[HamWAN PSDR] Metal 5SHPN Network Help
Rob Salsgiver
rob at nr3o.com
Sun Mar 5 19:16:00 PST 2017
Thanks Tom, you’re beginning to stir more memories of the conversation.
Part of it is that it comes back to the overall amount of administration. To be honest, other than things that absolutely NEED to be on a public IP, I prefer to have all of the internal assets protected by a firewall – same as your typical household. I realize that firewall rules can be set up to protect public IPs as well as private, but why go to all that extra effort? Your average consumer router takes care of all that, rather than giving an EOC or hospital a dozen IPs that all MUST have administration applied and updated every time the end-user wants to add a widget or make a change.
I can understand it if for example a hospital for some reason wanted to have public web servers on the 44 space, but most EMCOMM uses are pretty standard – we want to hook up a laptop, VOIP phone, or tablet to be able to communicate in a disaster. Very seldom (if ever) would you have inbound IPs needing to be port forwarded or managed, and if so then they can do that on their end-user firewall (Netgear, ‘Tik, or whatever). It still leaves the greater flexibility and capabilities that you outline when needed, but the admins don’t need to be involved UNTIL it is one of those cases. Most EOCs and hospitals don’t host Echolink nodes!
Another aspect is – why put something critical like an EOC or hospital at risk when it’s not needed. You may have perfectly good firewall rules and configurations on the public / 44 IPs used by laptops or other items within an EOC, but one screw-up snafu’d automation script and those devices are potentially compromised. Not the kind of PR you want to move forward with – particularly when the default “safe” method of having an internal firewall covers that – and transfers the liability to the end-user and not the network admins.
Not sure where that leaves us, but thanks for the discussion. Look forward to getting it ironed out.
Cheers,
Rob
From: PSDR [mailto:psdr-bounces at hamwan.org] On Behalf Of Tom Hayward
Sent: Sunday, March 5, 2017 5:49 PM
To: Puget Sound Data Ring
Subject: Re: [HamWAN PSDR] Metal 5SHPN Network Help
Rob,
When you and I were talking about this, the point I was trying to make is, why stop at one? Why do you only want HamWAN on the site router? It's no problem to give you as many addresses as you need to cover all the devices at the site. For instance, we have EOCs with a full public /24 dedicated to end-user devices. There's no need to NAT; we have plenty of addresses available. The benefit of this, in the long run, is that people can add devices in the EOC, hospital, etc., and not have to request port forwarding for apps that require it. We set up the /24 once and then don't have to make changes every time someone wants to add an Echolink node. It just works.
Tom
On Sun, Mar 5, 2017 at 5:10 PM, Rob Salsgiver <rob at nr3o.com> wrote:
Cory,
This is pretty much the question I had brought up after working with Tom I think when bringing up the Monroe hospital. All I was looking for was to expose the site's router (RB2011 in this case) to grab a public IP similar to a DSL or cable connection. Configuring a public subnet just to have an external IP on an internal router seems to add more administration than would be needed for 90% or more of the sites. Having the firewall configurations being done/updated on a normal basis out at the antenna/metal means you have to GO to the antenna to reset the router if there are any config snags (been there/done that). Having the user-managed device be inside the building is a LOT more convenient when something goes TU and leaves the antenna router in a more static/stable condition. Please keep me in the loop for what becomes the preferred config for this as I expect to have most of my sites in this situation.
-------- Original message --------
From: "Cory (NQ1E)" <cory at nq1e.hm>
Date: 3/5/17 3:56 PM (GMT-08:00)
To: Puget Sound Data Ring <psdr at hamwan.org>
Cc: netops at hamwan.org
Subject: Re: [HamWAN PSDR] Metal 5SHPN Network Help
Hi Kyle,
It is possible to bridge your interfaces together so your internal router could request a DHCP lease from the sector. However, we would prefer you avoided that.
If you would like public IP addresses to use inside of your network, we can have a subnet of your desired size routed to your modem.
For help configuring that, please either join us in the IRC chat room (#HamWAN on freenode) or email the ops team directly at: netops at hamwan.org
Good luck!
-Cory
NQ1E
On Sun, Mar 5, 2017 at 2:39 PM, Kyle Burgess <kd7iyt at gmail.com> wrote:
I am trying to figure out the best way to configure my Metal 5SHPn so it acts like a bridge. However, I want to try and do it in a way where it won't disrupt the ability to remotely manage the radio (so the HamWAN team can still access it if need be).
Ultimately, I would like to have the HamWAN assigned IP handed off to a dedicated interface on my router, just like what your typical ISP would do. That way I can handle any additional routing or NAT via my router, and not on the radio itself.
Any thoughts on the best way to go about that? Would I just simply switch the wireless mode from "station" to "station bridge"? Or would there be more involved to do that?
Any assistance would be greatly appreciated!
Regards,
Kyle Burgess
_______________________________________________
PSDR mailing list
PSDR at hamwan.org
http://mail.hamwan.net/mailman/listinfo/psdr