U-verse Forums

Posted Apr 8, 2009 11:56:33 PM
Need help understanding U-verse LAN setup (public & private on 3800HGV)

Hi, I'm trying to help a friend optimize his new U-verse setup, and so have come here seeking help from the U-verse community.

 

Overview:

- gateway is 2wire 3800HGV-B

- 6 ethernet (hard-wire) devices (4 desktops, laptop, DVR)

- available 5-port 10/100 switch

- 5 static IPs

 

Current configuration:

- 5-port switch is connected to gateway to increase available ports

- 3 desktops are hard-wired and each configured with a "public" static IP

- 1 desktop, the laptop and DVR are hard-wired and using DHCP address assignment (getting a "private" IP)

- PCs are all running XP

 

Questions:

This configuration results in 2 separate subnets, a public subnet and a private.  Given a desktop, his laptop and DVR are in the private subnet, how does this limit his access to the public-addressed PCs?  e.g. From his laptop, what services will he be able to access on the private-subnet desktop that he won't be able to access for those desktops on the public network?  (Will he be able to see UPnP media servers that are running on the public PCs?  Will he be able to see network shares on the public PCs?)

 

Assuming some critical services are still desired, can the PCs or gateway be configured to allow additional services between these networks?  If so, how?  Or is some other network configuration (e.g. multiple NICs) required to provide open access to these other PCs?

 

Thanks in advance for any insight.

3,787 views
27 replies
Apr 9, 2009 7:32:15 AM
Expert

Why do you have static IPs?  What is their use?  If it's for internal servers that will serve external services (like HTTP), why can't that be done with NAT?

 

Apr 9, 2009 7:51:48 AM
Mentor

I also have a couple of questions on this:

 

1. Where do you turn wireless off on the 2Wire router? I look at the wireless settings and I can disable SSID broadcast and security, but I don't see where to disable the wireless completely?

 

2. When I put the Linksys behind the 2Wire it displayed a message that there was a router behind the router and I selected Resolve and it put the Linksys in the DMZ and internet works fine but I am getting a dialog that says "Please enter the master password for the Software Security Device." when I connect to the Linksys. I can cancel this dialog to get the Linksys Admin login but I am not sure where the former dialog is being generated from?

 

Thx

Apr 9, 2009 8:37:25 AM
Master
To turn the wireless off in the RG, go to System Summary and look under Home Network, 2nd column, Status At A Glance, 3rd down: Wireless Enable/Disable.

Apr 9, 2009 8:39:00 AM
Master

stonecrd wrote:

I also have  a couple of questions on this:

 

1. Where do you turn wireless off on the 2Wire router. I look at the wireless settings and I can disable SSID broadcast and security but I don't see where to disable the wireless completely?     http://192.168.1.254/xslt?PAGE=C01&THISPAGE=B02&NEXTPAGE=C01

 

2. When I put the Linksys behind the 2Wire it displayed a message that there was a router behind the router and I selected Resolve and it put the Linksys in the DMZ and internet works fine but I am getting a dialog that says "Please enter the master password for the Software Security Device." when I connect to the Linksys. I can cancel this dialog to get the Linksys Admin login but I am not sure where the former dialog is being generated from?

 

Thx
Apr 9, 2009 9:32:29 AM
Tutor

stonecrd wrote:

I also have  a couple of questions on this:

 

1. Where do you turn wireless off on the 2Wire router....

2. When I put the Linksys behind the 2Wire ...


Which aren't really questions related to "this" thread.  I hope any responses received help you, but understand that your posing these questions here has cluttered this thread, which has started to get answers to different questions and is now diluted with unrelated noise.
Apr 9, 2009 9:33:28 AM
Expert

stonecrd wrote:

 

2. When I put the Linksys behind the 2Wire it displayed a message that there was a router behind the router and I selected Resolve and it put the Linksys in the DMZ and internet works fine but I am getting a dialog that says "Please enter the master password for the Software Security Device." when I connect to the Linksys. I can cancel this dialog to get the Linksys Admin login but I am not sure where the former dialog is being generated from?


 

That dialog is from Firefox's "Use a Master Password" option.  If you don't use it, turn it off in Tools -> Options -> Security.
Apr 9, 2009 9:37:38 AM
Tutor

SomeJoe7777 wrote:

Why do you have static IPs?  What is their use?  If it's for internal servers that will serve external services (like HTTP), why can't that be done with NAT?


The static IPs are needed because the unique IP addresses are required. (NAT'd PCs would all report as the same address, from the perspective of the outside world.)


Apr 9, 2009 10:10:57 AM
Scholar

plooger wrote:

Hi, I'm trying to help a friend optimize his new U-verse setup, and so have come here seeking help from the U-verse community.

 

Overview:

- gateway is 2wire 3800HGV-B

- 6 Ethernet (hard-wire) devices (4 desktops, laptop, DVR)

- available 5-port 10/100 switch

- 5 static IPs

 

Current configuration:

- 5-port switch is connected to gateway to increase available ports

- 3 desktops are hard-wired and each configured with a "public" static IP

- 1 desktop, the laptop and DVR are hard-wired and using DHCP address assignment (getting a "private" IP)

- PCs are all running XP

 

Questions:

This configuration results in 2 separate subnets, a public subnet and a private.  Given a desktop, his laptop and DVR are in the private subnet, how does this limit his access to the public-addressed PCs?  e.g. From his laptop, what services will he be able to access on the private-subnet desktop that he won't be able to access for those desktops on the public network?  (Will he be able to see UPnP media servers that are running on the public PCs?  Will he be able to see network shares on the public PCs?)

 

Assuming some critical services are still desired, can the PCs or gateway be configured to allow additional services between these networks?  If so, how?  Or is some other network configuration (e.g. Multiple NICs) required to provide open access to these other PCs?

 

Thanks in advance for any insight.


 

The devices on the "private" network will only be able to use the services of the machines that are available via their public IP addresses. So if you want to see a service on one of the three (3) public IP machines those same services have to be available to anyone on the internet. (THIS IS VERY DUMB). So no UPnP or network shares or shared printers unless you want to share them with the world.

 

The question from the previous poster still stands, what are the 3 machines doing that need public IP addresses? I hope they are well configured and have the latest OS security patches in place. Make sure that you have the RGs firewall configured to only allow specific ports and not be configured to "Allow all applications" for these public addresses.

 

Yes, if you need to have local access to these devices, you will need to have multiple NICs or a complex software solution to provide what we call a multi-homed IP solution to support multiple IP addresses to one or more of these three (3) public IP machines.

 

I would strongly suggest that you and your friend reevaluate the need for the three public IPs and triple check the firewall settings and OS security features and settings. Unless you want them to become a new U-verse Zombie Bot Army.

 

Dave

 

 

Message Edited by dave006 on 04-09-2009 10:13 AM
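The reachability question Dave answers above, as an added Python model (not code from the thread, AT&T or 2Wire): private hosts see every service on their own segment, anything aimed at a public static IP is routed through the RG's firewall and is therefore exactly as visible to the laptop as to the internet, and UPnP discovery cannot cross the boundary at all because SSDP is link-local multicast. The addresses (TEST-NET ranges), port sets and firewall tables are constructed, and `audit`/`harden` are my own helper names, not RG settings.

```python
"""Model of the private/public reachability question raised in this thread.
Added example, not from the thread, AT&T or 2Wire. The addresses, the port sets
and the firewall tables are constructed for illustration (TEST-NET-3 stands in
for the friend's static block)."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network

PRIVATE_LAN = ip_network("192.168.1.0/24")    # the RG's DHCP side
PUBLIC_BLOCK = ip_network("203.0.113.0/29")   # constructed stand-in for the static IPs
INTERNET = ip_address("198.51.100.77")        # constructed "anyone on the internet"

HTTP, NETBIOS_SSN, SMB, SSDP = 80, 139, 445, 1900
LAN_ONLY_SERVICES = {NETBIOS_SSN, SMB, SSDP}  # sharing/discovery ports that should never face the world


@dataclass
class Host:
    name: str
    ip: IPv4Address
    listening: set[int]


@dataclass
class FirewallPolicy:
    """The RG's rules per public address: an explicit port allowlist, or the
    'Allow all applications' setting that exposes every listening port."""
    allowed: dict[IPv4Address, set[int]] = field(default_factory=dict)
    allow_all: set[IPv4Address] = field(default_factory=set)

    def permits(self, dst: IPv4Address, port: int) -> bool:
        return dst in self.allow_all or port in self.allowed.get(dst, set())


def crosses_firewall(src: IPv4Address, dst: IPv4Address) -> bool:
    """Only private-to-private traffic stays on the switch. Anything aimed at a
    public address is routed by the RG and filtered like internet traffic."""
    return not (src in PRIVATE_LAN and dst in PRIVATE_LAN)


def reachable_ports(src: IPv4Address, dst: Host, policy: FirewallPolicy) -> set[int]:
    """Listening ports on dst that a client at src can complete a connection to."""
    if not crosses_firewall(src, dst.ip):
        return set(dst.listening)        # same segment: every service is visible
    if dst.ip in PRIVATE_LAN:
        return set()                     # NATed host: unsolicited inbound is dropped
    return {p for p in dst.listening if policy.permits(dst.ip, p)}


def upnp_discovery_works(src: IPv4Address, dst: IPv4Address) -> bool:
    """SSDP discovery is a multicast to 239.255.255.250:1900 that the RG does not
    forward between its private and public sides, so a UPnP media server on a
    public PC stays invisible to the private laptop even with port 1900 opened.
    Public-to-public discovery depends on how the 3800HGV bridges the static
    block, which the thread leaves open, so it is not modelled here."""
    return src in PRIVATE_LAN and dst in PRIVATE_LAN


def audit(hosts: list[Host], policy: FirewallPolicy) -> list[str]:
    """Findings a reviewer would raise: public machines left on 'Allow all
    applications', and LAN-only sharing ports reachable from the internet."""
    findings = []
    for h in hosts:
        if h.ip not in PUBLIC_BLOCK:
            continue
        if h.ip in policy.allow_all:
            findings.append(f"{h.name}: 'Allow all applications' exposes {sorted(h.listening)}")
        for p in sorted(reachable_ports(INTERNET, h, policy) & LAN_ONLY_SERVICES):
            findings.append(f"{h.name}: LAN-only port {p} is reachable from the internet")
    return findings


def harden(policy: FirewallPolicy, ip: IPv4Address, keep: set[int]) -> FirewallPolicy:
    """Replace 'Allow all applications' on ip with an explicit allowlist that
    never includes the sharing/discovery ports."""
    policy.allow_all.discard(ip)
    policy.allowed[ip] = set(keep) - LAN_ONLY_SERVICES
    return policy


def example_network() -> tuple[dict[str, Host], FirewallPolicy]:
    """Constructed version of the friend's LAN: two private hosts and two of
    the three public desktops (one well configured, one on 'Allow all')."""
    hosts = {
        "laptop":   Host("laptop",   ip_address("192.168.1.10"), {SSDP}),
        "desktop4": Host("desktop4", ip_address("192.168.1.11"), {HTTP, SMB, SSDP}),
        "desktop1": Host("desktop1", ip_address("203.0.113.2"),  {HTTP, SMB, SSDP}),
        "desktop3": Host("desktop3", ip_address("203.0.113.4"),  {HTTP, NETBIOS_SSN, SMB}),
    }
    policy = FirewallPolicy(
        allowed={hosts["desktop1"].ip: {HTTP}},   # only the application's port is opened
        allow_all={hosts["desktop3"].ip},         # the setting dave006 warns against
    )
    return hosts, policy
```

Running `audit` on `example_network()` reports the 'Allow all' desktop and its SMB/NetBIOS exposure; after `harden` the same audit comes back empty while the laptop's view of that desktop is unchanged from the internet's.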

Apr 9, 2009 10:13:22 AM
Expert

In other words, these PCs run an application where the system on the other end would not function correctly unless they have different IP addresses.

 

From a programmer's standpoint, I'd say that was a poorly designed application, but I also assume you have no control over that. :smileywink:

 

The U-Verse RG is not designed to have two separate subnets on the same physical network.  My recommendation is to place private IP devices connected directly (or through a switch) to the RG and use the 192.168.x.x subnet.  Then assign the public IPs to the other machines, and run them behind another router that's in the DMZ.  In the RG's interface, use the "Publically routable subnet" option to route all public IPs to the DMZ router.  Then create firewall holes in the DMZ router for communication between public and private machines.

 

Apr 9, 2009 11:29:10 AM
Tutor

Dave006 wrote:
The devices on the "private" network will only be able to use the services of the machines that are available via their public IP addresses. So if you want to see a service on one of the three (3) public IP machines those same services have to be available to anyone on the internet. (THIS IS VERY DUMB). So no UPnP or network shares or shared printers unless you want to share them with the world.

Ok, this gets me going.  I didn't know if the 2wire router had any special (non-standard), optional settings for streamlining connectivity between the private LAN and a public subnet.  (A manual for the 3800HGV sure would be handy, AT&T/2wire.)



The question from the previous poster still stands, what are the 3 machines doing that need public IP addresses? I hope they are well configured and have the latest OS security patches in place. Make sure that you have the RGs firewall configured to only allow specific ports and not be configured to "Allow all applications" for these public addresses. ... I would strongly suggest that you and your friend reevaluate the need for the three pubic IPs and triple check the firewall settings and OS security features and settings. Unless you want them to become a new U-verse Zombie Bolt Army.

Within the context of this thread, "why?" the public IPs are needed is moot -- though the stern warnings are much appreciated.  The security of the publicly-addressed computers is a separate concern being championed, understanding that providing separate local access also increases the risk, in the event that a publicly-accessible PC is compromised.
 

Yes, if you need to have local access to these devices, you will need to have multiple NICs or a complex software solution to provide what we call a multi-homed IP solution to support multiple IP addresses to one or more of these three (3) public IP machines.

If you have a link to some page describing the software approach for multi-homing, as it applies, I'd love to get my mitts on it.  I'm running multiple IPs on the PC from which I'm typing, but not multi-homing w/ just one NIC.
 
Thanks for the reply, Dave.  And, again, I appreciate the security warnings and admonishments.
 

SomeJoe7777 wrote:

 

In other words, these PCs run an application where the system on the other end would not function correctly unless they have different IP addresses. ... From a programmer's standpoint, I'd say that was a poorly designed application, but I also assume you have no control over that.


Precisely. And thank you for understanding.

 

 


The U-Verse RG is not designed to have two separate subnets on the same physical network.  My recommendation is to place private IP devices connected directly (or through a switch) to the RG and use the 192.168.x.x subnet.  Then assign the public IPs to the other machines, and run them behind another router that's in the DMZ.  In the RG's interface, use the "Publically routable subnet" option to route all public IPs to the DMZ router.  Then create firewall holes in the DMZ router for communication between public and private machines.


Yeah, not sure any router should, but I didn't know if they were doing something crazy that might prove advantageous to my friend.

 

And interesting suggestion on how to streamline the availability and protection of the publicly-addressed PCs.  I've seen a couple threads on setting-up a piggybacked router in this fashion, through the DMZ, but hadn't considered this configuration for my friend's network.  What advantage would this piggybacked/DMZ-passthrough router configuration have over configuring each publicly-addressed PC's "Internet" services in the 2wire 3800HGV's firewall setup?  Also, how would this piggybacked router setup solve the issue of private/public subnet connectivity between his networked devices?


Apr 9, 2009 12:44:30 PM
Tutor

SomeJoe7777 wrote:

 

The U-Verse RG is not designed to have two separate subnets on the same physical network.  My recommendation is to place private IP devices connected directly (or through a switch) to the RG and use the 192.168.x.x subnet.  Then assign the public IPs to the other machines, and run them behind another router that's in the DMZ.  In the RG's interface, use the "Publically routable subnet" option to route all public IPs to the DMZ router.  Then create firewall holes in the DMZ router for communication between public and private machines.

 


Apologies.  The piggybacked DMZ router is obviously being recommended to provide a physical separation between the private LAN and the public subnet, as well as the DMZ router offering additional junction for traffic control.

 


Apr 9, 2009 1:59:34 PM
Expert

plooger wrote:

Apologies.  The piggybacked DMZ router is obviously being recommended to provide a physical separation between the private LAN and the public subnet, as well as the DMZ router offering additional junction for traffic control.


 

Yes, that's correct.  This is one way to do it.

 

However, I did some searching, and I believe one person has actually successfully set this up the way you want to do, with no additional router.  Check out airwrck's post in the thread Configuring Devices Behind the Public Routed Subinterface.

I believe this allows you to assign the public routable IPs to certain devices, while maintaining DHCP using private IPs for other devices, and the RG will route between them.

 

If this is the case (and it sounds like it is, from airwrck's post), this would avoid the need for an additional router.  It also avoids having a firewall in the way when public IP devices need to talk to private IP devices.

 

Message Edited by SomeJoe7777 on 04-09-2009 04:01 PM

Apr 9, 2009 2:01:24 PM
Expert

dave006 wrote: 

The devices on the "private" network will only be able to use the services of the machines that are available via their public IP addresses. So if you want to see a service on one of the three (3) public IP machines those same services have to be available to anyone on the internet. (THIS IS VERY DUMB). So no UPnP or network shares or shared printers unless you want to share them with the world.


 

That may not be the case.  I believe if you set up the devices using the "Publically Routed Subinterface" option, there is a setting to continue to protect those devices with the firewall.  You can open only the ports you want to the outside.
Apr 9, 2009 2:43:07 PM
Tutor

SomeJoe7777 wrote:

plooger wrote:

Apologies.  The piggybacked DMZ router is obviously being recommended to provide a physical separation between the private LAN and the public subnet, as well as the DMZ router offering additional junction for traffic control.


 

Yes, that's correct.  This is one way to do it.

 

However, I did some searching, and I believe one person has actually successfully set this up the way you want to do, with no additional router.  Check out airwrck's post in the thread Configuring Devices Behind the Public Routed Subinterface.

I believe this allows you to assign the public routable IPs to certain devices, while maintaining DHCP using private IPs for other devices, and the RG will route between them.

 

If this is the case (and it sounds like it is, from airwrck's post), this would avoid the need for an additional router.  It also avoids having a firewall in the way when public IP devices need to talk to private IP devices.


Yeah, I'd reviewed that post before opening this thread.  From what I could comprehend, that thread provides details on how to assign public IP addresses, statically, using the DHCP service provided by the router, rather than having to manually configure each static IP address on each PC. (i.e. the PCs can remain as "DHCP Enabled", but they would each always receive the same public IP address configured for them on the router -- with the association based on the MAC address of each PC)

 

I'm still uncertain, relative to the configuration described in that thread, as to what communication would be possible between the private and public devices, but also what access each publicly-addressed PC would have to the other public PCs.  (i.e. are the public PCs accessible only on the protocol ports allowed by the firewall, or does the router logically establish a separate subnet for the public IP range within which all the public IP-addressed PCs are accessible to each other)



Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

15 of 28 (2,152 Views)
Apr 9, 2009 4:01:54 PM
Scholar

SomeJoe7777 wrote:

dave006 wrote: 

The devices on the "private" network will only be able to use the services of the machines that are available via their public IP addresses. So if you want to see a service on one of the three (3) public IP machines those same services have to be available to anyone on the internet. (THIS IS VERY DUMB). So no UPnP or network shares or shared printers unless you want to share them with the world.


 

That may not be the case.  I believe if you set up the devices using the "Publically Routed Subinterface" option, there is a setting to continue to protect those devices with the firewall.  You can only open ports you want to the outside.

 


No it is the case. If you want to use any of the services from one of the 3 public IP addressed machines from your private network, that same service has to be enabled on the RG, that's why if you can see the service from your private network then anyone on the internet can see the same service. It is a "Publically Routed Network".

 

Joe, no there is no specific option to continue to protect the devices in the "Publically Routed SubInterface", this is the default unless you set the RG to "Allow all applications" for that host, the RG's firewall will still protect your 3 public IP devices. Again, you should only open the ports that you want to share with the rest of the IP world. Even if you use the "Allow all applications", stateful packet inspection will still occur as the traffic passes through the gateway providing continued protection against Denial of Service and other common Internet attacks. You will have to go to the "Advanced" page here: http://192.168.1.254/xslt?PAGE=J15&THISPAGE=J09&NEXTPAGE=J15 if you want to disable additional firewall protection.

 

Dave



Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

16 of 28 (2,152 Views)
Apr 9, 2009 4:30:53 PM
Scholar

plooger wrote:

 

Yeah, I'd reviewed that post before opening this thread.  From what I could comprehend, that thread provides details on how to assign public IP addresses, statically, using the DHCP service provided by the router, rather than having to manually configure each static IP address on each PC. (i.e. the PCs can remain as "DHCP Enabled", but they would each always receive the same public IP address configured for them on the router -- with the association based on the MAC address of each PC)

 

I'm still uncertain, relative to the configuration described in that thread, as to what communication would be possible between the private and public devices, but also what access each publicly-addressed PC would have to the other public PCs.  (i.e. are the public PCs accessible only on the protocol ports allowed by the firewall, or does the router logically establish a separate subnet for the public IP range within which all the public IP-addressed PCs are accessible to each other)


 

Yes the router does treat the devices with a public IP address as if they are on a different network and network segment. It is not logical mapping, you will have a different subnet for the public IPs, for example the mask for the public subnet will be 255.255.255.248 for your /29 network and all of the public devices will be accessible but the RG's firewall will be protecting them from each other and from your private network (192.168.1.0 by default with a mask of 255.255.255.0).

 

In your original post you asked about having the services available from all of your local hosts. If you really only want the public IP hosts to see each other and all hosted services then you have to make a small physical change. You would need to put the three (3) hosts on their own LAN segment on a switch and the switch will allow the hosts to communicate directly without traffic going to the RG for local communication.  Just make sure you plug the switch's uplink port into one of the RG's ports.

 

Dave



Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

17 of 28 (2,152 Views)
Apr 9, 2009 5:14:02 PM
Expert

dave006 wrote:

No it is the case. If you want to use any of the services from one of the 3 public IP addressed machines from your private network, that same service has to be enabled on the RG, that's why if you can see the service from your private network then anyone on the internet can see the same service. It is a "Publically Routed Network".


 

So, then the RG actually applies firewall rules on the Ethernet subinterface, not the VDSL interface.  Thus when packets pass from the private subnet to the public subnet and back, they travel through the firewall, with all rules applied?  If so, that's a bad design.

 

With this restriction in mind, then the only thing I can think of that will work is the following:

 

1. All DVR/STB hardware plugs directly into the RG, and gets 192.168.1.xx private IPs via DHCP off the RG.

2. Use the "Publically Routed Subinterface" option in the RG to add your public IPs to the internal network.

3. Attach all "private" machines to the network, they can use DHCP to get IP addressing information from the RG.

4. For the "public" machines, manually configure them.  Give them a static public IP, with a default gateway of the public IP that the RG was configured with in step 2.

5. Multihome the public machines, giving each of them a second IP.  Use a 192.168.1.xx static IP (xx between 2 and 63).  Do NOT assign a default gateway.

6. You will need some kind of name resolution mechanism for the private machines to talk to the public machines directly.  You can do this three ways: a. Use a hosts file on each private machine that relates the names of the public machines to their private (192.168.1.xx) address.  b. Set up your own local DNS server and point the private machines to use that as their DNS resolver.  In that DNS server, have names for the public machines that resolve to their private IP.  Or c. Use a DNS service like OpenDNS on the private machines, and add public machine names to the OpenDNS configuration page that resolve to the private IPs.  If you absolutely don't want to set up special name resolution, you can communicate from private machines to public machines using the public machines' private IP addresses instead of names.

7. The public machines do not need special DNS configuration.  When they want to talk to a private machine, they will use the RG as the DNS server, which will hand back the private IP of the private machine in question, and the public machine will communicate with it directly using the private interface.

 

This will make it so there is no firewall in the way of the private and public machines communicating with each other.  The public machines, when they communicate with the Internet, will all use their individualized public IPs.  You can also now configure the RG's firewall to only allow specific protocols to the public machines without interfering with private-to-public machine communication.

 


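Added worked example (not code from this thread, nor from AT&T or 2Wire) covering the subnet layout described in the post above signed Dave and the seven-step multihoming plan in this post. Each host makes the ordinary routing decision (connected subnet first, then default gateway), and the RG is modelled as a router whose firewall filters traffic it routes toward a public-subinterface host by that host's pinhole (allowed TCP port) list and simply forwards everything else. For each flow it reports whether the frame is switched directly on-link, never reaching the RG, or routed through the RG and subject to that check. The public /29 (203.0.113.0/29, a documentation range), the RG's public-side address 203.0.113.1, the host addresses and the single TCP/80 pinhole are assumptions; 192.168.1.0/24, 192.168.1.254 and the /29 mask come from the thread. Run it as a script for a table of the public-only and the multihomed case.

```python
"""Which flows on the thread's LAN cross the RG's firewall, and which stay on-link.

Added example, not code from the forum thread, AT&T or 2Wire.  Hosts route
normally (connected subnet, else default gateway); the RG's firewall filters
traffic routed toward a public-subinterface host by that host's pinhole list
and forwards everything else.  The /29 203.0.113.0/29, the RG's public-side
address 203.0.113.1 and the pinhole list are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPAddr = ipaddress.IPv4Address
IPNet = ipaddress.IPv4Network

PRIVATE_NET = IPNet("192.168.1.0/24")    # RG default private LAN (from the thread)
PUBLIC_NET = IPNet("203.0.113.0/29")     # assumed /29, mask 255.255.255.248
RG_PRIVATE_GW = IPAddr("192.168.1.254")  # RG's private-side address (from the thread)
RG_PUBLIC_GW = IPAddr("203.0.113.1")     # assumed public-side address of the RG


@dataclass
class Host:
    name: str
    addrs: list[tuple[IPAddr, IPNet]]    # (address, connected subnet) per configured IP
    default_gw: IPAddr | None

    def next_hop(self, dst: IPAddr) -> tuple[str, IPAddr | None]:
        """Longest-prefix match over connected subnets, else the default route."""
        best = None
        for addr, net in self.addrs:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (addr, net)
        if best is not None:
            return "onlink", best[0]
        if self.default_gw is not None:
            return "gateway", self.default_gw
        return "unreachable", None


@dataclass
class RGFirewall:
    pinholes: dict[IPAddr, set[int]]     # public host -> TCP ports the RG passes to it

    def verdict(self, dst: IPAddr, port: int) -> str:
        if dst in PUBLIC_NET:            # routed toward a public host: pinhole list applies
            allowed = port in self.pinholes.get(dst, set())
            return "rg:pinhole-allowed" if allowed else "rg:pinhole-blocked"
        return "rg:forwarded"            # private LAN or Internet destination


def classify(lan: dict[str, Host], src: str, dst: IPAddr, port: int, fw: RGFirewall) -> str:
    """Outcome for a TCP flow from host `src` to dst:port."""
    kind, _ = lan[src].next_hop(dst)
    if kind == "onlink":
        # Same subnet: the frame is switched by MAC address and never reaches the
        # RG's routing engine.  It only works if some host actually owns dst.
        owned = any(dst == a for h in lan.values() for a, _ in h.addrs)
        return "direct" if owned else "unreachable"
    return fw.verdict(dst, port) if kind == "gateway" else "unreachable"


def build_lan(multihomed: bool) -> dict[str, Host]:
    """Two public desktops and a private laptop.  multihomed=True applies step 5
    to desktop1: a second address 192.168.1.10/24 with no gateway of its own."""
    d1 = [(IPAddr("203.0.113.2"), PUBLIC_NET)]
    if multihomed:
        d1.append((IPAddr("192.168.1.10"), PRIVATE_NET))
    return {
        "desktop1": Host("desktop1", d1, RG_PUBLIC_GW),
        "desktop2": Host("desktop2", [(IPAddr("203.0.113.3"), PUBLIC_NET)], RG_PUBLIC_GW),
        "laptop": Host("laptop", [(IPAddr("192.168.1.70"), PRIVATE_NET)], RG_PRIVATE_GW),
    }


FW = RGFirewall({IPAddr("203.0.113.2"): {80}})   # assumed: only HTTP pinholed to desktop1
SMB, HTTP = 445, 80
INTERNET = IPAddr("198.51.100.5")                # any off-LAN address


def flows(multihomed: bool) -> dict[str, str]:
    """The flows the thread argues about, keyed by 'src->dst:port'."""
    lan = build_lan(multihomed)
    return {
        "laptop->desktop1(public):445": classify(lan, "laptop", IPAddr("203.0.113.2"), SMB, FW),
        "laptop->desktop1(public):80": classify(lan, "laptop", IPAddr("203.0.113.2"), HTTP, FW),
        "laptop->desktop1(private):445": classify(lan, "laptop", IPAddr("192.168.1.10"), SMB, FW),
        "desktop1->laptop:445": classify(lan, "desktop1", IPAddr("192.168.1.70"), SMB, FW),
        "desktop1->desktop2:445": classify(lan, "desktop1", IPAddr("203.0.113.3"), SMB, FW),
        "desktop1->internet:80": classify(lan, "desktop1", INTERNET, HTTP, FW),
        "laptop->internet:80": classify(lan, "laptop", INTERNET, HTTP, FW),
    }


if __name__ == "__main__":
    for mh in (False, True):
        print(f"\ndesktop1 {'multihomed' if mh else 'public address only'}:")
        for flow, outcome in flows(mh).items():
            print(f"  {flow:32} {outcome}")
```

The rows worth comparing are laptop->desktop1: reaching the public address, SMB stays blocked and would only pass once pinholed, which exposes it to the Internet as well, while reaching the second private address is delivered on-link and never meets the RG's firewall. Desktop-to-desktop traffic inside the /29 is on-link in both cases regardless of which switch port the machines sit on, and each public desktop still leaves for the Internet through its own public address.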

 

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

18 of 28 (2,152 Views)
Apr 9, 2009 8:36:50 PM
Tutor

dave006 wrote:

 

In your original post you asked about having the services available from all of your local hosts. If you really only want the public IP hosts to see each other and all hosted services then you have to make a small physical change. You would need to put the three (3) hosts on their own LAN segment on a switch and the switch will allow the hosts to communicate directly without traffic going to the RG for local communication.  Just make sure you plug the switch's uplink port into one of the RG's ports.


Simple workaround, thanks.  (Though this separate LAN segment for allowing the public-facing hosts to communicate with each other through their public IPs won't be necessary if we add secondary NICs to each of them to allow communication within the "private" network.)



Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

19 of 28 (2,152 Views)
Apr 9, 2009 9:21:20 PM
Expert

plooger wrote:

dave006 wrote:

 

In your original post you asked about having the services available from all of your local hosts. If you really only want the public IP hosts to see each other and all hosted services then you have to make a small physical change. You would need to put the three (3) hosts on their own LAN segment on a switch and the switch will allow the hosts to communicate directly without traffic going to the RG for local communication.  Just make sure you plug the switch's uplink port into one of the RG's ports.


Simple workaround, thanks.  (Though this separate LAN segment for allowing the public-facing hosts to communicate with each other through their public IPs won't be necessary if we add secondary NICs to each of them to allow communication within the "private" network.)


 

Uh, none of that makes any sense.  Having the public computers on a switch by themselves that is uplinked to the RG does nothing.  All switch ports throughout the LAN are identical from a logical subnet standpoint.

 

As I explained in my last post, you do not need secondary NIC cards to accomplish this.  You can multihome (use multiple IP addresses on separate subnets) using only one NIC.

 



 

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

20 of 28 (2,152 Views)
Apr 9, 2009 10:44:21 PM
Scholar

plooger wrote:

dave006 wrote:

 

In your original post you asked about having the services available from all of your local hosts. If you really only want the public IP hosts to see each other and all hosted services then you have to make a small physical change. You would need to put the three (3) hosts on their own LAN segment on a switch and the switch will allow the hosts to communicate directly without traffic going to the RG for local communication.  Just make sure you plug the switch's uplink port into one of the RG's ports.


Simple workaround, thanks.  (Though this separate LAN segment for allowing the public-facing hosts to communicate with each other through their public IPs won't be necessary if we add secondary NICs to each of them to allow communication within the "private" network.)


I think we covered the multiple NIC option back in Post 6 on page 1. This can be very dangerous since if one of your public IP hosts is compromised your entire network is at risk, and error prone as you will have to add metrics to the route tables to get the correct traffic flow over the intended connection and prevent the default routes for a machine from being used in error.  This often causes routing loops and flaky performance because of the ARP caches and local DNS caches on the individual machines when individual devices are restarted.

 

Simple is always the easiest answer for IP routing. Again, do you really need all of the hosts to see all of the services of each computer or is that just a nice to have?

 

Dave



Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

21 of 28 (2,517 Views)
Apr 9, 2009 11:04:51 PM
Scholar

SomeJoe7777 wrote:

Uh, none of that makes any sense.  Having the public computers on a switch by themselves that is uplinked to the RG does nothing.  All switch ports throughout the LAN are identical from a logical subnet standpoint.

 

As I explained in my last post, you do not need secondary NIC cards to accomplish this.  You can multihome (use multiple IP addresses on separate subnets) using only one NIC.

 


Actually, having the public computers on a switch allows the traffic and all local services, TCP/IP and UDP, to be handled in the switch fabric based on the MAC addresses without the traffic needing to go to the RG. The switch will use its local MAC list to allow port to port communication. Recall that they have a different IP address scheme and a different subnet mask so they would not be on the same logical network or logical subnet as you mentioned. Their IP addresses and net mask are in the /29 routable net block with a net mask of 255.255.255.248 and not the private 192.168.1.0 /24 network with a net mask of 255.255.255.0. The RG manages the mapping based on the MAC addresses and when it detects a static IP it removes it from the table.

 

The RG's firewall only allows traffic for a public network IP address to be directed to a local LAN device with the same public network IP address. That is, except for traffic sent to the single broadband IP address assigned to the router and shared through NAPT, traffic sent to other specific broadband IP addresses associated with the connection cannot be directed to local LAN devices that may be using private IP addresses.

 

Dave



Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

22 of 28 (2,517 Views)
Apr 10, 2009 6:19:54 AM
Expert

dave006 wrote:

Actually, having the public computers on a switch allows the traffic and all local services, TCP/IP and UDP, to be handled in the switch fabric based on the MAC addresses without the traffic needing to go to the RG. The switch will use its local MAC list to allow port to port communication. Recall that they have a different IP address scheme and a different subnet mask so they would not be on the same logical network or logical subnet as you mentioned. Their IP addresses and net mask are in the /29 routable net block with a net mask of 255.255.255.248 and not the private 192.168.1.0 /24 network with a net mask of 255.255.255.0. The RG manages the mapping based on the MAC addresses and when it detects a static IP it removes it from the table.

 

The RG's firewall only allows traffic for a public network IP address to be directed to a local LAN device with the same public network IP address. That is, except for traffic sent to the single broadband IP address assigned to the router and shared through NAPT, traffic sent to other specific broadband IP addresses associated with the connection cannot be directed to local LAN devices that may be using private IP addresses.


 

Yes, you can have the public and private computers communicate with each other directly, based on MAC address.  But you do not need a separate switch for this.  You can plug a private computer into the RG and a public computer into another downstream switch and it will work the exact same way.  Just because the packet traverses the RG's ports does not mean that the packet will be filtered by the firewall.  The 4 ports of the RG are a switch, and if the packet is addressed to another computer on the local LAN by MAC address, the RG's routing logic won't touch it.

 

The manner in which the packets get routed like this is software and configuration dependent, not hardware dependent.  Any computer can communicate with another on the same subnet by sending packets directly using their MAC address, and will by default do so as long as the NIC is configured to be a member of that subnet.

 

This is exactly how it would work in my post above that illustrates the 7 steps necessary to properly configure it.  With this setup, all communication between all computers happens directly, with no involvement from the RG's routing engine.

 

Message Edited by SomeJoe7777 on 04-10-2009 08:20 AM


Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

Apr 10, 2009 11:02:18 AM
Scholar

SomeJoe7777 wrote:

 

Yes, you can have the public and private computers communicate with each other directly, based on MAC address.  But you do not need a separate switch for this.  You can plug a private computer into the RG and a public computer into another downstream switch and it will work the exact same way.  Just because the packet traverses the RG's ports does not mean that the packet will be filtered by the firewall.  The 4 ports of the RG are a switch, and if the packet is addressed to another computer on the local LAN by MAC address, the RG's routing logic won't touch it.

 

The manner in which the packets get routed like this is software and configuration dependent, not hardware dependent.  Any computer can communicate with another on the same subnet by sending packets directly using their MAC address, and will by default do so as long as the NIC is configured to be a member of that subnet.

 

This is exactly how it would work in my post above that illustrates the 7 steps necessary to properly configure it.  With this setup, all communication between all computers happens directly, with no involvement from the RG's routing engine.

 

Message Edited by SomeJoe7777 on 04-10-2009 08:20 AM

The problem is that the public routable IPs are not in the same subnet or network as the private IPs. While the switching fabric can see the MACs of all devices, TCP/IP needs ARP and routes to cross the two networks / subnets. This is why the OP is looking at having multiple NICs in the public hosts to allow them to sit on both physical network segments.

 

For the OP's example: he has a /29 Public subnet (5 Public routable IPs) and its mask will be 255.255.255.248.  Let's use a sample network group, 99.100.1.192, to represent the /29 network. In this case the net mask will be 255.255.255.248 with an IP range of 99.100.1.93 - 99.100.1.98 (U-verse wants the RG on the last address); this leaves 5 IPs to be assigned to your hosts.

 

The private non-routable IPs will have a net mask of 255.255.255.0 with a default network of 192.168.1.0 with a range of IPs from 192.168.1.1 - 192.168.1.254 (.254 is the default for the RG).  

 

Now that you have two different networks, you need route statements on both routers; this is where the problem exists. You can't add additional routes in the RG. You have full control if you are using a secondary router like a Cisco Linksys or Netgear. If we had just a little more access in the RG then it would be easy to create static routes and even manage the DNS properly.

 

I also did some additional research and the 2Wire does not support UPnP (OP mentioned it in his initial post) and as I have posted in a couple of threads the 2Wire RG does not like a specific type of VPN as documented in this support document: http://support.2wire.com/?page=view&article=20&text=VPN&cat=&sort=

 

Dave

 



 

Apr 10, 2009 5:33:27 PM
Expert

dave006 wrote:

The problem is that the public routable IPs are not in the same subnet or network as the private IPs. While the switching fabric can see the MACs of all devices, TCP/IP needs ARP and routes to cross the two networks / subnets. This is why the OP is looking at having multiple NICs in the public hosts to allow them to sit on both physical network segments.

 

For the OP's example: he has a /29 Public subnet (5 Public routable IPs) and its mask will be 255.255.255.248.  Let's use a sample network group, 99.100.1.192, to represent the /29 network. In this case the net mask will be 255.255.255.248 with an IP range of 99.100.1.93 - 99.100.1.98 (U-verse wants the RG on the last address); this leaves 5 IPs to be assigned to your hosts.

 

The private non-routable IPs will have a net mask of 255.255.255.0 with a default network of 192.168.1.0 with a range of IPs from 192.168.1.1 - 192.168.1.254 (.254 is the default for the RG).  

 

Now that you have two different networks, you need route statements on both routers; this is where the problem exists. You can't add additional routes in the RG. You have full control if you are using a secondary router like a Cisco Linksys or Netgear. If we had just a little more access in the RG then it would be easy to create static routes and even manage the DNS properly.


 

You are still not understanding my proposed configuration.

 

Let's use your numbers.  Computers A, B, and C are the "public" computers.  They have a public IP in the range 99.100.1.192/29.  Network address (not usable) of 99.100.1.192.  Broadcast address (not usable) of 99.100.1.199.  Usable IPs of 99.100.1.193-198.  RG is going to use 99.100.1.198.  Subnet mask 255.255.255.248 for everyone.  Default gateway of 99.100.1.198 for the 3 computers A, B, and C.  Configure the RG for "Publically Routable Subinterface", use 99.100.1.198 for the router address, 255.255.255.248 for subnet mask.

 

Everything with these computers now works just hunky-dory.

 

Now, add computers D and E.  Configure for DHCP, plug into the same network as computers A, B, and C.  Now computers D and E get an IP address from the RG's DHCP server, they get 192.168.1.75 and 76, with a subnet mask of 255.255.255.0, default gateway of 192.168.1.254 (the RG).

 

Those two computers now work just fine as well.

 

OK, now the problem at this point is that computers A, B, and C can't communicate with D and E, and vice versa because they are on different subnets.  We will fix this by multihoming computers A, B, and C so that all of them have 2 IP addresses, one in the public range and one in the private range.

 

So, on computers A, B, and C, add static IP addresses of 192.168.1.10, .11, and .12, with subnet mask 255.255.255.0, and NO default gateway.

 

Presto, all computers can now communicate with each other with no interference from the RG.  DNS even works when initiating communication from the public computers.  The name is registered in the RG, so on computer A, "ping computerD" works properly, because the RG resolves the name to 192.168.1.75, and computer A sends the packet using ARP by MAC address directly to computer D because they are now part of the same subnet.

 

Initiating a communication from computer D to computer A is a bit different, because "computer A" would resolve to the public IP if the RG answered the DNS query.  This won't work, as computer D would send the packet to the default gateway (the RG).  So we need some type of different DNS resolution for computers D and E where "ping computerA" would cause a resolution to computer A's private IP address of 192.168.1.11.  We can do this with a hosts file, local private DNS, or public configurable service like OpenDNS.

 

Problem totally solved.  No additional router.  No additional routes on the RG.  No additional NIC cards.
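To make the two posts above concrete, here is an added Python model of the LAN that takes dave's /29 and /24 addressing and Joe's multihoming and DNS steps (example code written for this thread, not from either poster or from 2Wire). It computes the network, broadcast, usable range and RG address from each prefix, gives every computer its interface addresses and its single default gateway, and classifies a packet as delivered directly (ARP, switched by MAC) or handed to the RG, which per the thread does not forward between the public and private sides. The names computerA..computerE, the RG's DNS answers, and the assignment of 192.168.1.10/.11/.12 to A/B/C in that order are assumptions made for the example.

```python
"""Added example: model the public /29 + private /24 LAN discussed in this thread."""
import ipaddress
from typing import Dict, List, Optional

# Addressing used in the thread: dave006's sample /29 and the RG's default /24.
PUBLIC_NET = ipaddress.ip_network("99.100.1.192/29")
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")


def subnet_facts(net: ipaddress.IPv4Network) -> Dict[str, object]:
    """Network, broadcast, mask, usable range and the RG address (last usable)."""
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),      # not usable by a host
        "broadcast": str(net.broadcast_address),  # not usable by a host
        "mask": str(net.netmask),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "rg": str(hosts[-1]),                     # U-verse puts the RG on the last address
        "hosts_for_you": len(hosts) - 1,          # usable addresses minus the RG's own
    }


class Host:
    """A LAN computer: its interface addresses (one or two) and its single default gateway."""

    def __init__(self, name: str, addrs: List[str], gateway: Optional[str]) -> None:
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addrs]
        # Joe's step: the added private address gets NO gateway, so a host keeps just one.
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst: str) -> str:
        """'direct' if dst is on a connected subnet (ARP, delivered by MAC through the
        switch ports), 'gateway' if the host must hand it to the RG, else 'unreachable'."""
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in iface.network for iface in self.ifaces):
            return "direct"
        return "gateway" if self.gateway is not None else "unreachable"


def build_lan(multihomed: bool) -> Dict[str, Host]:
    """Computers A-E as described in the thread (names and .10/.11/.12 order assumed)."""
    rg_public = str(subnet_facts(PUBLIC_NET)["rg"])    # 99.100.1.198
    rg_private = str(subnet_facts(PRIVATE_NET)["rg"])  # 192.168.1.254
    public = {"computerA": ("99.100.1.193", "192.168.1.10"),
              "computerB": ("99.100.1.194", "192.168.1.11"),
              "computerC": ("99.100.1.195", "192.168.1.12")}
    lan: Dict[str, Host] = {}
    for name, (pub, priv) in public.items():
        addrs = [f"{pub}/29"] + ([f"{priv}/24"] if multihomed else [])
        lan[name] = Host(name, addrs, rg_public)
    lan["computerD"] = Host("computerD", ["192.168.1.75/24"], rg_private)
    lan["computerE"] = Host("computerE", ["192.168.1.76/24"], rg_private)
    return lan


# Assumed RG DNS answers: DHCP clients register their private address, and a public
# computer's name answers with its public address, as Joe describes.
RG_DNS = {"computerA": "99.100.1.193", "computerB": "99.100.1.194",
          "computerC": "99.100.1.195", "computerD": "192.168.1.75",
          "computerE": "192.168.1.76"}


def private_hosts_file(lan: Dict[str, Host]) -> Dict[str, str]:
    """Name -> private address for every host that has one; install this on D and E."""
    return {h.name: str(i.ip) for h in lan.values() for i in h.ifaces
            if i.network == PRIVATE_NET}


def hosts_file_lines(mapping: Dict[str, str]) -> List[str]:
    """Render the mapping in hosts-file syntax (address, then name)."""
    return [f"{ip}\t{name}" for name, ip in sorted(mapping.items())]


def delivery(lan: Dict[str, Host], src: str, dst_name: str,
             hosts_file: Optional[Dict[str, str]] = None) -> str:
    """Resolve dst_name (hosts file wins over the RG's DNS) and classify the first hop."""
    dst_ip = (hosts_file or {}).get(dst_name) or RG_DNS[dst_name]
    return lan[src].next_hop(dst_ip)


if __name__ == "__main__":
    print(subnet_facts(PUBLIC_NET))
    before, after = build_lan(False), build_lan(True)
    print("A->D before multihoming:", delivery(before, "computerA", "computerD"))
    print("A->D after multihoming: ", delivery(after, "computerA", "computerD"))
    print("D->A via RG DNS:        ", delivery(after, "computerD", "computerA"))
    hf = private_hosts_file(after)
    print("D->A via hosts file:    ", delivery(after, "computerD", "computerA", hf))
    print("\n".join(hosts_file_lines(hf)))
```

Before multihoming every A-to-D or D-to-A packet lands on the RG; after adding the private addresses A-to-D goes direct, and D-to-A goes direct only when D resolves the name through the hosts file rather than the RG. The one-gateway rule in `Host` is the same reason Joe's private addresses get no default gateway: the public computers keep the RG's public address as their only way off the LAN.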

 



Apr 10, 2009 7:56:52 PM
Tutor

Great debate and information guys, thanks.  Taking dave's security warnings into account (i.e. "don't do it!"), Joe's documented "final solution", along with the configuration steps detailed earlier, provide a clear understanding of one way to get the private and public PCs communicating openly.

 

The only variation I'd still consider is the second NIC, although not required, per Joe's solution.  A second NIC for each of the public PCs *could* be beneficial in some instances (e.g. if the primary NIC is only 100MB, but you want Gigabit for the internal, private network -- which would require a separate Gigabit switch for the private network, of course, since the 3800HGV isn't Gigabit).


Apr 10, 2009 8:15:40 PM
Expert

plooger wrote:

The only variation I'd still consider is the second NIC, although not required, per Joe's solution.  A second NIC for each of the public PCs *could* be beneficial in some instances (e.g. if the primary NIC is only 100MB, but you want Gigabit for the internal, private network -- which would require a separate Gigabit switch for the private network, of course, since the 3800HGV isn't Gigabit).


 

If you want to do gigabit on the internal network, and you have a gigabit switch, then there's no reason to have a 100 Mb NIC. :smileyhappy:

 

I use gigabit throughout my home network, and the gigabit switch is uplinked to the RG (at 100 Mb).

 

A second NIC would be beneficial in a server environment or video editing environment for something like iSCSI SAN or network backup applications.  I've done those before, but not in a home/desktop environment.

 



 

Apr 10, 2009 8:26:02 PM
Tutor

SomeJoe7777 wrote:

plooger wrote:

The only variation I'd still consider is the second NIC, although not required, per Joe's solution.  A second NIC for each of the public PCs *could* be beneficial in some instances (e.g. if the primary NIC is only 100MB, but you want Gigabit for the internal, private network -- which would require a separate Gigabit switch for the private network, of course, since the 3800HGV isn't Gigabit).


 

If you want to do gigabit on the internal network, and you have a gigabit switch, then there's no reason to have a 100 Mb NIC.

 


Right.  Unless the primary NIC is built-in, in which case there's no reason not to take advantage of it, even after adding the Gigabit NIC card.


