
[cobalt-users] Using Qube behind Cayman Router



Actually, I'll tell you how I have it set up.  We actually have IP address
assigned to us from Pac Bell (our ISP).  What we have set up is the router
with a hub and everything is behind the router. I am not using the
Primary/Secondary setup for the Qube. (This is one of the options I am
considering if the NAT/Pinhole on the Cayman does not work.)

The Qube has a dedicated IP address in the same address space of the LAN but
not on the same address space as the WAN.

Cayman says that if you use NAT/Pinholing what you do to set it up is (if
you have a web server on your LAN) turn on NAT and then set the pinhole to
point at the IP address of the web server.

I've followed Cayman's instructions, but when I turn on NAT our entire
network is closed off from the outside. The pinhole/address forwarding is
not working.  I've got it set to the IP and port 80 for http access.  Now
people have written to me saying I have to enable port 81 for Qube
administration.  That was the question I was asking. What I am asking is
whether or not the Qube even supports having some other machine forwarding
net traffic to it via NAT/Pinholes.  I am trying to figure out why it
doesn't work the way Cayman says it will. At this point it's either the Qube
or the Cayman. And that's one too many to deal with...

Thanks for your help so far. I think I'm going to also look up those
firewall softwares you've suggested as well. We're not against buying a
solution to this problem either.


From: "Jeff Newman" <mjeffn@xxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-users] Using Qube behind Cayman Router
Date: Wed, 5 Apr 2000 16:56:23 -0500
Reply-To: cobalt-users@xxxxxxxxxxxxxxx

I checked their web site and reviewed the manual, the pin hole is what is
referred to as port forwarding or static NAT.

I'm guessing that you are trying to go from the router to the primary
interface and from the secondary interface to the lan.  I imagine that your
intent is to be able to forward port 25 etc. to the router's IP address and
filter any packets to/from the trusted lan on the secondary interface.  I
don't think that this will work the way you appear to be doing it.  Here are
some alternatives.

If you only have one real IP and it has to be the router, your only choice
(without purchasing something) is to assign a trusted lan ip address to the
primary and put the cube on the same network as your lan.  This means not
using the secondary interface and not filtering packets for the trusted lan.
Use pinhole to forward only those ports necessary.  Not very secure.

If you have two (or more) real IPs then assign one to the router and one to
the cube.  Do not use the pin hole or NAT feature of the router.  Assign the
secondary interface of the cube an address from your trusted lan's address
space.  Configure the cube to use NAT and the firewall.  This will be as
secure as you can make it with what you've got.

Of course the third choice is to purchase a real firewall such as the
Watchguard Firebox II, or the Sonicwall DMZ or Pro.

If I am 'off' on how you have laid out your network or on the IP address
details give me some more information.  I know that we will get this licked.

Jeff N
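
Added example, not part of either message and not Cayman or Cobalt code: a small model of a pinhole (static NAT) table with an audit that reports which required services are still closed from the outside and which pinholes are not needed. Ports 80 and 81 come from the thread; the LAN range, host addresses, the telnet pinhole and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Pinhole:
    proto: str      # "tcp" or "udp"
    wan_port: int   # port on the router's WAN address
    lan_ip: str     # inside host that receives the traffic
    lan_port: int

def translate(pinholes, proto, wan_port):
    """Destination for an unsolicited inbound packet, or None (dropped by NAT)."""
    for p in pinholes:
        if (p.proto, p.wan_port) == (proto, wan_port):
            return p.lan_ip, p.lan_port
    return None

def audit(pinholes, lan_cidr, required):
    """required maps service name -> (proto, wan_port, lan_ip, lan_port)."""
    lan = ip_network(lan_cidr)
    report = {"unreachable": [], "misrouted": [], "off_lan": [], "unneeded": []}
    for name, (proto, wport, ip, lport) in sorted(required.items()):
        dest = translate(pinholes, proto, wport)
        if dest is None:
            report["unreachable"].append(name)   # no pinhole: closed from outside
        elif dest != (ip, lport):
            report["misrouted"].append(name)     # pinhole points at the wrong host/port
    wanted = {(proto, wport) for proto, wport, _, _ in required.values()}
    for p in pinholes:
        if ip_address(p.lan_ip) not in lan:
            report["off_lan"].append(p)          # target is not in the LAN address space
        if (p.proto, p.wan_port) not in wanted:
            report["unneeded"].append(p)         # forwarded but not required
    return report

# Constructed sample values (not taken from the thread, apart from ports 80/81)
LAN = "192.168.1.0/24"
QUBE = "192.168.1.10"
PINHOLES = [Pinhole("tcp", 80, QUBE, 80), Pinhole("tcp", 23, "192.168.1.20", 23)]
REQUIRED = {"http": ("tcp", 80, QUBE, 80), "qube-admin": ("tcp", 81, QUBE, 81)}

if __name__ == "__main__":
    for finding, items in audit(PINHOLES, LAN, REQUIRED).items():
        print(finding, items)
```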