Anyone even peripherally involved with computers agrees that object-oriented programming (OOP) is the wave of the future. Maybe one in 50 of them has actually tried to use OOP – which has a lot to do with its popularity (Steve Steinberg)
There are only two things wrong with C++: The initial concept and the implementation. (Bertrand Meyer)
Technophobes take warning: we're going to dive in to the bits a little more deeply than usual. I apologize for that and promise that I will try to avoid giving anyone a lasting headache, but there is just no way to explain this without some binary visualization.
This starts with a surprise. I was visiting a growing company to talk to them about installing Kerio Control appliance routers at each of their three locations. We had wrapped up all of the details of what they needed and how much it would cost. It was now time for me to go look at their physical infrastructure to see where I'd put the main office router.
The surprise was that I found a Verizon FIOS MI424WR router in their wiring closet. That's exactly the same router I have in my house and I was shocked to see it deployed in a business. It's a router that provides NAT Internet access for computers, but it also carries the IP traffic for Verizon STBs (television set top boxes).
Why was it here? Well, for the same reason I have it in my house: the owner wants Verizon FIOS TV in his office. That router gives him that.
Unfortunately, seeing that drained the blood from my face. I stammered something like "This isn't going to work" and everyone looked at me with surprise. Why was I so upset?
A bridge to nowhere
When you come in with a new router and there is already something in place, you have two choices: rip and replace, or bridge.
Rip and replace is the preferred path: just unplug whatever is there and replace it. Simple. Unfortunately, I knew that doing that would kill some of the TV functionality: Video on Demand and channel guide information. That traffic is IP, and it has to go through the Verizon router because it reaches the STBs over the coax (MoCA) side of that router, not over the Ethernet LAN. So I can't rip out the Verizon router.
Bridging is the other option. This is a mode available on some routers that tells it to be "transparent" - basically do whatever it is you need to do but pass everything on through to another router. That's often an option on so-called DSL modem/routers - the bridging option lets it continue translating the DSL signal but pass the routing function elsewhere. Unfortunately, that's not possible here. As the manufacturer of the router explains:
Can I Bridge the Actiontec MI424WR router that Verizon provided, when I signed up for FiOS service?
The MI424WR does not have a bridging option, and neither Verizon nor Actiontec support attempting to bridge it.
The desire to bridge the MI424WR is based on a misunderstanding that it is a modem as well as a router. Actiontec does produce DSL Modem/Routers that have a Transparent-Bridging option, which bypasses or disables the router function and allows the Modem/Router to act simply as a DSL modem when it is enabled. Many consumers do not realize that with FiOS, the ONT (typically outside the home) is the device that handles changing the FiOS signal from Fiber to either Ethernet or Coax, and that the Router is just a Router, and if it was bridged or bypassed, it would be a device without a function.
For most Verizon FiOS customers, their service would completely stop if the MI424WR was bridged, because the Video on Demand service is dependent on it to work.
That's why I was upset. I explained this to the customer. He insisted upon calling Verizon to verify my statements and soon I found myself talking to a Verizon tech who insisted that I was wrong.
Well, not entirely wrong. He agreed that the device could not be bridged, but insisted that I could put the Verizon router into a DMZ if the customer would pay for a block of five IP addresses.
Right here is where we have to get a little geeky. What the Verizon tech suggested was that I'd give one public IP to the Verizon router and let it have that for the TV's. I'd use one of the other IP's on my box and we'd have a working system.
That made sense. I knew I was in trouble with just one IP, but with more addresses, we could create a DMZ.
I have to branch off for a moment here. Trust me, this diversion will eventually help us understand the larger problem.
Pretend that the Verizon router was not a router. Think of it as a computer instead; a computer with a public IP address and another network card that has a private IP. That's actually what it is, of course, so it shouldn't be too hard to visualize that.
What do you do when you have a computer that needs a public IP? You have two choices, actually: it can sit fully exposed to the Internet or it can be protected behind a firewall. Both scenarios loosely come under the definition of DMZ, though purists will insist that "fully exposed" should not use the DMZ acronym in any context.
The Kerio firewall is quite capable of handling a protected DMZ and that would be how I would want to configure it. When I heard "five IP addresses", that configuration was what my mind jumped to.
Why? Because that's what I wanted. I didn't want anyone to be able to plug into the Verizon router or use its wireless and get Internet access without passing through the Kerio firewall. The whole point of Control is, after all, to CONTROL TRAFFIC. So that's where my brain went.
Looking at the bits
The clue here was the five IP addresses. It's really six, but one of them will be the gateway, so the customer gets five that he can use. Verizon is going to give him these addresses as a subnet. They'll tell him the subnet mask to use, and for five usable IPs that mask will be 255.255.255.248. There's another way to express that, however: we could also say that it's a /29 subnet. I really recommend that you think of subnets that way, because it will help you understand more easily. For reference, use this ("bits for you" is the number of host bits, the low-order bits left over after the mask):
255.255.255.252 = /30 or 2 bits for you, 4 addresses, 2 usable.
255.255.255.248 = /29 or 3 bits for you, 8 addresses, 6 usable.
255.255.255.240 = /28 or 4 bits for you, 16 addresses, 14 usable.
255.255.255.224 = /27 or 5 bits for you, 32 addresses, 30 usable.
255.255.255.192 = /26 or 6 bits for you, 64 addresses, 62 usable.
255.255.255.128 = /25 or 7 bits for you, 128 addresses, 126 usable.
255.255.255.0 = /24 or 8 bits for you, 256 addresses, 254 usable.
It's the "bits for you" part that is critically important here. Three bits only gives eight values - 0 to 7. As zero (all host bits off) is how we refer to the subnet itself and 7 (all host bits on) has to be the broadcast, that leaves six addresses available. One of those has to be the gateway, so now we're down to five. Get that firmly in your head before we move on.
Verizon has a much larger network, of course. They carve their network up into blocks like this for their customers. Home users get a /30, which gives them one and only one address: 2 host bits, which is four possible addresses, two of which are usable; one of those becomes the gateway, and that leaves one for the customer's router.
Remember that routers choose routes based on bits. When a Verizon router out in the Internet somewhere sees a destination address whose leading bits match the bits assigned to you, it moves those packets toward you. That recognition of bits and forwarding to the right place is exactly what I'd want to do to create a DMZ.
Let's say Verizon gave him 192.0.2.8/29 (they didn't; that's a placeholder block from the documentation range, but we have to use something to see this). That block runs from 192.0.2.8, the network address, to 192.0.2.15, the broadcast.
Assuming Verizon used 192.0.2.9 as its gateway for the /29 subnet, we'd use 192.0.2.10 as the Kerio public IP and put 192.0.2.12 on the Verizon router's WAN port. 192.0.2.11 would be put on port 2 of the Kerio and would be the gateway for the Verizon router.
The physical hookup moves the WAN cable from the Verizon router to the Kerio WAN port, and port 2 on the Kerio plugs into the Verizon WAN port. That's a protected DMZ - everything has to flow through Kerio Control.
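To make the subnet arithmetic in the table above and the address plan in the last few paragraphs concrete, here is an added example. It is not from the original post and is not Kerio's or Verizon's code; it uses only Python's standard ipaddress module. The block 192.0.2.8/29 and every address in PLAN are constructed placeholders from the RFC 5737 documentation range, and the role names (isp_gateway, fw_wan, fw_dmz, dmz_host) are this example's own. Besides reproducing the "bits for you" numbers for any mask, it checks a plan for addresses outside the block, for the network or broadcast address, and for duplicates, and it warns about the one thing a plan like this silently depends on: when the DMZ host's address comes from the same on-link block as the firewall's WAN address, the provider's gateway will ARP for that address on the WAN segment, so the firewall has to answer for it (proxy ARP) or the provider has to route the block to the firewall rather than treat it as directly connected.

```python
import ipaddress


def describe(cidr):
    """Numbers behind one IPv4 block given as "a.b.c.d/N" or "a.b.c.d/mask".

    "host_bits" is the "bits for you" column of the table above;
    "customer_usable" subtracts the one usable address the provider keeps
    for its gateway.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("expected an IPv4 block of /30 or larger")
    host_bits = net.max_prefixlen - net.prefixlen
    usable = net.num_addresses - 2            # drop network and broadcast
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "host_bits": host_bits,
        "addresses": net.num_addresses,       # always 2 ** host_bits
        "broadcast": str(net.broadcast_address),
        "usable": usable,
        "customer_usable": usable - 1,        # provider gateway takes one
    }


def mask_to_prefix(dotted_mask):
    """255.255.255.248 -> 29, letting ipaddress validate the mask."""
    return ipaddress.ip_network(f"0.0.0.0/{dotted_mask}").prefixlen


def check_plan(cidr, roles):
    """Check an address plan drawn from one block.

    roles maps a role name to an address. Returns (errors, warnings):
    errors make the plan unusable; warnings name what the firewall must
    provide for the plan to work at all.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    errors, warnings, used = [], [], {}
    for role, text in roles.items():
        addr = ipaddress.ip_address(text)
        if addr not in net:
            errors.append(f"{role} {addr} is not inside {net}")
            continue
        if addr in (net.network_address, net.broadcast_address):
            errors.append(f"{role} {addr} is the network or broadcast address of {net}")
        if addr in used:
            errors.append(f"{role} and {used[addr]} both use {addr}")
        used[addr] = role
    if not errors and {"fw_wan", "fw_dmz", "dmz_host"}.issubset(roles):
        warnings.append(
            f"fw_wan, fw_dmz and dmz_host all come from the one on-link block {net}: "
            "the provider gateway will ARP for dmz_host on the WAN segment, so the "
            "firewall must answer for it (proxy ARP) or the provider must route the "
            "block to fw_wan instead of treating it as directly connected")
    return errors, warnings


# Constructed placeholder plan (RFC 5737 documentation addresses, not real ones).
BLOCK = "192.0.2.8/29"
PLAN = {
    "isp_gateway": "192.0.2.9",   # Verizon's end of the /29
    "fw_wan": "192.0.2.10",       # Kerio Control public address
    "fw_dmz": "192.0.2.11",       # Kerio port 2, gateway for the Verizon router
    "dmz_host": "192.0.2.12",     # Verizon MI424WR WAN port
}

if __name__ == "__main__":
    for mask in ("255.255.255.252", "255.255.255.248", "255.255.255.0"):
        d = describe(f"0.0.0.0/{mask}")
        print(f"{mask} = /{d['prefix']}: {d['host_bits']} bits for you, "
              f"{d['addresses']} addresses, {d['usable']} usable, "
              f"{d['customer_usable']} for the customer")
    errors, warnings = check_plan(BLOCK, PLAN)
    print("errors:", errors or "none")
    for w in warnings:
        print("warning:", w)
```

Running it with the placeholder plan reports no errors and exactly one warning, the proxy-ARP point; change dmz_host to an address outside the /29 or to the broadcast address and the warning is replaced by an error. The check is deliberately about layer 3 only: it says nothing about what the firewall will actually pass, which is a policy question for the Kerio configuration.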
I think that should work, but I don't have any easy way to test it. I turned to Kerio support and asked them if they could create a simulated environment and check my thinking. They did that, but reported back to me that it didn't work. They didn't seem to understand why any more than I do. I'm pushing that harder (maybe they mistyped something while setting it up), but I have to install this in a few days, so I'm under pressure.
In the weeds
So, it seems that my only choice here at the moment is an "unprotected" DMZ. Of course the thing that is unprotected is itself a firewall, and there is nothing but a TV set or two on its LAN, so it's not much of a security risk, but it does give a path that bypasses the Kerio Control. If we disable the wireless, using that path would require someone to physically plug into the router, which can't be done without walking into the wiring closet with a computer in hand, so I suppose that's not too horrible, but it still bothers me.
Your ideas are appreciated. Did I miss something? Did I drop some bits on the floor without noticing?
There are a few other things I found after the fact:
The Verizon subnet
Because of the false /24 subnet, there's a potential problem looming. Let's say Verizon gave him the IPs we used in the examples above and we use one of them for a mail or web server. Now let's say Verizon gives someone else another set of addresses in the same subnet. How can that customer reach any of these addresses?