cebu1014

Netopia 3000 bridge to Firewall

This was a working system until the modem got reset. I have established internet connection with the provider by porting a PC through the modem. The sonicwall is still connected but when configuring modem as a bridge I still have problems. The instructions in this link give me no access to the internet through the PC or through the PCs ported through the firewall. Also, I cannot ping the public IP of the modem. I have to reset to get back to square 1.  What may be the steps I need to get it working?

http://apttech.wordpress.com/2009/09/04/how-to-put-a-motorola-netopia-3000-router-in-bridge-mode/ 
kbirecki

Are you on site now?

Is your ISP providing PPoE?
Sorry, I meant is your ISP providing PPPoE?
Here are a couple articles related to Netopia devices, but there are various models of Netopia devices, and there are various versions of software, so verify these things before following these docs for any applicable tips.

http://www.netopia.com/support/hardware/technotes/CQG_020-002.html

The first has a statement:
"An exception to this would be if you have an account from ATT / SBC that uses PPPoE with a fixed block of IP addresses, called "Sticky IP." For this type of account you should be referring to " this second link:

http://www.netopia.com/support/hardware/technotes/CQG_042.html

Also, I seem to recall something from the past prior to having our T1's, I believe I was a DSL circuit, but certainly not T1's, where it was normal to not be able to ping the external interface from within the LAN.  This was due to the nature of the device used to connect to the Internet.  But I don't remember the specifics of the connecting device.  If you have an outside connection to test from, such as another site you can call or a cell phone with network utilities (I use Nete Tools on my Android), you can do a test ping from outside the network.

From within the LAN, can you ping other public IP's but just not the external interface of the Netopia?
cebu1014

ASKER

It is PPPoE.  Netopia 3347 I believe.

In the instructions, in my link provided. It says disable the gateway for the WAN. I tried but to no avail. Is that correct? Maybe I only need to just enable ethernet bridge?
Yes, the Netopia manual says nothing about Disabling Routing.  

I've only seen a few routers where you have to disable routing to bridge them.

http://www.netopia.com/support/hardware/SoftwareUserGuideV761-Clsc.pdf
cebu1014, Ethernet Bridge is the same as Bridge mode, so enabling Ethernet Bridge should be what you want.  You may not need to "disable the gateway".  The link that DIIRE pointed to shows on page 108 info about configuring Ethernet Bridge.  Remember, unless you know you have the exact manual for the exact version of model and firmware, instructions may vary, but the concepts are still the same.  It's just that the designers decided to "improve" one version over another (which may not always be an improvement in the end user's eyes.)
The versions of firmware do vary. The version I had, according to your link, only asks for enabling the bridge. Some reason though the firewall is not accessing the internet through the bridged modem even after the restarting and the modem does have internet.
I am not there at the moment. The firewall needs not to be configured since nothing has changed.

Do you think just unplugging both devices and power up will correct issue?
Still the same issue...

Now...

I can't ping the IP address of the motorola when I bridge (I tried from an external source). When not bridged I can ping.

We have the same setup at another store. Same provider, same firewall, same DSL service, w/static IP setup (although the modem may be older), but I can ping the motorola/netopia modem. That site though is unavailable to me to compare notes.
So at least you verified telco connectivity and have remote access to manage the Netopia.  That's good.

To be honest, I hesitated at saying you shouldn't expect a response from a ping because I wasn't sure.  I think in some cases, some devices in bridged mode essentially become transparent, simply passing all traffic through to their designated internal device.  Maybe that version of the Netopia does.  More likely is that the Netopia has a setting to tell it not to respond to ICMP traffic for security reasons.  But that may be all wrong, so don't take it for granted.  Since your goal is not to be able to ping the Netopia, maybe it's doing its job by passing all traffic to the firewall.  Can you ping the firewall when the Netopia is in bridged mode?

Regarding the other working site, if you can't get access to the devices at the working site directly, could you if you were inside that office?  Could you, for instance, use something like GoToAssist or GoToMeeting to establish a remote session with a computer that is in that office, thus putting you virtually inside the office with access to that equipment?  Maybe that would allow you to compare settings?
Being that these are static IP's. I have 7 available. .xxxxx.0  - .xxxxx.6         .6 for the modem.
It almost seems to me that the other IPs are not freed up where I can have the other IP available to the firewall. I cannot ping the modem from the firewall. The xxx.85 is setup now and before in the firewall in the WAN section with a xxxx.86 NAT entry. I hope that makes sense....

Nothing in the motorola setup I need to configure since I am using the static IP range???
Does it really need to be bridged in this case?? Maybe just disable the DHCP only in the modem and leave everything else alone??
I'm drawing a blank here, but does the netopia have the feature where it can pass all traffic through to one device?  Many do, but they call it different names.  The idea is your firewall would be that one device and it would have an external ip.

Do you need an external ip on the firewall for vpn or something else?  If not, I wouldn't try to put the netopia in bridge mode.

I'll look at the manual when I'm back in front of a computer.
VPN is needed for sonicwall to sonicwall.  I believe the firmware is 7.0 or greater. Right now the carrier broadband card is not available to be to get into the laptop on site. I have WIFI on it that picks up the local network with the ethernet cable plugged directly into the modem. That a way I can access the firewall as well. I will see if I can get in soon with the broadband card.

Thanks
I can't reach the site now to configure. Do you think these are the necessary steps to complete a bridge to a firewall on the LAN side?

http://www.netopia.com/support/hardware/technotes/CQG_015.html
Yes, I think that would be the right steps, if you have firmware version 72, but not 8.x.  That looks like that would be the right process to follow.

Have you tried using a free trial of GoToAssist or GoToMeeting to get access to an internal computer?
Kbirecki

I will give you the points for your excellent assistance.

If I understand the instructions in the link I provided, I put the sonicwall's IP address into the LAN interface. In this case, .85 (one of the public IP's provided by ISP). SEE STEP 5B. Also subnet mask is subnet mask given to me by the ISP.

In the WAN interface, is that the modem IP PUBLIC address?

Finally, the DHCP portion. Server mode should be set to off?
Let me re-read the instructions, but I think something might be mixed up in your plan there.  One moment please.
First, the big picture.  Skip any parts you understand, but I thought this might be helpful.  I'm not a Netopia expert of any kind, but I understand more about where you are in this process.  Sorry it took so long to put this together, I wanted to be thorough.

When you disable NAT, all interfaces on the Netopia, and the externally facing interface of the Sonicwall, all have to have publicly assigned IP's from your ISP.  They must be in one subnet, i.e. a set of IP addresses that are grouped by the subnet mask.  There are many subnet mask calculators online that are very helpful in checking and planning networks.  One that I use is http://www.subnetmask.info.  One other noteworthy point, you mentioned in one of your earlier messages that you have 7 IP's, but that can't be right.  In the world of IP addresses, everything works out evenly, so your useable addresses will be an even number, and your assigned ranges will be two addresses more than your useable range; the beginning IP will be "Network" and the last IP will be the "Broadcast", both of which are unuseable by you directly, but they are used by devices on the subnet.

So your ISP will have assigned a range of IP's, and you mentioned that it starts with x.x.x.0.  Ranges of IP's will include 2, 4, 8, 16, 32, etc. IP's in them.  In your case, it's probably 8.  You didn't mention what your subnet mask is, but based on the assumption that you have about 6 useable, as you mentioned, for the modem, you probably have a total of 8, minus the two you can't use (Network and Broadcast).  So your subnet mask is 255.255.255.248, or in slash notation, /29.

If you go to that site above and plug in the first IP given by your ISP at the top (this would be one less than anything they state as "useable", they usually give both to be clear), leave the Class as Default (these are public IP's, so this is most likely Class A), and select the number of hosts to match what your ISP specified (probably 8) and then click [Calculate].  You'll see all the other relevant fields below filled in.  One to check would be the subnet mask to see that it matches what your ISP specified, and what I assumed here.

So your complete range is probably x.x.x.0 - x.x.x.7, 8 IP's, with a subnet mask of 255.255.255.248, or in slash notation, /29.

Now, for your devices, I think this is what you want:  (The example pictures are inconsistent; they use an IP/subnet mask combination that isn't the same between the two pictures.)


Public Internet -->> (to Netopia)

(to public Internet) <<------ Netopia (N) ------>>
                 (N) WAN            (N) LAN
IP:              x.x.x.6            x.x.x.5
Gateway:         Note 1*
Subnet Mask:     255.255.255.248 for both

(to Netopia) <<-------------- Sonicwall (SW)
                 (SW) WAN           (SW) LAN
IP:              x.x.x.4            192.168.1.1 (assumption)
Gateway:         x.x.x.6            192.168.1.x
Subnet Mask:     255.255.255.248    255.255.255.0 (assumption)

Note 1* - There is normally a Gateway specified for all interfaces.  In your case, I'd expect it to be a Gateway IP provided by your ISP, which is essentially the device at the other end of your connection, on the ISP's side, so you won't see it, of course, but I expect the WAN interface of the Netopia needs it, but I don't see it in the pictures in the document.  So keep an eye out for that, maybe the actual screens are different, or maybe it is on another screen not shown here.

The LAN side of your Sonicwall should be whatever your internal network is, I just wanted to show the complete picture.


To clarify and answer your questions (although out of order), I'm going to cover the configuration steps in that document to confirm what I think you need to do:


Steps 1 & 2 - as documented

Step 3
Yes, DHCP should be disabled.  In Step 3b, it gives you the option either way depending on how you will be using your internal (to the Netopia) network.  In your case, you have (I think) just the one device, the Sonicwall.  And you will be assigning a static IP to that device (the preferred method), so yes, disable DHCP.  Assuming you verify the diagram above, use the LAN IP shown.

Step 4 - as documented

Step 5
Enable the LAN interface and set this to a public IP assigned from the ISP (*not* the IP of the sonicwall, it will get its own IP), and add the subnet mask from your ISP.  Restrictions to "None" as specified.

Step 6 - as documented
Step 7
Enter the WAN interface IP and netmask (assuming you verify them) from the diagram above.

Steps 8-9 - as documented.

Now be *certain* you check and re-check everything before you continue with steps 10 and 11 because if you have a mistaken entry, you could disable your remote access and you *may* have to make a trip there to get access through a console interface.

I still question that the document doesn't explicitly state whether the "Address Mapping (NAT)" disables the WAN IP fields or not, and there is nothing shown for a gateway on the WAN interface picture.  It's normal to have those in all devices I've dealt with.  So this is all standard operating procedure.

Hope this helps!
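
Added example, not part of the original thread: the /29 arithmetic and the one-unique-address-per-interface rule described in the post above, checked with Python's standard ipaddress module. The block 203.0.113.0/29 is a documentation range standing in for the thread's x.x.x.0 range, and the names BLOCK, DIAGRAM_PLAN, REUSED_PLAN, summarize and check_plan are made up for this illustration.

```python
import ipaddress

# Constructed sample data: 203.0.113.0/29 is a documentation range standing in
# for the thread's x.x.x.0 block; interface labels follow the thread's diagram.
BLOCK = "203.0.113.0/29"
DIAGRAM_PLAN = {
    "Netopia WAN": "203.0.113.6",
    "Netopia LAN": "203.0.113.5",
    "Sonicwall WAN": "203.0.113.4",
}
# Same plan, but with the Sonicwall keeping an address the modem also uses.
REUSED_PLAN = {**DIAGRAM_PLAN, "Sonicwall WAN": "203.0.113.5"}


def summarize(block):
    """Return (netmask, total addresses, usable host list) for a CIDR block."""
    net = ipaddress.ip_network(block, strict=True)
    return str(net.netmask), net.num_addresses, [str(h) for h in net.hosts()]


def check_plan(block, plan):
    """Return a list of problems in an interface -> address plan."""
    net = ipaddress.ip_network(block, strict=True)
    problems, seen = [], {}
    for label, text in plan.items():
        addr = ipaddress.ip_address(text)
        if addr not in net:
            problems.append(f"{label}: {addr} is outside {net}")
        elif addr == net.network_address:
            problems.append(f"{label}: {addr} is the network address")
        elif addr == net.broadcast_address:
            problems.append(f"{label}: {addr} is the broadcast address")
        if addr in seen:
            problems.append(f"{label}: {addr} is already used by {seen[addr]}")
        else:
            seen[addr] = label
    return problems


if __name__ == "__main__":
    print(summarize(BLOCK))
    for name, plan in (("diagram", DIAGRAM_PLAN), ("reused", REUSED_PLAN)):
        print(name, check_plan(BLOCK, plan) or "OK")
```

Running the same check against the real ISP block and the addresses already configured on the firewall, before NAT is disabled on the modem, catches a reused or out-of-range address while remote access still works.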
This is excellent. It will be even better if it works!! All good stuff..

In earlier posts, the bridge was discussed. I thought all along, with everything constant, enabling the bridge was all that was needed. Well I have tried that route with no success. Is that still needed in addition to the steps provided in your last post??? or not???


In the LAN interface step of Netopia, I am required to use a public IP that is not used by the sonicwall itself??   The SW already has .5 as the WAN interface and using .6 as NAT.  .5 = our VPN IP in our local office to reach the problem site.

You had .4 as the SW WAN IP. I can't use .5 in both places???

The 7 public IP's was wrong it is .8.  I wasn't including the first IP. It is xxx.248 for the subnet mask.


I cant remote into the network with other internet access means as before so I will have to travel tomorrow.


Thanks



Good, I think you're on the right track.  And I believe that disabling NAT is effectively "bridging" the Netopia.  Like many technologies and many manufacturers, the same concept can have different names.  In this case, according to the manual and what we know you want to do, "disabling NAT" is the same as "bridging".  So I don't think you need to search for or do anything else regarding bridging.  Just disable NAT per those instructions.

Absolutely YES about not re-using the same IP.  I should have said that the IP's I assigned was just one way to do it.  You *DO* need to set each interface to a uniquely assigned IP address.  Since the Sonicwall already has one, just keep it the same.  Just adjust the plan to accommodate each interface having a unique IP, including any VPN configuration.  In my case, I have WatchGuard firewalls with a site-to-site VPN setup and I too have a dedicated IP for the VPN at each end.  That is independent of the published public IP's for things like email, Citrix, etc.  But on the LAN side of the firewall, it is all private IP's.

Does that clear it up?  Good luck tomorrow!
I got it to work. I put in the modem IP on the LAN interface side of modem and disabled NAT on WAN side, disabled DHCP. We have connection on the VPN.

I was able to use a file transfer program, while there, that exchanges sales information to and receives alignment file from our main server in the home office. They can connect to our application server in main office too.

NOW, I cannot ping from our office to that remote site local network. Before, this did work. Therefore no remote into using VNC.

Our VPN in sonicwall says the connection is still active.  

Do you think something to do with disabling NAT on WAN side disallows communication from outside like pinging (nothing was changed on firewall that I know of).... Like I said the file exchange program I used while there at remote site exchanged files to and from the home office.

ASKER CERTIFIED SOLUTION
kbirecki
P.S. See if it has a way to save the configuration and document how to restore the current config so that even someone onsite can do it if necessary.
Excellent. Excellent!