IP/TCP and DHCP probs?

CougarGT

Junior Member
Feb 5, 2002
16
0
0
I am setting up a small network at my father's business. We have a DSL line coming in, that only certain employees can have access to. For this I got a D-Link 704 Gateway running into the uplink of a 16 port switch. What I want to do is manually specify the IP addresses of the computers, so I can block certain IP groups depending upon what ports they will have access to. This is where my problem comes in. I have turned off the DHCP server setting on my router, and am using a LAN IP of 192.168.0.1. I then manually specify the IP on the computers (I have been using an IP ending range of 100-120), as well as setting the subnet mask (255.255.255.0) and the default gateway to the LAN IP (192.168.0.1). This results in no access to the web or any of the service ports for this matter. If I re-enable the DHCP server, and let the computers automatically get an IP address, they have access to all the service ports, but the problem with this is it is hard to limit who, and what computer gets what services. Can anyone shed some light as to what may be the problem with specifying the IP address?
 

FUBAR

Senior member
Oct 11, 1999
618
0
0
Are you specifying your DNS servers as well?

Can you explain a little more of these "service ports"?
 

FFC

Member
Oct 23, 2001
100
0
0
Did you check your basic connectivity when you hard coded the IP addresses? Could you ping the default gateway you set? Could the workstations ping each other? Did you have DNS servers configured? Could you ping those?

Apologies if this approach is too simplistic.
 

CougarGT

Junior Member
Feb 5, 2002
16
0
0
For service ports I mean
80 - HTML
21 - FTP
etc etc......Only certain people will get email access, others will get html, depending upon what their job requires.

As for DNS servers I do believe I left it as automatic.......
When specifying the IPs I can ping all other computers, and the router. Network connectivity is fine.......
 

MiniMe69

Senior member
Oct 12, 2000
290
0
0
wow talk about being a hard a$$ to the what...15 employees there. limiting people to what ports they can access...what's the point when the office is so small already. you can just look over your shoulder to see what the other dude is doing.
 

CougarGT

Junior Member
Feb 5, 2002
16
0
0
Well..........75% of the people who work there do not require the use of anything on the web for their day to day jobs. To keep productivity high my dad doesn't want the distraction of surfing the web a click away. It is an electrical engineering/service business. I tend to agree with him. Some employees need FTP capability and email capability, that is the idea of using the firewall to limit what they have access to.
 

Acetate

Member
Sep 19, 2001
85
0
0
are any of the workstations able to ping outside the router?
try www.cisco.com or something.

Also, you'll have to specify which DNS server is to be used, you can't leave it blank when manually changing IPs.

How are you denying "groups" IP addresses port requests, exactly?

 

Acetate

Member
Sep 19, 2001
85
0
0
You also can't use 192.168.0.1 for your router interface.

You MUST NEVER use a 0 in an IP address, it is for network IDs only (not for devices).
Use 192.168.1.1 for your router interface.

Set your router to block all web requests for your network (192.168.1.0)

Hope this helps!
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< You also can't use 192.168.0.1 for your router interface.

You MUST NEVER use a 0 in an IP address, it is for network IDs only (not for devices).
Use 192.168.1.1 for your router interface.

Set your router to block all web requests for your network (192.168.1.0)

Hope this helps!
>>



I have 0's in my ip addresses and it works fine (windows, Mac, Linux, OpenBSD, and FreeBSD).


Try pinging 64.58.76.223 when you specify the IP addresses. (That's www.yahoo.com.) Try tracert/traceroute if that doesn't work.
 

Acetate

Member
Sep 19, 2001
85
0
0
You won't see any problems, but there could be an issue down the road.
Each octet in use must have at least 1 bit used.

Safest to always go with a number other than one, from my networking experience.
 

Hobbzilla

Member
Apr 8, 2001
159
0
0


<< You also can't use 192.168.0.1 for your router interface.

You MUST NEVER use a 0 in an IP address, it is for network IDs only (not for devices).
Use 192.168.1.1 for your router interface.

Set your router to block all web requests for your network (192.168.1.0)

Hope this helps!
>>



I guess I better go renumber my entire 10.0.0.x subnet
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
My guess is DNS servers. Try pinging something by name and see if it resolves to an IP address. If it doesn't resolve then put the ISP's DNS servers on the PC IP configuration.

192.168.0.1 is perfectly fine for an IP address. You most certainly can use 0 in an IP address and you can also use the 192.168.0.0 subnet any way you please.
 

CougarGT

Junior Member
Feb 5, 2002
16
0
0


<< are any of the workstations able to ping outside the router?
try www.cisco.com or something.

Also, you'll have to specify which DNS server is to be used, you can't leave it blank when manually changing IPs.

How are you denying "groups" IP addresses port requests, exactly?
>>



I have set up some groups in the router......

the default group has all ports blocked

IP's ending in 100-102 are allowed port 21, 25, 80, 110, 443 etc etc
and IP's ending in 103-105 are allowed 21, 25, 110
 

CougarGT

Junior Member
Feb 5, 2002
16
0
0
I will try and change the LAN IP in the router and I'll look into the DNS setting some more.
Thanks for all your help
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< You won't see any problems, but there could be an issue down the road.
Each octet in use must have at least 1 bit used.

Safest to always go with a number other than one, from my networking experience.
>>



Thinking about it, I almost remember that a couple of OSes had problems with 0's in the IP addresses. Of course that was something like 10+ years ago. Back when 192.168.1.0 would have been known as a broadcast IP.


I may be remembering my history wrong though.
 

Acetate

Member
Sep 19, 2001
85
0
0
The reason that it actually works in a mini home network is because the IP isn't being routed, therefore the router isn't looking at the network portions (192.168.X) to make a decision.

Routers cannot make a proper decision with 0's, because they are designated as a network address.

Peace!
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< The reason that it actually works in a mini home network is because the IP isn't being routed, therefore the router isn't looking at the network portions (192.168.X) to make a decision.

Routers cannot make a proper decision with 0's, because they are designated as a network address.

Peace!
>>



That's why NAT happens before the router.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< Precisely my point. >>



I don't know if you are right. My knowledge of cisco/bay/3com/whatever other routers are out there is quite limited.

 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76


<< Routers cannot make a proper decision with 0's, because they are designated as a network address >>


whoah there big fella. That is entirely false.

How about 12.10.0.45/24 ? that's a good address
194.0.193.1/18? that's a good address
172.16.0.1/24 that's a good address
215.0.212.64/16 that's a good address
192.168.0.1/24 that's a good address

routers could care less about if there is a zero octet in an IP address so long as the mask is correct. Way back you had to worry about a zeros broadcast which is why use of the zero subnet was discouraged. But that was like 10 years ago.



history...
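
The addresses listed in the post above, checked against their masks, as an added example that is not part of the original thread. The function names `classify` and `classful_prefix` are made up here; the `subnet_zero` flag marks the pre-CIDR "zero subnet" case the post mentions, and the last two addresses in the demo loop are constructed for contrast.

```python
import ipaddress

# Addresses quoted in the thread, with the prefix lengths given in the post.
THREAD_ADDRESSES = [
    "12.10.0.45/24", "194.0.193.1/18", "172.16.0.1/24",
    "215.0.212.64/16", "192.168.0.1/24",
]

def classful_prefix(ip):
    """Prefix length the old class A/B/C rules would assume for this address."""
    first_octet = int(ip) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{ip} is class D/E, not a unicast address")

def classify(cidr):
    """Say what an address is under its mask: host, network ID or broadcast."""
    iface = ipaddress.IPv4Interface(cidr)
    net = iface.network
    if net.prefixlen >= 31:
        role = "host"            # /31 and /32 have no separate network/broadcast
    elif iface.ip == net.network_address:
        role = "network-id"      # all host bits zero
    elif iface.ip == net.broadcast_address:
        role = "broadcast"       # all host bits one
    else:
        role = "host"
    # Historical "zero subnet": a subnet whose subnet bits are all zero,
    # so its network ID equals that of the enclosing classful network.
    cp = classful_prefix(iface.ip)
    classful_net = ipaddress.ip_network(f"{iface.ip}/{cp}", strict=False)
    subnet_zero = (net.prefixlen > cp
                   and net.network_address == classful_net.network_address)
    return {
        "role": role,
        "network": str(net),
        "zero_octet": "0" in str(iface.ip).split("."),
        "subnet_zero": subnet_zero,
    }

if __name__ == "__main__":
    # Last two entries are constructed: a real network ID and a real broadcast.
    for cidr in THREAD_ADDRESSES + ["192.168.1.0/24", "192.168.0.255/24"]:
        print(cidr, classify(cidr))
```

What decides whether an address is usable by a device is its host bits under the mask, not whether an octet prints as 0.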
 

Hobbzilla

Member
Apr 8, 2001
159
0
0
Sarcasm is hard to display in these posts.
So my previous post about renumbering my *entire* 10.0.0.x subnet was not supposed to be taken literally.

Sorry for any confusion I might have caused.

I guess I should have just said, " You can use 0 in any octet but the first & last"
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0


<< Sarcasm is hard to display in these posts.
So my previous post about renumbering my *entire* 10.0.0.x subnet was not supposed to be taken literally.

Sorry for any confusion I might have caused.

I guess I should have just said, " You can use 0 in any octet but the first & last"
>>



It wasn't your post that caused the replies. I use a 10.x.x.x IP on my internal machines too and I realized your post was sarcastic (or at least hoped it was).

spidey07, looks like a nice link, thanks

EDIT: Guess it's a cisco link, no wonder it looked like it had some decent info on it
 