Re: Well it seemed like a good idea...



Bert:

Thanks for the extended reply.

Our ISP has given us 5 static IPs with our DSL connection.

xx.xx.xx.60 - xx.xx.xx.64

xx.xx.xx.60 goes to the firewall and is routed to the internal mail
server (i.e. mail.foo.com)

xx.xx.xx.61 goes to the firewall and is routed to various remote
desktops (based on the port #)

xx.xx.xx.62 is the wireless router which NATs its own LAN
(192.168.0.1 - 192.168.0.255)

xxx.xx.xx.63 and xx.xx.xx.64 are not currently used.


Behind the firewall is the main LAN (192.168.1.1 - 192.168.1.255)
with dozens of PCs.

From the outside world we can point any PC's remote desktop client at
xx.xx.xx.61:yyyy (where yyyy is a pre-assigned port number) to get
remote access. That is what I want to be able to do from the wireless
router and it works for ANY address except xx.xx.xx.61






On Wed, 26 Apr 2006 19:21:44 GMT, "Albert Manfredi"
<albert.e.manfredi@xxxxxxxxxx> wrote:

<Scamp@xxxxxxxxxx> wrote:

OK, it looks like I'm missing something...

I need to add a wireless hub to my LAN. However, for security's sake I
wanted to attach it outside my firewall and let the users come in
via Windows Remote Desktop just like they do from home.

So here is what I did (feel free to snicker)

We have a DSL line. I took the Ethernet line coming out of the DSL
modem and ran it into a 4-port hub. Into that hub I plugged in the
Wireless router and the firewall. I took one of our five static IP
addresses and configured the wireless router using that IP address.
I assigned the other four static IPs to the main firewall.

Now I can use the wireless router to access the Internet at large but
when I try to use remote desktop to tunnel into our system the
wireless LAN cannot "see" any of the static IPs assigned to the
firewall. I suspect it's a subnetting issue where the wireless
router thinks it owns all the static IPs but I can't seem to work out
the issue.

Is there a way to set a subnet to ONE address? Is that really the
issue?

I think you correctly pinpointed the problem. But I'm confused about
what you mean when you say you "assigned the other four static IP's to
the main firewall." Which side of the firewall?

Firewalls are essentially like routers. If these 4 IP addresses are
assigned to the Ethernet hub side of the firewall, i.e. to the same side
as the ADSL modem, then what addresses are used by the hosts connecting
to the other side of the firewall, i.e. "behind" the firewall?

If you are given 5 static IP addresses, presumably these apply to the
Ethernet side of the ADSL modem. I'll guess that the subnet mask you
were given to use is 255.255.255.248. I'll guess that the Ethernet side
of your ADSL modem is given one of the 6 addresses available in this
subnet, and that 5 remain for hosts connected directly to the in-home
Ethernet.

Of the remaining 5 addresses, I would think one would be assigned to the
unprotected side of the firewall and one is assigned to the wireless
router. That leaves only three addresses, usable only by hosts connected
to the hub. Not by hosts behind the firewall or behind the wireless
router.

I'll assume that both the wireless router and the firewall are behaving
like NATs, translating the one public IP address they are assigned into
a set of private IP addresses on the other side? And that as a result of
this, you'll have a tough time routing traffic between the two private
IP subnets, even if you can see the Internet from behind either box.

The easiest solution to the problem is to delete that stand-alone
firewall and use the firewall built into Windows on all your cabled
hosts. Then you will have 4 static IP addresses to assign to 4 in-home
computers, and these should be visible from the wireless hosts.

If this works, as it should, then there might be a way to statically map
the three remaining public IP addresses to three private IP addresses
behind the firewall. If you can statically map these, 1 for 1, the
firewall should have no trouble routing packets to the right host. But
it might still be easier to just delete the stand-alone firewall.

Bert
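
An added example, not part of the original thread: it works out what the guessed mask 255.255.255.248 and a one-address mask (255.255.255.255) would each mean for the five last octets listed above, as seen from the wireless router at .62. The 203.0.113. prefix is a constructed stand-in for the redacted xx.xx.xx octets, and the function names are hypothetical.

```python
import ipaddress

# Constructed prefix: the post redacts the first three octets (xx.xx.xx),
# so the RFC 5737 documentation range stands in for them here.
PREFIX = "203.0.113."


def next_hop(iface_addr, netmask, dest):
    """Classify how a host configured as iface_addr/netmask treats dest.

    'self'      -> dest is the host's own address
    'broadcast' -> dest is the subnet's broadcast address, not a usable host
    'on-link'   -> dest is in the interface subnet: resolved with ARP directly
    'gateway'   -> dest is outside the subnet: sent to the default gateway
    """
    iface = ipaddress.ip_interface(f"{iface_addr}/{netmask}")
    target = ipaddress.ip_address(dest)
    if target == iface.ip:
        return "self"
    if target not in iface.network:
        return "gateway"
    if target == iface.network.broadcast_address:
        return "broadcast"
    return "on-link"


def usable_hosts(iface_addr, netmask):
    """Host addresses of the interface's subnet (network/broadcast excluded)."""
    net = ipaddress.ip_interface(f"{iface_addr}/{netmask}").network
    return [str(h) for h in net.hosts()]


def view_from_wireless_router(netmask):
    """Classify the post's five last octets from the router at .62."""
    router = PREFIX + "62"
    return {octet: next_hop(router, netmask, PREFIX + str(octet))
            for octet in (60, 61, 62, 63, 64)}


if __name__ == "__main__":
    print("usable with .248:", usable_hosts(PREFIX + "62", "255.255.255.248"))
    for mask in ("255.255.255.248", "255.255.255.255"):
        print(mask)
        for octet, hop in view_from_wireless_router(mask).items():
            print(f"  .{octet}: {hop}")
```

With a one-address mask every other static address, and the router's own default gateway, becomes off-link, so the router would also need an explicit host route to reach that gateway.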
