If you still think wireless security is useless because you have nothing to hide ...

Thanks everyone for the replies.

The most important thing first...I have the AT&T "High Speed Internet Pro S" plan, which is one of their Business Services plan (even thought this is at my home), which includes five static IP addresses. My WAN IP address has never changed.

...............
It sounds like there are (at least) three possible problems here...1) My ISP (AT&T) has something configured incorrectly which is keeping me from using the other four static WAN IP addresses that I've been paying for these last ten years, and/or 2) My ten year old Speedstream DSL modem is keeping this from working, and/or 3) I really don't have a static IP plan even though my bill says I do and I've been getting the same WAN IP address for years.

Thanks,
Ira


I think you should check with AT&T to make sure they are allowing the 5 IP addresses. I would think that AT&T does not like having IP addresses just show up. Yes, you have had it for 10 years but that assumes that AT&T has kept your configuration current. Also, you can ask AT&T about your Speedstream DSL modem and its ability to support multiple fixed IP addresses.
 
Update...

I called AT&T support. After the required 30 minutes on the phone with someone without a clue, they put me thru to level 2. I didn't really get any specific help on my setup from level 2 either, because she basically shut down when I told her I'm using Netgear routers (i.e., non-AT&T equipment). I asked her what equipment AT&T would provide for this, and she said a Motorola (Netopia) 3347 modem/router in bridge mode, and plug the Netgear routers into the 3347 LAN ports (which sounds logically similar to my DSL modem with a switch hanging off of it).

I called the local AT&T store and they said they had one in stock, but when I arrived ten minutes later, they didn't have one ("they usually do"). So I got a 2wire 2701 DSL modem/router from them instead since it has a 30-day money back deal.

Level 2 did tell me a couple of things that might be clues to why my setup doesn't work, and maybe how it will. She said I have eight static IP addresses, ".16" thru ".23". ".22" is my gateway IP address, and ".16" and ".23" are used for something that I had never heard of. So I'm supposed to be able to use ".17" thru ".21", and I should use a subnet of ".248". I have been using 151.164.182.60 as the gateway because that's what shows up in my router status screen when I get one connected. So maybe I need to use an IP address of nnn.nnn.nnn.17 thru .21 with a gateway address of nnn.nnn.nnn.22 and a subnet of ".248".

Thanks,
Ira
 
I guess that means that your mask is 255.255.255.248 and you have 6(5) IPs.

What did she say your first three octets were?

Looks like your subnet is:

151.164.182.16/255.255.255.248/29
151.164.182.17-151.164.182.22
Gateway is: 151.164.182.22
Subnet ID: 151.164.182.16
Broadcast address: 151.164.182.23
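The same breakdown computed rather than worked by hand, as an added Python example (not code from the thread): given any address in the block plus the mask the ISP quoted, it derives the network, broadcast and usable range, and checks whether a candidate gateway is actually on-link.

```python
import ipaddress


def isp_block(sample_ip: str, mask: str) -> dict:
    """Derive the static block from any address in it plus the ISP's mask.

    The thread's numbers: 151.164.182.22 (gateway) and mask 255.255.255.248 (/29).
    """
    net = ipaddress.ip_network(f"{sample_ip}/{mask}", strict=False)
    hosts = list(net.hosts())  # everything except network and broadcast
    return {
        "prefix": net.prefixlen,
        "network": str(net.network_address),      # .16, reserved
        "broadcast": str(net.broadcast_address),  # .23, reserved
        "usable": [str(h) for h in hosts],        # .17 through .22
    }


def customer_addresses(sample_ip: str, mask: str, gateway: str) -> list:
    """Usable addresses minus the one the ISP keeps for its own gateway."""
    return [a for a in isp_block(sample_ip, mask)["usable"] if a != gateway]


def gateway_is_on_link(gateway: str, sample_ip: str, mask: str) -> bool:
    """True only if the gateway sits inside the customer's block.

    A gateway learned via DHCP (like the .60 in the router's status screen)
    can be outside the block, which is why it cannot serve as the gateway
    of a static configuration on this /29.
    """
    net = ipaddress.ip_network(f"{sample_ip}/{mask}", strict=False)
    return ipaddress.ip_address(gateway) in net
```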
 
I guess that means that your mask is 255.255.255.248 and you have 6(5) IPs.

What did she say your first three octets were?

I would rather not post them, but they were what I expected. They were the ones I am getting when I tell the router to get the WAN IP address from the ISP, and the ones I'm using when I try to provide a static WAN IP address.

I tried several of the things I mentioned in my last post. None worked.

One confusing thing is what shows up in my router's WAN status screen for the gateway when it connects. It shows 151.164.182.60. This IP address belongs to AT&T (SBC), but none of the octets match my static IP addresses. The level 2 tech didn't know what it was either, which I thought was really odd.
 
It's because it's still getting an address via DHCP and you are still requesting it on your side of the modem. BTW you can just substitute your first 3 octets above and the 4th octet will be fine.

Funny because we had public IPs on all of the computers (> 100K) on the network we had due to ancillary desktop setups.

Configure your router on the wan side with a static IP like the first one you provided, gateway IP and mask as mentioned earlier.

Try to put in all the WAN stuff manually. IP, Subnet mask, Gateway and see if you can ping the gateway address and an internet address.

Can you telnet to the router? It would be easier if you could.
 
Lou...it sounds like your networks really are separate, i.e., there isn't much traffic between them. In my case, I will be having a lot of shared traffic between the two LANs. Mostly it will be laptops connected via wireless to my wireless router (my wireless LAN) needing to get to NAS boxes on the wired LAN. So I still have the question regarding data flow between my two private LANs. Can routing rules be set up to go from my wireless private LAN to my separate wired private LAN without going thru the DSL modem or ISP? If I use a SSL VPN connection on my laptop connected to my wireless LAN to get into my wired LAN, will all traffic be going back thru the ISP?


Thanks,
Ira

First off I can tell you that if you install vpn routers on two of your LANs and link them, communication between the two LANs will be seamless. I have my vpn router at home and work and it links the two networks together with no probs. There may be other ways to do it when the two LANs are right next to each other, but my guess would be there isn't a secure way to do it when each LAN is on its own public IP.

The second issue is that I bet your modem isn't supporting more than one WAN IP address pass through at a time. Not sure on that. The one I am using is the Netopia 3546-002 which is what they included with it like 6 years ago. It might just be your settings on the modem as well.


Edit: Here is the modem I have. Assuming this ebay item is in working order it should work for you since it works for me and I think I have the same ATT service as you. For $29 buy it now shipped, I would do it. In fact, I might buy one as a backup.

http://cgi.ebay.com/Netopia-Cayman-3546-002-Cayman-3500-Broadband-Router-/280593719181?pt=COMP_EN_Routers&hash=item4154b05f8d

And an FYI, a couple years ago it started getting flaky on me, I thought I needed a new one but it turns out the power supply started losing amps resulting in borderline function. A new power supply and it has been good since.
 
Update...after purchasing the 2Wire DSL modem/router (because the local store didn't have the AT&T Level 2 tech recommended Motorola Netopia 3347), I called AT&T Level 2 to ask if the 2Wire would work. She said it would, but for the same price, the 3347 is much better. It turns out that the 3347 is the modem/router AT&T currently gives to its business DSL customers. I ordered a 3347 online from AT&T and it should be delivered tomorrow. Maybe there is a way to do what I want without the 3347, but at least with it, I can get support from AT&T.

Thanks,
Ira
 
Update...I got the Motorola/Netopia 3347 modem/gateway/router installed. DSL line connects directly to it. It is set up to acquire its WAN IP address from the ISP, which gets the static IP address set up as the gateway (nnn.nnn.nnn.22). It has a LAN IP address of 192.168.1.1. The 3347 has wireless capability, but I have it disabled.

The two Netgear routers have their WAN ports connected to LAN ports on the 3347. The routers are set up to use static IP addresses on the WAN side, but the static IP addresses are not the real static IP addresses assigned by the ISP. Instead, they are 192.168.1.nnn with a subnet mask of 255.255.255.0. The 3347 uses IP mapping to map a real static IP address (nnn.nnn.nnn.21 and nnn.nnn.nnn.20, respectively) to each router's LAN IP address (192.168.1.nnn).

Each router has a different private IP address subnet. One is 192.168.2.nnn and the other is 192.168.3.nnn. The routers' DHCP servers are set up to dynamically assign the same private IP address to each laptop based on the laptop's MAC address and the NIC it is using, i.e., wired or wireless. The Netgear SRXN3205 router has wireless built in, and it will be the primary wireless AP. That way, I will always know the IP address of the laptop depending on which router it is connected to and how it is connected.

So far, everything works great. I can get to the internet from PCs on either router. I can get to either router via its public IP address. The private LANs are isolated from each other. I can establish a SSL VPN connection between a PC on the wired LAN and the wireless router's LAN. I need to do a router firmware update on the wired router (to get 64 bit support) before I can establish a SSL VPN connection from a wireless LAN PC to the wired LAN. I did a tracert from a PC on the wireless LAN to the public IP address for the wired router, and it goes to the 3347 but doesn't go back to the ISP. I guess the 3347 has enough smarts in it to route it directly to the wired router? One potential negative is that the router side of the 3347 is 100Mb instead of Gb like the rest of my LAN, so traffic going thru it is not as fast as between other switches. However, in reality it's not a problem because I will probably only be going between LANs when the PC is using a wireless connection, so that will limit it more than the 100Mb router.

Two things left to do...first, make a printer on the wired LAN available to a PC on the wireless LAN, without having to establish a VPN connection first. I thought of hanging the printer off the 3347 router and IP map a static IP address to it. Not sure if that will work, and not sure if it is a good idea to do so. Any other way to do this via routing rules, port forwarding, etc.? If so, specific instructions, please.

Second...I want to make establishing the SSL VPN connection to the wired LAN as simple as possible. I can create a desktop icon that when clicked will open Internet Explorer and go to the URL that will display the wired LAN's SSL VPN login screen. I would like to take it one step further and actually have the user ID (and optionally, the password) entered on the login screen. That way, all my wife has to do is click on the desktop icon, then click on the login screen's continue button. If I could automate the continue button, that would be even better. The vendor doesn't have any suggestions on how to do any of this. Anyone know of a way?

Thanks,
Ira
 
The easiest way to work between the various LANs is to use vpn routers. Once the routers are linked, everything routes through using the 192.168.x.x addresses as though both networks were the same LAN. If you have a server setup on the network you can even use it to serve up your DNS allowing use of proper names. I set things up about 8 years ago using Linksys befvp41 routers. They discontinued these a little bit ago but you can still get new ones. Of course, there are other models currently in production that do the same thing.

If you don't use vpn routers, I know of no way to get to the printer short of using port forwarding and opening the printer up to the outside world.
 
So help me out here - what's the point of two separate networks if you join them via VPN?

The only reason I could see was to isolate wifi LAN from regular home LAN - then using a VPN client on the PC itself to connect from the wifi side to the protected side.
 
Yeah. Guess you're right there. I connected my office to home because I wanted a single environment. That is where my mind was.

Of course the vpn routers can be connected/disconnected from each other. So you could isolate the networks except during those times when you did want connectivity.
 
So help me out here - what's the point of two separate networks if you join them via VPN?

The only reason I could see was to isolate wifi LAN from regular home LAN - then using a VPN client on the PC itself to connect from the wifi side to the protected side.

You nailed it. It's basically a variation of some of the other techniques discussed in this thread to isolate the wired and wireless home networks. My wife often works from home and connects to her company's LAN via a wireless connection to my home LAN, then a Cisco VPN connection (split tunnel mode) to her company's LAN. But she also needs access to a network-attached printer on my home LAN. It worked fine before because in split tunnel mode, she had access to her company LAN and my LAN. With the new setup, it doesn't work because of the separate home LANs. I haven't tried concurrent VPN connections (SSL VPN to my wired LAN and Cisco VPN to her company's LAN) on her PC, but my experience with Cisco VPN clients is they don't play well with other VPN clients.

The only VPN connections between the two home networks will be when one of us is on a non-company laptop or other device using a wireless connection. We will then SSL VPN to the wired network to be able to access printers, NAS boxes, etc.

I guess my best shot is to try to set up some routing rules and/or port forwarding. Maybe one of the routers will allow me to permit only certain IP addresses or MAC addresses to get thru to the printer.
 
That makes sense - using a VPN that doesn't directly bridge the two networks, but allows only specific traffic to pass to/from specific IP's and ports. I've done that on an enterprise scale enough times - just never at home.

Another thing you can do is create a subnet for shared devices and allow the subnets for work computers and the home subnet to talk to this shared subnet, but not to each other.
 
I got it to work. On a PC on the wireless side, I defined a new printer with a TCP/IP address of nnn.nnn.nnn.21 (public IP address mapped to my home wired LAN). Printer is defined exactly the way it was before except for the public IP address instead of the private IP address.

In the wired router, I set up a new service called "Printer", type "TCP", port "9100". I then set up an inbound services routing rule for "Printer" that forwards the traffic to my printer on the wired LAN, and forces it to port 9100 (not sure if that was necessary or not). I also restricted inbound requests for this rule to the public IP address mapped to my wireless router (nnn.nnn.nnn.20). I printed a test page from the wireless LAN PC and it worked fine. Just to make sure I didn't open it up to everyone, I changed the rule to only allow a different IP address (nnn.nnn+1.nnn.20), printed a test page, and it never printed. The PC on the wireless LAN eventually showed a printer error in the printer dialog.

So is it really this easy, or have I opened up a serious security exposure by doing it this way?
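The inbound rule described above, modelled in Python as an added example (not the Netgear firmware's own logic): the unrestricted form beside the source-restricted form, evaluated against a few constructed inbound attempts. All addresses are constructed stand-ins for the thread's nnn.nnn.nnn.20 and for the printer's wired-LAN address.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ForwardRule:
    """One inbound-services rule: match protocol and port, optionally
    restrict the source, then forward to a LAN host."""
    proto: str
    dport: int
    forward_to: str
    allowed_sources: tuple  # CIDR strings; empty tuple means anyone (the weak form)

    def decide(self, proto: str, src: str, dport: int) -> str:
        if proto != self.proto or dport != self.dport:
            return "no-match"
        if self.allowed_sources and not any(
            ipaddress.ip_address(src) in ipaddress.ip_network(n)
            for n in self.allowed_sources
        ):
            # Dropped attempts from other sources are the signal worth
            # logging: they are someone else looking for an open port 9100.
            return "drop"
        return f"forward:{self.forward_to}:{self.dport}"


# Constructed values (documentation ranges), not the thread's real addresses.
WIRELESS_PUBLIC = "203.0.113.20"   # public IP mapped to the wireless router
PRINTER_LAN = "172.16.1.50"        # assumed printer address on the wired LAN

# Weak: any internet host reaching the wired router's public IP gets the printer.
OPEN_RULE = ForwardRule("tcp", 9100, PRINTER_LAN, ())
# Restricted: only the wireless router's public address is forwarded. For TCP the
# source check is reliable because a spoofed source cannot complete the handshake;
# it does nothing against whoever legitimately holds that address.
RESTRICTED_RULE = ForwardRule("tcp", 9100, PRINTER_LAN, (WIRELESS_PUBLIC + "/32",))

# Constructed sample of inbound connection attempts: (proto, source, dst port).
SAMPLE_INBOUND = [
    ("tcp", WIRELESS_PUBLIC, 9100),  # the wireless LAN PC printing, as intended
    ("tcp", "198.51.100.7", 9100),   # an unrelated host probing the printer port
    ("tcp", WIRELESS_PUBLIC, 443),   # a different port; not this rule's business
]


def evaluate(rule: ForwardRule, packets) -> list:
    """Apply one rule to each attempt and return the decisions in order."""
    return [rule.decide(*p) for p in packets]
```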
 
Making progress...upgraded firmware on wired router and I'm now able to establish an SSL VPN connection (full tunnel mode) from a laptop connected to the wireless router to my wired router.

Another question...let's say that I'm using 192.168.1.nnn for private addresses on the "LAN side" of the DSL modem/router/gateway. That means the gateway has a LAN address of 192.168.1.1, and the two routers connected to it have "WAN addresses" of 192.168.1.3 and 192.168.1.4, respectively. On the two routers, I now have both LANs set up using the same private network addresses, e.g., 172.16.1.nnn. Both routers have private LAN addresses of 172.16.1.1, and have their DHCP servers giving out 172.16.1.100-200 (although the wired router doesn't really give out any addresses because I assign static (private) IP addresses to each wired device connected to it, and there aren't any wireless devices on that router). Using the same private network addresses on both routers allows me to move a wired device from one to the other (if I need to) without having to change its static IP address. I can't ping from the wired private network to the wireless private network, or vice versa, which is good. When I establish the SSL VPN connection from wireless to wired, I can see all the devices on the wired network, which is good.

So is there anything negative about having both private networks using the same IP address range? I think I should probably set up the DHCP servers and SSL VPN client IP address ranges so none of them overlap. Anything else?

Thanks,
Ira
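The overlap check mentioned in the last post, written out as an added Python example (not the routers' own tooling): every address pool is a first-to-last span, and the function reports which named pools share addresses. The "as posted" pools follow the description above (both routers on 172.16.1.0/24 with DHCP 172.16.1.100-200); the wired static block and the SSL VPN client pool are constructed assumptions, and the second plan keeps the same /24 on both routers while giving each pool its own slice.

```python
import ipaddress


def span(first: str, last: str) -> tuple:
    """Inclusive address span as a pair of integers; rejects reversed ranges."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if lo > hi:
        raise ValueError(f"span {first}-{last} is reversed")
    return (lo, hi)


def overlapping_pairs(pools: dict) -> list:
    """Every pair of named spans that share at least one address."""
    names = list(pools)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = pools[a], pools[b]
            if max(alo, blo) <= min(ahi, bhi):
                hits.append((a, b))
    return hits


# As described in the post; wired_static and sslvpn_clients are assumed values.
AS_POSTED = {
    "wired_static": span("172.16.1.2", "172.16.1.99"),
    "wired_dhcp": span("172.16.1.100", "172.16.1.200"),
    "wireless_dhcp": span("172.16.1.100", "172.16.1.200"),
    "sslvpn_clients": span("172.16.1.150", "172.16.1.170"),
}

# Same /24 on both routers, but each pool carved out of a distinct slice, so a
# wireless laptop's own address can never collide with a VPN-assigned one.
DISJOINT = {
    "wired_static": span("172.16.1.2", "172.16.1.99"),
    "wired_dhcp": span("172.16.1.100", "172.16.1.149"),
    "wireless_dhcp": span("172.16.1.150", "172.16.1.199"),
    "sslvpn_clients": span("172.16.1.200", "172.16.1.219"),
}
```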
 