Solved

Understanding Routing and Routers

Posted on 2004-08-18
1,815 Views
Last Modified: 2013-11-29
This is related to another question I have pending, but only loosely--I want to better understand what's going on here.

This is a small company--15 workstations.  T1 line, Adtran router, /29 subnet assigned.  
We currently have a server on the private LAN that is listening on both port 25 and 80.  

The Adtran is (apparently) set up to "port forward" these ports to the private IP (192.168.1.2).  It stops doing this after a while (or so it seems).  Rebooting the Adtran fixes the problem.  But they've swapped out the router, and no help.

What I have been asked to do is put a (Linksys) router in between the Adtran and the LAN.  I'm not completely sure of how to configure it, and that's where y'all come in.

Our public dedicated subnet is (something like) 100.100.100.192/29.  I understand this to mean that .192 is our network address, 199 is the broadcast address, and 193 to 198 are assignable.

The DNS for web and email points to the .193 address.  

What I've been told, however, is that when I put the Linksys in the chain, the Adtran will be reconfigured so that its "internal" IP will be .193, and I'll make the Linksys be .194.  I will also have to turn on port forwarding for 25 and 80 on the Linksys, and then modify DNS so that the web and email server are now pointing to the .194 address.

Does this sound right?  Egregiously wrong?

What I don't understand about port forwarding:  the Linksys will only forward port requests for the IP that it's assigned to?  Is that right?  What about the other public IPs in my subnet?  What if (hypothetically) I have 2 web servers: one at 192.168.1.2 and one at 192.168.1.3.  I create two DNS entries, one for 100.100.100.193, and one for 100.100.100.194.  Is it possible to configure the Linksys to forward public .193:80 to .2:80, and .194:80 to .3:80?  

How does  a "static map" differ from port forwarding?  Can I create a static map on a Linksys to accomplish the above?  Or do I need more expensive hardware?  If the Linksys can do it, can I subsequently filter undesired port traffic from the static maps?

Sorry for all the question marks... please help me learn!  Thanks in advance...
Question by:roblinx
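The distinction the question asks about, between per-port forwarding on a router's own address and a "static map" of a spare public address, modelled as an added Python example that is not from this thread. It uses the question's (anonymised) 100.100.100.192/29 and the hypothetical inside hosts 192.168.1.2 and 192.168.1.3; the rule tables, the .195 static map and its port filter are invented for illustration.

```python
"""Added example, not from the original thread: a toy model of the two NAT
styles the question asks about, using the poster's own (anonymised)
100.100.100.192/29 and the hypothetical inside hosts 192.168.1.2/.3.

  port forwarding  - the router answers on ONE public address and maps
                     individual (public port -> inside host, port) entries
  static map / NAT - a whole spare public address is mapped 1:1 to an
                     inside host, every port, optionally narrowed by a filter
"""
import ipaddress

PUBLIC_BLOCK = ipaddress.ip_network("100.100.100.192/29")
# .192 is the network address and .199 the broadcast; neither is assignable.
ASSIGNABLE = frozenset(PUBLIC_BLOCK.hosts())


def usable_hosts(block=PUBLIC_BLOCK):
    """Assignable addresses of a block, network and broadcast excluded."""
    return [str(h) for h in block.hosts()]


# Port-forward table keyed on (public IP the router answers to, port).
# A single-address router only ever has its own WAN address as the key; a
# box that answers to several addresses could key on each of them, which is
# what the question's ".193:80 -> .2, .194:80 -> .3" scenario needs.
PORT_FORWARDS = {
    ("100.100.100.194", 80): ("192.168.1.2", 80),
    ("100.100.100.194", 25): ("192.168.1.3", 25),
}

# Static 1:1 maps (assumed for illustration): public IP -> inside host,
# all ports, no port rewriting.
STATIC_MAPS = {
    "100.100.100.195": "192.168.1.3",
}

# Inbound filter applied on top of a static map: public IP -> allowed ports.
# Without an entry here the mapped host is exposed on every port.
STATIC_MAP_FILTER = {
    "100.100.100.195": {25, 80},
}


def translate_inbound(dst_ip, dst_port, port_forwards=PORT_FORWARDS,
                      static_maps=STATIC_MAPS, static_filter=STATIC_MAP_FILTER):
    """Destination NAT for one inbound packet.

    Returns (inside_ip, inside_port) when a rule matches, else None (dropped).
    Port forwards are consulted first, then static maps with their filter.
    """
    addr = ipaddress.ip_address(dst_ip)
    if addr not in ASSIGNABLE:          # not ours, or network/broadcast address
        return None
    hit = port_forwards.get((dst_ip, dst_port))
    if hit is not None:
        return hit
    inside = static_maps.get(dst_ip)
    if inside is None:
        return None
    allowed = static_filter.get(dst_ip)
    if allowed is not None and dst_port not in allowed:
        return None
    return (inside, dst_port)


if __name__ == "__main__":
    print("assignable:", usable_hosts())
    for ip, port in [("100.100.100.194", 80), ("100.100.100.194", 443),
                     ("100.100.100.195", 25), ("100.100.100.195", 443),
                     ("100.100.100.199", 80)]:
        print(f"{ip}:{port} -> {translate_inbound(ip, port)}")
```

The security point is in the last branch: a port forward exposes exactly the ports you list, whereas a static map exposes every port of the inside host unless a filter is layered on top of it, so a static map should always be paired with an inbound port filter.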
6 Comments
 

Author Comment

by:roblinx
ID: 11836307
The Linksys in question is an off-the-shelf BEFSX41, which is a "Broadband Firewall Router" (with some built-in VPN support, as well).
 
LVL 11

Expert Comment

by:PennGwyn
ID: 11836936
> Our public dedicated subnet is (something like) 100.100.100.192/29.  I understand this to mean that .192 is our network
> address, 199 is the broadcast address, and 193 to 198 are assignable.

Very close.

> The DNS for web and email points to the .193 address.  

This suggests to me, strongly, that the .193 address is assigned to a device at your ISP's end of the T1.  So 194 through 198 are assignable by you.  The .194 address is probably the public address you're currently giving out for everything.

> What I've been told, however, is that when I put the Linksys in the chain, the Adtran will be reconfigured so that
> its "internal" IP will be .193, and I'll make the Linksys be .194.  I will also have to turn on port forwarding for 25 and 80 on
> the Linksys, and then modify DNS so that the web and email server are now pointing to the .194 address.

Nope.  

Currently, the Adtran knows everything on the internal network by its internal (192.168.1.x) address.  The Adtran itself has a 192.168.1.x address on the LAN side, which is the default gateway used by the clients.

Change the LAN-side address of the Adtran to 192.168.2.a/24, and connect it to the WAN-side interface of the LinkSys, configured as 192.168.2.2.  Configure the LAN-side interface of the LinkSys to the 192.168.1.x address currently on the Adtran.
Now you need to add a static route on the Adtran, specifying that 192.168.1.0/24 is reached via 192.168.2.2.  On the LinkSys, add a default route pointing to 192.168.2.1.

None of this should have made any difference to your DNS settings or your port-forwarding config -- or resolved your problem....

Now currently you use a single address for everything, and have six more public IPs that aren't being used.  Just as the Adtran is supposed to be able to forward single specific port numbers to a specific destination, it should also provide "static NAT" to map these remaining public addresses to specific internal hosts such as web and email.
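The two-router layout in the reply above, modelled as an added Python example (not from this thread) with a longest-prefix-match lookup, to show why the Adtran needs the static route for 192.168.1.0/24 once the Linksys sits in front of the LAN. Addresses are the reply's; 192.168.2.1 for the Adtran's LAN side is an assumption (the reply leaves the last octet as "a"), and 203.0.113.9 is a documentation address standing in for "the Internet".

```python
"""Added example, not from the original thread: a longest-prefix-match model
of the two-router layout in the reply above, showing why the Adtran needs a
static route for 192.168.1.0/24 once the Linksys is in front of the LAN.

Addresses are the reply's; 192.168.2.1 for the Adtran's LAN side is an
assumption (the reply leaves the last octet as "a"). The external address
203.0.113.9 is a documentation address used as a stand-in for "the Internet".
"""
import ipaddress

# Routing tables as (prefix, next_hop). "direct" means the prefix is on an
# attached interface; "isp" is the Adtran's serial link to the provider.
ADTRAN_NO_STATIC = [
    ("192.168.2.0/24", "direct"),
    ("0.0.0.0/0", "isp"),
]
ADTRAN_WITH_STATIC = ADTRAN_NO_STATIC + [("192.168.1.0/24", "192.168.2.2")]

LINKSYS = [
    ("192.168.1.0/24", "direct"),
    ("192.168.2.0/24", "direct"),
    ("0.0.0.0/0", "192.168.2.1"),   # default route to the Adtran
]

# Which device owns each next-hop address on the 192.168.2.0/24 link.
OWNER = {"192.168.2.1": "adtran", "192.168.2.2": "linksys"}


def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hop), or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def trace(start, dst, tables, max_hops=8):
    """Follow a packet device by device; the final element says where it ends."""
    path = [start]
    device = start
    for _ in range(max_hops):
        hit = lookup(tables[device], dst)
        if hit is None:
            return path + ["no route: dropped"]
        next_hop = hit[1]
        if next_hop == "direct":
            return path + ["delivered"]
        if next_hop == "isp":
            return path + ["isp"]
        device = OWNER[next_hop]
        path.append(device)
    return path + ["loop"]


def with_static():
    return {"adtran": ADTRAN_WITH_STATIC, "linksys": LINKSYS}


def without_static():
    return {"adtran": ADTRAN_NO_STATIC, "linksys": LINKSYS}


if __name__ == "__main__":
    # Outbound: a LAN client's packet leaves via the Linksys default route.
    print(trace("linksys", "203.0.113.9", with_static()))
    # Return traffic for a LAN host: correct with the static route...
    print(trace("adtran", "192.168.1.50", with_static()))
    # ...sent to the ISP (and lost) without it.
    print(trace("adtran", "192.168.1.50", without_static()))
```

One caveat: the static route matters when the Linksys routes 192.168.1.0/24 without translating it. If the Linksys NATs the LAN behind its 192.168.2.2 address instead (the arrangement the accepted answer ends up with), the Adtran only ever sees 192.168.2.2 as a source and its directly attached 192.168.2.0/24 route already covers the return path.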
 

Author Comment

by:roblinx
ID: 11841958
PennGwyn:  Thank you for your response!  Let me make some replies and counter-questions here:

>> The DNS for web and email points to the .193 address.  
>
>This suggests to me, strongly, that the .193 address is assigned to a device at your ISP's end of the T1.  
>So 194 through 198 are assignable by you.  The .194 address is probably the public address you're currently
>giving out for everything.

Well... this is part of my confusion.  The DNS for mail and web services *definitely* points to the .193 address.
The serial side of the Adtran *was* configured with this same address.  At some point during the debug process
for this problem, though, a tech from the ISP changed the serial-side address of the Adtran to a separate
(completely different) IP address, from a /30 subnet they call our "serial subnet".  Apparently, that includes
our "edge router" (ISP side router) and our "premises router" (the one in our closet).  The change produced no
net effect on the router:  it still works, except for the problem I outlined.

>Change the LAN-side address of the Adtran to 192.168.2.a/24 [...]

Your proposal makes sense as a possibility, but I don't think it's appropriate in this debug process.  We want to
completely remove the forwarding/mapping responsibility from the Adtran--to try to definitively show that this
problem lies with the Adtran, or it doesn't.  The idea, as I understand it, is to give the Linksys a public IP address
from our range, and give the *Linksys* responsibility for the portforwarding/mapping.  

My question (well, one of 'em, anyway) is what address to assign where?  Again, they (the ISP) want to assign
.193 to the LAN side of the Adtran, and .194 to the serial side of the Linksys, and 192.168.1.1 to the LAN side of
the Linksys.  Presumably, I would have to change the DNS entries to point to .194, and set up forwarding for
that address in the Linksys.

Is this proposal way off-base?  Again, I'm not opposed to your suggestion, except that it doesn't address the
problem we're trying to solve.

Thank you for your help!
 

Author Comment

by:roblinx
ID: 11841961
Bumping point value...
 
LVL 2

Accepted Solution

by:
riparius earned 500 total points
ID: 11842100
Actually...since you  need to totally disable the port forwarding and NAT of the Adtran  (since it stops working)  ...You do have it right.  It will simply become your "gateway" address.

Your external address right now (...193) is your gateway address after the ISP reconfigs it  (sounds like they will use one of their private router IP's for the external address and do an internal static route to ..193 )

The Linksys can be your new DHCP server, etc. and behave just like the Adtran has been (without the crash hopefully)  at address ..194 as you stated.  Your external addresses in DNS must be changed to ...194

To get mail and web servers to work....put them behind the Linksys box on a private (192.168.1.x) address and port forward port 80 to the webserver and 25 (and 110 for external POP3 access)  to the mailserver.  They can be different machines.

To use your other addresses, you need another Linksys.  It is a simple router and is not designed to answer to more than one address.   Assign one of your other addresses (real ones) to the additional Linksys.

NOTE:  you don't actually need to have a Linksys at all for the servers...they may be connected directly to a switch behind the Adtran if you have an excellent firewall on them.  Then they will each have a "real" address.  I assume you have some user pc's that need DHCP and net access, and also want the NAT firewall...that is what you gain from the Linksys.

   ..193                 ..194                          192.168.1.x
                                                 +------ server1:80
Adtran ----+---- Linksys ------------------------+------ server2:25
           |                                     +------ users' PCs (DHCP)
           +---- Linksys2 or new server
                 ..195, 6, 7
 

Author Comment

by:roblinx
ID: 11882442
Thanks, Riparius--your answer guided me smoothly through the transition, and we now have the Linksys installed between the Adtran and the network.  