
New 192.168.x.x subnet option for MH firewalls

Posted: Thu Aug 21, 2014 3:30 am
by Mikerowaved
[Moderator Note: this post and those that follow it were in response to this post. Because this new discussion has nothing to do with the original topic, this discussion has been split into a new topic.]
rl_albright wrote:aebrown: what information does yours present? (I recently re-activated the firewall here and the new firewall settings change the IP range from a Class A network to a Class C network (from 10.*.*.* to 192.168.*.*)
Interesting. That's the first time I've seen that from a church firewall. Looks like they might have given up on trying to keep every PC and device church-wide on a unique 10.x.x.x address. (I don't blame them!)

Re: Firewall filtering out LDS.org

Posted: Thu Aug 21, 2014 8:44 am
by rl_albright
Mikerowaved wrote:
rl_albright wrote:aebrown: what information does yours present? (I recently re-activated the firewall here and the new firewall settings change the IP range from a Class A network to a Class C network (from 10.*.*.* to 192.168.*.*)
Interesting. That's the first time I've seen that from a church firewall. Looks like they might have given up on trying to keep every PC and device church-wide on a unique 10.x.x.x address. (I don't blame them!)
Well it will certainly make it a LOT easier to manage overall on both ends.
I get a user zone subnet with:
Static: 192.168.108.2 - 32 (31 total addresses)
DHCP: 192.168.108.33 - 192.168.111.254 (990 total addresses)

I get a Facility Zone with:
Static: 10.134.166.210 - 222 (13 total addresses)

The old configuration with buildings that needed a larger number of IP addresses, I had 2 different subnets under the user zones and if I had a printer on one zone, it could ONLY be printed by devices that were on that zone. (Very annoying for trying to manage a small family history room!!)

Re: Firewall filtering out LDS.org

Posted: Thu Aug 21, 2014 12:15 pm
by russellhltn
Mikerowaved wrote:Looks like they might have given up on trying to keep every PC and device church-wide on a unique 10.x.x.x address. (I don't blame them!)
Mostly. The information I have indicates that new activations will result in a 192.168.x.x for members (port 0 and 1), a 10.x.x.x for FM group devices (port 3), and if there is a FHC there will be another 10.x.x.x (port 2) for the FHC to use. I believe this is to allow the FH department to continue to support the Lexmark printers.

In a few weeks a tool will appear in tm that will allow us to upgrade our firewalls to the new system.

Re: Firewall filtering out LDS.org

Posted: Thu Aug 21, 2014 1:30 pm
by drepouille
This thread is mutating to a different subject.
  • What do you mean by "for members"?
  • Which port do I use for all my wireless access points?
  • Which port do I use for all my clerk computers?
  • What happens if some (but not all) my FHC computers use wireless adapters?
  • What happens if some (but not all) my clerk computers use wireless adapters?
  • Will I need different SSIDs and passwords for FHC, clerk, and member access?
  • Will I have to purchase a different switch for each port on the firewall?

Re: Firewall filtering out LDS.org

Posted: Thu Aug 21, 2014 1:49 pm
by russellhltn
Good questions. By "for members" I mean the usual things we've been attaching to the Internet: WAPs, clerk computers, etc.

I did see one person indicated that FM had attached their unit via wireless. I'm not sure how that works. Probably OK for a "phone home" system. Not so good if they expect to access it remotely.

And to some extent, yes, you would need a separate switch for each type. (Either that or a more expensive switch that allows you to assign ports into different LANs.)

I don't know, but I suspect there's no real downside to connecting "members" to the FHC side (other than they can't talk to the "member" side very well.) It's not a security issue. The problem was that the church was running out of 10.x.x.x IPs and needed to change tactics. The bulk of the users don't need unique 10.x.x.x IPs so they're getting switched to 192.168.x.x. If you could get enough addresses, you could make the whole building 10.x.x.x. (Like it is now.) But I'm just guessing.

Re: Firewall filtering out LDS.org

Posted: Thu Aug 21, 2014 6:27 pm
by Mikerowaved
russellhltn wrote:In a few weeks a tool will appear in tm that will allow us to upgrade our firewalls to the new system.
That would make it real nice to be able to do one building at a time at my own pace. Helps me remember where all those pesky static IP devices are hiding that need to be manually updated. :) Hummm... If this works, it might be the LAST time I have to fiddle with them. (Of course, I tell myself that every time I have to update them.)

Re: Firewall filtering out LDS.org

Posted: Thu Aug 21, 2014 6:30 pm
by russellhltn
Mikerowaved wrote:Helps me remember where all those pesky static IP devices are hiding that need to be manually updated.
In TM under "Internet Provider" there's a "notes" area. I record mine in there. Maybe not the perfect spot, but I like having them in TM.

Re: New 192.168.x.x subnet option for MH firewalls

Posted: Fri Aug 22, 2014 2:07 pm
by CleggGP
The Church is introducing a new Meetinghouse Firewall configuration that provides faster firewall data throughput, and creates a large DHCP address pool in the Public Network space. The configuration upgrade creates two network zones: Public Network (with 990 DHCP and 31 static addresses in the 192.168.x.x space) and Facilities Zone (with 13 static addresses for heating/cooling, sprinkler, alarm systems, etc. in the 10.x.x.x space).

Firewall ports are dedicated to network zones: Public Network (881W Ports 0 and 1) and Facilities Zone (881W Port 3). The second-to-last port (881W Port 2) is reserved for Special Purpose network (like a co-located Family History Center).

The firewall upgrade is performed by the Technology Manager (TM) tool. Initially only the Global Service Center can upgrade existing Meetinghouse Firewalls, but later Facilities Managers (FMs) and Stake Technology Specialists (STSs) will be granted permissions in the TM Tool to perform the upgrade.

Before performing the upgrade:
  1. FMs/STSs must ensure that network devices are connected to the correct firewall ports. For example: access points, clerk PCs, etc. should only be connected to the Public Network firewall ports (881W Ports 0 & 1). The Facilities Zone is not designed for USER traffic, so any USER-based devices must be connected to the Public Network ports.
  2. If the meetinghouse contains an official Family History, before doing the firewall upgrade you must contact the Global Service Center (+1 855-537-4357) for additional information.
  3. You must identify devices assigned static IP addresses in the building. Where the meetinghouse network addresses are changing, these devices will need to be assigned new addresses in the new IP address space.

This is an exciting change for Church meetinghouses. It will enable existing Meetinghouse Firewalls to perform better, and allow users to better connect to the meetinghouse network.
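
An added example, not part of any post in this thread and not a Church tool: a Python script that checks the address counts quoted earlier in the thread and plans post-upgrade addresses for static-IP devices (step 3 of the list above). The zone ranges are the ones rl_albright reported for one building; the device inventory, the helper names and the user/facility mapping are constructed assumptions.

```python
import ipaddress

# Ranges reported for one building in this thread; other buildings will differ.
ZONES = {
    "public-static":     ("192.168.108.2",  "192.168.108.32"),
    "public-dhcp":       ("192.168.108.33", "192.168.111.254"),
    "facilities-static": ("10.134.166.210", "10.134.166.222"),
}
# Assumption: the static pool each kind of device belongs in.
TARGET = {"user": "public-static", "facility": "facilities-static"}

def bounds(zone):
    first, last = ZONES[zone]
    return ipaddress.ip_address(first), ipaddress.ip_address(last)

def pool_size(zone):
    first, last = bounds(zone)
    return int(last) - int(first) + 1

def enclosing_network(first, last):
    """Smallest single CIDR block that contains both addresses."""
    net = ipaddress.ip_network(f"{first}/32")
    while ipaddress.ip_address(last) not in net:
        net = net.supernet()  # widen by one prefix bit at a time
    return net

def zone_of(addr):
    a = ipaddress.ip_address(addr)
    hits = [z for z in ZONES if bounds(z)[0] <= a <= bounds(z)[1]]
    return hits[0] if hits else None  # None: outside every listed range

def plan_static(devices):
    """Map device name -> address to use after the upgrade (None if pool is full)."""
    used = {ip for _, ip, kind in devices if zone_of(ip) == TARGET[kind]}
    plan = {}
    for name, ip, kind in devices:
        if zone_of(ip) == TARGET[kind]:
            plan[name] = ip  # already inside the right static range, keep it
            continue
        first = bounds(TARGET[kind])[0]
        free = (str(first + i) for i in range(pool_size(TARGET[kind])))
        plan[name] = next((c for c in free if c not in used), None)
        used.add(plan[name])  # adding None when the pool is full is harmless
    return plan

# Constructed inventory: device names and current addresses are made up.
INVENTORY = [("clerk-printer", "10.20.30.40", "user"), ("fhc-printer", "192.168.108.5", "user"),
             ("hvac-controller", "10.134.166.211", "facility"), ("alarm-panel", "192.168.109.17", "facility")]
```

The public static and DHCP ranges together fit one 192.168.108.0/22 block, which is why the 31 and 990 address counts quoted in the thread add up the way they do.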

Re: New 192.168.x.x subnet option for MH firewalls

Posted: Fri Aug 22, 2014 2:28 pm
by russellhltn
Welcome!
CleggGP wrote:Initially only the Global Service Center can upgrade existing Meetinghouse Firewalls, but later Facilities Managers (FMs) and Stake Technology Specialists (STSs) will be granted permissions in the TM Tool to perform the upgrade.
Any idea what time-frame that will be?

And when you say "Facilities Zone" that would NOT include a FM Employee who works in the building, correct? It's just for 'devices' under the control of FM?

And any suggestions for drepouille who may have issues separating his FHC network from the public network?

Re: New 192.168.x.x subnet option for MH firewalls

Posted: Fri Aug 22, 2014 3:16 pm
by CleggGP
We don't yet have the date of when FMs/STSs will be able to perform the upgrade. It will likely be within a few weeks, but we want to get more communication out first about the new MH firewall configuration.

russellhltn: The "Facilities Zone" is for MH network devices. Family History will define the type of meetinghouse FH centers to place in the Special Purpose Zone.