Comodo and Internet Connection Sharing

I’m trying (and struggling!) to use Comodo Firewall ( to control internet Connecton Sharing (ICS) on Windows 2000.

What I have is a 3G mobile Internet connection on a laptop, which is shared using Windows ICS. ICS acts as a DHCP server on, and a gateway and DNS proxy on

The laptop’s ethernet port is connected to the WAN port of a wireless broadband router, which gets an IP via DHCP from the laptop, and creates its own subnet ( which wireless clients connect to.

All of this works without a firewall, but I want to limit the type of data that the connection can be used for.

What I would like to do is block everything to start with, then allow some exceptions.

Question 1:

In particular I need to enable DHCP so the wireless can get its connection details. That’s where I’m stuck. If I give the router static IP (eg I have managed to give wireless clients Internet access, but I can’t work out what I need to enable to allow the laptop to act as a DHCP server. Nothing gets logged, the router just times out requesting an address.

Question 2:

If I need to, am I able to block (or enable) traffic from specific wireless clients on the subnet (keeping in mind that they will be seen by Comodo as NAT traffic from the router on

Question 3:

I would like to give the laptop itself unrestricted access to the Internet, and just limit the traffic through the subnet. I haven’t really looked at that yet, but a pointer as to where to start would be appreciated.


did you check for nat/ proxy software with limiters?

i dont think a firewall is usefull there?


PS: dhcp - start with fixed ips, in comodo u need a dhcp ruleset and untick block connections while boot in advaced.

at least you can make trusted connection ruleset for each ip on host lappy and then allow or disallow

but then you dont need dhcp then fixed ips. not sure v3 is the right deal for you since it handles MAC
but then your router must allow it.

make your decision, its a rough overview so you get a idea

I’ve been working off-line with another poster in a related topic, and what we’ve been finding is that it isn’t possible. The limitation is in the wireless NIC hardware: it doesn’t support “promiscuous mode”. DHCP uses broadcast packets, and without the promiscuous mode, those packets don’t make it across from the wireless into the wired LAN. Predefined addresses, as you’ve found, will work fine. It’s just that the DHCP server has to be on the same side of the wall. What this means, to answer your question, is that ICS can’t be used as a DHCP server for wireless clients.

There is a hack that could, maybe, allow ICS that is also a host wireless access point, to be used as a DHCP server. The hack involves changing the wireless NIC adapter settings to simulate a broadcast bridge. That’s not something that can be done when using a separate wireless router.

Nope. Once thru the NAT, all devices behind the NAT appear as a single device. The packets all have the same IP address, and the same Ethernet MAC: that of the NAT interface.

If I understand you correctly, you’re wanting to give access to the Internet, but not allow any Internet access to

From the perspective of the laptop at, there will be wired Ethernet traffic with source addresses in both and To restrict the 2.0/24 traffic, you’d need a sequence of rules something like this:

allow protocol IP from to
allow protocol IP from to
deny&log protocol IP from to any
… any other 0.0/24 rules…
default deny&log everything

That will keep all the 2.0/24 traffic talking only to 0.0/24 addresses.

It occurred to me a few minutes ago, that I was mixing configurations in my answer to Question 3.
In my answer, I was assuming the wireless router was functioning as a router and a DHCP server, and not as a NAT device.

If you disable NAT, then in your Question2, yes you can control individual clients access to the Internet by IP address. If you know their IP address. If those addresses are assigned by the wireless DHCP, then you don’t know which is which until the address is assigned. If you give a fixed static address, then you probably don’t need the DHCP service running either. In which case, you have a wireless access point running simply as a router.

Does that make sense?