APLawrence - Information and Resources for Unix and Linux Systems, Bloggers and the self-employed
network setup firewall routers





From - Mon Jun 19 06:31:39 2000
Path: news.randori.com!news-feeder2.wcg.net!WCG!cyclone2.usenetserver.com!news-out.usenetserver.com!newsfeed.skycache.com!Cidera!4.1.16.34!cpk-news-hub1.bbnplanet.com!news.gtei.net!firehose.mindspring.com!not-for-mail
From: "Doug Satterfield" <doug@satterfieldusa.com>
Newsgroups: comp.unix.sco.misc
Subject: Re: network setup advice sought
Date: Mon, 19 Jun 2000 01:38:18 -0400
Organization: Satterfield Computer Services
Lines: 204
Message-ID: <8ikc3v$1pl$1@slb7.atl.mindspring.net> 
References: <80q15.8247$yA5.563751@bgtnsc05-news.ops.worldnet.att.net> <pmncks8kot69nctru8g9h75jnve6421a82@4ax.com> <8i9dbr$uja$1@slb1.atl.mindspring.net> <otvgkskr55l8nmkpcgr03cp812ks3guurb@4ax.com> <8iai8b$eag$1@slb3.atl.mindspring.net> <kn1iksg2r4nsoduija3jtksbi4cem0kpmf@4ax.com> 
Reply-To: "Doug Satterfield" <doug@satterfieldusa.com>
NNTP-Posting-Host: a5.f7.d5.a4
X-Server-Date: 19 Jun 2000 05:46:39 GMT
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.00.0810.800
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.0810.800
Xref: news.randori.com comp.unix.sco.misc:61952
X-Mozilla-Status: 8010
X-Mozilla-Status2: 00000000


Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote in message
news:kn1iksg2r4nsoduija3jtksbi4cem0kpmf@4ax.com...
>On Thu, 15 Jun 2000 08:22:39 -0400, "Doug Satterfield"
><doug@satterfieldusa.com> wrote:
>
>>OSR 5.0.5a, (10.0.0.5) NT Terminal Server, (10.0.0.2) 15 PC's on LAN static
>>IP addresses 10.0.0.10 - 25).
>>Main router at host site (10.0.0.1).
>>2 (remote sites on frame relay connection, 56K data lines working fine
>>couple of PC's each. Net IP 172.16.110.X, 172.16.120.X
>>I want to install high speed internet access at the host site and have all 3
>>locations use it for Internet access and mail.
>>In the remote routers I will set a default route to the Internet router (be
>>it true router, or OSR 5 with NAT & IPfilter)
>
>Drivel:  I'll spare you my comments about using two different
>non-routeable blocks of IP addresses.  There's no reason the remote
>sites couldn't have shared the 10.x.x.x block.



I know, long story, another day.

>Plan A:  OSR5 box acts as router, firewall, NAT, DHCP client.
>Add 2nd NIC to OSR5 box.  Install TLS709 for DHCP, TLS711 for NAT and
>IPFilters.  Phone company installs a brain dead DSL modem/bridge which
>connects to 2nd NIC.  DHCP client gets IP address from telco ISP.  NAT
>translates this one IP address to the 10.0.0.xxx Class C IP block on
>the first NIC.  IPFilters controls traffic between the two NIC's.
>
>Plan B:  External hardware router, firewall, NAT, DHCP client.
>OSR5 box does nothing unusual and requires no added software or NIC.
>Customer purchases overpriced Cisco router or cheap junk ethernet
>router (Netgear, Linksys, D-Link, Netopia, etc).  Telco supplies brain
>dead DSL modem/bridge.  All router, firewall, NAT, DHCP, etc functions
>are resident in the hardware router.  This may be required if DSL
>service provider delivers dynamic IP address via PPPoE as OSR5
>currently does not have a PPPoE dialer while most cheap junk ethernet
>hardware routers have this feature.

Got It.  I don't know the brand of router yet, but I will find out.

>Methinks you might want to do some reading on available technology,
>hardware, topology, and DSL offerings.  There are lots of options and
>complications.  For example, you *MUST* increase the IP maximum
>receive window on all your internal boxes to 32768 (from 4K or 4K),
>including your OSR5 box, or you will get rotten download performance.
>
>Navas Cable Modem/DSL Tuning Guide
>  http://Cable-DSL.home.att.net/
>DLSReports
>  http://www.dslreports.com

I could not agree more.  I hope I am not the only person trying to make
sense of this stuff.

>>In my case the Telephone company can install a ADSL modem and a router if
>>desired.  I am trying to decide which would be the best approach.  I don't
>>know yet if they support NAT on their router.
>
>ALL modern routers support NAT.  If it really routes (i.e. inspects
>packet headers) then it can do NAT.  Get the model numbers they offer
>to be sure.



OK

>There are routers with built in modems (Cayman 3220H).  The local
>telcos will supply only the modem for free and want extra $$$ for the
>combo router+modem boxes.  I'm partial to separating the functions in
>two boxes because:
>1.  PacHell delivers 5 IP addresses to me via a single ADSL line.
>2.  Each of the 5 IP's go to 5 different routers and 5 different
>companies.  Each company/router gets its own IP.
>
>This cannot be done with an integrated router/modem.  It's also
>proscribed by some of the "personal" DSL services.  I can supply
>details on this derangement if you're interested.  I would go with
>the external modem and separate router for flexibility reasons.

Telco installs a DSL modem and a separate router.  I would like the details.
I support several offices in the same building and it sounds like something
I should be looking into.

>>I understand that.  A 2nd NIC is required if the OSR box is the router.  If
>>the true router has no firewall and I want to use it anyway, can the OSR box
>>still provide the IP filtering?
>
>Let me make my life easy.  No way in hell should you be using two
>routers.  Either OSR5 or external hardware does the routing, not
>both.  The only justification for having two routers is to build a DMZ
>(demilitarized zone) system, where a dedicated mail server and
>possibly a bastion host sits exposed in the DMZ, while your internal
>LAN is hidden by the 2nd router.  This is the recommended high
>security method for large companies.  Often the 2nd router is also a
>proxy server offering yet another level of security and complexity.
>In this case, methinks you can always add complexity at a later date.
>Keep it simple for now, and just have one router.

I am leaning towards SCO as the router.  It keeps it alive instead of being
replaced totally by NT.

>You will not find a "true router" that does not also support NAT and
>some kind of firewall.  The firewall may be incredibly crude as in the
>Linksys and D-Link products, but it is quite effective.  Once you have
>NAT enabled somewhere, that box needs to "sniff" the packet payload
>for certain protocols to function.  Sniffing ftp is universal, but
>some of the goofier protocols (H.323, netmeeting, ICQ chat, real
>audio, certain games) that open random IP socket numbers and carry IP
>addresses in the data stream instead of the header, require embedded
>NAT support.  For a list of potential problem applications, see:
>  http://cco.cicaldera.com/warp/public/701/60.html#HDT3
>Note that Cisco correctly distinguishes between NAT (network address
>translation) and PAT (port address translation).  TLS711 and all of
>the cheap routers actually do PAT.  Go through the list of problem
>applications and see if any apply.
>
>I bet you thought this was gonna be simple?

Nothing is ever simple and everything takes longer than anticipated.

>>If I connect the OSR box directly to the DSL modem then my system becomes
>>the router.  If the Telephone Co uses DHCP to assign an IP, (which they do),
>>my 1st NIC for the internal LAN uses a static IP (10.0.0.5).  The NIC
>>attached to the DSL modem would use the DHCP client.  On OSR 5.0.5, is this
>>do-able?  I have set up other systems with a PPP dialup connection to their
>>ISP and used NAT and it works well.  I assume this is the same concept but
>>different.
>
>Yep.  This is a good description of Plan A.  Basically, OSR5 does
>everything.  As long as you either have a fixed IP, or a DHCP
>delivered IP, this will work.  No PPPoE support yet.  Methinks the
>term "modem" is a bit confusing.  DSL modems are essentially brain
>dead.  There's some intelligence about setting up PVCs (permanent
>virtual circuits) and ATM bridging, but that's all set and forget.  All
>the modem really does is do the modulation/demodulation on the phone
>line, and deliver an ethernet (IP over ATM) connection.  It's not like
>the traditional dialup modems which require an ordeal process to
>function.  The better modems provide line quality statistics and SNMP,
>but those can be ignored.  Think of it as the phone company supplying
>you an ethernet jack, which belches whatever the DSLAM at the switch
>decides is appropriate.  Unfortunately, with PPPoE, we return to the
>good olde daze of dialup and actually "dial" the ISP with DSL.  See:
>  http://www.carricksolutions.com/pppoe.htm
>for why I hate PPPoE.  Avoid if possible.

I don't have PPPoE.

>>I was informed that I would need a static IP.
>
>Static IP's make life MUCH simpler.  If you can afford it, do it.
>
>>If the IP is dynamic, how do
>>you know how to telnet into it?
>
>1.  Use a dynamic DNS service.   http://www.dyndns.com
>2.  Every time your DSL connects, ftp a file with your IP address to a
>known location on the net.  Users read the file, and use that IP
>address.  I do this with my dialup connections.
>3.  Port scan the block of IP addresses likely to be your server.
>This is a great way to make yourself unpopular with your ISP and other
>users.  It's also a violation of most terms-o-service.  But, it works.
>4.  Bring up your link at least once during the DHCP lease time.  This
>is called IP hogging.  Essentially, you're extending your lease time.
>Most of the local DHCP driven DSL ISP have 3 day leases.  One of my
>users on DHCP has had the same IP for about 6 months.
>5.  Find someone that's running a Dynamic DNS (DDNS) server on the net
>and pay them to host your continuously changing DNS record.  This only
>works marginally because the ISP's DNS caches are often not flushed or
>updated for days.

Sounds like a cron job.

>>I'm trying.  Right now I want to understand the theory.  Until I have
>>actually suffered thru the 1st install it is all a bit cloudy.  Before I can
>>propose this to my client, I have to understand it.
>
>Yeah, I know the feeling.  That which I do not understand, usually
>turns around and bites me.
>
>--
>Jeff Liebermann   jeffl@comix.santa-cruz.ca.us
>150 Felker St #D  Santa Cruz CA  95060
>831-421-6491 pager   831-429-1240 fax
>http://www.cruzio.com/~jeffl/sco/   SCO stuff

Jeff, Thanks a million.  I feel I have enough confidence to jump into this
and see how well it flies.  I have been working with nat and ipfilter on the
ppp0 and DSL seems to be the same thing only different.

Doug Satterfield doug@satterfieldusa.com
Satterfield Computer Services
PO Box 488
White Rock, Sc 29177
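Jeff's point in the quoted text, that a NAT box must "sniff" the payload of certain protocols and that the cheap routers (and TLS711) really do PAT rather than one-to-one NAT, is easiest to see with active-mode FTP. The client announces its own IP address and a listening port inside the PORT command; a translator that rewrites only the IP and TCP headers leaves the private 10.0.0.x address in the payload, so the server's data connection back to it goes nowhere. The following toy PAT box with an FTP application-layer gateway is an added example and is not code from the original post, from TLS711 or from any router mentioned; the addresses (10.0.0.12 inside, 203.0.113.5 as the one public address from the ISP, 198.51.100.7 as the FTP server) and the hypothetical `PatBox` class are constructed for illustration.

```python
"""Toy PAT (port address translation) box with an FTP PORT-command gateway.

Added example, not code from the original post. Addresses and the PatBox
class are constructed for illustration; real translators work on raw
packets, this one works on a small Packet record.
"""
import re
from dataclasses import dataclass

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2\r\n" where port = p1*256 + p2.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class PatBox:
    """Many private hosts share one public IP, told apart by public port.

    (One-to-one NAT, as Cisco uses the term, would give every inside host
    its own public address and would not need the port multiplexing.)
    """

    def __init__(self, public_ip, first_port=10000):
        self.public_ip = public_ip
        self._next_port = first_port
        self.out = {}    # (priv_ip, priv_port) -> pub_port
        self.back = {}   # pub_port -> (priv_ip, priv_port)

    def _bind(self, priv_ip, priv_port):
        key = (priv_ip, priv_port)
        if key not in self.out:
            pub_port = self._next_port
            self._next_port += 1
            self.out[key] = pub_port
            self.back[pub_port] = key
        return self.out[key]

    def outbound(self, pkt):
        """Inside -> Internet: rewrite source, and fix FTP control payload."""
        pub_port = self._bind(pkt.src, pkt.sport)
        payload = pkt.payload
        if pkt.dport == 21:           # FTP control channel needs the gateway
            payload = self._fix_port_command(pkt.src, payload)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, payload)

    def inbound(self, pkt):
        """Internet -> inside: only ports we mapped get through; the rest is
        dropped, which is the "crude but effective" firewall Jeff mentions."""
        if pkt.dst != self.public_ip or pkt.dport not in self.back:
            return None
        priv_ip, priv_port = self.back[pkt.dport]
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port, pkt.payload)

    def _fix_port_command(self, priv_ip, payload):
        m = PORT_RE.match(payload)
        if not m:
            return payload
        h = [int(x) for x in m.groups()]
        inside_ip = ".".join(map(str, h[:4]))
        inside_port = h[4] * 256 + h[5]
        # Only honour an address that matches the packet's real source, so a
        # client cannot open mappings for other hosts by lying in the payload.
        if inside_ip != priv_ip:
            return payload
        pub_port = self._bind(priv_ip, inside_port)   # pre-open the return path
        ip_part = self.public_ip.replace(".", ",")
        return f"PORT {ip_part},{pub_port // 256},{pub_port % 256}\r\n".encode()


def naive_outbound(public_ip, pkt, pub_port):
    """Header-only rewrite: what happens without FTP support in the NAT."""
    return Packet(public_ip, pub_port, pkt.dst, pkt.dport, pkt.payload)


def demo():
    box = PatBox("203.0.113.5")
    client, server = "10.0.0.12", "198.51.100.7"
    ctl = box.outbound(Packet(client, 3456, server, 21, b"USER anonymous\r\n"))
    # Client listens on 10.0.0.12:3466 (13*256 + 138) and announces it.
    raw = Packet(client, 3456, server, 21, b"PORT 10,0,0,12,13,138\r\n")
    broken = naive_outbound(box.public_ip, raw, ctl.sport)   # still says 10.0.0.12
    fixed = box.outbound(raw)                                # now says 203.0.113.5
    fields = [int(x) for x in fixed.payload.strip()[5:].split(b",")]
    announced_port = fields[4] * 256 + fields[5]
    # Server opens the data connection from port 20 to the announced endpoint.
    data = box.inbound(Packet(server, 20, box.public_ip, announced_port))
    # An unsolicited probe to an unmapped port is dropped.
    probe = box.inbound(Packet("192.0.2.99", 4444, box.public_ip, 23))
    return ctl, broken, fixed, data, probe


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The same idea applies to the other protocols on Jeff's list: anything that carries an address or port in its data stream needs protocol-specific code in the translator, which is exactly the gap ipnat's `proxy port ftp` style helpers fill on the OSR5 side and the "embedded NAT support" fills on a hardware router.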

/Bofcusm/412.html copyright 1997-2004 (various authors) All Rights Reserved