Configuring DMZPlus or port-forwarding for LAN access

Teacher

Happy Holidays to all! I'm hoping someone can help me out here...

 

About 2 weeks ago, I switched from a local DSL provider to AT&T U-Verse at my new home, and am trying to get the AT&T 3800HGV-B Gateway to allow access to my LAN machines from the public internet (web, cvs/svn, mail, imap, nfs, etc.) and am not having the best of luck with many different configuration attempts.

 

In my previous DSL configuration, I had a DSL modem directly attached to the phone line, and a Buffalo Wireless WHR-HP-G54 attached to that, handling the firewalling and routing. The WHR's WAN side had the public IP of the DSL connection, and routed all traffic hitting that public interface into the local LAN clients that were on the 10.0.1.x segment. All machines were connected to ports on a switch that was plugged into one of the switched ports on the back of the WHR. This all worked flawlessly for about 3 years.

 

Now I'm on U-Verse with the 3800HGV-B, and I can't seem to replicate the same sort of function. Here's what I have tried and my current configuration: 

 

The 3800HGV-B has a public IP of 99.16.211.3 on the WAN side and a local IP of 10.0.1.1 on the LAN side. I've connected the WHR to the 3800 via the WAN port on the WHR, and configured it with "DMZPlus", in the hopes that the WHR's WAN side would be given the 99.16.211.3 address. 

 

When that happens, the WHR has 99.16.211.3 on the WAN side, and 10.0.1.2 on the local LAN side. 

 

At this point, I have the 3800 assigned with 10.0.1.1, acting as a bridge, using DMZPlus to pass all traffic to the WHR sitting at 10.0.1.2, with a WAN IP of 99.16.211.3. 

 

On the WHR, I configure some port-forward rules so that all incoming requests on 99.16.211.3 for port 80, go through the WHR, and get forwarded to the internal webserver sitting on 10.0.1.4. 

 

This fails. Traffic never gets through to the webserver machine. Likewise for any other services on any other port of any other internal LAN machine. 

 

So then I unset the DMZPlus and tried to just use the 3800's onboard Firewall Settings option to point "SSH Server" and "Web Server" to two different internal machines. This also fails. No traffic seems to get past the 3800 into the WHR, and into the local LAN segment. 

 

What I found interesting, is that the 99.16.211.3 IP is publicly accessible, but I have a block of 8 static IPs (5 usable) on a completely different subnet. In the "Local Network" -> "Advanced Settings" dialog of the 3800's config, I see: 


Public Routed Subinterface    
Router Address: 75.54.193.190 
Subnet Mask:    255.255.255.248


The IP block I have begins with the 5 IPs prior to .190 there. Shouldn't the WAN IP that the 3800 uses and the WHR receives be one of those IPs, and not the 99.16.211.3 IP?

What is the "right" way to configure this, so public access from the live Internet, can interact with services running on my local LAN machines on the 10.0.1.x segment? 

 

Thanks in advance!

Message 1 of 37 (2,065 Views)
Scholar

Re: Configuring DMZPlus or port-forwarding for LAN access

You have the WHR using 10.0.1.0 on its LAN.

You have the RG using 10.0.1.x on its LAN, which is also the WAN interface for the WHR.

 

This is a conflict, and the result is that your WHR won't be able to communicate with devices on the RG LAN. I'm not sure whether that is the cause of your problems, but it could well be. I suggest you set the RG back to its default of 192.168.1.254 with 192.168.1.* as its LAN.

 

I'm not sure about that static block, as I have no experience with that.  My understanding is that you could manually configure your WHR to use one of those static IPs  on its WAN, and the RG would then recognize that.  I'm not sure whether there is a way to have the RG assign that with DHCP.  Even with that static assignment, you would still have a potential conflict between the RG LAN ips and the WHR LAN ips.

 

 

Message 2 of 37 (2,014 Views)
Teacher

Re: Configuring DMZPlus or port-forwarding for LAN access

No no... RG is 10.0.1.1, WHR is 10.0.1.2.. on the same segment.

 

The WAN port of the WHR is getting the public IP (99.16.211.3) from the RG via DHCP. This is all exactly how it is supposed to work. 

 

I want all of my LAN machines on the same network (i.e. 10.0.1.x). Right now, they're all configured to be on that segment: 

 

10.0.1.1 = RG
10.0.1.2 = WHR
10.0.1.3 = mail server
10.0.1.4 = webserver
10.0.1.5 = NFS server

...and so on.

 

 I just want the traffic hitting 99.16.211.3 (or is it 75.54.193.186-189?) to reach the machines sitting on 10.0.1.3-5.

 

Message 3 of 37 (2,014 Views)
Expert

Re: Configuring DMZPlus or port-forwarding for LAN access


setuid wrote:

No no... RG is 10.0.1.1, WHR is 10.0.1.2.. on the same segment.


 

They're not on the same segment.  The network between the RG LAN and the WHR WAN port is a separate network from the network on the LAN side of the WHR.

 

Those two networks MUST be on different subnets.  To have addresses from the same subnet on both sides of a router is a configuration error.

 

Reconfigure the RG to use a different subnet on the LAN.  If you don't want to use 192.168.x.x for security concerns, then use another subnet in the 10.0.x.x range.

 

Example:

 

WHR LAN: 10.0.1.1/24
RG LAN:  10.0.2.1/24

 

Message 4 of 37 (2,014 Views)
Teacher

Re: Configuring DMZPlus or port-forwarding for LAN access

 

That's not right at all. Nothing gets plugged into the WHR at all, other than the WAN port itself. It just happens to be a router on the same network as the machines physically plugged into the switch physically attached to the RG. It looks like this:

 

[internet]
     |
[RG] = 10.0.1.1
   (x) = [switch] -> (x) = WHR  @10.0.1.2
   (x) = PlugLink    (x) = Mail @10.0.1.3
   (o) = unused      (x) = Web  @10.0.1.4
   (o) = unused      (x) = NFS  @10.0.1.5
                     (x) = port 5-10, other servers

 

All equipment is on the same LAN segment. The WHR just happens to be the next local IP on the same segment as the local IP of the RG. 

 

Again, this is EXACTLY how this worked behind DSL, and it worked fine.

 

Are you saying that the RG can't function properly, if it is on the same segment as another router? In other words, I can't have: 

 

RG  @10.0.1.1

WHR @10.0.1.2 

 

If that is indeed true, that's asinine!

 

 

Given what you're suggesting, if I put the RG on 10.0.2.1, and the WHR on 10.0.1.1, and leave all LAN machines configured with 10.0.1.x addresses, they'll be able to route correctly from: 

 

99.16.211.3 -> 10.0.2.1 -> 10.0.1.1 -> 10.0.1.4 

 

Are you sure?

Message 5 of 37 (2,014 Views)
Expert

Re: Configuring DMZPlus or port-forwarding for LAN access

Oh my.

 


setuid wrote:

 

Nothing gets plugged into the WHR at all, other than the WAN port itself.


 

You're saying that the only thing connected to the WHR is one Ethernet cable going to its WAN port? And nothing plugged into its LAN ports?

 

This is a completely incorrect setup for using your own router.  The router can't "route" anything like this.

 

 

Let's start from the beginning.  First, let's answer some questions so that we can figure out the best way to do this:

 

1. Do you have a 5 static IP block that you purchased?

2. Please list the servers and services on each that you need to have accessible from the internet.

3. Are you only doing firewalling and port forwarding from the WHR?  i.e. you're not doing anything out of the ordinary like VPN, VOIP, etc.?

 

 

Message 6 of 37 (2,014 Views)

Re: Configuring DMZPlus or port-forwarding for LAN access

It seems like you've gone from plugging your switch into the back (LAN side) of your WHR router in your DSL setup, to plugging your switch into the RG's LAN ports in your U-verse setup.

 

This seems completely wrong.  Why wouldn't you keep your switch plugged into the WHR router? 

Message 7 of 37 (2,014 Views)
Teacher

Re: Configuring DMZPlus or port-forwarding for LAN access

1. Do you have a 5 static IP block that you purchased?

 

Yes, 75.54.193.185-75.54.193.190, where 75.54.193.190 is the one identified by the RG as the router address on the "Public Routed Subinterface" (whatever they define that to be)

 

2. Please list the servers and services on each that you need to have accessible from the internet.

 

smtp (sendmail on 25), dns (using bind9 on 53), web (apache on 80/443), ssh (port-knocked on high ports), imap/imaps (dovecot on 143/993), ldap/ldaps (OpenLDAP on 389/636) cvs (2401), and a handful of others.

 

3. Are you only doing firewalling and port forwarding from the WHR?  i.e. you're not doing anything out of the ordinary like VPN, VOIP, etc.?

 

Correct, I am only port-forwarding from WHR to local servers inside my LAN segment. No VPN, no VoIP, nothing else. This connection ONLY has Internet on it, no television, no voice, no land-lines at all.

Message 8 of 37 (2,014 Views)
Expert

Re: Configuring DMZPlus or port-forwarding for LAN access

OK.  Next decision:

 

You cannot use both the static IP block AND your WHR router together, the RG cannot be configured that way.  You will need to choose one or the other.

 

From the servers and services you list, you might be better off with using the static IPs and removing the WHR from your setup.  This will also simplify the configuration.

 

Message 9 of 37 (2,014 Views)
Teacher

Re: Configuring DMZPlus or port-forwarding for LAN access

No can do. The static IPs will all point to the same physical connection, where the WHR will then port-forward services to the appropriate servers behind it, sitting on the 10.0.1.x LAN segment.

 

The servers on the 10.0.1.x LAN can't be reconfigured for the 5 static IPs on the outside, and that won't work anyway... because some services come from different physical machines, where 5 static IPs is not enough to cover that spread.

 

So how do I get the RG to allow the WHR to port-forward the incoming requests on those 5 static IPs to the servers behind the WHR, on my LAN? That's the real question here... 

 

Message 10 of 37 (2,014 Views)
Teacher

Re: Configuring DMZPlus or port-forwarding for LAN access

So you're suggesting that I go RG -> WHR -> switch, and plug all LAN equipment directly into the switch?

 

My LAN machines are all statically-defined with their 10.0.1.x addresses, so I should be able to disable DHCP on the switched ports of the RG, and leave DHCP on for the Wireless side of the RG, right?

 

Is that even possible? (My WHR allows this, but my WHR running dd-wrt has a LOT more function than the AT&T RG anyway). 

 

If I do that, and set the RG's internal IP to 10.0.2.1, and the WHR to 10.0.1.1, can the traffic hitting the external 99.x IP get routed correctly to those LAN machines plugged into the switch attached to one of the switch ports of the WHR?

Message 11 of 37 (1,048 Views)
Expert

Re: Configuring DMZPlus or port-forwarding for LAN access

We have some limitations here that we have to work with because of the RG:

 

1. The RG doesn't support multihomed hosts, so you cannot point all the static IPs to the WHR, that won't work.

2. You cannot turn off DHCP on the RG.  In normal U-Verse service, DHCP is required for the TV Set-Top Boxes.  I know you don't have TV service, but the RG is set up for it and DHCP cannot be turned off.

 

I am fairly confident that we can get everything you need working properly without the WHR and without the static IPs. The RG is flexible enough to configure that, but it will require several steps. We can also do it with some or all of the static IPs, your choice.

 

Alternatively, we can also set it up where your WHR forwards ports, but you will not be able to use your static IP block like that.  You will have to use the single public IP that is issued to the outside interface of the RG.

 

So you tell me what you want to do, and we'll set it up.

 

Message 12 of 37 (1,048 Views)
Teacher

Re: Configuring DMZPlus or port-forwarding for LAN access

Unless I can ssh into the RG and set some firewall rules manually (as I can with the WHR), then the WHR has to stay in place. There are simply things that can't be done with the RG, that the WHR handles beautifully.

 

To that end, I've attached the WAN port of the WHR to the back of the RG, and set the WHR to DMZPlus. 

 

The RG is configured with a local IP of 10.0.2.1

The WHR is configured with a local IP of 10.0.1.1

 

I've plugged my switch into the back of the WHR, and all LAN machines (also defined with 10.0.1.x addresses) are plugged into that switch. 

 

DHCP is enabled for the LAN ports on the WHR.

WLAN is disabled on the WHR. 

 

WLAN is enabled on the RG, giving out 10.0.2.10-10.0.2.30 addresses to wireless clients. 

 

Here's the problem... when I'm a DHCP client with a 10.0.2.11 address connected to the RG over wireless, I can't see/ping/connect to anything on the local LAN (10.0.1.1, 10.0.1.4, etc.) They're invisible to me (yes, I've disabled blocking of ICMP echo on both RG and WHR).

 

This is what I suspected would happen. Anything on 10.0.2.x can't talk to 10.0.1.x, however machines on 10.0.1.x CAN talk to clients on 10.0.2.x and out to the live Internet. 

 

Does the RG actively deny/block anything behind a DMZPlus connection by default? I mean, if I'm on 10.0.2.11 and attempt to ssh into 10.0.1.4, it just sits there, until it times out. 

 

If I plug my laptop into the back of the switch (or a PlugLink attached to that switch) and get a 10.0.1.37 DHCP address, I CAN ssh into those LAN machines, and I CAN ping 10.0.2.1, and I CAN get out to the live Internet. 

 

It seems I'm blocked from either side, depending on how I configure these components.

 

Sigh.

 

 

Message 13 of 37 (1,048 Views)
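The reachability puzzle in the post above (hosts behind the WHR can talk "up" to the RG's LAN and the Internet, but RG-side wireless clients cannot open connections "down" into 10.0.1.x), the Expert's rule from Message 4 (the same subnet must not sit on both sides of a router), and the "8 IPs, 5 usable" static block from Message 1 all follow from ordinary stateful-NAT behaviour. The following is an added example, not code from the thread or from AT&T, that models the Message 13 layout with Python's standard `ipaddress` module. Everything not stated in the thread is a constructed assumption and marked as such in the code: the WHR's WAN side is taken to hold 10.0.2.2 (handed out by the RG), the RG's DMZPlus role is modelled as a catch-all forward to that host, and the WHR carries a few port-forward rules for the servers the poster lists.

```python
"""Toy model of the two-router ("double NAT") layout in this thread.

Added example, not from the forum posts. Addresses are the poster's; the WHR WAN address
10.0.2.2, the RG catch-all forward (standing in for DMZPlus) and the WHR forward rules are
constructed assumptions. Each router is a stateful NAT: outbound is always allowed and the
reply is admitted by connection state; unsolicited inbound is dropped unless a rule matches.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Router:
    name: str
    wan_ip: str                                   # address on the upstream (WAN) side
    lan_net: str                                  # subnet served on the LAN side, e.g. "10.0.1.0/24"
    forwards: dict = field(default_factory=dict)  # {dst_port: (inside_ip, inside_port)}
    dmz_host: Optional[str] = None                # catch-all for inbound that no forward matches

    def lan(self):
        return ipaddress.ip_network(self.lan_net)

    def inbound(self, dst_ip, dst_port):
        """Target of an unsolicited packet hitting the WAN side, or None if the NAT drops it."""
        if dst_ip != self.wan_ip:
            return None                           # not addressed to this router: nothing to translate
        if dst_port in self.forwards:
            return self.forwards[dst_port]
        if self.dmz_host is not None:
            return (self.dmz_host, dst_port)
        return None


def interface_conflicts(chain):
    """Message 4's error: a router's WAN address inside its own LAN, or two chained LANs overlapping."""
    problems = []
    for r in chain:
        if ipaddress.ip_address(r.wan_ip) in r.lan():
            problems.append(f"{r.name}: WAN address {r.wan_ip} is inside its own LAN {r.lan_net}")
    for up, down in zip(chain, chain[1:]):
        if up.lan().overlaps(down.lan()):
            problems.append(f"{up.name} LAN {up.lan_net} overlaps {down.name} LAN {down.lan_net}")
    return problems


def trace_inbound(chain, dst_ip, dst_port):
    """Follow a packet from the Internet through the routers, outermost first.
    Returns (hop descriptions, final (ip, port)) or (hops, None) when a router drops it."""
    hops, ip, port = [], dst_ip, dst_port
    for i, r in enumerate(chain):
        target = r.inbound(ip, port)
        if target is None:
            hops.append(f"{r.name}: no rule for {ip}:{port}, dropped")
            return hops, None
        hops.append(f"{r.name}: {ip}:{port} -> {target[0]}:{target[1]}")
        ip, port = target
        if i + 1 == len(chain) or ip != chain[i + 1].wan_ip:
            break                                 # delivered to an end host, not to the next router
    return hops, (ip, port)


def level(chain, ip):
    """Index of the router whose LAN contains ip; -1 means the public side of the outermost router."""
    for i, r in enumerate(chain):
        if ipaddress.ip_address(ip) in r.lan():
            return i
    return -1


def can_reach(chain, src_ip, dst_ip, dst_port):
    """Whether a NEW connection from src_ip to dst_ip:dst_port gets through, and why (Message 13)."""
    src = level(chain, src_ip)
    for j, r in enumerate(chain):
        if r.wan_ip == dst_ip and j > src:        # aimed at a downstream router's WAN address:
            hops, target = trace_inbound(chain[j:], dst_ip, dst_port)   # its forward rules decide
            return target is not None, "; ".join(hops)
    if level(chain, dst_ip) <= src:
        return True, "outbound through NAT; the reply is admitted by connection state"
    nxt = chain[src + 1]
    return False, (f"{dst_ip} sits behind {nxt.name}; the packet arrives unsolicited on its WAN "
                   f"side and is not addressed to {nxt.wan_ip}, so it is dropped")


def usable_static_block(router_ip, netmask):
    """Hosts of the routed static block other than the RG's own router address (Message 1)."""
    net = ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)
    return [str(h) for h in net.hosts() if str(h) != router_ip]


def thread_topology():
    """The Message 13 layout, with the constructed WHR WAN address and forward rules."""
    rg = Router("RG", wan_ip="99.16.211.3", lan_net="10.0.2.0/24", dmz_host="10.0.2.2")
    whr = Router("WHR", wan_ip="10.0.2.2", lan_net="10.0.1.0/24",
                 forwards={25: ("10.0.1.3", 25), 80: ("10.0.1.4", 80),
                           443: ("10.0.1.4", 443), 22: ("10.0.1.4", 22)})
    return [rg, whr]


if __name__ == "__main__":
    chain = thread_topology()
    print("conflicts:", interface_conflicts(chain) or "none")
    print("Internet -> :80:", trace_inbound(chain, "99.16.211.3", 80))
    print("10.0.2.11 -> 10.0.1.4:22:", can_reach(chain, "10.0.2.11", "10.0.1.4", 22))
    print("10.0.1.37 -> 10.0.2.1:80:", can_reach(chain, "10.0.1.37", "10.0.2.1", 80))
    print("static block:", usable_static_block("75.54.193.190", "255.255.255.248"))
```

Running it shows the two things the thread circles around: an RG-side client can only reach a 10.0.1.x server by targeting the WHR's WAN-side address on a port the WHR forwards (there is no route into 10.0.1.0/24 from the RG and no connection state to admit the packet), while everything behind the WHR reaches the RG and the Internet because that traffic is outbound NAT. The original single-segment layout from Message 1 (both routers with 10.0.1.x on their LAN side) is exactly what `interface_conflicts` flags.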
Expert

Re: Configuring DMZPlus or port-forwarding for LAN access

OK, I asked earlier if you were doing anything special with the WHR, to which you replied no, only firewalling and port forwarding.

 

Now you're saying that you would need to SSH into the RG because "there are simply things that can't be done with the RG, that the WHR handles beautifully".

 

What things?  Why do you need SSH into the RG?

 

Now you've reconfigured your network to have all your clients behind the WHR instead of attached to the RG as you described earlier.

 

 

Look, I can't help you if we don't follow a plan here.  I can help you if you tell me exactly what you need.  You are making judgments and suppositions about the RG that you don't actually know.

 

I am well aware of the problem you're having with RG wireless clients unable to talk to computers behind the WHR.  I would have prevented you from having to discover that on your own if you would just work with me.

 

Message 14 of 37 (1,048 Views)
Teacher

Re: Configuring DMZPlus or port-forwarding for LAN access

There aren't enough ports on the back of the RG to handle my clients behind it, which is why I need the WHR and the switch to do that, and the firewalling on the RG is very basic, and doesn't allow much flexibility there.

 

For example, how do I specify a user-defined firewall rule that allows both TCP and UDP? (for example, bind). With the RG, it only has radio buttons, and I can only do one or the other (though, I probably could create a bind_tcp and enable TCP, and a bind_udp and enable UDP as two separate rulesets).

 

I also can't specify a range of allowed IPs that can use that application (externally), while denying others outside that range. 

 

The WHR handles a lot more granular firewalling and routing than the RG does, which is why I need to use that instead of the RG as the primary router.

 

My configuration must allow the following at the very least: 

 

1. WHR doing all port-forwarding and firewalling for all LAN clients

2. All LAN clients connect to WHR via the switch, not RG 

 

All public traffic coming into the public IP block I have, needs to be routed (via the WHR) to those LAN clients, not routed via the RG to those LAN clients.

 

At this point, I managed to get the port-forwarding "working", from public Internet to the LAN clients, but I can only do that if I'm physically attached to the same LAN segment as the WHR. I can't configure the WHR (on 10.0.1.1) from the RG's DHCP pool (on 10.0.2.x)

 

10.0.1.x can 

 

How do I define a static VLAN on the RG between 10.0.2.1 and 10.0.1.1, so clients on either side can talk to clients on the other side? 

 

At this point, I could probably just disable WLAN on the RG entirely, and use my WHR's WLAN (again, more flexibility in the configuration there; I can set the CPU speed of the device, tx/rx power, etc. which I can't do with the RG), and allow any and all LAN and WLAN clients to just exist on the 10.0.1.x segment, which CAN talk to the 10.0.2.1 RG and configure it...

 

Unless you've got some ideas, I guess I'll try that next.

 

I do appreciate your help, but I've been hammering on this now for 3 solid days, without any real success.

 

Message 15 of 37 (1,048 Views)