roblinx

Understanding Routing and Routers

This is related to another question I have pending, but only loosely--I want to better understand what's going on here.

This is a small company--15 workstations.  T1 line, Adtran router, /29 subnet assigned.  
We currently have a server on the private LAN that is listening on both port 25 and 80.  

The Adtran is (apparently) set up to "port forward" these ports to the private IP (192.168.1.2).  It stops doing this after a while (or so it seems).  Rebooting the Adtran fixes the problem.  But they've swapped out the router, and no help.

What I have been asked to do is put a (Linksys) router in between the Adtran and the LAN.  I'm not completely sure of how to configure it, and that's where y'all come in.

Our public dedicated subnet is (something like) 100.100.100.192/29.  I understand this to mean that .192 is our network address, 199 is the broadcast address, and 193 to 198 are assignable.

The DNS for web and email points to the .193 address.  

What I've been told, however, is that when I put the Linksys in the chain, the Adtran will be reconfigured so that its "internal" IP will be .193, and I'll make the Linksys be .194.  I will also have to turn on port forwarding for 25 and 80 on the Linksys, and then modify DNS so that the web and email server are now pointing to the .194 address.

Does this sound right?  Egregiously wrong?

What I don't understand about port forwarding:  the Linksys will only forward port requests for the IP that it's assigned to?  Is that right?  What about the other public IPs in my subnet?  What if (hypothetically) I have 2 web servers: one at 192.168.1.2 and one at 192.168.1.3.  I create two DNS entries, one for 100.100.100.193, and one for 100.100.100.194.  Is it possible to configure the Linksys to forward public .193:80 to .2:80, and .194:80 to .3:80?  

How does  a "static map" differ from port forwarding?  Can I create a static map on a Linksys to accomplish the above?  Or do I need more expensive hardware?  If the Linksys can do it, can I subsequently filter undesired port traffic from the static maps?

Sorry for all the question marks... please help me learn!  Thanks in advance...

roblinx

ASKER

The Linksys in question is an off-the-shelf BEFSX41, which is a "Broadband Firewall Router" (with some built-in VPN support, as well).

> Our public dedicated subnet is (something like) 100.100.100.192/29.  I understand this to mean that .192 is our network
> address, 199 is the broadcast address, and 193 to 198 are assignable.

Very close.

> The DNS for web and email points to the .193 address.  

This suggests to me, strongly, that the .193 address is assigned to a device at your ISP's end of the T1.  So 194 through 198 are assignable by you.  The .194 address is probably the public address you're currently giving out for everything.

> What I've been told, however, is that when I put the Linksys in the chain, the Adtran will be reconfigured so that
> its "internal" IP will be .193, and I'll make the Linksys be .194.  I will also have to turn on port forwarding for 25 and 80 on
> the Linksys, and then modify DNS so that the web and email server are now pointing to the .194 address.

Nope.  

Currently, the Adtran knows everything on the internal network by its internal (192.168.1.x) address.  The Adtran itself has a 192.168.1.x address on the LAN side, which is the default gateway used by the clients.

Change the LAN-side address of the Adtran to 192.168.2.a/24, and connect it to the WAN-side interface of the LinkSys, configured as 192.168.2.2.  Configure the LAN-side interface of the LinkSys to the 192.168.1.x address currently on the Adtran.
Now you need to add a static route on the Adtran, specifying that 192.168.1.0/24 is reached via 192.168.2.2.  On the LinkSys, add a default route pointing to 192.168.2.1.

None of this should have made any difference to your DNS settings or your port-forwarding config -- or resolved your problem....

Now currently you use a single address for everything, and have six more public IPs that aren't being used.  Just as the Adtran is supposed to be able to forward single specific port numbers to a specific destination, it should also provide "static NAT" to map these remaining public addresses to specific internal hosts such as web and email.
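
The difference between per-port forwarding and a static (one-to-one) map raised in this exchange, as an added example that is not part of the original thread and models no vendor's configuration syntax. The class and function names are hypothetical, the public addresses are the thread's "something like" values, and the internal hosts 192.168.1.4 and 192.168.1.5 are constructed for illustration.

```python
import ipaddress

# Addresses follow the thread's "something like" /29; all names here are
# hypothetical and do not correspond to any router's real configuration.
PUBLIC_NET = ipaddress.ip_network("100.100.100.192/29")

def describe(net):
    """Return (network address, broadcast address, assignable hosts)."""
    return (str(net.network_address), str(net.broadcast_address),
            [str(h) for h in net.hosts()])

class InboundNat:
    def __init__(self, public_net):
        self.assignable = set(describe(public_net)[2])
        self.forwards = {}   # (public_ip, port) -> (private_ip, port)
        self.static = {}     # public_ip -> private_ip, every port
        self.allow = {}      # public_ip -> ports permitted through a static map

    def _require_assignable(self, public_ip):
        if public_ip not in self.assignable:
            raise ValueError(f"{public_ip} is not an assignable address")

    def port_forward(self, public_ip, port, private_ip):
        self._require_assignable(public_ip)
        self.forwards[(public_ip, port)] = (private_ip, port)

    def static_map(self, public_ip, private_ip, allow_ports=None):
        self._require_assignable(public_ip)
        self.static[public_ip] = private_ip
        if allow_ports is not None:
            self.allow[public_ip] = set(allow_ports)

    def translate(self, public_ip, port):
        """Where an inbound packet is delivered, or None if it is dropped."""
        if (public_ip, port) in self.forwards:
            return self.forwards[(public_ip, port)]
        if public_ip in self.static:
            allowed = self.allow.get(public_ip)
            if allowed is None or port in allowed:
                return (self.static[public_ip], port)
        return None

def exposed(nat, public_ip, ports):
    """Ports on public_ip that reach an internal host."""
    return [p for p in ports if nat.translate(public_ip, p) is not None]

def build_example():
    nat = InboundNat(PUBLIC_NET)
    nat.port_forward("100.100.100.193", 80, "192.168.1.2")  # per-port rule
    nat.port_forward("100.100.100.194", 80, "192.168.1.3")
    nat.static_map("100.100.100.195", "192.168.1.4")        # unfiltered 1:1 map
    nat.static_map("100.100.100.196", "192.168.1.5", allow_ports=[25, 80])
    return nat
```

Calling `exposed()` on the unfiltered static map returns every port probed, while the filtered map returns only the allowed ones, which is the reason to pair a static map with an inbound filter.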

roblinx

ASKER

PennGwyn:  Thank you for your response!  Let me make some replies and counter-questions here:

>> The DNS for web and email points to the .193 address.  
>
>This suggests to me, strongly, that the .193 address is assigned to a device at your ISP's end of the T1.  
>So 194 through 198 are assignable by you.  The .194 address is probably the public address you're currently
>giving out for everything.

Well... this is part of my confusion.  The DNS for mail and web services *definitely* points to the .193 address.
The serial side of the Adtran *was* configured with this same address.  At some point during the debug process
for this problem, though, a tech from the ISP changed the serial-side address of the Adtran to a separate
(completely different) IP address, from a /30 subnet they call our "serial subnet".  Apparently, that includes
our "edge router" (ISP side router) and our "premises router" (the one in our closet).  The change produced no
net effect on the router:  it still works, except for the problem I outlined.

>Change the LAN-side address of the Adtran to 192.168.2.a/24 [...]

Your proposal makes sense as a possibility, but I don't think it's appropriate in this debug process.  We want to
completely remove the forwarding/mapping responsibility from the Adtran--to try to definitively show that this
problem lies with the Adtran, or it doesn't.  The idea, as I understand it, is to give the Linksys a public IP address
from our range, and give the *Linksys* responsibility for the portforwarding/mapping.  

My question (well, one of 'em, anyway) is what address to assign where?  Again, they (the ISP) want to assign
.193 to the LAN side of the Adtran, and .194 to the serial side of the Linksys, and 192.168.1.1 to the LAN side of
the Linksys.  Presumably, I would have to change the DNS entries to point to .194, and set up forwarding for
that address in the Linksys.

Is this proposal way off-base?  Again, I'm not opposed to your suggestion, except that it doesn't address the
problem we're trying to solve.

Thank you for your help!

roblinx

ASKER

Bumping point value...
ASKER CERTIFIED SOLUTION
riparius

roblinx

ASKER

Thanks, Riparius--your answer guided me smoothly through the transition, and we now have the Linksys installed between the Adtran and the network.