Public ip behind modem/router - setup
I have been reading this forum's topics thoroughly over the past few days - very helpful advice from some of the top posters.
However, I have a very basic question which is beginning to make me tear my hair out - how do I give the external NIC a public IP address that's completely visible over the internet but that will still allow communication with my router/modem.
Last week we decided to update our old G4 running OS X Server 10.3.8 to a brand new XServe. Our needs are very basic and the old server ran afp, nat, mail, firewall and vpn for a small workgroup of about 10 designers. Our ISP gave us a range of static public IP addresses of which we only used one for both our router address and mail (over smtp). ISP handles external DNS and sorted the MX records for this. A zoom modem/router was configured in half bridge mode to transparently send this IP address 83.xxx.89 to the OS X server via DHCP. Therefore external NIC was set up as DHCP and internal NIC was set up with local address 192.168.0.1. Because the 89 external address was also our mailgate address - mailgate.mydomain.com - our ISP could send down our mail, mobile users could log on via VPN, workers on the lan could browse the web and use afp etc. In other words, it worked perfectly for our small setup and was steady as a rock for about 3-4 years. I have noted comments about the lack of a hardware firewall - we are relying totally on Apple's firewall in OSX server but I am comfortable with this for my small workgroup.
When we came to install the XServe in a similar fashion the external NIC would only pick up the external public IP address for about two minutes. After this it would drop and pick up a self assigned IP address - obviously all connection to the internet would be lost and the primary address would become 192.168.0.1 because the internal NIC would move up in rank. After talking to Apple support for literally a couple of hours they seemed to draw a blank but suggested that I must change the external NIC to manual to stop it being overridden. I must also set up LOM correctly. Fair enough, I'm willing to try this and have now got my ISP to send our mail down to a different mailgate - 83.xxx.90. Therefore we have one public IP for the router and another for the mailserver (that happens to be doing a few other services too). Domain names for these are mailgate.mydomain.com and mailgate2.mydomain.com - in fact the original address will still act as a mailserver with a slightly higher priority because I want the option of switching back to my G4 until all this is resolved and don't want two new setups on my hands! Once the Xserve is setup the old server will no longer function.
However, all the modems I have tried will only communicate with internal IP addresses on the LAN. Even the dmz instructions say I should configure with an internal IP address - is this correct? Turning off DHCP server and NAT on these devices doesn't seem to help either (I assumed this would be the answer but no). Can someone tell me where I am going wrong? I can't find anyone else asking about this so I can only assume that I have overlooked something really simple.
Ideally I would like to keep the new two address setup but I am quite happy to go back to the single setup with the router in half bridge mode if the Xserve will hang on to it reliably.
My set up is:
Router:
WAN static 83.xxx.89 subnet 255.255.255.248
LAN 192.168.1.1 subnet 255.255.255.0 (don't really understand where this fits in).
NAT off, DHCP off
Xserve
external NIC
WAN static 83.xxx.90 subnet 255.255.255.248, router 83.xxx.89 or 192.168.1.1 (tried both and tried matching both subnets)
internal NIC
LAN 192.168.0.1 subnet 255.255.255.0
LOM (guessing here a bit because manual is awful)
WAN static 83.xxx.91, subnet 255.255.255.248 (channel 1)
LAN 192.168.0.50, subnet 255.255.255.0
DNS on XServe will be set up so that mailgate2.mydomain.com resolves to the internal 192.168.0.1 address. External DNS handled by ISP. Reading previous posts this seems correct.
Router/modems are Belkin F5D9630uk4 (hopeless, support tell me it won't take a static WAN address so it's going back), Voyager 205 (seems quite configurable but won't let anything through if NAT is disabled), Zoom X5 (older 4 year model currently working successfully in half bridge mode for my older setup - however only new models will work in full bridge mode which could be what I am looking for??)
I realise the above modems/routers are more consumer models so I am willing to buy a more configurable expensive pro modem or router if this is what's needed. I stress though that I would like the Xserve to be acting as the firewall and NAT etc and don't really fancy having to have to forward loads of ports etc.
Thanks for taking the time to read this through, I thought more detail would be helpful. I am also prepared to employ a professional to set this up for me but they (Apple knowledgeable) are rather thin on the ground in Glos UK. We did get a company in four years ago to set up the old server and they gave up after three weeks (a friend and I managed to crack it the following weekend - probably just lucky!).
Any help would be really appreciated - what we're trying to do must be pretty common?
17 G4 Laptop Mac OS X (10.4.8)
Now solved - bought myself a more professional router that has more user features and all has become clear. Router is Draytek 2800 which seems like a good piece of kit. I think that there are various ways of achieving what I wanted to do (I suspected this all along) but I chose to set up a 'second public lan subnet' in Draytek speak. See here for more:
http://www.draytek.co.uk/support/kbvigor2ndsubnet.html
Thanks to those that posted.
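The addressing plan in the question, checked for on-link gateways, as an added example that is not part of the original posts: a static gateway has to sit inside the interface's own subnet, which is why a /29 public address cannot use 192.168.1.1 as its router. The 203.0.113.88/29 block is a constructed stand-in for the elided 83.xxx range, and the function and interface names are this example's own.

```python
import ipaddress

def check_interface(name, address, netmask, gateway=None):
    """Return a list of problems for one statically configured interface."""
    problems = []
    iface = ipaddress.ip_interface(f"{address}/{netmask}")
    net = iface.network
    # The first and last address of a subnet are not usable host addresses.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            # The host cannot ARP for a gateway outside its own subnet.
            problems.append(f"{name}: gateway {gw} is not on-link in {net}")
        elif gw == iface.ip:
            problems.append(f"{name}: gateway {gw} is the interface's own address")
    return problems

def check_plan(plan):
    """Check every interface in the plan and flag addresses used twice."""
    problems, owners = [], {}
    for entry in plan:
        problems += check_interface(**entry)
        previous = owners.setdefault(entry["address"], entry["name"])
        if previous != entry["name"]:
            problems.append(f"{entry['name']}: {entry['address']} already used by {previous}")
    return problems

def usable_hosts(address, netmask):
    """First and last assignable host address of the subnet containing address."""
    hosts = list(ipaddress.ip_interface(f"{address}/{netmask}").network.hosts())
    return str(hosts[0]), str(hosts[-1])

# Constructed plan mirroring the layout in the post (203.0.113.x replaces 83.xxx).
PUBLIC_MASK = "255.255.255.248"
LAN_MASK = "255.255.255.0"
PLAN = [
    {"name": "router-wan", "address": "203.0.113.89", "netmask": PUBLIC_MASK},
    {"name": "router-lan", "address": "192.168.1.1", "netmask": LAN_MASK},
    {"name": "xserve-external", "address": "203.0.113.90", "netmask": PUBLIC_MASK,
     "gateway": "203.0.113.89"},
    {"name": "xserve-internal", "address": "192.168.0.1", "netmask": LAN_MASK},
    {"name": "lom-wan", "address": "203.0.113.91", "netmask": PUBLIC_MASK},
    {"name": "lom-lan", "address": "192.168.0.50", "netmask": LAN_MASK},
]

if __name__ == "__main__":
    print("usable range:", usable_hosts("203.0.113.90", PUBLIC_MASK))
    print("plan with public gateway:", check_plan(PLAN) or "no problems")
    # The other gateway the post mentions trying: the router's LAN address.
    print(check_interface("xserve-external", "203.0.113.90", PUBLIC_MASK,
                          gateway="192.168.1.1"))
```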
Similar Messages
-
Help needed with Wireless ADSL2+Modem Router setup
I have a iMac 1GHz PowerPC G4 running 10.3.9 with all of the latest software updates and have just purchased a Netgear DG834G. I am currently using an USB modem and now need wireless internet access for remote working via an IBM Thinkpad.
I have tried to follow the Netgear manual but to no avail. Unfortunately, my ISP was unwilling to help with setup as they didn't supply the router! Typical! Anyway they gave me some settings which might as well be in a foreign language ....
Virtual Path Identifier VPI = 0
Virtual Channel Identifier (VCI) parameters = 38
ISP Domain Name Server (DNS) Addresses apparently will be automatic
Fixed or Static IP Address is automatic
Protocol = PPOA - is this correct?
Encapsulation =VCMUX
Any advice and screenshots would be greatly appreciated as I am absolutely stuck.
iMac 15 G4 Mac OS X (10.3.9) Lacie Triple D2 160GB + 5G 30gb iPod
Fixed - told myself to RTFM!
-
Somewhat Frightening Message after Changing Modem / Router Hardware
Yesterday, I changed my DSL Modem/Router to be a DSL Modem only, and added a different router by using its WAN port.
This essentially shut off control of the original modem/router, and moved it to the new router.
Now, we have 4 computers connected via ethernet cables, and none on Wireless. All are turned off, except my partner's Windows XP machine, which, suddenly today has a new message at the bottom left of his Login Window:
(Red Button) "Turn off Bills Modem Mods"
Who/Where did this come from? My computer's name is "Bill Lastname" ...
All computers are set to use TCP/IP Using Automatic DHCP selection of local IP Address and other parameters.
Some kind of Hacker prank, or am I just having a little paranoia attack? All other computers are Macs running OS X.
Mac Plus, Performa 6116, PPC 8500 G4/450, 9500 G3/500, QS 2@1GHz Mac OS X (10.3.9)
Not being a Windows user, I didn't realize I had inadvertently input "Bills Modem Mods" to create a new account on the HP ... testing the new modem/router setup ... so that's why it started to appear as an option at the bottom of his signin window ...
Silly me ... didn't remember doing this ... so it startled me to think someone was hacking my partner's computer ...
PTSD and Halloween approaching ...
Mac Plus, Performa 6116, PPC 8500 G4/450, 9500 G3/500, QS 2@1GHz Mac OS X (10.3.9) -
Airport Express & Netgear DG834G 54Mbps Wireless ADSL Modem Router
Could you offer any advice as to whether an Airport Express could be used as a range extender for an existing Netgear DG834G 54Mbps Wireless ADSL Modem Router setup as I really like the idea of Airtunes and sharing a USB printer. I gather that it is possible to use an Airport Express to extend the range of an Airport Extreme basestation setup but have not been successful in finding any info regarding the Netgear.
Any info gratefully received !
G5 Dual 2.3Ghz Mac OS X (10.4.6)
mac-junkie, Welcome to the discussion area!
No it can not be used as a range extender.
But you can still use it for music and printer support. See KB 302153, AirPort Express: How to join an existing wireless network in client mode. -
RA VPN into ASA5505 behind C871 Router with one public IP address
Hello,
I have a network like below for testing remote access VPN to ASA5505 behind C871 router with one public IP address.
PC1 (with VPN client)----Internet-----Modem----C871------ASA5505------PC2
The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic UDP 500, 4500, and esp to the outside interface of the ASA that has a private IP address. The PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2. PC2 is also not able to ping PC1. The PC1 encrypts packets to PC2 but the ASA does not to PC1. Maybe a NAT problem? I understand removing C871 and just use ASA makes VPN much simpler and easier, but I like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!
C871:
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname router
boot-start-marker
boot-end-marker
enable password 7 xxxx
aaa new-model
aaa session-id common
clock timezone UTC -8
clock summer-time PDT recurring
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
ip dhcp pool dhcp-vlan2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
ip cef
ip domain name xxxx.local
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
username xxxx password 7 xxxx
ip ssh version 2
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description WAN Interface
ip address 1.1.1.2 255.255.255.252
ip access-group wna-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
interface Vlan1
no ip address
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Vlan10
description router-asa
ip address 10.10.10.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
ip access-list standard ssh
permit 0.0.0.0 255.255.255.0 log
permit any log
ip access-list extended nat-pat
deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.255.0.0 0.0.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 0.0.0.0 any
deny icmp any any fragments log
permit tcp any any established
permit icmp any any net-unreachable
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny ip any any log
control-plane
line con 0
exec-timeout 0 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class ssh in
exec-timeout 5 0
logging synchronous
transport input ssh
scheduler max-task-time 5000
end
ASA:
ASA Version 9.1(2)
hostname asa
domain-name xxxx.local
enable password xxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxxx encrypted
names
ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
interface Ethernet0/0
switchport trunk allowed vlan 2,10
switchport mode trunk
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Vlan10
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.252
ftp mode passive
clock timezone UTC -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxx.local
object network vlan2-mapped
subnet 192.168.2.0 255.255.255.0
object network vlan2-real
subnet 192.168.2.0 255.255.255.0
object network vpn-192.168.100.0
subnet 192.168.100.0 255.255.255.224
object network lan-192.168.2.0
subnet 192.168.2.0 255.255.255.0
access-list no-nat-in extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list vpn-split extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
object network vlan2-real
nat (inside,outside) static vlan2-mapped
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 10.10.10.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 10.10.10.1 255.255.255.255 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy vpn internal
group-policy vpn attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-split
default-domain value xxxx.local
username xxxx password xxxx encrypted privilege 15
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpn-pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
ikev1 pre-shared-key xxxx
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:40c05c90210242a42b7dbfe9bda79ce2
: end
Hi,
I think that you want to control all outbound traffic from the LAN to the outside by ASA.
I suggest some modifications as shown below.
C871:
interface Vlan2
description LAN-192.168.2
ip address 192.168.2.2 255.255.255.0
no ip nat inside
no ip proxy-arp
ip virtual-reassembly
ip access-list extended nat-pat
no deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
no permit ip 192.168.2.0 0.0.0.255 any
deny ip 192.168.2.0 0.0.0.255 any
permit ip 10.10.10.0 0.0.0.255 any
ASA 5505:
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
Try them out and respond.
Best regards,
MB -
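A consistency check over the two configurations posted in this thread, added here as an example (not code from either poster or from Cisco): it lists ACL names that are applied but never defined, and VPN pool addresses that fall outside the network object used as the destination of the identity NAT rule. The config lines are copied from the post; the function names and the assumption of a flattened, unindented config are this example's own.

```python
import ipaddress
import re

# Lines copied from the C871 config in the post (indentation was already lost).
C871 = """\
interface FastEthernet4
ip access-group wna-in in
ip nat inside source list nat-pat interface FastEthernet4 overload
ip access-list standard ssh
ip access-list extended nat-pat
ip access-list extended wan-in
line vty 0 4
access-class ssh in
"""

# Lines copied from the ASA config in the post.
ASA = """\
ip local pool vpn-pool 192.168.100.10-192.168.100.35 mask 255.255.255.0
object network vpn-192.168.100.0
subnet 192.168.100.0 255.255.255.224
object network lan-192.168.2.0
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static lan-192.168.2.0 lan-192.168.2.0 destination static vpn-192.168.100.0 vpn-192.168.100.0 no-proxy-arp route-lookup
"""

def acl_reference_report(ios_config):
    """Return (applied but undefined, defined but never applied) ACL names."""
    defined = set(re.findall(r"^[ \t]*ip access-list (?:standard|extended) (\S+)",
                             ios_config, re.M))
    used = set()
    for pattern in (r"^[ \t]*ip access-group (\S+) (?:in|out)",
                    r"^[ \t]*access-class (\S+) (?:in|out)",
                    r"^[ \t]*ip nat inside source list (\S+)"):
        used.update(re.findall(pattern, ios_config, re.M))
    return sorted(used - defined), sorted(defined - used)

def parse_objects(asa_config):
    """Map each 'object network NAME' to the subnet on the line that follows it."""
    objects, current = {}, None
    for line in asa_config.splitlines():
        line = line.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        current = None
    return objects

def parse_pools(asa_config):
    """Map each 'ip local pool NAME first-last' to its (first, last) addresses."""
    pools = {}
    for m in re.finditer(r"^[ \t]*ip local pool (\S+) (\S+)-(\S+)", asa_config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                             ipaddress.ip_address(m.group(3)))
    return pools

def nat_exempt_destinations(asa_config):
    """Object names used as 'destination static X X' in twice-NAT rules."""
    return re.findall(
        r"^[ \t]*nat \(\S+\) source static \S+ \S+ destination static (\S+) \S+",
        asa_config, re.M)

def pool_addresses_not_exempt(asa_config):
    """Pool addresses that no NAT-exemption destination object contains."""
    objects = parse_objects(asa_config)
    exempt = [objects[n] for n in nat_exempt_destinations(asa_config) if n in objects]
    gaps = {}
    for name, (first, last) in parse_pools(asa_config).items():
        missing = [str(ipaddress.ip_address(i))
                   for i in range(int(first), int(last) + 1)
                   if not any(ipaddress.ip_address(i) in net for net in exempt)]
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    undefined, unused = acl_reference_report(C871)
    print("applied but not defined:", undefined)
    print("defined but not applied:", unused)
    print("pool addresses outside the exemption object:", pool_addresses_not_exempt(ASA))
```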
I work in an office building with free Wifi to connect to the Internet. I want to be able to use this internetconnection, but at the same time I want to shield of my own wired network.
I've made the following configuration:
- fritz adsl modem / router
- Airport Extreme (5th gen) set up to join existing wireless network (green light, works)
- Lan-cable from lan-port AE to wan-port TC (4th gen)
- Lan-cable from TC to Mac
- Lan-cable from TC to Printer
When I set my TC (network-settings) in bridge-mode everything works fine, but my Mac and Printer get an IP-address from the fritz modem / router and are visible to others.
I tried to set TC in NAT/DHCP-mode, but then I get the error message that I should set a static IP-address for TC. When I set TC in DHCP-mode, it loses connection to the AE. I'm not sure what to do now. Does anyone know how to set up my TC and create my own private network and still be able to get on the internet?
Hajenius wrote:
Is there a better alternative? I'd rather not want to reset my TC every day.
You are using free internet.. so there is a price to pay.. that is convenience and non-ideal network setup.
The better alternative is to pay for your own connection. Then you are completely free of the possibility of others in the building seeing your connection. (as long as you secure the wireless).
But I think you are probably over worrying about public wifi.. if it is setup right.. ask the building admins.. it should be setup so each user cannot see another user's connection. This is typical for most wifi setup and simply means you can see internet connection but nobody else on the connection. ie other wireless users.
Having a router with NAT makes it then more secure again and allows clients on your own network to interact with each other. But you can setup wireless to the free wifi for every client.. (depending on how many IP you are allowed).. and run a secondary network without internet access. This is easy for desktop etc where you have a wireless and a wired connection but less convenient for mobile devices.. unless you use a cloud connection and each client can link and share via that.
Have I made the explanation worse??
Think of it this way.. if you had 3 laptops.. all 3 could connect to the internet from the building wifi.. but they cannot talk to each other or share resources in local office. You can put resources out in the cloud, that can be shared.. but that adds traffic and most free services are not fast.
Now you can also plug all three into Time Capsule by ethernet.. and share local resources. Files, printers backup etc. This network is not connected to the internet at all. Each laptop has internet via free wifi and local connection.
For devices like iphones that have no ethernet or other method.. you could use local wireless and public wireless.. but in turns.. still the only advantage is less issues with double NAT.. if that causes problems.. then this is an alternative. -
Hi,
I have an existing modem/router from my ISP that does DHCP and NAT with base IP 192.168.1.1 distributed in the wireless network. I use this wireless network for our private devices. I could turn off the DHCP server in this first router, but there isn't a separate setting to turn off NAT.
I want to connect my Airport Extreme (4th gen) to this existing router to create a separate wireless network for visiting guests, where IP addresses of 10.0.0.0 etc. are used. So I do not want to use the Airport Extreme in bridge mode, as I would like to keep the devices on the first network 'invisible' for those on the second network. (P.S. when connected in bridge mode, the Airport works well and can distribute a network with a different name from the first. It's just that I would feel more comfortable about our privacy if the Airport were to distribute a different IP range. False security, maybe?)
I've tried doing this by 'Sharing a public IP address' in Airport Utility's Internet tab, leaving TCP/IP's setting to 'via DHCP', setting DHCP addresses to start with 10.0.0.2 up to 200 with all else blank, and not using a standard host nor NAT-PMP in the NAT tab.
When I do this the Airport complains of a 'double NAT issue'. Internet connectivity seems to be OK, but when switching between the two networks on my Mac I get complaints about my IP address being in use by another device intermittently.
Can anyone help in how to get the 'double NAT issue' resolved?
Thanks!
So if someone is connected to the modem/router network they will be able to see the HD I will have put in to the AirPort Extreme?
As I said above.....since the modem/router and AirPort are bridged, devices on the modem/router wireless will be able to "see" devices on the AirPort wireless, and vice versa.....
If they can see the HD connected to the AirPort Extreme, will they be able to access it
Yes, unless you plan to password protect the drive connected to the AirPort Extreme.
or will they still need the password needed to get onto the AirPort Extreme network?
The modem/router and AirPort Extreme are bridged. They are on the same network. All devices are on the same network when the modem/router and AirPort are bridged. Not sure how else that I can say this.
Also, because it is bridged, I shouldn't have any problems accessing the HD I will have connected to the AirPort Extreme from an external location?
Accessing devices from a remote location is never easy....and a topic for a different post/discussion. If you have a "static" Internet IP address from your provider, and have all the details on how to forward ports on your modem/router, you are off to a good start.
Apparently there is some addressing issues because devices can be seen as "Double IP" because the modem/router would have allocated IP's as well as the AirPort allocating IP's thus making connections slower until resolved
When you "bridge", all IP addresses are issued by one device. There will be no conflicts on the network, since they are bridged.
Once again, in very simple terms, you have two doors (access points) that open into the same room (network). One "door" is the modem/router and the other "door" is the AirPort Extreme. They are on the same network....("room") because they are bridged. -
Setup Modem/Router and AirPort Extreme running DHCP, NAT
I have a basic modem/router from my ISP which didn't always work very well, so upon suggestion instead of upgrading to a new one I purchased an airport express to use with the modem, since we mostly use apple devices at home.
The idea is to use the old modem/router strictly as a modem and use AirPort Express for everything else (routing & access point).
However I need some technical info to set this up, since I am not very familiar with networking.
This is what I understand: In my old modem/router, I need to turn off wireless (it will be connected to the airport via Ethernet cable) and DHCP and NAT (if I can figure this out) as well as the firewall. After that, I should connect the airport to create a new wifi network and have it run DHCP & NAT (which will also provide firewall services)
Does this sound right?
Also, the Airport product page mentions that it can also run/provide the following: PPPoE, VPN Passthrough (IPSec, PPTP, and L2TP), DNS Proxy, SNMP, IPv6. Sorry if it sounds ignorant, but do I need to bother with any of this? Specifically PPPoE, which sounds like a modem function.
Again, since we're talking about a crappy modem here, the idea is to let the Airport do most of the work, and leave the least up to it.
Thanks in advance.
I found the answer in an Amazon review:
1. Auto-Configure the modem with your ISP by directly connecting the modem to your computer. Follow the instructions given in the booklet/user manual/ISP letter to enter the PPPoE username & password.
2. After configuration is complete, confirm that you are connected to the internet.
3. Click 'Advanced Setup' on the Main Menu.
4. Turn off DHCP Server on the 'DHCP Settings' page. Click Apply.
5. Go to 'WAN IP Address' page and click Yes on the warning. Select RFC 1483 Transparent Bridging. Click Apply.
6. The Internet light on the modem will turn off and always remain off in bridged mode.
7. Remove cable from computer and plug into WAN port of your Router.
8. In your router settings enter the PPPoE username & password. Follow instructions in your router's user manual to enable DHCP on your router.
You should now be connected to the Internet using your modem & router in bridged mode. -
Set up a proper live and local DNS behind a router
Hello dear friends,
I'm new to Snow Leopard Server and also I'm quite inexperienced in setting up DNS. We bought a Mac Pro for our small company along with Snow Leopard Server to become independent from our ISP, for some specific services like web hosting, mail and to bring up new services like Address book server, iCal server, FTP, Mobile access etc...
So for me to do that i have to set up our own DNS first. We already bought our domain name (crisconsult.ro) and since then the site has been hosted on our ISP and then aliased to Apple. We also have our own (fix) public IP 80.86.123.116.
Having installed SL Server and set-up, behind an Airport extreme router, the server was unable to pick up our name server which is ns.crisconsult.ro. Since the router is the first in the network, the server became second with a local IP 10.0.1.2. This is the same IP that the server automatically set up for DNS, BUT if i keep this ip on our name server (ns) i feel it's not good since:
host ns.crisconsult.ro returns
ns.crisconsult.ro has address 10.0.1.2
and host 80.86.123.116 returns
116.123.86.80.in-addr.arpa domain name pointer ns.crisconsult.ro.
As i understand there should be our public IP (80.86.123.116), BUT all the tutorials on the net regarding setting up DNS in Leopard Server point that at DNS one should put the machine's own local IP and have the machine look at itself as DNS in network settings.
So? Is there a local DNS and a public DNS to set up? What gives?
I could really appreciate some help in configuring DNS, along to some good and real examples of DNS servers configured behind a router.
Thanks,
Andrei
Andrei,
I too, would love nothing more than to be able to use DNS on my 10.4, 10.5 & 10.6 servers. Unfortunately, the only way I have found to effectively wield a somewhat complete level of control over the bind DNS included with the server, is to abandon all usage of the Server Admin DNS control in favor of something like webmin. The good news is, webmin gives you a host of other features that I (sadly) don't expect to see within the Apple Server GUI any time soon.
Bad news, is that the 'best practice' way of setting up a stable, functional DNS on a Mac Server seems to be: clean install, webmin install, and never, ever use the apple DNS interface. Similar rule applies to web server.
I like to think the measure of a good admin is the ability to fix the problem(s) without having to reinstall completely. However, I can say from much experience and extensive googling, that what you are trying to do is a game of hopscotch in a minefield. You should be VERY familiar with the installation and setup process once you have your box configured the way you want it.
Hopefully one day Apple will decide to take the bull by the horns and address the fact that DNS is an integral part of a server set up these days and provide us users with some of that Apple think-outside-the-box-so-you-dont-have-to product that they have been so well known for. I can't say whether they're in too much of a hurry deploying video iPods or super-duper mice that the server product that you and I would love to see work effectively simply doesn't.
Sorry to get on a rant, I just want to save you some time that I lost figgerin' on this vexing enigma. I can use citations for my assertions if need be.
-Chance -
WRT160N v3: Cannot connect to router setup web page with current Firefox or IE
Every time I try to connect to the admin page of my router, I get "The connection to the server was reset while the page was loading." This happens with Firefox 11, and started when I upgraded to 8 or 9. A machine running FF 3.6 does not exhibit this problem; I get right in. What IE 9 says is "Internet Explorer cannot display the webpage" (after complaining about the expired certificate).
I ran Wireshark to see if I could learn anything, but all I could figure out was this:
https handshake was OK.
First TLS packet is received by router, which then immediately issues a reset and ends the connection. I don't know why.
Has anyone seen this? or have I got a screwed up configuration (or router)?
castor wrote:
"The connection has timed out", seems to affect servers at MozillaZine, for Firefox on Windows...
I'm not sure what this has to do with my problem; my difficulty is only in trying to talk to the router configuration page. Everything else works just fine.
~~ Tools > Options
~~ Advanced (tab) -> Network (tab) > "Setting"
~~ (X) Auto-detect proxy setting for this network
I have "use system proxy settings". Since this is a home network and I'm not using a software proxy on my machine, I know there is nothing between me and the router.
Second, let me know if you have enabled 'https' in the router management page. What is the IP address on the computer when connected to the router. To check the IP address that you are getting from the Router... You can check the IP address in the following manner:
# Click on Start -> All Programs -> Accessories -> Command Prompt.
# A black pop up box should come up, type: "ipconfig /all" …
This is not going the right direction, but to satisfy your curiosity:
IPv4 Address. . . . . . . . . . . : 10.244.122.142(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.244.122.1
DHCP Server . . . . . . . . . . . : 10.244.122.1
These are correct. (Since my telco DSL has me behind its own NAT router and has assigned my modem address 192.168.1.2, so I could not use Cisco/Linksys's manufacturer default address settings.)
There check the IP address and Default Gateway under LAN….
If it provides the valid IP address then try to connect the router to a different computer and then try to open the router setup page...
I have a linux virtual host (thanks to VMware) now running Firefox 5, and it can talk to the router setup page just fine, once I accept and save the invalid certificate the router presents, at https://10.244.122.1. So I conclude the problem is to do with the later version of Firefox (currently 11, but I had this problem with 10 and maybe with 8 and 9). -
Help needed - tunnel from behind ADSL router
I have a situation in which I require to set-up IPSec tunnel in between two 1841 routers. This is normally two minutes job, in this case however one of the routers sits on a private LAN behind ADSL router (at the moment there is no reasonable way to get around it).
Thus:
1841-1 <-> WAN <-> ADSL Router <-> 1841-2
1841-1
FE0/1 Private LAN 172.16.1.1
FE0/0 Public IP
|
WAN
|
ADSL Router
Public IP
NAT
Private LAN1 192.168.0.1
|
1841-2
FE0/0 LAN1 IP 192.168.0.1
FE0/1 LAN2 IP 172.16.0.1
172.16.1.0-172.16.0.0 require to communicate over the IPSec tunnel.
Could you please advise me on 1) what is the most practical way to set this up without losing sanity; and 2) Could you maybe point me to some documentation that deals with this specific scenario?
Thanks.
'1841-2' does not have public IP (it "fakes" to have one).
IPsec tunnel is fully working now.
In the process though I have learned that it depends on what ADSL modem you are using to get this working.
Check out http://kb.juniper.net/KB4715 for example (this is the one I got working).
You can thus give your Cisco router a private IP behind ADSL router and then follow the steps from the knowledge base article above on ADSL modem (if you have same type available).
In addition then, on your Cisco router - you require to add loopback 0 interface and give it public IP of your ADSL router (yes - your adsl router WAN interface and loopback interface on your Cisco router have now the same public IP).
As the last step, on your Cisco router, change tunnel interface: source interface loopback 0 and destination your remote gateway.
I am going to try different modems, many models can actually do this, but the documentation is often unimpressive.
It is possible that there are better ways to do this, if so, please let me know.
If you wish to have more details about the set-up, let me know.
Thanks. -
RV180 behind DSL-ROUTER can't connect with QuickVPN
Hello,
I want to ask if it is possible to configure the RV180 behind my DSL Router to connect using QuickVPN. First I tried to connect to the PPTP server and it worked fine, but when I tried to connect using QuickVPN, it seems to connect but when the client says "verifying network" after a while the message "network not responding..." appears.
In my DSL-Router I forwarded these ports: UDP: 500,4500,443,60443 - TCP: 443,60443 (I don't know if the TCP ports are needed but I opened them for testing) and allowed protocol ESP (comes with the rule to allow IPSEC-L2TP)
Thanks!
Hello Siva,
From where do I have to test reachability? From the computer where I have installed the QuickVPN client I can reach the WAN interface of the DSL-Router, which is doing NAT and forwarding the ports I said to the WAN interface of my RV180. The network between DSL and RV180 is using private IPs.
The schema is:
Internet ---- (public ip) dsl router (192.168.1.1) ---- (192.168.1.50)RV180(10.0.0.1) ----- my network 10.0.0.0/24
In the document you posted is explained:
"Your Cisco router must have a direct public IP address for QuickVPN to work, please check under the status tab and your internet connection type and make sure it has a public IP address and it is not behind another router. This issue is more common with DSL connections; if you are behind another router/modem you should request your ISP to turn it into bridge mode so our router can be the border router between your LAN and your ISP."
It's my configuration. I will look how to turn my DSL router into a bridge. Thanks. -
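A check for the situation in the RV180 thread above, where the VPN router's WAN interface holds a private address behind the DSL router. This is an added Python example, not code from the posts or from Cisco; the function names and the 203.0.113.10 placeholder are assumptions, and the port list is the one given in the posts.

```python
import ipaddress

# Address ranges that cannot be reached directly from the internet.
NON_PUBLIC = {
    "rfc1918": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "cgnat": ("100.64.0.0/10",),           # RFC 6598 carrier-grade NAT
    "self-assigned": ("169.254.0.0/16",),  # link-local fallback when DHCP fails
}
# Forwards an IPsec gateway behind a NAT router needs: IKE and NAT-T.
IPSEC_UDP = (("udp", 500), ("udp", 4500))
# TCP ports the QuickVPN posts on this page forward for the client connection.
QUICKVPN_TCP = {("tcp", 443), ("tcp", 60443)}


def classify(addr):
    """Return 'public' or the name of the non-public range addr falls in."""
    ip = ipaddress.IPv4Address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in ipaddress.IPv4Network(n) for n in nets):
            return label
    return "public"


def check_gateway(wan_addr, forwards=()):
    """Return (kind, findings) for a VPN gateway with this WAN address.

    forwards: (protocol, port) pairs the upstream router sends to the gateway.
    """
    kind, forwards, findings = classify(wan_addr), set(forwards), []
    if kind == "public":
        return kind, findings
    if kind == "self-assigned":
        return kind, ["WAN interface fell back to a self-assigned address"]
    findings.append(f"WAN address is {kind}: an upstream device is doing NAT")
    if kind == "cgnat":
        findings.append("NAT is at the ISP; forwards cannot be set locally")
        return kind, findings
    for proto, port in IPSEC_UDP:
        if (proto, port) not in forwards:
            findings.append(f"missing forward {proto}/{port}")
    if not forwards & QUICKVPN_TCP:
        findings.append("missing forward tcp/443 or tcp/60443")
    return kind, findings


if __name__ == "__main__":
    # Constructed input modelled on the RV180 schema quoted above.
    fwd = {("udp", 500), ("udp", 4500), ("tcp", 443), ("tcp", 60443)}
    print(check_gateway("192.168.1.50", fwd))
    # Constructed: only IKE forwarded, so NAT-T and the TCP port are flagged.
    print(check_gateway("192.168.1.50", {("udp", 500)}))
    # 203.0.113.10 is a documentation-range placeholder for a real public IP.
    print(check_gateway("203.0.113.10"))
```

A private WAN address with no missing forwards still does not satisfy the Cisco text quoted in the thread, which requires a public WAN address for QuickVPN.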
I have a new modem/router from my ISP which does not let me change the DNS anymore. As I do not want the standard DNS provided by the ISP and I do not want to set the required DNS on each connected device I thought to use the TC as the router instead of keep running it in "bridged mode". The modem allows me to set a DMZ to a defined machine, port forwarding or the use of DYNDNS. To make the situation a bit more complicated one of the devices, an IP TV set top box needs to be connected directly to the modem due to IGMP issues.
I have been selecting DMZ:
Then I gave the TC the static IP 192.168.1.10 and the required DNS:
And selected a range of IP addresses:
I can only select DHCP only. As soon as I try to set DHCP and NAT, I get an error message:
The setup does work but I am really not sure what kind of implications this has. Is the modem still providing NAT? Is my network now open and unprotected?
Thank you very much for some insight and suggestions.
The setup does work but I am really not sure what kind of implications this has. Is the modem still providing NAT? Is my network now open and unprotected?
Yes, the modem is still the router.
This is in fact the best setup.. what you are doing is using the TC as a secondary DHCP server. There is no need to even use DMZ.. it does not block in any way packets from internet.
Your network is not open.. it is behind a NAT router same as it was.
I use exactly the same setup to provide DNS alternatives to my clients.. same as what you are doing. -
QuickVPN - RV110W behind DSL Router
Hi all,
I have a Cisco RV110W behind an Actiontek V1000H DSL router supplied by my ISP.
I'd like to be able to make use of the Cisco QuickVPN client. According to my ISP placing the Actiontek into bridge mode cannot be done.
On the Actiontek I have forwarded the following ports to my RV110W's address:
60443/tcp
4500/udp
500/udp
On the RV110W I have ensured that remote management is enabled (on port 60443).
When attempting to connect with the client (using port 60443) - I get this far:
2012/01/30 11:16:21 [STATUS]OS Version: Windows 7
2012/01/30 11:16:21 [STATUS]Windows Firewall Domain Profile Settings: ON
2012/01/30 11:16:21 [STATUS]Windows Firewall Private Profile Settings: ON
2012/01/30 11:16:21 [STATUS]Windows Firewall Private Profile Settings: ON
2012/01/30 11:16:21 [STATUS]One network interface detected with IP address 192.168.245.164
2012/01/30 11:16:21 [STATUS]Connecting...
2012/01/30 11:16:22 [DEBUG]Input VPN Server Address = xx.xx.xx.xx
2012/01/30 11:16:22 [STATUS]Connecting to remote gateway with IP address: xx.xx.xx.xx
2012/01/30 11:16:22 [WARNING]Server's certificate doesn't exist on your local computer.
2012/01/30 11:16:23 [WARNING]Remote gateway wasn't reached...
2012/01/30 11:16:23 [WARNING]Failed to connect.
2012/01/30 11:16:23 [WARNING]Failed to connect!
Any suggestions? Is this configuration even possible?
Thanks!
Hi, Rudi & Craig
I just tested another different way, which way as Craig's book did, I set
Master's IP is DSL Router inside IP which same as "PUBLIC" Network Card's
IP address (10.0.0.101) when setting the MASTER's configuration in
iManager, it still working fine. Then it will be the best way if the ISP
change my static Public IP.
BTW, Craig, when you have chance, can you mention this on your web site or
in your book (when you have new version book), BM38SP5 got a bug, the
vpn.jar cannot set Non-BM VPN Slave (I used Linksys router for Slave
server), I called Novell support engineer, he said Novell knew this error,
I have to use the vpn.jar which in BM38SP4_IR5 to setup Non-BM VPN Slave.
But there is another problem, the vpn.jar which in BM38SP4_IR5 cannot set
MASTER VPN server. The only way to do the job is install BM38SP5, setup
MASTER VPN server, setup C2S VPN, then copy the vpn.jar which in
BM38SP4_IR5 in, to setup Non-BM VPN Slave. I hope you can understand my
poor English.
James
> Rudolf Thilo wrote:
> Hello James.
>> In Craig's book, there is a sample
>> for VPN Slave Server behind DSL router.
>> But I don't know I can setup Master VPN
>> server behind DSL router or not.
> It works, starting with BM3.8. IIRC Craig has an example
> in his book? You will need to specify the DSL router's
> (static!!) public IP address as the MASTER's public IP
> when setting up the MASTER's configuration.
> Regards, Rudi. -
SOLVED: Dropped connections with Time Capsule and cable modem/router
I've been dealing with random dropped connections for quite a while and I thought that it would be useful to share what I've found.
I was having a very puzzling problem where my internet connection would drop randomly on wireless devices. On my laptop, webpages would suddenly become unresponsive for a minute or two, Mail would have connection problems and complain, etc...but incredibly randomly and definitely not repeatable or in any pattern that I noticed.
I also have 2 Nest thermostats in the house which connect via wi-fi. I noticed that they would randomly show Offline very often when viewed from a webpage or iPhone app, but the Nest front panels showed that they were connected with a strong signal.
As I said, the dropped connections were very sporadic. Most of the time, everything worked, but every once in a while...bam.
I worked with the level 3 tech support guys at Nest for over a week to figure out what was going on. We went through settings on my router and Time Capsule and everything seemed proper and okay. I even replaced the Nests with new ones but still had the same problem. We were all completely stumped.
Yesterday, my laptop dropped its connection at the same time my wife's laptop dropped hers. At this point, I wondered if something was wrong with the Time Capsule or maybe my internet provider.
I called AppleCare to see if they could help with debugging the problem. They passed me up to a senior wi-fi tech and he asked me many questions about the configuration of my network. My home network looked like this yesterday (see crappy diagram below)
Motorola Cable modem/router
            |
  Netgear multiport switch
   | | |            | |
hardwired Macs,   TimeCapsule (bridge mode)
laser printers,     | | | | |
Apple TVs         laptops, Nest, iphones
This configuration seemed correct to me. The Time Capsule in bridge mode would mean that the cable modem/router would be handling DHCP so all the devices would be on the same network and I could print from a laptop to one of my printers and the laptops could connect to the hardwired Macs, etc..
The AppleCare technician said he thought that bridge mode was the problem. He mentioned that there was a known issue that in this configuration, the IP addresses could get lost between the cable modem/router and the Time Capsule. He said it would be best if the Time Capsule was in DHCP/NAT mode and the first device before the switch, this way the Time Capsule was the only device passing out IP addresses.
So I repatched my network like this:
Motorola Cable modem/router
            |
TimeCapsule (DHCP/NAT mode)
   | | |                   | | |
Netgear multiport switch   laptops, Nest, iphones
   | | | |
hardwired Macs,
laser printers,
Apple TVs
I can tell you that in the past 24 hours, I haven't seen anything lose a connection. Not even the Nests which seemed to be on and off all the time. And, in this configuration, all the devices are on the same network and able to speak to each other.
I hope that helps someone.
So you're saying that Bridge Mode not functioning properly is a well known issue?
Not to me.. I have not had issues with the TC in bridge. And it is my preferred setup. I think it is better as a wireless AP and network hard disk than a router any day of the week.. but there are other ways to skin the cat if it is proving unreliable. I am at the moment using a wireless bridge from the Gen4 TC to a Gen4 AE upstairs for TV internet streaming.. it started off very reliable.. but of late I guess I need to reboot it every few days. And it has required a full reset two or three times.. although I probably need to take some of the blame for those. I am not over worried.. I do not believe in wireless bridges except for the most interim of arrangements.. it will be wired in ethernet ASAP.
Wireless should always be used in a way that respects its status as voodoo.. not stable technology. NOT SCIENCE.. it is more a bag of beads and rattles.
Is there a way to change the cable modem/router to avoid the double NAT problem?
The answer to this may depend on your ISP. Did they provide the modem? If so they may lock it down so you have no control. But normally a Motorola cable modem will not have a bridge mode as such but will have a method of turning off NAT.. (and wireless).. this amounts to the same thing.
Once you turn off NAT.. you need to power cycle the modem so the TC gets the public IP in router mode. The power cycle time might be 5min or 20min or overnight.. it again depends on your ISP.. but you need to stop the modem capturing the public IP so it can be passed to the modem.
Depending on where you are in the world.. US is most concentration of cable network.. you can go out and buy your own modem. Pick one on your ISP list and steer clear of SB.. at least with the apple routers they are problematic.
It also can be a case that the cable modem is SB model and therefore more problematic. Sorry I have forgotten the recommendation for what to buy. There are a number of posts here about it but search is terrible now. (or I am too old to figure it out). I will get Bob to poke his nose in and tell you what works for him.