881W NAT and Firewall

Hello all,
I recently configured my 881W for dual SSID, and NATing to separate the VLAN traffic. Afterwards, I used Cisco Configuration Professional to configure the firewall for medium security, and then I tested it by connecting it to my U-Verse residential gateway in DMZplus mode. I was able to get a DHCP address from my ISP to the 881W, but I can't resolve DNS, or get to any outside internet sites. Based on my configuration below, does anyone have any insight into what could be wrong?

R1-881W#show run
Building configuration...
Current configuration : 14484 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname R1-881W
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1392450818
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
  <some cert>
        quit
no ip source-route
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
ip dhcp pool Private
   import all
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   dns-server 172.16.1.1 255.255.255.0
ip dhcp pool Guest
   network 192.168.12.0 255.255.255.0
   default-router 192.168.12.1
   dns-server 192.168.12.1 255.255.255.0
ip cef
no ip bootp server
ip domain name somedomain.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
no ipv6 cef
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
username someuser privilege 15 secret 5 xxxxxxxxxxxxxx
archive
log config
  hidekeys
ip tcp synwait-time 10
ip ssh version 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match  invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match  file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match  service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match  service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match  service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match  invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match  file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match  service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match  service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect http match-any ccp-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match  file-transfer
match  text-chat
match  search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match  file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match  service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match  search-file-name
match  text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match  file-transfer
class-map type inspect http match-any ccp-http-allowparam
match  request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
  log
  allow
class type inspect edonkey ccp-app-edonkeydownload
  log
  allow
class type inspect fasttrack ccp-app-fasttrack
  log
  allow
class type inspect gnutella ccp-app-gnutella
  log
  allow
class type inspect kazaa2 ccp-app-kazaa2
  log
  allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
  log
  allow
class type inspect msnmsgr ccp-app-msn
  log
  allow
class type inspect ymsgr ccp-app-yahoo
  log
  allow
class type inspect aol ccp-app-aol-otherservices
  log
  reset
class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
  log
  reset
class type inspect http ccp-app-httpmethods
  log
  reset
class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
  service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
  inspect
  service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
  inspect
  service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
interface Null0
no ip unreachables
interface FastEthernet0
switchport access vlan 11
interface FastEthernet1
interface FastEthernet2
switchport access vlan 11
interface FastEthernet3
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
shutdown
duplex auto
speed auto
no cdp enable
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 100 interface FastEthernet4 overload
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
control-plane
banner login ^CWarning!  Authorized Access Only!^C
line con 0
password 7 xxxxxxxxxxxxxx
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 xxxxxxxxxxxxxx
transport input telnet ssh
transport output telnet
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Henrik,
I redid the changes you suggested (excluding the config to make the guest-zone only allowed to ping and get an IP address from the router). I cannot connect to the internet from VLAN12. Here is my config below:
R1-881W#show run
Building configuration...
Current configuration : 8875 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname R1-881W
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1234567890
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
        quit
no ip source-route
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
ip dhcp pool Private
   import all
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   dns-server 172.16.1.1 255.255.255.0
ip dhcp pool Guest
   network 192.168.12.0 255.255.255.0
   default-router 192.168.12.1
   dns-server 192.168.12.1 255.255.255.0
ip cef
no ip bootp server
ip domain name lab.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
no ipv6 cef
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
username somerookieuser privilege 15 secret 5 xxxxxxxxxxxxxxx
archive
log config
  hidekeys
ip tcp synwait-time 10
ip ssh version 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
match access-group name GUEST-TO-OUTSIDE_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
  pass
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
  pass
class class-default
  drop
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
class class-default
  drop
zone security out-zone
zone security in-zone
zone security guest-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
service-policy type inspect GUEST-TO-OUTSIDE_PMAP
interface Null0
no ip unreachables
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
no cdp enable
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security guest-zone
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
ip access-list extended GUEST-TO-OUTSIDE_ACL
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended NAT_ALLOWED
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
logging trap debugging
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
control-plane
banner login ^CWarning!  Authorized Access Only!^C
line con 0
password 7 somestrongpassword
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 somestrongpassword
transport input telnet ssh
transport output telnet
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
R1-881W#
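As an added example for this page (my own code, not part of either post above and not a Cisco tool), here is a small Python linter that applies to a running-config the checks behind both questions: a zone-pair that has no service-policy attached (ccp-zp-self-out in both configs), a class in an inspect policy-map that carries no inspect/pass/drop action (GUEST-TO-OUTSIDE_CMAP in the second config), an interface that sits in a security zone but is shut down (FastEthernet4 in the first), and an `ip nat inside` subnet that the NAT ACL never matches (Vlan11 and Vlan12 against access-list 100 in the first config, Vlan11 against NAT_ALLOWED in the second). The embedded SAMPLE_CONFIG is a constructed excerpt that mirrors those patterns; it is not either posted config verbatim, and the check names are mine.

```python
"""Lint a Cisco IOS config for zone-based-firewall (ZBF) and NAT slips that
break outbound traffic.  Added example for this page, not a Cisco tool and not
code from the original post; the check names are mine and SAMPLE_CONFIG is a
constructed excerpt mirroring the patterns in the two configs posted above."""
from ipaddress import IPv4Network

SAMPLE_CONFIG = """\
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
 class type inspect GUEST-TO-OUTSIDE_CMAP
 class class-default
  drop
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
 service-policy type inspect GUEST-TO-OUTSIDE_PMAP
interface FastEthernet4
 zone-member security out-zone
 shutdown
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
interface Vlan12
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
 zone-member security guest-zone
ip nat inside source list 100 interface FastEthernet4 overload
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
"""

def parse_blocks(text):
    """(top-level command, [indented sub-commands]) pairs, in config order."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def acl_source(toks):
    """Source of a 'permit ip <src> any' entry; ipaddress accepts IOS wildcard masks."""
    if toks[0] == "any":
        return IPv4Network("0.0.0.0/0")
    if toks[0] == "host":
        return IPv4Network(f"{toks[1]}/32")
    return IPv4Network(f"{toks[0]}/{toks[1]}", strict=False)

def acl_sources(blocks, acl_id):
    """Permitted sources of a numbered or named extended ACL (the form CCP writes)."""
    nets = []
    for head, subs in blocks:
        t = head.split()
        if t[:2] == ["access-list", acl_id] and t[2] == "permit":
            nets.append(acl_source(t[4:]))
        elif t[:4] == ["ip", "access-list", "extended", acl_id]:
            nets += [acl_source(s.split()[2:]) for s in subs if s.startswith("permit ")]
    return nets

def lint(config_text):
    """Human-readable findings; empty list when the config passes every check."""
    blocks = parse_blocks(config_text)
    findings = []
    for head, subs in blocks:
        t = head.split()
        # 1. zone-pair with no policy: nothing is inspected that way, so replies are judged by the reverse pair
        if t[:2] == ["zone-pair", "security"] and not any(s.startswith("service-policy") for s in subs):
            findings.append(f"zone-pair {t[2]}: no service-policy attached")
        # 2. class in an L4 inspect policy (4-token header) with no inspect/pass action permits nothing
        if t[:3] == ["policy-map", "type", "inspect"] and len(t) == 4:
            cls, acted = None, True
            for s in subs + ["class end"]:
                if s.startswith("class "):
                    if not acted:
                        findings.append(f"policy-map {t[3]}: class {cls} has no inspect/pass/drop action")
                    cls, acted = s.split()[-1], False
                elif s.split()[0] in ("inspect", "pass", "drop"):
                    acted = True
        # 3. interface placed in a security zone but administratively down
        if t[0] == "interface" and "shutdown" in subs and any(s.startswith("zone-member") for s in subs):
            findings.append(f"interface {t[1]}: in a security zone but shutdown")
    # 4. every 'ip nat inside' subnet must be in the NAT ACL; the 255.255.255.255 and 127/8
    #    entries are anti-spoofing lines (ccp-invalid-src style) that never match an inside source
    nat = next((h for h, _ in blocks if h.startswith("ip nat inside source list ")), None)
    if nat:
        sources = [n for n in acl_sources(blocks, nat.split()[5]) if not (n.is_loopback or n.is_reserved)]
        for head, subs in blocks:
            if head.startswith("interface ") and "ip nat inside" in subs:
                for s in subs:
                    a = s.split()
                    if a[:2] == ["ip", "address"] and len(a) == 4:
                        net = IPv4Network(f"{a[2]}/{a[3]}", strict=False)
                        if not any(net.subnet_of(src) for src in sources):
                            findings.append(f"interface {head.split()[1]}: {net} is 'ip nat inside' but not in the NAT ACL")
    return findings
```

Feed `lint()` the text of a real `show run`; it relies on the indentation IOS prints for sub-commands, which was lost when the configs were pasted into this thread, so re-indent (or re-capture) before running it on them. It only understands extended `permit ip <src> any` entries, which is what CCP generates for a NAT ACL. Two things the checks surface are worth acting on directly: the class under GUEST-TO-OUTSIDE_PMAP has no `inspect` (or `pass`) beneath it, so that policy never lets guest traffic out, and both DHCP pools point clients at the router for DNS while `ip dns server` makes the router forward those queries, so resolution for every VLAN also depends on the router's own replies getting back in through ccp-zp-out-self, whose ccp-permit policy passes only the DHCP class and drops the rest; `show policy-map type inspect zone-pair ccp-zp-out-self` will show whether those replies are being dropped.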

Similar Messages

  • FMS: NAT and Firewall

    I've run into one roadblock after another with Cirrus (Stratus) - basically, even the Adobe Videophone example refuses to work in the 'real world' where there's a mix of NAT and firewall configurations outside the developer's control. (http://forums.adobe.com/message/1064983#1064983 and thread at http://forums.adobe.com/thread/736422?tstart=0)
    My question is whether Flash Media Server 4 has the same sort of issues? We don't want to pay up to install and run our own FMS only to discover that we won't be able to provide a P2P service to our end users because they're scattered around the Internet with a mix of mobile devices and computers lying behind NAT and firewall devices that we can't predict.

    FMS4 and Cirrus should behave identically as far as facilitating P2P communications on the open Internet.
    As the referenced article describes, with some combinations of NATs and firewalls, P2P communication is impossible. RTMFP tries really hard to establish connections in the cases where direct communication is possible, but will not function in cases where direct communication is not possible.
    We believe direct communications should be possible for the majority of Internet users, but recognize that it won't be possible for 100% of users.

  • Howto: Zones in private subnets using ipfilter's NAT and Port forwarding

    This setup supports the following features:
    * Requires 1 Network interface total.
    * Supports 1 or more public ips.
    * Allows Zone to Zone private network traffic.
    * Allows internet access from the global zones.
    * Allows direct (via ipfilter) internet access to ports in non-global zones.
    (Change networks to suit your needs; the number of public and private IPs was lowered to simplify this doc.)
    Network setup:
    iprb0 65.38.103.1/24
    defaultrouter 65.38.103.254
    iprb0:1 192.168.1.1/24 (in global zone)
    Create a zone on iprb0 with an IP of 192.168.1.2
    ### Example /etc/ipf/ipnat.conf
    # forward from a public port to a private zone port
    rdr iprb0 65.38.103.1/32 port 2222 -> 192.168.1.2 port 22
    # force outbound zone traffic thru a certain ip address
    # required for mail servers because of reverse lookup
    map iprb0 192.168.1.2/32 -> 65.38.103.1/32 proxy port ftp ftp/tcp
    map iprb0 192.168.1.2/32 -> 65.38.103.1/32 portmap tcp/udp auto
    map iprb0 192.168.1.2/32 -> 65.38.103.1
    # allow any 192.168.1.x zone to use the internet
    map iprb0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
    map iprb0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
    map iprb0 192.168.1.0/24 -> 0/32
    For testing purposes you can leave /etc/ipf/ipf.conf empty.
    Be aware that you must "svcadm disable ipfilter; svcadm enable ipfilter" to reload the rules, and that the rules stay loaded if the service is just disabled (bug).
    Zones can't modify their routes and inherit the default routes of the global zone. Because of this we have to trick the non-global zones into using a router that doesn't exist.
    Create /etc/init.d/zone_route_hack
    Link this file to /etc/rc3.d/S99zone_route_hack.
    #!/bin/sh
    # based on information found at
    # http://blogs.sun.com/roller/page/edp?entry=using_branded_zones_on_a
    # http://forum.sun.com/jive/thread.jspa?threadID=75669&messageID=275741
    fake_router=192.168.1.254
    public_net=65.38.103.0
    router=`netstat -rn | grep default | grep -v " $fake_router " | nawk '{print $2}'`
    # send some data to the real network router so we look up its ARP address
    ping -sn $router 1 1 >/dev/null
    # record the ARP address of the real router
    router_arp=`arp $router | nawk '{print $4}'`
    # delete any existing ARP entry for our fake private subnet router
    arp -d $fake_router >/dev/null 2>&1
    # assign the real router's ARP address to our fake private subnet router
    arp -s $fake_router $router_arp
    # route our private subnet through our fake private subnet router
    route add default $fake_router
    # Can't create this route until the zone/interface are loaded
    # Adjust this based on your hardware and number of zones
    sleep 300
    # Duplicate this line for every non-global zone with a private IP that
    # will have ipfilter rdr (redirects) pointing to it
    route add -net $public_net 192.168.1.2 -iface
    Now we have both public and private IP addresses on our one iprb0 interface. If we'd really like our private zone network to be private we don't want any non-NATed 192.168.1.x traffic leaving the interface. Since ipfilter can't block traffic between zones (they use loopbacks), we can just block the 192.168.1.x traffic and the zones can still talk.
    The following /etc/ipf/ipf.conf defaults to deny.
    # ipf.conf
    # IP Filter rules to be loaded during startup
    # See ipf(4) manpage for more information on
    # IP Filter rules syntax.
    # INCOMING DEFAULT DENY
    block in all
    block return-rst in proto tcp all
    # two open ports one of which is redirected in ipnat.conf
    pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
    pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
    # INCOMING PING
    pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
    # INCOMING GLOBAL ZONE UNIX TRACEROUTE FIX PART 1
    #pass in quick on iprb0 proto udp from any to 65.38.103.0/24 keep state
    # OUTGOING RULES
    block out all
    # ALL INTERNAL TRAFFIC STAYS INTERNAL (Zones use non-filtered loopback)
    # remove/edit as needed to actually talk to local private physical networks
    block out quick from any to 192.168.0.0/16
    block out quick from any to 172.16.0.0/12
    block out quick from any to 10.0.0.0/8
    block out quick from any to 0.0.0.0/8
    block out quick from any to 127.0.0.0/8
    block out quick from any to 169.254.0.0/16
    block out quick from any to 192.0.2.0/24
    block out quick from any to 204.152.64.0/23
    block out quick from any to 224.0.0.0/3
    # Allow traffic out the public interface on the public address
    pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
    # OUTGOING PING
    pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 8 keep state
    # Allow traffic out the public interface on the private address (needs nat and router arp hack)
    pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
    # OUTGOING PING
    pass out quick on iprb0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state
    # INCOMING TRACEROUTE FIX PART 2
    #pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 3 keep state
    If you want incoming and outgoing internet in your zones it is easier if you just give them public IPs and set up a firewall in the global zone. If you have limited public IP addresses (I'm setting up a colocation 1U server) then you might take this approach. One of the best things about doing things this way is that any software configured in the non-global zones will never be configured to listen on an IP address that might change if you change public IPs.

    Instead of using the script as a legacy_run script, set it up in SMF.
    First create the file /var/svc/manifest/system/ip-route-hack.xml with
    the following
    ---Start---
    <?xml version="1.0"?>
    <!DOCTYPE service_bundle SYSTEM
    "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
    <!--
    ident "@(#)ip-route-hack.xml 1.0 09/21/06"
    -->
    <service_bundle type='manifest' name='NATtrans:ip-route-hack'>
    <service
    name='system/ip-route-hack'
    type='service'
    version='1'>
    <create_default_instance enabled='true' />
    <single_instance />
    <dependency
    name='physical'
    grouping='require_all'
    type='service'
    restart_on='none'>
    <service_fmri value='svc:/network/physical:default' />
    </dependency>
    <dependency
    name='loopback'
    grouping='require_all'
    type='service'
    restart_on='none'>
    <service_fmri value='svc:/network/loopback:default' />
    </dependency>
    <exec_method
    type='method'
    name='start'
    exec='/lib/svc/method/svc-ip-route-hack start'
    timeout_seconds='0' />
    <property_group name='startd' type='framework'>
    <propval name='duration' type='astring'
    value='transient' />
    </property_group>
    <stability value='Unstable' />
    <template>
    <common_name>
    <loctext xml:lang='C'>
    Hack to allow zone to NAT translate.
    </loctext>
    </common_name>
    <documentation>
    <manpage
    title='zones'
    section='1M'
    manpath='/usr/share/man' />
    </documentation>
    </template>
    </service>
    </service_bundle>
    ---End---
    then modify /var/svc/manifest/system/zones.xml and add the following
    dependency
    ---Start---
    <dependency
    name='inet-ip-route-hack'
    type='service'
    grouping='require_all'
    restart_on='none'>
    <service_fmri value='svc:/system/ip-route-hack' />
    </dependency>
    ---End---
    Finally create the file /lib/svc/method/svc-ip-route-hack with the
    contents of S99zone_route_hack, minus the sleep timer (perms 0755). Run
    'svccfg import /var/svc/manifest/system/ip-route-hack.xml' and 'svccfg
    import /var/svc/manifest/system/zones.xml'.
    This will guarantee that ip-route-hack is run before zones are started,
    but after the interfaces are brought on line. It is worth noting that
    zones.xml may get overwritten during a patch, so if it suddenly stops
    working, that could be why.

  • Static NAT and same IP address for two interfaces

    We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to where 10.10.10.10 would be the same public IP address.
    static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
    static (production,Outside) 10.10.10.10  access-list production_nat_static_1
    Thanks for any help.
    Jeff

    Hi Jeff,
    Unfortunately this cannot be done. On the ASA, packet classification is done on the basis of MAC address, destination NAT and route, and here you are confusing the firewall as to which interface the IP belongs to. I haven't ever tried to do it, but it should cause you issues.
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Setting up gateway and firewall in OS X Server 10.3?

    Hi all,
    I have a G4 tower with two working ethernet cards in it that I would like to configure as a gateway and firewall. It has OS X Server 10.3 on it. I have easily found the firewall configuration in the Server Admin interface, but I can find nothing about configuring the server to act as a gateway. The only information I have found that is pertinent is related to the Gateway Setup Assistant that comes with OS X Server 10.4, which doesn't exactly help me. Does anyone have any documentation on configuring OS X Server 10.3 to be a gateway? Thanks.

    Actually, I may have marked this as answered too quickly...
    So I followed the guide at the back of the getting started manual, and set everything up as follows:
    - PCI Ethernet card is set up as the connection to the outside world. It is plugged into a switch which connects to a wall jack. In Network under System Preferences, it is set up as the first internet connection to try. It has a static IP address, and is set up to use the organization's DNS servers. It is NOT plugged into the upstream port, but is instead in port #9. The light on the router is on.
    - Built-in wireless is set up to be the internal connection. It is plugged into the upstream slot on another switch. It has a static IP address, and is set up to use the organization's DNS servers. The light on the router is on, so it appears there is a connection.
    - A different computer is plugged into the second switch, with a static IP address and set to use the organization's DNS servers.
    So basically, unlike in the scenario in the manual, I am not using the OS X Server for DNS, DHCP or NAT services. That should, if anything, simplify it.
    The firewall service is started, and is set to allow all traffic in and out, no problems. Nice and simple to start.
    The server has an okay connection to the outside world via the PCI Ethernet card. I can ping other machines and load web pages. I cannot, however, access the machine connected to the router which is connected to the built-in Ethernet. Likewise, that machine has no access to either the OS X Server or the outside world.
    How does OS X Server decide which ethernet card is to be connected to the outside world, and which is for the internal firewall? Is the confusion possible because I'm connected to two routers?

  • Airport Utility and Firewall Difficulties

    I am running Windows 7 with a Time Capsule and Airport Express for NAS, wireless routing, and Airplay.  The TC is connected to the Win 7 desktop via ethernet and we have a Vista laptop and iPhones which connect wirelessly to the network.
    I also have a Webroot internet security program for antivirus and firewall which seems to be interfering with Airport Utility finding the TC and AE.  If I disable the firewall and reboot, the devices appear in APutil.  Windows Firewall is disabled and not used.
    I have included the APutil.exe, APagent.exe, iTunes.exe, and a few other Apple executables in the security exceptions to allow their traffic but APutil still can't see the devices.  The wireless internet connection still works but Airplay will not.  Is there another Webroot setting I need to change?
    Alternatively, would I still be protected if I shut off the Webroot firewall function and allowed the NAT Firewall in the Apple hardware to operate?  Is there anything I need to do in the Airport Utility to make this happen?
    Many thanks in advance from a wireless newbie.

    iTunes uses UDP port 5353 to locate AirPort Express base stations that can be destinations for your AirTunes music stream. Make sure this port is allowed through your firewall.
    The following link contains a list of all the ports that Apple uses with its software.
    http://support.apple.com/kb/TS1629?viewlocale=en_US

  • Cisco ACE and firewall design

    Guys,
    If I have servers protected behind a firewall and I need to load balance some servers , where should I place the ACE?
    Sent from Cisco Technical Support iPad App

    Hi,
    With one-arm, I believe the question is where you want to place the firewall. As long as the client is able to reach the VIP and the server replies back to the ACE, I don't see any problem with this design.
    Firewall ---------Switch ---------------- Load Balancer ---
    As you know, one-arm requires a source NAT and might not be a good fit for applications that are using the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.
    Regards,
    Siva

  • I want to use Back to my mac. When I try to turn it on, it says "Back to My Mac may be slow because more than one device on your network is providing network services.   Turn off NAT and DHCP on one of the devices and try again." How do I fix this?

    Not sure if I am doing this right. This is my first time in the support community.
    I imagine what I put in my heading was supposed to go in here.
    I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
    Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).

    Why do ISPs insist upon making things so difficult for their customers?
    If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
    http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-information/
    Scroll down to DHCP Settings
    You will need to log in with proper "technician" credentials. They are provided in the above link as
    Username: tech
    Password: t3lu5tv
    ... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business.

  • Using modem Sagem f@st 3464 (Scarlet One : vdsl   tv   VoIP   wi-fi) : impossible to create a new Wi-Fi network (2.4 or 5 GHz) ? Conflict with DHCP / NAT and so on. No answer from the Apple help desk, Air Port Utility 6.1 unusable (configuration = Win 7)

    Good afternoon,
    My internet connection is delivered by a modem Sagem f@st 3464 (Scarlet One: VDSL, TV, VoIP, Wi-Fi); it's almost the same as a BBox-2 from Belgacom (software and configuration).
    This modem has 4 Ethernet ports, 2 for TV, 2 for LAN; the WAN port is RJ-11 and the connection is PPPoE (in fact, it's the Belgacom network). I also have 802.11g Wi-Fi on it.
    The main reason why I bought a TC is the dual Wi-Fi 2.4 GHz and 5 GHz (for 802.11n), especially for my MacBook Pro and my iPad 3.
    First of all, can I do the following with my TC :
    1) connecting the TC using an Ethernet cable from one of the two modem's LAN ports to the TC's WAN port
    2) create a new Wi-Fi network using the TC?
    Up to now, after 2 man-days of configuration, my TC is connected to my existing LAN network, as a bridge, but there is no new Wi-Fi network.
    The AirPort Utility 6.1 "Wizard" is just unusable and I need to use a Win 7 laptop in order to get access to all the configuration!
    The standard manual is very poor.
    Has someone already created a new Wi-Fi network using their TC connected by Ethernet to a modem/router device? How do you set up the DHCP (and NAT)? Which range did you use?
    Sincerely yours,
    AVDB

    1) connecting the TC using an Ethernet cable from one of the two modem's LAN ports to the TC's WAN port
    2) create a new Wi-Fi network using the TC?
    Has someone already created a new Wi-Fi network using their TC connected by Ethernet to a modem/router device? How do you set up the DHCP (and NAT)? Which range did you use?
    This is easy enough to do..
    Plug the TC directly into a computer.. without other connections to do the setup.
    Using the newly installed 5.6 utility.
    Bridge the TC.
    Create a wireless network.
    This is an older screen shot and I would set security to WPA2 Personal only not WPA/WPA2 Personal as shown above.
    I do recommend you use wireless names that are short, no spaces, pure alphanumeric.
    Update the TC..
    Now plug it into the modem router. It will be a part of the network without doing NAT and DHCP itself, which you do not want, as that leads to double NAT issues, but it is a WAP that provides access to devices on both 2.4 GHz and 5 GHz bands directly to the main router.

  • HT203200 Have deleted temp video, configured anti spam and firewall, and one specific video keeps giving me an error. Just tried downloading a previous episode of the show and it worked just fine. Always sunny in philly "Charlie rules the world" anyone el

    Have deleted temp video, configured anti spam and firewall, and one specific video keeps giving me an error. Just tried downloading a previous episode of the show and it worked just fine. Always sunny in philly "Charlie rules the world" anyone else??

  • Can't update iOS 8 on my iPhone5 through iTunes on Windows 8 (error 3004, 3194). Updated host file, opened port 80, 443; turned off security system and firewall, etc. But nothing works. How to solve this problem?

    Can't update iOS 8 on my iPhone5 through iTunes on Windows 8 (error 3004, 3194). Updated host file, opened port 80, 443; turned off security system and firewall, etc. But nothing works. How to solve this problem?

    Hi the_mad_movies,
    It seems like this article will be the best option for addressing this issue:
    Error 3194, Error 17, or "This device isn't eligible for the requested build"
    http://support.apple.com/kb/ts4451
    Thanks for coming to the Apple Support Communities!
    Cheers,
    Braden

  • I am getting a timeout when attempting to upload os5.0.1.  (3 attempts) including with av and firewall disabled.  1mbdsl.  3hr  download time.

    Three different times I attempted to download the new OS to my wife's iPad. Each time it would proceed to a point somewhere around 80 minutes remaining (started with 3+ hours remaining and downloaded about 4 MB per minute). I have a 1 Mb DSL line that routinely tests out at around .85 Mb per min. I have tried all the "fixes" I found on the site, including isolating all other USB-interfaced hardware, rebooting both machines (PC and iPad), shutting off AV and firewall, and still it fails at about the same point, giving error 3259.
    An attempt to find other info or any way to communicate directly with Apple re this was not successful.
    Any ideas?
    My next idea is to take the entire PC to my son's, where there is a faster internet connection, but that is a lot of trouble and you shouldn't have to do that. With other large file updates I have done on other software, if it fails or times out you are able to resume where it left off and eventually get it done.

    An alternative is to try downloading the update via a browser : https://discussions.apple.com/message/16703914#16703914
    You could also do that via, for example, a friend's computer and then copy it to your own computer for the actual update.

  • NAT and Routed Network with Two ISP's on one router

    I'm sure this has been covered many times, but I am not finding it.
    I have two ISP connections.
    With ISP-A I have a /30 between us and 200.100.100.0/24 is routed to me via the /30. For this example we will say the /30 is 1.1.1.1 on the ISP end and 1.1.1.2 on my end.
    With ISP-B I have a 100.0.0.0/29 subnet, and the ISP gateway is on that subnet at 100.0.0.1.
    On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
    I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
    Everything on 192.168.100.x should use NAT and go out ISP-B.
    I have tried
    ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
    route-map ISP-B permit 10
     match ip address 101
     match interface GigabitEthernet0/1
     set ip next-hop 100.0.0.1
    route-map ISP-A permit 10
     match ip address 111
     match interface Multilink1
     set ip next-hop 1.1.1.1
    The problem comes when I have default routes to ISP-A in the router: then none of the ISP-B traffic works, and vice versa.

    I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because the default route is going to use one ISP or the other.
    If you can use BGP, this link will help you with load sharing between multiple ISPs when you have one router.
    http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
    HTH
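    As an added illustration of the split the question asks for (this is not code from the thread, from the answerer or from Cisco): a small Python model of a router holding one default route toward ISP-A, a policy-routing entry that overrides the routing table for the 192.168.100.0/24 source prefix, and PAT (overload) bound to the ISP-B interface, the way `ip nat inside source ... interface ... overload` binds translation to an egress interface. The prefixes, next hops and interface names are taken from the question; the router's own ISP-B address 100.0.0.2, the PAT port allocation and the function names are assumptions. The model reproduces the symptom described: with only the default route and no policy routing, private-source traffic is forwarded toward ISP-A untranslated, whereas with policy routing it leaves via ISP-B translated, and the reply is mapped back through the translation table.

```python
"""Toy forwarding model: routing table with longest-prefix match, policy routing
that is consulted first, and PAT applied only on one egress interface.
Addresses follow the thread; everything else is assumed for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Router:
    # Routing table entries: (destination prefix, next hop, egress interface)
    routes: list
    # Policy-routing entries, evaluated before the routing table:
    # (source prefix, next hop, egress interface)
    policy: list
    # PAT rule keyed by egress interface: (inside prefix to translate, public address)
    nat: dict
    next_port: int = 1024                      # next PAT source port to hand out (assumed)
    xlate: dict = field(default_factory=dict)  # (public ip, port) -> (inside ip, port)

    def lookup(self, dst):
        """Longest-prefix match against the routing table."""
        best = None
        for prefix, nh, ifc in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, ifc)
        return (best[1], best[2]) if best else None

    def policy_route(self, src):
        """First policy entry whose source prefix contains the packet's source wins."""
        for prefix, nh, ifc in self.policy:
            if ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
                return (nh, ifc)
        return None

    def forward(self, pkt, use_pbr=True):
        """Pick next hop and egress interface, then translate if a PAT rule is bound
        to that interface and the source falls inside the rule's inside prefix."""
        decision = (self.policy_route(pkt.src) if use_pbr else None) or self.lookup(pkt.dst)
        if decision is None:
            return None
        nh, ifc = decision
        src, sport = pkt.src, pkt.sport
        rule = self.nat.get(ifc)
        if rule and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule[0]):
            src, sport = rule[1], self.next_port
            self.next_port += 1
            self.xlate[(src, sport)] = (pkt.src, pkt.sport)  # remember for the reply
        return {"next_hop": nh, "interface": ifc, "src": src, "sport": sport,
                "translated": src != pkt.src}

    def reply(self, pkt):
        """Reverse-translate a packet arriving for the public address; None if no state."""
        inside = self.xlate.get((pkt.dst, pkt.dport))
        if inside is None:
            return None
        return Packet(pkt.src, inside[0], pkt.sport, inside[1])


def build_router():
    """Router as the question describes it: default route to ISP-A, policy routing and
    PAT for the RFC 1918 subnet toward ISP-B (100.0.0.2 as the router's own address is assumed)."""
    return Router(
        routes=[("0.0.0.0/0", "1.1.1.1", "Multilink1")],
        policy=[("192.168.100.0/24", "100.0.0.1", "GigabitEthernet0/1")],
        nat={"GigabitEthernet0/1": ("192.168.100.0/24", "100.0.0.2")},
    )


if __name__ == "__main__":
    r = build_router()
    # 203.0.113.5 is a documentation address used as a constructed destination.
    print(r.forward(Packet("200.100.100.10", "203.0.113.5", 40000, 443)))
    print(r.forward(Packet("192.168.100.5", "203.0.113.5", 40001, 443)))
    print(r.forward(Packet("192.168.100.5", "203.0.113.5", 40002, 443), use_pbr=False))
    print(r.reply(Packet("203.0.113.5", "100.0.0.2", 443, 1024)))
```

    The third call is the failure mode from the question: without a source-based override, the routing table alone sends the 192.168.100.x host toward 1.1.1.1, and because the PAT rule is bound to the ISP-B interface the packet leaves with its private source address intact. The answer's point about BGP is about the reverse direction and proper path selection; the model only covers the outbound forwarding decision.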

  • When installing third party software, how do I temporarily turn off the factory installed virus sw and firewall?

    when installing third party software, how do I temporarily turn off the factory installed virus sw and firewall?  Is it necessary on a Mac to do so?  I come from the Windows world and am still in the learning curve on the Mac.

    Correct. I have not installed ANY other software for anti-virus, etc. I want to install a sync app for my HTC phone to sync with MS Outlook 2011 installed on my Mac. HTC will not sync with it otherwise. That was really the basis for my question: if installing a non-Apple app can be done without messing with factory settings on the Mac. In Windows I remember that I needed to disable Norton and the firewall in order for installation to occur.
    Thanks.

  • Suggest antivirus and firewall

    Hi, I'm running a Windows computer, XP Home Service Pack 3.
    I was having problems downloading films from iTunes, and I suspected either a bug/virus in my computer
    or a conflict with security software in my computer was causing problems, so I wiped my computer and installed a new version
    of XP, went onto iTunes and downloaded a film, which seems to have downloaded okay.
    I don't want the same problem, so can anyone please suggest an antivirus and firewall for my computer [had Panda Cloud Antivirus before] which shouldn't cause conflict problems with iTunes? Many thanks for any help given.

    Windows XP has a fairly serviceable firewall built into it already. As long as you are connecting to the internet via a router there really shouldn't be too much to worry about. Back in the day of directly connected modems people were inadvertently exposing their file systems to anyone who chose to look. A quick visit to Shields Up! should let you know if there are any significant issues.
    I tend to recommend AVG-Free as an AV solution for personal use. Don't install its toolbar or search redirector. Whatever AV package you use you may want to go into its advanced settings and exclude it from monitoring your iTunes folder. This should prevent any conflict between the AV and iTunes.
    tt2
