Network router problem

DaveC

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet

I've set up 3 routers to provide security between two small networks, yet be
able to share resources.

The setup consists of a Speedstream DSL modem, a Netgear FVS318 immediately
downstream; and two RP614v2 routers plugged into the '318. All computers (6
total) are plugged into the 614's.

I configured the routers so that they each have unique IP addresses, and
serve (DHCP) unique ranges of IP addresses.

I then added an HP LJ 2300 (plugged into the '318) and configured direct
routes (I think that's what Netgear calls making the HP's IP address
"visible" to the computers on the networks) in each of the '614's.

All computers could share the DSL service, and print to the HP printer
without problem. Everything seemed fine.

All worked for about a week. Then one of the 614 routers stopped
functioning. I could not ping from or to any computer connected to that
router. A router reset (reset button on the back) fixed it, temporarily. A
week later the problem repeated. I replaced the router with a new one,
figuring that it had an intermittent problem.

All was fine for another week. Today, the same problem occurred, with the
same router.

Is it possible that the FVS318 is causing these problems in the 614? What
else could cause these symptoms?

Someone suggested a DHCP lease expired and wasn't renewed. How can I check
for a lease expiration?

Thanks,
--
DaveC
me@privacy.net
This is an invalid return address
Please reply in the news group
 
Guest

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet

In article <0001HW.BCE366F501985A32F03055B0@news.individual.net>,
DaveC <me@privacy.net> wrote:

> I've set up 3 routers to provide security between two small networks, yet be
> able to share resources.
>
> The setup consists of a Speedstream DSL modem, a Netgear FVS318 immediately
> downstream; and two RP614v2 routers plugged into the '318. All computers (6
> total) are plugged into the 614's.
>
> I configured the routers so that they each have unique IP addresses, and
> serve (DHCP) unique ranges of IP addresses.
>
> I then added an HP LJ 2300 (plugged into the '318) and configured direct
> routes (I think that's what Netgear calls making the HP's IP address
> "visible" to the computers on the networks) in each of the '614's.
>
> All computers could share the DSL service, and print to the HP printer
> without problem. Everything seemed fine.
>
> All worked for about a week. Then one of the 614 routers stopped
> functioning. I could not ping from or to any computer connected to that
> router. A router reset (reset button on the back) fixed it, temporarily. A
> week later the problem repeated. I replaced the router with a new one,
> figuring that it had an intermittent problem.
>
> All was fine for another week. Today, the same problem occurred, with the
> same router.
>
> Is it possible that the FVS318 is causing these problems in the 614? What
> else could cause these symptoms?
>
> Someone suggested a DHCP lease expired and wasn't renewed. How can I check
> for a lease expiration?
>
> Thanks,

I don't know about the Netgear routers, but my Linksys displays the
lease remaining time on its main configuration page. However, if the
two 614s have unique IP addresses, then they're not using DHCP to obtain
them and there's no lease to expire.

What happens if you switch the two 614s?

--
There are 10 kinds of people in the world:
those who understand binary, and those who don't.

Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3
7BDA 71ED 6496 99C0 C7CF
 

DaveC

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet

On Wed, 2 Jun 2004 11:45:05 -0700, Tom Stiller wrote
(in article <tomstiller-92FBBC.14450502062004@comcast.dca.giganews.com>):

> I don't know about the Netgear routers, but my Linksys displays the
> lease remaining time on its main configuration page. However, if the
> two 614s have unique IP addresses, then they're not using DHCP to obtain
> them and there's no lease to expire.

Hmm... of course you're right.

When the problem originally occurred, I figured the router was defective and
returned it to the store for another 614. I installed the new router and
configured it identically. Today, about 10 days later, it failed in the same
mode (I can ping other computers on the network (ie, connected to the same
614), but I can't get through the 318 to the WAN, or to the IP-configured
printer plugged into the 318). Power-cycle the router and all is well again.

I've switched the DC power supplies to the two 614s, in case it was a
supply/glitch problem. The same router failed.

> What happens if you switch the two 614s?

I'm reluctant to do that, because the one Dr. that does have a fully
functioning network wouldn't be happy if his network crashed, rather than his
partner's. At least now, it's perceived as a limited problem (not
office-wide). But if I can't come up with any other possibility, I'll have to
give that a try.

Netgear tech support says that it's a power problem. Since it's this one
router and none of the other equipment, I'm highly skeptical.

Other ideas?

Thanks,
--
DaveC
me@privacy.net
This is an invalid return address
Please reply in the news group
 
Guest

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet

DaveC wrote:

> I've set up 3 routers to provide security between two small networks, yet be
> able to share resources.
>
> The setup consists of a Speedstream DSL modem, a Netgear FVS318 immediately
> downstream; and two RP614v2 routers plugged into the '318. All computers (6
> total) are plugged into the 614's.
>
>
<snip - problem description (one router hoses after 1 week)>

Problem is likely that you are using low end consumer gear. The code on
those "routers" (to me calling these things routers is like calling a
gocart a car) tends to be not the most stable. Ya get what you pay for.

Look into upgrading to some "real" routers. Try a sonicwall or
watchguard at the border of the dsl connection, and put "real" routers
(cisco 2600 series or nortel ARN) inside the border. and hook them all
up with real switches, for chrissake! no actual endpoint devices should
be plugged into routers (yes, I know, the '318's and 614 have the built
in switch. but these "routers" are giving you problems, aren't they?)

--
Copyright 2004 T. Sean Weintz
This post may be copied freely without
the express permission of T. Sean Weintz.
T. Sean Weintz could care less.
T. Sean Weintz is in no way responsible for
the accuracy of any information contained in
any usenet postings claiming to be from
T. Sean Weintz. Users reading postings from
T. Sean Weintz do so at their own risk.
T. Sean Weintz will in no way be liable for
premature hair loss, divorce, insanity,
world hunger, or any other adverse results
that may arise from reading any usenet
posting attributed to T. Sean Weintz

ALSO - FWIW, The following WHOIS Record is years out of date:
Weintz, Sean (SW2893) tweintz@MAIL.IDT.NET
Sean Weintz
462 Sixth Street , #A
Brooklyn, NY 11215
 
Guest

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

(added comp.protocols.tcp-ip where this really belongs)

DaveC wrote:

> I've set up 3 routers to provide security between two small networks, yet be
> able to share resources.

> The setup consists of a Speedstream DSL modem, a Netgear FVS318 immediately
> downstream; and two RP614v2 routers plugged into the '318. All computers (6
> total) are plugged into the 614's.

That is what I would do if I wanted security between two nets
using a common WAN connection.

> I configured the routers so that they each have unique IP addresses, and
> serve (DHCP) unique ranges of IP addresses.

Well, they really need separate subnets. Is that what you mean?

> I then added an HP LJ 2300 (plugged into the '318) and configured direct
> routes (I think that's what Netgear calls making the HP's IP address
> "visible" to the computers on the networks) in each of the '614's.

Anything on the 318 side should be visible to the other machines
without doing anything special.

Machines connected to the 614s must have the default route
pointing to the appropriate 614, but DHCP should do that for you.

The printer should have a static address on the appropriate net,
so that it doesn't change. I suppose its default route should
point to the 318, though it really shouldn't need one.

> All computers could share the DSL service, and print to the HP printer
> without problem. Everything seemed fine.

> All worked for about a week. Then one of the 614 routers stopped
> functioning. I could not ping from or to any computer connected to that
> router. A router reset (reset button on the back) fixed it, temporarily. A
> week later the problem repeated. I replaced the router with a new one,
> figuring that it had an intermittent problem.

(snip)

> Is it possible that the FVS318 is causing these problems in the 614? What
> else could cause these symptoms?

> Someone suggested a DHCP lease expired and wasn't renewed. How can I check
> for a lease expiration?

There are two questions. First are the DHCP leases given by the 614's
to the connected computers. The other is the leases given by
the 318 to the 614's. I would probably configure the 614's with
static WAN addresses and default routes, but the normal instructions
likely use DHCP.

The machines connected to the 614s should have some way to
view their DHCP information, I believe IPCONFIG on windows
machines. The setup system for the 614s should indicate the
DHCP assignments given by the 318.

I think the next thing I would do is give the 614's static
WAN addresses and turn off the DHCP server on the 318.

Post the network addresses and netmasks used for each of the
three nets. That way we can figure out if they make sense.
(There should not be any security related matters in posting them.)

-- glen
 

DaveC

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

On Wed, 2 Jun 2004 11:49:48 -0700, glen herrmannsfeldt wrote
(in article <gjpvc.36867$eY2.14387@attbi_s02>):

> There are two questions. First are the DHCP leases given by the 614's
> to the connected computers. The other is the leases given by
> the 318 to the 614's. I would probably configure the 614's with
> static WAN addresses and default routes, but the normal instructions
> likely use DHCP.

Indeed, I did use static addresses for the 614s, as someone else in this
thread pointed out.

> The machines connected to the 614s should have some way to
> view their DHCP information, I believe IPCONFIG on windows
> machines. The setup system for the 614s should indicate the
> DHCP assignments given by the 318.

What about for Mac OS 9.x? If I look at the TCP/IP info in the TCP control
panel, it has a "renew lease" button, but no details about the lease.

When the router "fails", I am able to ping other computers in that (sub?) net
(ie, connected to the same 614). I just can't ping the 318 or anything
beyond, including the IP printer plugged into the 318.

> I think the next thing I would do is give the 614's static
> WAN addresses and turn off the DHCP server on the 318.

I have not turned off DHCP in the 318. I'll try this.

> Post the network addresses and netmasks used for each of the
> three nets. That way we can figure out if they make sense.
> (There should not be any security related matters in posting them.)

Netgear FVS318
WAN Port
IP 67.x.x.x
Subnet mask: 0.0.0.0
DHCP: no (basically functions as a bridge?)
one static route configured in this router for printer: 192.168.0.2

LAN Port:
IP 192.168.0.1
Subnet mask: 255.255.255.0
DHCP: server
DHCP range: 192.168.0.2 - 100
RIP direction: both
RIP version: RIP-2B
MTU size: 1500 (default)

Netgear RP614v2 #1
WAN Port:
IP: 192.168.0.3 **
Subnet mask: 255.255.255.0
DHCP: client ***
LAN Port:
IP: 192.168.1.1
Subnet mask: 255.255.255.0
DHCP: server
DHCP range: 192.168.1.2 - 50

Netgear RP614v2 #2
WAN Port:
IP: 192.168.0.3 **
Subnet mask: 255.255.255.0
DHCP: client ***
LAN Port:
IP: 192.168.2.1
Subnet mask: 255.255.255.0
DHCP: server
DHCP range: 192.168.2.2 - 50

Computers are all DHCP clients, no fixed IP's.

** The interface between the 318 and the 614s should use unique IP's, right?
The 318's LAN port IP is 192.168.0.1. The 614's WAN IP's are both
192.168.0.3. Would this cause a problem? I'll check to confirm these IP's
when I go to the site in about an hour.

*** The two 614's should be in "Client: no" mode, right (ie, neither Server
or Client)?

All ideas welcome.

Thanks,
--
DaveC
me@privacy.net
This is an invalid return address
Please reply in the news group
 

DaveC

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

Update:

Netgear FVS318
WAN Port
IP 67.x.x.x
Subnet mask: 0.0.0.0
DHCP: no (basically functions as a bridge?)
### Correction: no static routes for this router ###

LAN Port:
IP 192.168.0.1
Subnet mask: 255.255.255.0 ### static ###
DHCP: server
DHCP range: 192.168.0.2 - 100
RIP direction: both
RIP version: RIP-2B
MTU size: 1500 (default)

Netgear RP614v2 #1
WAN Port:
IP: 192.168.0.3 ### dynamically assigned ###
Subnet mask: 255.255.255.0
DHCP: client
LAN Port:
IP: 192.168.1.1 ### static ###
Subnet mask: 255.255.255.0
DHCP: server
DHCP range: 192.168.1.2 - 50
### one static route configured to printer: 192.168.0.2 ###

Netgear RP614v2 #2
WAN Port:
IP: 192.168.0.6 ### dynamically assigned ###
Subnet mask: 255.255.255.0
DHCP: client ***
LAN Port:
IP: 192.168.2.1 ### static ###
Subnet mask: 255.255.255.0
DHCP: server
DHCP range: 192.168.2.2 - 50
### one static route configured to printer: 192.168.0.2 ###

All seems correctly configured:
318 router is acting as DHCP server (on LAN side)
614 routers are acting as DHCP clients (on WAN side)
and acting as DHCP servers (on LAN side)

All IPs are unique. (There were no duplicate IP's; that was a document/edit
error on my part...)

To reiterate:
When error occurs, computers connected to failed 614 router can ping each
other, but not any of the routers (192.168.0.1, .1.1, or .2.1). Nor can they
ping the printer (static route in the 318 router). Power cycle the failed
router and all is well again for days (approx 10 days).

Suggestions by some that the equipment isn't "professional" don't help. If
you can tell me *why* this is happening, and *why* more-"professional" brands
will fix the problem, your argument would be much more persuasive.

Ideas? (I'm running out, right now...)

Thanks,
--
DaveC
me@privacy.net
This is an invalid return address
Please reply in the news group
 
Guest

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

In article <0001HW.BCE3A4A40004E674F03055B0@news.individual.net>,
DaveC <me@privacy.net> wrote:

> Update:
>
> Netgear FVS318
> WAN Port
> IP 67.x.x.x
> Subnet mask: 0.0.0.0
> DHCP: no (basically functions as a bridge?)
> ### Correction: no static routes for this router ###
>
> LAN Port:
> IP 192.168.0.1
> Subnet mask: 255.255.255.0 ### static ###
> DHCP: server
> DHCP range: 192.168.0.2 - 100
> RIP direction: both
> RIP version: RIP-2B
> MTU size: 1500 (default)
>
> Netgear RP614v2 #1
> WAN Port:
> IP: 192.168.0.3 ### dynamically assigned ###
> Subnet mask: 255.255.255.0
> DHCP: client
> LAN Port:
> IP: 192.168.1.1 ### static ###
> Subnet mask: 255.255.255.0
> DHCP: server
> DHCP range: 192.168.1.2 - 50
> ### one static route configured to printer: 192.168.0.2 ###
>
> Netgear RP614v2 #2
> WAN Port:
> IP: 192.168.0.6 ### dynamically assigned ###
> Subnet mask: 255.255.255.0
> DHCP: client ***
> LAN Port:
> IP: 192.168.2.1 ### static ###
> Subnet mask: 255.255.255.0
> DHCP: server
> DHCP range: 192.168.2.2 - 50
> ### one static route configured to printer: 192.168.0.2 ###
>
> All seems correctly configured:
> 318 router is acting as DHCP server (on LAN side)
> 614 routers are acting as DHCP clients (on WAN side)
> and acting as DHCP servers (on LAN side)

What value is there in employing DHCP between the 318 and the two 614s?
Why not assign the 614s fixed IP addresses and avoid the whole issue of
DHCP leases between the routers?
>
> All IPs are unique. (There were no duplicate IP's; that was a document/edit
> error on my part...)
>
> To reiterate:
> When error occurs, computers connected to failed 614 router can ping each
> other, but not any of the routers (192.168.0.1, .1.1, or .2.1). Nor can they
> ping the printer (static route in the 318 router). Power cycle the failed
> router and all is well again for days (approx 10 days).
>
> Suggestions by some that the equipment isn't "professional" don't help. If
> you can tell me *why* this is happening, and *why* more-"professional" brands
> will fix the problem, your argument would be much more persuasive.
>
> Ideas? (I'm running out, right now...)
>
> Thanks,

--
There are 10 kinds of people in the world:
those who understand binary, and those who don't.

Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3
7BDA 71ED 6496 99C0 C7CF
 
Guest

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

"DaveC" <me@privacy.net> wrote in message
news:0001HW.BCE3803F019E47AEF03055B0@news.individual.net...
> On Wed, 2 Jun 2004 11:49:48 -0700, glen herrmannsfeldt wrote
> (in article <gjpvc.36867$eY2.14387@attbi_s02>):
>
> > There are two questions. First are the DHCP leases given by the 614's
> > to the connected computers. The other is the leases given by
> > the 318 to the 614's. I would probably configure the 614's with
> > static WAN addresses and default routes, but the normal instructions
> > likely use DHCP.
>
> Indeed, I did use static addresses for the 614s, as someone else in this
> thread pointed out.
>
> > The machines connected to the 614s should have some way to
> > view their DHCP information, I believe IPCONFIG on windows
> > machines. The setup system for the 614s should indicate the
> > DHCP assignments given by the 318.
>
> What about for Mac OS 9.x? If I look at the TCP/IP info in the TCP control
> panel, it has a "renew lease" button, but no details about the lease.
>
> When the router "fails", I am able to ping other computers in that (sub?) net
> (ie, connected to the same 614). I just can't ping the 318 or anything
> beyond, including the IP printer plugged into the 318.
>
> > I think the next thing I would do is give the 614's static
> > WAN addresses and turn off the DHCP server on the 318.
>
> I have not turned off DHCP in the 318. I'll try this.

this does stop you putting other devices on the interconnect LAN and using
DHCP. Just assign the 614s addresses outside the DHCP range on the 318.

FWIW I have 2 Netgears cascaded to isolate the "safe" wired LAN from
wireless.

topology is
WAN - FR314 - wired LAN (4 PCs) - MR814 - wireless laptops.

this lets wireless devices have internet access, but not get to wired shares
and printers.
>
> > Post the network addresses and netmasks used for each of the
> > three nets. That way we can figure out if they make sense.
> > (There should not be any security related matters in posting them.)
>
> Netgear FVS318
> WAN Port
> IP 67.x.x.x
> Subnet mask: 0.0.0.0
> DHCP: no (basically functions as a bridge?)
> one static route configured in this router for printer: 192.168.0.2
>
> LAN Port:
> IP 192.168.0.1
> Subnet mask: 255.255.255.0
> DHCP: server
> DHCP range: 192.168.0.2 - 100
> RIP direction: both
> RIP version: RIP-2B
> MTU size: 1500 (default)
>
> Netgear RP614v2 #1
> WAN Port:
> IP: 192.168.0.3 **
> Subnet mask: 255.255.255.0
> DHCP: client ***
> LAN Port:
> IP: 192.168.1.1
> Subnet mask: 255.255.255.0
> DHCP: server
> DHCP range: 192.168.1.2 - 50
>
> Netgear RP614v2 #2
> WAN Port:
> IP: 192.168.0.3 **
> Subnet mask: 255.255.255.0
> DHCP: client ***
> LAN Port:
> IP: 192.168.2.1
> Subnet mask: 255.255.255.0
> DHCP: server
> DHCP range: 192.168.2.2 - 50
>
> Computers are all DHCP clients, no fixed IP's.
>
> ** The interface between the 318 and the 614s should use unique IP's, right?

Yes.

> The 318's LAN port IP is 192.168.0.1. The 614's WAN IP's are both
> 192.168.0.3. Would this cause a problem? I'll check to confirm these IP's
> when I go to the site in about an hour.

certainly going to confuse the WAN attached router - how can it decide where
to send return traffic?

Frankly, I am surprised it worked OK for a while - it implies that the 2nd
614 has some sort of workaround - maybe it ignores the configured address if
it ARPs on power up and sees another device on that IP address.

or if you "cloned" the config, maybe the 2 614s share other settings - like
the WAN port MAC address, which might make things work by accident......

>
> *** The two 614's should be in "Client: no" mode, right (ie, neither Server
> or Client)?

if this is on the 614 WAN port then "no DHCP client" is correct

>
> All ideas welcome.
>
> Thanks,
> --
> DaveC
> me@privacy.net
> This is an invalid return address
> Please reply in the news group
--
Regards

Stephen Hope - return address needs fewer xxs
 
Guest

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

"shope" <stephen_hope@xntlxworld.com> wrote:
>FWIW i have 2 Netgears cascaded to isolate the "safe" wired LAN from
>wireless.
>
>topology is
>WAN - FR314 - wired LAN (4 PCs) - MR814 - wireless laptops.
>
>this lets wireless devices have internet access, but not get to wired shares
>and printers.

Do you only allow certain ports thru the MR814, or do you block
NetBios, or what? I'd think to have real isolation you'd want:

WAN -> RouterA -> (RouterB & WiFiRouter)

and then hang the secure LAN off RouterB and the insecure stuff off
WiFiRouter.

--
William Smith
ComputerSmiths Consulting, Inc. www.compusmiths.com
 
Guest

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet

"T. Sean Weintz" <sean@snerts-r-us.org> wrote in message
news:10bsbmrr8ns491d@corp.supernews.com...
> DaveC wrote:
>
> > I've set up 3 routers to provide security between two small networks, yet be
> > able to share resources.
> >
> > The setup consists of a Speedstream DSL modem, a Netgear FVS318 immediately
> > downstream; and two RP614v2 routers plugged into the '318. All computers (6
> > total) are plugged into the 614's.
> >
> >
> <snip - problem description (one router hoses after 1 week)>
>
> Problem is likely that you are using low end consumer gear. The code on
> those "routers" (to me calling these things routers is like calling a
> gocart a car) tends to me not the most stable. Ya get what you pay for.
>
> Look into upgrading to some "real" routers. Try a sonicwall or
> watchguard at the border of the dsl connection, and put "real" routers
> (cisco 2600 series or nortel ARN) inside the border. and hook them all
> up with real switches, for chrissake! no actual endpoint devices should
> be plugged into routers (yes, I know, the '318's and 614 have the built
> in switch. but these "routers" are giving you problems, aren't they?)
>

or - if you like integrated router / switches, try cisco 831s for a
reasonable SOHO router with embedded 4 port switch...... even Cisco gets
around to using good ideas :)

see http://cisco.com/en/US/products/hw/routers/ps380/index.html
for more than you ever wanted to know about mainstream low end routers.

> --
> Copyright 2004 T. Sean Weintz
> This post may be copied freely without
> the express permission of T. Sean Weintz.
> T. Sean Weintz could care less.
> T. Sean Weintz is in no way responsible for
> the accuracy of any information contained in
> any usenet postings claiming to be from
> T. Sean Weintz. Users reading postings from
> T. Sean Weintz do so at their own risk.
> T. Sean Weintz will in no way be liable for
> premature hair loss, divorce, insanity,
> world hunger, or any other adverse results
> that may arise from reading any usenet
> posting attributed to T. Sean Weintz
>
> ALSO - FWIW, The following WHOIS Record is years out of date:
> Weintz, Sean (SW2893) tweintz@MAIL.IDT.NET
> Sean Weintz
> 462 Sixth Street , #A
> Brooklyn, NY 11215
--
Regards

Stephen Hope - return address needs fewer xxs
 

DaveC

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip,alt.internet.wireless

>> topology is
>> WAN - FR314 - wired LAN (4 PCs) - MR814 - wireless laptops.

I, too, don't understand how this can provide isolation of the wireless net
from the wired. All traffic for the wireless subnet must pass through the
wired net. Doesn't this make the wired segment -- by definition -- insecure?

> WAN -> RouterA -> (RouterB & WiFiRouter)
>
> and then hang the secure LAN off RouterB and the insecure stuff off
> WiFiRouter.

Yeah, I also would use some configuration like this (view with monospace
font):

                   WAN
                    |
                    |
                    |
                Router A
               |        |
               |        |
               |        |
        Wireless       Router B
         Router        +------+------+------+
          ~ ~                 |      |      |
          ~ ~                 |      |      |
          ~ ~                 |      |      |
        Wireless              PC     PC     PC
          PCs

This isolates the two sub nets from each other. I'm using a similar topology
to isolate 2 wired subnets. They need to be wired in *parallel* to have
complete isolation, don't they?
--
DaveC
me@privacy.net
This is an invalid return address
Please reply in the news group
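The difference between the cascaded layout (WAN - FR314 - wired LAN - MR814 - wireless) and the parallel layout drawn above can be checked with a small reachability model. This is an added illustration, not code from anyone in the thread; it assumes each consumer router behaves as a NAT box that passes connections opened from its LAN side and drops unsolicited connections arriving on its WAN port, and the segment names ("wired", "wireless", "net0", ...) are constructed labels.

```python
"""Reachability under NAT for cascaded vs. parallel router layouts.

Added illustration, not code from the thread. Assumption: every consumer
router is a NAT box that forwards connections opened on its LAN side toward
its WAN side and drops unsolicited connections arriving on its WAN port.
Segment names are constructed labels.
"""
from typing import Dict, List, Optional, Tuple


class Topology:
    def __init__(self) -> None:
        # segment -> the segment on the WAN side of the router that fronts it
        # (None for the segment that faces the Internet)
        self.parent: Dict[str, Optional[str]] = {}
        self.routers: Dict[str, Tuple[str, str]] = {}

    def add_router(self, name: str, wan_segment: str, lan_segment: str) -> None:
        self.parent.setdefault(wan_segment, None)
        self.parent[lan_segment] = wan_segment
        self.routers[name] = (wan_segment, lan_segment)

    def outward_path(self, segment: str) -> List[str]:
        """Segments a host on `segment` can reach by sending toward the WAN."""
        path: List[str] = []
        cur: Optional[str] = segment
        while cur is not None:
            path.append(cur)
            cur = self.parent[cur]
        return path

    def can_initiate(self, src: str, dst: str) -> bool:
        """A connection from src reaches dst only if dst lies on src's outward
        path; anything behind another router's WAN port sees it as unsolicited
        inbound traffic and the NAT box drops it."""
        return dst in self.outward_path(src)

    def isolated(self, a: str, b: str) -> bool:
        """True when neither segment can open connections into the other."""
        return not (self.can_initiate(a, b) or self.can_initiate(b, a))


def cascaded() -> Topology:
    # shope's layout: WAN - FR314 - wired LAN - MR814 - wireless laptops
    t = Topology()
    t.add_router("FR314", "wan", "wired")
    t.add_router("MR814", "wired", "wireless")
    return t


def parallel() -> Topology:
    # William Smith / DaveC: WAN -> RouterA -> (RouterB & WiFiRouter)
    t = Topology()
    t.add_router("RouterA", "wan", "interconnect")
    t.add_router("RouterB", "interconnect", "wired")
    t.add_router("WiFiRouter", "interconnect", "wireless")
    return t


def office() -> Topology:
    # DaveC's two-practice setup; the printer sits on the 318's LAN (net0).
    t = Topology()
    t.add_router("FVS318", "wan", "net0")
    t.add_router("RP614v2#1", "net0", "net1")
    t.add_router("RP614v2#2", "net0", "net2")
    return t


if __name__ == "__main__":
    for label, t in (("cascaded", cascaded()), ("parallel", parallel())):
        print(f"{label}: wireless->wired {t.can_initiate('wireless', 'wired')}, "
              f"wired->wireless {t.can_initiate('wired', 'wireless')}, "
              f"isolated {t.isolated('wired', 'wireless')}")
    o = office()
    print(f"office: net1->net2 {o.can_initiate('net1', 'net2')}, "
          f"net1->printer net {o.can_initiate('net1', 'net0')}")
```

In the cascaded case the wireless side can open connections into the wired LAN because that LAN is on its path to the WAN; in the parallel case each LAN only sees the interconnect and the WAN.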
 
Guest

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

DaveC wrote:

> Update:

> Netgear FVS318
> WAN Port
> IP 67.x.x.x
> Subnet mask: 0.0.0.0

I don't think it should ever be 0.0.0.0.

> DHCP: no (basically functions as a bridge?)
> ### Correction: no static routes for this router ###

> LAN Port:
> IP 192.168.0.1
> Subnet mask: 255.255.255.0 ### static ###
> DHCP: server
> DHCP range: 192.168.0.2 - 100
> RIP direction: both

Probably you should turn RIP off. I can't see where it
would cause problems here, but it can.

> RIP version: RIP-2B
> MTU size: 1500 (default)

> Netgear RP614v2 #1
> WAN Port:
> IP: 192.168.0.3 ### dynamically assigned ###

I would statically assign this, outside the DHCP range
of the 318.

> Subnet mask: 255.255.255.0
> DHCP: client
> LAN Port:
> IP: 192.168.1.1 ### static ###
> Subnet mask: 255.255.255.0
> DHCP: server
> DHCP range: 192.168.1.2 - 50
> ### one static route configured to printer: 192.168.0.2 ###

You should not need a static route here. Hosts on the 614 LANs
should have a static route (DHCP assigned) to the 614s.
Routers should always know how to get to the directly attached
nets, unless you remove the route entry.

The 614's should have a WAN side static default route,
either through DHCP or statically assigned, pointing to the 318
LAN side.

> Netgear RP614v2 #2
> WAN Port:
> IP: 192.168.0.6 ### dynamically assigned ###
> Subnet mask: 255.255.255.0
> DHCP: client ***
> LAN Port:
> IP: 192.168.2.1 ### static ###
> Subnet mask: 255.255.255.0
> DHCP: server
> DHCP range: 192.168.2.2 - 50
> ### one static route configured to printer: 192.168.0.2 ###
>
> All seems correctly configured:
> 318 router is acting as DHCP server (on LAN side)
> 614 routers are acting as DHCP clients (on WAN side)
> and acting as DHCP servers (on LAN side)
>
> All IPs are unique. (There were no duplicate IP's; that was a document/edit
> error on my part...)
>
> To reiterate:
> When error occurs, computers connected to failed 614 router can ping each
> other, but not any of the routers (192.168.0.1, .1.1, or .2.1). Nor can they
> ping the printer (static route in the 318 router). Power cycle the failed
> router and all is well again for days (approx 10 days).
>
> Suggestions by some that the equipment isn't "professional" don't help. If
> you can tell me *why* this is happening, and *why* more-"professional" brands
> will fix the problem, your argument would be much more persuasive.
>
> Ideas? (I'm running out, right now...)

The only other thing I can think of is thermal. Are the
routers stacked so that one gets hotter? How about a fan
blowing over them to cool them a little more.

-- glen
 

DaveC

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

On Wed, 2 Jun 2004 16:21:30 -0700, Tom Stiller wrote
(in article <tomstiller-0D7996.19213002062004@comcast.dca.giganews.com>):

> What value is there in employing DHCP between the 318 and the two 614s?
> Why not assign the 614s fixed IP addresses and avoid the whole issue of
> DHCP leases between the routers?

It does seem simpler, doesn't it. I'd be glad to try this solution. What is
the range I should choose the static addresses from for the 614's?

And just turn off DHCP on the LAN side of the 318? Anything else to it?

Thanks,
--
DaveC
me@privacy.net
This is an invalid return address
Please reply in the news group
 

DaveC

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

On Wed, 2 Jun 2004 23:26:33 -0700, glen herrmannsfeldt wrote
(in article <twzvc.4081$uY.275@attbi_s53>):

> DaveC wrote:

>> Subnet mask: 0.0.0.0

> I don't think it should ever be 0.0.0.0.

How does one determine what this should be?

>> RIP direction: both
>> RIP version: RIP-2B

> Probably you should turn RIP off. I can't see where it
> would cause problems here, but it can.

What is RIP? Where can I read about it?

>> Netgear RP614v2 #1
>> WAN Port:
>> IP: 192.168.0.3 ### dynamically assigned ###

> I would statically assign this, outside the DHCP range
> of the 318.

Or turn off DHCP on the 318 and assign a static IP in each of the 614's in
what range? (If DHCP is off, can I assign 192.168.0.3, for example? Or is the
DHCP range verboten even if DHCP is off?)

>> ### one static route configured to printer: 192.168.0.2 ###

> You should not need a static route here. Hosts on the 614 LANs
> should have a static route (DHCP assigned) to the 614s.
> Routers should always know how to get to the directly attached
> nets, unless you remove the route entry.

Haven't specifically removed any routes, yet no computer was able to access
the IP of the networked printer (plugged into the 318). If I remove the
static route, no client can print from that subnet.

> The 614's should have a WAN side static default route,
> either through DHCP or statically assigned, pointing to the 318
> LAN side.

With my limited (but growing) understanding of all things IP, I was baffled
at this, also. I presumed that if clients could get to the WAN, they should
be able to get to the printer. But they can't, without a static route.

> The only other thing I can think of is thermal. Are the
> routers stacked so that one gets hotter? How about a fan
> blowing over them to cool them a little more.

They're stacked one on top of the other, but vertically (ie, parallel with
the wall) such that heat easily flows in one side and out the other, without
heating up each other. Large storage room, always low-mid 70's (F)
temperature.
--
DaveC
me@privacy.net
This is an invalid return address
Please reply in the news group
 
Guest

Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

In article <0001HW.BCE4766600209BBFF03055B0@news.individual.net>,
DaveC <me@privacy.net> wrote:

> On Wed, 2 Jun 2004 16:21:30 -0700, Tom Stiller wrote
> (in article <tomstiller-0D7996.19213002062004@comcast.dca.giganews.com>):
>
> > What value is there in employing DHCP between the 318 and the two 614s?
> > Why not assign the 614s fixed IP addresses and avoid the whole issue of
> > DHCP leases between the routers?
>
> It does seem simpler, doesn't it. I'd be glad to try this solution. What is
> the range I should choose the static addresses from for the 614's?
>
> And just turn off DHCP on the LAN side of the 318? Anything else to it?
>

Yes, turn off the DHCP server for the LAN side of the 318 and configure
the 614s to use fixed IP addresses. You should be able to use the
current addresses, but check the manual for the 318 to see if there are
constraints between allowable fixed IP addresses and DHCP ranges.

Subnet masks should have 1s in (at least) all bit positions
corresponding to the network address; the mask may be extended if the
network employs true subnetting. Your Class A address (67.x.x.x)
should probably have a subnet mask of 255.0.0.0 and the class C
addresses (192.x.x.x) should probably have masks of 255.255.255.0.

--
There are 10 kinds of people in the world:
those who understand binary, and those who don't.

Tom Stiller

PGP fingerprint = 5108 DDB2 9761 EDE5 E7E3
7BDA 71ED 6496 99C0 C7CF
 
Guest
Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet

shope wrote:

> or - if you like integrated router / switches, try cisco 831s for a
> reasonable SOHO router with embedded 4 port switch...... even Cisco gets
> around to using good ideas :)
>
> see http://cisco.com/en/US/products/hw/routers/ps380/index.html
> for more than you ever wanted to know about mainstream low end routers.

er.. aren't some of those the old Linksys, relabeled now that Cisco bought
them out? I have been told they (the Linksys stuff) are absolute
garbage, unstable as hell.

--
Copyright 2004 T. Sean Weintz
This post may be copied freely without
the express permission of T. Sean Weintz.
T. Sean Weintz could care less.
T. Sean Weintz is in no way responsible for
the accuracy of any information contained in
any usenet postings claiming to be from
T. Sean Weintz. Users reading postings from
T. Sean Weintz do so at their own risk.
T. Sean Weintz will in no way be liable for
premature hair loss, divorce, insanity,
world hunger, or any other adverse results
that may arise from reading any usenet
posting attributed to T. Sean Weintz

ALSO - FWIW, The following WHOIS Record is years out of date:
Weintz, Sean (SW2893) tweintz@MAIL.IDT.NET
Sean Weintz
462 Sixth Street , #A
Brooklyn, NY 11215
 
Guest
Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip,alt.internet.wireless

I have this same configuration at home. I've been thinking about exactly
what you're saying. In the diagram, the wireless devices can see the
individual wired devices with their individual IP addresses. The wired
devices see the entire WLAN as a single IP address due to the NAT function
in Router B.

Putting the WLAN in the middle seems to make more sense: there would be a
logical progression from the least secure network (Internet) to the
mid-secure network (WLAN) to the most secure network (wired LAN). This
means that traffic from the wired LAN to the Internet would pass through the
WLAN. Although this seems insecure, that traffic will be even less secure
when it gets to the Internet. Also, ONLY traffic to the Internet should
pass through the WLAN. Broadcast traffic on the wired LAN will stay on the
wired LAN, because broadcasts are not forwarded by routers, and unicasts
between wired LAN devices will also not be forwarded.

The reason that I put the wired router in the middle is that this router is
also my print server. By putting it in the middle, the wireless devices can
reach the printer. If I had put the WLAN in the middle, then the wired LAN
and print server would be hidden behind the wired router's NAT function.

Ron Bandes, CCNP, CTT+, etc.

"DaveC" <me@privacy.net> wrote in message
news:0001HW.BCE4715F001F6DFAF03055B0@news.individual.net...
> >> topology is
> >> WAN - FR314 - wired LAN (4 PCs) - MR814 - wireless laptops.
>
> I, too, don't understand how this can provide isolation of the wireless net
> from the wired. All traffic for the wireless subnet must pass through the
> wired net. Doesn't this make the wired segment -- by definition -- insecure?
>
> > WAN -> RouterA -> (RouterB & WiFiRouter)
> >
> > and then hang the secure LAN off RouterB and the insecure stuff off
> > WiFiRouter.
>
> Yeah, I also would use some configuration like this (view with monospace
> font):
>
> WAN
>  |
>  |
>  |
> Router A
>  |            |
>  |            |
>  |            |
> Wireless    Router B
> Router   +------+------+------+
>  ~ ~     |      |      |
>  ~ ~     |      |      |
>  ~ ~     |      |      |
> Wireless PC     PC     PC
> PCs
>
> This isolates the two subnets from each other. I'm using a similar topology
> to isolate 2 wired subnets. They need to be wired in *parallel* to have
> complete isolation, don't they?
> --
> DaveC
 

DaveC
Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip,alt.internet.wireless

On Thu, 3 Jun 2004 08:09:19 -0700, Ron Bandes wrote
(in article <zaHvc.1$jI2.323@news4.srv.hcvlny.cv.net>):

> I have this same configuration at home.

Not to niggle, but *which* config do you have?
--
DaveC
 
Guest
Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

DaveC wrote:


>>>Subnet mask: 0.0.0.0

>>I don't think it should ever be 0.0.0.0.
> How does one determine what this should be?

For the WAN link it should be specified by your ISP;
at the least 255.0.0.0, but likely even more ones
than that.

>>>RIP direction: both
>>>RIP version: RIP-2B

>>Probably you should turn RIP off. I can't see where it
>>would cause problems here, but it can.

> What is RIP? Where can I read about it?

RIP is Routing Information Protocol, to tell machines where
to find routers, as in dynamic routing. It is possible
that RIP will add routes or remove static routes that
you add.

>>>Netgear RP614v2 #1
>>>WAN Port:
>>>IP: 192.168.0.3 ### dynamically assigned ###

>>I would statically assign this, outside the DHCP range
>>of the 318.

> Or turn off DHCP on the 318 and assign a static IP in each of the 614's in
> what range? (If DHCP is off, can I assign 192.168.0.3, for example? Or is the
> DHCP range verboten even if DHCP is off?)

As you seem to understand, 192.168.x.y are class C nets, such
that 192.168.x is the network part, and y is the host part.
The netmask, default for 192.168 addresses, of 255.255.255.0,
specifies that the first three octets are the (sub)network
address and the last is the host. The first and last host
address, 0 and 255, are reserved, so you have 254 possible hosts
on each net. You could use DHCP for some of the 254 host
addresses and static addresses for the rest. Absolutely do
not assign static addresses within the DHCP range, as DHCP
could then assign the address to another host.

>>>### one static route configured to printer: 192.168.0.2 ###

>>You should not need a static route here. Hosts on the 614 LANs
>>should have a static route (DHCP assigned) to the 614s.
>>Routers should always know how to get to the directly attached
>>nets, unless you remove the route entry.
>
>
> Haven't specifically removed any routes, yet no computer was able to access
> the IP of the networked printer (plugged into the 318). If I remove the
> static route, no client can print from that subnet.

>>The 614's should have a WAN side static default route,
>>either through DHCP or statically assigned, pointing to the 318
>>LAN side.

> With my limited (but growing) understanding of all things IP, I was baffled
> at this, also. I presumed that if clients could get to the WAN, they should
> be able to get to the printer. But they can't, without a static route.

The router should be doing NAT, network address translation.
It must, or you couldn't get out. Well, the 318 must do
NAT, I suppose the 614's don't need to. If they aren't,
you would need static routes on the 318 pointing to each of
the 614s for the appropriate net. Is it possible that the 614s
are not doing NAT?

>>The only other thing I can think of is thermal. Are the
>>routers stacked so that one gets hotter? How about a fan
>>blowing over them to cool them a little more.

> They're stacked one on top of the other, but vertically (ie, parallel with
> the wall) such that heat easily flows in one side and out the other, without
> heating up each other. Large storage room, always low-mid 70's (F)
> temperature.

That sounds cool enough, though heat tends to flow vertically
unless they have fans blowing that direction.

-- glen
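Added example, not code from glen, Tom or anyone else in the thread, that works through the address/mask split and the static-versus-DHCP question discussed above using Python's standard ipaddress module. Only the 192.168.0.x / .1.x / .2.x addresses come from the thread; the 318's LAN being 192.168.0.0/24, its DHCP pool running from .2 to .50, and the number of static addresses wanted (printer plus two 614 WAN ports) are assumptions made so the functions have something to run against. It shows that the mask, not the count of decimal digits, decides which bits are network and which are host; that a netmask must be a solid run of 1 bits (so 0.0.0.0 on the WAN port is never right, and the real value comes from the ISP); and it flags a static address that sits inside the DHCP pool, which is the collision glen warns about.

```python
"""Address/mask split and static-vs-DHCP checks for a small /24 LAN.

Constructed example: the LAN, the DHCP pool and the number of static
addresses wanted are assumptions, not the poster's configuration.
"""
import ipaddress


def split_address(ip_str: str, mask_str: str):
    """Split a dotted address under a dotted mask into (network, host number).

    The mask decides the split, not the decimal digits:
    192.168.0.3 / 255.255.255.0 -> network 192.168.0.0/24, host 3.
    """
    iface = ipaddress.ip_interface(f"{ip_str}/{mask_str}")
    network = iface.network
    host = int(iface.ip) - int(network.network_address)
    return str(network), host


def mask_is_valid(mask_str: str) -> bool:
    """A netmask is a run of 1 bits followed by 0 bits, starting with a 1.

    0.0.0.0 (no network part at all) is never right for a link, and a
    hostmask like 0.0.0.255 or a gappy mask like 255.0.255.0 is rejected.
    """
    bits = int(ipaddress.ip_address(mask_str))
    if bits == 0 or (bits >> 31) != 1:
        return False
    try:
        ipaddress.ip_network(f"0.0.0.0/{mask_str}")   # raises on non-contiguous masks
    except ValueError:
        return False
    return True


def usable_hosts(net_str: str) -> int:
    """Host addresses left after the all-zeros (network) and all-ones (broadcast) ones."""
    return ipaddress.ip_network(net_str).num_addresses - 2


def check_static_assignment(static_ip: str, lan: str, dhcp_start: str, dhcp_end: str) -> str:
    """Classify a static address against the LAN and the router's DHCP pool.

    Returns 'ok', 'outside-lan', 'reserved' or 'in-dhcp-pool'. The last case is
    the one to avoid: the DHCP server may hand the same address to another host.
    """
    ip = ipaddress.ip_address(static_ip)
    net = ipaddress.ip_network(lan)
    if ip not in net:
        return "outside-lan"
    if ip in (net.network_address, net.broadcast_address):
        return "reserved"
    if ipaddress.ip_address(dhcp_start) <= ip <= ipaddress.ip_address(dhcp_end):
        return "in-dhcp-pool"
    return "ok"


def plan_static_addresses(lan: str, dhcp_start: str, dhcp_end: str, wanted: int):
    """Pick `wanted` static addresses in the LAN that lie outside the DHCP pool,
    skipping the router's own address (assumed to be .1) and the reserved ends."""
    net = ipaddress.ip_network(lan)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    chosen = []
    for ip in net.hosts():                 # .1 .. .254 for a /24
        if ip == net.network_address + 1:  # router itself
            continue
        if lo <= ip <= hi:                 # inside the pool
            continue
        chosen.append(str(ip))
        if len(chosen) == wanted:
            break
    return chosen


if __name__ == "__main__":
    LAN, POOL_START, POOL_END = "192.168.0.0/24", "192.168.0.2", "192.168.0.50"  # assumed
    print(split_address("192.168.0.3", "255.255.255.0"))      # ('192.168.0.0/24', 3)
    print(mask_is_valid("0.0.0.0"), mask_is_valid("255.255.255.0"))
    print(usable_hosts(LAN), "usable hosts")
    for candidate in ("192.168.0.2", "192.168.0.3", "192.168.0.51"):
        print(candidate, check_static_assignment(candidate, LAN, POOL_START, POOL_END))
    print("static candidates:", plan_static_addresses(LAN, POOL_START, POOL_END, 3))
```

Run as a script, the block reports the printer's .2 and the 614's .3 as inside the assumed pool and proposes .51 to .53 as static addresses clear of it. If the 318's DHCP server is switched off entirely, as Tom suggests, the pool check is moot and any host address in the /24 other than .0, .1 and .255 is available; if DHCP is ever re-enabled, the 614 WAN addresses and the printer still need to sit outside the new pool.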
 

DaveC
Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

On Thu, 3 Jun 2004 10:09:55 -0700, glen herrmannsfeldt wrote
(in article <CXIvc.1050$Sw.150@attbi_s51>):

> As you seem to understand

*barely* (see below)

> 192.168.x.y are class C nets, such
> that 192.168.x is the network part, and y is the host part.

By "network" you mean that the 9 digits uniquely define a network segment,
and by "host" you mean that the last 3 digits define one of 254 computers on
that segment?

> The netmask, default for 192.168 addresses, of 255.255.255.0,
> specifies that the first three octets are the (sub)network
> address and the last is the host.

This is where I get a bit lost. If you've already targeted your destination
computer by identifying a unique network segment with 9 digits and a computer
with 3 more (as above), what's the purpose of defining a sub-segment within
that already-defined network segment? I must have some understanding
inverted...

> The first and last host
> address, 0 and 255, are reserved, so you have 254 possible hosts
> on each net. You could use DHCP for some of the 254 host
> addresses and static addresses for the rest. Absolutely do
> not assign static addresses within the DHCP range, as DHCP
> could then assign the address to another host.

> That sounds cool enough, though heat tends to flow vertically
> unless they have fans blowing that direction.

Hmm... lemme try that again. They are stacked on top of each other (as they
would be on a desk or shelf), but turned 90 degrees and the stack is bolted
to the wall. So heat from one does not affect another (convection-wise,
anyway).
--
DaveC
 
Guest
Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

In article <0001HW.BCE3A4A40004E674F03055B0@news.individual.net>,
DaveC <me@privacy.net> wrote:
>
> To reiterate:
> When error occurs, computers connected to failed 614 router can ping each
> other, but not any of the routers (192.168.0.1, .1.1, or .2.1). Nor can they
> ping the printer (static route in the 318 router). Power cycle the failed
> router and all is well again for days (approx 10 days).
>

approx 10 days, repeatable?
well there goes my theory of a periodic/weekly cron job
on one of the clients causing strife up the wire...

Since you say it's always this particular one failing,
I'd still be looking for something happening on that subnet,
not necessarily inside the router box.
 

DaveC
Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

On Wed, 2 Jun 2004 22:19:34 -0700, J.Random Luser wrote
(in article <user-FEC552.17193403062004@scream.auckland.ac.nz>):

> Since you say it's always this particular one failing,
> I'd still be looking for something happening on that subnet,
> not necessarily inside the router box.

Suggestions? I'm clueless as to what would be causing it.

The client's got a medical db program running on one computer acting as a
server to the clients on the subnet. Other than that, just a browser.

The confusing thing is that applications are identical on both subnets; the
medical db app (MediMac) is running on both subnets. Identical subnets. One
router bonks out every week or two.

Stumped.
--
DaveC
 
Guest
Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet

"T. Sean Weintz" <sean@snerts-r-us.org> wrote in message
news:10bunusoeo2om3b@corp.supernews.com...
> shope wrote:
>
> > or - if you like integrated router / switches, try cisco 831s for a
> > reasonable SOHO router with embedded 4 port switch...... even Cisco gets
> > around to using good ideas :)
> >
> > see http://cisco.com/en/US/products/hw/routers/ps380/index.html
> > for more than you ever wanted to know about mainstream low end routers.
>
> er.. aren't some of those the old Linksys, relabeled now that Cisco bought
> them out? I have been told they (the Linksys stuff) are absolute
> garbage, unstable as hell.

No - real "cisco", and run IOS - same command line and tools as the bigger
brothers. The earlier version such as the 80x and 82x have the same software
versions and options, and pre-date cisco buying linksys.

Work has a couple 1000 of various 8xx routers deployed on ISDN, DSL and
other managed WANs.
--
Regards

Stephen Hope - return address needs fewer xxs
 
Guest
Archived from groups: comp.sys.mac.comm,comp.sys.mac.hardware.misc,comp.dcom.lans.ethernet,comp.protocols.tcp-ip

<William P.N. Smith> wrote in message
news:0jmsb0hi2lbh8v2mp3o1sfufmimf2japkr@4ax.com...
> "shope" <stephen_hope@xntlxworld.com> wrote:
> >FWIW i have 2 Netgears cascaded to isolate the "safe" wired LAN from
> >wireless.
> >
> >topology is
> >WAN - FR314 - wired LAN (4 PCs) - MR814 - wireless laptops.
> >
> >this lets wireless devices have internet access, but not get to wired shares
> >and printers.
>
> Do you only allow certain ports thru the MR814, or do you block
> NetBios, or what? I'd think to have real isolation you'd want:
>
> WAN -> RouterA -> (RouterB & WiFiRouter)
>
> and then hang the secure LAN off RouterB and the insecure stuff off
> WiFiRouter.

it isn't intended as a paranoia solution, just to limit access to Microsoft
shares etc on the wired network from wireless.

A knowledgeable hacker with some idea of the layout could probably break
through - this layout limits NetBIOS access since broadcast limiting and
address translation get in the way, but that isn't going to stop fixed port /
address attacks

1 reason for this choice is similar to a later post - the wired to WAN
router has URL filtering against an "adult" blocking database, and it was
important to keep that in place for a couple of child laptops going to the
internet, even when they use wireless.

The next stage may be another router..........
>
> --
> William Smith
> ComputerSmiths Consulting, Inc. www.compusmiths.com
--
Regards

Stephen Hope - return address needs fewer xxs
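Ron's point above (the wired LAN sees the WLAN as one NATed address, while wireless devices can see individual wired hosts) and Stephen's note that the cascaded layout only gets in the way of NetBIOS rather than stopping fixed-address attacks can be made concrete with a small reachability model. This is an added example, not code from any poster: the subnets, host addresses and the assumption that no port forwards are configured are mine. Each router is modelled as a NAT box that lets hosts on its LAN side open connections toward its WAN side and drops unsolicited connections arriving on the WAN port. The model says nothing about broadcasts, so it does not show the browse-list limits Stephen relies on; it only answers "can A open a TCP connection to B?" for the two layouts argued over in the thread, DaveC's parallel 318-plus-two-614s and Stephen's cascaded FR314-then-MR814.

```python
"""Connection-initiation model for cascaded vs parallel home-router layouts.

Constructed example. Routers are NAT boxes: LAN-side hosts may initiate toward
the WAN side; connections arriving on the WAN port are dropped (no port
forwards modelled). Subnets and host addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ip, net = ipaddress.ip_address, ipaddress.ip_network


@dataclass(eq=False)                     # compare routers by identity, not by field value
class Router:
    name: str
    lan: ipaddress.IPv4Network           # subnet served on the LAN ports
    upstream: Optional["Router"]         # router whose LAN our WAN port sits on; None = Internet
    nat: bool = True                     # consumer routers NAT unless configured otherwise


@dataclass(eq=False)
class Host:
    name: str
    addr: ipaddress.IPv4Address
    router: Optional[Router]             # router we are plugged into; None = on the Internet


def path_to_internet(router):
    """Routers between a segment and the Internet, nearest first, then None for the Internet."""
    out = []
    while router is not None:
        out.append(router)
        router = router.upstream
    out.append(None)
    return out


def can_initiate(src: Host, dst: Host):
    """Return (reachable, reason) for src opening a new connection to dst."""
    for h in (src, dst):
        if h.router is not None and h.addr not in h.router.lan:
            return False, f"{h.name} ({h.addr}) is not inside {h.router.name}'s LAN {h.router.lan}"
    outbound = path_to_internet(src.router)      # src may always travel outward through these
    inbound_chain = path_to_internet(dst.router)
    # First segment on src's outward path that also lies on dst's path to the Internet.
    meet = next(m for m in outbound if any(m is r for r in inbound_chain))
    # Routers below the meeting point on dst's side are crossed WAN -> LAN.
    crossed = []
    for r in inbound_chain:
        if r is meet:
            break
        crossed.append(r)
    for r in crossed:
        if r.nat:
            return False, f"{r.name} NATs its LAN; no inbound path from {src.name} to {dst.name}"
    return True, f"{src.name} -> {dst.name} reachable"


def build_parallel():
    """DaveC's layout: FVS318 on the DSL line, two RP614s in parallel below it,
    printer on the 318's LAN. Subnets are assumed /24s behind the .1 addresses."""
    r318 = Router("FVS318", net("192.168.0.0/24"), upstream=None)
    r614a = Router("RP614 #1", net("192.168.1.0/24"), upstream=r318)
    r614b = Router("RP614 #2", net("192.168.2.0/24"), upstream=r318)
    return {
        "printer": Host("printer", ip("192.168.0.2"), r318),
        "pc1": Host("pc1", ip("192.168.1.10"), r614a),
        "pc2": Host("pc2", ip("192.168.2.10"), r614b),
        "internet": Host("internet", ip("203.0.113.5"), None),
    }


def build_cascaded():
    """Stephen's layout: WAN - FR314 - wired LAN - MR814 - wireless laptops."""
    fr314 = Router("FR314", net("192.168.0.0/24"), upstream=None)
    mr814 = Router("MR814", net("192.168.1.0/24"), upstream=fr314)
    return {
        "wired": Host("wired PC", ip("192.168.0.10"), fr314),
        "laptop": Host("laptop", ip("192.168.1.10"), mr814),
        "internet": Host("internet", ip("203.0.113.5"), None),
    }


def reachability_matrix(hosts):
    """Which hosts can open a connection to which: {(src, dst): bool}."""
    return {(a, b): can_initiate(hosts[a], hosts[b])[0]
            for a in hosts for b in hosts if a != b}


if __name__ == "__main__":
    for label, hosts in (("parallel", build_parallel()), ("cascaded", build_cascaded())):
        print(label)
        for (a, b), ok in sorted(reachability_matrix(hosts).items()):
            print(f"  {a:>8} -> {b:<8} {'open' if ok else 'blocked'}")
```

In the cascaded layout the laptop can open a connection to the wired PC (it sits behind the wired LAN's router, not in front of it), while the wired PC cannot reach the laptop; the isolation is one-way, and in the direction that protects the wireless side. In the parallel layout each 614 LAN is blocked from the other in both directions, and both can still reach the printer on the 318 LAN, which is the pattern DaveC was after. Neither layout hides anything from a host that is already plugged into the top router's LAN, so that segment is the one to keep physically controlled.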