New 192.168.x.x subnet option for MH firewalls

Mikerowaved
Community Moderators
Posts: 3131
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

New 192.168.x.x subnet option for MH firewalls

Postby Mikerowaved » Thu Aug 21, 2014 2:30 am

[Moderator Note: this post and those that follow it were in response to this post. Because this new discussion has nothing to do with the original topic, this discussion has been split into a new topic.]

rl_albright wrote:aebrown: what information does yours present? (I recently re-activated the firewall here and the new firewall settings change the IP range from a Class A network to a Class C network (from 10.*.*.* to 192.168.*.*)

Interesting. That's the first time I've seen that from a church firewall. Looks like they might have given up on trying to keep every PC and device church-wide on a unique 10.x.x.x address. (I don't blame them!)
Last edited by aebrown on Thu Aug 21, 2014 1:04 pm, edited 1 time in total.
Reason: Add moderator note
So we can better help you, please edit your Profile to include your general location.

rl_albright
Member
Posts: 53
Joined: Sun Apr 28, 2013 10:54 pm
Location: Lakewood, WA

Re: Firewall filtering out LDS.org

Postby rl_albright » Thu Aug 21, 2014 7:44 am

Mikerowaved wrote:
rl_albright wrote:aebrown: what information does yours present? (I recently re-activated the firewall here and the new firewall settings change the IP range from a Class A network to a Class C network (from 10.*.*.* to 192.168.*.*)

Interesting. That's the first time I've seen that from a church firewall. Looks like they might have given up on trying to keep every PC and device church-wide on a unique 10.x.x.x address. (I don't blame them!)


Well it will certainly make it a LOT easier to manage overall on both ends.
I get a user zone subnet with:
Static: 192.168.108.2 - 32 (31 total addresses)
DHCP: 192.168.108.33 - 192.168.111.254 (990 total addresses)

I get a Facility Zone with:
Static: 10.134.166.210 - 222 (13 total addresses)

The old configuration with buildings that needed a larger number of IP addresses, I had 2 different subnets under the user zones and if I had a printer on one zone, it could ONLY be printed by devices that were on that zone. (Very annoying for trying to manage a small family history room!!)

russellhltn
Community Administrator
Posts: 20734
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall filtering out LDS.org

Postby russellhltn » Thu Aug 21, 2014 11:15 am

Mikerowaved wrote:Looks like they might have given up on trying to keep every PC and device church-wide on a unique 10.x.x.x address. (I don't blame them!)

Mostly. The information I have indicates that new activations will result in a 192.168.x.x for members (port 0 and 1), a 10.x.x.x for FM group devices (port 3), and if there is a FHC there will be another 10.x.x.x (port 2) for the FHC to use. I believe this is to allow the FH department to continue to support the Lexmark printers.

In a few weeks a tool will appear in tm that will allow us to upgrade our firewalls to the new system.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

drepouille
Senior Member
Posts: 1227
Joined: Sun Jul 01, 2007 5:06 pm
Location: Plattsmouth, NE

Re: Firewall filtering out LDS.org

Postby drepouille » Thu Aug 21, 2014 12:30 pm

This thread is mutating to a different subject.

  • What do you mean by "for members"?
  • Which port do I use for all my wireless access points?
  • Which port do I use for all my clerk computers?
  • What happens if some (but not all) of my FHC computers use wireless adapters?
  • What happens if some (but not all) of my clerk computers use wireless adapters?
  • Will I need different SSIDs and passwords for FHC, clerk, and member access?
  • Will I have to purchase a different switch for each port on the firewall?
Dana Repouille, Plattsmouth, Nebraska

russellhltn
Community Administrator
Posts: 20734
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall filtering out LDS.org

Postby russellhltn » Thu Aug 21, 2014 12:49 pm

Good questions. By "for members" I mean the usual things we've been attaching to the Internet: WAPs, clerk computers, etc.

I did see one person indicate that FM had attached their unit via wireless. I'm not sure how that works. Probably OK for a "phone home" system. Not so good if they expect to access it remotely.

And to some extent, yes, you would need a separate switch for each type. (Either that or a more expensive switch that allows you to assign ports into different LANs.)

I don't know, but I suspect there's no real downside to connecting "members" to the FHC side (other than they can't talk to the "member" side very well.) It's not a security issue. The problem was that the church was running out of 10.x.x.x IPs and needed to change tactics. The bulk of the users don't need unique 10.x.x.x IPs so they're getting switched to 192.168.x.x. If you could get enough addresses, you could make the whole building 10.x.x.x. (Like it is now.) But I'm just guessing.

Mikerowaved
Community Moderators
Posts: 3131
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Firewall filtering out LDS.org

Postby Mikerowaved » Thu Aug 21, 2014 5:27 pm

russellhltn wrote:In a few weeks a tool will appear in tm that will allow us to upgrade our firewalls to the new system.

That would make it real nice to be able to do one building at a time at my own pace. Helps me remember where all those pesky static IP devices are hiding that need to be manually updated. :) Hummm... If this works, it might be the LAST time I have to fiddle with them. (Of course, I tell myself that every time I have to update them.)

russellhltn
Community Administrator
Posts: 20734
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall filtering out LDS.org

Postby russellhltn » Thu Aug 21, 2014 5:30 pm

Mikerowaved wrote:Helps me remember where all those pesky static IP devices are hiding that need to be manually updated.


In TM under "Internet Provider" there's a "notes" area. I record mine in there. Maybe not the perfect spot, but I like having them in TM.

CleggGP
Church Employee
Posts: 98
Joined: Mon Jul 28, 2014 12:55 pm

Re: New 192.168.x.x subnet option for MH firewalls

Postby CleggGP » Fri Aug 22, 2014 1:07 pm

The Church is introducing a new Meetinghouse Firewall configuration that provides faster firewall data throughput, and creates a large DHCP address pool in the Public Network space. The configuration upgrade creates two network zones: Public Network (with 990 DHCP and 31 static addresses in the 192.168.x.x space) and Facilities Zone (with 13 static addresses for heating/cooling, sprinkler, alarm systems, etc. in the 10.x.x.x space).

Firewall ports are dedicated to network zones: Public Network (881W Ports 0 and 1) and Facilities Zone (881W Port 3). The second-to-last port (881W Port 2) is reserved for Special Purpose network (like a co-located Family History Center).

The firewall upgrade is performed by the Technology Manager (TM) tool. Initially only the Global Service Center can upgrade existing Meetinghouse Firewalls, but later Facilities Managers (FMs) and Stake Technology Specialists (STSs) will be granted permissions in the TM Tool to perform the upgrade.

Before performing the upgrade:

    1. FMs/STSs must ensure that network devices are connected to the correct firewall ports. For example: access points, clerk PCs, etc. should only be connected to the Public Network firewall ports (881W Ports 0 & 1). The Facilities Zone is not designed for USER traffic, so any USER-based devices must be connected to the Public Network ports.

    2. If the meetinghouse contains an official Family History, before doing the firewall upgrade you must contact the Global Service Center (+1 855-537-4357) for additional information.

    3. You must identify devices assigned static IP addresses in the building. Where the meetinghouse network addresses are changing, these devices will need to be assigned new addresses in the new IP address space.

This is an exciting change for Church meetinghouses. It will enable existing Meetinghouse Firewalls to perform better, and allow users to better connect to the meetinghouse network.
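An added example, not part of the original post or any Church tool: a pre-upgrade audit for step 3 that checks a static-IP inventory against the new zones. The zone ranges are the ones rl_albright reported for one building earlier in this thread; the device names and addresses in the inventory are constructed.

```python
import ipaddress

def span(first, last):
    """Inclusive address range as a pair of integers."""
    return (int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last)))

# Ranges reported for one building in this thread; substitute your own.
ZONES = {
    "public-static": span("192.168.108.2", "192.168.108.32"),
    "public-dhcp": span("192.168.108.33", "192.168.111.254"),
    "facilities-static": span("10.134.166.210", "10.134.166.222"),
}

def pool_size(zone):
    first, last = ZONES[zone]
    return last - first + 1

def zone_of(addr):
    value = int(ipaddress.ip_address(addr))
    for zone, (first, last) in ZONES.items():
        if first <= value <= last:
            return zone
    return None  # not in any range of the new configuration

def audit(devices):
    """devices: (name, kind, static_ip) tuples; kind is 'user' or 'facility'."""
    findings, seen = [], {}
    for name, kind, addr in devices:
        zone = zone_of(addr)
        want = "facilities-static" if kind == "facility" else "public-static"
        if addr in seen:
            findings.append((name, f"duplicate of {seen[addr]}"))
        elif zone is None:
            findings.append((name, f"outside new address space, move to {want}"))
        elif zone == "public-dhcp":
            findings.append((name, "static address inside DHCP pool, conflict risk"))
        elif zone != want:
            findings.append((name, f"{kind} device in {zone}, move to {want}"))
        seen.setdefault(addr, name)
    return findings

# Constructed inventory (hypothetical device names and addresses).
INVENTORY = [
    ("clerk-printer", "user", "192.168.108.10"),
    ("library-printer", "user", "10.134.20.15"),
    ("hvac-controller", "facility", "10.134.166.211"),
    ("alarm-panel", "facility", "192.168.108.12"),
    ("old-ap", "user", "192.168.109.40"),
]

if __name__ == "__main__":
    for name, problem in audit(INVENTORY):
        print(f"{name}: {problem}")
```

The pool sizes computed from those ranges match the counts quoted in the thread (31 static, 990 DHCP, 13 facilities).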

russellhltn
Community Administrator
Posts: 20734
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: New 192.168.x.x subnet option for MH firewalls

Postby russellhltn » Fri Aug 22, 2014 1:28 pm

Welcome!

CleggGP wrote:Initially only the Global Service Center can upgrade existing Meetinghouse Firewalls, but later Facilities Managers (FMs) and Stake Technology Specialists (STSs) will be granted permissions in the TM Tool to perform the upgrade.


Any idea what time-frame that will be?

And when you say "Facilities Zone" that would NOT include a FM Employee who works in the building, correct? It's just for 'devices' under the control of FM?

And any suggestions for drepouille who may have issues separating his FHC network from the public network?

CleggGP
Church Employee
Posts: 98
Joined: Mon Jul 28, 2014 12:55 pm

Re: New 192.168.x.x subnet option for MH firewalls

Postby CleggGP » Fri Aug 22, 2014 2:16 pm

We don't yet have the date of when FMs/STSs will be able to perform the upgrade. It will likely be within a few weeks, but we want to get more communication out first about the new MH firewall configuration.

russellhltn: The "Facilities Zone" is for MH network devices. Family History will define the type of meetinghouse FH centers to place in the Special Purpose Zone.

