Meetinghouse Firewall Upgrade Available to FMs/STSs

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
xenserve
New Member
Posts: 4
Joined: Fri May 30, 2014 4:11 pm
Location: Canada

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#71

Post by xenserve »

Biggles wrote:I'm not familiar with the 891f (not practical at the moment to research unit), but does it have the same number of ports on the back?

If it does, I imagine that the configuration is the same.

It has double the LAN ports compared to the 881, and some additional ports as well. I'll check the ports page to check what the loadout shows.

Thanks for the suggestion from russellhltn.


Now I just wish it would check in to manage it by the TM website.

Mike
tlhackett
Church Employee
Posts: 69
Joined: Mon Dec 23, 2013 1:54 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#72

Post by tlhackett »

You can use the following picture to know what each port is used for on each firewall. It is in no way a professional image, but it serves its purpose.
firewallports.png
tlhackett
Church Employee
Posts: 69
Joined: Mon Dec 23, 2013 1:54 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#73

Post by tlhackett »

aclawson wrote:
Biggles wrote:
aclawson wrote:
class-map access-match
match access-group 1
exit
policy-map police-setting
class access-match
police 8000 1000 1000 conform-action transmit exceed-action set-qos-transmit 1
violate-action drop
exit
exit
service-policy output police-setting
Explanation! Please!
This is the code that can be used to throttle the bandwidth by classification of connection: the powers that be can limit connection by declaring, for example, that machines with static IP addresses get first priority to the bandwidth. So far however there have been other goals that are more important so this possibility goes to the back burner.
I hope you are just trying to be helpful and suggesting a change to be made by posting it here and hoping those in control see it. Unauthorized access to our firewalls is considered criminal activity and is punishable by law. The only ones authorized to make configuration changes are church engineers and, to a degree, the global service center.
CleggGP
Church Employee
Posts: 118
Joined: Mon Jul 28, 2014 1:55 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#74

Post by CleggGP »

russellhltn wrote:
xenserve wrote:I have 1 891f in the stake, all the rest are 881's so I'd like to confirm the port config please?
Port 7 will be the Facilities Zone.
If a Special Purpose Zone is created on the C891F firewall for a Family History Center, it will be assigned to Port 6. The rest of the ports 0-5 are available for the Public Network.
rolandc
Member
Posts: 257
Joined: Tue May 15, 2012 8:20 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#75

Post by rolandc »

yarrgh wrote:
I hope you are just trying to be helpful and suggesting a change to be made by posting it here and hoping those in control see it. Unauthorized access to our firewalls is considered criminal activity and is punishable by law. The only ones authorized to make configuration changes are church engineers and, to a degree, the global service center.

Ouch!
Roland
miken2av
New Member
Posts: 32
Joined: Wed Jul 20, 2011 10:30 am
Location: Birmingham, AL USA

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#76

Post by miken2av »

I have completed our Stake Routers upgrade. Wanted to post some of my experience here.

We have 9 buildings. 11 wards/branches. 881 routers. All buildings have FHC.

Since all our buildings have FHC and I also had new Clerk computers to distribute I bit the bullet and did the whole stake over a 5-day period. Most of it was pretty easy thanks to reading comments here and the documentation (email) I received before I started. I calculated all additional materials I would need and our FM group was happy to provide the additional switches and cables.

Ran into only 3 issues that were stumbling blocks:

1) Called in to Support to start one of the upgrades and gave them the unit number. Explained that we had a FHC in that building so needed that zone set up. That person couldn't do it and passed it on to someone else. Something got lost in translation because, after no change for about 30 minutes, I called back. Turns out instead of upgrading the building where I was they upgraded my Stake Center. I wasn't at the Stake Center or ready to do that building. Support said it could not be undone so I just had to deal with it.

2) Turns out one of my buildings with a cable modem has a static IP on the router/cable modem. When they did the upgrade we lost connectivity. FM group had set that up so I didn't have the IP info or even know about it. Once I figured out what the issue was I was able to call the ISP and get the IP info. Global Support does not keep a record of that info so they couldn't help at all.

3) After I completed all our buildings I got a call from our FM guy saying he couldn't access any of his stuff we had moved to port 3. :::sigh::: We are now two weeks out from when we upgraded this and he told me he has been instructed to move all his HVAC devices to port 0 or 1 and there is no fix for getting his stuff to work on port 3. (Interested if anyone else has had this issue and why this is. I think we did everything the way we were supposed to.)

Anyway, everything seems like it is working fine. Maybe faster. Our only lingering issue is now moving all the stuff we put on port 3 to port 0 or 1 (unless someone knows something else to try).

Thanks for all the good information in this thread.
russellhltn
Community Administrator
Posts: 34419
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#77

Post by russellhltn »

miken2av wrote:explained that we had a FHC in that building so needed that zone set up. That person couldn't do it and passed it on to someone else.
That was my experience as well. If that someone isn't immediately available, then that can set back your plans. I would not count on being able to do it right then and there. (Although it may well happen that way.)

miken2av wrote:Turns out one of my buildings with a cable modem has a static IP on the router/cable modem. When they did the upgrade we lost connectivity. FM group had set that up so I didn't have the IP info or even know about it. Once I figured out what the issue was I was able to call the ISP and get the IP info. Global Support does not keep a record of that info so they couldn't help at all.
You can record that information in TM.

miken2av wrote:After I completed all our buildings I got a call from our FM guy saying he couldn't access any of his stuff we had moved to port 3. :::sigh::: We are now two weeks out from when we upgraded this and he told me he has been instructed to move all his HVAC devices to port 0 or 1 and there is no fix for getting his stuff to work on port 3. (Interested if anyone else has had this issue and why this is. I think we did everything the way we were supposed to.)

Anyway, everything seems like it is working fine. Maybe faster. Our only lingering issue is now moving all the stuff we put on port 3 to port 0 or 1 (unless someone knows something else to try).
If it was on port 3 before, the address range of port 3 shouldn't change with the upgrade. But if it does, you'll no longer be able to access them.

I doubt if FM will be able to access anything on Port 0 or 1 unless they are in the building - that's because that range is the same for every building - there's no way for someone outside to specify an IP and get routed to the right building. If it wasn't on port 3 before, or if the port 3 range got changed, then they'll have to be reconfigured. Note that there is no DHCP on port 3 - all devices have to have a static IP in the range shown by TM.

On the other hand, if the devices need to "call home" then they may need to be on Port 0 or 1 since I don't think the Port 3 zone will have Internet access. However, if they're on Port 0/1, then anyone in the building can access those devices via the network - including via WiFi.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
ksteurer
New Member
Posts: 29
Joined: Sat Jul 06, 2013 8:11 pm

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#78

Post by ksteurer »

miken2av wrote:Since all our buildings have FHC and I also had new Clerk computers to distribute I bit the bullet and did the whole stake over a 5-day period.
Do you have a day job? How did you find the time to do all that in 5 days? I have come to the conclusion that it will take me in my stake a long time to get all this done.


::FYI: I have no computer background, but I am trying to magnify my STS calling regardless::

I am trying to keep this constructive and looking for real help, so I apologize if it sounds like complaining. I have read over all the instructions, and we have a complicated stake. We are very spread out for a stake. Most of the buildings in the stake are between an hour and 2 hours drive each way from where I live. All but 2 buildings have FHCs.

We tried doing the upgrade on the closest building last week for starters and ran into a big snag that wasn't anticipated or described in the instructions. The FHC there has all devices in a switch with a single Ethernet cable running back to the mechanical room. So far so good. The Ethernet cable from that goes into a wall. In the mechanical room with the firewall, there were 11 Ethernet cables plugged into a switch, and one line from the switch to port 0 on the firewall. None of the Ethernet cables are labeled so no one has a clue as to what is FHC, what is access points, what is clerk computers, what is building facility data, etc. I talked to FM and they said they don't have the budget to have someone label all the data lines in the stake. So is this on the stake to do this?

I am thinking it will take a long time to get all this done in my spare time on weekends to visit each building, trace all the Ethernet, get things in a proper zone, and hope the upgrade actually works without knocking out connectivity and causing a riot on Sunday when the iPhones won't connect. GSC said if the wrong lines are in the wrong port, there may be no connectivity, especially for FHCs.

GSC said I can update a firewall from my computer at home, but there is a lot of work to do in the buildings before we can run the upgrade, and I will need to visit the buildings as part of the upgrade to reset all the IP addresses.

Can someone offer a step by step on how they successfully did this in their stake?

Can I hire a data wiring contractor or network specialist to do some of this w/ my STS budget? Seems like much less complicated things required to keep the buildings running are done with hired contractors (lawns mowed, furnaces cleaned, gym floor refinished).

Thanks for input on all these questions~
russellhltn
Community Administrator
Posts: 34419
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#79

Post by russellhltn »

ksteurer wrote::FYI: I have no computer background, but I am trying to magnify my STS calling regardless::
Well, that's a shame. While it's not stated explicitly in the Handbook, I'd think the STS is supposed to be someone with respectable technical skills, even if they are not experts at every aspect of their job. Mostly because the job seems to be "hands on" rather than overseeing others.
ksteurer wrote:None of the Ethernet cables are labeled so no one has a clue as to what is FHC, what is access points, what is clerk computers, what is building facility data, etc.
Oh, fun.

There are a few tricks that can help. First, it's really not necessary to identify every line (although I have). In this case, you have 2, maybe three classes of devices: "VPN" (the FHC zone), FM (for FM's devices - if any), and everything else (AP, computers, wall jacks, etc.) While it's nice to know exactly each wire, for the purpose of the upgrade, you only need to identify what class it belongs in.

Anytime there is a "live" device, the link light on both that device and the switch will be on. Unplug it, and both lights will go out. So here's what I'd do: Go to the switch by the firewall. Take careful note of which link lights are on. Go to the FHC. If the switch is on, turn it off. If it was off, turn it on. Go back to the firewall and see which port has changed status. That's your FHC cable. Label it and plug it into the second to last port. (Port 2 for the 881W).

The next part depends on how nice you want to be with the FM group. You could tell them that you're going to upgrade the firewall and they'll have to figure out which cables are the ones for their devices. (And if there's more than one, install a second switch.) Either way, all the "public" stuff and the FHC stuff should work after the upgrade.

Or, you could try to locate as many other cables by the same technique. Unplug things, turn them on/off and see what ports light up or go dark. I think it takes me about an hour and a half for a building. Just one thing to keep in mind: If a computer has power, even if it seems to be off, it will usually establish a link. So you may need to unplug the computer to see which line that one uses. Do take note what color the cables are. They may all be the same, or they might be different. Everything helps to narrow down what's what.

APs are likely to either use a power brick or the port on the switch will have an extra light indicating "POE" - that the switch is powering the device on the other end. That will help narrow down the options.
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Meetinghouse Firewall Upgrade Available to FMs/STSs

#80

Post by Mikerowaved »

russellhltn wrote:Anytime there is a "live" device, the link light on both that device and the switch will be on. Unplug it, and both lights will go out. So here's what I'd do: Go to the switch by the firewall. Take careful note of which link lights are on. Go to the FHC. If the switch is on, turn it off. If it was off, turn it on. Go back to the firewall and see which port has changed status. That's your FHC cable. Label it and plug it into the second to last port. (Port 2 for the 881W).
This part is far easier with a companion, especially if you choose to label as many wires as possible. (This would be my choice.) Your companion can wander the building with a notebook PC and a short Ethernet cable and plug into each jack that's empty, or unplug a device that's already there, and tell you via cell phone what location he's at. You can watch the lights go on (or off) and label that wire accordingly. It actually goes pretty fast, IF you have some idea where all the jacks are located.

Having every wire labeled has been invaluable for me during stake conference webcasts. There are times that I've had to bypass the firewall for the conference, so I needed to know the single jack in the cultural hall I would do this with. Without labels, I'd be lost.