larger environment of approximately 5,000 DHCP clients?  Any performance issues?

  176. Daanoz says:

    Hey,

    The tool looks great, but somehow i can’t get it to work… installed, loaded up the reg settings, rebooted the DCHP… nothing, so i kinda made sure the maclist.txt has error’s in it and i notice that also no log files were generated. So it seems like the callout isn’t loaded…

    DHCP Reg settings: http://img527.imageshack.us/img527/4114/dhcpsettingsqo7.jpg

    Hope anyone can help

  177. Daanoz says:

    Thx, that helped 🙂 i got an error 1034 saying: The specified module could not be found.

    Solution: Changing the "%SystemRoot%" variabele to my hardcoded systemroot (e:/WINDOWS/system32/)

    running on:

    Windows server 2003 R2

  178. Ajith KUMAR says:

    Seems to be working. It can be improved, for sure.

    As we have to re-start the service everytime when there are changes in the MAClist file, is there any way to make it dynamic.

    Regards,

    Ajith KUMAR

  179. Guenter says:

    Hy Raunak

    I configured the DLL with this options, but no event 1033 and no error

    The dll is under C:CallOutMacFilterCallout.dll

    In the macfile located C:CallOutMacList.txt

    MAC_ACTION=ALLOW

    008064*

    The registry settings are the folowing

    CalloutDlls C:CallOutMacFilterCallout.dll

    CalloutEnabled = 1

    CalloutMACAddressListFile = C:CallOutMacList.txt

    What do I wrong??

    Thank`s for your help

    Günter

  180. Bruno says:

    Excellent tool.

    This tool resolved my problems.

    Thank You.

  181. Guenter says:

    Hy Raunak

    thank`s for answer.

    I use Windows Server 2003 32bit Standard Edition with SP1 german.

    The Server is a Domain Controller

    I configured the LogFile in the same path in registry.

    HKLMSystemCurrentControlSetServicesDHCPServerParameters

    CalloutErrorLogFile = C:CallOuterror.log

    CalloutInfoLogFile = C:CallOutinfolog.txt

    and I change the MacFile to the folling for testing.

    MAC_ACTION=ALLOW

    00184D33194E

    I restart my DHCP Server and nothing.

    No LogFile created, no 1033 event

    Only the event 7035 (starting DHCP) and 1044 (Authentification DHCP) as information in the eventlog are present.

    What goes wrong??

    Must I register Calloutdll with regsvr32??

    So, we have a lot of Wyse Terminal they are all beginning with 008064, so my additional question is, is it possible to configure CalloutDLL only give this

    MAC Segment a DHCP Adress or have I to write all possible adresses to the MacFile???

    Thank`s for your help

    Günter

  182. Atle says:

    Installed on Win2003 x64.  Get error 1034, The DHCP service has failed to load one or more callout DLLs.   The following error occured:

    %1 is not a valid Win32 application.  is not a valid Win32 application. Any solution? Or is it just for x32-systems?

  183. Zaid says:

    At last I regain control of DHCP lease!

    thanks for the tool, one note though; it seems that MAC addresses must be typed using lower case letters, I couldn’t get it to work while typing in  CAPITAL!

  184. Günter says:

    Hy Raunak

    I can start call-out with the event 1033 in the eventlog, but in error.log the messages

    "File format not proper" is insert always I start it.

    My MacList.txt File look like this

    MAC_ACTION=ALLOW

    00184d33194e

    What`s going wrong?

    Thanks for help

    Günter

  185. Paul Wightman says:

    Hi Guys,

    Is there any way to specify multiple mac lists, we intend to put the mac lists in DFS and have all our servers reference it so that we have a central allowed list of machines. It would be nice if you could maintain a mac list per site and have each server load all the site mac list one by one on start.

    This is just a bit more manageable than 1 big file.

    Tried the following for the CalloutMACAddressListFile Key with no luck.

    C:WINNTsystem32MiltonMAC.txt;C:WINNTsystem32RiseleyMAC.txt

    Thanks

    Paul

  186. Jim Kirk says:

    Great tool, let me add to the comments from others… ned a simple way to add a comment so we can easily associate mac addresses to users/machines. even if you read the MAC address digits and ignored anything else on the line would be fine

  187. paul says:

    Hey thanks for the tool. I don’t seem to be able to get it working. I have a 2k3 server. I did all the registry entries correct. I have check three times. the DLL seems to log the MAC addresses it has allowed and given DCHP address. Here is my maclist.txt file.

    MAC_ACTION={DENY}

    ***********

    ***********

    I have checked for spaces still nothing. the 1033 message comes up that the DLL has been loaded. not sure what is going on here..

    I have Five Registry entires under.

    HKEY_LOCAL_MACHINESystemCurrentControlSetServicesDHCPServerParameters

    CalloutDlls

    C:calloutdllMacFilterCallout.dll

    CalloutEnabled = 1

    CalloutErrorLogFile

    C:calloutdlllog.txt

    CalloutInfoLogFile

    C:calloutdlllog.txt

    CalloutMACAddressListFile

    C:calloutdllmaclist.txt

    Path to the DLL is

    C:calloutdll

    Log file out put has no errors only list of mac addresses with allow beside it.. Any help would be greatly welcome..

    Paul

  188. Craggar says:

    How do you uninstall the filter?

  189. Walter Albrecht says:

    Raunak

    Are there plans to allow this tool to work on Server 2003 R2 x64 ?

    Thanks in advance.

  190. travis says:

    Is the source code available for this project?

    I was going to write something along these lines but with additional custom features for our company and this would be a great starting point for us.

    Thanks!

  191. Krishnan says:

    I have MAC list file of around 28 MB, there is no issue in configuration everything is perfect, but DHCP Fails to start and throws error 1053, Event Viewer says dll is not loaded due to exception 3221225725

  192. Joe says:

    Hello there,

    Please help me, I’m always having an

    "File format not proper" error in my ErrorLogFile.txt. I can see the 1033 in the event veiwer. I have server 2003 installed in VMware workstation.

    HKEY_LOCAL_MACHINESystemCurrentControlSetServicesDHCPServerParameters

    CalloutDlls

    C:calloutMacFilterCallout.dll

    CalloutEnabled = 1

    CalloutErrorLogFile

    C:calloutErrorLogFile.txt

    CalloutInfoLogFile

    C:calloutInfoLogFile.txt

    CalloutMACAddressListFile

    C:calloutMACList.txt

    C:callout

  193. Brahma Biketan Biswal says:

    Hi ,

    I need to allow only company Mac address will get IP .If some one outsider wants IP from our DHCP server until entering his/her Mac address in to  allow list he /she should not get IP  address from our DHCP server 2003 .

    Please help me the script and step by step configuration..

    Thanks

    Brahma Biswal

  194. Magnus says:

    Is the 1033 event in the system event viewer the only indication that the dll is working?  I think everything is placed right but still no message. Using server 2003 SP2.

    CalloutDlls  C:calloutdllMacFilterCallout.dll

    CalloutInfoLogFile C:calloutdllinfolog.txt

    CalloutMACAdressListFile C:calloutdllMAClist.txt

  195. aries says:

    Hi Thanks for this great tool, my question is How can I put comments on each MAC address to esily determine how is the owner.

    Ex.

    MAC_ACTION={ALLOW}

    000b0e99440c (Aries’ PC)

    000b0e99440d (Guest1’s PC)

    Thanks

  196. aries says:

    Hi TeamDHCP,

      I have a question,

      I tried to ALLOW a MAC to connect, the PC able to access and get an IP then I removed the MAC address of the same PC (restart DHCP) and retry to connect. The PC can still get an IP address from the DHCP, even the log shows that it was denied.

      Is this due to the IP-MAC lease is still at the DHCP scope or at the DHCP database?

      What sould you do so once you remove the MAC from the list, it will no longer get any IP from the server.

    Thanks,

    Aries

  197. Magnus says:

    CalloutEnabled  ande set at 1

    I have it set but I still see no 1033? I see a 1044?

    Am I suppose to look in the System Event viewer?

    Magnus

  198. Joe says:

    Its working perfectly now, you are correct no problem in registry, the problem is in the MAC addresses. i change all capital letter to small letter and its work. Thanks for the Tips

    Joe

  199. Joe says:

    We have 12 subnets and each subnets we have dhcp server. the problem now is most of our user specially in sales and marketing department are shifting from one place to anther. is that possible  that in the registry of the other subnet are pointing to only one dhcp server instead of creating it one by one. as you it is a nightmare for me to add all the mac addresses of all PC’s and then restarting again the dhcp server.

    Thanks in advance

  200. Ken says:

    Is there a way to get the MAC addresses currently in use out of a log file so one doesn’t have to hand enter all of the existing clients?

    Thanks……

  201. Jeff25 says:

    New feature request:

    We have a laptop that moves between several subnets (vLANs) within an hour.  We would like to reserve an ip address in each dhcp scope (subnet) for one mac address without manual intervention.  For example,

    superscope

    scope (172.16.1.0/24):

     reserve ip address 172.16.1.1 for mac address: 0000aaaa1111

    scope (172.16.2.0/24):

     reserve ip address 172.16.2.1 for mac address: 0000aaaa1111

    scope (172.16.n.0/24):

     reserve ip address 172.16.n.1 for mac address: 0000aaaa1111

    Currently, Microsoft Windows 2003 SP2 dhcp server allows for entering the same mac address in these scopes, but fails to give the laptop the correct ip address.

    Please let me know if this tool could be modified to allow this scenario.  Or if a new tool would be needed.  In either case, when would it be available for general use if at all.

    Thank you,

  202. Jeff25 says:

    Ken,

    Create a script using the "DOS" command getmac and loop through your ip address ranges (/S ip address)…

    GETMAC [/S system [/U username [/P [password]]]] [/FO format] [/NH] [/V]

    Description:

    This command line tool enables an administrator to display the MAC address for one or more network adapters on a system.

    Hope this helps,

  203. Peter Malik says:

    I get an error in my errorlog stating "Could not open the data file"

    THe filter file is in the c:calloutdll directory, the registry matches the file name MAClist.txt and the directory and the file are readable by Admins, SYSTEM, and Users.

  204. RayRay says:

    I’m running two scopes on 1 physical dhcp server.two interface running dhcp server,Interface1 is 192.168.10.x and interface2 is 192.168.20.x..Is this tool

    possible to implement with this scenario?Thanks!

  205. Chad says:

    Is there any workaround to block with statically configured client pc?

    how do i know if there are statically configure client in my network? some users

    are capable of doing the static ip.

    anyway,i got it working flawlessly.

  206. RayRay says:

    Hi team DHCP,

    thanks again for this useful tool.i made it work with my two interface dhcp server but there’s an issue,those mac address from both interface network are all accepted on the MACList file.I need the two network(192.168.10.x & 192.168.20.x) to be independent to each other.mac address on 10.x should be deny on 20.x network and vice versa.

    is this doable?

    rayray

  207. Chris says:

    Hey DHCP Team,

    Great tool!

    Question:  How will this work with 802.1x?  If a client fails 802.1x can I add the machine MAC to the list and have it added to a "Guest VLAN" / Subnet?

    Thanks

    Chris

  208. Omid says:

    hello

    all config for me is correct but it does not run 1033 log

    please help me

  209. Jay Wilcox says:

    What would happen if a computer was introduced to the network with a proper static configured IP address but the MAC address of this computer was not in the data file of acceptable MAC addresses.

    Would the computer still gain access to the network or would there be an IP conflict.  Also what if that IP address being used by the computer in question was already assigned to a viable computer in the network/domain?

  210. Joe Z says:

    I just want to be clear..

    If i set a mac address to JUST deny- it will deny that but ALLOW everything else? or do i have to manually put in all MAC addresses in the ALLOW list?

  211. Brent says:

    Have you developed a version for x64 or is there a date that it will be available?  I received the 1034 event that it’s not a valid win32 app.

  212. JoviLeung says:

    What is the different between MACFilter and Reservation?

    What if someone knows one of the MAC address and change to it, could DHCP server detect it?

  213. paul says:

    Hello.

    I am trying to use this dll but my W2k3 machine won`t load it. The registry values seem to be corect. The paths also. In event viewer i only get 1044. No 1033 🙁

    What could be wrong? 🙁

    Help…. please..

  214. Austin says:

    Any chance there is sample source code perhaps .net source code for this?

    Thanks

  215. Jordan says:

    By the way, should I stop the DHCP Service first if I need to modify (add or remove entries) from MAClist.txt file?

  216. Ananthi.S says:

    I have successfuly configured Callout DLL and it is working fine. But how to restrict the users which are configured static IP address in their PCs themselves.

    Kindly reply me as soon as possible.

  217. charles says:

    I have reserved IP addresses in DHCP for some network equipment and printers on my network. For my servers and firewalls I have assigned static IP’s. These IP’s are also excluded from distribution.

    Do I need to add the MAC addresses for these devices to the MACList.txt?

  218. charles says:

    Servers and firewall IP’s are assigned statically, they are not reserved.However, these IP’s are in the excluded range.

    Printer IP’s are reserved, they are not assigned statically.

    So just to be clear, I would need to add the printers to the MAClist.txt but not the servers and firewalls?

  219. Tom Seether says:

    This works great!  Thank you!!!

  220. David Hutton says:

    I have installed as instructed and used an allowed function on a windows server 2003 sp 2. Everything seems to be fine and am getting the 1033 event id etc but it is allowing everything to get an address. the file is as follows

    MAC_ACTION = {ALLOW}

    001b77bebf89

    001b77db7024

    etc.

    any ideas.

  221. SHELDON says:

    It is great for filtering student laptops via wireless we only allow our equip. but I also have 350 desktops. Doesn’t the MAC list need to have ALL devices on the network or I would be denying my office worker’s machines an address?

  222. Shuja says:

    Hi All,

    I am not able to download callout DLL setup.exe to implement on windows W2K3, if any one knows download link please pass it here,

    The link that I am trying is
    http://blogs.technet.com/error.htm?aspxerrorpath=/blogs/attachment.ashx

    Regards

    Shuja  

  223. Shuja says:

    Dear Ajay,

    Thank you very much, I really appreciate it, I need for windows 2003 32bit.

    Regards

    Shuja

  224. Shuja says:

    Hi Ajay,

    I found it thanks alot

    Shuja

  225. Shuja says:

    Hi,

    I put in the mac file format as

    #MAC_ACTION={ALLOW / DENY}

    #001BXXXXXX

    and I did change the path of MACList.txt in registry as guided in the document, but it didnt work, I am trying my best to fix it, if any one have any idea or can give me structure of file format.

  226. SHELDON says:

    I’m ready to try out this exciting tool! However I don’t have a test lab so this will have to happen on our production server. Are there any possible problems that could mess up my DHCP services? What if I want to remove this in a hurry? Or can I just leave the text file blank and then everything continues running?

  227. Shuja says:

    Hi Pandya,

    I used without ‘#’ as well, in error log says, action not correct and file format not proper I tried many ways but no success. may the MACList.txt I saved in the location system32\MACList.txt is not correct?

    Thanks

  228. Shuja says:

    Hi Pandya,

    I have done with MAC filtering, but when I add a node’s MAC address then it dosent assign IP to that node, until I restart server, after server restarted it is ok,

    I mean it automatically doesnt update the list?

    Thanks

  229. Robert Vass says:

    Dear Ajay!

    Is it possible to use this tool with win2k3 standard edition?

    I read about it in the readme, but it says (system requirements) to me no.

    Gunter (tried it, comment: Friday, March 14, 2008 2:44 AM) but I don’t read about the result.

    Thanks

  230. David Hutton says:

    Hi the mac address filtering runs fine until I try to access it through a wireless access point. If I set calloutdisabled to 0 then the client machine can get a dhcp addres but not if I enable the filtering. Any ideas.

  231. David Hutton says:

    The config seems to be OK and in the infolog file I am getting

    Action specified is : ALLOW

    Successfully read mac addresses

    The DHCP server has successfully started.

    Thu Nov 27 11:42:09 2008 0018de0b0a21 Deny

    Thu Nov 27 11:42:12 2008 0018de0b0a21 Deny

    Thu Nov 27 11:42:20 2008 0018de0b0a21 Deny

    etc

    which is the coorect mac address for the wireless connection but I get

    Thu Nov 27 12:03:45 2008 000b6c37bcf1 Allow

    Thu Nov 27 12:03:45 2008 000b6c37bcf1 Allow

    if I connect the lan card

    hope you can help Dave

    but this is only if it is coming through

  232. David Hutton says:

    No the wireless card is the one that gets denied but the lan card gets allowed. It is only if the mac address is coming through the wireless that it gets denied. It recognises it but denies it. Dave

  233. David Hutton says:

    Raunak, are you wanting a copy of the log file and MAClist? Dave

  234. David Hutton says:

    Here you go

    MAC_ACTION={ALLOW}

    0013a9d72021

    00147C4F9DCE

    Dave

  235. Gary says:

    Hi

    I’ve installed this callout on W2K3 Ent and act as DC.I can see 1033 on the eventviewer.after i restarted the dhcp service,the ip address that i put on maclist,was blocked by dhcp.however,after several attempted,that pc can finally get ip from dhcp server.

    Fri Jan 16 19:44:46 2009 000c29fbdb21 Deny

    Fri Jan 16 19:44:46 2009 000c29fbdb21 Deny

    Fri Jan 16 19:44:49 2009 0002b9c45480 Allow

    Fri Jan 16 19:44:49 2009 000c29fbdb21 Deny

    Fri Jan 16 19:44:49 2009 000c29fbdb21 Deny

    MAC_ACTION={DENY}

    000c29fbdb21

    i run this pc under VM.is it something to do with VM?

  236. Eric says:

    I’m trying to decide if this tool can assist with this scenario.

    We run an 80/20 split scope across two servers and want to statically assign a small range of ip’s within each scope to certain devices with the same vendor MAC while still providing normal DHCP services to the rest of the devices. We have about 2000 devices and 200+ scopes so a MAC wildcard would be useful.

    I was thinking of ip reservations but now am leaning toward a dedicated scope with an allow filter for the controlled devices while setting a deny filter on the normal scope.

    will this even work? any suggestions?

  237. Bob Neuhardt says:

    I am unable to look at the contents of MacFilterCalloutInfoLog.txt while the DHCP Server service is running. Is this appropriate behavior? It also looks like the file is overwritten every time the DHCP Server service is restarted.

  238. Samuel says:

    Hi,

    How I put comments on MacList.txt?

    Thanks

  239. Samuel says:

    Hi, again

    Which the latest version of MacFilterCallout.dll?

    I’m using version 1.0.0.1

    Thanks

  240. tg251A says:

    In response to Joel’s question it shoudl work that way using the "Deny" option. I just found this tool and we are about to test it that way, We have 15-20 sites and over 1300 computer/device objects in AD and it would work much better as we find rogue systems just add them to the list.

  241. paul says:

    I have a question about this tool, or anthing else that might help us.  We have 100 Symbol / Motorola handheld computers that need to acquire a unique IP address based on MAC address and I was wondering if there was some way to do it with this tool and wildcards, since the first four segments of the MAC are identical.  If not, is there anything that can be done with Vendor Class or User Class?  Thanks.

  242. paul says:

    Thanks Raunak, that is probably our final option.  We need to insure they come out of a specific IP pool that is not routed the same as our primary IP pool.

  243. James C says:

    Hey teamdhcp,

    thanks for the tool.  Literally just in time to safe the day.  We’re implementing a lockdown on our network by using 3 groups. We want to allow office PC (small group) to the Internet and Datacenter.  That will be group 1.  There are people that VPN tunnel in, so we’ll put them in group 2.  Group 2 needs access to just the office.  Group 3, guests and whatnot.  They just have access to the Internet.  Our current setting is going thru a pix.  However, we want to try your tool since it seems less limiting than the Pix.  Is this possible?  if so, how would the Maclist.txt look like?  Thanks for your help.

    James

  244. Scott A. says:

    It also does not show the computers, that it is allowing even though they are not on the mac list, in DHCP – it’s not showing a lease even though they have been given an IP.

  245. Ali Busaleh says:

    when I try to install

    (MacFilterCalloutInstaller-x86.msi)

    it install ok but I cant see where it installed to use

    and when I try to install

    (MacFilterCalloutInstaller-x64.msi)

    give this error mesage

    "this installation packege is not supported by  

    this processor type

    please contact your prospect vendor "

    I use windows server 2003

  246. Joe says:

    i have one client that has been added to the list but the log on the DC keeps saying deny.  Their mac is correct.  

    Any other places i can look to see why it’s not connecting?

  247. Joe says:

    not sure of the version we’re using.  It’s been in place for a while.  We were using it as DENY but today i moved everything to ALLOW (only).  

    Here is part of the infolog

    Action specified is : ALLOW

    Successfully read mac addresses

    The DHCP server has successfully started.

    Wed May 06 14:27:06 2009 08000f390c05 Deny

    Wed May 06 14:27:16 2009 001b2450045f Deny

    Wed May 06 14:27:19 2009 001b2450045f Deny

    Wed May 06 14:27:22 2009 08000f390c05 Deny

    Wed May 06 14:27:27 2009 001b2450045f Deny

    Wed May 06 14:27:42 2009 001b2450045f Deny

    Wed May 06 14:27:53 2009 08000f390c05 Deny

    Wed May 06 14:28:44 2009 08000f390c05 Deny

    Wed May 06 14:28:51 2009 08000f390c05 Deny

    Wed May 06 14:29:07 2009 08000f390c05 Deny

    Wed May 06 14:29:38 2009 08000f390c05 Deny

    Wed May 06 14:29:53 2009 08000f390c05 Deny

    Wed May 06 14:30:01 2009 08000f390c05 Deny

    Wed May 06 14:30:09 2009 00197e948d01 Deny

  248. Joe says:

    Thank you Raunak.

    I did upgrade to the newest version.  It definitely worked after that.

    Much appreciated!

  249. Arthurafs says:

    Hello guys,

     Do you know if this tool works on Windows 2003 Standard Server or others versions? The system requirement on documentation (SetupDHCPMacFilter.rtf) is Windows 2003 Enterprise Server or higher.

    Thanks in advance,

    Arthur Fernandes.

  250. I have two DHCP servers, each having different scopes.  I am focusing on one particular scope, and have created reservations for all approved machines within that scope.  I want to be able to take this further and allow only the MAC addresses for these machines, to get an address from within that scope.  As in, if a rogue laptop or device connects to our network, an address will not be provided.

    The problem with how I understand this, is that the process will impact all my scopes, and I do not want to do that for various reasons (our phones are VOIP and are set to DHCP, for example).  

    Can I have this process apply to just one scope within the DHCP server, ignoring other scopes?

  251. mike says:

    Hi,

    Is there any way to turn off the Info log file, so this information isn’t logged any more? We have a lot of activity on our DHCP servers, and the file is growing by 7MB a day, which we can’t maintain for long.

    I’ve tried deleting the path in the CalloutInfoLogFile registry key, as well as deleting the key completely, but the DHCP service then refuses to start (throwing up an error 1032 in the event viewer)

    Thanks,

    Mike

  252. Jim Dunham says:

    Will the DHCP callout DLL work on SBS2003 as well?

  253. Gop's says:

    Hi

    I have installed th msi and even see the event 1033. i found the 3 txt files

    MacFilterCalloutErrorLog

    MacFilterCalloutInfoLog

    MACList

    in

    C:windowssystem32dhcp

    i have this error "Line Number 2 Not In Proper Format

    File format not proper" in MacFilterCalloutErrorLog.txt

    can you let me know why? and

    i have only this in MACList.txt

    MAC_ACTION={ALLOW}

    00-0d-0c-4a-67-23

    but i can see lot of MAC’s allowed.

    Thanks in advance.

    Gop’s

  254. Andre Watson says:

    ALL YOU NEED , Works great, especially on my remote network. Being unable to be everywhere, in combination with a little script to monitor the logs, sends me and other administrators real time pop up message when access is denied.

  255. Igor Sharapov says:

    I am running Windows 2003 R2 x64 server. When I try to run MacFilterCalloutInstaller-x64.msi, I get error "Proccessor Architecture not Supported." MacFilterCalloutInstaller-x32.msi terminates with the same error. Is there anything I need to do, to install this dll?

  256. Joe Tenne says:

    I have applied this solution to allow for specific mac addresses in the maclist.txt file.  However, although the log file shows that it is definitely allowing my designated mac addresses to receive IP addresses, when I look at the DHCP management console, nothing is listed under DHCP leases.  Is this a known issue?  How can I get the currently leased IP addresses to show up in the DHCP console?

    Thanks in advance for your help!

    Joe

  257. warlock88 says:

    hi…i’ve noticed that every time i restarted the dhcp server under services…the logs on MacFilterCalloutInfoLog has been deleted…is there a way to restart the dhcp service without deleting the MacFilterCalloutInfoLog logs?

  258. Yogurtu92 says:

    I installed it and it erase my DHCP Server Configuration.  Is this normal? Is there a way to restore it?

  259. Chris Roser says:

    After installing the new version I’m not able to open the CalloutInfoLogFile while dhcpserver is running. Is this an intented behaviour?

    Additional info: I changed the path to info.log in HKEY_LOCAL_MACHINESystemCurrentControlSetServicesDHCPServerParametersCalloutInfoLogFile to d:info.log

    PS: MacFilterCallout.dll  works here as well with a localized w2k3 r2 (german)

  260. warlock88 says:

    hi, is there a way where i can deny IP address?…say, a client statically configured IP address on his machine and this IP belongs to the IP address range for distribution of our DHCP server.

    My objective is that to prevent this clients or users for gaining access to our network even they statically assigned their own IP address.

  261. Victor says:

    Raunak,

    First – many thanks for this useful tool.  I fear some commenters have neglect this obvious acknowledgement in their rush to ask for more features.

    The use of {DENY} with curly brackets wasn’t clear but reading the above sorted that out.  I note that the log file now has an opening lines:

      Action specified is : DENY

      Successfully read mac addresses

      The DHCP server has successfully started.

    so it’s clear that the config file is read and understood.

    Pardon me if I’m being too simplistic but could both ALLOW and DENY features be possible by something like this:

    – two copies of the same DLL (or very nearly the same DLL)

    – the only difference is a separate set of registry entries so that the config and log files have different name or locations.

    Then users could have two config files one for Allow and another for Deny that are used by two separate but identical DLL’s?

    Not an elegant solution but I thought it might be easy for you to implement without a lot of changes to the existing DLL.

    Just a suggestion.

    Again, thanks,

    Victor

  262. yves says:

    Hello,

    I’ve used Routing and Remote Access to create a NAT server on a Win2k3 server.

    As far as I can see from the wizards, it uses it own DHCP allocator to provide IPs to my private network. Is there a way to make that DHCP service (which is not a standard DHCP server role) use the callout dll?

    My attempts to install the callout dll failed at first because it seems to require a DHCP server role, something I don’t really need in this situation. I did install the roll to be able to run the callout installer, but it doesn’t seem to work together with the NAT server.

  263. möp says:

    Hello,

    is it possible to reload the DLL only. After the MACList.txt was changed? Or exists another MacFilter for DHCP server?

    Thanks,

  264. Dave says:

    Hi there,

    Please can someone tell me what the effect stopping and starting the DHCP server will have on locally attached clients. Will they remain connected to the network and be able to function normally for the brief time the service is down or will they cease to connect while the service is down and then reconnect once it is back up again. I am a junior network engineer and work in an organisation that realistically has people connected to the network 24 hours a day. (I was trying to avoid coming into work at the weekend just to test this DLL)

    Thanks for you help in advance

    Dave

  265. Elton Andrade says:

    I’m concerned about the Vista clients.

    I saw people complaining that their Vista clients don’t get IP.

    I’m working on a virtualized environment, and I’m pretty happy with the results, works like a charm…but I don’t have a Vista VM to continue with tests.

    Can Vista/Win7 clients get an IP address from the DHCP server (with callout dll)?

    Thanks,

  266. Giancarlo Stanco says:

    Hi Pandya,

    Can Be installed the DLL on windows 2003 server in Spanish.

  267. Tom Komadowski says:

    Has any work been done to add wildcards to the callout?

    My scenario:  We have VPN clients coming in to the network that use DHCP to get their IP address.  

    Right now I have to set up static routes on a layer 3 switch to each address as it’s assigned so they can see all the subnets within our network.  

    I’d like to have 2 DHCP servers set up so that I can assign the VPN clients addresses from a specific range and the other DHCP server assigns to the rest of the network.  

    The VPN clients all start with the same 6 digits in the MAC address so that would make it easy to do the ALLOW and DENY on the DHCP servers with a wildcard in the callout DLL.

    If I can’t do the wildcard then my question is how do I specify a DHCP server to respond slower so that the main DHCP server can answer first?  I am able to direct the VPN clients to the specific DHCP server but I don’t want that one answering other requests on the network.

  268. Tom Komadowski says:

    Thanks for the response, Raunak.  

    Unfortunately I am stuck with Windows Server 2003 for now.  

    I am going to look into the Option based callout dll though.

    Thanks!

  269. Tom Komadowski says:

    Raunak, I just realized you pointed me back to the exact callout dll I was working with.

    The VPN clients are all from the same vendor and their MAC addresses start with the same 6 digits.  My problem is that without wildcards I would have to create over a million entries in the text file to cover all possible MAC addresses in that range.  The remaining 6 digits of the MAC address are randomly created when the VPN link is established.

    That is why I would REALLY like to have wildcard support in the callout DLL.  It would take care of my problems immediately.

  270. Caio says:

    Hello,

    I’m not sure to be in the right place for this question, but this seems to be an authoritative site about dhcp 🙂

    I need to configure the windows dhcp in order to release different IP according to the host VLAN ID.

    I.E. I want that the dhcp release an address taken from x.x.x.10 and x.x.x.20 if the requiring host belong to VLAN ID X and from x.x.x.21 and x.x.x.30 if the VLAN ID is Y.

    How can I set it on the windows dhcp?

    Thank you

  271. Caio says:

    Ok, thank you very much.

    I try to explain my scenario in the quickest way, hoping to be clear.

    In my situation I have a router that manages 2 vlan ID on the first 50 ports, because one Vlan ID will be assigned to voip phone devices and one to PC.

    I didn’t configure the router because is managed by another company, and I don’t know how is configured, but reasonably I think it’s ready to do a dhcp forward for the requests received (and I have verified that without the VLAN ID set up it works).

    In this situation I only want to assign a different IP Address when the devices send their request in broadcast, according to the VLAN ID assigned to the devices requesting. If I don’t mistake I can assign the VLAN ID to the phones and to the ethernet card on the host before they make the request, so when they ask for an IP the replying server should know their VLAN ID.

    How would be the correct behavior for this environment? Sould I have to configure 2 different DHCP servers (replying to different IP address) and should the router that forward the request forward it to the correct server according to the VLAN ID or whatever?

  272. Joshua says:

    teamdhcp,

    thank you for the wonderfully useful tool. this is exactly the sort of thing we have been looking for. earlier we were contemplating using your ‘DHCP Reservation Tool’ to ‘clone’ registration data from one scope to the next, but this is will solve the problem for is in a much more immediate way.

    im sure you are tired of hearing this but, if the mac address list file could have comments in it it would really be a huge benefit for most people 🙂 thanks for fixing the uppercase/lowercase problem though! 🙂

    May the LORD be with you in your endeavors 🙂

    Caio,

    Your comment is sort of hard to understand but let me tell you how we have our setup configured and maybe it will help you.

    We have 1 core L3 Switch / Router that has multiple VLANs defined on it. Each of these VLANs is on its own subnet. So, for example:

    VLAN 1 is 192.168.1.0/24

    VLAN 200 is 192.168.200.0/24

    we have 1 DHCP server (Windows 2003). In the server we have two scopes, one scope is 192.168.1.0/24, the other scope is 192.168.200.0/24.

    the server does NOT have a 802.1q NIC, so the server itself does not know at all that there are multiple VLANs.

    our core L3 switch / router has a ‘DHCP relay’ option, we configured the router to relay DHCP requests to our Windows servers address.

    so now, clients that are inside of VLAN 200 send a DHCP request, the router hears it and forwards it to the server, the server responds with a DHCP reply from the correct subnet and the client works perfectly fine.

    —of course, you have to make sure that the server has a static route configured inside of RAS to send packets destined to 192.168.200.0/24 subnet through the IP address of the L3 Switch / router… if you do not run RAS on the server you can add a persistent route with the route command through the command prompt. it would look something like this (in our case, would be the numbers):

    route add -p 192.168.200.0 mask 255.255.255.0 192.168.1.254

    that would be assuming that the IP address of the L3 switch / router that has the DHCP relay function is 192.168.1.254 and that the subnet that the VLANd devices are on is 192.168.200.0/24

    anyway. i know this is a late response but i hope it helps.

  273. Peter Boos says:

    Dear Microsoft DHCP team,

    It would be very handy if also subnet assignments of IP addresses could be filtered on vendor type mac adresses.

    using some wildcards. As some kind of advanced scope option. This would be handy if you need to assign IP-phones to specific subnets / different from desktops clients.

    I know these days this is solved through complex vlan configuration, but these phones not always get easily into the right vlan from a cold boot, a mac filter would make this a lot easier.

  274. Marc says:

    DHCP Team,

    We’re looking for exactly the same feature, and for a similar reason, as Peter in his post of January 15.  We have Aastra VoIP phones that receive their configuration, including VLAN assignments, from a tftp server specified in a DHCP requests.  Other DHCP clients have different or no tftp servers.  The ability to assign IP addresses, tftp servers and other components in the DHCP respose based on the OUI or other substrings of the client MAC address would be very useful.  

    We’re currently using dhpcd on a linux box that supports MAC filtering of this sort.  Here’s an example from the dhcpd.conf file that shows the sort of functionality that we need.  The class directive allows us to set up a class of clients based on OUI and an associated tftp server.  In the subnet directive, we assign IP addresses based on class memberships.

    class "voip-clients" {

            match if substring (hardware, 1, 3) = 00:08:5D;

            option tftp-server-name   "pbx.foo.com.";

    }

    subnet 172.17.0.0 netmask 255.255.0.0 {

      authoritative;

      option routers               172.17.0.1;

      option subnet-mask           255.255.0.0;

      option domain-name           "foo.com.";

      option domain-name-servers   172.17.0.2;

      default-lease-time 86000;

      max-lease-time  86400;

      zone foo.com. { primary 127.0.0.1; key DHCP_UPDATER;}

      zone 17.172.in-addr.arpa. { primary 127.0.0.1; key DHCP_UPDATER;}

     pool {

       allow members of "voip-clients";

       range                       172.17.200.1  172.17.200.250;

     }

     pool {

      deny members of "voip-clients";

      allow unknown-clients;

      range                        172.17.1.1  172.17.1.200;

     }

    }

    Thank you.

  275. gizmmo says:

    ok i tested the callout and it seems to work fine. one question tho, what will happen if the client decides to manualy setup his ip? any way to block that mac from the dhcp server and respond to the client with ‘ip pool full’ or ‘no more available ips’ ?

  276. mike says:

    What a great program.  And very easy to install and configure.

    Thanks Raunak Pandya and the DHCP Server Team

  277. ali says:

    this is a very nice feature, and i’ve got it working perfectly. But if i want to stop this feature and revert back to the normal DHCP settings without the filtering, how is that possible. Thanks guys

  278. Gov says:

    Can someone from Microsoft please confirm whether this is regarded by Microsoft as a ‘supported’ use of DHCP please?  What RFC governs this process?

    Many thanks.

  279. Antonio says:

    hello

    i have the problem that the DHCP continuous given IP to deny mac address, i do every thing fine, I have win2003 Server 64bit. i install the file and i create the mac address list.

    my mac address list is correctly, i am allow some mac address.

    the file macfirtelcalloutlog.txt show me the mac allow and deny correctly.

    the Event Viewer show me the message with the ID 1033 correctly when i stop and run DHCP service.

    but the Deny mac continuous getting one IP and connection to internet.

    What can I Do?

    Please Help Me…

  280. prunkster says:

    thank you so much! this was exactly i was looking for! no more race condition for my few local clients with on specific interfaces 😉

  281. Bagels says:

    This is an awesome tool!!  I have been looking for something like this and was starting to give up hope.  I am very happy that I came across this site for a resolution to our problem!!

  282. jojie says:

    Good day, Imanaged to install the program and then stop start the DHCP server and reviewed the event viewer i got 1033 value on the event, then  opened  the MACFilterCallOutInfoLog.txt and saw the following entries..

    Action specified is : ALLOW

    Successfully read mac addresses

    The DHCP server has successfully started.

    Mon Aug 23 16:05:59 2010 001d72fb1696 Allow

    Mon Aug 23 16:06:11 2010 002185fb34db Deny

    Mon Aug 23 16:06:15 2010 002185fb34db Deny

    Mon Aug 23 16:06:24 2010 002185fb34db Deny

    Mon Aug 23 16:06:43 2010 002185fb34db Deny

    Mon Aug 23 16:06:46 2010 002185fb34db Deny

    Mon Aug 23 16:07:19 2010 001d72fb1696 Allow

    Mon Aug 23 16:13:16 2010 001d72fb1696 Allow

    everything is fine until i tried to inquire the denied CPU coming from the allowed CPU, it was giving me a successfull reply that is supposed to be no reply becouse it should not be given an ip address on the first place, both CPU are in DHCP mode not static.

    Please help…

    Thanks

    jojie

  283. jojie says:

    one more thing the MACFilterCallOutErrorLog.txt is empty so i presume i did everything fine.

    Thanks again

    jojie

  284. jojie says:

    hi,

    Good day, i tried the MAC filter program again today but still it failled, from the MACFilterCall InfoLog.txt i can see that the program denies the MAC address of the CPU that is not on the MACList.txt. Even though it says deny it still gives IP address to the CPU, and from the CPU i can ping my domain server and accress remotely, please  help…

    Thanks

    jojie

  285. jojie says:

    hi,

    As per your request…

    *****MacFilterCalloutInfoLog.txt*****

    Action specified is : ALLOW

    Successfully read mac addresses

    The DHCP server has successfully started.

    Wed Aug 25 07:53:54 2010 001d72fb1696 Deny

    Wed Aug 25 07:53:54 2010 001d72fb1696 Deny

    Wed Aug 25 07:53:59 2010 001d72fb1696 Deny

    Wed Aug 25 07:53:59 2010 001d72fb1696 Deny

    Wed Aug 25 07:54:07 2010 001d72fb1696 Deny

    Wed Aug 25 07:54:07 2010 001d72fb1696 Deny

    Wed Aug 25 07:54:25 2010 001d72fb1696 Deny

    Wed Aug 25 07:54:25 2010 001d72fb1696 Deny

    Wed Aug 25 07:54:30 2010 001d72fb1696 Deny

    Wed Aug 25 07:54:30 2010 001d72fb1696 Deny

    Wed Aug 25 07:54:39 2010 001d72fb1696 Deny

    Wed Aug 25 07:54:39 2010 001d72fb1696 Deny

    Wed Aug 25 07:54:55 2010 001d72fb1696 Deny

    Wed Aug 25 07:54:55 2010 001d72fb1696 Deny

    Wed Aug 25 13:51:44 2010 002185fb34db Deny

    Wed Aug 25 13:51:44 2010 002185fb34db Deny

    Wed Aug 25 13:51:47 2010 002185fb34db Deny

    Wed Aug 25 13:51:47 2010 002185fb34db Deny

    Wed Aug 25 13:51:55 2010 002185fb34db Deny

    Wed Aug 25 13:51:55 2010 002185fb34db Deny

    Wed Aug 25 13:52:22 2010 002185fb34db Deny

    Wed Aug 25 13:52:22 2010 002185fb34db Deny

    Wed Aug 25 13:52:25 2010 002185fb34db Deny

    Wed Aug 25 13:52:25 2010 002185fb34db Deny

    Wed Aug 25 13:53:35 2010 002185fb34db Deny

    Wed Aug 25 13:53:35 2010 002185fb34db Deny

    Wed Aug 25 13:53:38 2010 002185fb34db Deny

    Wed Aug 25 13:53:38 2010 002185fb34db Deny

    Wed Aug 25 13:54:55 2010 002185fb34db Deny

    Wed Aug 25 13:54:55 2010 002185fb34db Deny

    Wed Aug 25 13:54:58 2010 002185fb34db Deny

    Wed Aug 25 13:54:58 2010 002185fb34db Deny

    Wed Aug 25 13:56:11 2010 002185fb34db Deny

    Wed Aug 25 13:56:11 2010 002185fb34db Deny

    Wed Aug 25 13:56:14 2010 002185fb34db Deny

    Wed Aug 25 13:56:14 2010 002185fb34db Deny

    Wed Aug 25 13:57:26 2010 002185fb34db Deny

    Wed Aug 25 13:57:26 2010 002185fb34db Deny

    Wed Aug 25 13:57:30 2010 002185fb34db Deny

    Wed Aug 25 13:57:30 2010 002185fb34db Deny

    Wed Aug 25 13:58:41 2010 002185fb34db Deny

    Wed Aug 25 13:58:41 2010 002185fb34db Deny

    Wed Aug 25 13:58:44 2010 002185fb34db Deny

    Wed Aug 25 13:58:44 2010 002185fb34db Deny

    *****MACList.txt*****

    MAC_ACTION={ALLOW}

    001ec9e4e7cd #Server1

    ***** ipconfig/all*****

    Windows IP Configuration

      Host Name . . . . . . . . . . . . : svctag-582xs3j

      Primary Dns Suffix  . . . . . . . : W-ARCC.net

      Node Type . . . . . . . . . . . . : Unknown

      IP Routing Enabled. . . . . . . . : No

      WINS Proxy Enabled. . . . . . . . : No

      DNS Suffix Search List. . . . . . : W-ARCC.net

    Ethernet adapter Local Area Connection:

      Connection-specific DNS Suffix  . :

      Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)

      Physical Address. . . . . . . . . : 00-1E-C9-E4-E7-CD

      DHCP Enabled. . . . . . . . . . . : No

      IP Address. . . . . . . . . . . . : 192.168.5.10

      Subnet Mask . . . . . . . . . . . : 255.255.255.0

      Default Gateway . . . . . . . . . :

    *****MacFilterCalloutErrorLog.txt*****

    NO ENTRIES

    This is newly formated server, Windows 2003 SP2 Ent. is the only program inside (and MACFiltering program).

    Thanks, and hope you can help me on this.

    Regards,

    jojie

  286. Great work but lousy error checking... says:

    Just spent a couple hours trying to get this to work. Turns out I was generating the file in UTF instead of ASCII (had 4096 macs to add since it does not allow wildcards). Kept complaining of incorrect action but error is VERY misleading because it gives one such error for EACH mac in file and b4 that it kept complaining of incorrect syntax in MACs when I was using upper case letters…

    Thanks for the tool but you would have spent less time answering stuff here if you had done a bit more error checking when loading the file… Think I'll have to upgrade to 2008R2 soon to use the extended filter options…

  287. Vineeth says:

    I have done this… it is not working at all, and i have nt seen any  1033 error in event viewer

  288. Rupesh Shah says:

    Hi

    I  need something extra if someone can help me that will be great.

    I know my known device's & i can use DHCP server Callout dll & allow my know device to get access with my specific IP range.

    Now for walking guest , i need to give different IP range so that they can just access internet & not my all internal network.

    How can i do the same. ?

    Please reply.

    My mail id is rcs_shah@rediffmail.com

    Rupesh

  289. Paran01d says:

    Hello,

    I'd like to test the software, but according to your ID_ReadMe.rtf I need at least an Enterprise Server. So is there no chance to run it on Windows Server 2008 Standard?

    Thanks in advance,

    Paran01d

  290. Paran01d says:

    Hello,

    I'd like to test the software, but according to your ID_ReadMe.rtf I need at least an Enterprise Server. So is there no chance to run it on Windows Server 2008 Standard?

    Thanks in advance,

    Paran01d

  291. Andy says:

    Hi teamdhcp,

    Just set this up and is working great. Now blocking those pesky iphones from our wireless network.

    Will this tool work in my clustered environment? If i install on both nodes with the same settings i imagine it should continue working ok?

    The other thing i've noticed is that the MacFilterCalloutInfoLog.txt file could end up getting huge if i just left it. Is there any way around this? Otherwise i will just have to delete the entry from the registry.

    Thanks,

    Andy

  292. imran says:

    HOW TO REMOVE MACFILTERDLL FROM THE SYSTEM

  293. Tim says:

    Is there a hard limit on the number of MAC's that can be in one MACList.txt file? I want to maintain one database for all of our locations, with a total of around 8000 devices. I would then just script the updating of the remote locations list from the master list.

  294. Helder Bortolon says:

    How can I filter MAC by DHCP Scope? The Dll filter MAC for all DHCP Scope.

  295. 2003 server dhcp says:

    Brilliant!!!

  296. David Coelho says:

    Hi… I got this message "Could not open the data file" in file Macfiltercallout.txt. I´m using Windows 2008 Standard. if it isn´t possible to work in this SO, is there another possibility to implement some mac filter in this SO ?

  297. DaveL4 says:

    i have setup the call out on a windows 2003 machine.  i have the event log showing the dll is loaded.  in the callouterrorlog, getting 'MAC_ACTION' Not Specified Properly and  File format not proper.    my maclist.txt file contains

    MAC_ACTION={DENY}

    54424965efd7

  298. Rolling Lois MacTeam How to use... says:

    Great!!!!, beautifull tool, very easy, very strong, very simple…. Just rigth click at items in the Address Leases, select 'Add to Filter' and Allow or Deny

  299. Ramesh Bolaram says:

    Hello Team,

    DLL is working perfectly but have questions:

    1. this is working only after restarting the client laptop or ipconfig /release & renew

    2. what happens if apply deny policy on mobile phones (android iphone….)

  300. daviditson says:

    thanks works great!!!, I free up some addresses and they keep coming new devices

  301. Samson1234 says:

    I have did all the procedures as explained in the video by it is not working, but in MacFilterCalloutInfoLog.txt  it is showing DENY, for which i have blocked. But the blocked MAC id laptop can get the IP address through DHCP. Can any one guide me pls….

  302. teamdhcp says:

    Hi Samson, MAC based filtering functionality has been inbox since Windows Server 2008 R2. We request you to use the inbox supported functionality.

  303. Ken says:

    Great tool. Took me a second to get it working. Need to restart DHCP service for it to start working and after any changes to the MACLIST.TXT for it to take effect.

  304. mike says:

    Will this work with 2008 Enteprise within a clustered environment?