Am I missing something???

First off, I am not too impressed with Motorola’s documentation. We need more examples of configurations. The IP addressing section just explains the differences between A, B, and C Class subnets.
Enough venting, I am stepping off my soapbox, for now.

Question 1:
If I use non-routable addresses for my APs and SMs, how do I view them using an SNMP program? I am using SNMPc from Castle Rock.
You cannot ping the addresses, so how in the world is an SNMP program supposed to find them???

Question 2:
I set up an SM with NAT and DHCP server.
The DHCP server has the private NAT address of 192.168.1.1 /24. The first address it dishes out is 192.168.1.2, and so on. The PC attached to the SM gets the address 192.168.1.2 /24 correctly. That part works fine. I can route through the network and out to the Internet without a problem.
The problem is, if you bring up a web browser on that PC and type in 192.168.1.1, it brings you directly to the SM’s control panel screen.
Motorola tells me to use non-routable IPs for my APs and SMs for security reasons. And that works, you cannot get to the SM from anywhere other than using the LUID, when you are connected to the AP.
Yet, when you set up the DHCP server on the SM, there is this HUGE security hole. So I cannot access the SM directly from my PC on the management network. But my customers will be able to access their SM right from their computer. Did I set up something wrong, or is this a bug in the system?

afajvan,
Non-routable addresses are not routable on the Internet. This doesn’t mean they are non-routable on your internal network. Many large-scale corporations use non-routable addresses for addressing their entire internal networks.

Some ISPs use VLSM and utilize subnet mask changes so that each customer is on “their own” network.

You will need routers in your network to route the private traffic between your NMS and the SM. I would be curious to see/hear how many Canopy customers are using private “non-routable” addressing as well as SNMP for monitoring. I am sure there are quite a few.

There isn’t a bug in the system regarding DHCP, LUID, and the 192 subnet. You can set up DHCP so that you hand out addresses on a subnet other than the SM itself. Once that is done you could block traffic coming from the DHCP pool of addresses to the SM subnet. This would keep your customers from being able to access the SM.
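
The reply above, modelled as an added example that is not part of the original posts: it checks whether a customer PC can still reach the SM under three addressing plans. The `192.168.2.0/24` pool, the rule tuples and the function names are constructed for illustration and are not Canopy or Cisco syntax; the model assumes a destination in the client's own subnet is never seen by a routed filter.

```python
import ipaddress as ip

def first_match(rules, src, dst, default="permit"):
    """Ordered filter list, first matching rule wins (generic model, not vendor syntax)."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ip.ip_network(src_net) and d in ip.ip_network(dst_net):
            return action
    return default

def reachable_mgmt(client, client_net, mgmt_addrs, rules):
    """Management addresses a customer host can still reach.

    Assumption: a destination inside the client's own subnet is on-link,
    so no routed filter sits between the two and the rules never apply.
    """
    net = ip.ip_network(client_net)
    hits = []
    for addr in mgmt_addrs:
        on_link = ip.ip_address(addr) in net
        if on_link or first_match(rules, client, addr) == "permit":
            hits.append(addr)
    return hits

SM_MGMT = ["192.168.1.1"]      # SM address from the thread
NEW_POOL = "192.168.2.0/24"    # constructed: a DHCP pool on a different subnet
BLOCK = [("deny", NEW_POOL, "192.168.1.0/24")]  # pool -> SM subnet

def scenarios():
    same_net_deny = [("deny", "192.168.1.0/24", "192.168.1.0/24")]
    return {
        # As posted: pool and SM share 192.168.1.0/24, no filter.
        "as_posted": reachable_mgmt("192.168.1.2", "192.168.1.0/24", SM_MGMT, []),
        # Filter added but pool not moved: the SM is still on-link.
        "filter_only": reachable_mgmt("192.168.1.2", "192.168.1.0/24",
                                      SM_MGMT, same_net_deny),
        # Pool moved to its own subnet and filtered, as the reply suggests.
        "moved_and_filtered": reachable_mgmt("192.168.2.2", NEW_POOL, SM_MGMT, BLOCK),
        # Internet-bound traffic (documentation address) is unaffected.
        "internet": first_match(BLOCK, "192.168.2.2", "203.0.113.10"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

The `filter_only` case shows why the pool has to move first: a deny rule alone changes nothing while the customer PC and the SM share a subnet.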

Ok, I think I got it now, non-routable addresses are what we on the East Coast call Private addresses :lol:
I plan on using all private addresses. I am planning to have a firewall on our E3 connection coming into our NOC. Most of my customers will be residential, so they will only need to be able to get web browsers going, and email ports opened. I am going to shut everything else down using ACLs on the Cisco switches and routers.
I set up a switch and a router. The router is connected to my firewall.
Everything on the switch is on the 10.10.0.0/16 network. I know, 64K addresses. This is a lab environment.
The AP is 10.10.1.1, gateway 10.10.0.1, the router.
The SM RF interface is 10.10.2.10 interface enabled
The NAT public interface is 10.10.4.10
The NAT private interface is 192.168.1.1/24
DHCP server is enabled
The CPE connected to the SM grabs 192.168.1.2/24
Everything works. I can get out to the internet fine.
SNMPc sees the AP and the RF interface address.
I cannot ping 10.10.4.10, the NAT public interface. Did I do something wrong, or is that the way it works?
Is there a better way to address these devices, or will this work fine?
Alan

Are you pinging the SM from a system that is on the same network as what you set your public IP to? Sounds like you're not. Anyway, you might want to use the RF public interface for your management purposes and not the NAT public address. As for customers reaching your SM, you can just assign a strong password to the unit so they could not access it.