Calling all network gurus

    I'm currently using Bell Fibe business internet with my Pepwave Surf SOHO router using PPPoE authentication, which works fine: I can put in my own www.domain.ca while inside my LAN and get to everything just fine. The Bell Fibe modem is configured in bridge mode in this case. However, I want to add a RATtrap device for security between the modem and my SOHO router, but it will not work. The folks at RATtrap suggested I set up the Bell Fibe modem to perform the PPPoE authentication and place my router in the modem's DMZ while configuring the SOHO to obtain its WAN address from the Fibe modem via DHCP. From the outside this works fine. I tested SMTP and I can send email from the outside to my mail server without issue. I can go to the domain with a browser (from the outside) and that works great as well. However, I cannot get to my domain by either Outlook client or browser using the DNS name from the LAN. Can any network gurus suggest a solution?

    Robert
    HS3PRO 3.0.0.500 as a Fire Daemon service, Windows 2016 Server Std Intel Core i5 PC HTPC Slim SFF 4GB, 120GB SSD drive, WLG800, RFXCom, TI103,NetCam, UltraNetcam3, BLBackup, CurrentCost 3P Rain8Net, MCsSprinker, HSTouch, Ademco Security plugin/AD2USB, JowiHue, various Oregon Scientific temp/humidity sensors, Z-Net, Zsmoke, Aeron Labs micro switches, Amazon Echo Dots, WS+, WD+ ... on and on.

  • #2
    Does the DNS name you are trying to reach resolve to your public IP address? If it does, it will probably not work.



    • #3
      Not a network guru, but in my setup my clients have their DNS point to my router. I use pfSense for my router. If I use my external domain name inside the LAN then the DNS Server (router/pfSense) routes just as if the request was from the WAN side.



      • #4
        Originally posted by drhtmal:
        "Does the DNS name you are trying to reach resolve to your public IP address? If it does, it will probably not work."
        Giving this a second shot, it appears that I cannot even use my public IP address. This doesn't make sense to me since my router is in the DMZ of the modem. Being in the DMZ I didn't think any port forwarding is required since it's basically open. Any other suggestions would be greatly appreciated.



        • #5
          Originally posted by langenet:
          "Giving this a second shot, it appears that I cannot even use my public IP address. This doesn't make sense to me since my router is in the DMZ of the modem. Being in the DMZ I didn't think any port forwarding is required since it's basically open. Any other suggestions would be greatly appreciated."
          The router being in the DMZ does not automatically give you access to hosts on your internal private LAN. You still have to configure port forwarding (which is not a great solution but that is for a different level of discussion.)



          • #6
            Not a network guru; however, I believe port forwarding applies from the WAN port (from the internet). As WAN works to your locally hosted domain but the connection from the LAN fails, this would point at the NAT configuration. The solution may be very dependent on your router's capabilities.



            • #7
              I also use pfSense here and am not familiar with your RATtrap firewall configuration. That said, typically most routers have the same feature set, except for a few SOHO routers.

              PFSense has the settings for NAT reflection under system / advanced / firewall & NAT.

              I have seen your issue with another automation peer on Cocoontech.

              First read this on Hairpinning.

              In network computing, hairpinning (or NAT loopback) describes a communication between two hosts behind the same NAT device using their mapped endpoint. Because not all NAT devices support this communication configuration, applications must be aware of it.

              Hairpinning is where a machine on the LAN is able to access another machine on the LAN via the external IP address of the LAN/router (with port forwarding set up on the router to direct requests to the appropriate machine on the LAN).

              Consider a private network with the following:

              Gateway address: 192.168.0.1
              Host 1: 192.168.0.5
              Host 2: 192.168.0.7
              The gateway has an external IP : 192.0.2.1
              Host 1 runs a P2P application P1 on its port 12345 which is externally mapped to 4444.
              Host 2 runs a P2P application P2 on its port 12345 which is externally mapped to 5555.

              If the NAT device supports hairpinning, then P1 application can connect to the P2 application using the external endpoint 192.0.2.1:5555. If not, the communication will not work.


              The aforementioned user's SOHO (ISP's combo router) did not do NAT loopback nor was it an option on the ISP SOHO router.

              @Robert, check your SOHO router and RatTrap device for a switch to enable or disable NAT reflection.

              Looked over the manual for the nat reflection (hairpinning) setting on your Pepwave Surf SOHO router. There is no mention in the manual.

              Googling nat reflection setting on Pepwave Surf SOHO router ....

              Thinking it is a sort of safety-feature decision by the manufacturer of the SOHO router.

              - Pete

              Auto mator
              Homeseer 3 Pro - 3.0.0.534 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU - Mono 6.00
              Homeseer Zee2 (Lite) - 3.0.0.534 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro - Mono 6.00

              X10, UPB, Zigbee, ZWave and Wifi MQTT automation.

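The exchange Pete describes (Host 1 reaching P2 through the external endpoint 192.0.2.1:5555) and the DNS approach from post #3, as an added example that is not part of the thread and not code from any router vendor: a small Python model of a port-forwarding NAT run in three modes. "none" is the behaviour of a router without NAT loopback, "dnat_only" rewrites only the destination, and "full" also source-NATs the client to the gateway's LAN address, which is what pfSense's "automatic outbound NAT for reflection" option adds. Hosts, addresses and port mappings are the ones from the post; the connection-tracking map, the mode names and the zone name www.example.ca are assumptions made for the model.

```python
# Model of the hairpin (NAT loopback / NAT reflection) problem described above.
# Added example, not code from the thread or from any router vendor. Hosts, public
# address and port mappings are the ones in the post; the conntrack map, the
# three reflection modes and the zone name www.example.ca are assumptions.
from dataclasses import dataclass, replace

GATEWAY_LAN = "192.168.0.1"   # gateway's LAN-side address
GATEWAY_WAN = "192.0.2.1"     # gateway's external (public) address
LAN_PREFIX = "192.168.0."

# Port-forward table: external port -> (internal host, internal port)
PORT_FORWARDS = {
    4444: ("192.168.0.5", 12345),   # Host 1, application P1
    5555: ("192.168.0.7", 12345),   # Host 2, application P2
}

def is_lan(ip):
    return ip.startswith(LAN_PREFIX)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Port-forwarding NAT. mode is "none" (no loopback, like the ISP combo router
    in the post), "dnat_only" (rewrite destination only) or "full" (rewrite
    destination and source, i.e. working NAT reflection)."""

    def __init__(self, mode):
        self.mode = mode
        self.conntrack = {}   # (translated src ip, port) -> (orig ip, port, ext port)

    def forward(self, pkt, ingress):
        """Translate a packet arriving on `ingress` ('wan' or 'lan'); None if the
        router keeps it for itself."""
        if pkt.dst_ip != GATEWAY_WAN:
            return pkt                         # not for the public IP: untouched
        fwd = PORT_FORWARDS.get(pkt.dst_port)
        if fwd is None:
            return None                        # no mapping: router is the target
        host, port = fwd
        if ingress == "wan":
            return replace(pkt, dst_ip=host, dst_port=port)   # plain port forward
        # From the LAN to the router's own public address:
        if self.mode == "none":
            return None                        # treated as traffic for the router
        if self.mode == "dnat_only":
            return replace(pkt, dst_ip=host, dst_port=port)
        # "full": also source-NAT to the gateway's LAN address so the reply is
        # forced back through the NAT instead of going host-to-host.
        self.conntrack[(GATEWAY_LAN, pkt.src_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        return replace(pkt, dst_ip=host, dst_port=port, src_ip=GATEWAY_LAN)

    def reply(self, pkt):
        """Undo the translation for a reply addressed to the gateway."""
        state = self.conntrack.get((pkt.dst_ip, pkt.dst_port))
        if state is None:
            return pkt
        orig_ip, orig_port, ext_port = state
        return replace(pkt, src_ip=GATEWAY_WAN, src_port=ext_port,
                       dst_ip=orig_ip, dst_port=orig_port)

def from_wan():
    """An Internet client reaching P2 via 192.0.2.1:5555 (works in every mode)."""
    out = Nat("none").forward(Packet("203.0.113.9", 40000, GATEWAY_WAN, 5555), "wan")
    return (out.dst_ip, out.dst_port)

def hairpin_ok(mode):
    """Host 1 connects to P2 via the external endpoint 192.0.2.1:5555. True if
    the SYN-ACK Host 1 gets back comes from the tuple it connected to."""
    nat = Nat(mode)
    syn = Packet("192.168.0.5", 50000, GATEWAY_WAN, 5555)
    out = nat.forward(syn, "lan")
    if out is None:
        return False                           # connection refused / timeout
    # Host 2 answers whatever source the SYN appeared to come from.
    syn_ack = Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port)
    if syn_ack.dst_ip == GATEWAY_LAN:
        seen = nat.reply(syn_ack)              # goes back through the NAT
    else:
        seen = syn_ack                         # delivered directly, bypassing the NAT
    return (seen.src_ip, seen.src_port) == (syn.dst_ip, syn.dst_port)

# Alternative from post #3: split-horizon DNS. LAN clients resolve the public
# name to the internal address and never touch the NAT. Only helps when the
# internal port equals the external one (true for mail/web on standard ports,
# not for the 12345 -> 5555 mapping above).
PUBLIC_DNS = {"www.example.ca": GATEWAY_WAN}
HOST_OVERRIDES = {"www.example.ca": "192.168.0.7"}

def resolve(name, client_ip):
    """Resolver on the gateway: LAN clients get the host override."""
    if is_lan(client_ip) and name in HOST_OVERRIDES:
        return HOST_OVERRIDES[name]
    return PUBLIC_DNS.get(name)
```

The "dnat_only" mode is the instructive one: the destination is rewritten, so the SYN does reach Host 2, but Host 2 replies straight to 192.168.0.5 from 192.168.0.7:12345, a tuple Host 1 never connected to, so the client resets the handshake. That is why a reflection feature has to rewrite the source as well, and why a plain DMZ or port forward on the modem never covers LAN-originated traffic.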


              • #8
                Thanks Pete for your insight. As always, you provide great information. I've had 2 days of a networking nightmare. I finally called to have the modem swapped. I think all the config changes messed it up even though things were set back. The new modem resolved the issue.
                Saying that, I'll return the rattrap device and I think I'll go with a pfsense firewall solution. While I've built systems in the past, I'm liking the SG-1100 MicroFirewall Netgate is offering - small foot print, low cost, low power consumption.
                I know that you've mentioned it before, but what are the 3 essential add-ons in pfsense I should have? Geo-blocking?

                It's been 20 years since I did my Cisco CCNA/CCNP certification and haven't played with it for 18 of those years - I've been in the Java development space for a number of years.

                Robert



                • #9
                  When referring to the new modem are you writing about the Pepwave Surf SOHO router?

                  The Netgate SG-1100 is nice and small.

                  Personally have DIY'd my PFSense boxes. Initially it was just an old computer and added NIC cards. Today it is a BCM mITX motherboard (Haswell chipset) with 6 Intel Gb NICs on it. Just also installed PFSense on a Qotom 2 port computer. Easy install via USB stick.

                  [image: pfsense.jpg]

                  This is what I have enabled on my PFSense firewalls (well two of them).

                  1 - IP6
                  2 - PFBlocker (MaxMind)
                  3 - DNS Resolver (think that it is on by default when you install it)
                  4 - Snort
                  5 - Squid
                  6 - NTP connected to a GPS with PPS (optional)
                  7 - VPN ==> IPsec with L2TP (optional) - i.e. today no ports are open and I only access my stuff via VPN. It is so easy these days.
                  8 - UPS plugin connected to an APC (optional)
                  9 - 2nd WAN failover link (using a cellular modem) optional
                  10 - 2,3,4 optionally added LANs. (for tinkering mostly)

                  You can do VLANs too on the PFSense LAN ports.

                  The pfSense GUI is plug and play. When first installing it you are protected by default settings and nothing is left open on pfSense.

                  Yeah, it was only Cisco many years ago (airlines). It was always set and forget, but then it was private line (point to point, frame relay and MPLS). My desktop had (in the 1990s) a public IP address on it and at the time there was no DHCP in use. The pre-Cisco routers used NAT tables which were hand-done along with the routing tables. No firewalls then. The intro to internet firewalls was F5s at the time. What a PITA it was to have to worry about the Internet. I personally hated the introduction of the "GUI" and always liked the quick CLI.
                  - Pete




                  • #10
                    Thanks Pete... Yeah, it was the Fibre modem that was replaced and finally things got working as before. The Pepwave SOHO has been extremely reliable and even after 4 years they are still providing firmware updates.

                    Yeah now I remember, it was in 2001 when I did my CCNP Certification - remember, just flew into Boston a couple of days before the Twin Towers were taken down. Couldn't fly back to Canada since the airways were shutdown. An interesting week that was...

                    Anyway, thanks for the info - may hit you up later for more. I've been thinking about pfSense for a long while and think I'll go that way.

                    Robert



                    • #11
                      Good news Robert. So you kept your RatTrap firewall as it is working now eh?

                      Yeah I was working in 2001 for an Airline and while I remember a bunch of stuff don't really like to think about it much these days.

                      At the time we were already behind in the conversion to all IP such that we implemented a custom Cisco Router firmware to allow for ALC use. (MATIP).

                      I was traveling a bunch at the time and did stop traveling for a couple of years.
                      - Pete




                      • #12
                        Pete, no, RATtrap is going back - never could make it work in my configuration - yeah, I know weird... Going to order a SG-1100 MicroFirewall today actually.

                        Let the fun begin!



                        • #13
                          Robert, you will be very happy with pfSense. When I made the switch it made everything much easier and more stable. I ran it for over a year. I did subsequently switch to Ubiquiti, but not because the firewall/router was better, just for the centralized management. The pfSense router was more powerful and configurable, especially with regard to threat management.
                          Randy Prade
                          Aurora, CO
                          Prades.net

                          PHLocation - Pushover - EasyTrigger - UltraECM3 - Ultra1Wire3 - Arduino

