Re: Workgroup Client Bridge Configuration



On Tue, 14 Feb 2006 19:30:33 -0500, RWM <RWM@xxxxxxxxxx> wrote:

Agreed, "WCB" is a Cisco giveaway, but no, this is a Senao 3054cb3
bridge and 2611cb3 AP, both operating in 802.11b mode.

So much for my gold star.

The 3054cb3 will bridge multiple MAC addresses.

The 3054CB3 will bridge multiple MAC addresses. However I'm not so
sure about the 2611DB3 operating in client mode. Digging....
Ah, the data *** mumbles something about "Multi-Client Bridge
Functionality" which I guess means it will bridge more than one MAC
address. In any case, it should work with your one client computah
with just one MAC.

Point taken. Perhaps a list FAQ is in order... ASCII visualizations
are not a specialty.

Nope. Just my personal preferences and experiences.
There are tools available to do ASCII drafting but I never use them.

Converting your mess into something readable.
There's also no reason to mangle non-routeable IP addresses.

Understood, but easier to type.

I once wasted about an hour trying to troubleshoot what turned out to
be a subnet mask problem. I couldn't figure out what was happening
because the person with the question camouflaged all the IP addresses
in various ways. Once I pried the real IP addresses out of him, the
answer was obvious. In any case, there's no security reason to hide
non-routeable IP addresses.

Internet
|
Firewall WAN=216.xxx.xxx.xxx
^ LAN=192.168.1.1

OK, except this has been configured LAN = WAN address for ~ five years.

That can only work if the router/firewall/NAT device has dual IP
addresses (alias) for the LAN interface. For example, if the WAN port
was 216.216.216.111, while the LAN port was BOTH 216.216.216.1 and
192.168.1.1. I've seen this done and it does work, but only with high
end or Linux routers.

However it does cause problems with some Windoze and Mac clients that
do not appreciate having a default gateway that is outside of the
netmask range. For example, if the client's LAN IP is 192.168.1.2,
but the gateway is 216.216.216.1, some operating systems just will not
push packets at the gateway. Fortunately, this has become somewhat
common with VPNs, so the later operating systems all accommodate this
arrangement.

I think there are some potential security implications by having
clients use the WAN side IP instead of the LAN side. I wanna do some
reading first before I proclaim this to be a problem.

Any chance the PC on the wireless link is some ancient junker running
Windoze 95 or 98 first edition?

So, what does your DHCP server deliver to the client? What does:
IPCONFIG
look like?

Also, it would be interesting to see the routing table. Dump:
ROUTE PRINT
and see where the default gateway points.

Also, what's the make and model of firewall/router/NAT box ?

Does that include both the clients directly connected to the switch as
well as the single client connected to the WCB?
Yes, and from wireless clients accessing via the AP.
Can they also all ping the access point IP address?
Yes.

So you can literally ping anything from anywhere on the LAN side. That
means the LAN side is working (as you noted). The problem could only
be a routeing problem going to the internet.

Can they all ping the firewall IP address?
Yes, with the caveat that its LAN address is its public WAN address.

That's not the way it's normally done. If the router does NAT, the
LAN side IP address must be a LAN address. As I previously mentioned,
there may be a 2nd IP address which might be routeable, but that's
rather unusual. Is this network part of a larger VPN based enterprise
LAN? If so, the routeable IP address on router may actually be a
tunnel to elsewhere on a corporate LAN.

The AP metrics are IP = 192.A.B.x, subnet 255.255.255.0, with default
gateway = ISP public default GW IP 216.C.D.E

Wrong. The default gateway of EVERYTHING that's on the LAN side of
the router should point to the LAN side IP address of the router,
192.168.1.1. Pointing to something on the internet won't work because
nothing on the LAN knows how to get to the IP on the internet without
first going through the router.

OK, now this is interesting, in that the net has worked fine as
previously indicated with WAN IP = LAN IP.

If it's running NAT, it should have an IP address on the LAN side. Try
setting the gateway to 192.168.1.1 (or whatever) on the PC going
through the wireless link and see if that magically fixes things.


What should the default gateway be for the WCB?
192.168.1.1 (Router LAN IP address)

Understood, with the above caveat that with the exception of the Senao
bridge, it works as is with the LAN IP = WAN IP = public.

In theory, the Senao radios are a bridge which works on the MAC layer
and know nothing about IP addresses. Unless there's some filtering
going on, I can't think of anything I could do in the Senao bridge
radios to allow pings, but no internet access. The MAC address for
the WAN IP and the LAN IP would be the same so anything sent to the
router should be accepted. Weird.

(I should also mention that there is a fallback Proxim Rangelan2 bridge
working on that segment now, with the gateway = WAN IP.)

You must like antique wireless hardware. Frequency hoppers are
ancient. Well, if it works with the Proxim Rangelan2, then it should
work with the Senao. Offhand, I can't think of any reason it
shouldn't work. So far, the only thing that's either wrong or odd is
the use of the WAN side IP as the gateway.

Thanks sincerely for your response, Jeff. While making the indicated
changes, any view as to why it works "as is"?

I just did a fast check on my office W2K box to see if I could put the
gateway outside the LAN netmask range. Yep. It works. So, it's not
a problem, just an unusual way of setting up a network. It should
work as is, but it's not usually done like that. That leaves the
question of what inside the Senao bridge radios is causing the
problem.

Can you test the computer that's going through the wireless link with
a direct ethernet connection? I'm just curious if it works without
the wireless. If it does work with an ethernet cable, then it has to
be something screwy in the Senao radios (by process of elimination).

Good luck.
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@xxxxxxxxxxxxxxxxxxxxxx
# http://802.11junk.com jeffl@xxxxxxxxxx
# http://www.LearnByDestroying.com AE6KS
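
Added example, not part of the original post: one way to run the check discussed above over captured `ROUTE PRINT` output, flagging a default gateway that lies outside every subnet directly connected to its interface. The sample table is constructed in the Windows 2000/XP layout using the thread's example addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample (Windows 2000/XP "ROUTE PRINT" layout) using the thread's
# example addresses: client 192.168.1.2, default gateway 216.216.216.1.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    216.216.216.1     192.168.1.2       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       1
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       1
        224.0.0.0        224.0.0.0      192.168.1.2     192.168.1.2       1
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Default Gateway:     216.216.216.1
"""

def parse_routes(text):
    """Return (network, gateway_text, interface) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # headers and the "Default Gateway:" summary line
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}")
            iface = ipaddress.ip_address(cols[3])
        except ValueError:
            continue
        routes.append((net, cols[2], iface))
    return routes

def off_link_default_gateways(text):
    """List (interface, gateway) pairs whose default gateway is outside
    every subnet directly connected to that interface."""
    routes = parse_routes(text)
    findings = []
    for net, gw, iface in routes:
        if net.prefixlen != 0 or gw == "On-link":
            continue  # only default routes that name a gateway address
        # Connected subnets: gateway column is the interface's own IP
        # (2000/XP) or "On-link" (later Windows); skip host and multicast rows.
        connected = [n for n, g, i in routes
                     if i == iface and g in (str(iface), "On-link")
                     and 0 < n.prefixlen < 32
                     and not n.network_address.is_multicast]
        if not any(ipaddress.ip_address(gw) in n for n in connected):
            findings.append((str(iface), gw))
    return findings
```
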