Follow Pete on Twitter! http://twitter.com/tyrstag
How to connect your new Astaro firewall to your network
So you’ve followed the directions from Part 1 and you have a working firewall with 3 network cards. But, you haven’t been able to get into the firewall to configure it. How do you connect it to your network?
Ok, the first thing you need to do is figure out which NIC is which. The catch is that until you can get connected on one of them, there's no way to know for sure.
The first thing you will need to do is to make sure you are on the same network as the Astaro. In Vista, the easiest way to do this is to click on the Start Marble, right click on "Network", left click "Properties". This will bring up the "Network and Sharing Center". On the left side of the "Network and Sharing Center", under "Tasks", click on "Manage Network Connections".

You will probably have a lot less connections than I do. I’m running the Astaro Software in a Virtual Machine on the same computer that I’m writing this on.
Find the connection that shows as connected. It will probably say "Local Area Connection". Right click on the Connection and click "Properties".

Double Click on “Internet Protocol Version 4 (TCP/IPv4)”. If you accepted the default IP setting while installing the Astaro software, you should be able to use the settings in this screenshot.

You can leave the DNS server alone for now, we don’t need the setting to get the firewall running.
Next, take a network patch cable and connect it to the PC you are doing the configuration from. Now we have to figure out which is the Internal port of the firewall. If you have 3 NICs, the Astaro has named the ports eth0, eth1 and eth2, in the order they were detected during the installation. So if you have ports built into the motherboard, they are most likely eth0 and eth1 if your mobo has 2 ports, and just eth0 if it has only 1.
But the easiest thing to do is “Trial and Error”. Put the cable into any of the ports and open up Internet explorer or Firefox or your browser of choice.
In the address bar enter https://192.168.2.100:4444, the default management address. You should get a certificate warning: the Astaro generates a self-signed certificate for its management interface, so your browser cannot verify it, and on this first, direct cable connection that warning is expected. If you get no response at all, move the cable to another port on the Astaro and hit "Refresh" (F5). When you get the certificate warning, you have the right port.

Click on “Continue to this website”. If you haven’t gone through the Basic Configuration from Part 1, go back to the first part and follow those directions. I’ll wait here while you do that. . .
OK, back?
How does it fit in the Network?
The firewall sits in between the Modem/Router and your network switch. So that all traffic between the internet and your PC is filtered and scanned. Like in this diagram.

IP Addressing and Subnet Masks – What are they and how do they work?
If you’ve ever given your PC an IP address you know that there are 4 pieces of information that you need for the network to work correctly.
· IP Address
· Netmask
· Gateway Address
· 2 DNS Servers (1 Minimum)
We’ll deal with the first 3 here and DNS later.
IP Addresses
An IP Address is how your computer is identified on a network. A given address is not unique to a single computer worldwide (contrary to what most people think). But it MUST be unique on the Internet.
Huh? How can it be on multiple computers and still be unique on the internet? That’s done by a little thing known as NAT(Network Address Translation) and the fact that there are 2 types of IP Addresses, Public and Private.
Public IP Addresses are the addresses that are on the Internet and therefore are PUBLIC, meaning they can be seen by anyone with an Internet connection and MUST be UNIQUE.
Private IP Addresses are used internally to your Home, Business, Cell phone, PDA . . . They are not seen on the Internet and are PRIVATE. They must be unique on your network, but the same address can be used thousands of times by different internal networks.
Let’s look at an IP Address
IP Addresses are written in a format known as a “Dotted Quad”. Meaning that there are 4 parts separated by Periods. You’ve seen them.
192.168.100.100
Each part of the address is a number from 0 to 255. (Within a subnet, the address whose host part is all zeros is the network address and the one whose host part is all ones is the broadcast address, so don't assign those two to a machine; on a 255.255.255.0 network that's the .0 and .255 addresses.) The reason for the numbering is that an entire IP Address is a 32-bit number, each part of the address being 8 bits in binary. We'll discuss binary later in the blog. You should understand it so you have a better understanding of how Netmasks and IP Addresses work.
Private Addresses
Private addresses come in 3 ranges, defined in RFC 1918. Each was designed for a different number of devices on the private network. You should use the smallest range that fits. Here are the ranges.
10.0.0.0 – 10.255.255.255 has 16,777,216 addresses and a Subnet Mask of 255.0.0.0 for the whole block. For some reason people like to use this range. I guess it's in case they eventually buy more than 1,000,000 computers.
172.16.0.0 – 172.31.255.255 has 1,048,576 addresses and a Subnet Mask of 255.240.0.0 for the whole block.
192.168.0.0 – 192.168.255.255 has 65,536 addresses and a Subnet Mask of 255.255.0.0 for the whole block. This is the most common of the address ranges. Almost every home router has it preconfigured. The Astaro firewall you built in Part 1 set up a default network of 192.168.2.0 with a Subnet Mask of 255.255.255.0 (256 addresses, 254 of them usable for hosts).
Private addresses are NOT routable on the Internet. This means that if a packet carrying one of those addresses shows up at your ISP, their routers will drop it rather than forward it.
Only Public addresses are allowed on the Internet. Public Addresses are, broadly, all the other numbers not included in the list above (a few further ranges are reserved too, such as 127.x.x.x for the loopback address and 169.254.x.x for link-local addresses). These Public IP addresses are issued in blocks to ISPs for use by their customers. The ISP has a limited number of addresses to give out, so they use something called Dynamic Host Configuration Protocol (DHCP) to give out addresses from a pool as they are needed.
You are issued 1 address when you connect, no matter how many computers you have on your private network. When you disconnect, the address is added back to the pool so other users can use them.
Your Modem/Router/Firewall then gives a Private Address to any computer inside your Private network. These are usually the 192.168.X.X addresses.
So, how does the Private Address get converted into a Public Address?
That's done by a little Magic called Network Address Translation (NAT). When you access the Internet using a Private Address, your Router/Modem/Firewall (just Router from now on) picks a port number for your connection, rewrites the source of your packet to its Public Address and that port, records the pairing in its NAT table, and forwards the request out to the Remote Host (Web Server). The Remote Host only ever sees the Public Address and port, so that is where it sends the Data (Web Page) back. The Router receives the data, looks at the destination port, finds the matching entry in its NAT table, rewrites the destination to your PC's Private Address and forwards it on to your PC.
1. My Computer (192.168.1.5) sends a request for www.google.com to the Router.
2. Router (192.168.1.1) translates my Private IP to the Public Address and picks a port. (72.72.X.X:12345) It adds the entry to the NAT table.
3. Router forwards the request on to www.google.com. The packet now carries your Public IP and the port the Router picked (72.72.X.X:12345) as its source, so that is where the reply will go.
4. Google fills the request and sends it to (72.72.X.X:12345).
5. Router accepts the reply and looks in the NAT table for the entry 12345. It finds My Computer listed with the Private Address (192.168.1.5).
6. It changes the Public Address to My Computer's Private Address and forwards it to My Computer.
Pretty Simple right?
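The six steps above, as a small Python model. This is an added example, not code from the post or from Astaro: a router object keeps the NAT table, rewrites outbound packets to its public address plus a chosen port, rewrites replies back to the private host, and drops anything arriving on a port it never handed out. That last case is the reason a DNAT rule (covered at the end of this post) is needed before anything on the Internet can reach a machine inside. The addresses are constructed: 72.72.0.1 stands in for the post's 72.72.X.X, and 198.51.100.10 is a documentation address standing in for the web server.

```python
"""Toy model of NAT as walked through in the post (added example, not Astaro code).

The router keeps a translation table keyed on the public port it picked.
Outbound packets from the private network get their source rewritten to
(public IP, chosen port); a reply to that port is rewritten back to the
private host. A packet arriving on a port with no table entry is dropped.
All addresses here are constructed for the example.
"""
from dataclasses import dataclass
import random


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    def __init__(self, public_ip, port_pool=range(10000, 60000), seed=None):
        self.public_ip = public_ip
        self.port_pool = port_pool
        self.rng = random.Random(seed)   # seeded only so the example is repeatable
        self.table = {}                  # public port -> (private ip, private port)

    def _pick_port(self):
        """Pick a public port that is not already in the NAT table."""
        while True:
            port = self.rng.choice(self.port_pool)
            if port not in self.table:
                return port

    def outbound(self, pkt):
        """Steps 2 and 3: rewrite the private source to the public address + new port."""
        for pub_port, (ip, port) in self.table.items():
            if (ip, port) == (pkt.src_ip, pkt.src_port):
                break                    # this host:port already has an entry, reuse it
        else:
            pub_port = self._pick_port()
            self.table[pub_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Steps 5 and 6: look up the destination port; forward inside, or drop."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None                  # unsolicited: nobody inside asked for this
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)


def walk_through():
    """Run the post's six steps once and return what the router produced."""
    router = NatRouter("72.72.0.1", seed=1)
    request = Packet("192.168.1.5", 51000, "198.51.100.10", 80, "GET /")   # step 1
    out = router.outbound(request)                                          # steps 2-3
    reply = Packet(out.dst_ip, 80, out.src_ip, out.src_port, "200 OK")      # step 4
    delivered = router.inbound(reply)                                       # steps 5-6
    # Something on the Internet knocking on port 3389 with no NAT entry: dropped
    stray = router.inbound(Packet("203.0.113.9", 4444, "72.72.0.1", 3389))
    return out, delivered, stray


if __name__ == "__main__":
    out, delivered, stray = walk_through()
    print("outbound as seen by the web server:", out)
    print("reply as delivered inside:", delivered)
    print("unsolicited inbound:", stray)
```

Real routers key the table on more than the port (the remote address and port and the protocol too), and entries expire when idle; the model above leaves that out to keep the six steps visible.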
What are IP Ports?
Every IP Address has 65,536 ports available for each transport protocol (TCP and UDP each have their own set), for services to use as well as for NAT. They are numbered from 0 to 65535. Each service that you connect to listens on a specific port.
The first 1024 ports (0 to 1023) are called the "Well Known" ports. These include:
· Port 21 FTP (File Transfer)
· Port 22 SSH (Secure Shell)
· Port 53 DNS (Domain Names)
· Port 80 HTTP (Web Pages)
· Port 443 HTTPS (Secure Web Pages)
There are many other ports registered to services above the first 1024. Probably the most common are:
· Port 3389 RDP (Remote Desktop)
· Port 5900 VNC (Remote Control)
You can find the complete list in the IANA Service Name and Port Number Registry.
Subnet Masks
Subnet Masks are probably the most confusing and misunderstood things about IP Addresses. I’m going to give a very high level look at Subnet Masks here.
I could probably do a whole blog just on Subnet Masks and if there were enough interest in it, I might be talked into it.
The Subnet Mask tells your computer what network it's attached to. It does this by comparing its own IP Address with the IP Address of the Host it wants to talk to and seeing if they are on the same subnet. How does it do that? This is where it gets REALLY confusing. You normally see subnet masks that look like this:
255.255.255.0
What this is actually saying is that any IP Address that has the same first 3 Quads is on the same network as me. WTF?!? How does that work?
A 255 means that the Quad must match EXACTLY, a 0 means that it does not have to match at all. A value in between (like the 240 and 224 below) means only some of the bits in that Quad have to match, which is why the binary view matters.
There are many more Subnet Masks that you may see, like:
· 255.255.255.240
· 255.255.224.0
· 255.255.0.0
Notice that the lower numbers are at the end of the mask. All masks must follow this format: in binary a mask is a run of 1s followed by a run of 0s, so the 255s come first, at most one Quad is something between 0 and 255, and everything after it is 0. 255.240.255.0 is NOT a valid mask and will wreak all kinds of havoc on your network.
OK, so I want to talk to my printer. My Computer's IP Address is 192.168.1.5 and my Printer's Address is 192.168.1.10. My Computer looks at both addresses and the Subnet Mask to decide if it can talk to the printer directly.
              1st Quad   2nd Quad   3rd Quad   4th Quad
PC            192        168        1          5
Printer       192        168        1          10
Subnet Mask   255        255        255        0
Result        Match      Match      Match      Doesn't matter
So, these devices are on the same Subnet.
Now let's see what happens with a Host that is NOT on my network. Let's look at www.google.com. One IP address for Google is 208.67.217.231. (They have many.)
              1st Quad   2nd Quad   3rd Quad   4th Quad
PC            192        168        1          5
Google        208        67         217        231
Subnet Mask   255        255        255        0
Result        No Match   No Match   No Match   Doesn't matter
So, this address is NOT on the same Subnet.
What happens when the IP Addresses are not on the same Subnet?
This is where the Gateway address comes in.
When your computer tries to contact a Host that is not on the same subnet, it sends the packet to the IP Address in the Default Gateway field (your Router) instead of trying to reach the Host directly.
Then the NAT Magic happens all over again.
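The subnet comparison from the two tables above, the mask-validity rule, the three private ranges, and the gateway decision, all in one short Python module. This is an added example and not code from the post or from Astaro. It does the comparison on the 32-bit numbers rather than Quad by Quad, so it also handles masks such as 255.255.255.240 that only match part of a Quad. The addresses it uses are the post's own; nothing here talks to the network.

```python
"""Subnet arithmetic behind the post's tables (added example, not Astaro code).

to_int / to_dotted convert between dotted quads and 32-bit numbers;
same_subnet is the comparison the tables do; is_valid_mask is the
"run of 1s then run of 0s" rule; is_private checks the three RFC 1918
ranges; next_hop decides between talking directly and using the gateway.
"""

PRIVATE_RANGES = (                     # the three private blocks listed in the post
    ("10.0.0.0", "255.0.0.0"),
    ("172.16.0.0", "255.240.0.0"),
    ("192.168.0.0", "255.255.0.0"),
)


def to_int(addr):
    """Dotted quad -> 32-bit integer; rejects anything but 4 octets of 0..255."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted quad: %r" % addr)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range in %r" % addr)
        value = (value << 8) | octet
    return value


def to_dotted(value):
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask):
    """A mask must be a run of 1 bits followed by a run of 0 bits (255.240.255.0 is not)."""
    inverted = ~to_int(mask) & 0xFFFFFFFF      # the 0-run becomes 2**k - 1 ...
    return inverted & (inverted + 1) == 0      # ... which shares no bits with 2**k


def prefix_length(mask):
    """Count the 1 bits: 255.255.255.0 -> 24, 255.255.255.240 -> 28."""
    if not is_valid_mask(mask):
        raise ValueError("invalid mask %r" % mask)
    return bin(to_int(mask)).count("1")


def same_subnet(addr_a, addr_b, mask):
    """The tables' comparison: AND both addresses with the mask and compare."""
    if not is_valid_mask(mask):
        raise ValueError("invalid mask %r" % mask)
    m = to_int(mask)
    return (to_int(addr_a) & m) == (to_int(addr_b) & m)


def network_info(addr, mask):
    """Network address, broadcast address, prefix length and usable host count."""
    if not is_valid_mask(mask):
        raise ValueError("invalid mask %r" % mask)
    m = to_int(mask)
    network = to_int(addr) & m
    broadcast = network | (~m & 0xFFFFFFFF)
    size = broadcast - network + 1
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "prefix": prefix_length(mask),
        # network and broadcast addresses are not assignable, except in the
        # tiny /31 and /32 cases where there is no broadcast address at all
        "usable_hosts": size - 2 if size > 2 else size,
    }


def is_private(addr):
    """True if addr falls in one of the three RFC 1918 ranges."""
    return any(same_subnet(addr, net, mask) for net, mask in PRIVATE_RANGES)


def next_hop(my_addr, mask, dest, gateway):
    """Where the packet goes first: straight to dest if local, else to the gateway."""
    return dest if same_subnet(my_addr, dest, mask) else gateway


if __name__ == "__main__":
    print("printer:", same_subnet("192.168.1.5", "192.168.1.10", "255.255.255.0"))
    print("google:", same_subnet("192.168.1.5", "208.67.217.231", "255.255.255.0"))
    print("astaro default net:", network_info("192.168.2.100", "255.255.255.0"))
    print("next hop for google:", next_hop("192.168.1.5", "255.255.255.0",
                                           "208.67.217.231", "192.168.1.1"))
```

With a 255.255.255.240 mask, 192.168.1.5 and 192.168.1.20 are on different subnets even though the first three Quads match, which is the case the Quad-by-Quad view of the tables cannot show.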
What if I want to access my computer from the internet or I want to run a Web/WHS Server?
The first problem you have is that your ISP probably issued you a DHCP address that will change occasionally and/or every time you reboot your Router/Modem. To deal with this, and to use a name instead of the IP Address, we will use DynDNS. Dynamic DNS is a service that gives your site a real name and updates it automatically any time your IP Address changes.
First, you will need to create a DynDNS account. Go to www.dyndns.org and create an account.
Click on “Host Services” and then “Add New Hostname”
Give a name that you want to use for your new host and select one of the DynDNS hostnames that are there for you to choose from.

Once you have a name and domain picked out, you can click the “Use auto detected IP address X.X.X.X” link, or just click on “Create Host”. Then you will need to log in to your Astaro firewall.
Go to Network / DNS then click on the DynDNS tab. Click on "New DynDNS . . . "
For the Hostname: field, use the full name that you created on the DynDNS website, i.e. myhost.dyndns.org, or whatever you chose.
You can leave the Assign: field to the default of “IP of Local Interface”
Set the Interface: to “External”
Type: should be “DynDNS”
Move down to Username: enter the Username you created for DynDNS.org
In the Password: field, enter the Password you used for DynDNS.org
Click “Save”.

Once you hit save, you will be back at the DynDNS status screen. You will see that there are 2 squares and one of them is RED. This means that the settings are not activated.
Click the RED square and it will turn GREEN. The Settings are now active.

Click the Double Arrow in the top right corner of the Astaro window. Make sure that the DynDNS status is: “The last update was successful.”
HINT: Never hit the Refresh button of your browser, that will log you out of the Astaro Management interface and you will need to Login again.
Congratulations! You have now set up your first DynDNS Domain Name! From your computer you should now be able to open a Command Prompt and Ping the full hostname you created (myhost.dyndns.org in the example above) and get a reply.

(Yes, I’m faking this result. That address is a private address that couldn’t be ping’d this way.)
That’s great! How do I setup a remote desktop session from the internet?
The first thing you need to do is figure out what the address of the computer you want to access from the Internet is. Go to that machine and open a Command Prompt.
From the Command Prompt window type: ipconfig
You're looking for the line that reads IPv4 Address. I actually have 2 addresses listed; the address I need in my case is 192.168.2.10, which is in the default range that the Astaro install created.

Now that you found the address that the Astaro Assigned, you need to make that permanent. You don’t want that address to change every time you reboot the computer and have to reconfigure the firewall.
You do that by creating a DHCP Mapping.
Log into your Astaro firewall and go to Network / DHCP, then click on "Lease Table". This is a list of all the IP Addresses that the Astaro gave out. Look up the IP Address you got from your Remote Desktop computer and note the MAC Address listed next to it.

Select the MAC address from the table and copy it with CTRL-C. Click on the "Static MAC/IP Mappings" tab.
On the DHCP Server: field, select Internal.
Paste the MAC address into the MAC Address field.
Enter the IP Address that you got from ipconfig, or any other valid address on the Internal network that you want this machine to get every time it is turned on.
Click “Save”.

You have now setup a Static DHCP mapping!
Why do it this way? Why not just give the PC a static address? Easy: to make management easier. If you set the addresses statically on all the PCs, when you want to change addresses you have to go to each PC and change them. This gives you a single place to change the addresses from. If you want to change the address of 1 or all of your machines, just go into the "Static Mappings" and change them there. The next time the machine reboots, or when its lease expires, it will get the new address.
Now that you have a Static IP Address, you can set up the incoming connection. You do that in the Network Security / NAT Menu. Click on the DNAT/SNAT tab. Click “New NAT Rule”.
In the Name: field, add some descriptive name for this rule. I just put RDP.
You can leave the Group: and Position: at their defaults.
Traffic Source is "Where will this connection come from?". If you will be accessing this connection from anywhere on the Internet, leave it at Any. Be aware that Any exposes the RDP login on that PC to every host on the Internet, so make sure the account you log in with has a strong password, and if you always connect from the same place, put that address here instead of Any.
For Traffic Service: click on the little folder to the right (That will let you select an existing service), the services will open in the left column. Find Microsoft Remote Desktop and Drag it from the column into the Traffic Service: field. (pretty cool huh?)
For Traffic Destination: click on the folder to the right and drag “External (WAN) (ADDRESS)” into the Traffic Destination: field.
The NAT mode: will stay DNAT (Destination)
In the Destination: field click on the GREEN Plus sign. (This lets you ADD a Destination)
Give the Destination a Name:
The Type: will stay “Host”
Enter the Address: that you set as STATIC in the previous step.
Leave the Interface: as <>
Click Save.
Click the “Automatic packet filter rule:” check box so there is a check mark in it.
Click Save.
You will now be back at the DNAT/SNAT Status screen.

Click on the RED Square to enable the rule.
Congratulations! You now have a fully configured DNAT rule that forwards RDP requests arriving at your DynDNS name to the computer you gave a static IP address!
You cannot test this configuration from inside your network, because the rule only applies to traffic arriving on the External interface. The next time you are outside and you want to access your computer, open Remote Desktop Connection and, for the address, use the DynDNS name you created at the beginning of this How-To!
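A quick way to check the rule from outside, as an added example that is not part of the post or of Astaro: resolve the DynDNS name and try a plain TCP connect to the RDP port. Success means the DNAT rule and its packet filter rule pass the traffic; it says nothing about whether RDP will accept your login. Run from inside the network, the same connect reaches the firewall's external address instead of being forwarded, which is the post's point about testing from elsewhere. myhost.dyndns.org is a placeholder for whatever name you created; the self-test at the bottom only talks to a listener on the local machine.

```python
"""Reachability check for a forwarded port (added example, not Astaro code).

check_port resolves a name and attempts a TCP connect. local_self_test
exercises it against a listener on 127.0.0.1 so the logic can be checked
without any Internet access. The hostname default is a placeholder.
"""
import socket
import sys

RDP_PORT = 3389   # the Microsoft Remote Desktop service chosen in the DNAT rule


def check_port(host, port, timeout=3.0):
    """Return (reachable, explanation) for a TCP connect to host:port."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, "DNS lookup for %s failed: %s" % (host, exc)
    ip = infos[0][4][0]
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True, "%s (%s) accepts TCP connections on port %d" % (host, ip, port)
    except socket.timeout:
        # No answer at all: dropped by a filter, or no DNAT rule for this port
        return False, "%s:%d timed out" % (ip, port)
    except OSError as exc:
        # Something answered but refused: the rule forwarded the packet and
        # nothing is listening, or the firewall actively rejects the port
        return False, "%s:%d refused: %s" % (ip, port, exc)


def local_self_test():
    """Exercise check_port against a listener on this machine (no Internet needed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    open_ok, _ = check_port("127.0.0.1", port)
    listener.close()                       # nothing listening any more
    closed_ok, _ = check_port("127.0.0.1", port)
    return open_ok, closed_ok


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "myhost.dyndns.org"
    reachable, detail = check_port(target, RDP_PORT)
    print(("OK: " if reachable else "FAIL: ") + detail)
```

Run it as `python check_rdp.py myhost.dyndns.org` from a machine outside your network. A timeout usually means the packet never made it through (no DNAT rule, or the "Automatic packet filter rule" box was left unchecked); a refusal means the firewall forwarded it but the PC is not listening, for example because Remote Desktop is not enabled on it.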
See you in Part 3!