LDSTech

Running out of IP addresses

Discuss various issues around providing Internet access to meetinghouses.

Moderators: MarchantRR, SheffieldTR

Running out of IP addresses

#1Postby michaelfish » Sun May 06, 2012 1:45 pm

I'm sure this question has been addressed elsewhere in the forum, so you can direct me for more information or quickly answer some questions.

What are other wards doing when they run out of IP addresses on Sunday?

By the time our second and third wards show up for sacrament meeting, devices have already automatically logged on and used up all the available IP addresses. As a result, the family history teachers cannot connect to the Internet (connected to Wifi but not the Internet). For the past couple of weeks, I've needed to reboot the church's new Cisco firewall/router (after making sure no clerks are doing a send/receive) to reset IP address leases.


Does anyone have suggestions on what could be done for the family history teacher's wireless laptops? I have come up with some possible solutions but really would prefer not doing the following:
  • Increasing the number of IP addresses in the Cisco firewall/router (increasing will the number of IP addresses will decrease our already very limited bandwidth, which cannot be increased due to DLS limitations in our area)
  • Change the password (would work for a very short time as the password gets spread to too many devices)
  • Assign Static IPs for the Family History instructor's laptops (this would prevent their Internet access once they leave the building).
  • Invest in a building laptop (or have one donated) and assign a static IP to it and allow it to be checked out from the materials center (issues of not being returned, mishandled, maintenance issues, etc.)
  • Put request to turn off your Internet devices during meetings in the Sunday program (I don't think anyone would really honor the request)
I've been wondering if putting a time restriction to the lease (say 2 or 3 hours) would work and if it could be implemented? That way the first block of devices entering the building in the morning would have their leases released automatically just about the time the other wards come in).

Also, how soon is the logging on via captive portal system going to be available?

Do you have other suggestions of what I could try?
michaelfish
Member
 
Posts: 324
Joined: Sun May 10, 2009 3:44 pm
Location: Gilbert, AZ USA

#2Postby jdlessley » Sun May 06, 2012 3:38 pm

michaelfish wrote:I have come up with some possible solutions but really would prefer not doing the following:...
Increasing the number of IP addresses in the Cisco firewall/router (increasing will the number of IP addresses will decrease our already very limited bandwidth, which cannot be increased due to DLS limitations in our area)
Solve the lack of available IP addresses first. Don't place that as a restriction to solving the primary issue raised. Yes, available bandwidth could become an issue. But if nobody can connect to the Internet because all IP addresses are leased then available bandwidth really becomes a moot issue at this point.

michaelfish wrote:I've been wondering if putting a time restriction to the lease (say 2 or 3 hours) would work and if it could be implemented?
If I recall correctly the default lease time is already two hours. Shorter lease times may be a partial solution. Both the lease time and available IP addresses can be changed by calling the GSD.

michaelfish wrote:I have come up with some possible solutions but really would prefer not doing the following:...
Assign Static IPs for the Family History instructor's laptops (this would prevent their Internet access once they leave the building).
Each network a computer connects to can be configured differently. In this case a static IP address can be assigned for the LDS Access network. It will not affect any other network the computer connects to. The only issue here would be connecting that laptop in another Church building using LDS Access.
JD Lessley
Have you tried finding your answer on the LDS.org RKATS page or the LDSTech wiki?
jdlessley
Community Moderators
 
Posts: 5643
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

#3Postby russellhltn » Sun May 06, 2012 8:30 pm

michaelfish wrote:Increasing the number of IP addresses in the Cisco firewall/router (increasing will the number of IP addresses will decrease our already very limited bandwidth, which cannot be increased due to DLS limitations in our area)


From what others have reported, the devices are only requesting an IP. They are not using any signficant bandwidth.


michaelfish wrote:Assign Static IPs for the Family History instructor's laptops (this would prevent their Internet access once they leave the building).


I would imagine that a static IP could be set for the network and not affect other wireless network settings.

michaelfish wrote:I've been wondering if putting a time restriction to the lease (say 2 or 3 hours) would work and if it could be implemented?


From what I've seen, the church firewalls are already set to 1-2 hours lease. Keep in mind that DHCP clients will ask for a renewal at the 50% mark. So after a 3 hour block, the device could leave the building with the better part of 2 hours left on the lease. So the 9-12 ward IPs wouldn't release until about 2-ish.

I suppose one thing you could try: Set up your own router with DHCP behind the church firewall. Then you can set static IP addresses based on the MAC address -effectively making the FH consultants static without having to touch their laptops (and thus be obligated for support for the next several months. <grin>)
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.
russellhltn
Community Administrator
 
Posts: 14111
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#4Postby Mikerowaved » Mon May 07, 2012 1:32 am

Maybe we should start by asking what type of firewall you are using? If I recall, only the newer 881W are set to 2 hour leases. The ASA and PIX have longer leases, and combined with fewer IP addresses to start with, often spells disaster for the current state of having a pseudo open WiFi network in many meetinghouses.
So we can better help you, please edit your Profile to include your general location.
User avatar
Mikerowaved
Community Moderators
 
Posts: 2637
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#5Postby russellhltn » Mon May 07, 2012 3:49 am

It would be good to see what it's currently set to. Different people are reporting different lease times for the same firewalls. Our 501 is only an hour.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.
russellhltn
Community Administrator
 
Posts: 14111
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#6Postby sammythesm » Mon May 07, 2012 5:54 am

GSC once told me that default lease time for 501s and 8800s is 1 hour. You can confirm your lease expiration by opening up a command line and doing "ipconfig /all" - it will show you when your lease expires.

Increasing the # of IP addresses does not necessarily impact bandwidth. Only if those devices that are addressed actively use the connection, will there be an impact.

If you have an 881, this is the best solution to the problems you have stated in your original post.
sammythesm
Member
 
Posts: 213
Joined: Tue Jan 05, 2010 2:50 pm
Location: North Texas, United States

#7Postby nathangg » Mon May 07, 2012 7:03 am

RussellHltn wrote:I suppose one thing you could try: Set up your own router with DHCP behind the church firewall. Then you can set static IP addresses based on the MAC address -effectively making the FH consultants static without having to touch their laptops (and thus be obligated for support for the next several months. <grin>)


This is the first thing that came to my mind also: either set up your own router behind the church firewall and only let the FH consultants use that wireless (pick a different channel, ssid, and password for the wireless)

and/or

configure static leases based on the MAC address (this way the FH consultants wouldn't have to change their IP address or assign the IP address manually... it is all configured at the router level. (although I've done this on my home network, I'm not sure what happens when all the IP addresses fill up... does the router still reserve those static IP addresses for the specific MAC addresses?).
nathangg
Member
 
Posts: 189
Joined: Tue Dec 21, 2010 12:36 pm

#8Postby russellhltn » Mon May 07, 2012 10:02 am

nathangg wrote:This is the first thing that came to my mind also: either set up your own router behind the church firewall and only let the FH consultants use that wireless (pick a different channel, ssid, and password for the wireless)


Just to be clear, I wasn't suggesting a new wireless. The existing wireless would be run though the new router.


nathangg wrote:I'm not sure what happens when all the IP addresses fill up... does the router still reserve those static IP addresses for the specific MAC addresses?


I would expect it to, but that may depend on the particular unit.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.
russellhltn
Community Administrator
 
Posts: 14111
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#9Postby john84601 » Mon May 07, 2012 2:54 pm

nathangg wrote:I'm not sure what happens when all the IP addresses fill up... does the router still reserve those static IP addresses for the specific MAC addresses?).


When you setup a DHCP Scope, you specify a range. With most DHCP services, you can also specify and exclusion range within that range. Typically, you would assign a Static IP from that subnet that was either outside the range... or inside the excluded range. The DHCP can't/won't issue any addresses from either of those (so no chance of them getting used up if you run out of addresses. For example...

IF... you network address was 192.168.1.0/24 (or 255.255.255.0)…
THEN… your typical gateway would be 192.168.1.1
AND... 192.168.1.255 would be your broadcast address.
THAT… would give you usable IPs of 192.168.1.2 - 192.168.1.254.

MOST... admins would setup a DHCP scope that didn't include all address (I believe the church does this too). So the DHCP scope would be added to issue addresses from something like 192.168.1.30 - 192.168.1.254.
SO... the address of 192.168.1.2 - 192.168.1.29 could be used as you please. You could statically assign them or make a DHCP reservation (always and only assigns a specific (IP) address to a specific host (MAC) address. This is actually the ‘cleaner’ method of assigning an IP, but takes a little more work.
john84601
New Member
 
Posts: 44
Joined: Sun Mar 11, 2012 1:24 pm

#10Postby Mikerowaved » Mon May 07, 2012 7:12 pm

john84601 wrote:When you setup a DHCP Scope...

The problem is, we don't have much control over the setup and the default settings can vary quite a bit for different firewall models. For example, the standard ASA firewall setup had only 5 IP addresses outside the DHCP scope for fixed IP devices. With our stake center, they were quickly used up by the WAPs we had in the building. The 881W has quite a few more available.

It will be best to learn which firewall michaelfish is using, so we can best address his concerns.
So we can better help you, please edit your Profile to include your general location.
User avatar
Mikerowaved
Community Moderators
 
Posts: 2637
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Next

Return to Meetinghouse Internet

Who is online

Users browsing this forum: No registered users and 0 guests