need help to setup wireless router behind another firewall

I bought a wireless router [ D-Link DI-624 ] and I want to configure it
BEHIND my gateway firewall. Like so...

{ use a fixed font to display the following }

+----+ +----------+ +----+ / ))))
| | | | |DI- +-'
.....+ CM +----+ firewall +------\ /-----+ 624|
| | | | | | | |
+----+ +----------+ +-.-.-.-.-+ +----+
cable | switch |
modem +-.-.-.-.-+ (((
| | | | \ +--------+
| | | | `-+ laptops|
...---------------[ L A N ]-----... | |
+--------+


Now, the D-Link instructions are solely geared to setup in a Windoze box.
Plus, the instructions only talk about putting the DI-624 between your
Cable/DSL router and the rest of your LAN, so that the DI-624 becomes your
defacto gateway router/Firewall/NAT device. I don't want that.. I want the
firewall box to be the gateway packet filter. I just want the DI-624
to hang off my 8-port switch on the LAN and control only the wireless
traffic segment, and let the F/W box control the gateway.

So, trying to learn what comes out of the router so I could configure it
to play nice, I connected the DI-624 to the switch and ran tcpdump from
another PC box to sniff the traffic that the DI-624 sends out:

1) When I connected the WLAN port coming out of the DI-624 to the switch,
I can see the router broadcasting from
0.0.0.0:bootpc to 255.255.255.255:bootps
Does this mean that I will have to have the firewall run a DHCP server to
give the DI-624 an IP address?

2) When I connect a LAN port coming out of the DI-624 to the switch, I
see the router multicasting from
192.168.0.1:1900 to 239.255.255.250:1900 UDP
What is UDP 1900 used for?

Currently, all boxes on the LAN segment use static addresses.

Has anyone done any similiar sorts of configuration? Thanks for any tips,

ed

On Sat, 05 Nov 2005 15:27:10 +0000, Bit Twister wrote:

> On Sat, 05 Nov 2005 07:23:08 -0700, Ed Franks wrote:
>>
>> I bought a wireless router [ D-Link DI-624 ] and I want to configure it
>> BEHIND my gateway firewall. Like so...
>>
>> { use a fixed font to display the following }
>>
>> +----+ +----------+ +----+ / ))))
>> | | | | |DI- +-'
>> ....+ CM +----+ firewall +------\ /-----+ 624|
>> | | | | | | | |
>> +----+ +----------+ +-.-.-.-.-+ +----+
>> cable | switch |
>> modem +-.-.-.-.-+ (((
>> | | | | \ +--------+
>> | | | | `-+ laptops|
>> ...---------------[ L A N ]-----... | |
>> +--------+
>>
>>
>
>
> For my hardware layout/settings,
> http://groups.google.com/advanced_group_search
> (E-Mail Removed)lid in the Message Id box.

BT,

Thats all good stuff there; I might borrow some of it for
improving my existing setup.

But, I see no wireless router setup on a LAN in there?
Did I miss it. That is the crux of my problem:

How to setup a wireless router off a LAN and
NOT as the primary gateway router.

Thanks,

ed

On Sat, 05 Nov 2005 07:23:08 -0700, Ed Franks wrote:
>
> I bought a wireless router [ D-Link DI-624 ] and I want to configure it
> BEHIND my gateway firewall. Like so...
>
> { use a fixed font to display the following }
>
> +----+ +----------+ +----+ / ))))
> | | | | |DI- +-'
> ....+ CM +----+ firewall +------\ /-----+ 624|
> | | | | | | | |
> +----+ +----------+ +-.-.-.-.-+ +----+
> cable | switch |
> modem +-.-.-.-.-+ (((
> | | | | \ +--------+
> | | | | `-+ laptops|
> ...---------------[ L A N ]-----... | |
> +--------+
>
>


For my hardware layout/settings,
http://groups.google.com/advanced_group_search
(E-Mail Removed)lid in the Message Id box.

Hi Ed -

On Sat, 05 Nov 2005 08:55:12 -0700, "Ed Franks" <(E-Mail Removed)-net>
wrote:

> How to setup a wireless router off a LAN and
> NOT as the primary gateway router.

I've never used wireless, but speaking in general terms about routers
....

From your diagram, I assume that the devices on the LAN have the
firewall's internal IP address as their gateway. So it would seem
that you should be able to give the "external" side of the wireless
router a LAN IP address and the firewall's IP address as the
"external" gateway.

--
Ken
http://www.ke9nr.net/

Ed Franks wrote:
> I bought a wireless router [ D-Link DI-624 ] and I want to configure it
> BEHIND my gateway firewall. Like so...
>
> { use a fixed font to display the following }
>
> +----+ +----------+ +----+ / ))))
> | | | | |DI- +-'
> ....+ CM +----+ firewall +------\ /-----+ 624|
> | | | | | | | |
> +----+ +----------+ +-.-.-.-.-+ +----+
> cable | switch |
> modem +-.-.-.-.-+ (((
> | | | | \ +--------+
> | | | | `-+ laptops|
> ...---------------[ L A N ]-----... | |
> +--------+
>
>
> Now, the D-Link instructions are solely geared to setup in a Windoze box.
> Plus, the instructions only talk about putting the DI-624 between your
> Cable/DSL router and the rest of your LAN, so that the DI-624 becomes your
> defacto gateway router/Firewall/NAT device. I don't want that.. I want the
> firewall box to be the gateway packet filter. I just want the DI-624
> to hang off my 8-port switch on the LAN and control only the wireless
> traffic segment, and let the F/W box control the gateway.
>
> So, trying to learn what comes out of the router so I could configure it
> to play nice, I connected the DI-624 to the switch and ran tcpdump from
> another PC box to sniff the traffic that the DI-624 sends out:
>
> 1) When I connected the WLAN port coming out of the DI-624 to the switch,
> I can see the router broadcasting from
> 0.0.0.0:bootpc to 255.255.255.255:bootps
> Does this mean that I will have to have the firewall run a DHCP server to
> give the DI-624 an IP address?
>
> 2) When I connect a LAN port coming out of the DI-624 to the switch, I
> see the router multicasting from
> 192.168.0.1:1900 to 239.255.255.250:1900 UDP
> What is UDP 1900 used for?
>
> Currently, all boxes on the LAN segment use static addresses.
>
> Has anyone done any similiar sorts of configuration? Thanks for any tips,

Look if there is a way to put the router to bridge mode,
so it will be an extension to the LAN. I'm running a
D-link AP-900+ in this way.

The BOOTP messages are probably from the DHCP server in the
gateway box. Just disable it.

Please do not forget to enable some kind of wireless
encryption if you're not intending to share your LAN
with the whole suburb. Although much lamented, WEP
does already much toward the goal.

HTH

--

Tauno Voipio
tauno voipio (at) iki fi