Well it seemed like a good idea...

OK, it looks like I'm missing something...

I need to add a wireless hub to my LAN. However, for security's sake I wanted to attach it outside my firewall and let the users come in via Windows Remote Desktop just like they do from home.

So here is what I did (feel free to snicker)

We have a DSL line. I took the Ethernet line coming out of the DSL modem and ran it into a 4-port hub. Into that hub I plugged in the Wireless router and the firewall. I took one of our five static IP addresses and configured the wireless router using that IP address. I assigned the other four static IP's to the main firewall.

Now I can use the wireless router to access the Internet at large but when I try to use remote desktop to tunnel into our system the wireless LAN cannot "see" any of the static IP's assigned to the firewall. I suspect it's a subnetting issue where the wireless router thinks it owns all the static IP's but I can't seem to work out the issue.

Is there a way to set a subnet to ONE address? Is that really the issue?

Thanks for any help.

Scamp

I think you correctly pinpointed the problem. But I'm confused about what you mean when you say you "assigned the other four static IP's to the main firewall." Which side of the firewall?

Firewalls are essentially like routers. If these 4 IP addresses are assigned to the Ethernet hub side of the firewall, i.e. to the same side as the ADSL modem, then what addresses are used by the hosts connecting to the other side of the firewall, i.e. "behind" the firewall?

If you are given 5 static IP addresses, presumably these apply to the Ethernet side of the ADSL modem. I'll guess that the subnet mask you were given to use is 255.255.255.248. I'll guess that the Ethernet side of your ADSL modem is given one of the 6 addresses available in this subnet, and that 5 remain for hosts connected directly to the in-home Ethernet.

Of the remaining 5 addresses, I would think one would be assigned to the unprotected side of the firewall and one is assigned to the wireless router. That leaves only three addresses, usable only by hosts connected to the hub. Not by hosts behind the firewall or behind the wireless router.

I'll assume that both the wireless router and the firewall are behaving like NATs, translating the one public IP address they are assigned into a set of private IP addresses on the other side? And that as a result of this, you'll have a tough time routing traffic between the two private IP subnets, even if you can see the Internet from behind either box.

The easiest solution to the problem is to delete that stand-alone firewall and use the firewall built into Windows on all your cabled hosts. Then you will have 4 static IP addresses to assign to 4 in-home computers, and these should be visible from the wireless hosts.

If this works, as it should, then there might be a way to statically map the three remaining public IP addresses to three private IP addresses behind the firewall. If you can statically map these, 1 for 1, the firewall should have no trouble routing packets to the right host. But it might still be easier to just delete the stand-alone firewall.

Bert

Albert Manfredi
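
The /29 arithmetic guessed at in the reply above, as an added example that is not part of the original thread: it lists the addresses left once the modem takes one, and shows how the mask configured on a router's WAN port decides whether a neighbouring public address is reached directly on the hub or handed to the gateway. The 203.0.113.x addresses and the function names are constructed for illustration; the thread's real addresses are masked.

```python
import ipaddress

def subnet_plan(network, modem_ip):
    """Usable host addresses in `network` once the modem has taken one."""
    net = ipaddress.ip_network(network)
    modem = ipaddress.ip_address(modem_ip)
    hosts = list(net.hosts())          # excludes network and broadcast addresses
    if modem not in hosts:
        raise ValueError(f"{modem} is not a usable host in {net}")
    return [h for h in hosts if h != modem]

def next_hop(wan_ip, mask, gateway, dest):
    """Forwarding decision of a router whose WAN port is wan_ip/mask.

    'on-link' means the router ARPs for dest itself on the shared hub;
    'via <gateway>' means it hands the packet to the default gateway.
    """
    iface = ipaddress.ip_interface(f"{wan_ip}/{mask}")
    dest = ipaddress.ip_address(dest)
    if dest == iface.ip:
        return "self"
    if dest in iface.network:
        return "on-link"
    return f"via {gateway}"

# Constructed layout: 255.255.255.248 block, modem on the first host address.
BLOCK = "203.0.113.56/255.255.255.248"
MODEM = "203.0.113.57"
FIREWALL = "203.0.113.59"     # public address the firewall answers on
WIRELESS = "203.0.113.60"     # WAN address of the wireless router

if __name__ == "__main__":
    print("left for in-home devices:", [str(h) for h in subnet_plan(BLOCK, MODEM)])
    for mask in ("255.255.255.248", "255.255.255.255"):
        print(f"wireless WAN mask {mask}: firewall address is",
              next_hop(WIRELESS, mask, MODEM, FIREWALL))
    print("Internet host:", next_hop(WIRELESS, "255.255.255.248", MODEM, "198.51.100.10"))
```
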

Bert:

Thanks for the extended reply.

Our ISP has given us 5 static ip's with our DSL connection.

xx.xx.xx.60 - xx.xx.xx.64

xx.xx.xx.60 goes to the firewall and is routed to the internal mail server (ie mail.foo.com)

xx.xx.xx.61 goes to the firewall and is routed to various remote desktops (based on the port #)

xx.xx.xx.62 is the wireless router which NATs its own LAN (192.168.0.1 - 192.168.0.255)

xxx.xx.xx.63 and xx.xx.xx.64 are not currently used.

Behind the firewall is the main LAN (192.168.1.1 - 192.168.1.255) with dozens of PCs.

From the outside world we can point any PC's remote desktop client at xx.xx.xx.61:yyyy (where yyyy is a pre-assigned port number) to get remote access. That is what I want to be able to do from the wireless router, and it works for ANY address except xx.xx.xx.61.

Scamp

As you asked in an ethernet newsgroup, you get an ethernet answer.

Connect an ethernet switch between your DSL modem and the WAN ports of the two routers.

Many NAT implementations don't know how to route back to themselves, which is what it needs to do to get to a .61 address from inside.

If you want an IP solution, ask in comp.protocols.tcp-ip

-- glen

glen herrmannsfeldt
