Need help understanding U-verse LAN setup (public & private on 3800HGV)

Tutor

Need help understanding U-verse LAN setup (public & private on 3800HGV)

Hi, I'm trying to help a friend optimize his new U-verse setup, and so have come here seeking help from the U-verse community.

 

Overview:

- gateway is 2wire 3800HGV-B

- 6 ethernet (hard-wire) devices (4 desktops, laptop, DVR)

- available 5-port 10/100 switch

- 5 static IPs

 

Current configuration:

- 5-port switch is connected to gateway to increase available ports

- 3 desktops are hard-wired and each configured with a "public" static IP

- 1 desktop, the laptop and DVR are hard-wired and using DHCP address assignment (getting a "private" IP)

- PCs are all running XP

 

Questions:

This configuration results in 2 separate subnets, a public subnet and a private.  Given a desktop, his laptop and DVR are in the private subnet, how does this limit his access to the public-addressed PCs?  e.g. From his laptop, what services will he be able to access on the private-subnet desktop that he won't be able to access for those desktops on the public network?  (Will he be able to see UPnP media servers that are running on the public PCs?  Will he be able to see network shares on the public PCs?)

 

Assuming some critical services are still desired, can the PCs or gateway be configured to allow additional services between these networks?  If so, how?  Or is some other network configuration (e.g. multiple NICs) required to provide open access to these other PCs?

 

Thanks in advance for any insight.

Message 1 of 28 (4,168 Views)
Scholar

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


SomeJoe7777 wrote:

dave006 wrote: 

The devices on the "private" network will only be able to use the services of the machines that are available via their public IP addresses. So if you want to see a service on one of the three (3) public IP machines those same services have to be available to anyone on the internet. (THIS IS VERY DUMB). So no UPnP or network shares or shared printers unless you want to share them with the world.


 

That may not be the case.  I believe if you set up the devices using the "Publically Routed Subinterface" option, there is a setting to continue to protect those devices with the firewall.  You can only open ports you want to the outside.

 


No it is the case. If you want to use any of the services from one of the 3 public IP addressed machines from your private network, that same service has to be enabled on the RG, that's why if you can see the service from your private network then anyone on the internet can see the same service. It is a "Publically Routed Network".

 

Joe, no there is no specific option to continue to protect the devices in the "Publically Routed SubInterface", this is the default unless you set the RG to "Allow all applications" for that host, the RG's firewall will still protect your 3 public IP devices. Again, you should only open the ports that you want to share with the rest of the IP world. Even if you use the "Allow all applications", stateful packet inspection will still occur as the traffic passes through the gateway providing continued protection against Denial of Service and other common Internet attacks. You will have to go to the "Advanced" page here: http://192.168.1.254/xslt?PAGE=J15&THISPAGE=J09&NEXTPAGE=J15 if you want to disable additional firewall protection.

 

Dave

Message 16 of 28 (2,530 Views)
Scholar

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


plooger wrote:

 

Yeah, I'd reviewed that post before opening this thread.  From what I could comprehend, that thread provides details on how to assign public IP addresses, statically, using the DHCP service provided by the router, rather than having to manually configure each static IP address on each PC. (i.e. the PCs can remain as "DHCP Enabled", but they would each always receive the same public IP address configured for them on the router -- with the association based on the MAC address of each PC)

 

I'm still uncertain, relative to the configuration described in that thread, as to what communication would be possible between the private and public devices, but also what access each publicly-addressed PC would have to the other public PCs.  (i.e. are the public PCs accessible only on the protocol ports allowed by the firewall, or does the router logically establish a separate subnet for the public IP range within which all the public IP-addressed PCs are accessible to each other)


 

Yes the router does treat the devices with a public IP address as if they are on a different network and network segment. It is not logical mapping, you will have a different subnet for the public IPs, for example the mask for the public subnet will be 255.255.255.248 for your /29 network and all of the public devices will be accessible but the RG's firewall will be protecting them from each other, from your private network (192.168.1.0 by default with a mask of 255.255.255.0).

 

In your original post you asked about having the services available from all of your local hosts. If you really only want the public IP hosts to see each other and all hosted services then you have to make a small physical change. You would need to put the three (3) hosts on their own LAN segment on a switch and the switch will allow the hosts to communicate directly without traffic going to the RG for local communication.  Just make sure you plug the switch's uplink port into one of the RG's ports.

 

Dave

Message 17 of 28 (2,530 Views)
Expert

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


dave006 wrote:

No it is the case. If you want to use any of the services from one of the 3 public IP addressed machines from your private network, that same service has to be enabled on the RG, that's why if you can see the service from your private network then anyone on the internet can see the same service. It is a "Publically Routed Network".


 

So, then the RG actually applies firewall rules on the Ethernet subinterface, not the VDSL interface.  Thus when packets pass from the private subnet to the public subnet and back, they travel through the firewall, with all rules applied?  If so, that's a bad design.

 

With this restriction in mind, then the only thing I can think of that will work is the following:

 

1. All DVR/STB hardware plugs directly into the RG, and gets 192.168.1.xx private IPs via DHCP off the RG.

2. Use the "Publically Routed Subinterface" option in the RG to add your public IPs to the internal network.

3. Attach all "private" machines to the network, they can use DHCP to get IP addressing information from the RG.

4. For the "public" machines, manually configure them.  Give them a static public IP, with a default gateway of the public IP that the RG was configured with in step 2.

5. Multihome the public machines, giving each of them a second IP.  Use a 192.168.1.xx static IP (xx between 2 and 63).  Do NOT assign a default gateway.

6. You will need some kind of name resolution mechanism for the private machines to talk to the public machines directly.  You can do this three ways: a. Use a hosts file on each private machine that relates the names of the public machines to their private (192.168.1.xx) address.  b. Set up your own local DNS server and point the private machines to use that as their DNS resolver.  In that DNS server, have names for the public machines that resolve to their private IP.  Or c. Use a DNS service like OpenDNS on the private machines, and add public machine names to the OpenDNS configuration page that resolve to the private IPs.  If you absolutely don't want to set up special name resolution, you can communicate from private machines to public machines using the public machines' private IP addresses instead of names.

7. The public machines do not need special DNS configuration.  When they want to talk to a private machine, they will use the RG as the DNS server, which will hand back the private IP of the private machine in question, and the public machine will communicate with it directly using the private interface.

 

This will make it so there is no firewall in the way of the private and public machines communicating with each other.  The public machines, when they communicate with the Internet, will all use their individualized public IPs.  You can also now configure the RG's firewall to only allow specific protocols to the public machines without interfering with private-to-public machine communication.

 

Message 18 of 28 (2,530 Views)
Tutor

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


dave006 wrote:

 

In your original post you asked about having the services available from all of your local hosts. If you really only want the public IP hosts to see each other and all hosted services then you have to make a small physical change. You would need to put the three (3) hosts on their own LAN segment on a switch and the switch will allow the hosts to communicate directly without traffic going to the RG for local communication.  Just make sure you plug the switch's uplink port into one of the RG's ports.


Simple workaround, thanks.  (Though this separate LAN segment for allowing the public-facing hosts to communicate with each other through their public IPs won't be necessary if we add secondary NICs to each of them to allow communication within the "private" network.)

Message 19 of 28 (2,530 Views)
Expert

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


plooger wrote:

dave006 wrote:

 

In your original post you asked about having the services available from all of your local hosts. If you really only want the public IP hosts to see each other and all hosted services then you have to make a small physical change. You would need to put the three (3) hosts on their own LAN segment on a switch and the switch will allow the hosts to communicate directly without traffic going to the RG for local communication.  Just make sure you plug the switch's uplink port into one of the RG's ports.


Simple workaround, thanks.  (Though this separate LAN segment for allowing the public-facing hosts to communicate with each other through their public IPs won't be necessary if we add secondary NICs to each of them to allow communication within the "private" network.)


 

Uh, none of that makes any sense.  Having the public computers on a switch by themselves that is uplinked to the RG does nothing.  All switch ports throughout the LAN are identical from a logical subnet standpoint.

 

As I explained in my last post, you do not need secondary NIC cards to accomplish this.  You can multihome (use multiple IP addresses on separate subnets) using only one NIC.

 

Message 20 of 28 (2,530 Views)
Scholar

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


plooger wrote:

dave006 wrote:

 

In your original post you asked about having the services available from all of your local hosts. If you really only want the public IP hosts to see each other and all hosted services then you have to make a small physical change. You would need to put the three (3) hosts on their own LAN segment on a switch and the switch will allow the hosts to communicate directly without traffic going to the RG for local communication.  Just make sure you plug the switch's uplink port into one of the RG's ports.


Simple workaround, thanks.  (Though this separate LAN segment for allowing the public-facing hosts to communicate with each other through their public IPs won't be necessary if we add secondary NICs to each of them to allow communication within the "private" network.)


I think we covered the multiple NIC option back in Post 6 on page 1. This can be very dangerous since if one of your public IP hosts is compromised your entire network is at risk, and error prone as you will have to add metrics to the route tables to get the correct traffic flow over the intended connection and prevent the default routes for a machine from being used in error.  This often causes routing loops and flaky performance because of the ARP caches and local DNS caches on the individual machines when individual devices are restarted.

 

Simple is always the easiest answer for IP routing. Again, do you really need all of the hosts to see all of the services of each computer or is that just a nice to have?

 

Dave

Message 21 of 28 (2,895 Views)
Scholar

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


SomeJoe7777 wrote:

Uh, none of that makes any sense.  Having the public computers on a switch by themselves that is uplinked to the RG does nothing.  All switch ports throughout the LAN are identical from a logical subnet standpoint.

 

As I explained in my last post, you do not need secondary NIC cards to accomplish this.  You can multihome (use multiple IP addresses on separate subnets) using only one NIC.

 


Actually, having the public computers on a switch allows the traffic and all local services (TCP/IP and UDP) to be handled in the switch fabric based on the MAC addresses without the traffic needing to go to the RG. The switch will use its local MAC list to allow port to port communication. Recall that they have a different IP address scheme and a different subnet mask so they would not be on the same logical network or logical subnet as you mentioned. Their IP addresses and net mask are in the /29 routeable net block with a net mask of 255.255.255.248 and not the private 192.168.1.0 /24 network with a net mask of 255.255.255.0. The RG manages the mapping based on the MAC addresses and when it detects a static IP it removes it from the table.

 

The RG's firewall only allows traffic for a public network IP address to be directed to a local LAN device with the same public network IP address. That is, except for traffic sent to the single broadband IP address assigned to the router and shared through NAPT, traffic sent to other specific broadband IP addresses associated with the connection cannot be directed to local LAN devices that may be using private IP addresses.

 

Dave

Message 22 of 28 (2,895 Views)
Expert

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


dave006 wrote:

Actually, having the public computers on a switch allows the traffic and all local services (TCP/IP and UDP) to be handled in the switch fabric based on the MAC addresses without the traffic needing to go to the RG. The switch will use its local MAC list to allow port to port communication. Recall that they have a different IP address scheme and a different subnet mask so they would not be on the same logical network or logical subnet as you mentioned. Their IP addresses and net mask are in the /29 routeable net block with a net mask of 255.255.255.248 and not the private 192.168.1.0 /24 network with a net mask of 255.255.255.0. The RG manages the mapping based on the MAC addresses and when it detects a static IP it removes it from the table.

 

The RG's firewall only allows traffic for a public network IP address to be directed to a local LAN device with the same public network IP address. That is, except for traffic sent to the single broadband IP address assigned to the router and shared through NAPT, traffic sent to other specific broadband IP addresses associated with the connection cannot be directed to local LAN devices that may be using private IP addresses.


 

Yes, you can have the public and private computers communicate with each other directly, based on MAC address.  But you do not need a separate switch for this.  You can plug a private computer into the RG and a public computer into another downstream switch and it will work the exact same way.  Just because the packet traverses the RG's ports does not mean that the packet will be filtered by the firewall.  The 4 ports of the RG are a switch, and if the packet is addressed to another computer on the local LAN by MAC address, the RG's routing logic won't touch it.

 

The manner in which the packets get routed like this is software and configuration dependent, not hardware dependent.  Any computer can communicate with another on the same subnet by sending packets directly using their MAC address, and will by default do so as long as the NIC is configured to be a member of that subnet.

 

This is exactly how it would work in my post above that illustrates the 7 steps necessary to properly configure it.  With this setup, all communication between all computers happens directly, with no involvement from the RG's routing engine.

 

Message Edited by SomeJoe7777 on 04-10-2009 08:20 AM
Message 23 of 28 (2,895 Views)
Scholar

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


SomeJoe7777 wrote:

 

Yes, you can have the public and private computers communicate with each other directly, based on MAC address.  But you do not need a separate switch for this.  You can plug a private computer into the RG and a public computer into another downstream switch and it will work the exact same way.  Just because the packet traverses the RG's ports does not mean that the packet will be filtered by the firewall.  The 4 ports of the RG are a switch, and if the packet is addressed to another computer on the local LAN by MAC address, the RG's routing logic won't touch it.

 

The manner in which the packets get routed like this is software and configuration dependent, not hardware dependent.  Any computer can communicate with another on the same subnet by sending packets directly using their MAC address, and will by default do so as long as the NIC is configured to be a member of that subnet.

 

This is exactly how it would work in my post above that illustrates the 7 steps necessary to properly configure it.  With this setup, all communication between all computers happens directly, with no involvement from the RG's routing engine.

 

Message Edited by SomeJoe7777 on 04-10-2009 08:20 AM

The problem is that the public routeable IPs are not in the same subnet or network as the private IPs. While the switching fabric can see the MACs of all devices, TCP/IP will need ARP and routes to cross the two networks / subnets. This is why the OP is looking at having multiple NICs in the public hosts to allow them to sit on both physical network segments.

 

For the OP's example. He has a /29 Public subnet (5 Public routable IPs) and its mask will be 255.255.255.248.  Let's use a sample network group: 99.100.1.192 to represent the /29 network. In this case the net mask will be 255.255.255.248 with an IP range of 99.100.1.93 - 99.100.1.98 (U-verse wants the RG on the last address); this leaves 5 IPs to be assigned to your hosts.

 

The private non-routable IPs will have a net mask of 255.255.255.0 with a default network of 192.168.1.0 with a range of IPs from 192.168.1.1 - 192.168.1.254 (.254 is the default for the RG).  

 

Now that you have two different networks, you need route statements on both routers, this is where the problem exists. You can't add additional routes in the RG. You have full control if you are using a secondary router like a Cisco Linksys or Netgear. If we had just a little more access in the RG then it would be easy to create static routes and even manage the DNS properly.

 

I also did some additional research and the 2Wire does not support UPnP (OP mentioned it in his initial post) and as I have posted in a couple of threads the 2Wire RG does not like a specific type of VPN as documented in this support document: http://support.2wire.com/?page=view&article=20&text=VPN&cat=&sort=

 

Dave

 

Message 24 of 28 (2,895 Views)
Expert

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


dave006 wrote:

The problem is that the public routeable IPs are not in the same subnet or network as the private IPs. While the switching fabric can see the MACs of all devices, TCP/IP will need ARP and routes to cross the two networks / subnets. This is why the OP is looking at having multiple NICs in the public hosts to allow them to sit on both physical network segments.

 

For the OP's example. He has a /29 Public subnet (5 Public routable IPs) and its mask will be 255.255.255.248.  Let's use a sample network group: 99.100.1.192 to represent the /29 network. In this case the net mask will be 255.255.255.248 with an IP range of 99.100.1.93 - 99.100.1.98 (U-verse wants the RG on the last address); this leaves 5 IPs to be assigned to your hosts.

 

The private non-routable IPs will have a net mask of 255.255.255.0 with a default network of 192.168.1.0 with a range of IPs from 192.168.1.1 - 192.168.1.254 (.254 is the default for the RG).  

 

Now that you have two different networks, you need route statements on both routers, this is where the problem exists. You can't add additional routes in the RG. You have full control if you are using a secondary router like a Cisco Linksys or Netgear. If we had just a little more access in the RG then it would be easy to create static routes and even manage the DNS properly.


 

You are still not understanding my proposed configuration.

 

Let's use your numbers.  Computers A, B, and C are the "public" computers.  They have a public IP in the range 99.100.1.192/29.  Network address (not usable) of 99.100.1.192.  Broadcast address (not usable) of 99.100.1.199.  Usable IPs of 99.100.1.193-198.  RG is going to use 99.100.1.198.  Subnet mask 255.255.255.248 for everyone.  Default gateway of 99.100.1.198 for the 3 computers A, B, and C.  Configure the RG for "Publically Routable Subinterface", use 99.100.1.198 for the router address, 255.255.255.248 for subnet mask.

 

Everything with these computers now works just hunky-dory.

 

Now, add computers D and E.  Configure for DHCP, plug into the same network as computers A, B, and C.  Now computers D and E get an IP address from the RG's DHCP server, they get 192.168.1.75 and 76, with a subnet mask of 255.255.255.0, default gateway of 192.168.1.254 (the RG).

 

Those two computers now work just fine as well.

 

OK, now the problem at this point is that computers A, B, and C can't communicate with D and E, and vice versa because they are on different subnets.  We will fix this by multihoming computers A, B, and C so that all of them have 2 IP addresses, one in the public range and one in the private range.

 

So, on computers A, B, and C, add static IP addresses of 192.168.1.10, .11, and .12, with subnet mask 255.255.255.0, and NO default gateway.

 

Presto, all computers can now communicate with each other with no interference from the RG.  DNS even works when initiating communication from the public computers.  The name is registered in the RG, so on computer A, "ping computerD" works properly, because the RG resolves the name to 192.168.1.75, and computer A sends the packet using ARP by MAC address directly to computer D because they are now part of the same subnet.

 

Initiating a communication from computer D to computer A is a bit different, because "computer A" would resolve to the public IP if the RG answered the DNS query.  This won't work, as computer D would send the packet to the default gateway (the RG).  So we need some type of different DNS resolution for computers D and E where "ping computerA" would cause a resolution to computer A's private IP address of 192.168.1.11.  We can do this with a hosts file, local private DNS, or public configurable service like OpenDNS.

 

Problem totally solved.  No additional router.  No additional routes on the RG.  No additional NIC cards.

 

Message 25 of 28 (2,895 Views)
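The forwarding decision SomeJoe7777 walks through above (and the 7-step procedure earlier in the thread) can be checked with a small model of each host's interfaces and default gateway. This is an added example, not code from the thread or from 2Wire; it uses the sample addresses from the post (99.100.1.192/29 as a stand-in public block, RG at 99.100.1.198 and 192.168.1.254, A at .193, D at 192.168.1.75, A's private address 192.168.1.10 from the step assigning .10/.11/.12 to A/B/C). The names `Host`, `next_hop`, `resolve`, `path_a_to_d` and `path_d_to_a` are hypothetical helpers.

```python
"""Model of where a packet goes on the mixed public /29 + private /24 LAN.

'direct' means the destination is on-link for one of the sender's
addresses: the sender ARPs for its MAC and the frame is switched in the
LAN fabric, so the RG's firewall never sees it.  Anything else is handed
to the default gateway (the RG), where the firewall rules apply.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional, Union

# Sample addresses from the thread (99.100.1.192/29 is a stand-in block).
RG_PUBLIC = IPv4Address("99.100.1.198")
RG_PRIVATE = IPv4Address("192.168.1.254")


@dataclass
class Host:
    name: str
    ifaces: List[IPv4Interface]   # all addresses live on the one NIC
    gateway: Optional[IPv4Address]


def next_hop(src: Host, dst: IPv4Address) -> Union[str, IPv4Address, None]:
    """Return 'direct' if dst is on-link for src, else src's default gateway
    (None means no route at all and the packet is dropped)."""
    for iface in src.ifaces:
        if dst in iface.network:      # same subnet as one of our addresses
            return "direct"
    return src.gateway


def resolve(name: str, hosts_file: dict, rg_dns: dict) -> IPv4Address:
    """Step 6 of the procedure: a hosts-file entry wins over the RG's DNS."""
    return hosts_file.get(name, rg_dns.get(name))


# Step 4: public host A with only its public address and the RG as gateway.
A_BEFORE = Host("computerA", [IPv4Interface("99.100.1.193/29")], RG_PUBLIC)
# Step 5: same NIC, a second (private) address, no second default gateway.
A_AFTER = Host("computerA", [IPv4Interface("99.100.1.193/29"),
                             IPv4Interface("192.168.1.10/24")], RG_PUBLIC)
# Step 3: private host D addressed by the RG's DHCP server.
D = Host("computerD", [IPv4Interface("192.168.1.75/24")], RG_PRIVATE)

# Constructed name tables: what the RG answers, and D's local hosts file.
RG_DNS = {"computerA": IPv4Address("99.100.1.193"),
          "computerD": IPv4Address("192.168.1.75")}
HOSTS_FILE_ON_D = {"computerA": IPv4Address("192.168.1.10")}


def path_a_to_d(multihomed: bool):
    """A -> D: via the RG (firewall) before step 5, direct after it."""
    src = A_AFTER if multihomed else A_BEFORE
    return next_hop(src, RG_DNS["computerD"])


def path_d_to_a(use_hosts_file: bool):
    """D -> A: the RG's DNS answer sends D to its gateway; the hosts-file
    answer (A's private address) makes the path direct."""
    hosts = HOSTS_FILE_ON_D if use_hosts_file else {}
    return next_hop(D, resolve("computerA", hosts, RG_DNS))


if __name__ == "__main__":
    print("A->D, public address only :", path_a_to_d(False))
    print("A->D, multihomed          :", path_a_to_d(True))
    print("D->A, RG DNS answer       :", path_d_to_a(False))
    print("D->A, hosts file on D     :", path_d_to_a(True))
    # Public hosts reach each other on-link in either configuration.
    print("A->B (99.100.1.194)       :", next_hop(A_BEFORE, IPv4Address("99.100.1.194")))
```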
Tutor

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)

Great debate and information guys, thanks.  Taking dave's security warnings into account (i.e. "don't do it!"), Joe's documented "final solution", along with the configuration steps detailed earlier, provide a clear understanding of one way to get the private and public PCs communicating openly.

 

The only variation I'd still consider is the second NIC, although not required, per Joe's solution.  A second NIC for each of the public PCs *could* be beneficial in some instances (e.g. if the primary NIC is only 100MB, but you want Gigabit for the internal, private network -- which would require a separate Gigabit switch for the private network, of course, since the 3800HGV isn't Gigabit).

Message 26 of 28 (2,895 Views)
Expert

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


plooger wrote:

The only variation I'd still consider is the second NIC, although not required, per Joe's solution.  A second NIC for each of the public PCs *could* be beneficial in some instances (e.g. if the primary NIC is only 100MB, but you want Gigabit for the internal, private network -- which would require a separate Gigabit switch for the private network, of course, since the 3800HGV isn't Gigabit).


 

If you want to do gigabit on the internal network, and you have a gigabit switch, then there's no reason to have a 100 Mb NIC. :smileyhappy:

 

I use gigabit throughout my home network, and the gigabit switch is uplinked to the RG (at 100 Mb).

 

A second NIC would be beneficial in a server environment or video editing environment for something like iSCSI SAN or network backup applications.  I've done those before, but not in a home/desktop environment.

 

Message 27 of 28 (2,895 Views)
Tutor

Re: Need help understanding U-verse LAN setup (public & private on 3800HGV)


SomeJoe7777 wrote:

plooger wrote:

The only variation I'd still consider is the second NIC, although not required, per Joe's solution.  A second NIC for each of the public PCs *could* be beneficial in some instances (e.g. if the primary NIC is only 100MB, but you want Gigabit for the internal, private network -- which would require a separate Gigabit switch for the private network, of course, since the 3800HGV isn't Gigabit).


 

If you want to do gigabit on the internal network, and you have a gigabit switch, then there's no reason to have a 100 Mb NIC.

 


Right.  Unless the primary NIC is built-in, in which case there's no reason not to take advantage of it, even after adding the Gigabit NIC card.

Message 28 of 28 (2,895 Views)