Firewall Upgrade Feedback

autryld
New Member
Posts: 25
Joined: Sat Feb 25, 2012 11:23 am
Location: St. Louis, MO Stake

Firewall Upgrade Feedback

#1

Post by autryld »

I was surprised that our FM group didn't know anything about the firewall upgrade. Once I started working with them, however, they initiated the necessary work orders to install additional cabling and switches in the buildings where required. Another point of confusion was which port to put the FM desktop systems and printers on. The upgrade announcement and instructions provided no guidance for how to connect FM groups co-located with ecclesiastic units. Due to the vague wording, the FM group thought it was port 3 along with their HVAC and other devices. Initially I thought the same thing, but that port is static only. After the upgrade, I contacted the Global Service Center for advice. They stated that the FM group can connect to either Port 0, 1 or 2. (I'm not sure why it's not solely port 2 since that would connect them with the CHQ LAN (?).) Regardless, they are off of port 3 now and all is well.

By the way...
It's very good that we finally have enough addresses for all the devices present in the building. However, I do hope that usage doesn't go up as a result since our bandwidth is barely sufficient to support the uplink for a webcast even with WiFi disabled. I'm going to request an increase to the next bandwidth tier to see if our video image improves at the ward meetinghouses. I'm also happy that I can now disable WiFi from the TM interface. It saves my knees from climbing up all six of our access points to disconnect and later connect WiFi.

Thanks,
Larry Autry
russellhltn
Community Administrator
Posts: 34418
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall Upgrade Feedback

#2

Post by russellhltn »

Port 0 and 1 would be "public". Port 2 is the VPN. Since FM will probably want to talk to their devices on Port 3 in other buildings (which is also on the 10.x.x.x network), I suspect they should be on Port 2. Port 0/1 will work to some degree since they will have internet access, but I think they'll find some aspects limited unless they are on Port 2 (VPN).
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
autryld
New Member
Posts: 25
Joined: Sat Feb 25, 2012 11:23 am
Location: St. Louis, MO Stake

Re: Firewall Upgrade Feedback

#3

Post by autryld »

I agree that they should be on port 2 (10.x.x.x). However, they have already connected to port 0 along with the unit PCs. I believe that the GSC should have given that same advice to the FM group rather than the vague, "port 0, 1 or 2 is okay".

Thanks,
Larry Autry
CleggGP
Church Employee
Posts: 118
Joined: Mon Jul 28, 2014 1:55 pm

Re: Firewall Upgrade Feedback

#4

Post by CleggGP »

As a general rule, meetinghouse facilities devices (e.g., HVAC, sprinkler systems) should be connected to the facilities zone port of the firewall (Cisco 881 series: Port 3; Cisco C891F: Port 7). The facilities zone only supports static IP network addresses. If there are facilities devices that use dynamic (DHCP) network addressing, then those devices should be connected to the Public Network firewall ports (Cisco 881 series: Ports 0-1; Cisco C891F: Ports 0-5). An example of such a device is the Honeywell Redlink Webstat device that uses DHCP network addresses.

If a facilities device does not function the same way it did before the upgrade, then try connecting the device to the Public Network (instead of being connected to the Facilities Zone).

Firewall Cisco 881 Port 2 (Cisco C891F Port 6) is also a Public Network port unless an "official" Family History Center exists, in which case that port should be converted by the GSC to a "special purpose zone" (VPN) for the FHC.
tlhackett
Church Employee
Posts: 69
Joined: Mon Dec 23, 2013 1:54 pm

Re: Firewall Upgrade Feedback

#5

Post by tlhackett »

Just to reiterate what was said, the FM group would go in port 0-1 (and 2 if there isn't an official family history center). Being on the ports 0-1 will not hinder their access to the equipment that they need. Port 2 does connect to the VPN, but it does not give them the access they need for their devices in other buildings. They have a VPN client that they connect to to give them the access they need and therefore can be plugged into the public ports without issue.

In short, the FM group goes on the same port as the rest of the building.
russellhltn
Community Administrator
Posts: 34418
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall Upgrade Feedback

#6

Post by russellhltn »

yarrgh wrote: In short, the FM group goes on the same port as the rest of the building
Thanks for that clarification.

Is that the same for other Church Employees? Is there anyone besides a FHC that would go on the VPN?
CleggGP
Church Employee
Posts: 118
Joined: Mon Jul 28, 2014 1:55 pm

Re: Firewall Upgrade Feedback

#7

Post by CleggGP »

russellhltn wrote: Is that the same for other Church Employees? Is there anyone besides a FHC that would go on the VPN?
No, not currently in most meetinghouses.
russellhltn
Community Administrator
Posts: 34418
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall Upgrade Feedback

#8

Post by russellhltn »

OK, while I have your attention - what about a WAP that only services the FHC (separate building)? It would only be used for patron laptops, since all the FHC stuff is hard wired. For me to put it on "public" I'd have to have FM run another line to the building. But if I can put it on the VPN, then I can just plug it into the switch.