More IP addressing woes

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
User avatar
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

More IP addressing woes

#1

Post by Mikerowaved »

Our stake center hosts an "unofficial" Family History Library. This library used to have its own Belkin consumer router there, so all 15 or so FHL PC's were on their own 192.168.0.x subnet with access to a local printer. This router also provided wireless access for those wishing to bring in their own notebooks to search with. It was also helpful during a group training session for family search or indexing.

Fast forward to a while ago when they installed our very own 881W in the stake center. The Global Service folks initially provided a single block of 64 IP addresses, but later (per our request) added another block of 128. They also disconnected the Belkin router, saying there was no longer a need for it and they only wanted "authorized" equipment on the network.

The problem with this setup is, the two blocks of IP addresses are not contiguous and there is no way to control which block the DHCP server will assign any given PC. This makes it so only those PC's on the same subnet as the printer can access it, the other PC's in the very same room that were assigned IP addresses from the other IP pool are out of luck. Yes, we considered assigning fixed IP addresses to every PC in the FHL, but by the time fixed IP addresses had been issued to PC's for 3 wards, a stake office, plus all the WAP's and a few printers, it didn't appear there would be enough to cover the FHL also. Besides, that still wouldn't cover FHL patrons that brought their own notebooks and connected via WiFi and wished to print.

We've been going in circles on this and may be close to obtaining permission to put the Belkin router back in place the way it was.

Any other suggestions as to how to solve this? What do other FHL's do?
So we can better help you, please edit your Profile to include your general location.
Aczlan
Member
Posts: 358
Joined: Sun Jun 06, 2010 5:29 pm
Location: Upstate, NY, USA

#2

Post by Aczlan »

Mikerowaved wrote:The problem with this setup is, the two blocks of IP addresses are not contiguous and there is no way to control which block the DHCP server will assign any given PC. This makes it so only those PC's on the same subnet as the printer can access it, the other PC's in the very same room that were assigned IP addresses from the other IP pool are out of luck. Yes, we considered assigning fixed IP addresses to every PC in the FHL, but by the time fixed IP addresses had been issued to PC's for 3 wards, a stake office, plus all the WAP's and a few printers, it didn't appear there would be enough to cover the FHL also. Besides, that still wouldn't cover FHL patrons that brought their own notebooks and connected via WiFi and wished to print.
I see 2 options:
1. Get permission from the Stake President to request that the GSD either remove both blocks of addresses and assign a new /24 block (254 addresses) or drop the /26 block (64 addresses) depending on how many addresses you need - This IMO is the best plan as it makes everything go on the same block of addresses.
2. Ignore the GSD and put the Belkin back in

I prefer option 1, but #2 might be worth doing short term.

Aaron Z
russellhltn
Community Administrator
Posts: 34417
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#3

Post by russellhltn »

Mikerowaved wrote:The Global Service folks initially provided a single block of 64 IP addresses, but later (per our request) added another block of 128. They also disconnected the Belkin router, saying there was no longer a need for it and they only wanted "authorized" equipment on the network.

Just for clarification, how did "they" disconnect the router? Did GSD ask or was that FM group who "did"?
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
User avatar
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#4

Post by Mikerowaved »

RussellHltn wrote:Just for clarification, how did "they" disconnect the router? Did GSD ask or was that FM group who "did"?
Our FM group contracts with a local IT guy for many of the stakes in our area. He performed the 881W/WAP install and was the one who actually disconnected the router. Our FM group was able to explain to us why it was disconnected, so I think it was their call.
So we can better help you, please edit your Profile to include your general location.
MerrillDL
New Member
Posts: 37
Joined: Wed Sep 30, 2009 11:55 am
Location: Orem, UT - USA

#5

Post by MerrillDL »

Mikerowaved wrote:They also disconnected the Belkin router, saying there was no longer a need for it and they only wanted "authorized" equipment on the network.

This is an unfortunate statement by the GSC. The overall design of the Meetinghouse Internet is to simplify the installation so anyone regardless of technical aptitude can install it. Stakes that have individuals with higher technical aptitude often question why the configurations are so limited and seemingly simple changes to the firewall are not allowed.

In spite of this, there is no restriction or policy for 881 installations that says you can not have a 'rogue' or '3rd Party' router. If a stake or ward installs a 3rd party wireless router, the only recommendation is avoid channel conflict and make sure the router's wifi is properly encrypted. The GSC cannot and will not support 3rd party devices on a MHI network.

The Stake President should approve these installations and as a matter of courtesy, the router configuration parameters should be given to the STS.

My opinion is you are the best judge of a network design that works best for you. As long as don't call the GSC about a 3rd party device, they don't care. They don't monitor what devices are connected to a Meetinghouse Network.

With the 881 which has been assigned a 2nd range of IP addresses, they cannot be removed. Additional IP zones can be added until 256 IP Addresses have been added beyond the original 64.

If you want to remove a IP range that was added after the original configuration, the GSC will have you do a 'cold reset' on the 881. You will go through the 881 Firewall installation/registration again. The IP Address assigned to the router after the cold reset will be different than what was previously assigned.

The GSC doesn't have the authority to tell you to remove the Belkin, only recommend. If the belkin works best for you, then put it back in and make sure the wireless channel is different than the 1041's.
sammythesm
Member
Posts: 225
Joined: Tue Jan 05, 2010 2:50 pm
Location: Texas, United States
Contact:

#6

Post by sammythesm »

I'm going to advocate a different approach - contact the GSC and explain the issue of communicating between subnets.

There actually shouldn't be an issue communicating between the subnets, especially if you're trying to access a resource with a static IP. The router should know how to pass traffic between the subnets. So, to me, it sounds like a bug in the router config.

Raising the issue with the GSC helps the issue be resolved for the church in general and - as stated before in this forum - helps keep a more consistent network design throughout the church with fewer points of failure and unpredictability. This helps the GSC, the FM group, and especially whoever comes after you in the STS calling.
User avatar
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#7

Post by aebrown »

I had a similar issue in our FHC with two non-contiguous IP ranges. I had planned to give the printer a static IP but hadn't gotten to that yet, and when the printer was getting a dynamic IP, but the PCs in the FHC were getting IP addresses in the two different subnets, only the PCs that happened to get IP addresses in the same subnet as the printer could connect to the printer (using the printer's name). But when I gave the printer a static IP address, I found that all the PCs could connect to it just fine, even those PCs that got a dynamic IP on a different subnet from the one I had selected for the printer.
Questions that can benefit the larger community should be asked in a public forum, not a private message.
User avatar
Jonahhex
New Member
Posts: 17
Joined: Fri Jun 08, 2012 1:33 pm
Location: Salt Lake City

#8

Post by Jonahhex »

Ok I'll see if I can answer all these questions.
Mikerowaved wrote:Fast forward to a while ago when they installed our very own 881W in the stake center. The Global Service folks initially provided a single block of 64 IP addresses, but later (per our request) added another block of 128. They also disconnected the Belkin router, saying there was no longer a need for it and they only wanted "authorized" equipment on the network.
This is true the GSC we would like it if there is only church issued equipment. The reason for that is we only provide best effort support (AKA... power cycle) for 3rd party devices. The GSC is unable to provide support for computers on or behind such connections, and most troubleshooting would have to take place while directly connected to the firewall.

Most times it is not the STS calling the GSC for support it is the end user/Family History patron, and we would like to give the best available support besides just saying "we don't support this device call your STS and/or FM".
Mikerowaved wrote:The problem with this setup is, the two blocks of IP addresses are not contiguous and there is no way to control which block the DHCP server will assign any given PC. This makes it so only those PC's on the same subnet as the printer can access it, the other PC's in the very same room that were assigned IP addresses from the other IP pool are out of luck.
The 881-W is able to communicate between subnets. This should not be a problem as long as you have a network attached printer and it is configured correctly in the static range from the firewall's configuration. FM's are able to order a printer if there is a need stated from the Stake Pres.
Mikerowaved wrote:Yes, we considered assigning fixed IP addresses to every PC in the FHL, but by the time fixed IP addresses had been issued to PC's for 3 wards, a stake office, plus all the WAP's and a few printers, it didn't appear there would be enough to cover the FHL also.
We would urge you not to assign computers to static IP addresses for many reasons... 4 major ones are. 1. They are not always powered ON network attached devices. 2. Most times computers are configured incorrectly such as putting a static ip into the dynamic network range. 3. It is harder to maintain a static network especially if there is a network change. 4. Troubleshooting and/or finding IP address conflicts are not cost effective, and at the GSC first line in TS is to set the computer back to dynamic.
Mikerowaved wrote:Besides, that still wouldn't cover FHL patrons that brought their own notebooks and connected via WiFi and wished to print.
If configured correctly you should be able to print using the 881-WiFi as long as the person is connected to LDS Access configured by the GSC.

If you use the 3rd party device it cuts this communication gateway.
Mikerowaved wrote:We've been going in circles on this and may be close to obtaining permission to put the Belkin router back in place the way it was.
You can have the Belkin router. The problem is that you will have to provide support for this network and make it is known that you are the primary contact for support. Secondary would be the manufacture. Then the GSC can be contacted if it is a problem with the firewall.
Mikerowaved wrote:Any other suggestions as to how to solve this? What do other FHL's do?
Most are using Church issued equipment and wireless connections. Some FHL have a 3rd party device attached behind the firewall just for filtered internet connectivity (for events and so they don't have to share the wireless password) the only problem is that they are unable to print to a device that is not on that network.
Aczlan wrote:1. Get permission from the Stake President to request that the GSD either remove both blocks of addresses and assign a new /24 block (254 addresses) or drop the /26 block (64 addresses) depending on how many addresses you need - This IMO is the best plan as it makes everything go on the same block of addresses.
2. Ignore the GSD and put the Belkin back in
1. A single block of IP addresses is not an option for the 881-W as of right now. The default configuration is set for 64 (old) and 128 (current) IP addresses and the initial range can not be deleted. We can add more IP addresses to the device after its activated.
2. Yes, you can put it back in, but you are the person that should provide support for it.
MerrillDL wrote:This is an unfortunate statement by the GSC. The overall design of the Meetinghouse Internet is to simplify the installation so anyone regardless of technical aptitude can install it. Stakes that have individuals with higher technical aptitude often question why the configurations are so limited and seemingly simple changes to the firewall are not allowed.

In spite of this, there is no restriction or policy for 881 installations that says you can not have a 'rogue' or '3rd Party' router. If a stake or ward installs a 3rd party wireless router, the only recommendation is avoid channel conflict and make sure the router's wifi is properly encrypted. The GSC cannot and will not support 3rd party devices on a MHI network.
Mostly true... The only points I will add is this... The direction for MHI is to be a simplified plug and pray network. From initial configuration to adding devices and it should be set to auto configure most connections (except devices requiring static info or webstats and such).
MerrillDL wrote:The Stake President should approve these installations and as a matter of courtesy, the router configuration parameters should be given to the STS.

My opinion is you are the best judge of a network design that works best for you. As long as don't call the GSC about a 3rd party device, they don't care. They don't monitor what devices are connected to a Meetinghouse Network.
Mostly true again. Just remember members that add 3rd party devices support them.
MerrillDL wrote:With the 881 which has been assigned a 2nd range of IP addresses, they cannot be removed. Additional IP zones can be added until 256 IP Addresses have been added beyond the original 64.

If you want to remove a IP range that was added after the original configuration, the GSC will have you do a 'cold reset' on the 881. You will go through the 881 Firewall installation/registration again. The IP Address assigned to the router after the cold reset will be different than what was previously assigned.
Some false and some true. The 881-W is configured with an initial range that can not be removed or added to. We can continue to add IP addresses to the device in 253 IP address blocks where 195 are usable as DHCP 3 additional times. If you want to change or remove an IP range you would have to do a "hard reset" contact the GSC and have your firewall removed from our database and reactivate the 881-W. Do not reset the firewall without contacting the GSC first.

**NOTICE** Your location should have the bandwidth to push this many connections. So the more connections sharing a single outside connection decreases the overall connectivity for users. An example is if you have one person streaming a video can make the internet very slow and/or unavailable depending on timeouts and the like. The firewall is a first come first served device. It does not provide load balancing or does it tier/partition network connectivity **NOTICE**
MerrillDL wrote:The GSC doesn't have the authority to tell you to remove the Belkin, only recommend. If the belkin works best for you, then put it back in and make sure the wireless channel is different than the 1041's.
True with the stipulation that it does not interfere with official church networking. The Channel and SSID must not be used if they will conflict with preexisting standards. *** Note *** Don't name the wireless net work for the 3rd party device LDS Access or other names reserved for church locations.

So in closing this is a configuration for 881-W firewalls set up in a meetinghouse. This information does not crossover to ASA and PIX firewall locations. We would like to be able to help everyone that calls us for connectivity issues, but we only support church issued devices. Meetinghouses are able to procure such devices via their FM w/Stake Pres approval. I hope this information helps and if you require more information feel free to contact me at the GSC - Connectivity department.
Keeping the Church Communication Network working
Tim Johnson - GSC - Connectivity
User avatar
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#9

Post by aebrown »

jonahhex wrote:The direction for MHI is to be a simplified plug and pray network.

I'm not sure whether you:
  • Simply made a typo;
  • Allude to the old jokes about Microsoft's Plug and Play implementation that didn't always work as documented;
  • Imply that MHI requires a lot of faith
But in any case, prayer should be an important element of how we serve in our callings, so I'm glad you mentioned it!
Questions that can benefit the larger community should be asked in a public forum, not a private message.
danpass
Senior Member
Posts: 514
Joined: Wed Jan 24, 2007 5:38 pm
Location: Oregon City, OR
Contact:

#10

Post by danpass »

aebrown wrote:I'm not sure whether you:

  • Simply made a typo;
  • Allude to the old jokes about Microsoft's Plug and Play implementation that didn't always work as documented;
  • Imply that MHI requires a lot of faith

I too wondered whether it was a case of the first or second item on your list. Your third item had not occurred to me, perhaps because each of our deployments have gone so smoothly (one more to go, however).
Post Reply

Return to “Meetinghouse Internet”