Ok I'll see if I can answer all these questions.
Mikerowaved wrote:Fast forward to a while ago when they installed our very own 881W in the stake center. The Global Service folks initially provided a single block of 64 IP addresses, but later (per our request) added another block of 128. They also disconnected the Belkin router, saying there was no longer a need for it and they only wanted "authorized" equipment on the network.
This is true; at the GSC we would like it if there is only church-issued equipment. The reason for that is we only provide best effort support (AKA... power cycle) for 3rd party devices. The GSC is unable to provide support for computers on or behind such connections, and most troubleshooting would have to take place while directly connected to the firewall.
Most times it is not the STS calling the GSC for support; it is the end user/Family History patron, and we would like to give the best available support besides just saying "we don't support this device, call your STS and/or FM".
Mikerowaved wrote:The problem with this setup is, the two blocks of IP addresses are not contiguous and there is no way to control which block the DHCP server will assign any given PC. This makes it so only those PC's on the same subnet as the printer can access it, the other PC's in the very same room that were assigned IP addresses from the other IP pool are out of luck.
The 881-W is able to communicate between subnets. This should not be a problem as long as you have a network attached printer and it is configured correctly in the static range from the firewall's configuration. FM's are able to order a printer if there is a need stated from the Stake Pres.
Mikerowaved wrote:Yes, we considered assigning fixed IP addresses to every PC in the FHL, but by the time fixed IP addresses had been issued to PC's for 3 wards, a stake office, plus all the WAP's and a few printers, it didn't appear there would be enough to cover the FHL also.
We would urge you not to assign computers to static IP addresses for many reasons... 4 major ones are:
1. They are not always powered ON network attached devices.
2. Most times computers are configured incorrectly, such as putting a static IP into the dynamic network range.
3. It is harder to maintain a static network, especially if there is a network change.
4. Troubleshooting and/or finding IP address conflicts is not cost effective, and at the GSC the first line in TS is to set the computer back to dynamic.
Mikerowaved wrote:Besides, that still wouldn't cover FHL patrons that brought their own notebooks and connected via WiFi and wished to print.
If configured correctly you should be able to print using the 881-WiFi as long as the person is connected to LDS Access configured by the GSC.
If you use the 3rd party device it cuts this communication gateway.
Mikerowaved wrote:We've been going in circles on this and may be close to obtaining permission to put the Belkin router back in place the way it was.
You can have the Belkin router. The problem is that you will have to provide support for this network and make it known that you are the primary contact for support. Secondary would be the manufacturer. Then the GSC can be contacted if it is a problem with the firewall.
Mikerowaved wrote:Any other suggestions as to how to solve this? What do other FHL's do?
Most are using Church issued equipment and wireless connections. Some FHLs have a 3rd party device attached behind the firewall just for filtered internet connectivity (for events and so they don't have to share the wireless password); the only problem is that they are unable to print to a device that is not on that network.
Aczlan wrote:1. Get permission from the Stake President to request that the GSD either remove both blocks of addresses and assign a new /24 block (254 addresses) or drop the /26 block (64 addresses) depending on how many addresses you need - This IMO is the best plan as it makes everything go on the same block of addresses.
2. Ignore the GSD and put the Belkin back in
1. A single block of IP addresses is not an option for the 881-W as of right now. The default configuration is set for 64 (old) and 128 (current) IP addresses and the initial range can not be deleted. We can add more IP addresses to the device after it's activated.
2. Yes, you can put it back in, but you are the person that should provide support for it.
MerrillDL wrote:This is an unfortunate statement by the GSC. The overall design of the Meetinghouse Internet is to simplify the installation so anyone regardless of technical aptitude can install it. Stakes that have individuals with higher technical aptitude often question why the configurations are so limited and seemingly simple changes to the firewall are not allowed.
In spite of this, there is no restriction or policy for 881 installations that says you can not have a 'rogue' or '3rd Party' router. If a stake or ward installs a 3rd party wireless router, the only recommendation is avoid channel conflict and make sure the router's wifi is properly encrypted. The GSC cannot and will not support 3rd party devices on a MHI network.
Mostly true... The only point I will add is this... The direction for MHI is to be a simplified plug and pray network. From initial configuration to adding devices, it should be set to auto configure most connections (except devices requiring static info or webstats and such).
MerrillDL wrote:The Stake President should approve these installations and as a matter of courtesy, the router configuration parameters should be given to the STS.
My opinion is you are the best judge of a network design that works best for you. As long as you don't call the GSC about a 3rd party device, they don't care. They don't monitor what devices are connected to a Meetinghouse Network.
Mostly true again. Just remember, members that add 3rd party devices support them.
MerrillDL wrote:With the 881 which has been assigned a 2nd range of IP addresses, they cannot be removed. Additional IP zones can be added until 256 IP Addresses have been added beyond the original 64.
If you want to remove an IP range that was added after the original configuration, the GSC will have you do a 'cold reset' on the 881. You will go through the 881 Firewall installation/registration again. The IP Address assigned to the router after the cold reset will be different than what was previously assigned.
Some false and some true. The 881-W is configured with an initial range that can not be removed or added to. We can continue to add IP addresses to the device in 253 IP address blocks where 195 are usable as DHCP 3 additional times. If you want to change or remove an IP range you would have to do a "hard reset", contact the GSC and have your firewall removed from our database, and reactivate the 881-W.
Do not reset the firewall without contacting the GSC first.
**NOTICE** Your location should have the bandwidth to push this many connections. So more connections sharing a single outside connection decreases the overall connectivity for users. An example is that one person streaming a video can make the internet very slow and/or unavailable depending on timeouts and the like. The firewall is a first come first served device. It does not provide load balancing, nor does it tier/partition network connectivity. **NOTICE**
MerrillDL wrote:The GSC doesn't have the authority to tell you to remove the Belkin, only recommend. If the belkin works best for you, then put it back in and make sure the wireless channel is different than the 1041's.
True with the stipulation that it does not interfere with official church networking. The Channel and SSID must not be used if they will conflict with preexisting standards.
*** Note *** Don't name the wireless network for the 3rd party device LDS Access or other names reserved for church locations.
So in closing, this is a configuration for 881-W firewalls set up in a meetinghouse. This information does not cross over to ASA and PIX firewall locations. We would like to be able to help everyone that calls us for connectivity issues, but we only support church issued devices. Meetinghouses are able to procure such devices via their FM w/Stake Pres approval. I hope this information helps, and if you require more information feel free to contact me at the GSC - Connectivity department.