Re: need help to setup wireless router behind another firewall

From: Tauno Voipio (tauno.voipio_at_INVALIDiki.fi)
Date: 11/06/05


Date: Sun, 06 Nov 2005 09:37:26 GMT

Ed Franks wrote:
> I bought a wireless router [ D-Link DI-624 ] and I want to configure it
> BEHIND my gateway firewall. Like so...
>
> { use a fixed font to display the following }
>
>     +----+    +----------+                     +----+  / ))))
>     |    |    |          |                     |DI- +-'
> ....+ CM +----+ firewall +------\     /--------+ 624|
>     |    |    |          |       |   |         |    |
>     +----+    +----------+    +-.-.-.-.-+      +----+
>     cable                     |  switch |
>     modem                     +-.-.-.-.-+          (((
>                                | | | |             \  +--------+
>                                | | | |              `-+ laptops|
> ...---------------[ L A N ]-----...                   |        |
>                                                       +--------+
>
>
> Now, the D-Link instructions are solely geared to setup in a Windoze box.
> Plus, the instructions only talk about putting the DI-624 between your
> Cable/DSL router and the rest of your LAN, so that the DI-624 becomes your
> de facto gateway router/Firewall/NAT device. I don't want that. I want the
> firewall box to be the gateway packet filter. I just want the DI-624
> to hang off my 8-port switch on the LAN and control only the wireless
> traffic segment, and let the F/W box control the gateway.
>
> So, trying to learn what comes out of the router so I could configure it
> to play nice, I connected the DI-624 to the switch and ran tcpdump from
> another PC box to sniff the traffic that the DI-624 sends out:
>
> 1) When I connected the WLAN port coming out of the DI-624 to the switch,
> I can see the router broadcasting from
> 0.0.0.0:bootpc to 255.255.255.255:bootps
> Does this mean that I will have to have the firewall run a DHCP server to
> give the DI-624 an IP address?
>
> 2) When I connect a LAN port coming out of the DI-624 to the switch, I
> see the router multicasting from
> 192.168.0.1:1900 to 239.255.255.250:1900 UDP
> What is UDP 1900 used for?
>
> Currently, all boxes on the LAN segment use static addresses.
>
> Has anyone done any similar sorts of configuration? Thanks for any tips,

Look whether there is a way to put the router into bridge mode,
so it will be an extension to the LAN. I'm running a
D-Link AP-900+ in this way.

The BOOTP messages are probably from the DHCP server in the
gateway box. Just disable it.

Please do not forget to enable some kind of wireless
encryption if you're not intending to share your LAN
with the whole suburb. Although much lamented, WEP
already does much toward that goal.

HTH

-- 
Tauno Voipio
tauno voipio (at) iki fi
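The two datagrams the original poster sniffed are easier to tell apart once decoded than from tcpdump's one-line summaries. What follows is an added example in Python, not code from this thread or from D-Link: it builds a DHCP DISCOVER of the kind a DHCP client broadcasts from 0.0.0.0:68 (bootpc) to 255.255.255.255:67 (bootps), decodes it, and decodes a constructed SSDP NOTIFY, the UPnP advertisement that is sent to the well-known multicast group 239.255.255.250 on UDP port 1900. The MAC address, device UUID, transaction id and LOCATION URL in it are placeholders, not values from the poster's capture.

```python
"""Decoder for the two kinds of UDP datagrams described in the post above.

Added example, not code from the thread or from D-Link.  Both datagrams are
constructed by hand: the DHCP DISCOVER mimics what a DHCP *client* broadcasts
from 0.0.0.0:68 (bootpc) to 255.255.255.255:67 (bootps), and the SSDP NOTIFY
mimics the UPnP device advertisement sent to 239.255.255.250 on UDP 1900.
MAC address, UUID, transaction id and URL values are placeholders.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"                 # RFC 2132 magic cookie
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SSDP_GROUP = ("239.255.255.250", 1900)          # SSDP multicast address:port


def build_dhcp_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal BOOTREQUEST carrying DHCP option 53 = DISCOVER."""
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs=0,
    # flags=0x8000 (ask for a broadcast reply: the client has no address yet)
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    hdr += b"\x00" * 16               # ciaddr, yiaddr, siaddr, giaddr: all 0.0.0.0
    hdr += mac + b"\x00" * 10         # chaddr, padded to 16 bytes
    hdr += b"\x00" * (64 + 128)       # sname and file, unused here
    opts = DHCP_MAGIC + bytes([53, 1, 1]) + bytes([255])   # option 53 DISCOVER, then END
    return hdr + opts


def parse_dhcp(payload: bytes) -> dict:
    """Pull out the fields that tell a client request from a server reply."""
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = payload[28:28 + hlen]
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("BOOTP without DHCP magic cookie")
    msg_type = None
    i = 240
    while i < len(payload):           # walk the TLV option list
        tag = payload[i]
        if tag == 255:                # END
            break
        if tag == 0:                  # PAD
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if tag == 53 and length == 1:
            msg_type = DHCP_MSG_TYPES.get(value[0], "type %d" % value[0])
        i += 2 + length
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "client_mac": ":".join("%02x" % b for b in chaddr),
        "message": msg_type,
    }


# Constructed SSDP NOTIFY; header values are placeholders, not captured data.
SAMPLE_SSDP = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.0.1:2869/gatedesc.xml\r\n"
    b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"NTS: ssdp:alive\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000"
    b"::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)


def parse_ssdp(payload: bytes) -> dict:
    """SSDP is HTTP over UDP: a request line followed by 'Name: value' lines."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    method = lines[0].split(" ")[0]
    headers = {}
    for line in lines[1:]:
        if not line:                  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return {"method": method, "headers": headers}


def classify(src: tuple, dst: tuple, payload: bytes) -> str:
    """Label a UDP datagram by port pair plus decoded content."""
    if src[1] == 68 and dst[1] == 67:
        d = parse_dhcp(payload)
        return "DHCP %s %s from client %s" % (d["op"], d["message"], d["client_mac"])
    if dst == SSDP_GROUP:
        s = parse_ssdp(payload)
        return "SSDP %s (%s) advertising %s at %s" % (
            s["method"], s["headers"].get("NTS"),
            s["headers"].get("NT"), s["headers"].get("LOCATION"))
    return "unclassified"


if __name__ == "__main__":
    disc = build_dhcp_discover(bytes.fromhex("001122334455"))
    print(classify(("0.0.0.0", 68), ("255.255.255.255", 67), disc))
    print(classify(("192.168.0.1", 1900), SSDP_GROUP, SAMPLE_SSDP))
```

Run it as a script to see both classifications. Two things worth checking on a setup like the one drawn above: a port that broadcasts DHCP DISCOVER is acting as a DHCP client on that port and will sit without an address unless something answers it or it is configured statically; and SSDP NOTIFY on the LAN side means the device is advertising UPnP, which on a router usually includes the IGD port-mapping service, something to switch off when the firewall box is meant to be the only device deciding what gets through.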