Posted Dec 28, 2009
6:11:50 AM
Configuring DMZPlus or port-forwarding for LAN access

Happy Holidays to all! I'm hoping someone can help me out here...

 

About 2 weeks ago, I switched from a local DSL provider to AT&T U-Verse at my new home, and am trying to get the AT&T 3800HGV-B Gateway to allow access to my LAN machines from the public internet (web, cvs/svn, mail, imap, nfs, etc.) and am not having the best of luck with many different configuration attempts.

 

In my previous DSL configuration, I had a DSL modem directly attached to the phone line, and a Buffalo Wireless WHR-HP-G54 attached to that, handling the firewalling and routing. The WHR's WAN side had the public IP of the DSL connection, and routed all traffic hitting that public interface into the local LAN clients that were on the 10.0.1.x segment. All machines were connected to ports on a switch that was plugged into one of the switched ports on the back of the WHR. This all worked flawlessly for about 3 years.

 

Now I'm on U-Verse with the 3800HGV-B, and I can't seem to replicate the same sort of function. Here's what I have tried and my current configuration: 

 

The 3800HGV-B has a public IP of 99.16.211.3 on the WAN side and a local IP of 10.0.1.1 on the LAN side. I've connected the WHR to the 3800 via the WAN port on the WHR, and configured it with "DMZPlus", in the hopes that the WHR's WAN side would be given the 99.16.211.3 address. 

 

When that happens, the WHR has 99.16.211.3 on the WAN side, and 10.0.1.2 on the local LAN side. 

 

At this point, I have the 3800 assigned with 10.0.1.1, acting as a bridge, using DMZPlus to pass all traffic to the WHR sitting at 10.0.1.2, with a WAN IP of 99.16.211.3. 

 

On the WHR, I configure some port-forward rules so that all incoming requests on 99.16.211.3 for port 80, go through the WHR, and get forwarded to the internal webserver sitting on 10.0.1.4. 

 

This fails. Traffic never gets through to the webserver machine. Likewise for any other services on any other port of any other internal LAN machine. 

 

So then I unset the DMZPlus and tried to just use the 3800's onboard Firewall Settings option to point "SSH Server" and "Web Server" to two different internal machines. This also fails. No traffic seems to get past the 3800 into the WHR, and into the local LAN segment. 

 

What I found interesting, is that the 99.16.211.3 IP is publicly accessible, but I have a block of 8 static IPs (5 usable) on a completely different subnet. In the "Local Network" -> "Advanced Settings" dialog of the 3800's config, I see: 


Public Routed Subinterface    
Router Address: 75.54.193.190 
Subnet Mask:    255.255.255.248


The IP block I have begins with the 5 IPs prior to .190 there. Shouldn't the WAN IP that the 3800 uses and the WHR receives be one of those IPs, and not the 99.16.211.3 IP?

What is the "right" way to configure this, so public access from the live Internet, can interact with services running on my local LAN machines on the 10.0.1.x segment? 

 

Thanks in advance!

Dec 29, 2009 4:06:26 PM
Teacher

It would appear.... that this router.... does not route. This is the first time in my 15+ years experience with networking, that I've come across a fully functional router, that does nothing of the sort.

 

The manual for the 3800 is completely useless and does not explain these concepts at all (pages 67 and 68 allude to it, but don't seem to apply or work with the current firmware being pushed to these devices). 

 

I'm all out of ideas here. If I can't set the servers on my LAN to the public statics, and I can't set them to private statics, and setting them to DHCP forbids me from routing them to the public WAN IPs... what else left is there? 

 

Can I just replace this with a proper router? A Cisco device? Some other higher-quality/higher-function RG that isn't so "entry-level"? 

 

I'm just looking for ideas here, and I now have 2 days to get this working before the end of the month. 

 

I'm trying to avoid having my current hosting provider ding me for another $200 for using their services, when I've migrated everything off of them. Without the ability to reach those services from the public Internet, this isn't very useful. 

 

Isn't there some sort of HOWTO or walkthrough somewhere, that describes how to set this up? 

Dec 29, 2009 4:57:19 PM
Scholar

setuid wrote:

I tried what you've suggested, statically assigning two of the public IP addresses to two of my servers (thank god I have physical access, because the RG blocks everything going to them from the LAN side once you do this).

 

I did the following: 

 

allow-hotplug eth0
iface eth0 inet static
        address 75.54.193.185
        netmask 255.255.255.248
        # this gateway is odd, but this is what the
        # RG sets when you use DHCP for this address
        gateway 0.0.0.0

auto eth0:1
iface eth0:1 inet static
        address 10.0.1.5
        netmask 255.255.255.0
        gateway 10.0.1.1

 

When I reboot these machines using this config, it takes about 40 minutes each before the RG sees them to allocate addresses (even after generating network traffic on the segment to wake the RG up).

 

The RG still does not let me route traffic from the public Internet into these machines by mapping the addresses. If you define anything as static, you can't configure any mappings for it using the RG, which is ludicrous.

 

Configuring servers with DHCP addresses is flat-out wrong, and I can't even reserve statics in the DHCP pool, nor can I release those back to the pool for the RG to reuse correctly. 

 

What should I try next? 

 

Message Edited by setuid on 12-29-2009 06:35 PM

Sorry but you do not have your first adapter set up correctly. Your first adapter does not have a gateway set and it really needs to be set as 75.54.193.190. You have to enter the IP, subnet and gateway set correctly, without the valid gateway value it will not work!

The first step is to confirm that you have the RG correctly configured and working, the static IP block is working and that you can send and receive traffic using one of the IP addresses within your public block.

You do not have to use DHCP to manage your public IP block but the recommended option is to use Mode 3: DHCP Fixed Address. The network client is permanently assigned one of the public block IP addresses. The address will not change until the gateway is reconfigured via the Address Allocation page. This will be the most common configuration for publicly accessible network devices.

 

Dave


Dec 29, 2009 5:11:54 PM
Teacher

dave006 wrote:

Sorry but you do not have your first adapter set up correctly. Your first adapter does not have a gateway set and it really needs to be set as 75.54.193.190. You have to enter the IP, subnet and gateway set correctly, without the valid gateway value it will not work!

The first step is to confirm that you have the RG correctly configured and working, the static IP block is working and that you can send and receive traffic using one of the IP addresses within your public block.

You do not have to use DHCP to manage your public IP block but the recommended option is to use Mode 3: DHCP Fixed Address. The network client is permanently assigned one of the public block IP addresses. The address will not change until the gateway is reconfigured via the Address Allocation page. This will be the most common configuration for publicly accessible network devices.

 

Dave


You lost me on that last (bolded) part. How is the RG going to redefine the statically-defined network addressing on the server sitting behind it?

 

When I configured the machine with the static and .190 as the gateway, nothing could get out of the machine; ping, ntp, wget, lynx, nothing. 

 

It would appear that there's some additional blocking/firewalling going on here, that I don't have the ability to turn off or disable. I put my WHR back in the DMZ and plugged the switch into that, so all LAN machines are now clients of the WHR, which is in the DMZ, and I still can't get to the internal clients from the outside, when I punch a hole through from the WAN side of the WHR (99.16.211.3) on port 80 to the LAN side of 10.0.1.5 on port 80 (currently my webserver). Other apps/protocols/ports also don't seem to be opening up, even though I've punched them through. 

 

The "Edit Address Allocation Settings" page shows the WHR at 99.16.211.3 and lists it as "DMZ Device", with the "Firewalled" checkbox cleared.

 

I've repeatedly rebooted the RG, because it seems to get "stuck" thinking settings I've cleared and reset, are still valid. 

 

I'll give this one last try, pulling the WHR out again, setting the internal machines to static 75.x and 10.x addresses and see what I can come up with. 

 

If that doesn't work, I'm terminating my U-Verse and going back to DSL. I thought this service had more capability than base DSL, but it seems to have significantly less. :smileysad:


Dec 29, 2009 6:46:24 PM
Teacher

Ok, when I set the two main servers that I'm working with to their respective public, static IP addresses (and supplement that with their local static addresses, so I can ssh into them from the LAN side), the RG only ever sees their local addresses, and not the public static addresses. They look like this:

 

eth0      Link encap:Ethernet  HWaddr 12:34:ea:61:43:d4  
          inet addr:75.54.193.185  Bcast:75.54.193.191  Mask:255.255.255.248
          inet6 addr: fe80::20f:eaff:fe61:43d4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1307 errors:0 dropped:0 overruns:0 frame:0
          TX packets:742 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:241238 (235.5 KiB)  TX bytes:195702 (191.1 KiB)
          Interrupt:23

eth0:1    Link encap:Ethernet  HWaddr 12:34:ea:61:43:d4  
          inet addr:10.0.1.5  Bcast:10.0.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:23

 

Which was defined with: 

 

iface eth0 inet static
        address 75.54.193.185
        netmask 255.255.255.248
        broadcast 75.54.193.190
        gateway 75.54.193.190

auto eth0:1
iface eth0:1 inet static
        address 10.0.1.5
        netmask 255.255.255.0
        gateway 10.0.1.1

 

I went into the mdc side and cleared the network settings (flushes the dhcp cache, I assume?), and rebooted both sides (servers and RG), and when they all came back up, same story... no routing, no visibility from the outside. 

 

Just for giggles, I also tried NOT adding the additional vip for the local interface, flushed the RG, rebooted everything... same story.

 

Something just doesn't seem right here. Under any number of these configuration attempts, I should have been able to get to the inside from the outside. Not a single success with anything I've tried. 

 

 

 

Dec 29, 2009 8:41:08 PM
Scholar

setuid wrote:

dave006 wrote:

Sorry but you do not have your first adapter set up correctly. Your first adapter does not have a gateway set and it really needs to be set as 75.54.193.190. You have to enter the IP, subnet and gateway set correctly, without the valid gateway value it will not work!

The first step is to confirm that you have the RG correctly configured and working, the static IP block is working and that you can send and receive traffic using one of the IP addresses within your public block.

You do not have to use DHCP to manage your public IP block but the recommended option is to use Mode 3: DHCP Fixed Address. The network client is permanently assigned one of the public block IP addresses. The address will not change until the gateway is reconfigured via the Address Allocation page. This will be the most common configuration for publicly accessible network devices.

 

Dave


You lost me on that last (bolded) part. How is the RG going to redefine the statically-defined network addressing on the server sitting behind it?

 


All that paragraph says is that if you use what 2Wire calls Option 3 DHCP Fixed Address mode, your host will be offered exactly the same IP each time it makes a DHCP request (similar to a DHCP reservation) to the RG until you change (reconfigure) it using the Address Allocation page to select another address from the list. Yes, you are correct that the RG can't change a static IP that is assigned directly by you on an Ethernet adapter.

 

You also keep adding an additional 10.0.1.x IP address on the same MAC. Every time you do that only the last one that the RG sees is going to be stored in its device table. Again, the RG manages all IP devices by a unique MAC. If you really want to add a private IP address at this stage, make sure that it is outside of the private DHCP range set for the RG. If it is not in the RG's scope then it will not care about managing the IP to MAC mapping (this is what I was suggesting earlier in the thread).

 

For the basic test, please keep it simple and only assign a single public IP to a single server.

 

For example:

 

1. Assign 75.54.193.185 with a subnet of 255.255.255.248 and a default gateway of 75.54.193.190

2. Restart the Ethernet adapter or the host

3. Verify the IP configuration is set and the adapter is in the "UP" state

4. Ping google.com by address, for example: 74.125.159.103

5. If the ping does not work go back to step 1 or provide us the output of the ping and your host's route table. It may take 1-3 pings before you get your first response.

 

Note: This will still not enable unsolicited inbound requests to be sent to 75.54.193.185. To enable your selected service, for example port 80 for Web services, you will still need to configure the Firewall on the RG. Again, by default all of the Public IP addresses are still protected by the SPI Firewall in the RG.

 

Dave
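
The single-address test in the reply above can be checked on paper before touching the host. This is an added example, not code from any poster or from the gateway vendor: it parses Debian-style `interfaces` stanzas and audits them against the Public Routed Subinterface values from the first post (router 75.54.193.190, mask 255.255.255.248). The function names and the `SINGLE_IP` stanza are assumptions made for the example.

```python
import ipaddress

# Stanzas as posted earlier in this thread (comments stripped).
LAN_ALIAS = """\
auto eth0:1
iface eth0:1 inet static
        address 10.0.1.5
        netmask 255.255.255.0
        gateway 10.0.1.1
"""
FIRST_ATTEMPT = """\
allow-hotplug eth0
iface eth0 inet static
        address 75.54.193.185
        netmask 255.255.255.248
        gateway 0.0.0.0
""" + LAN_ALIAS
SECOND_ATTEMPT = """\
iface eth0 inet static
        address 75.54.193.185
        netmask 255.255.255.248
        broadcast 75.54.193.190
        gateway 75.54.193.190
""" + LAN_ALIAS
# Constructed for this example: step 1 of the reply above written as a stanza.
SINGLE_IP = """\
auto eth0
iface eth0 inet static
        address 75.54.193.185
        netmask 255.255.255.248
        gateway 75.54.193.190
"""


def parse_interfaces(text):
    """Return [(name, {option: value})] for every 'iface <name> inet static' stanza."""
    stanzas, current = [], None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface":
            current = None
            if words[2:4] == ["inet", "static"]:
                current = (words[1], {})
                stanzas.append(current)
        elif words[0] == "auto" or words[0].startswith("allow-"):
            current = None
        elif current is not None and len(words) >= 2:
            current[1][words[0]] = words[1]
    return stanzas


def assignable(router="75.54.193.190", mask="255.255.255.248"):
    """Host addresses of the routed block that are left once the router has its own."""
    routed = ipaddress.ip_interface(f"{router}/{mask}")
    return [str(h) for h in routed.network.hosts() if h != routed.ip]


def audit(text, router="75.54.193.190", mask="255.255.255.248"):
    """List the problems a stanza set has relative to the routed public block."""
    routed = ipaddress.ip_interface(f"{router}/{mask}")
    block = routed.network
    stanzas = parse_interfaces(text)
    names = {name for name, _ in stanzas}
    findings, gateways = [], []
    for name, opt in stanzas:
        base = name.split(":", 1)[0]
        if base != name and base in names:
            # The reply above: the gateway tracks devices by MAC address.
            findings.append(f"{name}: alias on {base}, so both addresses share one MAC")
        if "address" not in opt or "netmask" not in opt:
            findings.append(f"{name}: address or netmask missing")
            continue
        iface = ipaddress.ip_interface(f"{opt['address']}/{opt['netmask']}")
        net, public = iface.network, iface.ip in block
        if public and net != block:
            findings.append(f"{name}: netmask {opt['netmask']} does not match {block}")
        bcast = opt.get("broadcast")
        if bcast and ipaddress.ip_address(bcast) != net.broadcast_address:
            findings.append(f"{name}: broadcast {bcast} should be {net.broadcast_address}")
        gw = opt.get("gateway")
        if gw is None:
            if public:
                findings.append(f"{name}: no gateway, expected {routed.ip}")
            continue
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip.is_unspecified:
            findings.append(f"{name}: gateway {gw} is the unspecified address, not a next hop")
        elif gw_ip not in net:
            findings.append(f"{name}: gateway {gw} is outside {net}")
        else:
            gateways.append(f"{name} via {gw}")
    if len(gateways) > 1:
        # Two default routes on one host leave the outbound path ambiguous.
        findings.append("more than one default gateway: " + ", ".join(gateways))
    return findings
```

`assignable()` returns the five host addresses the first post calls usable, and `audit(SINGLE_IP)` returns no findings, while both earlier attempts are flagged.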


Dec 29, 2009 9:40:04 PM
Teacher

I managed to get some web traffic into the .185 host after statically assigning it an IP, waiting about 40 minutes for the RG to recognize it (after numerous pings, broadcasts, uploads, downloads, etc to try to force the RG to see it).

 

So "web" is working, to one host (the .185). I configured a second machine at .186 in an identical fashion (1 single, public static defined, etc.) and it's been about 2 hours and it still hasn't been "seen" by the RG, so I can begin pinholing services to it. 

 

How long should it take? 

 

The other thing I've noticed, is that the RG (or something upstream from the RG) is sending TCP RST packets when traffic comes over port 80, which breaks connections mid-stream.

 

I can sit here on the LAN side, and repeatedly click reload in a browser on a page coming off of the .185 server, and it will work about 20% of the time. The other 80% of the time, I'll either get "Unable to connect" messages or very odd-looking 404 Error pages. My Apache instance has a custom 404 page for all vhosts, and this 404 page is coming from somewhere else. 

 

I hope AT&T isn't playing games with the connection state, by breaking TCP frames or dropping packets mid-handshake, but there's nothing in the configuration of the server, Apache or local LAN segment that would cause this. 

 

I'll keep beating on this, but at least I have 1/10th of the puzzle "working", so far. 

 

Dec 30, 2009 6:15:58 AM
Teacher

It's been about 8 hours and the two servers (configured with only one IP; the public statics) are still not showing up in the mdc or RG setup menus, so I can't even pinhole them, which means services are down.

 

How do I configure the firewall and port-forwarding, if the RG doesn't "see" them on the LAN at all anymore? 

 

I've rebooted the servers, RG, flushed the client tables, reset the broadband link, and everything else I can think of. The RG refuses to see them. 

 

 
