Need help understanding U-verse LAN setup (public & private on 3800HGV)

Tutor

Hi, I'm trying to help a friend optimize his new U-verse setup, and so have come here seeking help from the U-verse community.

 

Overview:

- gateway is 2wire 3800HGV-B

- 6 ethernet (hard-wire) devices (4 desktops, laptop, DVR)

- available 5-port 10/100 switch

- 5 static IPs

 

Current configuration:

- 5-port switch is connected to gateway to increase available ports

- 3 desktops are hard-wired and each configured with a "public" static IP

- 1 desktop, the laptop and DVR are hard-wired and using DHCP address assignment (getting a "private" IP)

- PCs are all running XP

 

Questions:

This configuration results in 2 separate subnets, a public subnet and a private.  Given a desktop, his laptop and DVR are in the private subnet, how does this limit his access to the public-addressed PCs?  e.g. From his laptop, what services will he be able to access on the private-subnet desktop that he won't be able to access for those desktops on the public network?  (Will he be able to see UPnP media servers that are running on the public PCs?  Will he be able to see network shares on the public PCs?)

 

Assuming some critical services are still desired, can the PCs or gateway be configured to allow additional services between these networks?  If so, how?  Or is some other network configuration (e.g. multiple NICs) required to provide open access to these other PCs?

 

Thanks in advance for any insight.

Message 1 of 28 (4,169 Views)
Expert

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

Why do you have static IPs?  What is their use?  If it's for internal servers that will serve external services (like HTTP), why can't that be done with NAT?

 

Message 2 of 28 (4,167 Views)
Mentor

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

I also have a couple of questions on this:

1. Where do you turn wireless off on the 2Wire router? I look at the wireless settings and I can disable SSID broadcast and security but I don't see where to disable the wireless completely.

 

2. When I put the Linksys behind the 2Wire it displayed a message that there was a router behind the router and I selected Resolve and it put the Linksys in the DMZ and internet works fine but I am getting a dialog that says "Please enter the master password for the Software Security Device." when I connect to the Linksys. I can cancel this dialog to get the Linksys Admin login but I am not sure where the former dialog is being generated from?

 

Thx

Message 3 of 28 (4,167 Views)
Master

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

To turn the wireless off in the RG, go to System Summary, look under Home Network, 2nd column Status At A Glance, 3rd down Wireless Enable/Disable.
Message 4 of 28 (4,167 Views)
Master

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


stonecrd wrote:

I also have  a couple of questions on this:

 

1. Where do you turn wireless off on the 2Wire router. I look at the wireless settings and I can disable SSID broadcast and security but I don't see where to disable the wireless completely?     http://192.168.1.254/xslt?PAGE=C01&THISPAGE=B02&NEXTPAGE=C01

 

2. When I put the Linksys behind the 2Wire it displayed a message that there was a router behind the router and I selected Resolve and it put the Linksys in the DMZ and internet works fine but I am getting a dialog that says "Please enter the master password for the Software Security Device." when I connect to the Linksys. I can cancel this dialog to get the Linksys Admin login but I am not sure where the former dialog is being generated from?

 

Thx


 

            
Message 5 of 28 (4,167 Views)
Tutor

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


stonecrd wrote:

I also have  a couple of questions on this:

 

1. Where do you turn wireless off on the 2Wire router....

2. When I put the Linksys behind the 2Wire ...


Which aren't really questions related to "this" thread.  I hope any responses received help you, but understand that your posing these questions here has cluttered this thread, which had started to get answers to different questions but is now diluted with unrelated noise.

Message 6 of 28 (4,167 Views)
Expert

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


stonecrd wrote:

 

2. When I put the Linksys behind the 2Wire it displayed a message that there was a router behind the router and I selected Resolve and it put the Linksys in the DMZ and internet works fine but I am getting a dialog that says "Please enter the master password for the Software Security Device." when I connect to the Linksys. I can cancel this dialog to get the Linksys Admin login but I am not sure where the former dialog is being generated from?


 

That dialog is from Firefox's "Use a Master Password" option.  If you don't use it, turn it off in Tools -> Options -> Security.

 

Message 7 of 28 (4,167 Views)
Tutor

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


SomeJoe7777 wrote:

Why do you have static IPs?  What is their use?  If it's for internal servers that will serve external services (like HTTP), why can't that be done with NAT?


The static IPs are needed because the unique IP addresses are required. (NAT'd PCs would all report as the same address, from the perspective of the outside world.)

Message 8 of 28 (4,167 Views)
Scholar

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


plooger wrote:

Hi, I'm trying to help a friend optimize his new U-verse setup, and so have come here seeking help from the U-verse community.

 

Overview:

- gateway is 2wire 3800HGV-B

- 6 Ethernet (hard-wire) devices (4 desktops, laptop, DVR)

- available 5-port 10/100 switch

- 5 static IPs

 

Current configuration:

- 5-port switch is connected to gateway to increase available ports

- 3 desktops are hard-wired and each configured with a "public" static IP

- 1 desktop, the laptop and DVR are hard-wired and using DHCP address assignment (getting a "private" IP)

- PCs are all running XP

 

Questions:

This configuration results in 2 separate subnets, a public subnet and a private.  Given a desktop, his laptop and DVR are in the private subnet, how does this limit his access to the public-addressed PCs?  e.g. From his laptop, what services will he be able to access on the private-subnet desktop that he won't be able to access for those desktops on the public network?  (Will he be able to see UPnP media servers that are running on the public PCs?  Will he be able to see network shares on the public PCs?)

 

Assuming some critical services are still desired, can the PCs or gateway be configured to allow additional services between these networks?  If so, how?  Or is some other network configuration (e.g. Multiple NICs) required to provide open access to these other PCs?

 

Thanks in advance for any insight.


 

The devices on the "private" network will only be able to use the services of the machines that are available via their public IP addresses. So if you want to see a service on one of the three (3) public IP machines those same services have to be available to anyone on the internet. (THIS IS VERY DUMB). So no UPnP or network shares or shared printers unless you want to share them with the world.

 

The question from the previous poster still stands, what are the 3 machines doing that need public IP addresses? I hope they are well configured and have the latest OS security patches in place. Make sure that you have the RGs firewall configured to only allow specific ports and not be configured to "Allow all applications" for these public addresses.

 

Yes, if you need to have local access to these devices, you will need to have multiple NICs or a complex software solution to provide what we call a multi-homed IP solution to support multiple IP addresses to one or more of these three (3) public IP machines.

 

I would strongly suggest that you and your friend reevaluate the need for the three public IPs and triple check the firewall settings and OS security features and settings. Unless you want them to become a new U-verse Zombie Bot Army.

 

Dave

 

 

Message Edited by dave006 on 04-09-2009 10:13 AM
Message 9 of 28 (4,167 Views)
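As an added example (not from the thread or from 2Wire): a small Python model of the reachability Dave describes, so you can see which services a private-LAN device can reach on the public PCs under a given RG firewall setting. Addresses are constructed (a 203.0.113.0/29 documentation block stands in for the static IPs) and the SMB, SSDP and HTTP port numbers are the standard ones.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed subnets: the RG's private LAN and an assumed /29 for the static block.
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/29")  # documentation range, assumed

# Standard ports behind the services asked about in the thread.
SERVICES = {"smb": 445, "upnp-ssdp": 1900, "http": 80}


@dataclass
class Host:
    name: str
    ip: ipaddress.IPv4Address
    # Ports the RG firewall exposes for this host to the Internet.
    # None models the RG's "Allow all applications" setting.
    allowed_ports: Optional[Set[int]] = field(default_factory=set)


def subnet_of(ip: ipaddress.IPv4Address) -> str:
    if ip in PRIVATE_NET:
        return "private"
    if ip in PUBLIC_NET:
        return "public"
    return "other"


def reachable(src: Host, dst: Host, port: int) -> bool:
    """Can src open `port` on dst under the behaviour Dave describes?
    Same subnet: direct, no firewall in between.  Private -> public: only
    through the RG firewall, i.e. only ports already exposed to the Internet.
    Public -> private: never, the private hosts are hidden behind NAT."""
    s, d = subnet_of(src.ip), subnet_of(dst.ip)
    if s == d:
        return True
    if s == "private" and d == "public":
        return dst.allowed_ports is None or port in dst.allowed_ports
    return False


def internet_exposure(hosts) -> dict:
    """For each public host, the ports the whole Internet can reach.
    'ALL' flags a host left on 'Allow all applications'."""
    report = {}
    for h in hosts:
        if subnet_of(h.ip) == "public":
            report[h.name] = "ALL" if h.allowed_ports is None else sorted(h.allowed_ports)
    return report


# Constructed hosts mirroring the thread's layout (names and addresses assumed).
LAPTOP = Host("laptop", ipaddress.ip_address("192.168.1.70"))
DESKTOP_PRIV = Host("desktop4", ipaddress.ip_address("192.168.1.71"))
DESKTOP_A = Host("desktop1", ipaddress.ip_address("203.0.113.2"), {80})
DESKTOP_B = Host("desktop2", ipaddress.ip_address("203.0.113.3"), None)  # allow all
```

Running `internet_exposure` over the host list is the quick check Dave asks for: any host reported as "ALL" has every local service (SMB, SSDP, shares) open to the world, not just to the laptop.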
Expert

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

In other words, these PCs run an application where the system on the other end would not function correctly unless they have different IP addresses.

 

From a programmer's standpoint, I'd say that was a poorly designed application, but I also assume you have no control over that. :smileywink:

 

The U-Verse RG is not designed to have two separate subnets on the same physical network.  My recommendation is to place private IP devices connected directly (or through a switch) to the RG and use the 192.168.x.x subnet.  Then assign the public IPs to the other machines, and run them behind another router that's in the DMZ.  In the RG's interface, use the "Publically routable subnet" option to route all public IPs to the DMZ router.  Then create firewall holes in the DMZ router for communication between public and private machines.

 

Message 10 of 28 (4,167 Views)
Tutor

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


Dave006 wrote:
The devices on the "private" network will only be able to use the services of the machines that are available via their public IP addresses. So if you want to see a service on one of the three (3) public IP machines those same services have to be available to anyone on the internet. (THIS IS VERY DUMB). So no UPnP or network shares or shared printers unless you want to share them with the world.

Ok, this gets me going.  I didn't know if the 2wire router had any special (non-standard), optional settings for streamlining connectivity between the private LAN and a public subnet.  (A manual for the 3800HGV sure would be handy, AT&T/2wire.)



The question from the previous poster still stands, what are the 3 machines doing that need public IP addresses? I hope they are well configured and have the latest OS security patches in place. Make sure that you have the RGs firewall configured to only allow specific ports and not be configured to "Allow all applications" for these public addresses. ... I would strongly suggest that you and your friend reevaluate the need for the three public IPs and triple check the firewall settings and OS security features and settings. Unless you want them to become a new U-verse Zombie Bot Army.

Within the context of this thread, "why?" the public IPs are needed is moot -- though the stern warnings are much appreciated.  The security of the publicly-addressed computers is a separate concern being championed, understanding that providing separate local access also increases the risk, in the event that a publicly-accessible PC is compromised.
 

Yes, if you need to have local access to these devices, you will need to have multiple NICs or a complex software solution to provide what we call a multi-homed IP solution to support multiple IP addresses to one or more of these three (3) public IP machines.

If you have a link to some page describing the software approach for multi-homing, as it applies, I'd love to get my mitts on it.  I'm running multiple IPs on the PC from which I'm typing, but not multi-homing w/ just one NIC.
 
Thanks for the reply, Dave.  And, again, I appreciate the security warnings and admonishments.
 

SomeJoe7777 wrote:

 

In other words, these PCs run an application where the system on the other end would not function correctly unless they have different IP addresses. ... From a programmer's standpoint, I'd say that was a poorly designed application, but I also assume you have no control over that.


Precisely. And thank you for understanding.

 

 


The U-Verse RG is not designed to have two separate subnets on the same physical network.  My recommendation is to place private IP devices connected directly (or through a switch) to the RG and use the 192.168.x.x subnet.  Then assign the public IPs to the other machines, and run them behind another router that's in the DMZ.  In the RG's interface, use the "Publically routable subnet" option to route all public IPs to the DMZ router.  Then create firewall holes in the DMZ router for communication between public and private machines.


Yeah, not sure any router should, but I didn't know if they were doing something crazy that might prove advantageous to my friend.

 

And interesting suggestion on how to streamline the availability and protection of the publicly-addressed PCs.  I've seen a couple threads on setting-up a piggybacked router in this fashion, through the DMZ, but hadn't considered this configuration for my friend's network.  What advantage would this piggybacked/DMZ-passthrough router configuration have over configuring each publicly-addressed PC's "Internet" services in the 2wire 3800HGV's firewall setup?  Also, how would this piggybacked router setup solve the issue of private/public subnet connectivity between his networked devices?

Message 11 of 28 (2,533 Views)
Tutor

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


SomeJoe7777 wrote:

 

The U-Verse RG is not designed to have two separate subnets on the same physical network.  My recommendation is to place private IP devices connected directly (or through a switch) to the RG and use the 192.168.x.x subnet.  Then assign the public IPs to the other machines, and run them behind another router that's in the DMZ.  In the RG's interface, use the "Publically routable subnet" option to route all public IPs to the DMZ router.  Then create firewall holes in the DMZ router for communication between public and private machines.

 


Apologies.  The piggybacked DMZ router is obviously being recommended to provide a physical separation between the private LAN and the public subnet, as well as the DMZ router offering an additional junction for traffic control.

 

Message 12 of 28 (2,533 Views)
Expert

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


plooger wrote:

Apologies.  The piggybacked DMZ router is obviously being recommended to provide a physical separation between the private LAN and the public subnet, as well as the DMZ router offering an additional junction for traffic control.


 

Yes, that's correct.  This is one way to do it.

 

However, I did some searching, and I believe one person has actually successfully set this up the way you want to do, with no additional router.  Check out airwrck's post in the thread Configuring Devices Behind the Public Routed Subinterface.

I believe this allows you to assign the public routable IPs to certain devices, while maintaining DHCP using private IPs for other devices, and the RG will route between them.

 

If this is the case (and it sounds like it is, from airwrck's post), this would avoid the need for an additional router.  It also avoids having a firewall in the way when public IP devices need to talk to private IP devices.

 

Message Edited by SomeJoe7777 on 04-09-2009 04:01 PM
Message 13 of 28 (2,533 Views)
Expert

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


dave006 wrote: 

The devices on the "private" network will only be able to use the services of the machines that are available via their public IP addresses. So if you want to see a service on one of the three (3) public IP machines those same services have to be available to anyone on the internet. (THIS IS VERY DUMB). So no UPnP or network shares or shared printers unless you want to share them with the world.


 

That may not be the case.  I believe if you set up the devices using the "Publically Routed Subinterface" option, there is a setting to continue to protect those devices with the firewall.  You can only open the ports you want to the outside.

 

Message 14 of 28 (2,533 Views)
Tutor

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


SomeJoe7777 wrote:

plooger wrote:

Apologies.  The piggybacked DMZ router is obviously being recommended to provide a physical separation between the private LAN and the public subnet, as well as the DMZ router offering an additional junction for traffic control.


 

Yes, that's correct.  This is one way to do it.

 

However, I did some searching, and I believe one person has actually successfully set this up the way you want to do, with no additional router.  Check out airwrck's post in the thread Configuring Devices Behind the Public Routed Subinterface.

I believe this allows you to assign the public routable IPs to certain devices, while maintaining DHCP using private IPs for other devices, and the RG will route between them.

 

If this is the case (and it sounds like it is, from airwrck's post), this would avoid the need for an additional router.  It also avoids having a firewall in the way when public IP devices need to talk to private IP devices.


Yeah, I'd reviewed that post before opening this thread.  From what I could comprehend, that thread provides details on how to assign public IP addresses, statically, using the DHCP service provided by the router, rather than having to manually configure each static IP address on each PC. (i.e. the PCs can remain as "DHCP Enabled", but they would each always receive the same public IP address configured for them on the router -- with the association based on the MAC address of each PC)

 

I'm still uncertain, relative to the configuration described in that thread, as to what communication would be possible between the private and public devices, but also what access each publicly-addressed PC would have to the other public PCs.  (i.e. are the public PCs accessible only on the protocol ports allowed by the firewall, or does the router logically establish a separate subnet for the public IP range within which all the public IP-addressed PCs are accessible to each other)

Message 15 of 28 (2,533 Views)