
[Sysadmin] Routing to null


Posts

  • That_Guy I don't wanna be that guy Registered User regular
    edited May 2019
    That_Guy wrote: »
    OH FOR FUCK'S SAKE, the goddamned fiber got cut AGAIN. For those of you keeping score at home, that's the 2nd time this month. I don't have time to babysit knuckle dragging primitives who can't understand the concept of buried telecommunications lines while they fumble about with heavy machinery. This truly is frontier IT work.

    We've had significant portions of our infrastructure go down in the last few years because people break into the repositories where a lot of old copper is run and rip it out to sell. These are ancient concrete bunkers that could probably withstand a bomb, and are mostly filled with fiber these days. Yet...it...still happens.

    Meth is a hell of a drug.

    GETTING FIBER WAS FUCKING SUPPOSED TO FIX THAT! For serious, with the old T1s this place had before we got fiber, people would regularly steal long sections of copper cable. They used to joke, whenever they went down, crackheads had stolen the cables again.

    Edit: I may have been frothing at the mouth a little bit there.

    That_Guy on
  • Seidkona Had an upgrade Registered User regular
    edited May 2019
    Honestly I shouldn't have a restriction on what I can install on my desktop.

    I'm trusted to run the servers of a multinational company. I'm not in Financial or something.

    Seidkona on
    Mostly just huntin' monsters.
    XBL:Phenyhelm - 3DS:Phenyhelm
  • Straygatsby Registered User regular
    Entaru wrote: »
    Honestly I shouldn't have a restriction on what I can install on my desktop.

    I'm trusted to run the servers of a multinational company. I'm not in Financial or something.

    Have you considered asking them 5 times?

    (I'm sorry. I'm so sorry. I couldn't resist)

  • wunderbar What Have I Done? Registered User regular
    So due to reasons I'm dealing with break/fix tickets this morning, and of course I get one of the more stupid ones I've ever seen.

    Open Word: "insufficient memory". This is usually a corrupt normal.dotm template thing; I've seen that a billion times. Delete the normal.dotm file and open Word.... same error. Won't create a new template file. Manually create one; it recognizes that there's one there, but when Word tries to repair it, get the same error. Change the location the normal.dotm file goes, same error.

    The fix..... disabling the Adobe PDF handler add-in. As soon as I did that, Word was able to properly re-create the normal.dotm template file and the error went away.

    I hate computers.

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • LD50 Registered User regular
    wunderbar wrote: »
    So due to reasons I'm dealing with break/fix tickets this morning, and of course I get one of the more stupid ones I've ever seen.

    Open Word: "insufficient memory". This is usually a corrupt normal.dotm template thing; I've seen that a billion times. Delete the normal.dotm file and open Word.... same error. Won't create a new template file. Manually create one; it recognizes that there's one there, but when Word tries to repair it, get the same error. Change the location the normal.dotm file goes, same error.

    The fix..... disabling the Adobe PDF handler add-in. As soon as I did that, Word was able to properly re-create the normal.dotm template file and the error went away.

    I hate computers microsoft office.

  • wunderbar What Have I Done? Registered User regular
    [image attachment]

    XBL: thewunderbar PSN: thewunderbar NNID: thewunderbar Steam: wunderbar87 Twitter: wunderbar
  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • bowen How you doin'? Registered User regular
    how many IP addresses did you get because usable range is usually for a block of addresses, but then why include network address (maybe it's the address of your ONT or something?)

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    edited May 2019
    bowen wrote: »
    how many IP addresses did you get because usable range is usually for a block of addresses, but then why include network address (maybe it's the address of your ONT or something?)

    14 addresses, that's the block at 144.121.157.64/28. I don't understand why or how it's different from the network address and gateway or what the static route means there. I've never seen an ISP do this before.

    SyphonBlue on
    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • BSoB Registered User regular
    edited May 2019
    Your address will be 144.121.156.254
    mask is as listed. 255.255.255.252
    Your gateway is 144.121.156.253

    BSoB on
  • FF Once Upon a Time In Oakland Registered User regular
    edited May 2019
    wunderbar wrote: »
    So due to reasons I'm dealing with break/fix tickets this morning, and of course I get one of the more stupid ones I've ever seen.

    Open Word: "insufficient memory". This is usually a corrupt normal.dotm template thing; I've seen that a billion times. Delete the normal.dotm file and open Word.... same error. Won't create a new template file. Manually create one; it recognizes that there's one there, but when Word tries to repair it, get the same error. Change the location the normal.dotm file goes, same error.

    The fix..... disabling the Adobe PDF handler add-in. As soon as I did that, Word was able to properly re-create the normal.dotm template file and the error went away.

    I hate computers microsoft office Adobe.

    FF on
    Huh...
  • bowen How you doin'? Registered User regular
    SyphonBlue wrote: »
    bowen wrote: »
    how many IP addresses did you get because usable range is usually for a block of addresses, but then why include network address (maybe it's the address of your ONT or something?)

    14 addresses, that's the block at 144.121.157.64/28. I don't understand why or how it's different from the network address and gateway or what the static route means there. I've never seen an ISP do this before.

    Alright so you need a switch in between the box and your firewall, the switch is there to allow you to plug in multiple devices to the single port on that box.

    Then you'd use one of that range:

    IP : 144.121.157.64
    Sub: 255.255.255.252
    Gate: 144.121.156.253

    and bingo bango bongo you're done

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • bowen How you doin'? Registered User regular
    Network address is meaningless here, I think that's the IP they gave to something else like an ONT or maybe another device they've got on site.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • BSoB Registered User regular
    Oh you got a range, nvm read it wrong.

    Depends on what you're doing with it. You set your NAT to translate the Range instead of a single address.

  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    BSoB wrote: »
    Your address will be 144.121.156.254
    mask is as listed. 255.255.255.252
    Your gateway is 144.121.156.253

    Okay but how do I use the useable block? That's a different subnet.

    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • bowen How you doin'? Registered User regular
    Here's a really "barebones" way of setting this up. Dummy switch in the middle can handle the routing from the ISP ONT or device or whatever just fine though it's not the "right" way to handle this with NAT and all that.

    gh361kztumcy.png

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • BSoB Registered User regular
    On a Cisco router you build an IP pool. Then you tell your router to draw from the pool for NAT purposes.

    Something like

    ! pool of public addresses to translate to: the usable part of the /28
    ip nat pool pool1 144.121.157.65 144.121.157.78 netmask 255.255.255.240
    ! standard ACL 1 matches any inside source address
    access-list 1 permit any
    ! PAT ("overload") inside sources matching ACL 1 onto the pool;
    ! the interfaces also need "ip nat inside" / "ip nat outside"
    ip nat inside source list 1 pool pool1 overload

  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    BSoB wrote: »
    On a Cisco router you build an IP pool. Then you tell your router to draw from the pool for NAT purposes.

    Something like

    ! pool of public addresses to translate to: the usable part of the /28
    ip nat pool pool1 144.121.157.65 144.121.157.78 netmask 255.255.255.240
    ! standard ACL 1 matches any inside source address
    access-list 1 permit any
    ! PAT ("overload") inside sources matching ACL 1 onto the pool;
    ! the interfaces also need "ip nat inside" / "ip nat outside"
    ip nat inside source list 1 pool pool1 overload

    Okay so I don't currently have a router, just a Watchguard T30, do I need to get a router?

    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • RandomHajile Not actually a Snatcher The New Kremlin Registered User regular
    Are you sure you got 14 addresses? That netmask 255.255.255.252 is just two bits. Meaning the network address is “unusable” (by RFC standards, but it can be used in some cases), the broadcast is unusable, leaving you with two usable IP addresses, one of which is taken by the gateway....leaving you with 1. The /28 is probably their upstream subnet including their next hop (the “static route”).

    I may be reading it wrong, because it is formatted weird in any case.

  • bowen How you doin'? Registered User regular
    Are you sure you got 14 addresses? That netmask 255.255.255.252 is just two bits. Meaning the network address is “unusable” (by RFC standards, but it can be used in some cases), the broadcast is unusable, leaving you with two usable IP addresses, one of which is taken by the gateway....leaving you with 1. The /28 is probably their upstream subnet including their next hop (the “static route”).

    I may be reading it wrong, because it is formatted weird in any case.

    Yeah I'm having a really hard time understanding how it's formatted myself, I just thought the router was doing some funky magic that they sometimes do.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Thawmus +Jackface Registered User regular
    edited May 2019
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    They're routing your block to the .254 address, and expect you to route your block from there.

    I just did a traceroute to 144.121.157.65 (your first usable address), and the last hop was that .254 address. So that's what they're doing.

    Did you already assign the .254 address to your firewall? EDIT: I ask because I got a hit on that address so either they already assigned it to their equipment or you already assigned it to yours.

    Thawmus on
    Twitch: Thawmus83
  • Thawmus +Jackface Registered User regular
    Also what are you doing with the /28?

    Twitch: Thawmus83
  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    Thawmus wrote: »
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    They're routing your block to the .254 address, and expect you to route your block from there.

    I just did a traceroute to 144.121.157.65 (your first usable address), and the last hop was that .254 address. So that's what they're doing.

    Did you already assign the .254 address to your firewall? EDIT: I ask because I got a hit on that address so either they already assigned it to their equipment or you already assigned it to yours.

    Yeah I've already assigned that to the firewall.

    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • SiliconStew Registered User regular
    edited May 2019
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    The first block is the point-to-point connection to the ISP from your router.
    The second "usable block" are your public IP addresses.
    Since they gave you both, the ISP didn't provide their own router to handle the point-to-point link, which means you need to configure your own router to do it.

    On your router, set one interface (WAN) to IP: 144.121.156.254, subnet: 255.255.255.252.
    On a second interface, set up IP: 144.121.157.65, subnet: 255.255.255.240.

    Then add static routes:
    destination: 144.121.156.242, subnet: 255.255.255.252 gateway/next hop: 144.121.156.254
    destination: 144.121.157.64, subnet: 255.255.255.240 gateway/next hop: 144.121.157.65
    destination: 0.0.0.0, subnet: 0.0.0.0 gateway/next hop: 144.121.156.253

    You then plug in a second firewall/router to the second interface and can use the 144.121.157.66 - .78 range for public IP addresses.
    For example, the WAN port on your second firewall might use: IP: 144.121.157.66, subnet: 255.255.255.240, gateway: 144.121.157.65.

    SiliconStew on
    Just remember that half the people you meet are below average intelligence.
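The subnet arithmetic that RandomHajile and SiliconStew are working through above, as an added example that is not code from the thread or from any poster: it uses Python's standard ipaddress module to compute what each block actually leaves usable, and walks a small longest-prefix-match routing table built from the static routes SiliconStew lists. The addresses are the ones quoted in the thread; the interface names "wan" and "lan", and the assumption that the point-to-point link is 144.121.156.252/30 (inferred from the .253 gateway and .254 customer address, since the thread never states the network address), are mine.

```python
"""Added example (not from the thread): subnet math and a longest-prefix-match
route lookup for the two blocks discussed. The /30 boundary and the interface
names are assumptions; every address is one quoted in the thread."""
import ipaddress

# Point-to-point link to the ISP: gateway .253, customer side .254 (from the thread).
PTP_NET = ipaddress.ip_network("144.121.156.252/30")   # ASSUMED network boundary
PTP_GATEWAY = ipaddress.ip_address("144.121.156.253")
PTP_LOCAL = ipaddress.ip_address("144.121.156.254")

# The routed "usable block" and the router's address on it (SiliconStew's .65).
ROUTED_NET = ipaddress.ip_network("144.121.157.64/28")
ROUTED_LOCAL = ipaddress.ip_address("144.121.157.65")


def usable_hosts(net, taken=()):
    """Host addresses in net, minus network/broadcast and anything already assigned."""
    taken = set(taken)
    return [h for h in net.hosts() if h not in taken]


def ptp_summary():
    """RandomHajile's point: a /30 has two host addresses and the gateway takes one."""
    return {
        "network": str(PTP_NET.network_address),
        "broadcast": str(PTP_NET.broadcast_address),
        "hosts": [str(h) for h in PTP_NET.hosts()],
        "left_for_customer": [str(h) for h in usable_hosts(PTP_NET, [PTP_GATEWAY])],
    }


def routed_summary():
    """The /28: 14 usable addresses, 13 once the router itself takes .65."""
    return {
        "network": str(ROUTED_NET.network_address),
        "netmask": str(ROUTED_NET.netmask),
        "usable_count": ROUTED_NET.num_addresses - 2,
        "usable_after_router": [str(h) for h in usable_hosts(ROUTED_NET, [ROUTED_LOCAL])],
    }


# Static routes as (destination network, next hop, egress interface).
# Interface names are assumed; a next hop of None means "directly connected".
ROUTES = [
    (PTP_NET, None, "wan"),
    (ROUTED_NET, None, "lan"),
    (ipaddress.ip_network("0.0.0.0/0"), PTP_GATEWAY, "wan"),   # default via the ISP
]


def lookup(dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nexthop, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    if best is None:
        return None
    net, nexthop, iface = best
    return {"via": str(nexthop) if nexthop else "connected",
            "iface": iface, "route": str(net)}


if __name__ == "__main__":
    print(ptp_summary())
    print(routed_summary())
    for d in ("144.121.157.70", "144.121.156.253", "203.0.113.9"):
        print(d, "->", lookup(d))
```

Running it shows the two facts the thread circles around: the /30 leaves exactly one address for the customer side (.254), and a destination inside 144.121.157.64/28 is delivered out the LAN-side interface rather than to the ISP gateway, which is what lets the servers use the /28 behind the router.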
  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    The first block is the point-to-point connection to the ISP from your router.
    The second "usable block" are your public IP addresses.
    Since they gave you both, the ISP didn't provide their own router to handle the point-to-point link, which means you need to configure your own router to do it.

    On your router, set one interface (WAN) to IP: 144.121.156.254, subnet: 255.255.255.252.
    On a second interface, set up IP: 144.121.157.65, subnet: 255.255.255.240.

    Then add static routes:
    destination: 144.121.156.242, subnet: 255.255.255.252 gateway/next hop: 144.121.156.254
    destination: 144.121.157.64, subnet: 255.255.255.240 gateway/next hop: 144.121.157.65
    destination: 0.0.0.0, subnet: 0.0.0.0 gateway/next hop: 144.121.156.253

    You then plug in a second firewall/router to the second interface and can use the 144.121.157.66 - .78 range for public IP addresses.
    For example, the WAN port on your second firewall might use: IP: 144.121.157.66, subnet: 255.255.255.240, gateway: 144.121.157.65.

    Blah, I don't want to have to buy a router. I work for a small non-profit and even just trying to convince them to switch off cheapo Comcast to this was a year-long affair.

    Oh well, thanks!

    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • Thawmus +Jackface Registered User regular
    SyphonBlue wrote: »
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    The first block is the point-to-point connection to the ISP from your router.
    The second "usable block" are your public IP addresses.
    Since they gave you both, the ISP didn't provide their own router to handle the point-to-point link, which means you need to configure your own router to do it.

    On your router, set one interface (WAN) to IP: 144.121.156.254, subnet: 255.255.255.252.
    On a second interface, set up IP: 144.121.157.65, subnet: 255.255.255.240.

    Then add static routes:
    destination: 144.121.156.242, subnet: 255.255.255.252 gateway/next hop: 144.121.156.254
    destination: 144.121.157.64, subnet: 255.255.255.240 gateway/next hop: 144.121.157.65
    destination: 0.0.0.0, subnet: 0.0.0.0 gateway/next hop: 144.121.156.253

    You then plug in a second firewall/router to the second interface and can use the 144.121.157.66 - .78 range for public IP addresses.
    For example, the WAN port on your second firewall might use: IP: 144.121.157.66, subnet: 255.255.255.240, gateway: 144.121.157.65.

    Blah, I don't want to have to buy a router. I work for a small non-profit and even just trying to convince them to switch off cheapo Comcast to this was a year-long affair.

    Oh well, thanks!

    What do you need the /28 for, though? The answer may help arrive at a solution.

    Twitch: Thawmus83
  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    Thawmus wrote: »
    SyphonBlue wrote: »
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    The first block is the point-to-point connection to the ISP from your router.
    The second "usable block" are your public IP addresses.
    Since they gave you both, the ISP didn't provide their own router to handle the point-to-point link, which means you need to configure your own router to do it.

    On your router, set one interface (WAN) to IP: 144.121.156.254, subnet: 255.255.255.252.
    On a second interface, set up IP: 144.121.157.65, subnet: 255.255.255.240.

    Then add static routes:
    destination: 144.121.156.242, subnet: 255.255.255.252 gateway/next hop: 144.121.156.254
    destination: 144.121.157.64, subnet: 255.255.255.240 gateway/next hop: 144.121.157.65
    destination: 0.0.0.0, subnet: 0.0.0.0 gateway/next hop: 144.121.156.253

    You then plug in a second firewall/router to the second interface and can use the 144.121.157.66 - .78 range for public IP addresses.
    For example, the WAN port on your second firewall might use: IP: 144.121.157.66, subnet: 255.255.255.240, gateway: 144.121.157.65.

    Blah, I don't want to have to buy a router. I work for a small non-profit and even just trying to convince them to switch off cheapo Comcast to this was a year-long affair.

    Oh well, thanks!

    What do you need the /28 for, though? The answer may help arrive at a solution.

    I host a few websites and other services in-house.

    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • Thawmus +Jackface Registered User regular
    SyphonBlue wrote: »
    Thawmus wrote: »
    SyphonBlue wrote: »
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    The first block is the point-to-point connection to the ISP from your router.
    The second "usable block" are your public IP addresses.
    Since they gave you both, the ISP didn't provide their own router to handle the point-to-point link, which means you need to configure your own router to do it.

    On your router, set one interface (WAN) to IP: 144.121.156.254, subnet: 255.255.255.252.
    On a second interface, set up IP: 144.121.157.65, subnet: 255.255.255.240.

    Then add static routes:
    destination: 144.121.156.242, subnet: 255.255.255.252 gateway/next hop: 144.121.156.254
    destination: 144.121.157.64, subnet: 255.255.255.240 gateway/next hop: 144.121.157.65
    destination: 0.0.0.0, subnet: 0.0.0.0 gateway/next hop: 144.121.156.253

    You then plug in a second firewall/router to the second interface and can use the 144.121.157.66 - .78 range for public IP addresses.
    For example, the WAN port on your second firewall might use: IP: 144.121.157.66, subnet: 255.255.255.240, gateway: 144.121.157.65.

    Blah, I don't want to have to buy a router. I work for a small non-profit and even just trying to convince them to switch off cheapo Comcast to this was a year-long affair.

    Oh well, thanks!

    What do you need the /28 for, though? The answer may help arrive at a solution.

    I host a few websites and other services in-house.

    Okay, how have you been firewalling those so far? Through software?

    Twitch: Thawmus83
  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    Thawmus wrote: »
    SyphonBlue wrote: »
    Thawmus wrote: »
    SyphonBlue wrote: »
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    The first block is the point-to-point connection to the ISP from your router.
    The second "usable block" are your public IP addresses.
    Since they gave you both, the ISP didn't provide their own router to handle the point-to-point link, which means you need to configure your own router to do it.

    On your router, set one interface (WAN) to IP: 144.121.156.254, subnet: 255.255.255.252.
    On a second interface, set up IP: 144.121.157.65, subnet: 255.255.255.240.

    Then add static routes:
    destination: 144.121.156.242, subnet: 255.255.255.252 gateway/next hop: 144.121.156.254
    destination: 144.121.157.64, subnet: 255.255.255.240 gateway/next hop: 144.121.157.65
    destination: 0.0.0.0, subnet: 0.0.0.0 gateway/next hop: 144.121.156.253

    You then plug in a second firewall/router to the second interface and can use the 144.121.157.66 - .78 range for public IP addresses.
    For example, the WAN port on your second firewall might use: IP: 144.121.157.66, subnet: 255.255.255.240, gateway: 144.121.157.65.

    Blah, I don't want to have to buy a router. I work for a small non-profit and even just trying to convince them to switch off cheapo Comcast to this was a year-long affair.

    Oh well, thanks!

    What do you need the /28 for, though? The answer may help arrive at a solution.

    I host a few websites and other services in-house.

    Okay, how have you been firewalling those so far? Through software?

    Using static NAT through the firewall.

    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • Thawmus +Jackface Registered User regular
    SyphonBlue wrote: »
    Thawmus wrote: »
    SyphonBlue wrote: »
    Thawmus wrote: »
    SyphonBlue wrote: »
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    The first block is the point-to-point connection to the ISP from your router.
    The second "usable block" are your public IP addresses.
    Since they gave you both, the ISP didn't provide their own router to handle the point-to-point link, which means you need to configure your own router to do it.

    On your router, set one interface (WAN) to IP: 144.121.156.254, subnet: 255.255.255.252.
    On a second interface, set up IP: 144.121.157.65, subnet: 255.255.255.240.

    Then add static routes:
    destination: 144.121.156.242, subnet: 255.255.255.252 gateway/next hop: 144.121.156.254
    destination: 144.121.157.64, subnet: 255.255.255.240 gateway/next hop: 144.121.157.65
    destination: 0.0.0.0, subnet: 0.0.0.0 gateway/next hop: 144.121.156.253

    You then plug in a second firewall/router to the second interface and can use the 144.121.157.66 - .78 range for public IP addresses.
    For example, the WAN port on your second firewall might use: IP: 144.121.157.66, subnet: 255.255.255.240, gateway: 144.121.157.65.

    Blah, I don't want to have to buy a router. I work for a small non-profit and even just trying to convince them to switch off cheapo Comcast to this was a year-long affair.

    Oh well, thanks!

    What do you need the /28 for, though? The answer may help arrive at a solution.

    I host a few websites and other services in-house.

    Okay, how have you been firewalling those so far? Through software?

    Using static NAT through the firewall.

    What I would do, then, is run the servers directly to the firewall (using the /28 block for their IPs), and run another cable to a cheapo router you use for your internal network. You still assign .65 to your LAN bridge (on the Watchguard), and you still set up a static route on your Watchguard (I have to believe it can do this, some devices do this automagically when you turn NAT off. I've seen really simple shit do this.).

    And I'd tighten up your firewall ruleset, big time. Only port 80/443 gets into your web server from the world, and port 22 can only get to it from your desk, for example. You can find lots of good example rulesets out there.

    This is pretty much how my boss ran our network for years without issue. I've motivated him to move to doing a 1:1 NAT setup instead of managing 130 iptables rulesets, but that's old people for you.

    Also, there are routers out there that don't cost $Texas but have some time costs instead. I've been using Mikrotik for 8 years now and I won't go back to Cisco if I have anything to say about it. That'd be the route I'd rather nudge you towards, to be honest. You'd have a hell of a lot more control over how this works.

    Twitch: Thawmus83
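The ruleset Thawmus describes above (web ports open to the world, SSH only from one desk, everything else dropped), as an added example that is not part of the thread or of any vendor's configuration: a first-match, default-deny policy evaluated over constructed connection attempts, plus a lint check that flags the kind of "admin port open to everyone" rule he is warning against. The web server address 144.121.157.66 is taken from the thread's /28; the desk address 10.0.0.25, the rule names and the sample connections are my assumptions. A WatchGuard, Mikrotik or nftables ruleset expresses the same policy in its own syntax.

```python
"""Added example (not from the thread): a tiny first-match, default-deny
firewall policy of the shape Thawmus recommends, evaluated over constructed
connection attempts. Desk address, rule names and samples are assumptions."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_SERVER = ipaddress.ip_network("144.121.157.66/32")   # from the thread's /28
ADMIN_DESK = ipaddress.ip_network("10.0.0.25/32")        # ASSUMED internal address


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset   # TCP destination ports the rule matches
    action: str        # "allow" or "deny"


RULESET = [
    Rule("web-from-world", ANY, WEB_SERVER, frozenset({80, 443}), "allow"),
    Rule("ssh-from-desk", ADMIN_DESK, WEB_SERVER, frozenset({22}), "allow"),
    # no catch-all rule: anything unmatched falls through to the default deny
]


def evaluate(src, dst, port, ruleset=RULESET):
    """First matching rule wins; no match means the default deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ruleset:
        if s in r.src and d in r.dst and port in r.ports:
            return r.action, r.name
    return "deny", "default"


ADMIN_PORTS = {22, 3389, 5900}   # ports that should never be open to 0.0.0.0/0


def overly_broad(ruleset=RULESET):
    """Lint: names of allow rules that expose an admin port to the whole internet."""
    return [r.name for r in ruleset
            if r.action == "allow" and r.src == ANY and r.ports & ADMIN_PORTS]


# Constructed sample connection attempts: (source, destination, destination port).
SAMPLE = [
    ("198.51.100.7", "144.121.157.66", 443),   # public client to the web server
    ("198.51.100.7", "144.121.157.66", 22),    # public client trying SSH
    ("10.0.0.25", "144.121.157.66", 22),       # the admin desk
    ("10.0.0.26", "144.121.157.66", 22),       # a neighbouring internal host
    ("198.51.100.7", "144.121.157.67", 443),   # a host in the /28 with no rule
]


def audit(sample=SAMPLE, ruleset=RULESET):
    """Decision for every sample attempt: (src, dst, port, action, rule name)."""
    return [(s, d, p) + evaluate(s, d, p, ruleset) for s, d, p in sample]


if __name__ == "__main__":
    for row in audit():
        print(row)
    # The case to "tighten up, big time": SSH allowed from anywhere.
    loose = RULESET + [Rule("ssh-from-anywhere", ANY, WEB_SERVER, frozenset({22}), "allow")]
    print("overly broad:", overly_broad(loose))
```

The order of the rules does not matter here because their match sets do not overlap, but on a real firewall it does: the same two rules placed after a permissive catch-all would never be reached, which is why the lint looks at the rules themselves rather than only at sample traffic.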
  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    Thawmus wrote: »
    SyphonBlue wrote: »
    Thawmus wrote: »
    SyphonBlue wrote: »
    Thawmus wrote: »
    SyphonBlue wrote: »
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    The first block is the point-to-point connection to the ISP from your router.
    The second "usable block" are your public IP addresses.
    Since they gave you both, the ISP didn't provide their own router to handle the point-to-point link, which means you need to configure your own router to do it.

    On your router, set one interface (WAN) to IP: 144.121.156.254, subnet: 255.255.255.252.
    On a second interface, set up IP: 144.121.157.65, subnet: 255.255.255.240.

    Then add static routes:
    destination: 144.121.156.242, subnet: 255.255.255.252 gateway/next hop: 144.121.156.254
    destination: 144.121.157.64, subnet: 255.255.255.240 gateway/next hop: 144.121.157.65
    destination: 0.0.0.0, subnet: 0.0.0.0 gateway/next hop: 144.121.156.253

    You then plug in a second firewall/router to the second interface and can use the 144.121.157.66 - .78 range for public IP addresses.
    For example, the WAN port on your second firewall might use: IP: 144.121.157.66, subnet: 255.255.255.240, gateway: 144.121.157.65.

    Blah, I don't want to have to buy a router. I work for a small non-profit and even just trying to convince them to switch off cheapo Comcast to this was a year-long affair.

    Oh well, thanks!

    What do you need the /28 for, though? The answer may help arrive at a solution.

    I host a few websites and other services in-house.

    Okay, how have you been firewalling those so far? Through software?

    Using static NAT through the firewall.

    What I would do, then, is run the servers directly to the firewall (using the /28 block for their IPs), and run another cable to a cheapo router you use for your internal network. You still assign .65 to your LAN bridge (on the Watchguard), and you still set up a static route on your Watchguard (I have to believe it can do this, some devices do this automagically when you turn NAT off. I've seen really simple shit do this.).

    And I'd tighten up your firewall ruleset, big time. Only port 80/443 gets into your web server from the world, and port 22 can only get to it from your desk, for example. You can find lots of good example rulesets out there.

    This is pretty much how my boss ran our network for years without issue. I've motivated him to move to doing a 1:1 NAT setup instead of managing 130 iptables rulesets, but that's old people for you.

    Also, there are routers out there that don't cost $Texas but have some time costs instead. I've been using Mikrotik for 8 years now and I won't go back to Cisco if I have anything to say about it. That'd be the route I'd rather nudge you towards, to be honest. You'd have a hell of a lot more control over how this works.

    Oh yeah I only allow port 443 to get to the web servers, nothing else is allowed. I'll look up Mikrotik. Thanks!

    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • Thawmus +Jackface Registered User regular
    edited May 2019
    I recommend going to routerboard.com and looking over their test results. The CCR series are what I use, but you can use an RB series. Make special note of the max aggregate throughput numbers. Not all Mikrotik devices are made equal. Don't buy a router that maxes at 50Mbps (yes, they make those).

    Also I don't actually buy from routerboard. Use whatever vendor you want.

    Thawmus on
    Twitch: Thawmus83
  • Darkewolfe Registered User regular
    Thawmus wrote: »
    SyphonBlue wrote: »
    Thawmus wrote: »
    SyphonBlue wrote: »
    Thawmus wrote: »
    SyphonBlue wrote: »
    SyphonBlue wrote: »
    Okay, I'm hoping someone who is better at networking than I am can help me out here:

    We just got our new fiber installed, and this was the IP addressing info that I was given:
    [screenshot: the IP addressing info from the ISP]

    I cannot make heads or tails out of this. How do I set up my firewall to use this network?

    The first block is the point-to-point connection to the ISP from your router.
    The second "usable block" are your public IP addresses.
    Since they gave you both, the ISP didn't provide their own router to handle the point-to-point link, which means you need to configure your own router to do it.

    On your router, set one interface (WAN) to IP: 144.121.156.254, subnet: 255.255.255.252.
    On a second interface, set up IP: 144.121.157.65, subnet: 255.255.255.240.

    Then add static routes:
    destination: 144.121.156.242, subnet: 255.255.255.252 gateway/next hop: 144.121.156.254
    destination: 144.121.157.64, subnet: 255.255.255.240 gateway/next hop: 144.121.157.65
    destination: 0.0.0.0, subnet: 0.0.0.0 gateway/next hop: 144.121.156.253

    You then plug in a second firewall/router to the second interface and can use the 144.121.157.66 - .78 range for public IP addresses.
    For example, the WAN port on your second firewall might use: IP: 144.121.157.66, subnet: 255.255.255.240, gateway: 144.121.157.65.

    Blah, I don't want to have to buy a router. I work for a small non-profit and even just trying to convince them to switch off cheapo Comcast to this was a year-long affair.

    Oh well, thanks!

    What do you need the /28 for, though? The answer may help arrive at a solution.

    I host a few websites and other services in-house.

    Okay, how have you been firewalling those so far? Through software?

    Using static NAT through the firewall.

    What I would do, then, is run the servers directly to the firewall (using the /28 block for their IP's), and run another cable to a cheapo router you use for your internal network. You still assign .65 to your LAN bridge (on the Watchguard), and you still set up a static route on your Watchguard (I have to believe it can do this, some devices do this automagically when you turn NAT off. I've seen really simple shit do this.).

    And I'd tighten up your firewall ruleset, big time. Only port 80/443 gets into your web server from the world, and port 22 can only get to it from your desk, for example. You can find lots of good example rulesets out there.

    This is pretty much how my boss ran our network for years without issue. I've motivated him to move to doing a 1:1 NAT setup instead of managing 130 iptables rulesets, but that's old people for you.

    Also, there are routers out there that don't cost $Texas but have some time costs instead. I've been using Mikrotik for 8 years now and I won't go back to Cisco if I have anything to say about it. That'd be the route I'd rather nudge you towards, to be honest. You'd have a hell of a lot more control over how this works.

    JFC I hate the world you guys live in.

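As an added check that is not part of the thread: the addressing plan from the quoted answer worked through with Python's ipaddress module, assuming only the addresses given above (the /30 point-to-point link, the /28 usable block, and the second firewall's WAN address). It derives each subnet's usable hosts, confirms every next hop sits on the link it is reached through, and rebuilds the three static routes from the interface addresses.

```python
# Added example (not from the thread): validate the ISP addressing plan
# before typing it into a router.
import ipaddress

# Values as given in the answer: WAN side of the /30 and LAN side of the /28.
WAN_IP = ipaddress.ip_interface("144.121.156.254/255.255.255.252")
ISP_NEXT_HOP = ipaddress.ip_address("144.121.156.253")
LAN_IP = ipaddress.ip_interface("144.121.157.65/255.255.255.240")
# The second firewall's WAN port, as in the answer's example.
SECOND_FW_WAN = ipaddress.ip_interface("144.121.157.66/255.255.255.240")


def usable_hosts(iface):
    """Host addresses in iface's subnet, minus the one assigned to iface itself."""
    return [h for h in iface.network.hosts() if h != iface.ip]


def on_link(iface, addr):
    """True if addr lies inside iface's subnet, i.e. it is a valid directly-connected next hop."""
    return ipaddress.ip_address(addr) in iface.network


def static_routes():
    """The three static routes from the answer, derived from the interface addresses.

    Each entry is (destination network, netmask, next hop) in the order the answer lists them.
    """
    return [
        (str(WAN_IP.network.network_address), str(WAN_IP.network.netmask), str(WAN_IP.ip)),
        (str(LAN_IP.network.network_address), str(LAN_IP.network.netmask), str(LAN_IP.ip)),
        ("0.0.0.0", "0.0.0.0", str(ISP_NEXT_HOP)),
    ]


def check_plan():
    """Return a list of problems; an empty list means the plan is internally consistent."""
    problems = []
    if not on_link(WAN_IP, ISP_NEXT_HOP):
        problems.append(f"default gateway {ISP_NEXT_HOP} is not on the WAN /30")
    if not on_link(LAN_IP, SECOND_FW_WAN.ip):
        problems.append(f"second firewall address {SECOND_FW_WAN.ip} is not inside the /28")
    if SECOND_FW_WAN.network != LAN_IP.network:
        problems.append("second firewall netmask disagrees with the /28")
    return problems


if __name__ == "__main__":
    print("usable on the /30:", [str(h) for h in usable_hosts(WAN_IP)])
    print("usable on the /28:", [str(h) for h in usable_hosts(LAN_IP)])
    for route in static_routes():
        print("route", *route)
    print("problems:", check_plan() or "none")
```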
  • Seidkona Had an upgrade Registered User regular
    Let me load up the console for my fancy cloud firewall and write some groups. . .

  • Thawmus +Jackface Registered User regular
    Darkewolfe wrote: »
    JFC I hate the world you guys live in.

    Networking or redneck engineering for cheap orgs?

  • djmitchella Registered User regular
    Today I taught my kid a (valuable?) life skill:


    It took him 20 minutes to get it all lined up and in the right order the first time, but that was with extra-long inner cables sticking out to make it easier to see what's going on. It was the third time cutting and stripping the housing before he managed to get everything the right length and crimped down properly, but once he'd started he was not going to give up.

    (maybe the valuable life skill is actually persistence, I guess, because monoprice charges like four dollars for a 30' cat5e cable, but I still have half of a thousand-foot roll sitting around and dangit, I'm going to use it all up eventually)

  • BahamutZERO Registered User regular
    my dad used to make me crimp network cables for our home network, I think I must have been bad at it because it always seemed like those cables had signal degradation issues.

  • Darkewolfe Registered User regular
    Thawmus wrote: »
    Networking or redneck engineering for cheap orgs?

    Redneck engineering for cheap orgs.

  • Darkewolfe Registered User regular
    edited May 2019
    I think there's a skill in teaching kids early on to think in an engineering capacity. Like, these objects aren't all magical artifacts that inexplicably do the things they do, they can all be broken down into components that you can understand, and you should always wonder HOW things work.

    Also that there's just a lot of satisfaction in working with your hands.

    Also, get up in the attic and run some cat5 for dad, we gotta get the new room wired up. You're young and the fiberglass insulation won't bother you as much.

  • LD50 Registered User regular
    my dad used to make me crimp network cables for our home network, I think I must have been bad at it because it always seemed like those cables had signal degradation issues.
    Darkewolfe wrote: »
    Redneck engineering for cheap orgs.
