
Thread: Subnetting

  1. #1 Newbie (Join Date: Apr 2010; Posts: 12)

    Subnetting

    Sorry if there's already a post about this, but I was not able to find it.
    Here go several questions all together.
    1.- My client is a school with several classrooms, an administration sector and guests, which I want to separate into different subnets (192.168.1.x, 192.168.2.x and so on). Which is the correct way to create rules that permit or deny members of one subnet connecting to hosts placed in another subnet?
    2.- I don't want any of those subnets to be a DMZ zone. Is that possible?
    3.- Does Untangle by default permit traffic between subnets or not?
    Thank you and regards

  2. #2 Untangler RatKnight (Join Date: Nov 2010; Location: Shepherd University; Posts: 57)

    Okay, here is the lowdown...

    If you don't want them to be able to talk to one another, keep the subnet mask in the DHCP server for each one set to 255.255.255.0.

    Only set the subnet for the UT box to 255.255.0.0. This will allow the subnets to talk with the UT server, but not with one another. So, the clients on the DHCP server will only be able to "talk" to other subnets.

    Also, this will sound strange, but separate your subnets a bit...

    For example, use 192.168.1.0 for classrooms
    192.168.19.0 for administration
    192.168.43.0 for guests.

    Why? Because then someone would have to guess at the IP address subnets to hit them.

    Also, DO NOT FORGET TO SET NAT RULES!!! Only allow those networks to connect with the external IP address, and back to that subnet. I am assuming that you are using a server with only 2 ports, if that is the case, then a clever person could just set a static ip address and change their subnet. If not, and you have 3 internal, and 1 external, you can actually just take care of most of this with NAT rules.

    If I am incorrect about something, someone please correct me

    Thanks,

    Rat

  3. #3 Newbie (Join Date: Apr 2010; Posts: 12)

    Hi Rat.
    Thanks for your reply.
    I don't know if I really fully understood.
    1.- There's only one place I found to set a subnet for the DHCP server.
    2.- When you say "set the subnet for the UT box to 255.255.0.0", where do you mean?
    3.- If I want only 1 of the 3 or more subnets not to be able to talk to the others... what should I do?
    4.- I have only one public IP address. When you talk about the NAT rules, exactly which rules do you refer to? Does that concern my case?
    5.- I forgot this in my first post: if I don't want any DMZ zone, how should I configure my UT box?
    Thanks again in advance
    Agoriuq

  4. #4 Untangler RatKnight (Join Date: Nov 2010; Location: Shepherd University; Posts: 57)

    Probably a bad idea for me to answer this at 2AM, but I will give it a go...

    1) Yes, change the subnet mask in the DHCP server to 255.255.0.0.
    2) In the UT server's Network settings, where you have the static IP address, change the subnet mask to 255.255.0.0.
    3) If you want one of the subnets to not be able to talk to the other two, set its subnet mask to 255.255.255.0; that should keep it from effectively communicating with the other subnets (please read my earlier caution on that).
    4) With the NAT rules, you basically need to give the firewall permission to allow the networks through. So, what I would do is create a NAT rule that allows all traffic from the internal device to the external, and vice versa. If that isn't possible, then just set up a NAT rule from each subnet to forward to your 1 public IP. Shouldn't be a problem (we do that in the building I manage). Remember, you need a different interface for each subnet, so 2 network cards aren't going to do it; you need at least 4.
    5) Configure it without a DMZ. Simply run everything through. You are definitely going to want a DMZ if you are running a web server though...

    Hope that helps,

    Andy
    I am a Networking and Security Student. So, if I am wrong about something, please feel free to point it out. We learn from our mistakes, not from being right :)

  5. #5 Newbie (Join Date: Apr 2010; Posts: 12)

    Not clear yet

    Hi Rat
    I tried all the alternatives you suggested, but it's still a random thing for me.
    From LAN B I can ping a host and open a webpage on a server in LAN A, but I can't open a Windows share on it.
    The system still manages me instead of me managing Untangle.
    I'm working in a laboratory environment and I can't implement it in the school until I can fully understand it and make it do what I want.
    Any tip?

  6. #6 Newbie (Join Date: Apr 2010; Posts: 12)

    Hi there
    I'll try to be clear describing my configuration, which I'm still working on in my lab, as I was not able to get what I wanted yet.
    My UT box is equipped with 4 NICs.
    One for WAN and the other three for 3 subnets (a, b and c):
    a = 192.168.10.x, b = 192.168.20.x and c = 192.168.30.x
    This customer is a school where (a) is dedicated to administration
    (must be a secure environment), (b) is for students and (c) is for guests
    who connect to WiFi and get only access to the Internet.
    The directory is controlled by two Microsoft Windows 2003 servers
    which act as domain controllers and file sharing; one is on LAN (a)
    and the other on LAN (b). What I want (and couldn't get yet) is to control traffic between LANs in such a way that LAN (b) must not be able to talk to computers in LAN (a) and vice versa. Obviously LAN (c) must not have access to any of the others. But the two servers (192.168.10.10 and 192.168.20.10) must have complete communication to allow synchronization.
    How should I set up networking so I can control this?
    Thank you in advance.

  7. #7 Untangle Ninja dwasserman (Join Date: Jun 2008; Location: Argentina; Posts: 4,367)

    The 3 subnets must be physically separated, at least 1 switch for each.
    Connect each switch to a NIC in Untangle.
    The traffic between 192.168.10.10 and 192.168.20.10 can be managed by a combination of the packet filter in Networking/Advanced and the Firewall app.
    The world is divided into 10 kinds of people, who know binary and those not
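    Post #6 asks for a policy between three LANs with a single exception (the two domain controllers), and post #7 says to build it from packet-filter and Firewall-app rules rather than from address masks. The Python model below is an added example, not part of the thread and not Untangle's own code: it expresses that policy as an ordered, first-match rule table over the addresses from post #6, evaluates a few constructed sample flows, flags rules that an earlier rule shadows (the usual reason a narrow "allow" placed after a broad "block" appears to do nothing), and renders the table as generic Linux iptables commands. The rule order, the default-deny, the choice that nothing inside needs to reach the guest LAN, the sample flows and the iptables rendering are this example's assumptions; the Untangle Firewall app builds its equivalent rules in the GUI.

```python
"""First-match inter-LAN policy for the three-LAN school layout in post #6.

Added example, not Untangle's own code. Addresses come from the post; the
rule order, default-deny and iptables rendering are this example's choices.
Each LAN hangs off its own NIC and switch, so every inter-LAN flow crosses
the gateway and the policy is applied on the forwarding path.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LAN_A = ip_network("192.168.10.0/24")  # administration (must be secure)
LAN_B = ip_network("192.168.20.0/24")  # students
LAN_C = ip_network("192.168.30.0/24")  # guests on WiFi, Internet only
DC_A = ip_network("192.168.10.10/32")  # domain controller on LAN a
DC_B = ip_network("192.168.20.10/32")  # domain controller on LAN b
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str  # "accept" or "drop"
    comment: str


# Order matters: the narrow exception for the two domain controllers must
# precede the broad block rules, otherwise it can never match.
POLICY = [
    Rule(DC_A, DC_B, "accept", "DC replication a -> b"),
    Rule(DC_B, DC_A, "accept", "DC replication b -> a"),
    Rule(LAN_A, LAN_B, "drop", "admin must not reach students"),
    Rule(LAN_B, LAN_A, "drop", "students must not reach admin"),
    Rule(LAN_C, LAN_A, "drop", "guests must not reach admin"),
    Rule(LAN_C, LAN_B, "drop", "guests must not reach students"),
    # Assumption: nothing inside needs to reach the guest WiFi either.
    Rule(LAN_A, LAN_C, "drop", "admin -> guests not needed"),
    Rule(LAN_B, LAN_C, "drop", "students -> guests not needed"),
    # Only flows the block rules did not catch get here: the Internet.
    Rule(LAN_A, ANY, "accept", "admin -> Internet"),
    Rule(LAN_B, ANY, "accept", "students -> Internet"),
    Rule(LAN_C, ANY, "accept", "guests -> Internet"),
    # No catch-all: anything else (e.g. WAN -> LAN) falls to default deny.
]

# The same rules with the DC exception moved last: a common mistake that
# silently breaks DC synchronization while every other test still "works".
MISORDERED = POLICY[2:] + POLICY[:2]


def evaluate(policy, src, dst):
    """Return the action of the first rule matching src -> dst ("drop" if none)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "drop"  # default deny when no rule matches


def shadowed_rules(policy):
    """Return rules that can never match because an earlier rule covers them.

    Only whole-network shadowing is detected (earlier src and dst are
    supersets); that is enough to catch the misordered DC exception.
    """
    shadowed = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if rule.src.subnet_of(earlier.src) and rule.dst.subnet_of(earlier.dst):
                shadowed.append(rule)
                break
    return shadowed


def to_iptables(policy, chain="FORWARD"):
    """Render the table as generic Linux iptables commands (illustration only;
    the Untangle GUI builds equivalent rules). The model above judges only the
    initiating direction, so a real ruleset first admits reply traffic."""
    lines = [
        f"iptables -P {chain} DROP",
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for rule in policy:
        lines.append(
            f"iptables -A {chain} -s {rule.src} -d {rule.dst} "
            f"-j {rule.action.upper()}  # {rule.comment}"
        )
    return lines


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 is a documentation-range address.
    for src, dst in [("192.168.10.10", "192.168.20.10"),
                     ("192.168.20.50", "192.168.10.10"),
                     ("192.168.30.7", "203.0.113.5"),
                     ("203.0.113.5", "192.168.10.10")]:
        print(f"{src:>15} -> {dst:<15} {evaluate(POLICY, src, dst)}")
    print("shadowed in MISORDERED:", [r.comment for r in shadowed_rules(MISORDERED)])
    print("\n".join(to_iptables(POLICY)))
```

    Running the module prints the verdict for each sample flow, lists the two DC rules as unreachable in the misordered table, and emits the iptables rendering. The model deliberately carries no catch-all accept: with one public address and NAT, the WAN side should never be forwarded into an internal LAN unless a rule says so.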

  8. #8 Newbie (Join Date: Apr 2010; Posts: 12)

    Hi dwasserman
    The hardware configuration is exactly as you described, and I figured the way should be to set some packet filter rules or something like that, but I was not able to get it working. Could you tell me how to do that?
    Thanks

  9. #9 Untangle Ninja dwasserman (Join Date: Jun 2008; Location: Argentina; Posts: 4,367)

    Works in reverse: post pictures of your network, your configuration screens and the results you get, so we can try to see what is wrong.
    The world is divided into 10 kinds of people, who know binary and those not

  10. #10 Newbie (Join Date: Apr 2010; Posts: 12)

    Sorry dwasserman
    I don't understand. What else do you need in order to see what I'm asking for? I don't have any pictures, and in your first post you described my configuration. And it's exactly as you painted it.
