WAN + LAN advice needed

kayasaman
Level 1

Hi, this belongs in a new post as it is separate from my internet connection issue (as now I'm connected).

Basically what I would like to do is build a network out of my 7 machines (macs, pc's, and linux boxes).

Criteria:

I would like to have security in the network for router, wireless interface (encryption, username/password etc), a firewall.

Also because I will be running a web, vnc, and ssh-server I will need to forward ports from the WAN to my LAN.

I would like file/print sharing enabled for my machines to communicate.

I have played about with SDM-Express and have currently got MAC address filtering for my wireless. I'm guessing to forward ports I will need to do that via IP filtering. I tried this as well but it didn't work, as I think I got the wrong settings.

Also I turned on the firewall via SDM, but it told me that it wasn't going to put it on the ATM interface? I thought the ATM interface was my adsl modem, and that the firewall should be between the LAN and the WAN on a SOHO setup?

Currently I can connect to the internet with machines but I cannot connect them to each other or even ping each other from machine to machine (it works from router though).

Any advice or guides to documentation would be really helpful.

Thanks

paolo bevilacqua
Hall of Fame

Hi,

1. Stop using SDM; it produces confusing results and prevents you from learning.

2. Are you sure you need a firewall? You have NAT configured, so nobody can access anything from outside.

3. I suggest you do not use MAC address filtering. If you want to protect your wireless, configure a WEP key, which is much simpler.

4. What do you want to forward? The normal command is

ip nat inside source static interface

OK, I took all the SDM config off except for the MAC address filter access list, which works fine; basically any non-authorized computers can't gain access to services:

access-list 700 permit 000b.6b4b.c5d0 0000.0000.0000

access-list 700 deny 0000.0000.0000 ffff.ffff.ffff

but I will read up about configuring WEP keys as well, even though I don't think it's compatible with my Mac OS 9 machines?

If I wanted to forward, say, www port 80 from WAN to LAN, the command would be:

ip nat inside source static tcp 192.x.x.x 80 interface (ATM0 or Dialer0??) 80

And then there's still the problem of my internal network because at the moment I can't use any services like ping or file sharing, netbios (samba) or apple file share. Will I need to configure NAT to open all ports on internal network to achieve this?

Basically like:

ip nat inside source static interface for all ports ranging from 1 to port limit?

I managed to forward ports from WAN to LAN using the above advice and everything works fine!

Is there a way to monitor the incoming packets, though, via logging or a show statement, and also see which ports they are associated with?

Also my LAN still needs setting up, as I have no internal network access yet! Do I need to post that in the LAN/Routing part of the forum or is the command similar to that of the above?

Hi,

To see what "forwardings" are active, do show ip nat translations.

What in the LAN is not working?
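As an added example (not from the thread or from Cisco), the following Python turns text in the shape of show ip nat translations output into a per-port summary: which static forwards exist, which inside host each one points at, and which outside peers currently have a session through it. The sample output is constructed for this example, with addresses from documentation ranges, and the column layout is assumed to be the standard five-column form of that command.

```python
"""Summarise forwarded ports from `show ip nat translations` text.

Added example. SAMPLE_OUTPUT is constructed; it is not output from
the router in the thread. A row whose outside columns are '---' is the
static entry itself; rows that share its inside-global endpoint and carry
a real outside address are active sessions through that forward.
"""

SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.5:80     192.168.1.10:80    ---                ---
tcp 203.0.113.5:80     192.168.1.10:80    198.51.100.7:51234 198.51.100.7:51234
tcp 203.0.113.5:80     192.168.1.10:80    198.51.100.9:40022 198.51.100.9:40022
tcp 203.0.113.5:22     192.168.1.10:22    ---                ---
udp 203.0.113.5:1025   192.168.1.20:53    192.0.2.53:53      192.0.2.53:53
"""


def parse_translations(text):
    """Return one dict per translation row, skipping the header line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og})
    return rows


def split_endpoint(endpoint):
    """'192.168.1.10:80' -> ('192.168.1.10', 80); '---' -> (None, None)."""
    if endpoint == "---":
        return None, None
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def forwarded_port_summary(text):
    """Map (proto, outside port) -> {'inside': endpoint, 'peers': [hosts]}.

    Only ports with a static entry are reported; dynamic outbound
    sessions (such as the udp row in the sample) are not forwards.
    """
    rows = parse_translations(text)
    statics = {}
    for r in rows:
        if r["outside_global"] == "---":
            _, port = split_endpoint(r["inside_global"])
            statics[(r["proto"], port)] = {"inside": r["inside_local"], "peers": []}
    for r in rows:
        if r["outside_global"] == "---":
            continue
        _, port = split_endpoint(r["inside_global"])
        key = (r["proto"], port)
        if key in statics:
            peer_host, _ = split_endpoint(r["outside_global"])
            statics[key]["peers"].append(peer_host)
    return statics


if __name__ == "__main__":
    for (proto, port), info in sorted(forwarded_port_summary(SAMPLE_OUTPUT).items()):
        print(f"{proto}/{port} -> {info['inside']}: {len(info['peers'])} active peer(s) {info['peers']}")
```

Run it against pasted output from the router to see at a glance which forwarded ports are actually being used and by which outside addresses; a forward with peers you do not recognise is the one to look at first.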

In the LAN, nothing is working. I can't ping other computers within the LAN, or share files, or use any other services which I need.

(From the router I can ping, but not from one machine to the other.)

I don't know if this is a NAT issue or if I need to make an access list?

Hi,

What machines are these? If Win XP, be aware there is a firewall you should disable.

Are these using DHCP and getting an IP address correctly?

Hi, at the moment I've just linked my XP machines up not my linux boxes or macs.

They are connected statically, even though DHCP on the router is set to give addresses between 192....1 and 255.

I also disabled the firewall which I put on from SDM, but I still haven't even got ping working, let alone NetBIOS.

Hi,

The router has no role in communications for the systems on the same LAN. So the problem must be due to something else.

Pavel Bykov
Level 5

First try this:

interface BVI1

no ip access-group 100 in

If that won't enable your local communication, try the following:

Can you post your current config please?

When the ports of your local machines are in one VLAN, which they are, there is nothing that the switch does with the packets. Are you connecting the PCs over wired or wireless?

If you are using wireless, try wired.

Also, try pinging each PC's own IP address.

And also, check if you have different MAC addresses on the PCs. I had a problem where the cable connection was cable dependent and all PCs had the same MAC, so they could all communicate periodically to the internet, but not to each other.

This is the current config. Wired and wireless are bridged; my machines are connected by wireless!

I can ping a machine from itself, but other machines give "request timed out".

I have the Zone Alarm firewall on individual machines, which I even took down, and still the same problem?

Thinking about the config, could it be something to do with access list 1? That proper permissions haven't been set up?

Also I am trying to connect my Macs to the network and it's fine with OS X, but in OS 9 I can't find anywhere to enter the base station SSID. I have tried to set the computer to connect to "other" instead of scanning, but it won't give me any dialogs to enter SSID criteria?

Hi,

No, access list 1 has nothing to do with computers not connecting locally. It might be ACL 700, but that is active for wireless only.

Not sure what you should do for the Macs. Sometimes these have little hidden places to do the most obvious things.

Hi, I managed to fix the Mac problem. It was just OS 9 being weird and old!

The ACL 700 is just a MAC layer address list and, from what I know, just permits services to the "allowed" addresses. I enabled it via the Wireless Management web interface through SDM, but I don't know if IP filtering ties in with it, as it is a MAC filter.

I also thought that maybe it was the DHCP config clashing with the static machines within the DHCP address region?

Using debug, can I view what service is being 'allowed' on which IP address with vlan1? Perhaps that may help towards resolving my issue?

Thinking about it, if indeed the ACL 700 is to blame for my access issues, could it be something to do with the mask?

I read this from the help:

Entering 255.255.255.255 as the mask causes the access point to accept any IP address. If you enter 0.0.0.0, the access point looks for an exact match with the IP address you entered in the IP Address field.

Does it mean that by entering 0000.0000.0000 as I have done I am only limiting myself to access from the router? By entering 2552.5525.5255 would it mean that I will have access from everyone in the LAN?

I've tried testing it but to no effect and I'm just confused now!
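As an added example (not from the thread or from Cisco), the following Python evaluates a Cisco-style wildcard mask the way IOS does for both the MAC entries of access-list 700 quoted above and IPv4 standard ACL entries such as access list 1. In a wildcard mask a 0 bit means "this bit must match" and a 1 bit means "don't care", so 0000.0000.0000 is an exact match of the one listed MAC and ffff.ffff.ffff matches every address; the rule is the same for IP, where 0.0.0.0 is an exact host match and 255.255.255.255 matches anything. The ACL_700 entries are the two from the thread; the IP ACL entry and the test addresses are constructed for the example.

```python
"""Cisco-style wildcard-mask matching for MAC (ACL 700) and IPv4 ACLs.

Added example, not router code. Entries are walked top-down, the first
match decides, and an unmatched address hits the implicit deny at the end.
"""
import ipaddress


def mac_to_int(mac):
    """Accept dotted-hex ('000b.6b4b.c5d0'), colon or dash notation -> int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def wildcard_match(value, pattern, wildcard):
    """True when value equals pattern in every bit the wildcard marks as 0.

    Clearing the 'don't care' bits on both sides and comparing is exactly
    what the router does; a wildcard of all ones therefore matches anything
    and a wildcard of all zeros requires an exact match.
    """
    return (value & ~wildcard) == (pattern & ~wildcard)


def evaluate_mac_acl(acl, mac):
    """Return 'permit' or 'deny' for a MAC address against ACL 700-style entries."""
    m = mac_to_int(mac)
    for action, pattern, wildcard in acl:
        if wildcard_match(m, mac_to_int(pattern), mac_to_int(wildcard)):
            return action
    return "deny"  # implicit deny at end of every Cisco ACL


def evaluate_ip_acl(acl, ip):
    """Same rule for IPv4 standard ACL entries ('permit 192.168.1.0 0.0.0.255')."""
    a = int(ipaddress.IPv4Address(ip))
    for action, pattern, wildcard in acl:
        p = int(ipaddress.IPv4Address(pattern))
        w = int(ipaddress.IPv4Address(wildcard))
        if wildcard_match(a, p, w):
            return action
    return "deny"


# The two access-list 700 entries quoted in the thread.
ACL_700 = [
    ("permit", "000b.6b4b.c5d0", "0000.0000.0000"),  # exact match: this one client
    ("deny",   "0000.0000.0000", "ffff.ffff.ffff"),  # every other address
]

# Constructed IP ACL entry for comparison (not from the thread).
ACL_1 = [
    ("permit", "192.168.1.0", "0.0.0.255"),  # any host in 192.168.1.0/24
]


if __name__ == "__main__":
    for mac in ("000b.6b4b.c5d0", "00:0b:6b:4b:c5:d1"):
        print(f"ACL 700 {mac}: {evaluate_mac_acl(ACL_700, mac)}")
    for ip in ("192.168.1.77", "192.168.2.1"):
        print(f"ACL 1 {ip}: {evaluate_ip_acl(ACL_1, ip)}")
```

Run against the thread's own entries, the first line admits exactly one wireless client and the second denies everything else, which is what the poster observed; changing the first wildcard to ffff.ffff.ffff would admit any station regardless of its address. Note that an ACL 700 filter only gates which stations may associate; it is not encryption and does not affect traffic between two hosts that are both already permitted.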
