Why won't these firewall rules work???

the merchant

I'm trying to publish a server to the web. I have 5 static public addresses from BT (UK, that's where my office is based)

The only problem I can see is that even though I've manually configured the router with a subnet of 255.255.255.248, the router status says that my subnet is 255.255.255.255. Would this be a BT or a Netgear problem?

Any ideas would be most welcome.

Router Status
WAN Mode: Single Port
WAN State: UP
NAT: Enabled
Connection Type: PPPoA
Connection State: Connected
IP Address: 217.**.**.16
Subnet Mask: 255.255.255.255
Gateway: 217.32.71.201
Primary DNS: 194.72.9.34
Secondary DNS: 194.72.9.38
MAC Address: 00:1b:2f:79:63:4c
Up Speed: 448 kbps
Down Speed: 7616 kbps
Multiplexing: VC-BASED
VPI: 0
VCI 38

This is from my welcome letter from BT......

"You’ve ordered a range of 5 or 13 public Static IP addresses.
Your full range contains 8 addresses (three of these addresses are reserved):

network address: 217.**.**.16
router/hub address: 217.**.**.22
subnet mask address: if you have 5 Static IP addresses: 255.255.255.248
if you have 13 Static IP addresses: 255.255.255.240
Your computers can use addresses from 217.**.**.17 to 217.**.**.21"

Spear

the merchant wrote: »

I'm trying to publish a server to the web. I have 5 static public addresses from BT (UK, that's where my office is based)

The only problem I can see is that even though I've manually configured the router with a subnet of 255.255.255.248, the router status says that my subnet is 255.255.255.255. Would this be a BT or a Netgear problem?

Any ideas would be most welcome.

Router Status
WAN Mode: Single Port
WAN State: UP
NAT: Enabled
Connection Type: PPPoA
Connection State: Connected
IP Address: 217.**.**.16
Subnet Mask: 255.255.255.255
Gateway: 217.32.71.201
Primary DNS: 194.72.9.34
Secondary DNS: 194.72.9.38
MAC Address: 00:1b:2f:79:63:4c
Up Speed: 448 kbps
Down Speed: 7616 kbps
Multiplexing: VC-BASED
VPI: 0
VCI 38

This is from my welcome letter from BT......

"You’ve ordered a range of 5 or 13 public Static IP addresses.
Your full range contains 8 addresses (three of these addresses are reserved):

network address: 217.**.**.16
router/hub address: 217.**.**.22
subnet mask address: if you have 5 Static IP addresses: 255.255.255.248
if you have 13 Static IP addresses: 255.255.255.240
Your computers can use addresses from 217.**.**.17 to 217.**.**.21"

You have .17 and .18 as the public addresses and traffic meant for these is being sent to your interal non-routable addresses of 192.168.2.1 and .2? Why aren't you setting your internal servers to the public IPs?

the merchant

Spear wrote: »

You have .17 and .18 as the public addresses and traffic meant for these is being sent to your interal non-routable addresses of 192.168.2.1 and .2? Why aren't you setting your internal servers to the public IPs?

Don't know to be honest, it's just how I normally do it. The 192.168.2.1 is a mail server and needs to be accessed from the LAN as well as the WAN.

Spear

the merchant wrote: »

Don't know to be honest, it's just how I normally do it. The 192.168.2.1 is a mail server and needs to be accessed from the LAN as well as the WAN.

As it stands now, it looks like that traffic meant for .17 and .18 is instead being sent to 2.1 and 2.2, without NAT in place, they're giving responses from their source addresses of 2.1 and 2.2 which are on private only address ranges, which the router won't send on to the net, and no other router will honour them either.

ntlbell

does the router support DNAT?

the merchant

ntlbell wrote: »

does the router support DNAT?

Not sure, it's one of these...

http://www.netgear.com/Products/VPNandSSL/WirelessVPNFirewallRouters/DGFV338.aspx?detail=Specifications

ntlbell

lets start from scratch.

Can you assign a machine with one of the external address using the correct subnet mask if unsure ring BT plug it into the router and see if you can get net access.

If the router supports DNAT you can DNAT (one to one nat) or pop in a second network card in the machine required and have one intnernal and one external address so it can be accessed from both

the router you have is pretty basic and not up to much from the looks of it.

the merchant

ntlbell wrote: »

lets start from scratch.

Can you assign a machine with one of the external address using the correct subnet mask if unsure ring BT plug it into the router and see if you can get net access.

If the router supports DNAT you can DNAT (one to one nat) or pop in a second network card in the machine required and have one intnernal and one external address so it can be accessed from both

the router you have is pretty basic and not up to much from the looks of it.

Thanks for the response, I'll call BT in the UK and see if they'll sort out the subnet issue. I'll be back later with an update.

FruitLover

You don't need to sort out the subnet mask issue. There is no issue. ADSL lines commonly get a /32 address from the provider when using PPPoE/A, but your full /29 will be routed to via your router's external IP. Set up DNAT on your router and you'll be able to publish these servers (you should ideally use a DMZ for this BTW)

Pininfarina

It's not an ISP issue. You're trying to use multi-NAT, i.e. map one public IP address to one private IP address. This will work fine on the Netgear box you have so long as you are on the latest router firmware and DSL firmware versions.